This is an archive of the discontinued LLVM Phabricator instance.

Differential D20301

[libfuzzer] Trying random unit prefixes during corpus load.
ClosedPublic

Authored by aizatsky on May 16 2016, 2:29 PM.

Details

Reviewers
kcc
vitalybuka
Commits
rGaf432a45e321: [libfuzzer] Trying random unit prefixes during corpus load.
rL270632: [libfuzzer] Trying random unit prefixes during corpus load.

Diff Detail

Repository
rL LLVM

Event Timeline

aizatsky updated this revision to Diff 57400.May 16 2016, 2:29 PM
aizatsky updated this revision to Diff 57401.
aizatsky retitled this revision from to [libfuzzer] Trying random unit prefixes during corpus load..
aizatsky updated this object.

format.

aizatsky added reviewers: kcc, vitalybuka.May 16 2016, 2:30 PM
aizatsky added a project: Restricted Project.
aizatsky added a subscriber: llvm-commits.
kcc edited edge metadata.May 16 2016, 2:40 PM

I wonder if it makes sense to add a test here?

lib/Fuzzer/FuzzerLoop.cpp
360 ↗(On Diff #57401)

didn't you want to flush the coverage here?

382 ↗(On Diff #57401)

S < U.size() ?

vitalybuka added inline comments.May 16 2016, 3:08 PM
lib/Fuzzer/FuzzerLoop.cpp
382 ↗(On Diff #57401)

Probably unimportant here.

aizatsky updated this revision to Diff 58149.May 23 2016, 2:02 PM
aizatsky edited edge metadata.

fuzzer unit test.

aizatsky updated this revision to Diff 58150.May 23 2016, 2:06 PM
aizatsky marked 3 inline comments as done.

reset coverage.

aizatsky added a comment.May 23 2016, 2:06 PM

Added test and limited the number of truncation points. PTAL.

kcc added inline comments.May 23 2016, 3:01 PM
lib/Fuzzer/FuzzerFlags.def
87 ↗(On Diff #58150)

I'd prefer to have this flag of by default for now

lib/Fuzzer/FuzzerLoop.cpp
362 ↗(On Diff #58150)

no {}, same below

379 ↗(On Diff #58150)

do you expect duplicates here?

lib/Fuzzer/test/FuzzerUnittest.cpp
16 ↗(On Diff #58150)

make it static and not extern "C"

aizatsky updated this revision to Diff 58347.May 24 2016, 4:05 PM
aizatsky marked 2 inline comments as done.

review

lib/Fuzzer/FuzzerLoop.cpp
379 ↗(On Diff #58150)

There might be, but I don't really care. For big corpus there would be only one point.

kcc accepted this revision.May 24 2016, 4:08 PM
kcc edited edge metadata.

LGTM, ok as an off-by-default feature.
I am still not convinced it's good enough yet, will need to play and see.
Some things to check:

  • are there many duplicate sizes?
  • will this blow up the corpus too much?
This revision is now accepted and ready to land.May 24 2016, 4:08 PM
aizatsky added a comment.May 24 2016, 4:19 PM

My plan is to enable it for fuzzer in chrome with big units and see if units get smaller over time.

Closed by commit rL270632: [libfuzzer] Trying random unit prefixes during corpus load. (authored by aizatsky). · Explain WhyMay 24 2016, 4:20 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
lib/
Fuzzer/
1 line
1 line
6 lines
43 lines
test/
22 lines

Diff 58350

llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 324 Lines▼ Show 20 Lines if (Flags.dict)
if (!ParseDictionaryFile(FileToString(Flags.dict), &Dictionary)) if (!ParseDictionaryFile(FileToString(Flags.dict), &Dictionary))
return 1; return 1;
if (Flags.verbosity > 0 && !Dictionary.empty()) if (Flags.verbosity > 0 && !Dictionary.empty())
Printf("Dictionary: %zd entries\n", Dictionary.size()); Printf("Dictionary: %zd entries\n", Dictionary.size());
bool DoPlainRun = AllInputsAreFiles(); bool DoPlainRun = AllInputsAreFiles();
Options.SaveArtifacts = !DoPlainRun; Options.SaveArtifacts = !DoPlainRun;
Options.PrintNewCovPcs = Flags.print_new_cov_pcs; Options.PrintNewCovPcs = Flags.print_new_cov_pcs;
Options.PrintFinalStats = Flags.print_final_stats; Options.PrintFinalStats = Flags.print_final_stats;
Options.TruncateUnits = Flags.truncate_units;
unsigned Seed = Flags.seed; unsigned Seed = Flags.seed;
// Initialize Seed. // Initialize Seed.
if (Seed == 0) if (Seed == 0)
Seed = (std::chrono::system_clock::now().time_since_epoch().count() << 10) + Seed = (std::chrono::system_clock::now().time_since_epoch().count() << 10) +
getpid(); getpid();
if (Flags.verbosity) if (Flags.verbosity)
Printf("INFO: Seed: %u\n", Seed); Printf("INFO: Seed: %u\n", Seed);
▲ Show 20 LinesShow All 84 LinesShow Last 20 Lines

llvm/trunk/lib/Fuzzer/FuzzerFlags.def

Show First 20 LinesShow All 78 Lines▼ Show 20 Lines
FUZZER_FLAG_INT(handle_term, 1, "If 1, try to intercept SIGTERM.") FUZZER_FLAG_INT(handle_term, 1, "If 1, try to intercept SIGTERM.")
FUZZER_FLAG_INT(close_fd_mask, 0, "If 1, close stdout at startup; " FUZZER_FLAG_INT(close_fd_mask, 0, "If 1, close stdout at startup; "
"if 2, close stderr; if 3, close both. " "if 2, close stderr; if 3, close both. "
"Be careful, this will also close e.g. asan's stderr/stdout.") "Be careful, this will also close e.g. asan's stderr/stdout.")
FUZZER_FLAG_INT(detect_leaks, 1, "If 1, and if LeakSanitizer is enabled " FUZZER_FLAG_INT(detect_leaks, 1, "If 1, and if LeakSanitizer is enabled "
"try to detect memory leaks during fuzzing (i.e. not only at shut down).") "try to detect memory leaks during fuzzing (i.e. not only at shut down).")
FUZZER_FLAG_INT(rss_limit_mb, 2048, "If non-zero, the fuzzer will exit upon" FUZZER_FLAG_INT(rss_limit_mb, 2048, "If non-zero, the fuzzer will exit upon"
"reaching this limit of RSS memory usage.") "reaching this limit of RSS memory usage.")
FUZZER_FLAG_INT(truncate_units, 0, "Try truncated units when loading corpus.")
FUZZER_DEPRECATED_FLAG(exit_on_first) FUZZER_DEPRECATED_FLAG(exit_on_first)
FUZZER_DEPRECATED_FLAG(save_minimized_corpus) FUZZER_DEPRECATED_FLAG(save_minimized_corpus)
FUZZER_DEPRECATED_FLAG(sync_command) FUZZER_DEPRECATED_FLAG(sync_command)
FUZZER_DEPRECATED_FLAG(sync_timeout) FUZZER_DEPRECATED_FLAG(sync_timeout)
FUZZER_DEPRECATED_FLAG(test_single_input) FUZZER_DEPRECATED_FLAG(test_single_input)

llvm/trunk/lib/Fuzzer/FuzzerInternal.h

Show First 20 LinesShow All 311 Lines▼ Show 20 Lines struct FuzzingOptions {
std::string ArtifactPrefix = "./"; std::string ArtifactPrefix = "./";
std::string ExactArtifactPath; std::string ExactArtifactPath;
bool SaveArtifacts = true; bool SaveArtifacts = true;
bool PrintNEW = true; // Print a status line when new units are found; bool PrintNEW = true; // Print a status line when new units are found;
bool OutputCSV = false; bool OutputCSV = false;
bool PrintNewCovPcs = false; bool PrintNewCovPcs = false;
bool PrintFinalStats = false; bool PrintFinalStats = false;
bool DetectLeaks = true; bool DetectLeaks = true;
bool TruncateUnits = false;
}; };
// Aggregates all available coverage measurements. // Aggregates all available coverage measurements.
struct Coverage { struct Coverage {
Coverage() { Reset(); } Coverage() { Reset(); }
void Reset() { void Reset() {
BlockCoverage = 0; BlockCoverage = 0;
Show All 21 Linespublic:
Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options); Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options);
void AddToCorpus(const Unit &U) { void AddToCorpus(const Unit &U) {
Corpus.push_back(U); Corpus.push_back(U);
UpdateCorpusDistribution(); UpdateCorpusDistribution();
} }
size_t ChooseUnitIdxToMutate(); size_t ChooseUnitIdxToMutate();
const Unit &ChooseUnitToMutate() { return Corpus[ChooseUnitIdxToMutate()]; }; const Unit &ChooseUnitToMutate() { return Corpus[ChooseUnitIdxToMutate()]; };
void TruncateUnits(std::vector<Unit> *NewCorpus);
void Loop(); void Loop();
void Drill(); void Drill();
void ShuffleAndMinimize(); void ShuffleAndMinimize();
void InitializeTraceState(); void InitializeTraceState();
void AssignTaintLabels(uint8_t *Data, size_t Size); void AssignTaintLabels(uint8_t *Data, size_t Size);
size_t CorpusSize() const { return Corpus.size(); } size_t CorpusSize() const { return Corpus.size(); }
size_t MaxUnitSizeInCorpus() const; size_t MaxUnitSizeInCorpus() const;
void ReadDir(const std::string &Path, long *Epoch, size_t MaxSize) { void ReadDir(const std::string &Path, long *Epoch, size_t MaxSize) {
Show All 26 Linespublic:
void Merge(const std::vector<std::string> &Corpora); void Merge(const std::vector<std::string> &Corpora);
// Returns a subset of 'Extra' that adds coverage to 'Initial'. // Returns a subset of 'Extra' that adds coverage to 'Initial'.
UnitVector FindExtraUnits(const UnitVector &Initial, const UnitVector &Extra); UnitVector FindExtraUnits(const UnitVector &Initial, const UnitVector &Extra);
MutationDispatcher &GetMD() { return MD; } MutationDispatcher &GetMD() { return MD; }
void PrintFinalStats(); void PrintFinalStats();
void SetMaxLen(size_t MaxLen); void SetMaxLen(size_t MaxLen);
void RssLimitCallback(); void RssLimitCallback();
// Public for tests.
void ResetCoverage();
private: private:
void AlarmCallback(); void AlarmCallback();
void CrashCallback(); void CrashCallback();
void InterruptCallback(); void InterruptCallback();
void MutateAndTestOne(); void MutateAndTestOne();
void ReportNewCoverage(const Unit &U); void ReportNewCoverage(const Unit &U);
bool RunOne(const Unit &U) { return RunOne(U.data(), U.size()); } bool RunOne(const Unit &U) { return RunOne(U.data(), U.size()); }
void RunOneAndUpdateCorpus(uint8_t *Data, size_t Size); void RunOneAndUpdateCorpus(uint8_t *Data, size_t Size);
void WriteToOutputCorpus(const Unit &U); void WriteToOutputCorpus(const Unit &U);
void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix); void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix);
void PrintStats(const char *Where, const char *End = "\n"); void PrintStats(const char *Where, const char *End = "\n");
void PrintStatusForNewUnit(const Unit &U); void PrintStatusForNewUnit(const Unit &U);
void ShuffleCorpus(UnitVector *V); void ShuffleCorpus(UnitVector *V);
void TryDetectingAMemoryLeak(uint8_t *Data, size_t Size); void TryDetectingAMemoryLeak(uint8_t *Data, size_t Size);
void CheckForMemoryLeaks(); void CheckForMemoryLeaks();
// Updates the probability distribution for the units in the corpus. // Updates the probability distribution for the units in the corpus.
// Must be called whenever the corpus or unit weights are changed. // Must be called whenever the corpus or unit weights are changed.
void UpdateCorpusDistribution(); void UpdateCorpusDistribution();
void ResetCoverage();
bool UpdateMaxCoverage(); bool UpdateMaxCoverage();
// Trace-based fuzzing: we run a unit with some kind of tracing // Trace-based fuzzing: we run a unit with some kind of tracing
// enabled and record potentially useful mutations. Then // enabled and record potentially useful mutations. Then
// We apply these mutations one by one to the unit and run it again. // We apply these mutations one by one to the unit and run it again.
// Start tracing; forget all previously proposed mutations. // Start tracing; forget all previously proposed mutations.
void StartTraceRecording(); void StartTraceRecording();
Show All 38 Lines

llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 53 Lines▼ Show 20 Lines
__attribute__((weak)) void __sanitizer_free_hook(void *ptr); __attribute__((weak)) void __sanitizer_free_hook(void *ptr);
__attribute__((weak)) void __lsan_enable(); __attribute__((weak)) void __lsan_enable();
__attribute__((weak)) void __lsan_disable(); __attribute__((weak)) void __lsan_disable();
__attribute__((weak)) int __lsan_do_recoverable_leak_check(); __attribute__((weak)) int __lsan_do_recoverable_leak_check();
} }
namespace fuzzer { namespace fuzzer {
static const size_t kMaxUnitSizeToPrint = 256; static const size_t kMaxUnitSizeToPrint = 256;
static const size_t TruncateMaxRuns = 1000;
static void MissingWeakApiFunction(const char *FnName) { static void MissingWeakApiFunction(const char *FnName) {
Printf("ERROR: %s is not defined. Exiting.\n" Printf("ERROR: %s is not defined. Exiting.\n"
"Did you use -fsanitize-coverage=... to build your code?\n", "Did you use -fsanitize-coverage=... to build your code?\n",
FnName); FnName);
exit(1); exit(1);
} }
▲ Show 20 LinesShow All 278 Lines▼ Show 20 Lines
void Fuzzer::ShuffleCorpus(UnitVector *V) { void Fuzzer::ShuffleCorpus(UnitVector *V) {
std::random_shuffle(V->begin(), V->end(), MD.GetRand()); std::random_shuffle(V->begin(), V->end(), MD.GetRand());
if (Options.PreferSmall) if (Options.PreferSmall)
std::stable_sort(V->begin(), V->end(), [](const Unit &A, const Unit &B) { std::stable_sort(V->begin(), V->end(), [](const Unit &A, const Unit &B) {
return A.size() < B.size(); return A.size() < B.size();
}); });
} }
// Tries random prefixes of corpus items.
// Prefix length is chosen according to exponential distribution
// to sample short lengths much more heavily.
void Fuzzer::TruncateUnits(std::vector<Unit> *NewCorpus) {
size_t MaxCorpusLen = 0;
for (const auto &U : Corpus)
MaxCorpusLen = std::max(MaxCorpusLen, U.size());
if (MaxCorpusLen <= 1)
return;
// 50% of exponential distribution is Log[2]/lambda.
// Choose lambda so that median is MaxCorpusLen / 2.
double Lambda = 2.0 * log(2.0) / static_cast<double>(MaxCorpusLen);
std::exponential_distribution<> Dist(Lambda);
std::vector<double> Sizes;
size_t TruncatePoints = std::max(1ul, TruncateMaxRuns / Corpus.size());
Sizes.reserve(TruncatePoints);
for (size_t I = 0; I < TruncatePoints; ++I) {
Sizes.push_back(Dist(MD.GetRand().Get_mt19937()) + 1);
}
std::sort(Sizes.begin(), Sizes.end());
for (size_t S : Sizes) {
for (const auto &U : Corpus) {
if (S < U.size() && RunOne(U.data(), S)) {
Unit U1(U.begin(), U.begin() + S);
NewCorpus->push_back(U1);
WriteToOutputCorpus(U1);
PrintStatusForNewUnit(U1);
}
}
}
PrintStats("TRUNC ");
}
void Fuzzer::ShuffleAndMinimize() { void Fuzzer::ShuffleAndMinimize() {
PrintStats("READ "); PrintStats("READ ");
std::vector<Unit> NewCorpus; std::vector<Unit> NewCorpus;
if (Options.ShuffleAtStartUp) if (Options.ShuffleAtStartUp)
ShuffleCorpus(&Corpus); ShuffleCorpus(&Corpus);
if (Options.TruncateUnits) {
ResetCoverage();
TruncateUnits(&NewCorpus);
ResetCoverage();
}
for (const auto &U : Corpus) { for (const auto &U : Corpus) {
if (RunOne(U)) { if (RunOne(U)) {
NewCorpus.push_back(U); NewCorpus.push_back(U);
if (Options.Verbosity >= 2) if (Options.Verbosity >= 2)
Printf("NEW0: %zd L %zd\n", MaxCoverage.BlockCoverage, U.size()); Printf("NEW0: %zd L %zd\n", MaxCoverage.BlockCoverage, U.size());
} }
} }
Corpus = NewCorpus; Corpus = NewCorpus;
▲ Show 20 LinesShow All 414 LinesShow Last 20 Lines

llvm/trunk/lib/Fuzzer/test/FuzzerUnittest.cpp

// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
#include "FuzzerInternal.h" #include "FuzzerInternal.h"
#include "gtest/gtest.h" #include "gtest/gtest.h"
#include <set> #include <set>
using namespace fuzzer; using namespace fuzzer;
// For now, have LLVMFuzzerTestOneInput just to make it link. // For now, have LLVMFuzzerTestOneInput just to make it link.
// Later we may want to make unittests that actually call LLVMFuzzerTestOneInput. // Later we may want to make unittests that actually call LLVMFuzzerTestOneInput.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
abort(); abort();
} }
static int EmptyLLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
return 0;
}
TEST(Fuzzer, CrossOver) { TEST(Fuzzer, CrossOver) {
Random Rand(0); Random Rand(0);
MutationDispatcher MD(Rand); MutationDispatcher MD(Rand);
Unit A({0, 1, 2}), B({5, 6, 7}); Unit A({0, 1, 2}), B({5, 6, 7});
Unit C; Unit C;
Unit Expected[] = { Unit Expected[] = {
{ 0 }, { 0 },
{ 0, 1 }, { 0, 1 },
▲ Show 20 LinesShow All 394 Lines▼ Show 20 LinesTEST(Corpus, Distribution) {
for (size_t i = 0; i < N * TriesPerUnit; i++) { for (size_t i = 0; i < N * TriesPerUnit; i++) {
Hist[Fuzz.ChooseUnitIdxToMutate()]++; Hist[Fuzz.ChooseUnitIdxToMutate()]++;
} }
for (size_t i = 0; i < N; i++) { for (size_t i = 0; i < N; i++) {
// A weak sanity check that every unit gets invoked. // A weak sanity check that every unit gets invoked.
EXPECT_GT(Hist[i], TriesPerUnit / N / 3); EXPECT_GT(Hist[i], TriesPerUnit / N / 3);
} }
} }
TEST(Corpus, TruncateUnits) {
Random Rand(0);
MutationDispatcher MD(Rand);
Fuzzer::FuzzingOptions Options;
Options.OutputCorpus = ""; // stops from writing new units.
Fuzzer Fuzz(EmptyLLVMFuzzerTestOneInput, MD, Options);
Fuzz.AddToCorpus(Unit(1024, static_cast<uint8_t>(1)));
Fuzz.ResetCoverage();
std::vector<Unit> NewCorpus;
Fuzz.TruncateUnits(&NewCorpus);
// New corpus should have a shorter unit.
EXPECT_EQ(1ul, NewCorpus.size());
EXPECT_EQ(1ul, NewCorpus[0].size());
}