Update FuzzingBitGen to reduce possible infinite loops.

The old FuzzingBitGen algorithm would pull a byte from the head of the data stream to determine whether to return a min or a max, and then it would attempt to pull variate data from the tail of the stream. Once the data stream was expired it would return minimum values from the distributions, which could lead to infinite loops in rejection sampling algorithms.

The updated FuzzingBitGen now takes the following.
  1. Separate control and a data streams (as absl::Span<uint8_t>).
     The control stream indicates whether the distribution functions will return boundary values (min, max, mean) or a value derived from the data stream.
     The data stream provides the actual byte data for generating random values.

  2. A seed for an internal LCG PRNG (as uint64_t).
     When the data stream is exhausted, FuzzingBitGen uses the internal LCG to generate random variates. While the old version had an internal LCG PRNG, those values were not used by the distribution functions.

The basic flow of each variate generation is:
  1. Read a byte from the control stream (in fuzzing_bit_gen).
  2. Depending on the byte, return a min/max/mean/variate, etc.
  3. Once the data stream is expired, use an internal LCG to generate variates.

This update also calls c++ distribution functions in more cases, so that outputs are more aligned with actual distribution behavior.

Adds a test to demonstrate that std::shuffle() is properly manipulated by the fuzzing framework.
Also add additional tests to FuzzingBitGen for the distribution functions.

NOTE: This will change the variates generated by FuzzingBitGen from prior versions.
PiperOrigin-RevId: 873431571

Author: laramiel

domain_tests/BUILD

@@ -106,6 +106,7 @@ cc_test(
         "@abseil-cpp//absl/random",
         "@abseil-cpp//absl/random:bit_gen_ref",
         "@com_google_fuzztest//fuzztest:domain_core",
+        "@com_google_fuzztest//fuzztest/internal:printer",
         "@googletest//:gtest_main",
     ],
 )

domain_tests/CMakeLists.txt

@@ -80,6 +80,21 @@ fuzztest_cc_test(
     GTest::gmock_main
 )
 
+fuzztest_cc_test(
+  NAME
+    bitgen_ref_domain_test
+  SRCS
+    "bitgen_ref_domain_test.cc"
+  DEPS
+    fuzztest::domain_testing
+    absl::random_bit_gen_ref
+    absl::random_random
+    fuzztest::domain_core
+    fuzztest::meta
+    fuzztest::printer
+    GTest::gmock_main
+)
+
 fuzztest_cc_test(
   NAME
     container_combinators_test

domain_tests/bitgen_ref_domain_test.cc

@@ -12,13 +12,18 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+#include <algorithm>
+#include <cstddef>
+#include <string>
 #include <vector>
 
+#include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "absl/random/bit_gen_ref.h"
 #include "absl/random/random.h"
 #include "./fuzztest/domain_core.h"
 #include "./domain_tests/domain_testing.h"
+#include "./fuzztest/internal/printer.h"
 
 namespace fuzztest {
 namespace {
@@ -30,33 +35,77 @@ TEST(BitGenRefDomainTest, DistinctVariatesGeneratedByCallOperator) {
   Value v0(domain, bitgen_for_seeding);
   Value v1(domain, bitgen_for_seeding);
 
-  // Discard the first value, which may be from the data stream.
-  // If the implementation of BitGenRefDomain changes this may break.
-  v0.user_value();
-  v1.user_value();
-
   std::vector<absl::BitGenRef::result_type> a, b;
   for (int i = 0; i < 10; ++i) {
     a.push_back(v0.user_value());
     b.push_back(v1.user_value());
   }
+
+  // These streams should be different, except in very rare cases.
   EXPECT_NE(a, b);
 }
 
-TEST(BitGenRefDomainTest, AbseilUniformReturnsLowerBoundWhenExhausted) {
+TEST(BitGenRefDomainTest, AbseilUniformIsFunctionalWhenExhausted) {
   absl::BitGen bitgen_for_seeding;
 
   Domain<absl::BitGenRef> domain = Arbitrary<absl::BitGenRef>();
   Value v0(domain, bitgen_for_seeding);
 
-  // Discard the first value, which may be from the data stream.
-  // If the implementation of BitGenRefDomain changes this may break.
-  v0.user_value();
+  // When the same domain is used to generate multiple values, the generated
+  // data sequence should be identical.
+  std::vector<int> values;
+  for (int i = 0; i < 20; ++i) {
+    values.push_back(absl::Uniform<int>(v0.user_value, 0, 100));
+  }
 
-  for (int i = 0; i < 10; ++i) {
-    EXPECT_EQ(absl::Uniform<int>(v0.user_value, 0, 100), 0);
+  // Verify repeatability
+  Value v1(v0, domain);
+  for (int i = 0; i < 20; ++i) {
+    EXPECT_EQ(absl::Uniform<int>(v1.user_value, 0, 100), values[i]);
   }
 }
 
+TEST(BitGenRefDomainTest, IsPrintable) {
+  absl::BitGen bitgen_for_seeding;
+
+  Domain<absl::BitGenRef> domain = Arbitrary<absl::BitGenRef>();
+  Value v0(domain, bitgen_for_seeding);
+
+  // Print corpus value
+  std::string s;
+  domain.GetPrinter().PrintCorpusValue(
+      v0.corpus_value, &s, domain_implementor::PrintMode::kHumanReadable);
+  EXPECT_THAT(s, testing::StartsWith("FuzzingBitGen"));
+}
+
+TEST(BitGenRefDomainTest, MutateUntilSorted) {
+  absl::BitGen bitgen_for_seeding;
+  std::vector<int> vec;
+
+  // There are 5! possible permutations (120) of the 5-element vector. If
+  // FuzzingBitGen generated completely random values, then the likelihood
+  // that looping 10k times would not find a sorted permutation is
+  // approximately e^(-10000/120).
+  // However the `Mutate` operation does not generate an entirely new prng
+  // sequence, so we reset the value every 10 iterations instead.
+  int count = 0;
+  [&]() {
+    while (count < 10000) {
+      auto domain = Arbitrary<absl::BitGenRef>();
+      Value fuzz_rng(domain, bitgen_for_seeding);
+      vec = {5, 4, 1, 3, 2};
+
+      for (size_t j = 0; j < 10; ++j) {
+        count++;
+        std::shuffle(vec.begin(), vec.end(), fuzz_rng.user_value);
+        if (std::is_sorted(vec.begin(), vec.end())) return;
+        fuzz_rng.Mutate(domain, bitgen_for_seeding, {}, false);
+      }
+    }
+  }();
+
+  EXPECT_TRUE(std::is_sorted(vec.begin(), vec.end()));
+}
+
 }  // namespace
 }  // namespace fuzztest

e2e_tests/functional_test.cc

@@ -1703,7 +1703,16 @@ TEST_P(FuzzingModeCrashFindingTest, VectorValueTestFindsAbortInFuzzingMode) {
 
 TEST_P(FuzzingModeCrashFindingTest, BitGenRefTestFindsAbortInFuzzingMode) {
   auto [status, std_out, std_err] = Run("MySuite.BitGenRef");
-  EXPECT_THAT_LOG(std_err, HasSubstr("argument 0: absl::BitGenRef{}"));
+  EXPECT_THAT_LOG(std_err, AnyOf(HasSubstr("argument 0: absl::BitGenRef{}"),
+                                 HasSubstr("argument 0: FuzzingBitGen")));
+  ExpectTargetAbort(status, std_err);
+}
+
+TEST_P(FuzzingModeCrashFindingTest,
+       BitGenRefShuffleTestFindsAbortInFuzzingMode) {
+  auto [status, std_out, std_err] = Run("MySuite.BitGenRefShuffle");
+  EXPECT_THAT_LOG(std_err, AnyOf(HasSubstr("argument 0: absl::BitGenRef{}"),
+                                 HasSubstr("argument 0: FuzzingBitGen")));
   ExpectTargetAbort(status, std_err);
 }
 

e2e_tests/testdata/fuzz_tests_for_microbenchmarking.cc

@@ -24,6 +24,7 @@
 // i.e., to check that the fuzzer behaves as expected and outputs the expected
 // results. E.g., the fuzzer finds the abort() or bug.
 
+#include <algorithm>
 #include <array>
 #include <cmath>
 #include <cstdint>
@@ -33,6 +34,7 @@
 #include <string>
 #include <string_view>
 #include <tuple>
+#include <type_traits>
 #include <utility>
 #include <vector>
 
@@ -240,15 +242,26 @@ FUZZ_TEST(MySuite, FixedSizeVectorValue)
     .WithDomains(fuzztest::VectorOf(fuzztest::Arbitrary<char>()).WithSize(4));
 
 __attribute__((optnone)) void BitGenRef(absl::BitGenRef bitgen) {
+  // This uses FuzzingBitGen's mocking support for absl::Uniform().
   if (absl::Uniform(bitgen, 0, 256) == 'F' &&
       absl::Uniform(bitgen, 0, 256) == 'U' &&
-      absl::Uniform(bitgen, 0, 256) == 'Z' &&
-      absl::Uniform(bitgen, 0, 256) == 'Z') {
+      absl::Uniform(bitgen, 32, 128) == 'Z' &&
+      absl::Uniform(bitgen, 32, 128) == 'Z') {
     std::abort();  // Bug!
   }
 }
 FUZZ_TEST(MySuite, BitGenRef);
 
+__attribute__((optnone)) void BitGenRefShuffle(absl::BitGenRef bitgen) {
+  // This uses FuzzingBitGen's operator().
+  std::vector<int> v = {4, 1, 3, 2, 5};
+  std::shuffle(v.begin(), v.end(), bitgen);
+  if (std::is_sorted(v.begin(), v.end())) {
+    std::abort();  // Bug!
+  }
+}
+FUZZ_TEST(MySuite, BitGenRefShuffle);
+
 __attribute__((optnone)) void WithDomainClass(uint8_t a, double d) {
   // This will only crash with a=10, to make it easier to check the results.
   // d can have any value.

fuzztest/BUILD

@@ -219,18 +219,31 @@ cc_library(
     ],
 )
 
+cc_test(
+    name = "fuzzing_bit_gen_test",
+    srcs = ["fuzzing_bit_gen_test.cc"],
+    deps = [
+        ":fuzzing_bit_gen",
+        "@abseil-cpp//absl/random",
+        "@abseil-cpp//absl/random:bit_gen_ref",
+        "@googletest//:gtest_main",
+    ],
+)
+
 cc_library(
     name = "fuzzing_bit_gen",
     srcs = ["fuzzing_bit_gen.cc"],
     hdrs = ["fuzzing_bit_gen.h"],
     deps = [
+        "@abseil-cpp//absl/base:core_headers",
         "@abseil-cpp//absl/base:fast_type_id",
         "@abseil-cpp//absl/base:no_destructor",
         "@abseil-cpp//absl/container:flat_hash_map",
         "@abseil-cpp//absl/numeric:bits",
         "@abseil-cpp//absl/numeric:int128",
         "@abseil-cpp//absl/random:bit_gen_ref",
         "@abseil-cpp//absl/types:span",
+        "@com_google_fuzztest//fuzztest/internal:fuzzing_mock_stream",
         "@com_google_fuzztest//fuzztest/internal:register_fuzzing_mocks",
     ],
 )

fuzztest/CMakeLists.txt

@@ -60,16 +60,30 @@ fuzztest_cc_library(
   SRCS
     "fuzzing_bit_gen.cc"
   DEPS
+    absl::core_headers
     absl::fast_type_id
     absl::no_destructor
     absl::flat_hash_map
     absl::bits
     absl::int128
     absl::random_bit_gen_ref
     absl::span
+    fuzztest::fuzzing_mock_stream
     fuzztest::register_fuzzing_mocks
 )
 
+fuzztest_cc_test(
+  NAME
+    fuzzing_bit_gen_test
+  SRCS
+    "fuzzing_bit_gen_test.cc"
+  DEPS
+    fuzztest::fuzzing_bit_gen
+    absl::random_random
+    absl::random_bit_gen_ref
+    GTest::gmock_main
+)
+
 fuzztest_cc_library(
   NAME
     fuzztest