This is an archive of the discontinued LLVM Phabricator instance.

Differential D100303

[fuzzer] Print reloaded file paths
ClosedPublic

Authored by SweetVishnya on Apr 12 2021, 6:42 AM.

Details

Reviewers
kcc
morehouse
Commits
rG827ccc93b8f3: [fuzzer] Print reloaded file paths
Summary

In order to integrate libFuzzer with a dynamic symbolic execution tool
Sydr we need to print loaded file paths.

Diff Detail

Event Timeline

SweetVishnya requested review of this revision.Apr 12 2021, 6:42 AM
SweetVishnya created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptApr 12 2021, 6:42 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B98265: Diff 336821.Apr 12 2021, 7:11 AM
SweetVishnya added a reviewer: morehouse.Apr 14 2021, 1:13 AM
SweetVishnya added a comment.Apr 14 2021, 1:23 AM

Should I reformat the code outside of my patch to make build green?

morehouse added a comment.Apr 14 2021, 9:18 AM

What are you trying to do with symbolic execution that requires this patch?

In D100303#2688144, @SweetVishnya wrote:

Should I reformat the code outside of my patch to make build green?

Not a big deal either way, but feel free to delete the extra line if you want.

SweetVishnya added a comment.Apr 14 2021, 9:45 AM

We integrated our dynamic symbolic execution tool (Sydr) with libFuzzer. We feed generated inputs from Sydr to libFuzzer corpus. We need to know loaded (good) inputs to:

  1. Evaluate symbolic execution profit. We want to know which files were taken from Sydr.
  2. We should delete files that were not loaded by libFuzzer to keep corpus neat.
  3. Also, we want to know which files exactly made the profit (RELOAD -> +cov/+feature).
SweetVishnya added a comment.Apr 14 2021, 9:51 AM

We mostly lean on fuzzer to detect crashes and estimate inputs. We want to delete discarded inputs. So, they won't be given to DSE as inputs.

morehouse added a comment.Apr 14 2021, 12:02 PM
In D100303#2689282, @SweetVishnya wrote:

We integrated our dynamic symbolic execution tool (Sydr) with libFuzzer. We feed generated inputs from Sydr to libFuzzer corpus. We need to know loaded (good) inputs to:

  1. Evaluate symbolic execution profit. We want to know which files were taken from Sydr.
  2. We should delete files that were not loaded by libFuzzer to keep corpus neat.
  3. Also, we want to know which files exactly made the profit (RELOAD -> +cov/+feature).

Very cool, makes sense. Any plans to open source this work? I would be very interested in your results.

compiler-rt/lib/fuzzer/FuzzerLoop.cpp
418
426

Since we need the index anyway now, let's refactor the loop to use the index for both AdditionalCorpus and AdditionalCorpusPaths.

SweetVishnya updated this revision to Diff 337719.Apr 15 2021, 4:42 AM
SweetVishnya edited the summary of this revision. (Show Details)

Fix all review issues

SweetVishnya marked 2 inline comments as done.Apr 15 2021, 4:47 AM

Very cool, makes sense. Any plans to open source this work? I would be very interested in your results.

It is a closed source project for now, but we have a paper [1] and going to write a new one this Fall. We still try to open source the underlying parts in open source projects like Triton, DynamoRIO, and now LLVM. We are still undecided about the future. Maybe we will open source it partially.

[1] https://arxiv.org/abs/2011.09269

Harbormaster completed remote builds in B98883: Diff 337719.Apr 15 2021, 6:11 AM
morehouse accepted this revision.Apr 15 2021, 7:53 AM

LGTM

This revision is now accepted and ready to land.Apr 15 2021, 7:53 AM
Closed by commit rG827ccc93b8f3: [fuzzer] Print reloaded file paths (authored by SweetVishnya, committed by morehouse). · Explain WhyApr 16 2021, 10:00 AM
This revision was automatically updated to reflect the committed changes.
morehouse added a commit: rG827ccc93b8f3: [fuzzer] Print reloaded file paths.

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
5 lines
11 lines
14 lines

Diff 338161

compiler-rt/lib/fuzzer/FuzzerIO.h

Show All 26 Lines
void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path); void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path);
// Write Data.c_str() to the file without terminating null character. // Write Data.c_str() to the file without terminating null character.
void WriteToFile(const std::string &Data, const std::string &Path); void WriteToFile(const std::string &Data, const std::string &Path);
void WriteToFile(const Unit &U, const std::string &Path); void WriteToFile(const Unit &U, const std::string &Path);
void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path); void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path);
void AppendToFile(const std::string &Data, const std::string &Path); void AppendToFile(const std::string &Data, const std::string &Path);
void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V, void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V, long *Epoch,
long *Epoch, size_t MaxSize, bool ExitOnError); size_t MaxSize, bool ExitOnError,
Vector<std::string> *VPaths = 0);
// Returns "Dir/FileName" or equivalent for the current OS. // Returns "Dir/FileName" or equivalent for the current OS.
std::string DirPlusFile(const std::string &DirPath, std::string DirPlusFile(const std::string &DirPath,
const std::string &FileName); const std::string &FileName);
// Returns the name of the dir, similar to the 'dirname' utility. // Returns the name of the dir, similar to the 'dirname' utility.
std::string DirName(const std::string &FileName); std::string DirName(const std::string &FileName);
▲ Show 20 LinesShow All 68 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerIO.cpp

Show First 20 LinesShow All 84 Lines▼ Show 20 Lines
void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path) { void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path) {
FILE *Out = fopen(Path.c_str(), "a"); FILE *Out = fopen(Path.c_str(), "a");
if (!Out) if (!Out)
return; return;
fwrite(Data, sizeof(Data[0]), Size, Out); fwrite(Data, sizeof(Data[0]), Size, Out);
fclose(Out); fclose(Out);
} }
void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V, void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V, long *Epoch,
long *Epoch, size_t MaxSize, bool ExitOnError) { size_t MaxSize, bool ExitOnError,
Vector<std::string> *VPaths) {
long E = Epoch ? *Epoch : 0; long E = Epoch ? *Epoch : 0;
Vector<std::string> Files; Vector<std::string> Files;
ListFilesInDirRecursive(Path, Epoch, &Files, /*TopDir*/true); ListFilesInDirRecursive(Path, Epoch, &Files, /*TopDir*/true);
size_t NumLoaded = 0; size_t NumLoaded = 0;
for (size_t i = 0; i < Files.size(); i++) { for (size_t i = 0; i < Files.size(); i++) {
auto &X = Files[i]; auto &X = Files[i];
if (Epoch && GetEpoch(X) < E) continue; if (Epoch && GetEpoch(X) < E) continue;
NumLoaded++; NumLoaded++;
if ((NumLoaded & (NumLoaded - 1)) == 0 && NumLoaded >= 1024) if ((NumLoaded & (NumLoaded - 1)) == 0 && NumLoaded >= 1024)
Printf("Loaded %zd/%zd files from %s\n", NumLoaded, Files.size(), Path); Printf("Loaded %zd/%zd files from %s\n", NumLoaded, Files.size(), Path);
auto S = FileToVector(X, MaxSize, ExitOnError); auto S = FileToVector(X, MaxSize, ExitOnError);
if (!S.empty()) if (!S.empty()) {
V->push_back(S); V->push_back(S);
if (VPaths)
VPaths->push_back(X);
}
} }
} }
void GetSizedFilesFromDir(const std::string &Dir, Vector<SizedFile> *V) { void GetSizedFilesFromDir(const std::string &Dir, Vector<SizedFile> *V) {
Vector<std::string> Files; Vector<std::string> Files;
ListFilesInDirRecursive(Dir, 0, &Files, /*TopDir*/true); ListFilesInDirRecursive(Dir, 0, &Files, /*TopDir*/true);
for (auto &File : Files) for (auto &File : Files)
if (size_t Size = FileSize(File)) if (size_t Size = FileSize(File))
V->push_back({File, Size}); V->push_back({File, Size});
} }
▲ Show 20 LinesShow All 86 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 408 Lines▼ Show 20 Lines if (!Options.ExitOnItem.empty()) {
} }
} }
} }
void Fuzzer::RereadOutputCorpus(size_t MaxSize) { void Fuzzer::RereadOutputCorpus(size_t MaxSize) {
if (Options.OutputCorpus.empty() || !Options.ReloadIntervalSec) if (Options.OutputCorpus.empty() || !Options.ReloadIntervalSec)
return; return;
Vector<Unit> AdditionalCorpus; Vector<Unit> AdditionalCorpus;
ReadDirToVectorOfUnits(Options.OutputCorpus.c_str(), &AdditionalCorpus, Vector<std::string> AdditionalCorpusPaths;
ReadDirToVectorOfUnits(
morehouseUnsubmitted
Done
ReplyInline Actions
/*ExitOnError*/ false,
- (Options.Verbosity >= 2 ? &AdditionalCorpusPaths : 0));
+ (Options.Verbosity >= 2 ? &AdditionalCorpusPaths : nullptr));
if (Options.Verbosity >= 2)
morehouse:
Options.OutputCorpus.c_str(), &AdditionalCorpus,
&EpochOfLastReadOfOutputCorpus, MaxSize, &EpochOfLastReadOfOutputCorpus, MaxSize,
/*ExitOnError*/ false); /*ExitOnError*/ false,
(Options.Verbosity >= 2 ? &AdditionalCorpusPaths : nullptr));
if (Options.Verbosity >= 2) if (Options.Verbosity >= 2)
Printf("Reload: read %zd new units.\n", AdditionalCorpus.size()); Printf("Reload: read %zd new units.\n", AdditionalCorpus.size());
bool Reloaded = false; bool Reloaded = false;
for (auto &U : AdditionalCorpus) { for (size_t i = 0; i != AdditionalCorpus.size(); ++i) {
morehouseUnsubmitted
Done
ReplyInline Actions

Since we need the index anyway now, let's refactor the loop to use the index for both AdditionalCorpus and AdditionalCorpusPaths.

morehouse: Since we need the index anyway now, let's refactor the loop to use the index for both…
auto &U = AdditionalCorpus[i];
if (U.size() > MaxSize) if (U.size() > MaxSize)
U.resize(MaxSize); U.resize(MaxSize);
if (!Corpus.HasUnit(U)) { if (!Corpus.HasUnit(U)) {
if (RunOne(U.data(), U.size())) { if (RunOne(U.data(), U.size())) {
CheckExitOnSrcPosOrItem(); CheckExitOnSrcPosOrItem();
Reloaded = true; Reloaded = true;
if (Options.Verbosity >= 2)
Printf("Reloaded %s\n", AdditionalCorpusPaths[i].c_str());
} }
} }
} }
if (Reloaded) if (Reloaded)
PrintStats("RELOAD"); PrintStats("RELOAD");
} }
void Fuzzer::PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size) { void Fuzzer::PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size) {
▲ Show 20 LinesShow All 488 LinesShow Last 20 Lines