This is an archive of the discontinued LLVM Phabricator instance.

Bear with me, this report is a bit strange but I'm sure we can find a good explanation for it. The code looks fine, I think it has uncovered something else.

Since this commit, our 2 stage aarch64 bots have been failing on one particular test:
https://lab.llvm.org/buildbot/#/builders/185/builds/260

I haven't seen this on any other bots. The odd thing is that stage 1, which we build with clang-12, is fine.

The error itself is:

/tmp/FlagsTest-19213f.o: In function `sancov.module_ctor_8bit_counters':
FlagsTest.cpp:(.text.sancov.module_ctor_8bit_counters[sancov.module_ctor_8bit_counters]+0x14): undefined reference to `__start___sancov_cntrs'
FlagsTest.cpp:(.text.sancov.module_ctor_8bit_counters[sancov.module_ctor_8bit_counters]+0x18): undefined reference to `__stop___sancov_cntrs'
<...>

I looked at the IR for the test file and it was identical with this commit reverted. (which makes a lot of sense but just for sanity) I saw that these _sancov_cntrs etc. are defined in the IR. (I thought they might be in the fuzzer lib instead for example)

So the weird thing is, why doesn't the linker just find the definitions inside the file?

If I add -c to the command lit runs, and examine the pre-link objects:

$ objdump -h /tmp/not_working | grep sancov
 18 .text.sancov.module_ctor_8bit_counters 00000048  0000000000000000  0000000000000000  00002bb8  2**2
 23 __sancov_cntrs 00000008  0000000000000000  0000000000000000  00002e08  2**0
 24 __sancov_pcs  00000080  0000000000000000  0000000000000000  00002e10  2**3
 25 __sancov_cntrs 0000002d  0000000000000000  0000000000000000  00002e90  2**0
 26 __sancov_pcs  000002d0  0000000000000000  0000000000000000  00002ec0  2**3
 27 __sancov_cntrs 0000000a  0000000000000000  0000000000000000  00003190  2**0
 28 __sancov_pcs  000000a0  0000000000000000  0000000000000000  000031a0  2**3
 29 __sancov_cntrs 0000001e  0000000000000000  0000000000000000  00003240  2**0
 30 __sancov_pcs  000001e0  0000000000000000  0000000000000000  00003260  2**3
 31 __sancov_cntrs 0000001a  0000000000000000  0000000000000000  00003440  2**0
 32 __sancov_pcs  000001a0  0000000000000000  0000000000000000  00003460  2**3
 33 __sancov_cntrs 00000001  0000000000000000  0000000000000000  00003600  2**0
 34 __sancov_pcs  00000010  0000000000000000  0000000000000000  00003608  2**3
$ objdump -h /tmp/working | grep sancov
 14 __sancov_pcs  00000780  0000000000520340  0000000000520340  00120340  2**3
 27 __sancov_cntrs 00000078  00000000005520d0  00000000005520d0  001420d0  2**0

It seems that module_ctor_8bit_counters in the working object has been placed into the .text section. Where in the not working object it's got its own section, plus we have way more __sancov_.... (whether that's a good thing or not)

Our buildbot is using lld, I tried this using ld as well and got the same results. So I'm assuming that it's not both linkers mishandling the same input, but something before that going wrong. (which would be why clang-12 stage 1 was fine but clang-14 stage 2 was not)

If we look at the symbols:

$ nm /tmp/not_working | grep sancov
                 U __sancov_lowest_stack
                 w __start___sancov_cntrs
                 w __start___sancov_pcs
                 w __stop___sancov_cntrs
                 w __stop___sancov_pcs
0000000000000000 t sancov.module_ctor_8bit_counters
$ nm /tmp/working | grep sancov
00000000004f08a0 T _ZN8__sancov11SancovFlags11SetDefaultsEv
00000000004f10d0 t _ZN8__sancov12_GLOBAL__N_119WriteModuleCoverageEPcPKcPKmm
00000000006ec278 b _ZN8__sancov12_GLOBAL__N_119pc_guard_controllerE
000000000051c768 r _ZN8__sancov12_GLOBAL__N_15MagicE
00000000004f08b0 T _ZN8__sancov21InitializeSancovFlagsEv
00000000006ec270 B _ZN8__sancov30sancov_flags_dont_use_directlyE
0000000000452410 W _ZTW21__sancov_lowest_stack
00000000004f0890 W __sancov_default_options
0000000000000008 B __sancov_lowest_stack
00000000005520d0 D __start___sancov_cntrs
0000000000520340 R __start___sancov_pcs
0000000000552148 D __stop___sancov_cntrs
0000000000520ac0 R __stop___sancov_pcs
000000000050704c t sancov.module_ctor_8bit_counters

The working object has resolved the _start__/_stop__ symbols before we go to the linker. I don't understand at the moment, how it does that and what might be going wrong in the failing case.

@MaskRay is this anything to do with https://reviews.llvm.org/D106246 ? (either way, you have been in this area do you have any pointers of how to investigate?)

The failure has resolved itself somehow. I'm going to see if I can find anything more but don't expect to.

DavidSpickett mentioned this in rG683147ff11cf: [compiler-rt][fuzzer] Xfail flags test on AArch64 Linux.Aug 11 2021, 6:56 AM

I spoke to soon and it's back again. I've xfailed the test in https://reviews.llvm.org/rG683147ff11cf115b071a0367bb7814db053b9c54.

FYI, the test failure totally wasn't anything to do with your patch.

For anyone else who might hit this, I've left the details on https://reviews.llvm.org/rGd4b193ca64e91c54487c52ac2f6eee5bd40e41ef. It's some issue with GNU ld <2.32 when handling objects created by a clang with the new pass manager enabled.

Revision Contents

Path

Size

compiler-rt/

lib/

fuzzer/

FuzzerBuiltinsMsvc.h

3 lines

FuzzerCommand.h

12 lines

FuzzerCorpus.h

21 lines

FuzzerDataFlowTrace.h

16 lines

FuzzerDataFlowTrace.cpp

30 lines

24 lines

9 lines

63 lines

4 lines

28 lines

8 lines

10 lines

3 lines

8 lines

8 lines

12 lines

30 lines

57 lines

18 lines

6 lines

2 lines

6 lines

4 lines

2 lines

FuzzerUtilWindows.cpp

2 lines

tests/

FuzzerUnittest.cpp

51 lines

Diff 363817

compiler-rt/lib/fuzzer/FuzzerBuiltinsMsvc.h

	Show All 35 Lines
	// compiler-rt/lib/builtins/int_lib.h which defines the __builtin functions used			// compiler-rt/lib/builtins/int_lib.h which defines the __builtin functions used
	// outside of Windows.			// outside of Windows.
	inline uint32_t Clzll(uint64_t X) {			inline uint32_t Clzll(uint64_t X) {
	unsigned long LeadZeroIdx = 0;			unsigned long LeadZeroIdx = 0;

	#if !defined(_M_ARM) && !defined(_M_X64)			#if !defined(_M_ARM) && !defined(_M_X64)
	// Scan the high 32 bits.			// Scan the high 32 bits.
	if (_BitScanReverse(&LeadZeroIdx, static_cast<unsigned long>(X >> 32)))			if (_BitScanReverse(&LeadZeroIdx, static_cast<unsigned long>(X >> 32)))
	return static_cast<int>(63 - (LeadZeroIdx + 32)); // Create a bit offset from the MSB.			return static_cast<int>(
				63 - (LeadZeroIdx + 32)); // Create a bit offset from the MSB.
	// Scan the low 32 bits.			// Scan the low 32 bits.
	if (_BitScanReverse(&LeadZeroIdx, static_cast<unsigned long>(X)))			if (_BitScanReverse(&LeadZeroIdx, static_cast<unsigned long>(X)))
	return static_cast<int>(63 - LeadZeroIdx);			return static_cast<int>(63 - LeadZeroIdx);

	#else			#else
	if (_BitScanReverse64(&LeadZeroIdx, X)) return 63 - LeadZeroIdx;			if (_BitScanReverse64(&LeadZeroIdx, X)) return 63 - LeadZeroIdx;
	#endif			#endif
	return 64;			return 64;
	Show All 14 Lines

compiler-rt/lib/fuzzer/FuzzerCommand.h

Show All 27 Lines	public:
// is immutable, meaning this flag effectively marks the end of the mutable		// is immutable, meaning this flag effectively marks the end of the mutable
// argument list.		// argument list.
static inline const char *ignoreRemainingArgs() {		static inline const char *ignoreRemainingArgs() {
return "-ignore_remaining_args=1";		return "-ignore_remaining_args=1";
}		}

Command() : CombinedOutAndErr(false) {}		Command() : CombinedOutAndErr(false) {}

explicit Command(const Vector<std::string> &ArgsToAdd)		explicit Command(const std::vector<std::string> &ArgsToAdd)
: Args(ArgsToAdd), CombinedOutAndErr(false) {}		: Args(ArgsToAdd), CombinedOutAndErr(false) {}

explicit Command(const Command &Other)		explicit Command(const Command &Other)
: Args(Other.Args), CombinedOutAndErr(Other.CombinedOutAndErr),		: Args(Other.Args), CombinedOutAndErr(Other.CombinedOutAndErr),
OutputFile(Other.OutputFile) {}		OutputFile(Other.OutputFile) {}

Command &operator=(const Command &Other) {		Command &operator=(const Command &Other) {
Args = Other.Args;		Args = Other.Args;
CombinedOutAndErr = Other.CombinedOutAndErr;		CombinedOutAndErr = Other.CombinedOutAndErr;
OutputFile = Other.OutputFile;		OutputFile = Other.OutputFile;
return *this;		return *this;
}		}

~Command() {}		~Command() {}

// Returns true if the given Arg is present in Args. Only checks up to		// Returns true if the given Arg is present in Args. Only checks up to
// "-ignore_remaining_args=1".		// "-ignore_remaining_args=1".
bool hasArgument(const std::string &Arg) const {		bool hasArgument(const std::string &Arg) const {
auto i = endMutableArgs();		auto i = endMutableArgs();
return std::find(Args.begin(), i, Arg) != i;		return std::find(Args.begin(), i, Arg) != i;
}		}

// Gets all of the current command line arguments, including those after		// Gets all of the current command line arguments, including those after
// "-ignore-remaining-args=1".		// "-ignore-remaining-args=1".
const Vector<std::string> &getArguments() const { return Args; }		const std::vector<std::string> &getArguments() const { return Args; }

// Adds the given argument before "-ignore_remaining_args=1", or at the end		// Adds the given argument before "-ignore_remaining_args=1", or at the end
// if that flag isn't present.		// if that flag isn't present.
void addArgument(const std::string &Arg) {		void addArgument(const std::string &Arg) {
Args.insert(endMutableArgs(), Arg);		Args.insert(endMutableArgs(), Arg);
}		}

// Adds all given arguments before "-ignore_remaining_args=1", or at the end		// Adds all given arguments before "-ignore_remaining_args=1", or at the end
// if that flag isn't present.		// if that flag isn't present.
void addArguments(const Vector<std::string> &ArgsToAdd) {		void addArguments(const std::vector<std::string> &ArgsToAdd) {
Args.insert(endMutableArgs(), ArgsToAdd.begin(), ArgsToAdd.end());		Args.insert(endMutableArgs(), ArgsToAdd.begin(), ArgsToAdd.end());
}		}

// Removes the given argument from the command argument list. Ignores any		// Removes the given argument from the command argument list. Ignores any
// occurrences after "-ignore_remaining_args=1", if present.		// occurrences after "-ignore_remaining_args=1", if present.
void removeArgument(const std::string &Arg) {		void removeArgument(const std::string &Arg) {
auto i = endMutableArgs();		auto i = endMutableArgs();
Args.erase(std::remove(Args.begin(), i, Arg), i);		Args.erase(std::remove(Args.begin(), i, Arg), i);
▲ Show 20 Lines • Show All 70 Lines • ▼ Show 20 Lines	if (!result.empty())
result = result.substr(0, result.length() - 1);		result = result.substr(0, result.length() - 1);
return result;		return result;
}		}

private:		private:
Command(Command &&Other) = delete;		Command(Command &&Other) = delete;
Command &operator=(Command &&Other) = delete;		Command &operator=(Command &&Other) = delete;

Vector<std::string>::iterator endMutableArgs() {		std::vector<std::string>::iterator endMutableArgs() {
return std::find(Args.begin(), Args.end(), ignoreRemainingArgs());		return std::find(Args.begin(), Args.end(), ignoreRemainingArgs());
}		}

Vector<std::string>::const_iterator endMutableArgs() const {		std::vector<std::string>::const_iterator endMutableArgs() const {
return std::find(Args.begin(), Args.end(), ignoreRemainingArgs());		return std::find(Args.begin(), Args.end(), ignoreRemainingArgs());
}		}

// The command arguments. Args[0] is the command name.		// The command arguments. Args[0] is the command name.
Vector<std::string> Args;		std::vector<std::string> Args;

// True indicates stderr is redirected to stdout.		// True indicates stderr is redirected to stdout.
bool CombinedOutAndErr;		bool CombinedOutAndErr;

// If not empty, stdout is redirected to the named file.		// If not empty, stdout is redirected to the named file.
std::string OutputFile;		std::string OutputFile;
};		};

} // namespace fuzzer		} // namespace fuzzer

#endif // LLVM_FUZZER_COMMAND_H		#endif // LLVM_FUZZER_COMMAND_H

compiler-rt/lib/fuzzer/FuzzerCorpus.h

Show All 33 Lines	struct InputInfo {
size_t Tmp = 0; // Used by ValidateFeatureSet.		size_t Tmp = 0; // Used by ValidateFeatureSet.
// Stats.		// Stats.
size_t NumExecutedMutations = 0;		size_t NumExecutedMutations = 0;
size_t NumSuccessfullMutations = 0;		size_t NumSuccessfullMutations = 0;
bool NeverReduce = false;		bool NeverReduce = false;
bool MayDeleteFile = false;		bool MayDeleteFile = false;
bool Reduced = false;		bool Reduced = false;
bool HasFocusFunction = false;		bool HasFocusFunction = false;
Vector<uint32_t> UniqFeatureSet;		std::vector<uint32_t> UniqFeatureSet;
Vector<uint8_t> DataFlowTraceForFocusFunction;		std::vector<uint8_t> DataFlowTraceForFocusFunction;
// Power schedule.		// Power schedule.
bool NeedsEnergyUpdate = false;		bool NeedsEnergyUpdate = false;
double Energy = 0.0;		double Energy = 0.0;
double SumIncidence = 0.0;		double SumIncidence = 0.0;
Vector<std::pair<uint32_t, uint16_t>> FeatureFreqs;		std::vector<std::pair<uint32_t, uint16_t>> FeatureFreqs;

// Delete feature Idx and its frequency from FeatureFreqs.		// Delete feature Idx and its frequency from FeatureFreqs.
bool DeleteFeatureFreq(uint32_t Idx) {		bool DeleteFeatureFreq(uint32_t Idx) {
if (FeatureFreqs.empty())		if (FeatureFreqs.empty())
return false;		return false;

// Binary search over local feature frequencies sorted by index.		// Binary search over local feature frequencies sorted by index.
auto Lower = std::lower_bound(FeatureFreqs.begin(), FeatureFreqs.end(),		auto Lower = std::lower_bound(FeatureFreqs.begin(), FeatureFreqs.end(),
▲ Show 20 Lines • Show All 147 Lines • ▼ Show 20 Lines	size_t NumInputsWithDataFlowTrace() {
});		});
}		}

bool empty() const { return Inputs.empty(); }		bool empty() const { return Inputs.empty(); }
const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }		const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
InputInfo *AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile,		InputInfo *AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile,
bool HasFocusFunction, bool NeverReduce,		bool HasFocusFunction, bool NeverReduce,
std::chrono::microseconds TimeOfUnit,		std::chrono::microseconds TimeOfUnit,
const Vector<uint32_t> &FeatureSet,		const std::vector<uint32_t> &FeatureSet,
const DataFlowTrace &DFT, const InputInfo *BaseII) {		const DataFlowTrace &DFT, const InputInfo *BaseII) {
assert(!U.empty());		assert(!U.empty());
if (FeatureDebug)		if (FeatureDebug)
Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);		Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);
// Inputs.size() is cast to uint32_t below.		// Inputs.size() is cast to uint32_t below.
assert(Inputs.size() < std::numeric_limits<uint32_t>::max());		assert(Inputs.size() < std::numeric_limits<uint32_t>::max());
Inputs.push_back(new InputInfo());		Inputs.push_back(new InputInfo());
InputInfo &II = *Inputs.back();		InputInfo &II = *Inputs.back();
Show All 32 Lines	void PrintUnit(const Unit &U) {
for (uint8_t C : U) {		for (uint8_t C : U) {
if (C != 'F' && C != 'U' && C != 'Z')		if (C != 'F' && C != 'U' && C != 'Z')
C = '.';		C = '.';
Printf("%c", C);		Printf("%c", C);
}		}
}		}

// Debug-only		// Debug-only
void PrintFeatureSet(const Vector<uint32_t> &FeatureSet) {		void PrintFeatureSet(const std::vector<uint32_t> &FeatureSet) {
if (!FeatureDebug) return;		if (!FeatureDebug) return;
Printf("{");		Printf("{");
for (uint32_t Feature: FeatureSet)		for (uint32_t Feature: FeatureSet)
Printf("%u,", Feature);		Printf("%u,", Feature);
Printf("}");		Printf("}");
}		}

// Debug-only		// Debug-only
▲ Show 20 Lines • Show All 50 Lines • ▼ Show 20 Lines	size_t ChooseUnitIdxToMutate(Random &Rand) {
return Idx;		return Idx;
}		}

void PrintStats() {		void PrintStats() {
for (size_t i = 0; i < Inputs.size(); i++) {		for (size_t i = 0; i < Inputs.size(); i++) {
const auto &II = *Inputs[i];		const auto &II = *Inputs[i];
Printf(" [% 3zd %s] sz: % 5zd runs: % 5zd succ: % 5zd focus: %d\n", i,		Printf(" [% 3zd %s] sz: % 5zd runs: % 5zd succ: % 5zd focus: %d\n", i,
Sha1ToString(II.Sha1).c_str(), II.U.size(),		Sha1ToString(II.Sha1).c_str(), II.U.size(),
II.NumExecutedMutations, II.NumSuccessfullMutations, II.HasFocusFunction);		II.NumExecutedMutations, II.NumSuccessfullMutations,
		II.HasFocusFunction);
}		}
}		}

void PrintFeatureSet() {		void PrintFeatureSet() {
for (size_t i = 0; i < kFeatureSetSize; i++) {		for (size_t i = 0; i < kFeatureSetSize; i++) {
if(size_t Sz = GetFeature(i))		if(size_t Sz = GetFeature(i))
Printf("[%zd: id %zd sz%zd] ", i, SmallestElementPerFeature[i], Sz);		Printf("[%zd: id %zd sz%zd] ", i, SmallestElementPerFeature[i], Sz);
}		}
▲ Show 20 Lines • Show All 221 Lines • ▼ Show 20 Lines	if (FeatureDebug) {
Printf("%f ", Weights[i]);		Printf("%f ", Weights[i]);
Printf("Weights\n");		Printf("Weights\n");
}		}
CorpusDistribution = std::piecewise_constant_distribution<double>(		CorpusDistribution = std::piecewise_constant_distribution<double>(
Intervals.begin(), Intervals.end(), Weights.begin());		Intervals.begin(), Intervals.end(), Weights.begin());
}		}
std::piecewise_constant_distribution<double> CorpusDistribution;		std::piecewise_constant_distribution<double> CorpusDistribution;

Vector<double> Intervals;		std::vector<double> Intervals;
Vector<double> Weights;		std::vector<double> Weights;

std::unordered_set<std::string> Hashes;		std::unordered_set<std::string> Hashes;
Vector<InputInfo*> Inputs;		std::vector<InputInfo *> Inputs;

size_t NumAddedFeatures = 0;		size_t NumAddedFeatures = 0;
size_t NumUpdatedFeatures = 0;		size_t NumUpdatedFeatures = 0;
uint32_t InputSizesPerFeature[kFeatureSetSize];		uint32_t InputSizesPerFeature[kFeatureSetSize];
uint32_t SmallestElementPerFeature[kFeatureSetSize];		uint32_t SmallestElementPerFeature[kFeatureSetSize];

bool DistributionNeedsUpdate = true;		bool DistributionNeedsUpdate = true;
uint16_t FreqOfMostAbundantRareFeature = 0;		uint16_t FreqOfMostAbundantRareFeature = 0;
uint16_t GlobalFeatureFreqs[kFeatureSetSize] = {};		uint16_t GlobalFeatureFreqs[kFeatureSetSize] = {};
Vector<uint32_t> RareFeatures;		std::vector<uint32_t> RareFeatures;

std::string OutputCorpus;		std::string OutputCorpus;
};		};

} // namespace fuzzer		} // namespace fuzzer

#endif // LLVM_FUZZER_CORPUS		#endif // LLVM_FUZZER_CORPUS

compiler-rt/lib/fuzzer/FuzzerDataFlowTrace.h

Show All 33 Lines
#include <unordered_map>		#include <unordered_map>
#include <unordered_set>		#include <unordered_set>
#include <vector>		#include <vector>
#include <string>		#include <string>

namespace fuzzer {		namespace fuzzer {

int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath,		int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath,
const Vector<SizedFile> &CorporaFiles);		const std::vector<SizedFile> &CorporaFiles);

class BlockCoverage {		class BlockCoverage {
public:		public:
// These functions guarantee no CoverageVector is longer than UINT32_MAX.		// These functions guarantee no CoverageVector is longer than UINT32_MAX.
bool AppendCoverage(std::istream &IN);		bool AppendCoverage(std::istream &IN);
bool AppendCoverage(const std::string &S);		bool AppendCoverage(const std::string &S);

size_t NumCoveredFunctions() const { return Functions.size(); }		size_t NumCoveredFunctions() const { return Functions.size(); }
Show All 21 Lines	uint32_t GetNumberOfCoveredBlocks(size_t FunctionId) {
const auto &Counters = It->second;		const auto &Counters = It->second;
uint32_t Result = 0;		uint32_t Result = 0;
for (auto Cnt: Counters)		for (auto Cnt: Counters)
if (Cnt)		if (Cnt)
Result++;		Result++;
return Result;		return Result;
}		}

Vector<double> FunctionWeights(size_t NumFunctions) const;		std::vector<double> FunctionWeights(size_t NumFunctions) const;
void clear() { Functions.clear(); }		void clear() { Functions.clear(); }

private:		private:
typedef Vector<uint32_t> CoverageVector;		typedef std::vector<uint32_t> CoverageVector;

uint32_t NumberOfCoveredBlocks(const CoverageVector &Counters) const {		uint32_t NumberOfCoveredBlocks(const CoverageVector &Counters) const {
uint32_t Res = 0;		uint32_t Res = 0;
for (auto Cnt : Counters)		for (auto Cnt : Counters)
if (Cnt)		if (Cnt)
Res++;		Res++;
return Res;		return Res;
}		}
Show All 19 Lines	private:
// Functions that have DFT entry.		// Functions that have DFT entry.
std::unordered_set<size_t> FunctionsWithDFT;		std::unordered_set<size_t> FunctionsWithDFT;
};		};

class DataFlowTrace {		class DataFlowTrace {
public:		public:
void ReadCoverage(const std::string &DirPath);		void ReadCoverage(const std::string &DirPath);
bool Init(const std::string &DirPath, std::string *FocusFunction,		bool Init(const std::string &DirPath, std::string *FocusFunction,
Vector<SizedFile> &CorporaFiles, Random &Rand);		std::vector<SizedFile> &CorporaFiles, Random &Rand);
void Clear() { Traces.clear(); }		void Clear() { Traces.clear(); }
const Vector<uint8_t> *Get(const std::string &InputSha1) const {		const std::vector<uint8_t> *Get(const std::string &InputSha1) const {
auto It = Traces.find(InputSha1);		auto It = Traces.find(InputSha1);
if (It != Traces.end())		if (It != Traces.end())
return &It->second;		return &It->second;
return nullptr;		return nullptr;
}		}

private:		private:
// Input's sha1 => DFT for the FocusFunction.		// Input's sha1 => DFT for the FocusFunction.
std::unordered_map<std::string, Vector<uint8_t> > Traces;		std::unordered_map<std::string, std::vector<uint8_t>> Traces;
BlockCoverage Coverage;		BlockCoverage Coverage;
std::unordered_set<std::string> CorporaHashes;		std::unordered_set<std::string> CorporaHashes;
};		};
} // namespace fuzzer		} // namespace fuzzer

#endif // LLVM_FUZZER_DATA_FLOW_TRACE		#endif // LLVM_FUZZER_DATA_FLOW_TRACE

compiler-rt/lib/fuzzer/FuzzerDataFlowTrace.cpp

Show First 20 Lines • Show All 46 Lines • ▼ Show 20 Lines	while (std::getline(IN, L, '\n')) {
std::stringstream SS(L.c_str() + 1);		std::stringstream SS(L.c_str() + 1);
size_t FunctionId = 0;		size_t FunctionId = 0;
SS >> FunctionId;		SS >> FunctionId;
if (L[0] == 'F') {		if (L[0] == 'F') {
FunctionsWithDFT.insert(FunctionId);		FunctionsWithDFT.insert(FunctionId);
continue;		continue;
}		}
if (L[0] != 'C') continue;		if (L[0] != 'C') continue;
Vector<uint32_t> CoveredBlocks;		std::vector<uint32_t> CoveredBlocks;
while (true) {		while (true) {
uint32_t BB = 0;		uint32_t BB = 0;
SS >> BB;		SS >> BB;
if (!SS) break;		if (!SS) break;
CoveredBlocks.push_back(BB);		CoveredBlocks.push_back(BB);
}		}
if (CoveredBlocks.empty()) return false;		if (CoveredBlocks.empty()) return false;
// Ensures no CoverageVector is longer than UINT32_MAX.		// Ensures no CoverageVector is longer than UINT32_MAX.
uint32_t NumBlocks = CoveredBlocks.back();		uint32_t NumBlocks = CoveredBlocks.back();
CoveredBlocks.pop_back();		CoveredBlocks.pop_back();
for (auto BB : CoveredBlocks)		for (auto BB : CoveredBlocks)
if (BB >= NumBlocks) return false;		if (BB >= NumBlocks) return false;
auto It = Functions.find(FunctionId);		auto It = Functions.find(FunctionId);
auto &Counters =		auto &Counters =
It == Functions.end()		It == Functions.end()
? Functions.insert({FunctionId, Vector<uint32_t>(NumBlocks)})		? Functions.insert({FunctionId, std::vector<uint32_t>(NumBlocks)})
.first->second		.first->second
: It->second;		: It->second;

if (Counters.size() != NumBlocks) return false; // wrong number of blocks.		if (Counters.size() != NumBlocks) return false; // wrong number of blocks.

Counters[0]++;		Counters[0]++;
for (auto BB : CoveredBlocks)		for (auto BB : CoveredBlocks)
Counters[BB]++;		Counters[BB]++;
}		}
return true;		return true;
}		}

// Assign weights to each function.		// Assign weights to each function.
// General principles:		// General principles:
// * any uncovered function gets weight 0.		// * any uncovered function gets weight 0.
// * a function with lots of uncovered blocks gets bigger weight.		// * a function with lots of uncovered blocks gets bigger weight.
// * a function with a less frequently executed code gets bigger weight.		// * a function with a less frequently executed code gets bigger weight.
Vector<double> BlockCoverage::FunctionWeights(size_t NumFunctions) const {		std::vector<double> BlockCoverage::FunctionWeights(size_t NumFunctions) const {
Vector<double> Res(NumFunctions);		std::vector<double> Res(NumFunctions);
for (auto It : Functions) {		for (auto It : Functions) {
auto FunctionID = It.first;		auto FunctionID = It.first;
auto Counters = It.second;		auto Counters = It.second;
assert(FunctionID < NumFunctions);		assert(FunctionID < NumFunctions);
auto &Weight = Res[FunctionID];		auto &Weight = Res[FunctionID];
// Give higher weight if the function has a DFT.		// Give higher weight if the function has a DFT.
Weight = FunctionsWithDFT.count(FunctionID) ? 1000. : 1;		Weight = FunctionsWithDFT.count(FunctionID) ? 1000. : 1;
// Give higher weight to functions with less frequently seen basic blocks.		// Give higher weight to functions with less frequently seen basic blocks.
Weight /= SmallestNonZeroCounter(Counters);		Weight /= SmallestNonZeroCounter(Counters);
// Give higher weight to functions with the most uncovered basic blocks.		// Give higher weight to functions with the most uncovered basic blocks.
Weight *= NumberOfUncoveredBlocks(Counters) + 1;		Weight *= NumberOfUncoveredBlocks(Counters) + 1;
}		}
return Res;		return Res;
}		}

void DataFlowTrace::ReadCoverage(const std::string &DirPath) {		void DataFlowTrace::ReadCoverage(const std::string &DirPath) {
Vector<SizedFile> Files;		std::vector<SizedFile> Files;
GetSizedFilesFromDir(DirPath, &Files);		GetSizedFilesFromDir(DirPath, &Files);
for (auto &SF : Files) {		for (auto &SF : Files) {
auto Name = Basename(SF.File);		auto Name = Basename(SF.File);
if (Name == kFunctionsTxt) continue;		if (Name == kFunctionsTxt) continue;
if (!CorporaHashes.count(Name)) continue;		if (!CorporaHashes.count(Name)) continue;
std::ifstream IF(SF.File);		std::ifstream IF(SF.File);
Coverage.AppendCoverage(IF);		Coverage.AppendCoverage(IF);
}		}
}		}

static void DFTStringAppendToVector(Vector<uint8_t> *DFT,		static void DFTStringAppendToVector(std::vector<uint8_t> *DFT,
const std::string &DFTString) {		const std::string &DFTString) {
assert(DFT->size() == DFTString.size());		assert(DFT->size() == DFTString.size());
for (size_t I = 0, Len = DFT->size(); I < Len; I++)		for (size_t I = 0, Len = DFT->size(); I < Len; I++)
(*DFT)[I] = DFTString[I] == '1';		(*DFT)[I] = DFTString[I] == '1';
}		}

// converts a string of '0' and '1' into a Vector<uint8_t>		// converts a string of '0' and '1' into a std::vector<uint8_t>
static Vector<uint8_t> DFTStringToVector(const std::string &DFTString) {		static std::vector<uint8_t> DFTStringToVector(const std::string &DFTString) {
Vector<uint8_t> DFT(DFTString.size());		std::vector<uint8_t> DFT(DFTString.size());
DFTStringAppendToVector(&DFT, DFTString);		DFTStringAppendToVector(&DFT, DFTString);
return DFT;		return DFT;
}		}

static bool ParseError(const char *Err, const std::string &Line) {		static bool ParseError(const char *Err, const std::string &Line) {
Printf("DataFlowTrace: parse error: %s: Line: %s\n", Err, Line.c_str());		Printf("DataFlowTrace: parse error: %s: Line: %s\n", Err, Line.c_str());
return false;		return false;
}		}
Show All 18 Lines	for (size_t I = 0; I < Len; I++) {
if (Beg[I] != '0' && Beg[I] != '1')		if (Beg[I] != '0' && Beg[I] != '1')
return ParseError("the trace should contain only 0 or 1", Line);		return ParseError("the trace should contain only 0 or 1", Line);
}		}
*DFTString = Beg;		*DFTString = Beg;
return true;		return true;
}		}

bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction,		bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction,
Vector<SizedFile> &CorporaFiles, Random &Rand) {		std::vector<SizedFile> &CorporaFiles, Random &Rand) {
if (DirPath.empty()) return false;		if (DirPath.empty()) return false;
Printf("INFO: DataFlowTrace: reading from '%s'\n", DirPath.c_str());		Printf("INFO: DataFlowTrace: reading from '%s'\n", DirPath.c_str());
Vector<SizedFile> Files;		std::vector<SizedFile> Files;
GetSizedFilesFromDir(DirPath, &Files);		GetSizedFilesFromDir(DirPath, &Files);
std::string L;		std::string L;
size_t FocusFuncIdx = SIZE_MAX;		size_t FocusFuncIdx = SIZE_MAX;
Vector<std::string> FunctionNames;		std::vector<std::string> FunctionNames;

// Collect the hashes of the corpus files.		// Collect the hashes of the corpus files.
for (auto &SF : CorporaFiles)		for (auto &SF : CorporaFiles)
CorporaHashes.insert(Hash(FileToVector(SF.File)));		CorporaHashes.insert(Hash(FileToVector(SF.File)));

// Read functions.txt		// Read functions.txt
std::ifstream IF(DirPlusFile(DirPath, kFunctionsTxt));		std::ifstream IF(DirPlusFile(DirPath, kFunctionsTxt));
size_t NumFunctions = 0;		size_t NumFunctions = 0;
while (std::getline(IF, L, '\n')) {		while (std::getline(IF, L, '\n')) {
FunctionNames.push_back(L);		FunctionNames.push_back(L);
NumFunctions++;		NumFunctions++;
if (*FocusFunction == L)		if (*FocusFunction == L)
FocusFuncIdx = NumFunctions - 1;		FocusFuncIdx = NumFunctions - 1;
}		}
if (!NumFunctions)		if (!NumFunctions)
return false;		return false;

if (*FocusFunction == "auto") {		if (*FocusFunction == "auto") {
// AUTOFOCUS works like this:		// AUTOFOCUS works like this:
// * reads the coverage data from the DFT files.		// * reads the coverage data from the DFT files.
// * assigns weights to functions based on coverage.		// * assigns weights to functions based on coverage.
// * chooses a random function according to the weights.		// * chooses a random function according to the weights.
ReadCoverage(DirPath);		ReadCoverage(DirPath);
auto Weights = Coverage.FunctionWeights(NumFunctions);		auto Weights = Coverage.FunctionWeights(NumFunctions);
Vector<double> Intervals(NumFunctions + 1);		std::vector<double> Intervals(NumFunctions + 1);
std::iota(Intervals.begin(), Intervals.end(), 0);		std::iota(Intervals.begin(), Intervals.end(), 0);
auto Distribution = std::piecewise_constant_distribution<double>(		auto Distribution = std::piecewise_constant_distribution<double>(
Intervals.begin(), Intervals.end(), Weights.begin());		Intervals.begin(), Intervals.end(), Weights.begin());
FocusFuncIdx = static_cast<size_t>(Distribution(Rand));		FocusFuncIdx = static_cast<size_t>(Distribution(Rand));
*FocusFunction = FunctionNames[FocusFuncIdx];		*FocusFunction = FunctionNames[FocusFuncIdx];
assert(FocusFuncIdx < NumFunctions);		assert(FocusFuncIdx < NumFunctions);
Printf("INFO: AUTOFOCUS: %zd %s\n", FocusFuncIdx,		Printf("INFO: AUTOFOCUS: %zd %s\n", FocusFuncIdx,
FunctionNames[FocusFuncIdx].c_str());		FunctionNames[FocusFuncIdx].c_str());
Show All 39 Lines	bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction,
}		}
Printf("INFO: DataFlowTrace: %zd trace files, %zd functions, "		Printf("INFO: DataFlowTrace: %zd trace files, %zd functions, "
"%zd traces with focus function\n",		"%zd traces with focus function\n",
NumTraceFiles, NumFunctions, NumTracesWithFocusFunction);		NumTraceFiles, NumFunctions, NumTracesWithFocusFunction);
return NumTraceFiles > 0;		return NumTraceFiles > 0;
}		}

int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath,		int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath,
const Vector<SizedFile> &CorporaFiles) {		const std::vector<SizedFile> &CorporaFiles) {
Printf("INFO: collecting data flow: bin: %s dir: %s files: %zd\n",		Printf("INFO: collecting data flow: bin: %s dir: %s files: %zd\n",
DFTBinary.c_str(), DirPath.c_str(), CorporaFiles.size());		DFTBinary.c_str(), DirPath.c_str(), CorporaFiles.size());
if (CorporaFiles.empty()) {		if (CorporaFiles.empty()) {
Printf("ERROR: can't collect data flow without corpus provided.");		Printf("ERROR: can't collect data flow without corpus provided.");
return 1;		return 1;
}		}

static char DFSanEnv[] = "DFSAN_OPTIONS=warn_unimplemented=0";		static char DFSanEnv[] = "DFSAN_OPTIONS=warn_unimplemented=0";
putenv(DFSanEnv);		putenv(DFSanEnv);
MkDir(DirPath);		MkDir(DirPath);
for (auto &F : CorporaFiles) {		for (auto &F : CorporaFiles) {
// For every input F we need to collect the data flow and the coverage.		// For every input F we need to collect the data flow and the coverage.
// Data flow collection may fail if we request too many DFSan tags at once.		// Data flow collection may fail if we request too many DFSan tags at once.
// So, we start from requesting all tags in range [0,Size) and if that fails		// So, we start from requesting all tags in range [0,Size) and if that fails
// we then request tags in [0,Size/2) and [Size/2, Size), and so on.		// we then request tags in [0,Size/2) and [Size/2, Size), and so on.
// Function number => DFT.		// Function number => DFT.
auto OutPath = DirPlusFile(DirPath, Hash(FileToVector(F.File)));		auto OutPath = DirPlusFile(DirPath, Hash(FileToVector(F.File)));
std::unordered_map<size_t, Vector<uint8_t>> DFTMap;		std::unordered_map<size_t, std::vector<uint8_t>> DFTMap;
std::unordered_set<std::string> Cov;		std::unordered_set<std::string> Cov;
Command Cmd;		Command Cmd;
Cmd.addArgument(DFTBinary);		Cmd.addArgument(DFTBinary);
Cmd.addArgument(F.File);		Cmd.addArgument(F.File);
Cmd.addArgument(OutPath);		Cmd.addArgument(OutPath);
Printf("CMD: %s\n", Cmd.toString().c_str());		Printf("CMD: %s\n", Cmd.toString().c_str());
ExecuteCommand(Cmd);		ExecuteCommand(Cmd);
}		}
Show All 12 Lines

compiler-rt/lib/fuzzer/FuzzerDefs.h

	Show All 32 Lines
	struct FuzzingOptions;			struct FuzzingOptions;
	class InputCorpus;			class InputCorpus;
	struct InputInfo;			struct InputInfo;
	struct ExternalFunctions;			struct ExternalFunctions;

	// Global interface to functions that may or may not be available.			// Global interface to functions that may or may not be available.
	extern ExternalFunctions *EF;			extern ExternalFunctions *EF;

	// We are using a custom allocator to give a different symbol name to STL			typedef std::vector<uint8_t> Unit;
	// containers in order to avoid ODR violations.			typedef std::vector<Unit> UnitVector;
	template<typename T>
	class fuzzer_allocator: public std::allocator<T> {
	public:
	fuzzer_allocator() = default;

	template<class U>
	fuzzer_allocator(const fuzzer_allocator<U>&) {}

	template<class Other>
	struct rebind { typedef fuzzer_allocator<Other> other; };
	};

	template<typename T>
	using Vector = std::vector<T, fuzzer_allocator<T>>;

	template<typename T>
	using Set = std::set<T, std::less<T>, fuzzer_allocator<T>>;

	typedef Vector<uint8_t> Unit;
	typedef Vector<Unit> UnitVector;
	typedef int (UserCallback)(const uint8_t Data, size_t Size);			typedef int (UserCallback)(const uint8_t Data, size_t Size);

	int FuzzerDriver(int argc, char **argv, UserCallback Callback);			int FuzzerDriver(int argc, char **argv, UserCallback Callback);

	uint8_t *ExtraCountersBegin();			uint8_t *ExtraCountersBegin();
	uint8_t *ExtraCountersEnd();			uint8_t *ExtraCountersEnd();
	void ClearExtraCounters();			void ClearExtraCounters();

	extern bool RunningUserCallback;			extern bool RunningUserCallback;

	} // namespace fuzzer			} // namespace fuzzer

	#endif // LLVM_FUZZER_DEFS_H			#endif // LLVM_FUZZER_DEFS_H

compiler-rt/lib/fuzzer/FuzzerDictionary.h

	Show First 20 Lines • Show All 46 Lines • ▼ Show 20 Lines
	};			};

	typedef FixedWord<64> Word;			typedef FixedWord<64> Word;

	class DictionaryEntry {			class DictionaryEntry {
	public:			public:
	DictionaryEntry() {}			DictionaryEntry() {}
	DictionaryEntry(Word W) : W(W) {}			DictionaryEntry(Word W) : W(W) {}
	DictionaryEntry(Word W, size_t PositionHint) : W(W), PositionHint(PositionHint) {}			DictionaryEntry(Word W, size_t PositionHint)
				: W(W), PositionHint(PositionHint) {}
	const Word &GetW() const { return W; }			const Word &GetW() const { return W; }

	bool HasPositionHint() const { return PositionHint != std::numeric_limits<size_t>::max(); }			bool HasPositionHint() const {
				return PositionHint != std::numeric_limits<size_t>::max();
				}
	size_t GetPositionHint() const {			size_t GetPositionHint() const {
	assert(HasPositionHint());			assert(HasPositionHint());
	return PositionHint;			return PositionHint;
	}			}
	void IncUseCount() { UseCount++; }			void IncUseCount() { UseCount++; }
	void IncSuccessCount() { SuccessCount++; }			void IncSuccessCount() { SuccessCount++; }
	size_t GetUseCount() const { return UseCount; }			size_t GetUseCount() const { return UseCount; }
	size_t GetSuccessCount() const {return SuccessCount; }			size_t GetSuccessCount() const {return SuccessCount; }
	▲ Show 20 Lines • Show All 41 Lines • ▼ Show 20 Lines
	};			};

	// Parses one dictionary entry.			// Parses one dictionary entry.
	// If successful, write the enty to Unit and returns true,			// If successful, write the enty to Unit and returns true,
	// otherwise returns false.			// otherwise returns false.
	bool ParseOneDictionaryEntry(const std::string &Str, Unit *U);			bool ParseOneDictionaryEntry(const std::string &Str, Unit *U);
	// Parses the dictionary file, fills Units, returns true iff all lines			// Parses the dictionary file, fills Units, returns true iff all lines
	// were parsed successfully.			// were parsed successfully.
	bool ParseDictionaryFile(const std::string &Text, Vector<Unit> *Units);			bool ParseDictionaryFile(const std::string &Text, std::vector<Unit> *Units);

	} // namespace fuzzer			} // namespace fuzzer

	#endif // LLVM_FUZZER_DICTIONARY_H			#endif // LLVM_FUZZER_DICTIONARY_H

compiler-rt/lib/fuzzer/FuzzerDriver.cpp

Show First 20 Lines • Show All 80 Lines • ▼ Show 20 Lines
#undef FUZZER_FLAG_INT		#undef FUZZER_FLAG_INT
#undef FUZZER_FLAG_UNSIGNED		#undef FUZZER_FLAG_UNSIGNED
#undef FUZZER_FLAG_STRING		#undef FUZZER_FLAG_STRING
};		};

static const size_t kNumFlags =		static const size_t kNumFlags =
sizeof(FlagDescriptions) / sizeof(FlagDescriptions[0]);		sizeof(FlagDescriptions) / sizeof(FlagDescriptions[0]);

static Vector<std::string> *Inputs;		static std::vector<std::string> *Inputs;
static std::string *ProgName;		static std::string *ProgName;

static void PrintHelp() {		static void PrintHelp() {
Printf("Usage:\n");		Printf("Usage:\n");
auto Prog = ProgName->c_str();		auto Prog = ProgName->c_str();
Printf("\nTo run fuzzing pass 0 or more directories.\n");		Printf("\nTo run fuzzing pass 0 or more directories.\n");
Printf("%s [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]\n", Prog);		Printf("%s [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]\n", Prog);

▲ Show 20 Lines • Show All 84 Lines • ▼ Show 20 Lines	for (size_t F = 0; F < kNumFlags; F++) {
}		}
}		}
Printf("\n\nWARNING: unrecognized flag '%s'; "		Printf("\n\nWARNING: unrecognized flag '%s'; "
"use -help=1 to list all flags\n\n", Param);		"use -help=1 to list all flags\n\n", Param);
return true;		return true;
}		}

// We don't use any library to minimize dependencies.		// We don't use any library to minimize dependencies.
static void ParseFlags(const Vector<std::string> &Args,		static void ParseFlags(const std::vector<std::string> &Args,
const ExternalFunctions *EF) {		const ExternalFunctions *EF) {
for (size_t F = 0; F < kNumFlags; F++) {		for (size_t F = 0; F < kNumFlags; F++) {
if (FlagDescriptions[F].IntFlag)		if (FlagDescriptions[F].IntFlag)
*FlagDescriptions[F].IntFlag = FlagDescriptions[F].Default;		*FlagDescriptions[F].IntFlag = FlagDescriptions[F].Default;
if (FlagDescriptions[F].UIntFlag)		if (FlagDescriptions[F].UIntFlag)
*FlagDescriptions[F].UIntFlag =		*FlagDescriptions[F].UIntFlag =
static_cast<unsigned int>(FlagDescriptions[F].Default);		static_cast<unsigned int>(FlagDescriptions[F].Default);
if (FlagDescriptions[F].StrFlag)		if (FlagDescriptions[F].StrFlag)
*FlagDescriptions[F].StrFlag = nullptr;		*FlagDescriptions[F].StrFlag = nullptr;
}		}

// Disable len_control by default, if LLVMFuzzerCustomMutator is used.		// Disable len_control by default, if LLVMFuzzerCustomMutator is used.
if (EF->LLVMFuzzerCustomMutator) {		if (EF->LLVMFuzzerCustomMutator) {
Flags.len_control = 0;		Flags.len_control = 0;
Printf("INFO: found LLVMFuzzerCustomMutator (%p). "		Printf("INFO: found LLVMFuzzerCustomMutator (%p). "
"Disabling -len_control by default.\n", EF->LLVMFuzzerCustomMutator);		"Disabling -len_control by default.\n", EF->LLVMFuzzerCustomMutator);
}		}

Inputs = new Vector<std::string>;		Inputs = new std::vector<std::string>;
for (size_t A = 1; A < Args.size(); A++) {		for (size_t A = 1; A < Args.size(); A++) {
if (ParseOneFlag(Args[A].c_str())) {		if (ParseOneFlag(Args[A].c_str())) {
if (Flags.ignore_remaining_args)		if (Flags.ignore_remaining_args)
break;		break;
continue;		continue;
}		}
Inputs->push_back(Args[A]);		Inputs->push_back(Args[A]);
}		}
▲ Show 20 Lines • Show All 49 Lines • ▼ Show 20 Lines	if (CreateDirectory) {
}		}
return;		return;
}		}

Printf("ERROR: The required directory \"%s\" does not exist\n", Path.c_str());		Printf("ERROR: The required directory \"%s\" does not exist\n", Path.c_str());
exit(1);		exit(1);
}		}

std::string CloneArgsWithoutX(const Vector<std::string> &Args,		std::string CloneArgsWithoutX(const std::vector<std::string> &Args,
const char X1, const char X2) {		const char X1, const char X2) {
std::string Cmd;		std::string Cmd;
for (auto &S : Args) {		for (auto &S : Args) {
if (FlagValue(S.c_str(), X1) \|\| FlagValue(S.c_str(), X2))		if (FlagValue(S.c_str(), X1) \|\| FlagValue(S.c_str(), X2))
continue;		continue;
Cmd += S + " ";		Cmd += S + " ";
}		}
return Cmd;		return Cmd;
}		}

static int RunInMultipleProcesses(const Vector<std::string> &Args,		static int RunInMultipleProcesses(const std::vector<std::string> &Args,
unsigned NumWorkers, unsigned NumJobs) {		unsigned NumWorkers, unsigned NumJobs) {
std::atomic<unsigned> Counter(0);		std::atomic<unsigned> Counter(0);
std::atomic<bool> HasErrors(false);		std::atomic<bool> HasErrors(false);
Command Cmd(Args);		Command Cmd(Args);
Cmd.removeFlag("jobs");		Cmd.removeFlag("jobs");
Cmd.removeFlag("workers");		Cmd.removeFlag("workers");
Vector<std::thread> V;		std::vector<std::thread> V;
std::thread Pulse(PulseThread);		std::thread Pulse(PulseThread);
Pulse.detach();		Pulse.detach();
for (unsigned i = 0; i < NumWorkers; i++)		for (unsigned i = 0; i < NumWorkers; i++)
V.push_back(std::thread(WorkerThread, std::ref(Cmd), &Counter, NumJobs, &HasErrors));		V.push_back(std::thread(WorkerThread, std::ref(Cmd), &Counter, NumJobs,
		&HasErrors));
for (auto &T : V)		for (auto &T : V)
T.join();		T.join();
return HasErrors ? 1 : 0;		return HasErrors ? 1 : 0;
}		}

static void RssThread(Fuzzer *F, size_t RssLimitMb) {		static void RssThread(Fuzzer *F, size_t RssLimitMb) {
while (true) {		while (true) {
SleepSeconds(1);		SleepSeconds(1);
Show All 37 Lines	static std::string GetDedupTokenFromCmdOutput(const std::string &S) {
if (Beg == std::string::npos)		if (Beg == std::string::npos)
return "";		return "";
auto End = S.find('\n', Beg);		auto End = S.find('\n', Beg);
if (End == std::string::npos)		if (End == std::string::npos)
return "";		return "";
return S.substr(Beg, End - Beg);		return S.substr(Beg, End - Beg);
}		}

int CleanseCrashInput(const Vector<std::string> &Args,		int CleanseCrashInput(const std::vector<std::string> &Args,
const FuzzingOptions &Options) {		const FuzzingOptions &Options) {
if (Inputs->size() != 1 \|\| !Flags.exact_artifact_path) {		if (Inputs->size() != 1 \|\| !Flags.exact_artifact_path) {
Printf("ERROR: -cleanse_crash should be given one input file and"		Printf("ERROR: -cleanse_crash should be given one input file and"
" -exact_artifact_path\n");		" -exact_artifact_path\n");
exit(1);		exit(1);
}		}
std::string InputFilePath = Inputs->at(0);		std::string InputFilePath = Inputs->at(0);
std::string OutputFilePath = Flags.exact_artifact_path;		std::string OutputFilePath = Flags.exact_artifact_path;
Command Cmd(Args);		Command Cmd(Args);
Cmd.removeFlag("cleanse_crash");		Cmd.removeFlag("cleanse_crash");

assert(Cmd.hasArgument(InputFilePath));		assert(Cmd.hasArgument(InputFilePath));
Cmd.removeArgument(InputFilePath);		Cmd.removeArgument(InputFilePath);

auto TmpFilePath = TempPath("CleanseCrashInput", ".repro");		auto TmpFilePath = TempPath("CleanseCrashInput", ".repro");
Cmd.addArgument(TmpFilePath);		Cmd.addArgument(TmpFilePath);
Cmd.setOutputFile(getDevNull());		Cmd.setOutputFile(getDevNull());
Cmd.combineOutAndErr();		Cmd.combineOutAndErr();

std::string CurrentFilePath = InputFilePath;		std::string CurrentFilePath = InputFilePath;
auto U = FileToVector(CurrentFilePath);		auto U = FileToVector(CurrentFilePath);
size_t Size = U.size();		size_t Size = U.size();

const Vector<uint8_t> ReplacementBytes = {' ', 0xff};		const std::vector<uint8_t> ReplacementBytes = {' ', 0xff};
for (int NumAttempts = 0; NumAttempts < 5; NumAttempts++) {		for (int NumAttempts = 0; NumAttempts < 5; NumAttempts++) {
bool Changed = false;		bool Changed = false;
for (size_t Idx = 0; Idx < Size; Idx++) {		for (size_t Idx = 0; Idx < Size; Idx++) {
Printf("CLEANSE[%d]: Trying to replace byte %zd of %zd\n", NumAttempts,		Printf("CLEANSE[%d]: Trying to replace byte %zd of %zd\n", NumAttempts,
Idx, Size);		Idx, Size);
uint8_t OriginalByte = U[Idx];		uint8_t OriginalByte = U[Idx];
if (ReplacementBytes.end() != std::find(ReplacementBytes.begin(),		if (ReplacementBytes.end() != std::find(ReplacementBytes.begin(),
ReplacementBytes.end(),		ReplacementBytes.end(),
Show All 14 Lines	for (size_t Idx = 0; Idx < Size; Idx++) {
}		}
}		}
}		}
if (!Changed) break;		if (!Changed) break;
}		}
return 0;		return 0;
}		}

int MinimizeCrashInput(const Vector<std::string> &Args,		int MinimizeCrashInput(const std::vector<std::string> &Args,
const FuzzingOptions &Options) {		const FuzzingOptions &Options) {
if (Inputs->size() != 1) {		if (Inputs->size() != 1) {
Printf("ERROR: -minimize_crash should be given one input file\n");		Printf("ERROR: -minimize_crash should be given one input file\n");
exit(1);		exit(1);
}		}
std::string InputFilePath = Inputs->at(0);		std::string InputFilePath = Inputs->at(0);
Command BaseCmd(Args);		Command BaseCmd(Args);
BaseCmd.removeFlag("minimize_crash");		BaseCmd.removeFlag("minimize_crash");
▲ Show 20 Lines • Show All 83 Lines • ▼ Show 20 Lines	int MinimizeCrashInputInternalStep(Fuzzer F, InputCorpus Corpus) {
F->SetMaxInputLen(U.size());		F->SetMaxInputLen(U.size());
F->SetMaxMutationLen(U.size() - 1);		F->SetMaxMutationLen(U.size() - 1);
F->MinimizeCrashLoop(U);		F->MinimizeCrashLoop(U);
Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n");		Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n");
exit(0);		exit(0);
return 0;		return 0;
}		}

void Merge(Fuzzer *F, FuzzingOptions &Options, const Vector<std::string> &Args,		void Merge(Fuzzer *F, FuzzingOptions &Options,
const Vector<std::string> &Corpora, const char *CFPathOrNull) {		const std::vector<std::string> &Args,
		const std::vector<std::string> &Corpora, const char *CFPathOrNull) {
if (Corpora.size() < 2) {		if (Corpora.size() < 2) {
Printf("INFO: Merge requires two or more corpus dirs\n");		Printf("INFO: Merge requires two or more corpus dirs\n");
exit(0);		exit(0);
}		}

Vector<SizedFile> OldCorpus, NewCorpus;		std::vector<SizedFile> OldCorpus, NewCorpus;
GetSizedFilesFromDir(Corpora[0], &OldCorpus);		GetSizedFilesFromDir(Corpora[0], &OldCorpus);
for (size_t i = 1; i < Corpora.size(); i++)		for (size_t i = 1; i < Corpora.size(); i++)
GetSizedFilesFromDir(Corpora[i], &NewCorpus);		GetSizedFilesFromDir(Corpora[i], &NewCorpus);
std::sort(OldCorpus.begin(), OldCorpus.end());		std::sort(OldCorpus.begin(), OldCorpus.end());
std::sort(NewCorpus.begin(), NewCorpus.end());		std::sort(NewCorpus.begin(), NewCorpus.end());

std::string CFPath = CFPathOrNull ? CFPathOrNull : TempPath("Merge", ".txt");		std::string CFPath = CFPathOrNull ? CFPathOrNull : TempPath("Merge", ".txt");
Vector<std::string> NewFiles;		std::vector<std::string> NewFiles;
Set<uint32_t> NewFeatures, NewCov;		std::set<uint32_t> NewFeatures, NewCov;
CrashResistantMerge(Args, OldCorpus, NewCorpus, &NewFiles, {}, &NewFeatures,		CrashResistantMerge(Args, OldCorpus, NewCorpus, &NewFiles, {}, &NewFeatures,
{}, &NewCov, CFPath, true);		{}, &NewCov, CFPath, true);
for (auto &Path : NewFiles)		for (auto &Path : NewFiles)
F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen));		F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen));
// We are done, delete the control file if it was a temporary one.		// We are done, delete the control file if it was a temporary one.
if (!Flags.merge_control_file)		if (!Flags.merge_control_file)
RemoveFile(CFPath);		RemoveFile(CFPath);

exit(0);		exit(0);
}		}

int AnalyzeDictionary(Fuzzer *F, const Vector<Unit>& Dict,		int AnalyzeDictionary(Fuzzer *F, const std::vector<Unit> &Dict,
UnitVector& Corpus) {		UnitVector &Corpus) {
Printf("Started dictionary minimization (up to %d tests)\n",		Printf("Started dictionary minimization (up to %d tests)\n",
Dict.size() * Corpus.size() * 2);		Dict.size() * Corpus.size() * 2);

// Scores and usage count for each dictionary unit.		// Scores and usage count for each dictionary unit.
Vector<int> Scores(Dict.size());		std::vector<int> Scores(Dict.size());
Vector<int> Usages(Dict.size());		std::vector<int> Usages(Dict.size());

Vector<size_t> InitialFeatures;		std::vector<size_t> InitialFeatures;
Vector<size_t> ModifiedFeatures;		std::vector<size_t> ModifiedFeatures;
for (auto &C : Corpus) {		for (auto &C : Corpus) {
// Get coverage for the testcase without modifications.		// Get coverage for the testcase without modifications.
F->ExecuteCallback(C.data(), C.size());		F->ExecuteCallback(C.data(), C.size());
InitialFeatures.clear();		InitialFeatures.clear();
TPC.CollectFeatures([&](size_t Feature) {		TPC.CollectFeatures([&](size_t Feature) {
InitialFeatures.push_back(Feature);		InitialFeatures.push_back(Feature);
});		});

for (size_t i = 0; i < Dict.size(); ++i) {		for (size_t i = 0; i < Dict.size(); ++i) {
Vector<uint8_t> Data = C;		std::vector<uint8_t> Data = C;
auto StartPos = std::search(Data.begin(), Data.end(),		auto StartPos = std::search(Data.begin(), Data.end(),
Dict[i].begin(), Dict[i].end());		Dict[i].begin(), Dict[i].end());
// Skip dictionary unit, if the testcase does not contain it.		// Skip dictionary unit, if the testcase does not contain it.
if (StartPos == Data.end())		if (StartPos == Data.end())
continue;		continue;

++Usages[i];		++Usages[i];
while (StartPos != Data.end()) {		while (StartPos != Data.end()) {
Show All 29 Lines	for (size_t i = 0; i < Dict.size(); ++i) {
Printf("\"");		Printf("\"");
PrintASCII(Dict[i].data(), Dict[i].size(), "\"");		PrintASCII(Dict[i].data(), Dict[i].size(), "\"");
Printf(" # Score: %d, Used: %d\n", Scores[i], Usages[i]);		Printf(" # Score: %d, Used: %d\n", Scores[i], Usages[i]);
}		}
Printf("###### End of useless dictionary elements. ######\n");		Printf("###### End of useless dictionary elements. ######\n");
return 0;		return 0;
}		}

Vector<std::string> ParseSeedInuts(const char *seed_inputs) {		std::vector<std::string> ParseSeedInuts(const char *seed_inputs) {
// Parse -seed_inputs=file1,file2,... or -seed_inputs=@seed_inputs_file		// Parse -seed_inputs=file1,file2,... or -seed_inputs=@seed_inputs_file
Vector<std::string> Files;		std::vector<std::string> Files;
if (!seed_inputs) return Files;		if (!seed_inputs) return Files;
std::string SeedInputs;		std::string SeedInputs;
if (Flags.seed_inputs[0] == '@')		if (Flags.seed_inputs[0] == '@')
SeedInputs = FileToString(Flags.seed_inputs + 1); // File contains list.		SeedInputs = FileToString(Flags.seed_inputs + 1); // File contains list.
else		else
SeedInputs = Flags.seed_inputs; // seed_inputs contains the list.		SeedInputs = Flags.seed_inputs; // seed_inputs contains the list.
if (SeedInputs.empty()) {		if (SeedInputs.empty()) {
Printf("seed_inputs is empty or @file does not exist.\n");		Printf("seed_inputs is empty or @file does not exist.\n");
exit(1);		exit(1);
}		}
// Parse SeedInputs.		// Parse SeedInputs.
size_t comma_pos = 0;		size_t comma_pos = 0;
while ((comma_pos = SeedInputs.find_last_of(',')) != std::string::npos) {		while ((comma_pos = SeedInputs.find_last_of(',')) != std::string::npos) {
Files.push_back(SeedInputs.substr(comma_pos + 1));		Files.push_back(SeedInputs.substr(comma_pos + 1));
SeedInputs = SeedInputs.substr(0, comma_pos);		SeedInputs = SeedInputs.substr(0, comma_pos);
}		}
Files.push_back(SeedInputs);		Files.push_back(SeedInputs);
return Files;		return Files;
}		}

static Vector<SizedFile> ReadCorpora(const Vector<std::string> &CorpusDirs,		static std::vector<SizedFile>
const Vector<std::string> &ExtraSeedFiles) {		ReadCorpora(const std::vector<std::string> &CorpusDirs,
Vector<SizedFile> SizedFiles;		const std::vector<std::string> &ExtraSeedFiles) {
		std::vector<SizedFile> SizedFiles;
size_t LastNumFiles = 0;		size_t LastNumFiles = 0;
for (auto &Dir : CorpusDirs) {		for (auto &Dir : CorpusDirs) {
GetSizedFilesFromDir(Dir, &SizedFiles);		GetSizedFilesFromDir(Dir, &SizedFiles);
Printf("INFO: % 8zd files found in %s\n", SizedFiles.size() - LastNumFiles,		Printf("INFO: % 8zd files found in %s\n", SizedFiles.size() - LastNumFiles,
Dir.c_str());		Dir.c_str());
LastNumFiles = SizedFiles.size();		LastNumFiles = SizedFiles.size();
}		}
for (auto &File : ExtraSeedFiles)		for (auto &File : ExtraSeedFiles)
if (auto Size = FileSize(File))		if (auto Size = FileSize(File))
SizedFiles.push_back({File, Size});		SizedFiles.push_back({File, Size});
return SizedFiles;		return SizedFiles;
}		}

int FuzzerDriver(int argc, char **argv, UserCallback Callback) {		int FuzzerDriver(int argc, char **argv, UserCallback Callback) {
using namespace fuzzer;		using namespace fuzzer;
assert(argc && argv && "Argument pointers cannot be nullptr");		assert(argc && argv && "Argument pointers cannot be nullptr");
std::string Argv0((*argv)[0]);		std::string Argv0((*argv)[0]);
EF = new ExternalFunctions();		EF = new ExternalFunctions();
if (EF->LLVMFuzzerInitialize)		if (EF->LLVMFuzzerInitialize)
EF->LLVMFuzzerInitialize(argc, argv);		EF->LLVMFuzzerInitialize(argc, argv);
if (EF->__msan_scoped_disable_interceptor_checks)		if (EF->__msan_scoped_disable_interceptor_checks)
EF->__msan_scoped_disable_interceptor_checks();		EF->__msan_scoped_disable_interceptor_checks();
const Vector<std::string> Args(argv, argv + *argc);		const std::vector<std::string> Args(argv, argv + *argc);
assert(!Args.empty());		assert(!Args.empty());
ProgName = new std::string(Args[0]);		ProgName = new std::string(Args[0]);
if (Argv0 != *ProgName) {		if (Argv0 != *ProgName) {
Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n");		Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n");
exit(1);		exit(1);
}		}
ParseFlags(Args, EF);		ParseFlags(Args, EF);
if (Flags.help) {		if (Flags.help) {
▲ Show 20 Lines • Show All 72 Lines • ▼ Show 20 Lines	if (Flags.artifact_prefix) {
}		}
ValidateDirectoryExists(ArtifactPathDir, Flags.create_missing_dirs);		ValidateDirectoryExists(ArtifactPathDir, Flags.create_missing_dirs);
}		}
if (Flags.exact_artifact_path) {		if (Flags.exact_artifact_path) {
Options.ExactArtifactPath = Flags.exact_artifact_path;		Options.ExactArtifactPath = Flags.exact_artifact_path;
ValidateDirectoryExists(DirName(Options.ExactArtifactPath),		ValidateDirectoryExists(DirName(Options.ExactArtifactPath),
Flags.create_missing_dirs);		Flags.create_missing_dirs);
}		}
Vector<Unit> Dictionary;		std::vector<Unit> Dictionary;
if (Flags.dict)		if (Flags.dict)
if (!ParseDictionaryFile(FileToString(Flags.dict), &Dictionary))		if (!ParseDictionaryFile(FileToString(Flags.dict), &Dictionary))
return 1;		return 1;
if (Flags.verbosity > 0 && !Dictionary.empty())		if (Flags.verbosity > 0 && !Dictionary.empty())
Printf("Dictionary: %zd entries\n", Dictionary.size());		Printf("Dictionary: %zd entries\n", Dictionary.size());
bool RunIndividualFiles = AllInputsAreFiles();		bool RunIndividualFiles = AllInputsAreFiles();
Options.SaveArtifacts =		Options.SaveArtifacts =
!RunIndividualFiles \|\| Flags.minimize_crash_internal_step;		!RunIndividualFiles \|\| Flags.minimize_crash_internal_step;
▲ Show 20 Lines • Show All 180 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerFork.h

	Show All 11 Lines
	#include "FuzzerDefs.h"			#include "FuzzerDefs.h"
	#include "FuzzerOptions.h"			#include "FuzzerOptions.h"
	#include "FuzzerRandom.h"			#include "FuzzerRandom.h"

	#include <string>			#include <string>

	namespace fuzzer {			namespace fuzzer {
	void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,			void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
	const Vector<std::string> &Args,			const std::vector<std::string> &Args,
	const Vector<std::string> &CorpusDirs, int NumJobs);			const std::vector<std::string> &CorpusDirs, int NumJobs);
	} // namespace fuzzer			} // namespace fuzzer

	#endif // LLVM_FUZZER_FORK_H			#endif // LLVM_FUZZER_FORK_H

compiler-rt/lib/fuzzer/FuzzerFork.cpp

Show First 20 Lines • Show All 80 Lines • ▼ Show 20 Lines	~FuzzJob() {
RemoveFile(LogPath);		RemoveFile(LogPath);
RemoveFile(SeedListPath);		RemoveFile(SeedListPath);
RmDirRecursive(CorpusDir);		RmDirRecursive(CorpusDir);
RmDirRecursive(FeaturesDir);		RmDirRecursive(FeaturesDir);
}		}
};		};

struct GlobalEnv {		struct GlobalEnv {
Vector<std::string> Args;		std::vector<std::string> Args;
Vector<std::string> CorpusDirs;		std::vector<std::string> CorpusDirs;
std::string MainCorpusDir;		std::string MainCorpusDir;
std::string TempDir;		std::string TempDir;
std::string DFTDir;		std::string DFTDir;
std::string DataFlowBinary;		std::string DataFlowBinary;
Set<uint32_t> Features, Cov;		std::set<uint32_t> Features, Cov;
Set<std::string> FilesWithDFT;		std::set<std::string> FilesWithDFT;
Vector<std::string> Files;		std::vector<std::string> Files;
Random *Rand;		Random *Rand;
std::chrono::system_clock::time_point ProcessStartTime;		std::chrono::system_clock::time_point ProcessStartTime;
int Verbosity = 0;		int Verbosity = 0;

size_t NumTimeouts = 0;		size_t NumTimeouts = 0;
size_t NumOOMs = 0;		size_t NumOOMs = 0;
size_t NumCrashes = 0;		size_t NumCrashes = 0;

▲ Show 20 Lines • Show All 72 Lines • ▼ Show 20 Lines	FuzzJob *CreateNewJob(size_t JobId) {
// Start from very short runs and gradually increase them.		// Start from very short runs and gradually increase them.
return Job;		return Job;
}		}

void RunOneMergeJob(FuzzJob *Job) {		void RunOneMergeJob(FuzzJob *Job) {
auto Stats = ParseFinalStatsFromLog(Job->LogPath);		auto Stats = ParseFinalStatsFromLog(Job->LogPath);
NumRuns += Stats.number_of_executed_units;		NumRuns += Stats.number_of_executed_units;

Vector<SizedFile> TempFiles, MergeCandidates;		std::vector<SizedFile> TempFiles, MergeCandidates;
// Read all newly created inputs and their feature sets.		// Read all newly created inputs and their feature sets.
// Choose only those inputs that have new features.		// Choose only those inputs that have new features.
GetSizedFilesFromDir(Job->CorpusDir, &TempFiles);		GetSizedFilesFromDir(Job->CorpusDir, &TempFiles);
std::sort(TempFiles.begin(), TempFiles.end());		std::sort(TempFiles.begin(), TempFiles.end());
for (auto &F : TempFiles) {		for (auto &F : TempFiles) {
auto FeatureFile = F.File;		auto FeatureFile = F.File;
FeatureFile.replace(0, Job->CorpusDir.size(), Job->FeaturesDir);		FeatureFile.replace(0, Job->CorpusDir.size(), Job->FeaturesDir);
auto FeatureBytes = FileToVector(FeatureFile, 0, false);		auto FeatureBytes = FileToVector(FeatureFile, 0, false);
assert((FeatureBytes.size() % sizeof(uint32_t)) == 0);		assert((FeatureBytes.size() % sizeof(uint32_t)) == 0);
Vector<uint32_t> NewFeatures(FeatureBytes.size() / sizeof(uint32_t));		std::vector<uint32_t> NewFeatures(FeatureBytes.size() / sizeof(uint32_t));
memcpy(NewFeatures.data(), FeatureBytes.data(), FeatureBytes.size());		memcpy(NewFeatures.data(), FeatureBytes.data(), FeatureBytes.size());
for (auto Ft : NewFeatures) {		for (auto Ft : NewFeatures) {
if (!Features.count(Ft)) {		if (!Features.count(Ft)) {
MergeCandidates.push_back(F);		MergeCandidates.push_back(F);
break;		break;
}		}
}		}
}		}
// if (!FilesToAdd.empty() \|\| Job->ExitCode != 0)		// if (!FilesToAdd.empty() \|\| Job->ExitCode != 0)
Printf("#%zd: cov: %zd ft: %zd corp: %zd exec/s %zd "		Printf("#%zd: cov: %zd ft: %zd corp: %zd exec/s %zd "
"oom/timeout/crash: %zd/%zd/%zd time: %zds job: %zd dft_time: %d\n",		"oom/timeout/crash: %zd/%zd/%zd time: %zds job: %zd dft_time: %d\n",
NumRuns, Cov.size(), Features.size(), Files.size(),		NumRuns, Cov.size(), Features.size(), Files.size(),
Stats.average_exec_per_sec, NumOOMs, NumTimeouts, NumCrashes,		Stats.average_exec_per_sec, NumOOMs, NumTimeouts, NumCrashes,
secondsSinceProcessStartUp(), Job->JobId, Job->DftTimeInSeconds);		secondsSinceProcessStartUp(), Job->JobId, Job->DftTimeInSeconds);

if (MergeCandidates.empty()) return;		if (MergeCandidates.empty()) return;

Vector<std::string> FilesToAdd;		std::vector<std::string> FilesToAdd;
Set<uint32_t> NewFeatures, NewCov;		std::set<uint32_t> NewFeatures, NewCov;
CrashResistantMerge(Args, {}, MergeCandidates, &FilesToAdd, Features,		CrashResistantMerge(Args, {}, MergeCandidates, &FilesToAdd, Features,
&NewFeatures, Cov, &NewCov, Job->CFPath, false);		&NewFeatures, Cov, &NewCov, Job->CFPath, false);
for (auto &Path : FilesToAdd) {		for (auto &Path : FilesToAdd) {
auto U = FileToVector(Path);		auto U = FileToVector(Path);
auto NewPath = DirPlusFile(MainCorpusDir, Hash(U));		auto NewPath = DirPlusFile(MainCorpusDir, Hash(U));
WriteToFile(U, NewPath);		WriteToFile(U, NewPath);
Files.push_back(NewPath);		Files.push_back(NewPath);
}		}
▲ Show 20 Lines • Show All 54 Lines • ▼ Show 20 Lines	while (auto Job = FuzzQ->Pop()) {
// Printf("WorkerThread: job %p\n", Job);		// Printf("WorkerThread: job %p\n", Job);
Job->ExitCode = ExecuteCommand(Job->Cmd);		Job->ExitCode = ExecuteCommand(Job->Cmd);
MergeQ->Push(Job);		MergeQ->Push(Job);
}		}
}		}

// This is just a skeleton of an experimental -fork=1 feature.		// This is just a skeleton of an experimental -fork=1 feature.
void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,		void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
const Vector<std::string> &Args,		const std::vector<std::string> &Args,
const Vector<std::string> &CorpusDirs, int NumJobs) {		const std::vector<std::string> &CorpusDirs, int NumJobs) {
Printf("INFO: -fork=%d: fuzzing in separate process(s)\n", NumJobs);		Printf("INFO: -fork=%d: fuzzing in separate process(s)\n", NumJobs);

GlobalEnv Env;		GlobalEnv Env;
Env.Args = Args;		Env.Args = Args;
Env.CorpusDirs = CorpusDirs;		Env.CorpusDirs = CorpusDirs;
Env.Rand = &Rand;		Env.Rand = &Rand;
Env.Verbosity = Options.Verbosity;		Env.Verbosity = Options.Verbosity;
Env.ProcessStartTime = std::chrono::system_clock::now();		Env.ProcessStartTime = std::chrono::system_clock::now();
Env.DataFlowBinary = Options.CollectDataFlow;		Env.DataFlowBinary = Options.CollectDataFlow;

Vector<SizedFile> SeedFiles;		std::vector<SizedFile> SeedFiles;
for (auto &Dir : CorpusDirs)		for (auto &Dir : CorpusDirs)
GetSizedFilesFromDir(Dir, &SeedFiles);		GetSizedFilesFromDir(Dir, &SeedFiles);
std::sort(SeedFiles.begin(), SeedFiles.end());		std::sort(SeedFiles.begin(), SeedFiles.end());
Env.TempDir = TempPath("FuzzWithFork", ".dir");		Env.TempDir = TempPath("FuzzWithFork", ".dir");
Env.DFTDir = DirPlusFile(Env.TempDir, "DFT");		Env.DFTDir = DirPlusFile(Env.TempDir, "DFT");
RmDirRecursive(Env.TempDir); // in case there is a leftover from old runs.		RmDirRecursive(Env.TempDir); // in case there is a leftover from old runs.
MkDir(Env.TempDir);		MkDir(Env.TempDir);
MkDir(Env.DFTDir);		MkDir(Env.DFTDir);


if (CorpusDirs.empty())		if (CorpusDirs.empty())
MkDir(Env.MainCorpusDir = DirPlusFile(Env.TempDir, "C"));		MkDir(Env.MainCorpusDir = DirPlusFile(Env.TempDir, "C"));
else		else
Env.MainCorpusDir = CorpusDirs[0];		Env.MainCorpusDir = CorpusDirs[0];

if (Options.KeepSeed) {		if (Options.KeepSeed) {
for (auto &File : SeedFiles)		for (auto &File : SeedFiles)
Env.Files.push_back(File.File);		Env.Files.push_back(File.File);
} else {		} else {
auto CFPath = DirPlusFile(Env.TempDir, "merge.txt");		auto CFPath = DirPlusFile(Env.TempDir, "merge.txt");
Set<uint32_t> NewFeatures, NewCov;		std::set<uint32_t> NewFeatures, NewCov;
CrashResistantMerge(Env.Args, {}, SeedFiles, &Env.Files, Env.Features,		CrashResistantMerge(Env.Args, {}, SeedFiles, &Env.Files, Env.Features,
&NewFeatures, Env.Cov, &NewCov, CFPath, false);		&NewFeatures, Env.Cov, &NewCov, CFPath, false);
Env.Features.insert(NewFeatures.begin(), NewFeatures.end());		Env.Features.insert(NewFeatures.begin(), NewFeatures.end());
Env.Cov.insert(NewFeatures.begin(), NewFeatures.end());		Env.Cov.insert(NewFeatures.begin(), NewFeatures.end());
RemoveFile(CFPath);		RemoveFile(CFPath);
}		}
Printf("INFO: -fork=%d: %zd seed inputs, starting to fuzz in %s\n", NumJobs,		Printf("INFO: -fork=%d: %zd seed inputs, starting to fuzz in %s\n", NumJobs,
Env.Files.size(), Env.TempDir.c_str());		Env.Files.size(), Env.TempDir.c_str());

int ExitCode = 0;		int ExitCode = 0;

JobQueue FuzzQ, MergeQ;		JobQueue FuzzQ, MergeQ;

auto StopJobs = [&]() {		auto StopJobs = [&]() {
for (int i = 0; i < NumJobs; i++)		for (int i = 0; i < NumJobs; i++)
FuzzQ.Push(nullptr);		FuzzQ.Push(nullptr);
MergeQ.Push(nullptr);		MergeQ.Push(nullptr);
WriteToFile(Unit({1}), Env.StopFile());		WriteToFile(Unit({1}), Env.StopFile());
};		};

size_t JobId = 1;		size_t JobId = 1;
Vector<std::thread> Threads;		std::vector<std::thread> Threads;
for (int t = 0; t < NumJobs; t++) {		for (int t = 0; t < NumJobs; t++) {
Threads.push_back(std::thread(WorkerThread, &FuzzQ, &MergeQ));		Threads.push_back(std::thread(WorkerThread, &FuzzQ, &MergeQ));
FuzzQ.Push(Env.CreateNewJob(JobId++));		FuzzQ.Push(Env.CreateNewJob(JobId++));
}		}

while (true) {		while (true) {
std::unique_ptr<FuzzJob> Job(MergeQ.Pop());		std::unique_ptr<FuzzJob> Job(MergeQ.Pop());
if (!Job)		if (!Job)
▲ Show 20 Lines • Show All 69 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerIO.h

	Show All 26 Lines
	void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path);			void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path);
	// Write Data.c_str() to the file without terminating null character.			// Write Data.c_str() to the file without terminating null character.
	void WriteToFile(const std::string &Data, const std::string &Path);			void WriteToFile(const std::string &Data, const std::string &Path);
	void WriteToFile(const Unit &U, const std::string &Path);			void WriteToFile(const Unit &U, const std::string &Path);

	void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path);			void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path);
	void AppendToFile(const std::string &Data, const std::string &Path);			void AppendToFile(const std::string &Data, const std::string &Path);

	void ReadDirToVectorOfUnits(const char Path, Vector<Unit> V, long *Epoch,			void ReadDirToVectorOfUnits(const char Path, std::vector<Unit> V, long *Epoch,
	size_t MaxSize, bool ExitOnError,			size_t MaxSize, bool ExitOnError,
	Vector<std::string> *VPaths = 0);			std::vector<std::string> *VPaths = 0);

	// Returns "Dir/FileName" or equivalent for the current OS.			// Returns "Dir/FileName" or equivalent for the current OS.
	std::string DirPlusFile(const std::string &DirPath,			std::string DirPlusFile(const std::string &DirPath,
	const std::string &FileName);			const std::string &FileName);

	// Returns the name of the dir, similar to the 'dirname' utility.			// Returns the name of the dir, similar to the 'dirname' utility.
	std::string DirName(const std::string &FileName);			std::string DirName(const std::string &FileName);

	Show All 15 Lines
	void RawPrint(const char *Str);			void RawPrint(const char *Str);

	// Platform specific functions:			// Platform specific functions:
	bool IsFile(const std::string &Path);			bool IsFile(const std::string &Path);
	bool IsDirectory(const std::string &Path);			bool IsDirectory(const std::string &Path);
	size_t FileSize(const std::string &Path);			size_t FileSize(const std::string &Path);

	void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,			void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
	Vector<std::string> *V, bool TopDir);			std::vector<std::string> *V, bool TopDir);

	bool MkDirRecursive(const std::string &Dir);			bool MkDirRecursive(const std::string &Dir);
	void RmDirRecursive(const std::string &Dir);			void RmDirRecursive(const std::string &Dir);

	// Iterate files and dirs inside Dir, recursively.			// Iterate files and dirs inside Dir, recursively.
	// Call DirPreCallback/DirPostCallback on dirs before/after			// Call DirPreCallback/DirPostCallback on dirs before/after
	// calling FileCallback on files.			// calling FileCallback on files.
	void IterateDirRecursive(const std::string &Dir,			void IterateDirRecursive(const std::string &Dir,
	void (*DirPreCallback)(const std::string &Dir),			void (*DirPreCallback)(const std::string &Dir),
	void (*DirPostCallback)(const std::string &Dir),			void (*DirPostCallback)(const std::string &Dir),
	void (*FileCallback)(const std::string &Dir));			void (*FileCallback)(const std::string &Dir));

	struct SizedFile {			struct SizedFile {
	std::string File;			std::string File;
	size_t Size;			size_t Size;
	bool operator<(const SizedFile &B) const { return Size < B.Size; }			bool operator<(const SizedFile &B) const { return Size < B.Size; }
	};			};

	void GetSizedFilesFromDir(const std::string &Dir, Vector<SizedFile> *V);			void GetSizedFilesFromDir(const std::string &Dir, std::vector<SizedFile> *V);

	char GetSeparator();			char GetSeparator();
	bool IsSeparator(char C);			bool IsSeparator(char C);
	// Similar to the basename utility: returns the file name w/o the dir prefix.			// Similar to the basename utility: returns the file name w/o the dir prefix.
	std::string Basename(const std::string &Path);			std::string Basename(const std::string &Path);

	FILE* OpenFile(int Fd, const char *Mode);			FILE* OpenFile(int Fd, const char *Mode);

	Show All 17 Lines

compiler-rt/lib/fuzzer/FuzzerIO.cpp

	Show First 20 Lines • Show All 84 Lines • ▼ Show 20 Lines
	void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path) {			void AppendToFile(const uint8_t *Data, size_t Size, const std::string &Path) {
	FILE *Out = fopen(Path.c_str(), "a");			FILE *Out = fopen(Path.c_str(), "a");
	if (!Out)			if (!Out)
	return;			return;
	fwrite(Data, sizeof(Data[0]), Size, Out);			fwrite(Data, sizeof(Data[0]), Size, Out);
	fclose(Out);			fclose(Out);
	}			}

	void ReadDirToVectorOfUnits(const char Path, Vector<Unit> V, long *Epoch,			void ReadDirToVectorOfUnits(const char Path, std::vector<Unit> V, long *Epoch,
	size_t MaxSize, bool ExitOnError,			size_t MaxSize, bool ExitOnError,
	Vector<std::string> *VPaths) {			std::vector<std::string> *VPaths) {
	long E = Epoch ? *Epoch : 0;			long E = Epoch ? *Epoch : 0;
	Vector<std::string> Files;			std::vector<std::string> Files;
	ListFilesInDirRecursive(Path, Epoch, &Files, /TopDir/true);			ListFilesInDirRecursive(Path, Epoch, &Files, /TopDir/true);
	size_t NumLoaded = 0;			size_t NumLoaded = 0;
	for (size_t i = 0; i < Files.size(); i++) {			for (size_t i = 0; i < Files.size(); i++) {
	auto &X = Files[i];			auto &X = Files[i];
	if (Epoch && GetEpoch(X) < E) continue;			if (Epoch && GetEpoch(X) < E) continue;
	NumLoaded++;			NumLoaded++;
	if ((NumLoaded & (NumLoaded - 1)) == 0 && NumLoaded >= 1024)			if ((NumLoaded & (NumLoaded - 1)) == 0 && NumLoaded >= 1024)
	Printf("Loaded %zd/%zd files from %s\n", NumLoaded, Files.size(), Path);			Printf("Loaded %zd/%zd files from %s\n", NumLoaded, Files.size(), Path);
	auto S = FileToVector(X, MaxSize, ExitOnError);			auto S = FileToVector(X, MaxSize, ExitOnError);
	if (!S.empty()) {			if (!S.empty()) {
	V->push_back(S);			V->push_back(S);
	if (VPaths)			if (VPaths)
	VPaths->push_back(X);			VPaths->push_back(X);
	}			}
	}			}
	}			}

	void GetSizedFilesFromDir(const std::string &Dir, Vector<SizedFile> *V) {			void GetSizedFilesFromDir(const std::string &Dir, std::vector<SizedFile> *V) {
	Vector<std::string> Files;			std::vector<std::string> Files;
	ListFilesInDirRecursive(Dir, 0, &Files, /TopDir/true);			ListFilesInDirRecursive(Dir, 0, &Files, /TopDir/true);
	for (auto &File : Files)			for (auto &File : Files)
	if (size_t Size = FileSize(File))			if (size_t Size = FileSize(File))
	V->push_back({File, Size});			V->push_back({File, Size});
	}			}

	std::string DirPlusFile(const std::string &DirPath,			std::string DirPlusFile(const std::string &DirPath,
	const std::string &FileName) {			const std::string &FileName) {
	▲ Show 20 Lines • Show All 83 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerIOPosix.cpp

	Show First 20 Lines • Show All 47 Lines • ▼ Show 20 Lines
	std::string Basename(const std::string &Path) {			std::string Basename(const std::string &Path) {
	size_t Pos = Path.rfind(GetSeparator());			size_t Pos = Path.rfind(GetSeparator());
	if (Pos == std::string::npos) return Path;			if (Pos == std::string::npos) return Path;
	assert(Pos < Path.size());			assert(Pos < Path.size());
	return Path.substr(Pos + 1);			return Path.substr(Pos + 1);
	}			}

	void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,			void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
	Vector<std::string> *V, bool TopDir) {			std::vector<std::string> *V, bool TopDir) {
	auto E = GetEpoch(Dir);			auto E = GetEpoch(Dir);
	if (Epoch)			if (Epoch)
	if (E && *Epoch >= E) return;			if (E && *Epoch >= E) return;

	DIR *D = opendir(Dir.c_str());			DIR *D = opendir(Dir.c_str());
	if (!D) {			if (!D) {
	Printf("%s: %s; exiting\n", strerror(errno), Dir.c_str());			Printf("%s: %s; exiting\n", strerror(errno), Dir.c_str());
	exit(1);			exit(1);
	}			}
	while (auto E = readdir(D)) {			while (auto E = readdir(D)) {
	std::string Path = DirPlusFile(Dir, E->d_name);			std::string Path = DirPlusFile(Dir, E->d_name);
	if (E->d_type == DT_REG \|\| E->d_type == DT_LNK \|\|			if (E->d_type == DT_REG \|\| E->d_type == DT_LNK \|\|
	(E->d_type == DT_UNKNOWN && IsFile(Path)))			(E->d_type == DT_UNKNOWN && IsFile(Path)))
	V->push_back(Path);			V->push_back(Path);
	else if ((E->d_type == DT_DIR \|\|			else if ((E->d_type == DT_DIR \|\|
	(E->d_type == DT_UNKNOWN && IsDirectory(Path))) &&			(E->d_type == DT_UNKNOWN && IsDirectory(Path))) &&
	*E->d_name != '.')			*E->d_name != '.')
	ListFilesInDirRecursive(Path, Epoch, V, false);			ListFilesInDirRecursive(Path, Epoch, V, false);
	}			}
	closedir(D);			closedir(D);
	if (Epoch && TopDir)			if (Epoch && TopDir)
	*Epoch = E;			*Epoch = E;
	}			}


	void IterateDirRecursive(const std::string &Dir,			void IterateDirRecursive(const std::string &Dir,
	void (*DirPreCallback)(const std::string &Dir),			void (*DirPreCallback)(const std::string &Dir),
	void (*DirPostCallback)(const std::string &Dir),			void (*DirPostCallback)(const std::string &Dir),
	void (*FileCallback)(const std::string &Dir)) {			void (*FileCallback)(const std::string &Dir)) {
	DirPreCallback(Dir);			DirPreCallback(Dir);
	DIR *D = opendir(Dir.c_str());			DIR *D = opendir(Dir.c_str());
	if (!D) return;			if (!D) return;
	while (auto E = readdir(D)) {			while (auto E = readdir(D)) {
	▲ Show 20 Lines • Show All 91 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerIOWindows.cpp

Show First 20 Lines • Show All 105 Lines • ▼ Show 20 Lines	size_t FileSize(const std::string &Path) {
}		}
ULARGE_INTEGER size;		ULARGE_INTEGER size;
size.HighPart = attr.nFileSizeHigh;		size.HighPart = attr.nFileSizeHigh;
size.LowPart = attr.nFileSizeLow;		size.LowPart = attr.nFileSizeLow;
return size.QuadPart;		return size.QuadPart;
}		}

void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,		void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
Vector<std::string> *V, bool TopDir) {		std::vector<std::string> *V, bool TopDir) {
auto E = GetEpoch(Dir);		auto E = GetEpoch(Dir);
if (Epoch)		if (Epoch)
if (E && *Epoch >= E) return;		if (E && *Epoch >= E) return;

std::string Path(Dir);		std::string Path(Dir);
assert(!Path.empty());		assert(!Path.empty());
if (Path.back() != '\\')		if (Path.back() != '\\')
Path.push_back('\\');		Path.push_back('\\');
Show All 31 Lines	if (LastError != ERROR_NO_MORE_FILES)
Printf("FindNextFileA failed (Error code: %lu).\n", LastError);		Printf("FindNextFileA failed (Error code: %lu).\n", LastError);

FindClose(FindHandle);		FindClose(FindHandle);

if (Epoch && TopDir)		if (Epoch && TopDir)
*Epoch = E;		*Epoch = E;
}		}


void IterateDirRecursive(const std::string &Dir,		void IterateDirRecursive(const std::string &Dir,
void (*DirPreCallback)(const std::string &Dir),		void (*DirPreCallback)(const std::string &Dir),
void (*DirPostCallback)(const std::string &Dir),		void (*DirPostCallback)(const std::string &Dir),
void (*FileCallback)(const std::string &Dir)) {		void (*FileCallback)(const std::string &Dir)) {
// TODO(metzman): Implement ListFilesInDirRecursive via this function.		// TODO(metzman): Implement ListFilesInDirRecursive via this function.
DirPreCallback(Dir);		DirPreCallback(Dir);

DWORD DirAttrs = GetFileAttributesA(Dir.c_str());		DWORD DirAttrs = GetFileAttributesA(Dir.c_str());
▲ Show 20 Lines • Show All 121 Lines • ▼ Show 20 Lines	if (!(Res = ParseDir(FileName, Pos)))
return 0;		return 0;
Pos += Res;		Pos += Res;
if (!(Res = ParseDir(FileName, Pos)))		if (!(Res = ParseDir(FileName, Pos)))
return 0;		return 0;
Pos += Res;		Pos += Res;
return Pos - Offset;		return Pos - Offset;
}		}

// Parse the given Ref string from the position Offset, to exactly match the given		// Parse the given Ref string from the position Offset, to exactly match the
// string Patt.		// given string Patt. Returns number of characters considered if successful.
// Returns number of characters considered if successful.
static size_t ParseCustomString(const std::string &Ref, size_t Offset,		static size_t ParseCustomString(const std::string &Ref, size_t Offset,
const char *Patt) {		const char *Patt) {
size_t Len = strlen(Patt);		size_t Len = strlen(Patt);
if (Offset + Len > Ref.size())		if (Offset + Len > Ref.size())
return 0;		return 0;
return Ref.compare(Offset, Len, Patt) == 0 ? Len : 0;		return Ref.compare(Offset, Len, Patt) == 0 ? Len : 0;
}		}

▲ Show 20 Lines • Show All 115 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerInternal.h

Show All 29 Lines
using namespace std::chrono;		using namespace std::chrono;

class Fuzzer {		class Fuzzer {
public:		public:

Fuzzer(UserCallback CB, InputCorpus &Corpus, MutationDispatcher &MD,		Fuzzer(UserCallback CB, InputCorpus &Corpus, MutationDispatcher &MD,
FuzzingOptions Options);		FuzzingOptions Options);
~Fuzzer();		~Fuzzer();
void Loop(Vector<SizedFile> &CorporaFiles);		void Loop(std::vector<SizedFile> &CorporaFiles);
void ReadAndExecuteSeedCorpora(Vector<SizedFile> &CorporaFiles);		void ReadAndExecuteSeedCorpora(std::vector<SizedFile> &CorporaFiles);
void MinimizeCrashLoop(const Unit &U);		void MinimizeCrashLoop(const Unit &U);
void RereadOutputCorpus(size_t MaxSize);		void RereadOutputCorpus(size_t MaxSize);

size_t secondsSinceProcessStartUp() {		size_t secondsSinceProcessStartUp() {
return duration_cast<seconds>(system_clock::now() - ProcessStartTime)		return duration_cast<seconds>(system_clock::now() - ProcessStartTime)
.count();		.count();
}		}

Show All 19 Lines	public:

void ExecuteCallback(const uint8_t *Data, size_t Size);		void ExecuteCallback(const uint8_t *Data, size_t Size);
bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,		bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
InputInfo *II = nullptr, bool ForceAddToCorpus = false,		InputInfo *II = nullptr, bool ForceAddToCorpus = false,
bool *FoundUniqFeatures = nullptr);		bool *FoundUniqFeatures = nullptr);
void TPCUpdateObservedPCs();		void TPCUpdateObservedPCs();

// Merge Corpora[1:] into Corpora[0].		// Merge Corpora[1:] into Corpora[0].
void Merge(const Vector<std::string> &Corpora);		void Merge(const std::vector<std::string> &Corpora);
void CrashResistantMergeInternalStep(const std::string &ControlFilePath);		void CrashResistantMergeInternalStep(const std::string &ControlFilePath);
MutationDispatcher &GetMD() { return MD; }		MutationDispatcher &GetMD() { return MD; }
void PrintFinalStats();		void PrintFinalStats();
void SetMaxInputLen(size_t MaxInputLen);		void SetMaxInputLen(size_t MaxInputLen);
void SetMaxMutationLen(size_t MaxMutationLen);		void SetMaxMutationLen(size_t MaxMutationLen);
void RssLimitCallback();		void RssLimitCallback();

bool InFuzzingThread() const { return IsMyThread; }		bool InFuzzingThread() const { return IsMyThread; }
▲ Show 20 Lines • Show All 52 Lines • ▼ Show 20 Lines	private:
system_clock::time_point UnitStartTime, UnitStopTime;		system_clock::time_point UnitStartTime, UnitStopTime;
long TimeOfLongestUnitInSeconds = 0;		long TimeOfLongestUnitInSeconds = 0;
long EpochOfLastReadOfOutputCorpus = 0;		long EpochOfLastReadOfOutputCorpus = 0;

size_t MaxInputLen = 0;		size_t MaxInputLen = 0;
size_t MaxMutationLen = 0;		size_t MaxMutationLen = 0;
size_t TmpMaxMutationLen = 0;		size_t TmpMaxMutationLen = 0;

Vector<uint32_t> UniqFeatureSetTmp;		std::vector<uint32_t> UniqFeatureSetTmp;

// Need to know our own thread.		// Need to know our own thread.
static thread_local bool IsMyThread;		static thread_local bool IsMyThread;
};		};

struct ScopedEnableMsanInterceptorChecks {		struct ScopedEnableMsanInterceptorChecks {
ScopedEnableMsanInterceptorChecks() {		ScopedEnableMsanInterceptorChecks() {
if (EF->__msan_scoped_enable_interceptor_checks)		if (EF->__msan_scoped_enable_interceptor_checks)
Show All 22 Lines

compiler-rt/lib/fuzzer/FuzzerLoop.cpp

Show First 20 Lines • Show All 382 Lines • ▼ Show 20 Lines

void Fuzzer::SetMaxMutationLen(size_t MaxMutationLen) {		void Fuzzer::SetMaxMutationLen(size_t MaxMutationLen) {
assert(MaxMutationLen && MaxMutationLen <= MaxInputLen);		assert(MaxMutationLen && MaxMutationLen <= MaxInputLen);
this->MaxMutationLen = MaxMutationLen;		this->MaxMutationLen = MaxMutationLen;
}		}

void Fuzzer::CheckExitOnSrcPosOrItem() {		void Fuzzer::CheckExitOnSrcPosOrItem() {
if (!Options.ExitOnSrcPos.empty()) {		if (!Options.ExitOnSrcPos.empty()) {
static auto *PCsSet = new Set<uintptr_t>;		static auto *PCsSet = new std::set<uintptr_t>;
auto HandlePC = [&](const TracePC::PCTableEntry *TE) {		auto HandlePC = [&](const TracePC::PCTableEntry *TE) {
if (!PCsSet->insert(TE->PC).second)		if (!PCsSet->insert(TE->PC).second)
return;		return;
std::string Descr = DescribePC("%F %L", TE->PC + 1);		std::string Descr = DescribePC("%F %L", TE->PC + 1);
if (Descr.find(Options.ExitOnSrcPos) != std::string::npos) {		if (Descr.find(Options.ExitOnSrcPos) != std::string::npos) {
Printf("INFO: found line matching '%s', exiting.\n",		Printf("INFO: found line matching '%s', exiting.\n",
Options.ExitOnSrcPos.c_str());		Options.ExitOnSrcPos.c_str());
_Exit(0);		_Exit(0);
}		}
};		};
TPC.ForEachObservedPC(HandlePC);		TPC.ForEachObservedPC(HandlePC);
}		}
if (!Options.ExitOnItem.empty()) {		if (!Options.ExitOnItem.empty()) {
if (Corpus.HasUnit(Options.ExitOnItem)) {		if (Corpus.HasUnit(Options.ExitOnItem)) {
Printf("INFO: found item with checksum '%s', exiting.\n",		Printf("INFO: found item with checksum '%s', exiting.\n",
Options.ExitOnItem.c_str());		Options.ExitOnItem.c_str());
_Exit(0);		_Exit(0);
}		}
}		}
}		}

void Fuzzer::RereadOutputCorpus(size_t MaxSize) {		void Fuzzer::RereadOutputCorpus(size_t MaxSize) {
if (Options.OutputCorpus.empty() \|\| !Options.ReloadIntervalSec)		if (Options.OutputCorpus.empty() \|\| !Options.ReloadIntervalSec)
return;		return;
Vector<Unit> AdditionalCorpus;		std::vector<Unit> AdditionalCorpus;
Vector<std::string> AdditionalCorpusPaths;		std::vector<std::string> AdditionalCorpusPaths;
ReadDirToVectorOfUnits(		ReadDirToVectorOfUnits(
Options.OutputCorpus.c_str(), &AdditionalCorpus,		Options.OutputCorpus.c_str(), &AdditionalCorpus,
&EpochOfLastReadOfOutputCorpus, MaxSize,		&EpochOfLastReadOfOutputCorpus, MaxSize,
/ExitOnError/ false,		/ExitOnError/ false,
(Options.Verbosity >= 2 ? &AdditionalCorpusPaths : nullptr));		(Options.Verbosity >= 2 ? &AdditionalCorpusPaths : nullptr));
if (Options.Verbosity >= 2)		if (Options.Verbosity >= 2)
Printf("Reload: read %zd new units.\n", AdditionalCorpus.size());		Printf("Reload: read %zd new units.\n", AdditionalCorpus.size());
bool Reloaded = false;		bool Reloaded = false;
Show All 26 Lines	if (TimeOfUnit > Threshhold && TimeOfUnit >= Options.ReportSlowUnits) {
TimeOfLongestUnitInSeconds = TimeOfUnit;		TimeOfLongestUnitInSeconds = TimeOfUnit;
Printf("Slowest unit: %zd s:\n", TimeOfLongestUnitInSeconds);		Printf("Slowest unit: %zd s:\n", TimeOfLongestUnitInSeconds);
WriteUnitToFileWithPrefix({Data, Data + Size}, "slow-unit-");		WriteUnitToFileWithPrefix({Data, Data + Size}, "slow-unit-");
}		}
}		}

static void WriteFeatureSetToFile(const std::string &FeaturesDir,		static void WriteFeatureSetToFile(const std::string &FeaturesDir,
const std::string &FileName,		const std::string &FileName,
const Vector<uint32_t> &FeatureSet) {		const std::vector<uint32_t> &FeatureSet) {
if (FeaturesDir.empty() \|\| FeatureSet.empty()) return;		if (FeaturesDir.empty() \|\| FeatureSet.empty()) return;
WriteToFile(reinterpret_cast<const uint8_t *>(FeatureSet.data()),		WriteToFile(reinterpret_cast<const uint8_t *>(FeatureSet.data()),
FeatureSet.size() * sizeof(FeatureSet[0]),		FeatureSet.size() * sizeof(FeatureSet[0]),
DirPlusFile(FeaturesDir, FileName));		DirPlusFile(FeaturesDir, FileName));
}		}

static void RenameFeatureSetFile(const std::string &FeaturesDir,		static void RenameFeatureSetFile(const std::string &FeaturesDir,
const std::string &OldFile,		const std::string &OldFile,
▲ Show 20 Lines • Show All 310 Lines • ▼ Show 20 Lines	void Fuzzer::PurgeAllocator() {

if (Options.RssLimitMb <= 0 \|\|		if (Options.RssLimitMb <= 0 \|\|
GetPeakRSSMb() > static_cast<size_t>(Options.RssLimitMb) / 2)		GetPeakRSSMb() > static_cast<size_t>(Options.RssLimitMb) / 2)
EF->__sanitizer_purge_allocator();		EF->__sanitizer_purge_allocator();

LastAllocatorPurgeAttemptTime = system_clock::now();		LastAllocatorPurgeAttemptTime = system_clock::now();
}		}

void Fuzzer::ReadAndExecuteSeedCorpora(Vector<SizedFile> &CorporaFiles) {		void Fuzzer::ReadAndExecuteSeedCorpora(std::vector<SizedFile> &CorporaFiles) {
const size_t kMaxSaneLen = 1 << 20;		const size_t kMaxSaneLen = 1 << 20;
const size_t kMinDefaultLen = 4096;		const size_t kMinDefaultLen = 4096;
size_t MaxSize = 0;		size_t MaxSize = 0;
size_t MinSize = -1;		size_t MinSize = -1;
size_t TotalSize = 0;		size_t TotalSize = 0;
for (auto &File : CorporaFiles) {		for (auto &File : CorporaFiles) {
MaxSize = Max(File.Size, MaxSize);		MaxSize = Max(File.Size, MaxSize);
MinSize = Min(File.Size, MinSize);		MinSize = Min(File.Size, MinSize);
▲ Show 20 Lines • Show All 48 Lines • ▼ Show 20 Lines	void Fuzzer::ReadAndExecuteSeedCorpora(std::vector<SizedFile> &CorporaFiles) {

if (Corpus.empty() && Options.MaxNumberOfRuns) {		if (Corpus.empty() && Options.MaxNumberOfRuns) {
Printf("ERROR: no interesting inputs were found. "		Printf("ERROR: no interesting inputs were found. "
"Is the code instrumented for coverage? Exiting.\n");		"Is the code instrumented for coverage? Exiting.\n");
exit(1);		exit(1);
}		}
}		}

void Fuzzer::Loop(Vector<SizedFile> &CorporaFiles) {		void Fuzzer::Loop(std::vector<SizedFile> &CorporaFiles) {
auto FocusFunctionOrAuto = Options.FocusFunction;		auto FocusFunctionOrAuto = Options.FocusFunction;
DFT.Init(Options.DataFlowTrace, &FocusFunctionOrAuto, CorporaFiles,		DFT.Init(Options.DataFlowTrace, &FocusFunctionOrAuto, CorporaFiles,
MD.GetRand());		MD.GetRand());
TPC.SetFocusFunction(FocusFunctionOrAuto);		TPC.SetFocusFunction(FocusFunctionOrAuto);
ReadAndExecuteSeedCorpora(CorporaFiles);		ReadAndExecuteSeedCorpora(CorporaFiles);
DFT.Clear(); // No need for DFT any more.		DFT.Clear(); // No need for DFT any more.
TPC.SetPrintNewPCs(Options.PrintNewCovPcs);		TPC.SetPrintNewPCs(Options.PrintNewCovPcs);
TPC.SetPrintNewFuncs(Options.PrintNewCovFuncs);		TPC.SetPrintNewFuncs(Options.PrintNewCovFuncs);
▲ Show 20 Lines • Show All 71 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerMerge.h

	Show First 20 Lines • Show All 46 Lines • ▼ Show 20 Lines
	#include <set>			#include <set>
	#include <vector>			#include <vector>

	namespace fuzzer {			namespace fuzzer {

	struct MergeFileInfo {			struct MergeFileInfo {
	std::string Name;			std::string Name;
	size_t Size = 0;			size_t Size = 0;
	Vector<uint32_t> Features, Cov;			std::vector<uint32_t> Features, Cov;
	};			};

	struct Merger {			struct Merger {
	Vector<MergeFileInfo> Files;			std::vector<MergeFileInfo> Files;
	size_t NumFilesInFirstCorpus = 0;			size_t NumFilesInFirstCorpus = 0;
	size_t FirstNotProcessedFile = 0;			size_t FirstNotProcessedFile = 0;
	std::string LastFailure;			std::string LastFailure;

	bool Parse(std::istream &IS, bool ParseCoverage);			bool Parse(std::istream &IS, bool ParseCoverage);
	bool Parse(const std::string &Str, bool ParseCoverage);			bool Parse(const std::string &Str, bool ParseCoverage);
	void ParseOrExit(std::istream &IS, bool ParseCoverage);			void ParseOrExit(std::istream &IS, bool ParseCoverage);
	size_t Merge(const Set<uint32_t> &InitialFeatures, Set<uint32_t> *NewFeatures,			size_t Merge(const std::set<uint32_t> &InitialFeatures,
	const Set<uint32_t> &InitialCov, Set<uint32_t> *NewCov,			std::set<uint32_t> *NewFeatures,
	Vector<std::string> *NewFiles);			const std::set<uint32_t> &InitialCov, std::set<uint32_t> *NewCov,
				std::vector<std::string> *NewFiles);
	size_t ApproximateMemoryConsumption() const;			size_t ApproximateMemoryConsumption() const;
	Set<uint32_t> AllFeatures() const;			std::set<uint32_t> AllFeatures() const;
	};			};

	void CrashResistantMerge(const Vector<std::string> &Args,			void CrashResistantMerge(const std::vector<std::string> &Args,
	const Vector<SizedFile> &OldCorpus,			const std::vector<SizedFile> &OldCorpus,
	const Vector<SizedFile> &NewCorpus,			const std::vector<SizedFile> &NewCorpus,
	Vector<std::string> *NewFiles,			std::vector<std::string> *NewFiles,
	const Set<uint32_t> &InitialFeatures,			const std::set<uint32_t> &InitialFeatures,
	Set<uint32_t> *NewFeatures,			std::set<uint32_t> *NewFeatures,
	const Set<uint32_t> &InitialCov,			const std::set<uint32_t> &InitialCov,
	Set<uint32_t> *NewCov,			std::set<uint32_t> *NewCov, const std::string &CFPath,
	const std::string &CFPath,
	bool Verbose);			bool Verbose);

	} // namespace fuzzer			} // namespace fuzzer

	#endif // LLVM_FUZZER_MERGE_H			#endif // LLVM_FUZZER_MERGE_H

compiler-rt/lib/fuzzer/FuzzerMerge.cpp

Show First 20 Lines • Show All 71 Lines • ▼ Show 20 Lines	bool Merger::Parse(std::istream &IS, bool ParseCoverage) {
for (size_t i = 0; i < NumFiles; i++)		for (size_t i = 0; i < NumFiles; i++)
if (!std::getline(IS, Files[i].Name, '\n'))		if (!std::getline(IS, Files[i].Name, '\n'))
return false;		return false;

// Parse STARTED, FT, and COV lines.		// Parse STARTED, FT, and COV lines.
size_t ExpectedStartMarker = 0;		size_t ExpectedStartMarker = 0;
const size_t kInvalidStartMarker = -1;		const size_t kInvalidStartMarker = -1;
size_t LastSeenStartMarker = kInvalidStartMarker;		size_t LastSeenStartMarker = kInvalidStartMarker;
Vector<uint32_t> TmpFeatures;		std::vector<uint32_t> TmpFeatures;
Set<uint32_t> PCs;		std::set<uint32_t> PCs;
while (std::getline(IS, Line, '\n')) {		while (std::getline(IS, Line, '\n')) {
std::istringstream ISS1(Line);		std::istringstream ISS1(Line);
std::string Marker;		std::string Marker;
uint32_t N;		uint32_t N;
if (!(ISS1 >> Marker) \|\| !(ISS1 >> N))		if (!(ISS1 >> Marker) \|\| !(ISS1 >> N))
return false;		return false;
if (Marker == "STARTED") {		if (Marker == "STARTED") {
// STARTED FILE_ID FILE_SIZE		// STARTED FILE_ID FILE_SIZE
Show All 37 Lines	size_t Merger::ApproximateMemoryConsumption() const {
size_t Res = 0;		size_t Res = 0;
for (const auto &F: Files)		for (const auto &F: Files)
Res += sizeof(F) + F.Features.size() * sizeof(F.Features[0]);		Res += sizeof(F) + F.Features.size() * sizeof(F.Features[0]);
return Res;		return Res;
}		}

// Decides which files need to be merged (add those to NewFiles).		// Decides which files need to be merged (add those to NewFiles).
// Returns the number of new features added.		// Returns the number of new features added.
size_t Merger::Merge(const Set<uint32_t> &InitialFeatures,		size_t Merger::Merge(const std::set<uint32_t> &InitialFeatures,
Set<uint32_t> *NewFeatures,		std::set<uint32_t> *NewFeatures,
const Set<uint32_t> &InitialCov, Set<uint32_t> *NewCov,		const std::set<uint32_t> &InitialCov,
Vector<std::string> *NewFiles) {		std::set<uint32_t> *NewCov,
		std::vector<std::string> *NewFiles) {
NewFiles->clear();		NewFiles->clear();
NewFeatures->clear();		NewFeatures->clear();
NewCov->clear();		NewCov->clear();
assert(NumFilesInFirstCorpus <= Files.size());		assert(NumFilesInFirstCorpus <= Files.size());
Set<uint32_t> AllFeatures = InitialFeatures;		std::set<uint32_t> AllFeatures = InitialFeatures;

// What features are in the initial corpus?		// What features are in the initial corpus?
for (size_t i = 0; i < NumFilesInFirstCorpus; i++) {		for (size_t i = 0; i < NumFilesInFirstCorpus; i++) {
auto &Cur = Files[i].Features;		auto &Cur = Files[i].Features;
AllFeatures.insert(Cur.begin(), Cur.end());		AllFeatures.insert(Cur.begin(), Cur.end());
}		}
// Remove all features that we already know from all other inputs.		// Remove all features that we already know from all other inputs.
for (size_t i = NumFilesInFirstCorpus; i < Files.size(); i++) {		for (size_t i = NumFilesInFirstCorpus; i < Files.size(); i++) {
auto &Cur = Files[i].Features;		auto &Cur = Files[i].Features;
Vector<uint32_t> Tmp;		std::vector<uint32_t> Tmp;
std::set_difference(Cur.begin(), Cur.end(), AllFeatures.begin(),		std::set_difference(Cur.begin(), Cur.end(), AllFeatures.begin(),
AllFeatures.end(), std::inserter(Tmp, Tmp.begin()));		AllFeatures.end(), std::inserter(Tmp, Tmp.begin()));
Cur.swap(Tmp);		Cur.swap(Tmp);
}		}

// Sort. Give preference to		// Sort. Give preference to
// * smaller files		// * smaller files
// * files with more features.		// * files with more features.
Show All 21 Lines	if (FoundNewFeatures)
NewFiles->push_back(Files[i].Name);		NewFiles->push_back(Files[i].Name);
for (auto Cov : Files[i].Cov)		for (auto Cov : Files[i].Cov)
if (InitialCov.find(Cov) == InitialCov.end())		if (InitialCov.find(Cov) == InitialCov.end())
NewCov->insert(Cov);		NewCov->insert(Cov);
}		}
return NewFeatures->size();		return NewFeatures->size();
}		}

Set<uint32_t> Merger::AllFeatures() const {		std::set<uint32_t> Merger::AllFeatures() const {
Set<uint32_t> S;		std::set<uint32_t> S;
for (auto &File : Files)		for (auto &File : Files)
S.insert(File.Features.begin(), File.Features.end());		S.insert(File.Features.begin(), File.Features.end());
return S;		return S;
}		}

// Inner process. May crash if the target crashes.		// Inner process. May crash if the target crashes.
void Fuzzer::CrashResistantMergeInternalStep(const std::string &CFPath) {		void Fuzzer::CrashResistantMergeInternalStep(const std::string &CFPath) {
Printf("MERGE-INNER: using the control file '%s'\n", CFPath.c_str());		Printf("MERGE-INNER: using the control file '%s'\n", CFPath.c_str());
Merger M;		Merger M;
std::ifstream IF(CFPath);		std::ifstream IF(CFPath);
M.ParseOrExit(IF, false);		M.ParseOrExit(IF, false);
IF.close();		IF.close();
if (!M.LastFailure.empty())		if (!M.LastFailure.empty())
Printf("MERGE-INNER: '%s' caused a failure at the previous merge step\n",		Printf("MERGE-INNER: '%s' caused a failure at the previous merge step\n",
M.LastFailure.c_str());		M.LastFailure.c_str());

Printf("MERGE-INNER: %zd total files;"		Printf("MERGE-INNER: %zd total files;"
" %zd processed earlier; will process %zd files now\n",		" %zd processed earlier; will process %zd files now\n",
M.Files.size(), M.FirstNotProcessedFile,		M.Files.size(), M.FirstNotProcessedFile,
M.Files.size() - M.FirstNotProcessedFile);		M.Files.size() - M.FirstNotProcessedFile);

std::ofstream OF(CFPath, std::ofstream::out \| std::ofstream::app);		std::ofstream OF(CFPath, std::ofstream::out \| std::ofstream::app);
Set<size_t> AllFeatures;		std::set<size_t> AllFeatures;
auto PrintStatsWrapper = [this, &AllFeatures](const char* Where) {		auto PrintStatsWrapper = [this, &AllFeatures](const char* Where) {
this->PrintStats(Where, "\n", 0, AllFeatures.size());		this->PrintStats(Where, "\n", 0, AllFeatures.size());
};		};
Set<const TracePC::PCTableEntry *> AllPCs;		std::set<const TracePC::PCTableEntry *> AllPCs;
for (size_t i = M.FirstNotProcessedFile; i < M.Files.size(); i++) {		for (size_t i = M.FirstNotProcessedFile; i < M.Files.size(); i++) {
Fuzzer::MaybeExitGracefully();		Fuzzer::MaybeExitGracefully();
auto U = FileToVector(M.Files[i].Name);		auto U = FileToVector(M.Files[i].Name);
if (U.size() > MaxInputLen) {		if (U.size() > MaxInputLen) {
U.resize(MaxInputLen);		U.resize(MaxInputLen);
U.shrink_to_fit();		U.shrink_to_fit();
}		}

// Write the pre-run marker.		// Write the pre-run marker.
OF << "STARTED " << i << " " << U.size() << "\n";		OF << "STARTED " << i << " " << U.size() << "\n";
OF.flush(); // Flush is important since Command::Execute may crash.		OF.flush(); // Flush is important since Command::Execute may crash.
// Run.		// Run.
TPC.ResetMaps();		TPC.ResetMaps();
ExecuteCallback(U.data(), U.size());		ExecuteCallback(U.data(), U.size());
// Collect coverage. We are iterating over the files in this order:		// Collect coverage. We are iterating over the files in this order:
// * First, files in the initial corpus ordered by size, smallest first.		// * First, files in the initial corpus ordered by size, smallest first.
// * Then, all other files, smallest first.		// * Then, all other files, smallest first.
// So it makes no sense to record all features for all files, instead we		// So it makes no sense to record all features for all files, instead we
// only record features that were not seen before.		// only record features that were not seen before.
Set<size_t> UniqFeatures;		std::set<size_t> UniqFeatures;
TPC.CollectFeatures([&](size_t Feature) {		TPC.CollectFeatures([&](size_t Feature) {
if (AllFeatures.insert(Feature).second)		if (AllFeatures.insert(Feature).second)
UniqFeatures.insert(Feature);		UniqFeatures.insert(Feature);
});		});
TPC.UpdateObservedPCs();		TPC.UpdateObservedPCs();
// Show stats.		// Show stats.
if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)))		if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)))
PrintStatsWrapper("pulse ");		PrintStatsWrapper("pulse ");
Show All 10 Lines	TPC.ForEachObservedPC([&](const TracePC::PCTableEntry *TE) {
OF << " " << TPC.PCTableEntryIdx(TE);		OF << " " << TPC.PCTableEntryIdx(TE);
});		});
OF << "\n";		OF << "\n";
OF.flush();		OF.flush();
}		}
PrintStatsWrapper("DONE ");		PrintStatsWrapper("DONE ");
}		}

static size_t WriteNewControlFile(const std::string &CFPath,		static size_t
const Vector<SizedFile> &OldCorpus,		WriteNewControlFile(const std::string &CFPath,
const Vector<SizedFile> &NewCorpus,		const std::vector<SizedFile> &OldCorpus,
const Vector<MergeFileInfo> &KnownFiles) {		const std::vector<SizedFile> &NewCorpus,
		const std::vector<MergeFileInfo> &KnownFiles) {
std::unordered_set<std::string> FilesToSkip;		std::unordered_set<std::string> FilesToSkip;
for (auto &SF: KnownFiles)		for (auto &SF: KnownFiles)
FilesToSkip.insert(SF.Name);		FilesToSkip.insert(SF.Name);

Vector<std::string> FilesToUse;		std::vector<std::string> FilesToUse;
auto MaybeUseFile = [=, &FilesToUse](std::string Name) {		auto MaybeUseFile = [=, &FilesToUse](std::string Name) {
if (FilesToSkip.find(Name) == FilesToSkip.end())		if (FilesToSkip.find(Name) == FilesToSkip.end())
FilesToUse.push_back(Name);		FilesToUse.push_back(Name);
};		};
for (auto &SF: OldCorpus)		for (auto &SF: OldCorpus)
MaybeUseFile(SF.File);		MaybeUseFile(SF.File);
auto FilesToUseFromOldCorpus = FilesToUse.size();		auto FilesToUseFromOldCorpus = FilesToUse.size();
for (auto &SF: NewCorpus)		for (auto &SF: NewCorpus)
Show All 11 Lines	Printf("MERGE-OUTER: failed to write to the control file: %s\n",
CFPath.c_str());		CFPath.c_str());
exit(1);		exit(1);
}		}

return FilesToUse.size();		return FilesToUse.size();
}		}

// Outer process. Does not call the target code and thus should not fail.		// Outer process. Does not call the target code and thus should not fail.
void CrashResistantMerge(const Vector<std::string> &Args,		void CrashResistantMerge(const std::vector<std::string> &Args,
const Vector<SizedFile> &OldCorpus,		const std::vector<SizedFile> &OldCorpus,
const Vector<SizedFile> &NewCorpus,		const std::vector<SizedFile> &NewCorpus,
Vector<std::string> *NewFiles,		std::vector<std::string> *NewFiles,
const Set<uint32_t> &InitialFeatures,		const std::set<uint32_t> &InitialFeatures,
Set<uint32_t> *NewFeatures,		std::set<uint32_t> *NewFeatures,
const Set<uint32_t> &InitialCov,		const std::set<uint32_t> &InitialCov,
Set<uint32_t> *NewCov,		std::set<uint32_t> *NewCov, const std::string &CFPath,
const std::string &CFPath,
bool V /Verbose/) {		bool V /Verbose/) {
if (NewCorpus.empty() && OldCorpus.empty()) return; // Nothing to merge.		if (NewCorpus.empty() && OldCorpus.empty()) return; // Nothing to merge.
size_t NumAttempts = 0;		size_t NumAttempts = 0;
Vector<MergeFileInfo> KnownFiles;		std::vector<MergeFileInfo> KnownFiles;
if (FileSize(CFPath)) {		if (FileSize(CFPath)) {
VPrintf(V, "MERGE-OUTER: non-empty control file provided: '%s'\n",		VPrintf(V, "MERGE-OUTER: non-empty control file provided: '%s'\n",
CFPath.c_str());		CFPath.c_str());
Merger M;		Merger M;
std::ifstream IF(CFPath);		std::ifstream IF(CFPath);
if (M.Parse(IF, /ParseCoverage=/true)) {		if (M.Parse(IF, /ParseCoverage=/true)) {
VPrintf(V, "MERGE-OUTER: control file ok, %zd files total,"		VPrintf(V, "MERGE-OUTER: control file ok, %zd files total,"
" first not processed file %zd\n",		" first not processed file %zd\n",
▲ Show 20 Lines • Show All 82 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerMutate.h

Show First 20 Lines • Show All 71 Lines • ▼ Show 20 Lines	public:
/// Applies one of the configured mutations.		/// Applies one of the configured mutations.
/// Returns the new size of data which could be up to MaxSize.		/// Returns the new size of data which could be up to MaxSize.
size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize);		size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize);

/// Applies one of the configured mutations to the bytes of Data		/// Applies one of the configured mutations to the bytes of Data
/// that have '1' in Mask.		/// that have '1' in Mask.
/// Mask.size() should be >= Size.		/// Mask.size() should be >= Size.
size_t MutateWithMask(uint8_t *Data, size_t Size, size_t MaxSize,		size_t MutateWithMask(uint8_t *Data, size_t Size, size_t MaxSize,
const Vector<uint8_t> &Mask);		const std::vector<uint8_t> &Mask);

/// Applies one of the default mutations. Provided as a service		/// Applies one of the default mutations. Provided as a service
/// to mutation authors.		/// to mutation authors.
size_t DefaultMutate(uint8_t *Data, size_t Size, size_t MaxSize);		size_t DefaultMutate(uint8_t *Data, size_t Size, size_t MaxSize);

/// Creates a cross-over of two pieces of Data, returns its size.		/// Creates a cross-over of two pieces of Data, returns its size.
size_t CrossOver(const uint8_t Data1, size_t Size1, const uint8_t Data2,		size_t CrossOver(const uint8_t Data1, size_t Size1, const uint8_t Data2,
size_t Size2, uint8_t *Out, size_t MaxOutSize);		size_t Size2, uint8_t *Out, size_t MaxOutSize);
Show All 10 Lines	private:
struct Mutator {		struct Mutator {
size_t (MutationDispatcher::Fn)(uint8_t Data, size_t Size, size_t Max);		size_t (MutationDispatcher::Fn)(uint8_t Data, size_t Size, size_t Max);
const char *Name;		const char *Name;
};		};

size_t AddWordFromDictionary(Dictionary &D, uint8_t *Data, size_t Size,		size_t AddWordFromDictionary(Dictionary &D, uint8_t *Data, size_t Size,
size_t MaxSize);		size_t MaxSize);
size_t MutateImpl(uint8_t *Data, size_t Size, size_t MaxSize,		size_t MutateImpl(uint8_t *Data, size_t Size, size_t MaxSize,
Vector<Mutator> &Mutators);		std::vector<Mutator> &Mutators);

size_t InsertPartOf(const uint8_t From, size_t FromSize, uint8_t To,		size_t InsertPartOf(const uint8_t From, size_t FromSize, uint8_t To,
size_t ToSize, size_t MaxToSize);		size_t ToSize, size_t MaxToSize);
size_t CopyPartOf(const uint8_t From, size_t FromSize, uint8_t To,		size_t CopyPartOf(const uint8_t From, size_t FromSize, uint8_t To,
size_t ToSize);		size_t ToSize);
size_t ApplyDictionaryEntry(uint8_t *Data, size_t Size, size_t MaxSize,		size_t ApplyDictionaryEntry(uint8_t *Data, size_t Size, size_t MaxSize,
DictionaryEntry &DE);		DictionaryEntry &DE);

Show All 12 Lines	private:
const FuzzingOptions Options;		const FuzzingOptions Options;

// Dictionary provided by the user via -dict=DICT_FILE.		// Dictionary provided by the user via -dict=DICT_FILE.
Dictionary ManualDictionary;		Dictionary ManualDictionary;
// Persistent dictionary modified by the fuzzer, consists of		// Persistent dictionary modified by the fuzzer, consists of
// entries that led to successful discoveries in the past mutations.		// entries that led to successful discoveries in the past mutations.
Dictionary PersistentAutoDictionary;		Dictionary PersistentAutoDictionary;

Vector<DictionaryEntry *> CurrentDictionaryEntrySequence;		std::vector<DictionaryEntry *> CurrentDictionaryEntrySequence;

static const size_t kCmpDictionaryEntriesDequeSize = 16;		static const size_t kCmpDictionaryEntriesDequeSize = 16;
DictionaryEntry CmpDictionaryEntriesDeque[kCmpDictionaryEntriesDequeSize];		DictionaryEntry CmpDictionaryEntriesDeque[kCmpDictionaryEntriesDequeSize];
size_t CmpDictionaryEntriesDequeIdx = 0;		size_t CmpDictionaryEntriesDequeIdx = 0;

const Unit *CrossOverWith = nullptr;		const Unit *CrossOverWith = nullptr;
Vector<uint8_t> MutateInPlaceHere;		std::vector<uint8_t> MutateInPlaceHere;
Vector<uint8_t> MutateWithMaskTemp;		std::vector<uint8_t> MutateWithMaskTemp;
// CustomCrossOver needs its own buffer as a custom implementation may call		// CustomCrossOver needs its own buffer as a custom implementation may call
// LLVMFuzzerMutate, which in turn may resize MutateInPlaceHere.		// LLVMFuzzerMutate, which in turn may resize MutateInPlaceHere.
Vector<uint8_t> CustomCrossOverInPlaceHere;		std::vector<uint8_t> CustomCrossOverInPlaceHere;

Vector<Mutator> Mutators;		std::vector<Mutator> Mutators;
Vector<Mutator> DefaultMutators;		std::vector<Mutator> DefaultMutators;
Vector<Mutator> CurrentMutatorSequence;		std::vector<Mutator> CurrentMutatorSequence;
};		};

} // namespace fuzzer		} // namespace fuzzer

#endif // LLVM_FUZZER_MUTATE_H		#endif // LLVM_FUZZER_MUTATE_H

compiler-rt/lib/fuzzer/FuzzerMutate.cpp

Show First 20 Lines • Show All 479 Lines • ▼ Show 20 Lines	for (auto DE : CurrentDictionaryEntrySequence) {
assert(DE->GetW().size());		assert(DE->GetW().size());
// Linear search is fine here as this happens seldom.		// Linear search is fine here as this happens seldom.
if (!PersistentAutoDictionary.ContainsWord(DE->GetW()))		if (!PersistentAutoDictionary.ContainsWord(DE->GetW()))
PersistentAutoDictionary.push_back(*DE);		PersistentAutoDictionary.push_back(*DE);
}		}
}		}

void MutationDispatcher::PrintRecommendedDictionary() {		void MutationDispatcher::PrintRecommendedDictionary() {
Vector<DictionaryEntry> V;		std::vector<DictionaryEntry> V;
for (auto &DE : PersistentAutoDictionary)		for (auto &DE : PersistentAutoDictionary)
if (!ManualDictionary.ContainsWord(DE.GetW()))		if (!ManualDictionary.ContainsWord(DE.GetW()))
V.push_back(DE);		V.push_back(DE);
if (V.empty()) return;		if (V.empty()) return;
Printf("###### Recommended dictionary. ######\n");		Printf("###### Recommended dictionary. ######\n");
for (auto &DE: V) {		for (auto &DE: V) {
assert(DE.GetW().size());		assert(DE.GetW().size());
Printf("\"");		Printf("\"");
Show All 38 Lines
size_t MutationDispatcher::DefaultMutate(uint8_t *Data, size_t Size,		size_t MutationDispatcher::DefaultMutate(uint8_t *Data, size_t Size,
size_t MaxSize) {		size_t MaxSize) {
return MutateImpl(Data, Size, MaxSize, DefaultMutators);		return MutateImpl(Data, Size, MaxSize, DefaultMutators);
}		}

// Mutates Data in place, returns new size.		// Mutates Data in place, returns new size.
size_t MutationDispatcher::MutateImpl(uint8_t *Data, size_t Size,		size_t MutationDispatcher::MutateImpl(uint8_t *Data, size_t Size,
size_t MaxSize,		size_t MaxSize,
Vector<Mutator> &Mutators) {		std::vector<Mutator> &Mutators) {
assert(MaxSize > 0);		assert(MaxSize > 0);
// Some mutations may fail (e.g. can't insert more bytes if Size == MaxSize),		// Some mutations may fail (e.g. can't insert more bytes if Size == MaxSize),
// in which case they will return 0.		// in which case they will return 0.
// Try several times before returning un-mutated data.		// Try several times before returning un-mutated data.
for (int Iter = 0; Iter < 100; Iter++) {		for (int Iter = 0; Iter < 100; Iter++) {
auto M = Mutators[Rand(Mutators.size())];		auto M = Mutators[Rand(Mutators.size())];
size_t NewSize = (this->*(M.Fn))(Data, Size, MaxSize);		size_t NewSize = (this->*(M.Fn))(Data, Size, MaxSize);
if (NewSize && NewSize <= MaxSize) {		if (NewSize && NewSize <= MaxSize) {
if (Options.OnlyASCII)		if (Options.OnlyASCII)
ToASCII(Data, NewSize);		ToASCII(Data, NewSize);
CurrentMutatorSequence.push_back(M);		CurrentMutatorSequence.push_back(M);
return NewSize;		return NewSize;
}		}
}		}
*Data = ' ';		*Data = ' ';
return 1; // Fallback, should not happen frequently.		return 1; // Fallback, should not happen frequently.
}		}

// Mask represents the set of Data bytes that are worth mutating.		// Mask represents the set of Data bytes that are worth mutating.
size_t MutationDispatcher::MutateWithMask(uint8_t *Data, size_t Size,		size_t MutationDispatcher::MutateWithMask(uint8_t *Data, size_t Size,
size_t MaxSize,		size_t MaxSize,
const Vector<uint8_t> &Mask) {		const std::vector<uint8_t> &Mask) {
size_t MaskedSize = std::min(Size, Mask.size());		size_t MaskedSize = std::min(Size, Mask.size());
// * Copy the worthy bytes into a temporary array T		// * Copy the worthy bytes into a temporary array T
// * Mutate T		// * Mutate T
// * Copy T back.		// * Copy T back.
// This is totally unoptimized.		// This is totally unoptimized.
auto &T = MutateWithMaskTemp;		auto &T = MutateWithMaskTemp;
if (T.size() < Size)		if (T.size() < Size)
T.resize(Size);		T.resize(Size);
Show All 23 Lines

compiler-rt/lib/fuzzer/FuzzerTracePC.h

Show First 20 Lines • Show All 163 Lines • ▼ Show 20 Lines	for (size_t m = 0; m < NumModules; m++)
for (size_t r = 0; r < Modules[m].NumRegions; r++)		for (size_t r = 0; r < Modules[m].NumRegions; r++)
CB(Modules[m].Regions[r]);		CB(Modules[m].Regions[r]);
}		}

struct { const PCTableEntry Start, Stop; } ModulePCTable[4096];		struct { const PCTableEntry Start, Stop; } ModulePCTable[4096];
size_t NumPCTables;		size_t NumPCTables;
size_t NumPCsInPCTables;		size_t NumPCsInPCTables;

Set<const PCTableEntry*> ObservedPCs;		std::set<const PCTableEntry *> ObservedPCs;
std::unordered_map<uintptr_t, uintptr_t> ObservedFuncs; // PC => Counter.		std::unordered_map<uintptr_t, uintptr_t> ObservedFuncs; // PC => Counter.

uint8_t *FocusFunctionCounterPtr = nullptr;		uint8_t *FocusFunctionCounterPtr = nullptr;

ValueBitMap ValueProfileMap;		ValueBitMap ValueProfileMap;
uintptr_t InitialStack;		uintptr_t InitialStack;
};		};

▲ Show 20 Lines • Show All 118 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp

Show First 20 Lines • Show All 151 Lines • ▼ Show 20 Lines	#elif defined(__powerpc__) \|\| defined(__sparc__) \|\| defined(__arm__) \|\| \
defined(__aarch64__)		defined(__aarch64__)
return PC + 4;		return PC + 4;
#else		#else
return PC + 1;		return PC + 1;
#endif		#endif
}		}

void TracePC::UpdateObservedPCs() {		void TracePC::UpdateObservedPCs() {
Vector<uintptr_t> CoveredFuncs;		std::vector<uintptr_t> CoveredFuncs;
auto ObservePC = [&](const PCTableEntry *TE) {		auto ObservePC = [&](const PCTableEntry *TE) {
if (ObservedPCs.insert(TE).second && DoPrintNewPCs) {		if (ObservedPCs.insert(TE).second && DoPrintNewPCs) {
PrintPC("\tNEW_PC: %p %F %L", "\tNEW_PC: %p",		PrintPC("\tNEW_PC: %p %F %L", "\tNEW_PC: %p",
GetNextInstructionPc(TE->PC));		GetNextInstructionPc(TE->PC));
Printf("\n");		Printf("\n");
}		}
};		};

▲ Show 20 Lines • Show All 126 Lines • ▼ Show 20 Lines	auto CoveredFunctionCallback = [&](const PCTableEntry *First,
std::string FileStr = DescribePC("%s", VisualizePC);		std::string FileStr = DescribePC("%s", VisualizePC);
if (!IsInterestingCoverageFile(FileStr))		if (!IsInterestingCoverageFile(FileStr))
return;		return;
std::string FunctionStr = DescribePC("%F", VisualizePC);		std::string FunctionStr = DescribePC("%F", VisualizePC);
if (FunctionStr.find("in ") == 0)		if (FunctionStr.find("in ") == 0)
FunctionStr = FunctionStr.substr(3);		FunctionStr = FunctionStr.substr(3);
std::string LineStr = DescribePC("%l", VisualizePC);		std::string LineStr = DescribePC("%l", VisualizePC);
size_t NumEdges = Last - First;		size_t NumEdges = Last - First;
Vector<uintptr_t> UncoveredPCs;		std::vector<uintptr_t> UncoveredPCs;
Vector<uintptr_t> CoveredPCs;		std::vector<uintptr_t> CoveredPCs;
for (auto TE = First; TE < Last; TE++)		for (auto TE = First; TE < Last; TE++)
if (!ObservedPCs.count(TE))		if (!ObservedPCs.count(TE))
UncoveredPCs.push_back(TE->PC);		UncoveredPCs.push_back(TE->PC);
else		else
CoveredPCs.push_back(TE->PC);		CoveredPCs.push_back(TE->PC);

if (PrintAllCounters) {		if (PrintAllCounters) {
Printf("U");		Printf("U");
▲ Show 20 Lines • Show All 370 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerUtil.h

	Show First 20 Lines • Show All 60 Lines • ▼ Show 20 Lines

	// Fuchsia does not have popen/pclose.			// Fuchsia does not have popen/pclose.
	FILE OpenProcessPipe(const char Command, const char *Mode);			FILE OpenProcessPipe(const char Command, const char *Mode);
	int CloseProcessPipe(FILE *F);			int CloseProcessPipe(FILE *F);

	const void SearchMemory(const void haystack, size_t haystacklen,			const void SearchMemory(const void haystack, size_t haystacklen,
	const void *needle, size_t needlelen);			const void *needle, size_t needlelen);

	std::string CloneArgsWithoutX(const Vector<std::string> &Args,			std::string CloneArgsWithoutX(const std::vector<std::string> &Args,
	const char X1, const char X2);			const char X1, const char X2);

	inline std::string CloneArgsWithoutX(const Vector<std::string> &Args,			inline std::string CloneArgsWithoutX(const std::vector<std::string> &Args,
	const char *X) {			const char *X) {
	return CloneArgsWithoutX(Args, X, X);			return CloneArgsWithoutX(Args, X, X);
	}			}

	inline std::pair<std::string, std::string> SplitBefore(std::string X,			inline std::pair<std::string, std::string> SplitBefore(std::string X,
	std::string S) {			std::string S) {
	auto Pos = S.find(X);			auto Pos = S.find(X);
	if (Pos == std::string::npos)			if (Pos == std::string::npos)
	Show All 39 Lines

compiler-rt/lib/fuzzer/FuzzerUtil.cpp

Show First 20 Lines • Show All 118 Lines • ▼ Show 20 Lines	for (size_t Pos = L; Pos <= R; Pos++) {
} else {		} else {
// Any other character.		// Any other character.
U->push_back(V);		U->push_back(V);
}		}
}		}
return true;		return true;
}		}

bool ParseDictionaryFile(const std::string &Text, Vector<Unit> *Units) {		bool ParseDictionaryFile(const std::string &Text, std::vector<Unit> *Units) {
if (Text.empty()) {		if (Text.empty()) {
Printf("ParseDictionaryFile: file does not exist or is empty\n");		Printf("ParseDictionaryFile: file does not exist or is empty\n");
return false;		return false;
}		}
std::istringstream ISS(Text);		std::istringstream ISS(Text);
Units->clear();		Units->clear();
Unit U;		Unit U;
int LineNo = 0;		int LineNo = 0;
▲ Show 20 Lines • Show All 102 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerUtilWindows.cpp

Show First 20 Lines • Show All 198 Lines • ▼ Show 20 Lines	const void SearchMemory(const void Data, size_t DataLen, const void *Patt,
for (const char *It = Cdata; It < End; ++It)		for (const char *It = Cdata; It < End; ++It)
if (It[0] == Cpatt[0] && memcmp(It, Cpatt, PattLen) == 0)		if (It[0] == Cpatt[0] && memcmp(It, Cpatt, PattLen) == 0)
return It;		return It;

return NULL;		return NULL;
}		}

std::string DisassembleCmd(const std::string &FileName) {		std::string DisassembleCmd(const std::string &FileName) {
Vector<std::string> command_vector;		std::vector<std::string> command_vector;
command_vector.push_back("dumpbin /summary > nul");		command_vector.push_back("dumpbin /summary > nul");
if (ExecuteCommand(Command(command_vector)) == 0)		if (ExecuteCommand(Command(command_vector)) == 0)
return "dumpbin /disasm " + FileName;		return "dumpbin /disasm " + FileName;
Printf("libFuzzer: couldn't find tool to disassemble (dumpbin)\n");		Printf("libFuzzer: couldn't find tool to disassemble (dumpbin)\n");
exit(1);		exit(1);
}		}

std::string SearchRegexCmd(const std::string &Regex) {		std::string SearchRegexCmd(const std::string &Regex) {
Show All 14 Lines

compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp

Show All 18 Lines
#include "gtest/gtest.h"		#include "gtest/gtest.h"
#include <memory>		#include <memory>
#include <set>		#include <set>
#include <sstream>		#include <sstream>

using namespace fuzzer;		using namespace fuzzer;

// For now, have LLVMFuzzerTestOneInput just to make it link.		// For now, have LLVMFuzzerTestOneInput just to make it link.
// Later we may want to make unittests that actually call LLVMFuzzerTestOneInput.		// Later we may want to make unittests that actually call
		// LLVMFuzzerTestOneInput.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {		extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
abort();		abort();
}		}

TEST(Fuzzer, Basename) {		TEST(Fuzzer, Basename) {
EXPECT_EQ(Basename("foo/bar"), "bar");		EXPECT_EQ(Basename("foo/bar"), "bar");
EXPECT_EQ(Basename("bar"), "bar");		EXPECT_EQ(Basename("bar"), "bar");
EXPECT_EQ(Basename("/bar"), "bar");		EXPECT_EQ(Basename("/bar"), "bar");
▲ Show 20 Lines • Show All 47 Lines • ▼ Show 20 Lines	Unit Expected[] = {
{ 0, 5, 1, 2, 6, 7 },		{ 0, 5, 1, 2, 6, 7 },
{ 0, 5, 1, 6, 2, 7 },		{ 0, 5, 1, 6, 2, 7 },
{ 0, 5, 1, 6, 7, 2 },		{ 0, 5, 1, 6, 7, 2 },
{ 0, 5, 6, 1, 2, 7 },		{ 0, 5, 6, 1, 2, 7 },
{ 0, 5, 6, 1, 7, 2 },		{ 0, 5, 6, 1, 7, 2 },
{ 0, 5, 6, 7, 1, 2 }		{ 0, 5, 6, 7, 1, 2 }
};		};
for (size_t Len = 1; Len < 8; Len++) {		for (size_t Len = 1; Len < 8; Len++) {
Set<Unit> FoundUnits, ExpectedUnitsWitThisLength;		std::set<Unit> FoundUnits, ExpectedUnitsWitThisLength;
for (int Iter = 0; Iter < 3000; Iter++) {		for (int Iter = 0; Iter < 3000; Iter++) {
C.resize(Len);		C.resize(Len);
size_t NewSize = MD->CrossOver(A.data(), A.size(), B.data(), B.size(),		size_t NewSize = MD->CrossOver(A.data(), A.size(), B.data(), B.size(),
C.data(), C.size());		C.data(), C.size());
C.resize(NewSize);		C.resize(NewSize);
FoundUnits.insert(C);		FoundUnits.insert(C);
}		}
for (const Unit &U : Expected)		for (const Unit &U : Expected)
▲ Show 20 Lines • Show All 137 Lines • ▼ Show 20 Lines	for (int i = 0; i < NumIter; i++) {
if (NewSize == 8 && !memcmp(INS8, T, 8)) FoundMask \|= 1 << 8;		if (NewSize == 8 && !memcmp(INS8, T, 8)) FoundMask \|= 1 << 8;
if (NewSize == 8 && !memcmp(INS9, T, 8)) FoundMask \|= 1 << 9;		if (NewSize == 8 && !memcmp(INS9, T, 8)) FoundMask \|= 1 << 9;

}		}
EXPECT_EQ(FoundMask, (1 << 10) - 1);		EXPECT_EQ(FoundMask, (1 << 10) - 1);
}		}

TEST(FuzzerMutate, InsertRepeatedBytes1) {		TEST(FuzzerMutate, InsertRepeatedBytes1) {
TestInsertRepeatedBytes(&MutationDispatcher::Mutate_InsertRepeatedBytes, 10000);		TestInsertRepeatedBytes(&MutationDispatcher::Mutate_InsertRepeatedBytes,
		10000);
}		}
TEST(FuzzerMutate, InsertRepeatedBytes2) {		TEST(FuzzerMutate, InsertRepeatedBytes2) {
TestInsertRepeatedBytes(&MutationDispatcher::Mutate, 300000);		TestInsertRepeatedBytes(&MutationDispatcher::Mutate, 300000);
}		}

void TestChangeByte(Mutator M, int NumIter) {		void TestChangeByte(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());		std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();		fuzzer::EF = t.get();
▲ Show 20 Lines • Show All 298 Lines • ▼ Show 20 Lines	TEST(FuzzerDictionary, ParseOneDictionaryEntry) {
EXPECT_EQ(U, Unit({0xAB, 'z', 0xDE}));		EXPECT_EQ(U, Unit({0xAB, 'z', 0xDE}));
EXPECT_TRUE(ParseOneDictionaryEntry("\"#\"", &U));		EXPECT_TRUE(ParseOneDictionaryEntry("\"#\"", &U));
EXPECT_EQ(U, Unit({'#'}));		EXPECT_EQ(U, Unit({'#'}));
EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\"\"", &U));		EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\"\"", &U));
EXPECT_EQ(U, Unit({'"'}));		EXPECT_EQ(U, Unit({'"'}));
}		}

TEST(FuzzerDictionary, ParseDictionaryFile) {		TEST(FuzzerDictionary, ParseDictionaryFile) {
Vector<Unit> Units;		std::vector<Unit> Units;
EXPECT_FALSE(ParseDictionaryFile("zzz\n", &Units));		EXPECT_FALSE(ParseDictionaryFile("zzz\n", &Units));
EXPECT_FALSE(ParseDictionaryFile("", &Units));		EXPECT_FALSE(ParseDictionaryFile("", &Units));
EXPECT_TRUE(ParseDictionaryFile("\n", &Units));		EXPECT_TRUE(ParseDictionaryFile("\n", &Units));
EXPECT_EQ(Units.size(), 0U);		EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile("#zzzz a b c d\n", &Units));		EXPECT_TRUE(ParseDictionaryFile("#zzzz a b c d\n", &Units));
EXPECT_EQ(Units.size(), 0U);		EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units));		EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units));
EXPECT_EQ(Units.size(), 0U);		EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units));		EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units));
EXPECT_EQ(Units.size(), 0U);		EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile(" #zzzz\naaa=\"aa\"", &Units));		EXPECT_TRUE(ParseDictionaryFile(" #zzzz\naaa=\"aa\"", &Units));
EXPECT_EQ(Units, Vector<Unit>({Unit({'a', 'a'})}));		EXPECT_EQ(Units, std::vector<Unit>({Unit({'a', 'a'})}));
EXPECT_TRUE(		EXPECT_TRUE(
ParseDictionaryFile(" #zzzz\naaa=\"aa\"\n\nabc=\"abc\"", &Units));		ParseDictionaryFile(" #zzzz\naaa=\"aa\"\n\nabc=\"abc\"", &Units));
EXPECT_EQ(Units,		EXPECT_EQ(Units,
Vector<Unit>({Unit({'a', 'a'}), Unit({'a', 'b', 'c'})}));		std::vector<Unit>({Unit({'a', 'a'}), Unit({'a', 'b', 'c'})}));
}		}

TEST(FuzzerUtil, Base64) {		TEST(FuzzerUtil, Base64) {
EXPECT_EQ("", Base64({}));		EXPECT_EQ("", Base64({}));
EXPECT_EQ("YQ==", Base64({'a'}));		EXPECT_EQ("YQ==", Base64({'a'}));
EXPECT_EQ("eA==", Base64({'x'}));		EXPECT_EQ("eA==", Base64({'x'}));
EXPECT_EQ("YWI=", Base64({'a', 'b'}));		EXPECT_EQ("YWI=", Base64({'a', 'b'}));
EXPECT_EQ("eHk=", Base64({'x', 'y'}));		EXPECT_EQ("eHk=", Base64({'x', 'y'}));
Show All 14 Lines	TEST(Corpus, Distribution) {
for (size_t i = 0; i < N; i++)		for (size_t i = 0; i < N; i++)
C->AddToCorpus(Unit{static_cast<uint8_t>(i)}, /NumFeatures/ 1,		C->AddToCorpus(Unit{static_cast<uint8_t>(i)}, /NumFeatures/ 1,
/MayDeleteFile/ false, /HasFocusFunction/ false,		/MayDeleteFile/ false, /HasFocusFunction/ false,
/ForceAddToCorpus/ false,		/ForceAddToCorpus/ false,
/TimeOfUnit/ std::chrono::microseconds(0),		/TimeOfUnit/ std::chrono::microseconds(0),
/FeatureSet/ {}, DFT,		/FeatureSet/ {}, DFT,
/BaseII/ nullptr);		/BaseII/ nullptr);

Vector<size_t> Hist(N);		std::vector<size_t> Hist(N);
for (size_t i = 0; i < N * TriesPerUnit; i++) {		for (size_t i = 0; i < N * TriesPerUnit; i++) {
Hist[C->ChooseUnitIdxToMutate(Rand)]++;		Hist[C->ChooseUnitIdxToMutate(Rand)]++;
}		}
for (size_t i = 0; i < N; i++) {		for (size_t i = 0; i < N; i++) {
// A weak sanity check that every unit gets invoked.		// A weak sanity check that every unit gets invoked.
EXPECT_GT(Hist[i], TriesPerUnit / N / 3);		EXPECT_GT(Hist[i], TriesPerUnit / N / 3);
}		}
}		}

template <typename T> void EQ(const Vector<T> &A, const Vector<T> &B) {		template <typename T>
		void EQ(const std::vector<T> &A, const std::vector<T> &B) {
EXPECT_EQ(A, B);		EXPECT_EQ(A, B);
}		}

template <typename T> void EQ(const Set<T> &A, const Vector<T> &B) {		template <typename T> void EQ(const std::set<T> &A, const std::vector<T> &B) {
EXPECT_EQ(A, Set<T>(B.begin(), B.end()));		EXPECT_EQ(A, std::set<T>(B.begin(), B.end()));
}		}

void EQ(const Vector<MergeFileInfo> &A, const Vector<std::string> &B) {		void EQ(const std::vector<MergeFileInfo> &A,
Set<std::string> a;		const std::vector<std::string> &B) {
		std::set<std::string> a;
for (const auto &File : A)		for (const auto &File : A)
a.insert(File.Name);		a.insert(File.Name);
Set<std::string> b(B.begin(), B.end());		std::set<std::string> b(B.begin(), B.end());
EXPECT_EQ(a, b);		EXPECT_EQ(a, b);
}		}

#define TRACED_EQ(A, ...) \		#define TRACED_EQ(A, ...) \
{ \		{ \
SCOPED_TRACE(#A); \		SCOPED_TRACE(#A); \
EQ(A, __VA_ARGS__); \		EQ(A, __VA_ARGS__); \
}		}
▲ Show 20 Lines • Show All 103 Lines • ▼ Show 20 Lines	TEST(Merger, Parse) {
TRACED_EQ(M.Files[1].Features, {4, 5, 6});		TRACED_EQ(M.Files[1].Features, {4, 5, 6});
TRACED_EQ(M.Files[1].Cov, {7, 8, 9});		TRACED_EQ(M.Files[1].Cov, {7, 8, 9});
TRACED_EQ(M.Files[2].Features, {1, 3, 6});		TRACED_EQ(M.Files[2].Features, {1, 3, 6});
TRACED_EQ(M.Files[2].Cov, {16});		TRACED_EQ(M.Files[2].Cov, {16});
}		}

TEST(Merger, Merge) {		TEST(Merger, Merge) {
Merger M;		Merger M;
Set<uint32_t> Features, NewFeatures;		std::set<uint32_t> Features, NewFeatures;
Set<uint32_t> Cov, NewCov;		std::set<uint32_t> Cov, NewCov;
Vector<std::string> NewFiles;		std::vector<std::string> NewFiles;

// Adds new files and features		// Adds new files and features
EXPECT_TRUE(M.Parse("3\n0\nA\nB\nC\n"		EXPECT_TRUE(M.Parse("3\n0\nA\nB\nC\n"
"STARTED 0 1000\n"		"STARTED 0 1000\n"
"FT 0 1 2 3\n"		"FT 0 1 2 3\n"
"STARTED 1 1001\n"		"STARTED 1 1001\n"
"FT 1 4 5 6 \n"		"FT 1 4 5 6 \n"
"STARTED 2 1002\n"		"STARTED 2 1002\n"
▲ Show 20 Lines • Show All 203 Lines • ▼ Show 20 Lines	alignas(64) uint8_t Ar[N + 8] = {
0, 0, 3, 0, 4, 0, 0, 0,		0, 0, 3, 0, 4, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0,		0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 5, 0, 6, 0, 0,		0, 0, 0, 5, 0, 6, 0, 0,
0, 0, 0, 0, 0, 0, 7, 0,		0, 0, 0, 0, 0, 0, 7, 0,
0, 0, 0, 0, 0, 0, 0, 0,		0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 8,		0, 0, 0, 0, 0, 0, 0, 8,
9, 9, 9, 9, 9, 9, 9, 9,		9, 9, 9, 9, 9, 9, 9, 9,
};		};
typedef Vector<std::pair<size_t, uint8_t> > Vec;		typedef std::vector<std::pair<size_t, uint8_t>> Vec;
Vec Res, Expected;		Vec Res, Expected;
auto CB = [&](size_t FirstFeature, size_t Idx, uint8_t V) {		auto CB = [&](size_t FirstFeature, size_t Idx, uint8_t V) {
Res.push_back({FirstFeature + Idx, V});		Res.push_back({FirstFeature + Idx, V});
};		};
ForEachNonZeroByte(Ar, Ar + N, 100, CB);		ForEachNonZeroByte(Ar, Ar + N, 100, CB);
Expected = {{108, 1}, {109, 2}, {118, 3}, {120, 4},		Expected = {{108, 1}, {109, 2}, {118, 3}, {120, 4},
{135, 5}, {137, 6}, {146, 7}, {163, 8}};		{135, 5}, {137, 6}, {146, 7}, {163, 8}};
EXPECT_EQ(Res, Expected);		EXPECT_EQ(Res, Expected);

Res.clear();		Res.clear();
ForEachNonZeroByte(Ar + 9, Ar + N, 109, CB);		ForEachNonZeroByte(Ar + 9, Ar + N, 109, CB);
Expected = { {109, 2}, {118, 3}, {120, 4},		Expected = { {109, 2}, {118, 3}, {120, 4},
{135, 5}, {137, 6}, {146, 7}, {163, 8}};		{135, 5}, {137, 6}, {146, 7}, {163, 8}};
EXPECT_EQ(Res, Expected);		EXPECT_EQ(Res, Expected);

Res.clear();		Res.clear();
ForEachNonZeroByte(Ar + 9, Ar + N - 9, 109, CB);		ForEachNonZeroByte(Ar + 9, Ar + N - 9, 109, CB);
Expected = { {109, 2}, {118, 3}, {120, 4},		Expected = { {109, 2}, {118, 3}, {120, 4},
{135, 5}, {137, 6}, {146, 7}};		{135, 5}, {137, 6}, {146, 7}};
EXPECT_EQ(Res, Expected);		EXPECT_EQ(Res, Expected);
}		}

// FuzzerCommand unit tests. The arguments in the two helper methods below must		// FuzzerCommand unit tests. The arguments in the two helper methods below must
// match.		// match.
static void makeCommandArgs(Vector<std::string> *ArgsToAdd) {		static void makeCommandArgs(std::vector<std::string> *ArgsToAdd) {
assert(ArgsToAdd);		assert(ArgsToAdd);
ArgsToAdd->clear();		ArgsToAdd->clear();
ArgsToAdd->push_back("foo");		ArgsToAdd->push_back("foo");
ArgsToAdd->push_back("-bar=baz");		ArgsToAdd->push_back("-bar=baz");
ArgsToAdd->push_back("qux");		ArgsToAdd->push_back("qux");
ArgsToAdd->push_back(Command::ignoreRemainingArgs());		ArgsToAdd->push_back(Command::ignoreRemainingArgs());
ArgsToAdd->push_back("quux");		ArgsToAdd->push_back("quux");
ArgsToAdd->push_back("-grault=garply");		ArgsToAdd->push_back("-grault=garply");
Show All 19 Lines	TEST(FuzzerCommand, Create) {

// Default constructor		// Default constructor
Command DefaultCmd;		Command DefaultCmd;

CmdLine = DefaultCmd.toString();		CmdLine = DefaultCmd.toString();
EXPECT_EQ(CmdLine, "");		EXPECT_EQ(CmdLine, "");

// Explicit constructor		// Explicit constructor
Vector<std::string> ArgsToAdd;		std::vector<std::string> ArgsToAdd;
makeCommandArgs(&ArgsToAdd);		makeCommandArgs(&ArgsToAdd);
Command InitializedCmd(ArgsToAdd);		Command InitializedCmd(ArgsToAdd);

CmdLine = InitializedCmd.toString();		CmdLine = InitializedCmd.toString();
EXPECT_EQ(CmdLine, makeCmdLine("", ""));		EXPECT_EQ(CmdLine, makeCmdLine("", ""));

// Compare each argument		// Compare each argument
auto InitializedArgs = InitializedCmd.getArguments();		auto InitializedArgs = InitializedCmd.getArguments();
Show All 15 Lines	TEST(FuzzerCommand, Create) {
Command AssignedCmd;		Command AssignedCmd;
AssignedCmd = CopiedCmd;		AssignedCmd = CopiedCmd;

CmdLine = AssignedCmd.toString();		CmdLine = AssignedCmd.toString();
EXPECT_EQ(CmdLine, makeCmdLine("", ""));		EXPECT_EQ(CmdLine, makeCmdLine("", ""));
}		}

TEST(FuzzerCommand, ModifyArguments) {		TEST(FuzzerCommand, ModifyArguments) {
Vector<std::string> ArgsToAdd;		std::vector<std::string> ArgsToAdd;
makeCommandArgs(&ArgsToAdd);		makeCommandArgs(&ArgsToAdd);
Command Cmd;		Command Cmd;
std::string CmdLine;		std::string CmdLine;

Cmd.addArguments(ArgsToAdd);		Cmd.addArguments(ArgsToAdd);
CmdLine = Cmd.toString();		CmdLine = Cmd.toString();
EXPECT_EQ(CmdLine, makeCmdLine("", ""));		EXPECT_EQ(CmdLine, makeCmdLine("", ""));

Cmd.addArgument("waldo");		Cmd.addArgument("waldo");
EXPECT_TRUE(Cmd.hasArgument("waldo"));		EXPECT_TRUE(Cmd.hasArgument("waldo"));

CmdLine = Cmd.toString();		CmdLine = Cmd.toString();
EXPECT_EQ(CmdLine, makeCmdLine("waldo", ""));		EXPECT_EQ(CmdLine, makeCmdLine("waldo", ""));

Cmd.removeArgument("waldo");		Cmd.removeArgument("waldo");
EXPECT_FALSE(Cmd.hasArgument("waldo"));		EXPECT_FALSE(Cmd.hasArgument("waldo"));

CmdLine = Cmd.toString();		CmdLine = Cmd.toString();
EXPECT_EQ(CmdLine, makeCmdLine("", ""));		EXPECT_EQ(CmdLine, makeCmdLine("", ""));
}		}

TEST(FuzzerCommand, ModifyFlags) {		TEST(FuzzerCommand, ModifyFlags) {
Vector<std::string> ArgsToAdd;		std::vector<std::string> ArgsToAdd;
makeCommandArgs(&ArgsToAdd);		makeCommandArgs(&ArgsToAdd);
Command Cmd(ArgsToAdd);		Command Cmd(ArgsToAdd);
std::string Value, CmdLine;		std::string Value, CmdLine;
ASSERT_FALSE(Cmd.hasFlag("fred"));		ASSERT_FALSE(Cmd.hasFlag("fred"));

Value = Cmd.getFlagValue("fred");		Value = Cmd.getFlagValue("fred");
EXPECT_EQ(Value, "");		EXPECT_EQ(Value, "");

Show All 15 Lines	TEST(FuzzerCommand, ModifyFlags) {
Value = Cmd.getFlagValue("fred");		Value = Cmd.getFlagValue("fred");
EXPECT_EQ(Value, "");		EXPECT_EQ(Value, "");

CmdLine = Cmd.toString();		CmdLine = Cmd.toString();
EXPECT_EQ(CmdLine, makeCmdLine("", ""));		EXPECT_EQ(CmdLine, makeCmdLine("", ""));
}		}

TEST(FuzzerCommand, SetOutput) {		TEST(FuzzerCommand, SetOutput) {
Vector<std::string> ArgsToAdd;		std::vector<std::string> ArgsToAdd;
makeCommandArgs(&ArgsToAdd);		makeCommandArgs(&ArgsToAdd);
Command Cmd(ArgsToAdd);		Command Cmd(ArgsToAdd);
std::string CmdLine;		std::string CmdLine;
ASSERT_FALSE(Cmd.hasOutputFile());		ASSERT_FALSE(Cmd.hasOutputFile());
ASSERT_FALSE(Cmd.isOutAndErrCombined());		ASSERT_FALSE(Cmd.isOutAndErrCombined());

Cmd.combineOutAndErr(true);		Cmd.combineOutAndErr(true);
EXPECT_TRUE(Cmd.isOutAndErrCombined());		EXPECT_TRUE(Cmd.isOutAndErrCombined());
▲ Show 20 Lines • Show All 63 Lines • ▼ Show 20 Lines	double SubAndSquare(double X, double Y) {
return R;		return R;
}		}

TEST(Entropic, ComputeEnergy) {		TEST(Entropic, ComputeEnergy) {
const double Precision = 0.01;		const double Precision = 0.01;
struct EntropicOptions Entropic = {true, 0xFF, 100, false};		struct EntropicOptions Entropic = {true, 0xFF, 100, false};
std::unique_ptr<InputCorpus> C(new InputCorpus("", Entropic));		std::unique_ptr<InputCorpus> C(new InputCorpus("", Entropic));
std::unique_ptr<InputInfo> II(new InputInfo());		std::unique_ptr<InputInfo> II(new InputInfo());
Vector<std::pair<uint32_t, uint16_t>> FeatureFreqs = {{1, 3}, {2, 3}, {3, 3}};		std::vector<std::pair<uint32_t, uint16_t>> FeatureFreqs = {
		{1, 3}, {2, 3}, {3, 3}};
II->FeatureFreqs = FeatureFreqs;		II->FeatureFreqs = FeatureFreqs;
II->NumExecutedMutations = 0;		II->NumExecutedMutations = 0;
II->UpdateEnergy(4, false, std::chrono::microseconds(0));		II->UpdateEnergy(4, false, std::chrono::microseconds(0));
EXPECT_LT(SubAndSquare(II->Energy, 1.450805), Precision);		EXPECT_LT(SubAndSquare(II->Energy, 1.450805), Precision);

II->NumExecutedMutations = 9;		II->NumExecutedMutations = 9;
II->UpdateEnergy(5, false, std::chrono::microseconds(0));		II->UpdateEnergy(5, false, std::chrono::microseconds(0));
EXPECT_LT(SubAndSquare(II->Energy, 1.525496), Precision);		EXPECT_LT(SubAndSquare(II->Energy, 1.525496), Precision);
Show All 12 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[libFuzzer] replace Vector/Set with std::vector/std::set. The custom names are not required any more since we now build with a private version of libc++. Fix some of the 81+ character lines. Mechanical change, NFC expected.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 363817

compiler-rt/lib/fuzzer/FuzzerBuiltinsMsvc.h

compiler-rt/lib/fuzzer/FuzzerCommand.h

compiler-rt/lib/fuzzer/FuzzerCorpus.h

compiler-rt/lib/fuzzer/FuzzerDataFlowTrace.h

compiler-rt/lib/fuzzer/FuzzerDataFlowTrace.cpp

compiler-rt/lib/fuzzer/FuzzerDefs.h

compiler-rt/lib/fuzzer/FuzzerDictionary.h

compiler-rt/lib/fuzzer/FuzzerDriver.cpp

compiler-rt/lib/fuzzer/FuzzerFork.h

compiler-rt/lib/fuzzer/FuzzerFork.cpp

compiler-rt/lib/fuzzer/FuzzerIO.h

compiler-rt/lib/fuzzer/FuzzerIO.cpp

compiler-rt/lib/fuzzer/FuzzerIOPosix.cpp

compiler-rt/lib/fuzzer/FuzzerIOWindows.cpp

compiler-rt/lib/fuzzer/FuzzerInternal.h

compiler-rt/lib/fuzzer/FuzzerLoop.cpp

compiler-rt/lib/fuzzer/FuzzerMerge.h

compiler-rt/lib/fuzzer/FuzzerMerge.cpp

compiler-rt/lib/fuzzer/FuzzerMutate.h

compiler-rt/lib/fuzzer/FuzzerMutate.cpp

compiler-rt/lib/fuzzer/FuzzerTracePC.h

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp

compiler-rt/lib/fuzzer/FuzzerUtil.h

compiler-rt/lib/fuzzer/FuzzerUtil.cpp

compiler-rt/lib/fuzzer/FuzzerUtilWindows.cpp

compiler-rt/lib/fuzzer/tests/FuzzerUnittest.cpp

[libFuzzer] replace Vector/Set with std::vector/std::set. The custom names are not required any more since we now build with a private version of libc++. Fix some of the 81+ character lines. Mechanical change, NFC expected.
ClosedPublic