2016-09-21 09:50:50 +08:00
|
|
|
//===- FuzzerCorpus.h - Internal header for the Fuzzer ----------*- C++ -* ===//
|
|
|
|
//
|
|
|
|
// The LLVM Compiler Infrastructure
|
|
|
|
//
|
|
|
|
// This file is distributed under the University of Illinois Open Source
|
|
|
|
// License. See LICENSE.TXT for details.
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
// fuzzer::InputCorpus
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
#ifndef LLVM_FUZZER_CORPUS
|
|
|
|
#define LLVM_FUZZER_CORPUS
|
|
|
|
|
2016-09-22 05:41:48 +08:00
|
|
|
#include <random>
|
2016-09-22 06:42:17 +08:00
|
|
|
#include <unordered_set>
|
2016-09-22 05:41:48 +08:00
|
|
|
|
2016-09-21 09:50:50 +08:00
|
|
|
#include "FuzzerDefs.h"
|
2016-09-22 05:41:48 +08:00
|
|
|
#include "FuzzerRandom.h"
|
2016-09-21 09:50:50 +08:00
|
|
|
|
|
|
|
namespace fuzzer {
|
|
|
|
|
|
|
|
struct InputInfo {
|
|
|
|
Unit U; // The actual input data.
|
2016-09-22 05:41:48 +08:00
|
|
|
uint8_t Sha1[kSHA1NumBytes]; // Checksum.
|
2016-09-22 06:42:17 +08:00
|
|
|
// Stats.
|
|
|
|
uintptr_t NumExecutedMutations = 0;
|
|
|
|
uintptr_t NumSuccessfullMutations = 0;
|
2016-09-22 09:34:58 +08:00
|
|
|
|
|
|
|
// A set of features (PCIDs, etc) that were first found with this unit.
|
|
|
|
std::vector<uintptr_t> Features;
|
2016-09-21 09:50:50 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
class InputCorpus {
|
|
|
|
public:
|
|
|
|
InputCorpus() {
|
2016-09-22 05:41:48 +08:00
|
|
|
Inputs.reserve(1 << 14); // Avoid too many resizes.
|
2016-09-21 09:50:50 +08:00
|
|
|
}
|
2016-09-22 05:41:48 +08:00
|
|
|
size_t size() const { return Inputs.size(); }
|
|
|
|
bool empty() const { return Inputs.empty(); }
|
|
|
|
const Unit &operator[] (size_t Idx) const { return Inputs[Idx].U; }
|
2016-09-22 09:34:58 +08:00
|
|
|
void AddToCorpus(const Unit &U, uintptr_t *Features, size_t NumFeatures) {
|
|
|
|
uint8_t Hash[kSHA1NumBytes];
|
|
|
|
ComputeSHA1(U.data(), U.size(), Hash);
|
|
|
|
if (!Hashes.insert(Sha1ToString(Hash)).second) return;
|
|
|
|
Inputs.push_back(InputInfo());
|
|
|
|
InputInfo &II = Inputs.back();
|
2016-09-21 09:50:50 +08:00
|
|
|
II.U = U;
|
2016-09-22 09:34:58 +08:00
|
|
|
II.Features.insert(II.Features.begin(), Features, Features + NumFeatures);
|
|
|
|
memcpy(II.Sha1, Hash, kSHA1NumBytes);
|
2016-09-22 05:41:48 +08:00
|
|
|
UpdateCorpusDistribution();
|
2016-09-21 09:50:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
typedef const std::vector<InputInfo>::const_iterator ConstIter;
|
2016-09-22 05:41:48 +08:00
|
|
|
ConstIter begin() const { return Inputs.begin(); }
|
|
|
|
ConstIter end() const { return Inputs.end(); }
|
2016-09-21 09:50:50 +08:00
|
|
|
|
|
|
|
bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }
|
2016-09-22 06:42:17 +08:00
|
|
|
InputInfo &ChooseUnitToMutate(Random &Rand) {
|
2016-09-22 05:41:48 +08:00
|
|
|
return Inputs[ChooseUnitIdxToMutate(Rand)];
|
|
|
|
};
|
|
|
|
|
|
|
|
// Returns an index of random unit from the corpus to mutate.
|
|
|
|
// Hypothesis: units added to the corpus last are more likely to be
|
|
|
|
// interesting. This function gives more weight to the more recent units.
|
|
|
|
size_t ChooseUnitIdxToMutate(Random &Rand) {
|
2016-09-22 06:42:17 +08:00
|
|
|
size_t Idx = static_cast<size_t>(CorpusDistribution(Rand.Get_mt19937()));
|
2016-09-22 05:41:48 +08:00
|
|
|
assert(Idx < Inputs.size());
|
|
|
|
return Idx;
|
|
|
|
}
|
|
|
|
|
2016-09-22 06:42:17 +08:00
|
|
|
void PrintStats() {
|
|
|
|
for (size_t i = 0; i < Inputs.size(); i++) {
|
|
|
|
const auto &II = Inputs[i];
|
2016-09-22 09:34:58 +08:00
|
|
|
Printf(" [%zd %s]\tsz: %zd\truns: %zd\tsucc: %zd\tfea: %zd\n", i,
|
2016-09-22 06:42:17 +08:00
|
|
|
Sha1ToString(II.Sha1).c_str(), II.U.size(),
|
2016-09-22 09:34:58 +08:00
|
|
|
II.NumExecutedMutations, II.NumSuccessfullMutations,
|
|
|
|
II.Features.size());
|
2016-09-22 06:42:17 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-09-22 05:41:48 +08:00
|
|
|
private:
|
|
|
|
|
|
|
|
// Updates the probability distribution for the units in the corpus.
|
|
|
|
// Must be called whenever the corpus or unit weights are changed.
|
|
|
|
void UpdateCorpusDistribution() {
|
|
|
|
size_t N = Inputs.size();
|
|
|
|
std::vector<double> Intervals(N + 1);
|
|
|
|
std::vector<double> Weights(N);
|
|
|
|
std::iota(Intervals.begin(), Intervals.end(), 0);
|
|
|
|
std::iota(Weights.begin(), Weights.end(), 1);
|
|
|
|
CorpusDistribution = std::piecewise_constant_distribution<double>(
|
|
|
|
Intervals.begin(), Intervals.end(), Weights.begin());
|
|
|
|
}
|
|
|
|
std::piecewise_constant_distribution<double> CorpusDistribution;
|
2016-09-21 09:50:50 +08:00
|
|
|
|
|
|
|
std::unordered_set<std::string> Hashes;
|
2016-09-22 05:41:48 +08:00
|
|
|
std::vector<InputInfo> Inputs;
|
2016-09-21 09:50:50 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
} // namespace fuzzer
|
|
|
|
|
|
|
|
#endif // LLVM_FUZZER_CORPUS
|