This is an archive of the discontinued LLVM Phabricator instance.

[libfuzzer] adapter-based custom mutators
Needs ReviewPublic

Authored by aizatsky on Mar 7 2016, 3:49 PM.

Download Raw Diff

Details

Reviewers

kcc
eugenis

Summary

Adapter based mutator plugins into libfuzzer custom mutator support.
It performs mutation on individual function arguments rather than on
full data set.

I've benchmarked the mutator on a simple fuzzer that invokes icu
toupper. It has two string arguments: language & string itself.
The fuzzer was benchmarked with 1,000,000 runs on empty corpus 10 times
each.

Adapter mutator avg units: 584.7 (stddev 29.2)
Standard mutator avg units: 532.8 (stddev 47.3)

Diff Detail

Event Timeline

aizatsky updated this revision to Diff 50004.Mar 7 2016, 3:49 PM

aizatsky retitled this revision from to [wip][libfuzzer] adapter-based custom mutators.

aizatsky updated this object.

cleanup

aizatsky retitled this revision from [wip][libfuzzer] adapter-based custom mutators to [libfuzzer] adapter-based custom mutators.Mar 9 2016, 11:31 AM

aizatsky updated this object.

aizatsky added reviewers: kcc, eugenis.

aizatsky added a subscriber: llvm-commits.

format

fixing broken clang format.

Revision Contents

Path

Size

lib/

Fuzzer/

FuzzerFnAdapter.h

199 lines

test/

CMakeLists.txt

1 line

SimpleFnAdapterMutatorTest.cpp

24 lines

fuzzer-fn-adapter-mutator.test

4 lines

Diff 50170

lib/Fuzzer/FuzzerFnAdapter.h

Show All 9 Lines
// W A R N I N G : E X P E R I M E N T A L.		// W A R N I N G : E X P E R I M E N T A L.
//		//
// Defines an adapter to fuzz functions with (almost) arbitrary signatures.		// Defines an adapter to fuzz functions with (almost) arbitrary signatures.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#ifndef LLVM_FUZZER_ADAPTER_H		#ifndef LLVM_FUZZER_ADAPTER_H
#define LLVM_FUZZER_ADAPTER_H		#define LLVM_FUZZER_ADAPTER_H

		#include <assert.h>
#include <stddef.h>		#include <stddef.h>
#include <stdint.h>		#include <stdint.h>
		#include <string.h>

#include <algorithm>		#include <algorithm>
		#include <random>
#include <tuple>		#include <tuple>
#include <vector>		#include <vector>

		#include "FuzzerInterface.h"

namespace fuzzer {		namespace fuzzer {

/// Unpacks bytes from \p Data according to \p F argument types		/// Unpacks bytes from \p Data according to \p F argument types
/// and calls the function.		/// and calls the function.
/// Use to automatically adapt LLVMFuzzerTestOneInput interface to		/// Use to automatically adapt LLVMFuzzerTestOneInput interface to
/// a specific function.		/// a specific function.
/// Supported argument types: primitive types, std::vector<uint8_t>.		/// Supported argument types: primitive types, std::vector<uint8_t>.
template <typename Fn> bool Adapt(Fn F, const uint8_t *Data, size_t Size);		template <typename Fn> bool Adapt(Fn F, const uint8_t *Data, size_t Size);

		/// Mutates given \p Data acoording to \p F argument types.
		template <typename Fn>
		size_t AdaptMutate(Fn F, uint8_t *Data, size_t Size, size_t MaxSize,
		unsigned int Seed);

// The implementation performs several steps:		// The implementation performs several steps:
// - function argument types are obtained (Args...)		// - function argument types are obtained (Args...)
// - data is unpacked into std::tuple<Args...> one by one		// - data is unpacked into std::tuple<Args...> one by one
// - function is called with std::tuple<Args...> containing arguments.		// - function is called with std::tuple<Args...> containing arguments.
namespace impl {		namespace impl {

// Single argument unpacking.		// Single argument packing/unpacking.

template <typename T>		template <typename T>
size_t UnpackPrimitive(const uint8_t Data, size_t Size, T Value) {		size_t UnpackPrimitive(const uint8_t Data, size_t Size, T Value) {
if (Size < sizeof(T))		if (Size < sizeof(T))
return Size;		return Size;
Value = reinterpret_cast<const T *>(Data);		Value = reinterpret_cast<const T *>(Data);
return Size - sizeof(T);		return Size - sizeof(T);
}		}

		template <typename T>
		size_t PackPrimitive(const T &Value, uint8_t *Data, size_t Size) {
		if (Size < sizeof(T))
		return Size;
		reinterpret_cast<T >(Data) = Value;
		return Size - sizeof(T);
		}

/// Unpacks into a given Value and returns the Size - num_consumed_bytes.		/// Unpacks into a given Value and returns the Size - num_consumed_bytes.
/// Return value equal to Size signals inability to unpack the data (typically		/// Return value equal to Size signals inability to unpack the data (typically
/// because there are not enough bytes).		/// because there are not enough bytes).
template <typename T>		template <typename T>
size_t UnpackSingle(const uint8_t Data, size_t Size, T Value);		size_t UnpackSingle(const uint8_t Data, size_t Size, T Value);

#define UNPACK_SINGLE_PRIMITIVE(Type) \		/// Packs the \p Value into \p Data and return Size - num_written_size;
		template <typename T>
		size_t PackSingle(const T &Value, uint8_t *Data, size_t Size);

		// Mutates single primitive value.
		template <typename T> size_t MutatePrimitive(T *Value) {
		Mutate(reinterpret_cast<uint8_t *>(Value), sizeof(T), sizeof(T));
		return sizeof(T);
		}

		// Mutates single value.
		template <typename T> size_t MutateSingle(T *Value, size_t MaxSize);

		#define ADAPT_PRIMITIVE_TYPE(Type) \
template <> \		template <> \
size_t UnpackSingle<Type>(const uint8_t Data, size_t Size, Type Value) { \		size_t UnpackSingle<Type>(const uint8_t Data, size_t Size, Type Value) { \
return UnpackPrimitive(Data, Size, Value); \		return UnpackPrimitive(Data, Size, Value); \
		} \
		template <> \
		size_t PackSingle<Type>(const Type &Value, uint8_t *Data, size_t Size) { \
		return PackPrimitive(Value, Data, Size); \
		} \
		template <> size_t MutateSingle<Type>(Type * Value, size_t MaxSize) { \
		return MutatePrimitive(Value); \
}		}

UNPACK_SINGLE_PRIMITIVE(char)		ADAPT_PRIMITIVE_TYPE(char)
UNPACK_SINGLE_PRIMITIVE(signed char)		ADAPT_PRIMITIVE_TYPE(signed char)
UNPACK_SINGLE_PRIMITIVE(unsigned char)		ADAPT_PRIMITIVE_TYPE(unsigned char)

UNPACK_SINGLE_PRIMITIVE(short int)		ADAPT_PRIMITIVE_TYPE(short int)
UNPACK_SINGLE_PRIMITIVE(unsigned short int)		ADAPT_PRIMITIVE_TYPE(unsigned short int)

UNPACK_SINGLE_PRIMITIVE(int)		ADAPT_PRIMITIVE_TYPE(int)
UNPACK_SINGLE_PRIMITIVE(unsigned int)		ADAPT_PRIMITIVE_TYPE(unsigned int)

UNPACK_SINGLE_PRIMITIVE(long int)		ADAPT_PRIMITIVE_TYPE(long int)
UNPACK_SINGLE_PRIMITIVE(unsigned long int)		ADAPT_PRIMITIVE_TYPE(unsigned long int)

UNPACK_SINGLE_PRIMITIVE(bool)		ADAPT_PRIMITIVE_TYPE(bool)
UNPACK_SINGLE_PRIMITIVE(wchar_t)		ADAPT_PRIMITIVE_TYPE(wchar_t)

UNPACK_SINGLE_PRIMITIVE(float)		ADAPT_PRIMITIVE_TYPE(float)
UNPACK_SINGLE_PRIMITIVE(double)		ADAPT_PRIMITIVE_TYPE(double)
UNPACK_SINGLE_PRIMITIVE(long double)		ADAPT_PRIMITIVE_TYPE(long double)

#undef UNPACK_SINGLE_PRIMITIVE		#undef ADAPT_PRIMITIVE_TYPE

		// std::vector specializations.

template <>		template <>
size_t UnpackSingle<std::vector<uint8_t>>(const uint8_t *Data, size_t Size,		size_t UnpackSingle<std::vector<uint8_t>>(const uint8_t *Data, size_t Size,
std::vector<uint8_t> *Value) {		std::vector<uint8_t> *Value) {
if (Size < 1)		if (Size < 1)
return Size;		return Size;
size_t Len = std::min(static_cast<size_t>(*Data), Size - 1);		size_t Len = std::min(static_cast<size_t>(*Data), Size - 1);
std::vector<uint8_t> V(Data + 1, Data + 1 + Len);		std::vector<uint8_t> V(Data + 1, Data + 1 + Len);
Value->swap(V);		Value->swap(V);
return Size - Len - 1;		return Size - Len - 1;
}		}

template <>		template <>
		size_t PackSingle<std::vector<uint8_t>>(const std::vector<uint8_t> &Value,
		uint8_t *Data, size_t Size) {
		size_t Len = Value.size();
		if (Size < 1 + Len)
		return Size;
		assert(Len < 256);
		*Data = static_cast<uint8_t>(Len);
		memcpy(Data + 1, Value.data(), Len);
		return Size - Len - 1;
		}

		template <>
		size_t MutateSingle<std::vector<uint8_t>>(std::vector<uint8_t> *Value,
		size_t MaxSize) {
		size_t Len = Value->size();
		Value->resize(MaxSize);
		size_t NewLen =
		Mutate(reinterpret_cast<uint8_t >(&((Value)[0u])), Len, MaxSize);
		Value->resize(NewLen);
		return NewLen;
		}

		// std::string specializations.

		template <>
size_t UnpackSingle<std::string>(const uint8_t *Data, size_t Size,		size_t UnpackSingle<std::string>(const uint8_t *Data, size_t Size,
std::string *Value) {		std::string *Value) {
if (Size < 1)		if (Size < 1)
return Size;		return Size;
size_t Len = std::min(static_cast<size_t>(*Data), Size - 1);		size_t Len = std::min(static_cast<size_t>(*Data), Size - 1);
std::string S(Data + 1, Data + 1 + Len);		std::string S(Data + 1, Data + 1 + Len);
Value->swap(S);		Value->swap(S);
return Size - Len - 1;		return Size - Len - 1;
}		}

		template <>
		size_t PackSingle<std::string>(const std::string &Value, uint8_t *Data,
		size_t Size) {
		size_t Len = Value.size();
		if (Size < 1 + Len)
		return Size;
		assert(Len < 256);
		*Data = static_cast<uint8_t>(Len);
		memcpy(Data + 1, Value.c_str(), Len);
		return Size - Len - 1;
		}

		template <>
		size_t MutateSingle<std::string>(std::string *Value, size_t MaxSize) {
		size_t Len = Value->size();
		Value->resize(MaxSize);
		size_t NewLen =
		Mutate(reinterpret_cast<uint8_t >(&((Value)[0u])), Len, MaxSize);
		Value->resize(NewLen);
		return NewLen;
		}

// Unpacking into arbitrary tuple.		// Unpacking into arbitrary tuple.

// Recursion guard.		// Recursion guard.
template <int N, typename TupleT>		template <int N, typename TupleT>
typename std::enable_if<N == std::tuple_size<TupleT>::value, bool>::type		typename std::enable_if<N == std::tuple_size<TupleT>::value, bool>::type
UnpackImpl(const uint8_t Data, size_t Size, TupleT Tuple) {		UnpackImpl(const uint8_t Data, size_t Size, TupleT Tuple) {
return true;		return true;
}		}
Show All 11 Lines
}		}

// Unpacks into arbitrary tuple and returns true if successful.		// Unpacks into arbitrary tuple and returns true if successful.
template <typename... Args>		template <typename... Args>
bool Unpack(const uint8_t Data, size_t Size, std::tuple<Args...> Tuple) {		bool Unpack(const uint8_t Data, size_t Size, std::tuple<Args...> Tuple) {
return UnpackImpl<0, std::tuple<Args...>>(Data, Size, Tuple);		return UnpackImpl<0, std::tuple<Args...>>(Data, Size, Tuple);
}		}

		// Pack aribtrary tuple into bytes.

		// recursion guard.
		template <int N, typename TupleT>
		typename std::enable_if<N == std::tuple_size<TupleT>::value, size_t>::type
		PackImpl(const TupleT &Tuple, uint8_t *Data, size_t Size) {
		return Size;
		}

		// Unpack tuple elements starting from Nth.
		template <int N, typename TupleT>
		typename std::enable_if<N < std::tuple_size<TupleT>::value, size_t>::type
		PackImpl(const TupleT &Tuple, uint8_t *Data, size_t Size) {
		size_t NewSize = PackSingle(std::get<N>(Tuple), Data, Size);
		if (NewSize == Size) {
		return Size;
		}

		return (Size - NewSize) +
		PackImpl<N + 1, TupleT>(Tuple, Data + (Size - NewSize), NewSize);
		}

		template <typename... Args>
		size_t Pack(const std::tuple<Args...> &Tuple, uint8_t *Data, size_t Size) {
		return PackImpl<0, std::tuple<Args...>>(Tuple, Data, Size);
		}

// Helper integer sequence templates.		// Helper integer sequence templates.

template <int...> struct Seq {};		template <int...> struct Seq {};

template <int N, int... S> struct GenSeq : GenSeq<N - 1, N - 1, S...> {};		template <int N, int... S> struct GenSeq : GenSeq<N - 1, N - 1, S...> {};

// GenSeq<N>::type is Seq<0, 1, ..., N-1>		// GenSeq<N>::type is Seq<0, 1, ..., N-1>
template <int... S> struct GenSeq<0, S...> { typedef Seq<S...> type; };		template <int... S> struct GenSeq<0, S...> { typedef Seq<S...> type; };
Show All 29 Lines	bool UnpackAndApply(Fn F, const uint8_t *Data, size_t Size) {
typename FnTraits<Fn>::ArgsTupleT Tuple;		typename FnTraits<Fn>::ArgsTupleT Tuple;
if (!Unpack(Data, Size, &Tuple))		if (!Unpack(Data, Size, &Tuple))
return false;		return false;

Apply(F, Tuple);		Apply(F, Tuple);
return true;		return true;
}		}

		using MutatorFn = std::function<size_t(size_t)>;

		// Build MutatorFns for each member of a tuple.

		// Recursion guard.
		template <int N, typename... Args>
		typename std::enable_if<N == sizeof...(Args), void>::type
		BuildMutators(std::vector<MutatorFn> Mutators, std::tuple<Args...> Tuple) {}

		template <int N, typename... Args>
		typename std::enable_if<N < sizeof...(Args), void>::type
		BuildMutators(std::vector<MutatorFn> Mutators, std::tuple<Args...> Tuple) {
		auto ValuePtr = &std::get<N>(*Tuple);
		Mutators->push_back(
		[ValuePtr](size_t MaxSize) { return MutateSingle(ValuePtr, MaxSize); });
		BuildMutators<N + 1, Args...>(Mutators, Tuple);
		}

		template <typename... Args>
		void Mutate(std::tuple<Args...> *Tuple, size_t MaxSize, unsigned int Seed) {
		std::mt19937 Random(Seed);

		std::vector<MutatorFn> Mutators;
		BuildMutators<0, Args...>(&Mutators, Tuple);

		int Iters = static_cast<int>(Random() % 10) + 1;
		for (int Iter = 0; Iter < Iters; Iter++) {
		size_t FieldIdx = Random() % sizeof...(Args);
		Mutators[FieldIdx](MaxSize);
		}
		}

		template <typename Fn>
		size_t AdaptMutate(Fn F, uint8_t *Data, size_t Size, size_t MaxSize,
		unsigned int Seed) {
		typename FnTraits<Fn>::ArgsTupleT Tuple;
		Unpack(Data, Size, &Tuple);
		Mutate(&Tuple, MaxSize, Seed);
		size_t NewSize = Pack(Tuple, Data, MaxSize);
		assert(NewSize > 0);
		return NewSize;
		}

} // namespace impl		} // namespace impl

template <typename Fn> bool Adapt(Fn F, const uint8_t *Data, size_t Size) {		template <typename Fn> bool Adapt(Fn F, const uint8_t *Data, size_t Size) {
return impl::UnpackAndApply(F, Data, Size);		return impl::UnpackAndApply(F, Data, Size);
}		}

		template <typename Fn>
		size_t AdaptMutate(Fn F, uint8_t *Data, size_t Size, size_t MaxSize,
		unsigned int Seed) {
		return impl::AdaptMutate(F, Data, Size, MaxSize, Seed);
		}

} // namespace fuzzer		} // namespace fuzzer

#endif		#endif

lib/Fuzzer/test/CMakeLists.txt

Show All 22 Lines	set(Tests
MemcmpTest		MemcmpTest
LeakTest		LeakTest
NullDerefTest		NullDerefTest
NthRunCrashTest		NthRunCrashTest
RepeatedMemcmp		RepeatedMemcmp
SimpleCmpTest		SimpleCmpTest
SimpleDictionaryTest		SimpleDictionaryTest
SimpleFnAdapterTest		SimpleFnAdapterTest
		SimpleFnAdapterMutatorTest
SimpleHashTest		SimpleHashTest
SimpleTest		SimpleTest
StrcmpTest		StrcmpTest
StrncmpTest		StrncmpTest
SwitchTest		SwitchTest
ThreadedTest		ThreadedTest
TimeoutTest		TimeoutTest
)		)
▲ Show 20 Lines • Show All 98 Lines • Show Last 20 Lines

lib/Fuzzer/test/SimpleFnAdapterMutatorTest.cpp

This file was added.

				#include <iostream>
				#include <vector>

				#include "FuzzerInternal.h"
				#include "FuzzerFnAdapter.h"

				static void TestFn(std::string S1, std::string S2) {
				if (S1.size() > 0 && S1 == S2) {
				std::cout << "BINGO; Found the target, exiting\n";
				exit(0);
				}
				}

				extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
				fuzzer::Adapt(TestFn, Data, Size);
				return 0;
				}


				extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
				size_t MaxSize, unsigned int Seed) {
				return fuzzer::AdaptMutate(TestFn, Data, Size, MaxSize, Seed);
				}

lib/Fuzzer/test/fuzzer-fn-adapter-mutator.test

This file was added.

				RUN: LLVMFuzzer-SimpleFnAdapterMutatorTest 2>&1 \| FileCheck %s

				CHECK: BINGO