2017-08-22 07:25:50 +08:00
|
|
|
//===- FuzzerDefs.h - Internal header for the Fuzzer ------------*- C++ -* ===//
|
|
|
|
|
//
|
2019-01-19 16:50:56 +08:00
|
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
|
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
|
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
2017-08-22 07:25:50 +08:00
|
|
|
//
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Basic definitions.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
#ifndef LLVM_FUZZER_DEFS_H
|
|
|
|
|
#define LLVM_FUZZER_DEFS_H
|
|
|
|
|
|
|
|
|
|
#include <cassert>
|
|
|
|
|
#include <cstddef>
|
|
|
|
|
#include <cstdint>
|
|
|
|
|
#include <cstring>
|
[libFuzzer] Make -merge=1 to reuse coverage information from the control file.
Summary:
This change allows to perform corpus merging in two steps. This is useful when
the user wants to address the following two points simultaneously:
1) Get trustworthy incremental stats for the coverage and corpus size changes
when adding new corpus units.
2) Make sure the shorter units will be preferred when two or more units give the
same unique signal (equivalent to the `REDUCE` logic).
This solution was brainstormed together with @kcc, hopefully it looks good to
the other people too. The proposed use case scenario:
1) We have a `fuzz_target` binary and `existing_corpus` directory.
2) We do fuzzing and write new units into the `new_corpus` directory.
3) We want to merge the new corpus into the existing corpus and satisfy the
points mentioned above.
4) We create an empty directory `merged_corpus` and run the first merge step:
`
./fuzz_target -merge=1 -merge_control_file=MCF ./merged_corpus ./existing_corpus
`
this provides the initial stats for `existing_corpus`, e.g. from the output:
`
MERGE-OUTER: 3 new files with 11 new features added; 11 new coverage edges
`
5) We recreate `merged_corpus` directory and run the second merge step:
`
./fuzz_target -merge=1 -merge_control_file=MCF ./merged_corpus ./existing_corpus ./new_corpus
`
this provides the final stats for the merged corpus, e.g. from the output:
`
MERGE-OUTER: 6 new files with 14 new features added; 14 new coverage edges
`
Alternative solutions to this approach are:
A) Store precise coverage information for every unit (not only unique signal).
B) Execute the same two steps without reusing the control file.
Either of these would be suboptimal as it would impose an extra disk or CPU load
respectively, which is bad given the quadratic complexity in the worst case.
Tested on Linux, Mac, Windows.
Reviewers: morehouse, metzman, hctim, kcc
Reviewed By: morehouse
Subscribers: JDevlieghere, delcypher, mgrang, #sanitizers, llvm-commits, kcc
Tags: #llvm, #sanitizers
Differential Revision: https://reviews.llvm.org/D66107
llvm-svn: 371620
2019-09-11 22:11:08 +08:00
|
|
|
#include <memory>
|
|
|
|
|
#include <set>
|
2017-08-22 07:25:50 +08:00
|
|
|
#include <string>
|
|
|
|
|
#include <vector>
|
[libFuzzer] Make -merge=1 to reuse coverage information from the control file.
Summary:
This change allows to perform corpus merging in two steps. This is useful when
the user wants to address the following two points simultaneously:
1) Get trustworthy incremental stats for the coverage and corpus size changes
when adding new corpus units.
2) Make sure the shorter units will be preferred when two or more units give the
same unique signal (equivalent to the `REDUCE` logic).
This solution was brainstormed together with @kcc, hopefully it looks good to
the other people too. The proposed use case scenario:
1) We have a `fuzz_target` binary and `existing_corpus` directory.
2) We do fuzzing and write new units into the `new_corpus` directory.
3) We want to merge the new corpus into the existing corpus and satisfy the
points mentioned above.
4) We create an empty directory `merged_corpus` and run the first merge step:
`
./fuzz_target -merge=1 -merge_control_file=MCF ./merged_corpus ./existing_corpus
`
this provides the initial stats for `existing_corpus`, e.g. from the output:
`
MERGE-OUTER: 3 new files with 11 new features added; 11 new coverage edges
`
5) We recreate `merged_corpus` directory and run the second merge step:
`
./fuzz_target -merge=1 -merge_control_file=MCF ./merged_corpus ./existing_corpus ./new_corpus
`
this provides the final stats for the merged corpus, e.g. from the output:
`
MERGE-OUTER: 6 new files with 14 new features added; 14 new coverage edges
`
Alternative solutions to this approach are:
A) Store precise coverage information for every unit (not only unique signal).
B) Execute the same two steps without reusing the control file.
Either of these would be suboptimal as it would impose an extra disk or CPU load
respectively, which is bad given the quadratic complexity in the worst case.
Tested on Linux, Mac, Windows.
Reviewers: morehouse, metzman, hctim, kcc
Reviewed By: morehouse
Subscribers: JDevlieghere, delcypher, mgrang, #sanitizers, llvm-commits, kcc
Tags: #llvm, #sanitizers
Differential Revision: https://reviews.llvm.org/D66107
llvm-svn: 371620
2019-09-11 22:11:08 +08:00
|
|
|
|
2017-08-22 07:25:50 +08:00
|
|
|
|
|
|
|
|
namespace fuzzer {
|
|
|
|
|
|
|
|
|
|
template <class T> T Min(T a, T b) { return a < b ? a : b; }
|
|
|
|
|
template <class T> T Max(T a, T b) { return a > b ? a : b; }
|
|
|
|
|
|
|
|
|
|
class Random;
|
|
|
|
|
class Dictionary;
|
|
|
|
|
class DictionaryEntry;
|
|
|
|
|
class MutationDispatcher;
|
|
|
|
|
struct FuzzingOptions;
|
|
|
|
|
class InputCorpus;
|
|
|
|
|
struct InputInfo;
|
|
|
|
|
struct ExternalFunctions;
|
|
|
|
|
|
|
|
|
|
// Global interface to functions that may or may not be available.
|
|
|
|
|
extern ExternalFunctions *EF;
|
|
|
|
|
|
2017-08-28 07:20:09 +08:00
|
|
|
// We are using a custom allocator to give a different symbol name to STL
|
|
|
|
|
// containers in order to avoid ODR violations.
|
|
|
|
|
template<typename T>
|
|
|
|
|
class fuzzer_allocator: public std::allocator<T> {
|
|
|
|
|
public:
|
2018-06-06 17:22:19 +08:00
|
|
|
fuzzer_allocator() = default;
|
|
|
|
|
|
|
|
|
|
template<class U>
|
|
|
|
|
fuzzer_allocator(const fuzzer_allocator<U>&) {}
|
|
|
|
|
|
2017-08-28 07:20:09 +08:00
|
|
|
template<class Other>
|
|
|
|
|
struct rebind { typedef fuzzer_allocator<Other> other; };
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
template<typename T>
|
|
|
|
|
using Vector = std::vector<T, fuzzer_allocator<T>>;
|
|
|
|
|
|
|
|
|
|
template<typename T>
|
|
|
|
|
using Set = std::set<T, std::less<T>, fuzzer_allocator<T>>;
|
|
|
|
|
|
|
|
|
|
typedef Vector<uint8_t> Unit;
|
|
|
|
|
typedef Vector<Unit> UnitVector;
|
2017-08-22 07:25:50 +08:00
|
|
|
typedef int (*UserCallback)(const uint8_t *Data, size_t Size);
|
|
|
|
|
|
2020-07-24 08:07:55 +08:00
|
|
|
int FuzzerDriver(int *argc, char ***argv, UserCallback Callback);
|
2017-08-22 07:25:50 +08:00
|
|
|
|
|
|
|
|
uint8_t *ExtraCountersBegin();
|
|
|
|
|
uint8_t *ExtraCountersEnd();
|
|
|
|
|
void ClearExtraCounters();
|
|
|
|
|
|
2018-07-18 00:12:00 +08:00
|
|
|
extern bool RunningUserCallback;
|
|
|
|
|
|
2017-08-22 07:25:50 +08:00
|
|
|
} // namespace fuzzer
|
|
|
|
|
|
|
|
|
|
#endif // LLVM_FUZZER_DEFS_H
|