[lib/Fuzzer] minor refactoring/simplification, NFC
llvm-svn: 236757
parent
3f3b3abe2b
commit
7d470cfb0c
|
@ -287,4 +287,11 @@ void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
|
||||||
dfsan_label L2 = dfsan_read_label(s2, n);
|
dfsan_label L2 = dfsan_read_label(s2, n);
|
||||||
DFSan->DFSanCmpCallback(PC, n, ICMP_EQ, S1, S2, L1, L2);
|
DFSan->DFSanCmpCallback(PC, n, ICMP_EQ, S1, S2, L1, L2);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
|
||||||
|
uint64_t Arg2) {
|
||||||
|
// This symbol will be present if dfsan is disabled on the given function.
|
||||||
|
// FIXME: implement poor man's taint analysis here (w/o dfsan).
|
||||||
|
}
|
||||||
|
|
||||||
} // extern "C"
|
} // extern "C"
|
||||||
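Review bot: The new `__sanitizer_cov_trace_cmp` stub names all three parameters but uses none of them, which a -Wall build reports under -Wunused-parameter; until the FIXME is implemented either leave them unnamed, `void __sanitizer_cov_trace_cmp(uint64_t, uint64_t, uint64_t) {}`, or cast them to void. The header comment would serve a reader better if it said what the hook receives, e.g. `// Entry point for -fsanitize-coverage=trace-cmp instrumented code; SizeAndType presumably packs the operand width and the comparison predicate -- confirm against the instrumentation pass.` I cannot see from this hunk whether a matching declaration exists in a header, so the signature should be checked against it.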
|
|
|
@ -61,7 +61,7 @@ class Fuzzer {
|
||||||
};
|
};
|
||||||
Fuzzer(UserCallback Callback, FuzzingOptions Options);
|
Fuzzer(UserCallback Callback, FuzzingOptions Options);
|
||||||
void AddToCorpus(const Unit &U) { Corpus.push_back(U); }
|
void AddToCorpus(const Unit &U) { Corpus.push_back(U); }
|
||||||
size_t Loop(size_t NumIterations);
|
void Loop(size_t NumIterations);
|
||||||
void ShuffleAndMinimize();
|
void ShuffleAndMinimize();
|
||||||
void InitializeDFSan();
|
void InitializeDFSan();
|
||||||
size_t CorpusSize() const { return Corpus.size(); }
|
size_t CorpusSize() const { return Corpus.size(); }
|
||||||
|
@ -85,8 +85,10 @@ class Fuzzer {
|
||||||
private:
|
private:
|
||||||
void AlarmCallback();
|
void AlarmCallback();
|
||||||
void ExecuteCallback(const Unit &U);
|
void ExecuteCallback(const Unit &U);
|
||||||
size_t MutateAndTestOne(Unit *U);
|
void MutateAndTestOne(Unit *U);
|
||||||
|
void ReportNewCoverage(size_t NewCoverage, const Unit &U);
|
||||||
size_t RunOne(const Unit &U);
|
size_t RunOne(const Unit &U);
|
||||||
|
void RunOneAndUpdateCorpus(const Unit &U);
|
||||||
size_t RunOneMaximizeTotalCoverage(const Unit &U);
|
size_t RunOneMaximizeTotalCoverage(const Unit &U);
|
||||||
size_t RunOneMaximizeFullCoverageSet(const Unit &U);
|
size_t RunOneMaximizeFullCoverageSet(const Unit &U);
|
||||||
size_t RunOneMaximizeCoveragePairs(const Unit &U);
|
size_t RunOneMaximizeCoveragePairs(const Unit &U);
|
||||||
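Review bot: The new private declaration `ReportNewCoverage` names a function that does more than report: its definition in the .cpp appends the unit to Corpus, writes it to the output corpus and may call exit(0), so the declaration deserves a comment such as `// If NewCoverage is non-zero, records U in the corpus (in memory and on disk), prints stats, and exits when ExitOnFirst is set.` Likewise `RunOneAndUpdateCorpus` silently does nothing once TotalNumberOfRuns reaches MaxNumberOfRuns, and since callers cannot tell the unit was skipped that should be stated on the declaration. Changing `Loop` and `MutateAndTestOne` to return void drops the new-unit count; any caller that consumed the old size_t result lives outside this diff and should be checked.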
|
|
|
@ -143,6 +143,12 @@ size_t Fuzzer::RunOne(const Unit &U) {
|
||||||
return Res;
|
return Res;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void Fuzzer::RunOneAndUpdateCorpus(const Unit &U) {
|
||||||
|
if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
|
||||||
|
return;
|
||||||
|
ReportNewCoverage(RunOne(U), U);
|
||||||
|
}
|
||||||
|
|
||||||
static uintptr_t HashOfArrayOfPCs(uintptr_t *PCs, uintptr_t NumPCs) {
|
static uintptr_t HashOfArrayOfPCs(uintptr_t *PCs, uintptr_t NumPCs) {
|
||||||
uintptr_t Res = 0;
|
uintptr_t Res = 0;
|
||||||
for (uintptr_t i = 0; i < NumPCs; i++) {
|
for (uintptr_t i = 0; i < NumPCs; i++) {
|
||||||
|
@ -259,55 +265,50 @@ void Fuzzer::SaveCorpus() {
|
||||||
<< Options.OutputCorpus << "\n";
|
<< Options.OutputCorpus << "\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
size_t Fuzzer::MutateAndTestOne(Unit *U) {
|
void Fuzzer::ReportNewCoverage(size_t NewCoverage, const Unit &U) {
|
||||||
size_t NewUnits = 0;
|
if (!NewCoverage) return;
|
||||||
for (int i = 0; i < Options.MutateDepth; i++) {
|
Corpus.push_back(U);
|
||||||
if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
|
|
||||||
return NewUnits;
|
|
||||||
MutateWithDFSan(U);
|
|
||||||
Mutate(U, Options.MaxLen);
|
|
||||||
size_t NewCoverage = RunOne(*U);
|
|
||||||
if (NewCoverage) {
|
|
||||||
Corpus.push_back(*U);
|
|
||||||
NewUnits++;
|
|
||||||
PrintStats("NEW ", NewCoverage, "");
|
PrintStats("NEW ", NewCoverage, "");
|
||||||
if (Options.Verbosity) {
|
if (Options.Verbosity) {
|
||||||
std::cerr << " L: " << U->size();
|
std::cerr << " L: " << U.size();
|
||||||
if (U->size() < 30) {
|
if (U.size() < 30) {
|
||||||
std::cerr << " ";
|
std::cerr << " ";
|
||||||
PrintUnitInASCIIOrTokens(*U, "\t");
|
PrintUnitInASCIIOrTokens(U, "\t");
|
||||||
Print(*U);
|
Print(U);
|
||||||
}
|
}
|
||||||
std::cerr << "\n";
|
std::cerr << "\n";
|
||||||
}
|
}
|
||||||
WriteToOutputCorpus(*U);
|
WriteToOutputCorpus(U);
|
||||||
if (Options.ExitOnFirst)
|
if (Options.ExitOnFirst)
|
||||||
exit(0);
|
exit(0);
|
||||||
}
|
|
||||||
}
|
|
||||||
return NewUnits;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
size_t Fuzzer::Loop(size_t NumIterations) {
|
void Fuzzer::MutateAndTestOne(Unit *U) {
|
||||||
size_t NewUnits = 0;
|
for (int i = 0; i < Options.MutateDepth; i++) {
|
||||||
|
MutateWithDFSan(U);
|
||||||
|
Mutate(U, Options.MaxLen);
|
||||||
|
RunOneAndUpdateCorpus(*U);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void Fuzzer::Loop(size_t NumIterations) {
|
||||||
for (size_t i = 1; i <= NumIterations; i++) {
|
for (size_t i = 1; i <= NumIterations; i++) {
|
||||||
for (size_t J1 = 0; J1 < Corpus.size(); J1++) {
|
for (size_t J1 = 0; J1 < Corpus.size(); J1++) {
|
||||||
if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
|
if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
|
||||||
return NewUnits;
|
return;
|
||||||
// First, simply mutate the unit w/o doing crosses.
|
// First, simply mutate the unit w/o doing crosses.
|
||||||
CurrentUnit = Corpus[J1];
|
CurrentUnit = Corpus[J1];
|
||||||
NewUnits += MutateAndTestOne(&CurrentUnit);
|
MutateAndTestOne(&CurrentUnit);
|
||||||
// Now, cross with others.
|
// Now, cross with others.
|
||||||
if (Options.DoCrossOver) {
|
if (Options.DoCrossOver) {
|
||||||
for (size_t J2 = 0; J2 < Corpus.size(); J2++) {
|
for (size_t J2 = 0; J2 < Corpus.size(); J2++) {
|
||||||
CurrentUnit.clear();
|
CurrentUnit.clear();
|
||||||
CrossOver(Corpus[J1], Corpus[J2], &CurrentUnit, Options.MaxLen);
|
CrossOver(Corpus[J1], Corpus[J2], &CurrentUnit, Options.MaxLen);
|
||||||
NewUnits += MutateAndTestOne(&CurrentUnit);
|
MutateAndTestOne(&CurrentUnit);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return NewUnits;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
} // namespace fuzzer
|
} // namespace fuzzer
|
||||||
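Review bot: In `Fuzzer::ReportNewCoverage`, `Corpus.push_back(U)` runs before U is read again by `U.size()`, `PrintUnitInASCIIOrTokens(U, "\t")` and `WriteToOutputCorpus(U)`; if any caller of `RunOneAndUpdateCorpus` ever passes a reference to an element of Corpus itself, the push_back can reallocate and those later reads go through a dangling reference. The only caller visible here passes `*U` from `MutateAndTestOne`, i.e. the member `CurrentUnit`, which is safe, but the helper's `const Unit &` signature no longer makes that constraint visible; moving `Corpus.push_back(U);` to just after the `WriteToOutputCorpus(U);` line, still ahead of the ExitOnFirst check, removes the hazard. Separately, the commit is labelled NFC but `MutateAndTestOne` previously returned as soon as MaxNumberOfRuns was hit, whereas now `RunOneAndUpdateCorpus` returns silently and the remaining MutateDepth iterations still call `MutateWithDFSan` and `Mutate` with the result discarded; bounded but wasted work, and the same limit check already exists in `Loop`.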
|
|