2017-08-22 07:25:50 +08:00
|
|
|
//===- FuzzerInternal.h - Internal header for the Fuzzer --------*- C++ -* ===//
|
|
|
|
|
//
|
2019-01-19 16:50:56 +08:00
|
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
|
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
|
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
2017-08-22 07:25:50 +08:00
|
|
|
//
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
// Define the main class fuzzer::Fuzzer and most functions.
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
|
|
#ifndef LLVM_FUZZER_INTERNAL_H
|
|
|
|
|
#define LLVM_FUZZER_INTERNAL_H
|
|
|
|
|
|
2018-06-06 09:23:29 +08:00
|
|
|
#include "FuzzerDataFlowTrace.h"
|
2017-08-22 07:25:50 +08:00
|
|
|
#include "FuzzerDefs.h"
|
|
|
|
|
#include "FuzzerExtFunctions.h"
|
|
|
|
|
#include "FuzzerInterface.h"
|
|
|
|
|
#include "FuzzerOptions.h"
|
|
|
|
|
#include "FuzzerSHA1.h"
|
|
|
|
|
#include "FuzzerValueBitMap.h"
|
|
|
|
|
#include <algorithm>
|
|
|
|
|
#include <atomic>
|
|
|
|
|
#include <chrono>
|
|
|
|
|
#include <climits>
|
|
|
|
|
#include <cstdlib>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
|
|
namespace fuzzer {
|
|
|
|
|
|
|
|
|
|
using namespace std::chrono;
|
|
|
|
|
|
|
|
|
|
class Fuzzer {
|
|
|
|
|
public:
|
|
|
|
|
|
|
|
|
|
Fuzzer(UserCallback CB, InputCorpus &Corpus, MutationDispatcher &MD,
|
|
|
|
|
FuzzingOptions Options);
|
|
|
|
|
~Fuzzer();
|
2019-05-10 09:34:26 +08:00
|
|
|
void Loop(Vector<SizedFile> &CorporaFiles);
|
|
|
|
|
void ReadAndExecuteSeedCorpora(Vector<SizedFile> &CorporaFiles);
|
2017-08-22 07:25:50 +08:00
|
|
|
void MinimizeCrashLoop(const Unit &U);
|
|
|
|
|
void RereadOutputCorpus(size_t MaxSize);
|
|
|
|
|
|
|
|
|
|
size_t secondsSinceProcessStartUp() {
|
|
|
|
|
return duration_cast<seconds>(system_clock::now() - ProcessStartTime)
|
|
|
|
|
.count();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool TimedOut() {
|
|
|
|
|
return Options.MaxTotalTimeSec > 0 &&
|
|
|
|
|
secondsSinceProcessStartUp() >
|
|
|
|
|
static_cast<size_t>(Options.MaxTotalTimeSec);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
size_t execPerSec() {
|
|
|
|
|
size_t Seconds = secondsSinceProcessStartUp();
|
|
|
|
|
return Seconds ? TotalNumberOfRuns / Seconds : 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
size_t getTotalNumberOfRuns() { return TotalNumberOfRuns; }
|
|
|
|
|
|
|
|
|
|
static void StaticAlarmCallback();
|
|
|
|
|
static void StaticCrashSignalCallback();
|
|
|
|
|
static void StaticExitCallback();
|
|
|
|
|
static void StaticInterruptCallback();
|
|
|
|
|
static void StaticFileSizeExceedCallback();
|
2017-11-10 04:30:19 +08:00
|
|
|
static void StaticGracefulExitCallback();
|
2017-08-22 07:25:50 +08:00
|
|
|
|
|
|
|
|
void ExecuteCallback(const uint8_t *Data, size_t Size);
|
|
|
|
|
bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
|
2017-12-02 03:18:38 +08:00
|
|
|
InputInfo *II = nullptr, bool *FoundUniqFeatures = nullptr);
|
2017-08-22 07:25:50 +08:00
|
|
|
|
|
|
|
|
// Merge Corpora[1:] into Corpora[0].
|
2017-08-28 07:20:09 +08:00
|
|
|
void Merge(const Vector<std::string> &Corpora);
|
2017-08-22 07:25:50 +08:00
|
|
|
void CrashResistantMergeInternalStep(const std::string &ControlFilePath);
|
|
|
|
|
MutationDispatcher &GetMD() { return MD; }
|
|
|
|
|
void PrintFinalStats();
|
|
|
|
|
void SetMaxInputLen(size_t MaxInputLen);
|
|
|
|
|
void SetMaxMutationLen(size_t MaxMutationLen);
|
|
|
|
|
void RssLimitCallback();
|
|
|
|
|
|
|
|
|
|
bool InFuzzingThread() const { return IsMyThread; }
|
|
|
|
|
size_t GetCurrentUnitInFuzzingThead(const uint8_t **Data) const;
|
|
|
|
|
void TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size,
|
|
|
|
|
bool DuringInitialCorpusExecution);
|
|
|
|
|
|
|
|
|
|
void HandleMalloc(size_t Size);
|
2019-02-09 05:27:23 +08:00
|
|
|
static void MaybeExitGracefully();
|
2019-02-12 08:12:33 +08:00
|
|
|
std::string WriteToOutputCorpus(const Unit &U);
|
2017-08-22 07:25:50 +08:00
|
|
|
|
|
|
|
|
private:
|
|
|
|
|
void AlarmCallback();
|
|
|
|
|
void CrashCallback();
|
|
|
|
|
void ExitCallback();
|
|
|
|
|
void CrashOnOverwrittenData();
|
|
|
|
|
void InterruptCallback();
|
|
|
|
|
void MutateAndTestOne();
|
2017-10-24 06:04:30 +08:00
|
|
|
void PurgeAllocator();
|
2017-08-22 07:25:50 +08:00
|
|
|
void ReportNewCoverage(InputInfo *II, const Unit &U);
|
|
|
|
|
void PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size);
|
|
|
|
|
void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix);
|
[libFuzzer] Merge: print feature coverage number as well.
Summary:
feature coverage is a useful signal that is available during the merge
process, but was not printed previously.
Output example:
```
$ ./fuzzer -use_value_profile=1 -merge=1 new_corpus/ seed_corpus/
INFO: Seed: 1676551929
INFO: Loaded 1 modules (2380 inline 8-bit counters): 2380 [0x90d180, 0x90dacc),
INFO: Loaded 1 PC tables (2380 PCs): 2380 [0x684018,0x68d4d8),
MERGE-OUTER: 180 files, 78 in the initial corpus
MERGE-OUTER: attempt 1
INFO: Seed: 1676574577
INFO: Loaded 1 modules (2380 inline 8-bit counters): 2380 [0x90d180, 0x90dacc),
INFO: Loaded 1 PC tables (2380 PCs): 2380 [0x684018,0x68d4d8),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes
MERGE-INNER: using the control file '/tmp/libFuzzerTemp.111754.txt'
MERGE-INNER: 180 total files; 0 processed earlier; will process 180 files now
#1 pulse cov: 134 ft: 330 exec/s: 0 rss: 37Mb
#2 pulse cov: 142 ft: 462 exec/s: 0 rss: 38Mb
#4 pulse cov: 152 ft: 651 exec/s: 0 rss: 38Mb
#8 pulse cov: 152 ft: 943 exec/s: 0 rss: 38Mb
#16 pulse cov: 520 ft: 2783 exec/s: 0 rss: 39Mb
#32 pulse cov: 552 ft: 3280 exec/s: 0 rss: 41Mb
#64 pulse cov: 576 ft: 3641 exec/s: 0 rss: 50Mb
#78 LOADED cov: 602 ft: 3936 exec/s: 0 rss: 88Mb
#128 pulse cov: 611 ft: 3996 exec/s: 0 rss: 93Mb
#180 DONE cov: 611 ft: 4016 exec/s: 0 rss: 155Mb
MERGE-OUTER: succesfull in 1 attempt(s)
MERGE-OUTER: the control file has 39741 bytes
MERGE-OUTER: consumed 0Mb (37Mb rss) to parse the control file
MERGE-OUTER: 9 new files with 80 new features added; 9 new coverage edges
```
Reviewers: hctim, morehouse
Reviewed By: morehouse
Subscribers: delcypher, #sanitizers, llvm-commits, kcc
Tags: #llvm, #sanitizers
Differential Revision: https://reviews.llvm.org/D66030
llvm-svn: 368617
2019-08-13 04:21:27 +08:00
|
|
|
void PrintStats(const char *Where, const char *End = "\n", size_t Units = 0,
|
|
|
|
|
size_t Features = 0);
|
2017-08-22 07:25:50 +08:00
|
|
|
void PrintStatusForNewUnit(const Unit &U, const char *Text);
|
|
|
|
|
void CheckExitOnSrcPosOrItem();
|
|
|
|
|
|
|
|
|
|
static void StaticDeathCallback();
|
|
|
|
|
void DumpCurrentUnit(const char *Prefix);
|
|
|
|
|
void DeathCallback();
|
|
|
|
|
|
|
|
|
|
void AllocateCurrentUnitData();
|
|
|
|
|
uint8_t *CurrentUnitData = nullptr;
|
|
|
|
|
std::atomic<size_t> CurrentUnitSize;
|
|
|
|
|
uint8_t BaseSha1[kSHA1NumBytes]; // Checksum of the base unit.
|
|
|
|
|
|
2017-11-10 04:30:19 +08:00
|
|
|
bool GracefulExitRequested = false;
|
|
|
|
|
|
2017-08-22 07:25:50 +08:00
|
|
|
size_t TotalNumberOfRuns = 0;
|
|
|
|
|
size_t NumberOfNewUnitsAdded = 0;
|
|
|
|
|
|
|
|
|
|
size_t LastCorpusUpdateRun = 0;
|
|
|
|
|
|
|
|
|
|
bool HasMoreMallocsThanFrees = false;
|
|
|
|
|
size_t NumberOfLeakDetectionAttempts = 0;
|
|
|
|
|
|
2017-10-24 06:04:30 +08:00
|
|
|
system_clock::time_point LastAllocatorPurgeAttemptTime = system_clock::now();
|
|
|
|
|
|
2017-08-22 07:25:50 +08:00
|
|
|
UserCallback CB;
|
|
|
|
|
InputCorpus &Corpus;
|
|
|
|
|
MutationDispatcher &MD;
|
|
|
|
|
FuzzingOptions Options;
|
2018-06-06 09:23:29 +08:00
|
|
|
DataFlowTrace DFT;
|
2017-08-22 07:25:50 +08:00
|
|
|
|
|
|
|
|
system_clock::time_point ProcessStartTime = system_clock::now();
|
|
|
|
|
system_clock::time_point UnitStartTime, UnitStopTime;
|
|
|
|
|
long TimeOfLongestUnitInSeconds = 0;
|
|
|
|
|
long EpochOfLastReadOfOutputCorpus = 0;
|
|
|
|
|
|
|
|
|
|
size_t MaxInputLen = 0;
|
|
|
|
|
size_t MaxMutationLen = 0;
|
|
|
|
|
size_t TmpMaxMutationLen = 0;
|
|
|
|
|
|
2017-08-28 07:20:09 +08:00
|
|
|
Vector<uint32_t> UniqFeatureSetTmp;
|
2017-08-22 07:25:50 +08:00
|
|
|
|
|
|
|
|
// Need to know our own thread.
|
|
|
|
|
static thread_local bool IsMyThread;
|
|
|
|
|
};
|
|
|
|
|
|
2018-07-10 07:51:08 +08:00
|
|
|
struct ScopedEnableMsanInterceptorChecks {
|
|
|
|
|
ScopedEnableMsanInterceptorChecks() {
|
|
|
|
|
if (EF->__msan_scoped_enable_interceptor_checks)
|
|
|
|
|
EF->__msan_scoped_enable_interceptor_checks();
|
|
|
|
|
}
|
|
|
|
|
~ScopedEnableMsanInterceptorChecks() {
|
|
|
|
|
if (EF->__msan_scoped_disable_interceptor_checks)
|
|
|
|
|
EF->__msan_scoped_disable_interceptor_checks();
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct ScopedDisableMsanInterceptorChecks {
|
|
|
|
|
ScopedDisableMsanInterceptorChecks() {
|
|
|
|
|
if (EF->__msan_scoped_disable_interceptor_checks)
|
|
|
|
|
EF->__msan_scoped_disable_interceptor_checks();
|
|
|
|
|
}
|
|
|
|
|
~ScopedDisableMsanInterceptorChecks() {
|
|
|
|
|
if (EF->__msan_scoped_enable_interceptor_checks)
|
|
|
|
|
EF->__msan_scoped_enable_interceptor_checks();
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2017-08-22 07:25:50 +08:00
|
|
|
} // namespace fuzzer
|
|
|
|
|
|
|
|
|
|
#endif // LLVM_FUZZER_INTERNAL_H
|