This is an archive of the discontinued LLVM Phabricator instance.

Differential D20085

[libfuzzer] Refactoring coverage state-management code..
ClosedPublic

Authored by aizatsky on May 9 2016, 3:18 PM.

Details

Reviewers
kcc
vitalybuka
Commits
rG1aa501e7e833: [libfuzzer] Refactoring coverage state-management code.
rL269140: [libfuzzer] Refactoring coverage state-management code.
Summary

It is now less state-dependent and will allow easier comparing of
coverages of different units.

Diff Detail

Event Timeline

aizatsky updated this revision to Diff 56644.May 9 2016, 3:18 PM
aizatsky retitled this revision from to [libfuzzer][WIP] extracting static coverage state to proper value object..
aizatsky updated this object.
aizatsky updated this revision to Diff 56651.May 9 2016, 4:23 PM

updates

aizatsky updated this revision to Diff 56769.May 10 2016, 11:33 AM

ready for review.

aizatsky retitled this revision from [libfuzzer][WIP] extracting static coverage state to proper value object. to [libfuzzer] Refactoring coverage state-management code...May 10 2016, 11:34 AM
aizatsky updated this object.
aizatsky added reviewers: kcc, vitalybuka.
aizatsky added a project: Restricted Project.
aizatsky added a subscriber: llvm-commits.
kcc edited edge metadata.May 10 2016, 1:50 PM

Correct me if I am wrong, but this change seems to add extra malloc call for every unit.
Don't do that.
Instead of creating a scratch copy on every execution we may want to have two copies: current and maximal.
But no mallocs, please.

lib/Fuzzer/FuzzerLoop.cpp
355–357

Will this cause extra memory allocations to happen for every execution of RunOne()?

lib/Fuzzer/FuzzerTracePC.h
1 ↗(On Diff #56769)

i-face? really?

I don't want to expose this in a header file.
I see why you did this (to have mergeable objects), but that might be a bad idea because of extra memory allocations.

aizatsky updated this revision to Diff 56823.May 10 2016, 2:56 PM
aizatsky marked an inline comment as done.
aizatsky edited edge metadata.

no additional malloc

aizatsky added a comment.May 10 2016, 2:56 PM

Made sure that no additional allocations happen. PTAL.

lib/Fuzzer/FuzzerTracePC.h
1 ↗(On Diff #56769)

Trying to stay within 80 chars.

I don't really need this header. I had this in FuzzerInternal.h first. I'm happy to move this definition back. I simply presumed that you'd like to keep it separate.

aizatsky added inline comments.May 10 2016, 3:01 PM
lib/Fuzzer/FuzzerLoop.cpp
355–357

BTW all tests pass without this call, but you used to have it before. Do you want me to keep it?

kcc added inline comments.May 10 2016, 3:29 PM
lib/Fuzzer/FuzzerInternal.h
353

is this used?

lib/Fuzzer/FuzzerLoop.cpp
355–357

let's not make too many changes at the same time, leave it for now.

lib/Fuzzer/FuzzerTracePC.h
2 ↗(On Diff #56823)

No, this header is fine, I just don't like i-face. Just leave "Path tracer"

9 ↗(On Diff #56823)

Fix the comment (move from the cpp file)

25 ↗(On Diff #56823)

move the code to cpp file

32 ↗(On Diff #56823)

ditto

aizatsky updated this revision to Diff 56830.May 10 2016, 3:38 PM
aizatsky marked 5 inline comments as done.

review

aizatsky added a comment.May 10 2016, 3:38 PM

All Done. PTAL.

lib/Fuzzer/FuzzerInternal.h
353

Not right now, but I used it several times for debugging. I'd like to keep it.

lib/Fuzzer/FuzzerLoop.cpp
355–357

Added comment.

kcc accepted this revision.May 10 2016, 3:43 PM
kcc edited edge metadata.

LGTM, but please test on at least one non-trivial target (other than tests) that is large and fast, to ensure we haven't missed any perf degradation.

Also, consider moving all coverage stuff from FuzzerLoop into a separate file (FuzzerCoverage) in a separate change.

This revision is now accepted and ready to land.May 10 2016, 3:43 PM
aizatsky added a comment.May 10 2016, 4:34 PM

I don't see any performance difference. Tested on chromium's mp4_box_reader_fuzzer (166M binary).

Before:

$ ./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 ~/tmp/fuzzers/mp4_box_reader_fuzzer
INFO: Seed: 1
INFO: -max_len is not provided, using 500
#0 READ units: 429 exec/s: 0
#429 INITED cov: 517 bits: 686 indir: 23 units: 120 exec/s: 0
#16384 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5461
#32768 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5461
#65536 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5041
#131072 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 5041
#262144 pulse cov: 547 bits: 686 indir: 25 units: 120 exec/s: 4681
^C==32409== libFuzzer: run interrupted; exiting
./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 63.74s user 2.01s system 99% cpu 1:05.82 total

After:

$ ./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 ~/tmp/fuzzers/mp4_box_reader_fuzzer
INFO: Seed: 1
INFO: -max_len is not provided, using 500
#0 READ units: 425 exec/s: 0
#425 INITED cov: 381 bits: 686 indir: 23 units: 120 exec/s: 0
#426 NEW cov: 411 bits: 686 indir: 25 units: 121 exec/s: 0 L: 157 MS: 1 InsertByte-
#4002 NEW cov: 411 bits: 686 indir: 25 units: 122 exec/s: 4002 L: 453 MS: 2 EraseByte-ShuffleBytes-
#4003 NEW cov: 412 bits: 686 indir: 25 units: 123 exec/s: 4003 L: 453 MS: 3 EraseByte-ShuffleBytes-ShuffleBytes-
#16384 pulse cov: 412 bits: 686 indir: 25 units: 123 exec/s: 5461
#30789 NEW cov: 412 bits: 688 indir: 25 units: 124 exec/s: 4398 L: 187 MS: 3 ChangeByte-ChangeBit-EraseByte-
#32768 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 4681
#65536 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 4681
#131072 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 5041
#262144 pulse cov: 412 bits: 688 indir: 25 units: 124 exec/s: 5041
^C==29836== libFuzzer: run interrupted; exiting
./out/fuzzer/mp4_box_reader_fuzzer -seed=1 -runs=1000000 99.80s user 0.61s system 99% cpu 1:40.48 total

Closed by commit rL269140: [libfuzzer] Refactoring coverage state-management code. (authored by aizatsky). · Explain WhyMay 10 2016, 4:49 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
Fuzzer/
88 lines
178 lines
3 lines
27 lines

Diff 56651

lib/Fuzzer/FuzzerInternal.h

Show First 20 LinesShow All 106 Lines▼ Show 20 Lines
bool ToASCII(uint8_t *Data, size_t Size); bool ToASCII(uint8_t *Data, size_t Size);
bool IsASCII(const Unit &U); bool IsASCII(const Unit &U);
int NumberOfCpuCores(); int NumberOfCpuCores();
int GetPid(); int GetPid();
int SignalToMainThread(); int SignalToMainThread();
void SleepSeconds(int Seconds); void SleepSeconds(int Seconds);
struct PcCoverageMap {
static const size_t kMapSizeInBits = 65371; // Prime.
static const size_t kMapSizeInBitsAligned = 65536; // 2^16
static const size_t kBitsInWord =(sizeof(uintptr_t) * 8);
static const size_t kMapSizeInWords = kMapSizeInBitsAligned / kBitsInWord;
void Reset() {
memset(Map, 0, sizeof(Map));
}
size_t MergeFrom(const PcCoverageMap& Other) {
uintptr_t Res = 0;
for (size_t i = 0; i < kMapSizeInWords; i++)
Res += __builtin_popcountl(Map[i] |= Other.Map[i]);
return Res;
}
void Update(uintptr_t Addr) {
uintptr_t Idx = Addr % kMapSizeInBits;
uintptr_t WordIdx = Idx / kBitsInWord;
uintptr_t BitIdx = Idx % kBitsInWord;
Map[WordIdx] |= 1UL << BitIdx;
}
uintptr_t Map[kMapSizeInWords] __attribute__((aligned(512)));
};
// Clears the current PC Map. // Clears the current PC Map.
void PcMapResetCurrent(); void PcMapResetCurrent();
// Merges the current PC Map into the combined one, and clears the former. // Merges the current PC Map into the combined one, and clears the former.
void PcMapMergeCurrentToCombined(); size_t PcMapMergeInto(PcCoverageMap* Map);
// Returns the size of the combined PC Map.
size_t PcMapCombinedSize();
class Random { class Random {
public: public:
Random(unsigned int seed) : R(seed) {} Random(unsigned int seed) : R(seed) {}
size_t Rand() { return R(); } size_t Rand() { return R(); }
size_t RandBool() { return Rand() % 2; } size_t RandBool() { return Rand() % 2; }
size_t operator()(size_t n) { return n ? Rand() % n : 0; } size_t operator()(size_t n) { return n ? Rand() % n : 0; }
std::mt19937 &Get_mt19937() { return R; } std::mt19937 &Get_mt19937() { return R; }
▲ Show 20 LinesShow All 175 Lines▼ Show 20 Lines struct FuzzingOptions {
std::string ExactArtifactPath; std::string ExactArtifactPath;
bool SaveArtifacts = true; bool SaveArtifacts = true;
bool PrintNEW = true; // Print a status line when new units are found; bool PrintNEW = true; // Print a status line when new units are found;
bool OutputCSV = false; bool OutputCSV = false;
bool PrintNewCovPcs = false; bool PrintNewCovPcs = false;
bool PrintFinalStats = false; bool PrintFinalStats = false;
bool DetectLeaks = true; bool DetectLeaks = true;
}; };
struct CoverageStats {
CoverageStats() { Reset(); }
void Reset() {
Generation = -1;
BlockCoverage = 0;
CallerCalleeCoverage = 0;
PcMapBits = 0;
CounterBitmapBits = 0;
PcBufferLen = 0;
CounterBitmap.clear();
PCMap.Reset();
}
bool MergeFrom(const CoverageStats& Other);
kccUnsubmitted
Not Done
ReplyInline Actions

is this used?

kcc: is this used?
aizatskyAuthorUnsubmitted
Not Done
ReplyInline Actions

Not right now, but I used it several times for debugging. I'd like to keep it.

aizatsky: Not right now, but I used it several times for debugging. I'd like to keep it.
std::string DebugString() const;
size_t TotalBits() { // Slow. Call it only for printing stats.
size_t Res = 0;
for (auto x : CounterBitmap)
Res += __builtin_popcount(x);
return Res;
}
int64_t Generation;
size_t BlockCoverage;
size_t CallerCalleeCoverage;
size_t PcBufferLen;
size_t CounterBitmapBits;
size_t PcMapBits;
PcCoverageMap PCMap;
std::vector<uint8_t> CounterBitmap;
};
Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options); Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options);
void AddToCorpus(const Unit &U) { void AddToCorpus(const Unit &U) {
Corpus.push_back(U); Corpus.push_back(U);
UpdateCorpusDistribution(); UpdateCorpusDistribution();
} }
size_t ChooseUnitIdxToMutate(); size_t ChooseUnitIdxToMutate();
const Unit &ChooseUnitToMutate() { return Corpus[ChooseUnitIdxToMutate()]; }; const Unit &ChooseUnitToMutate() { return Corpus[ChooseUnitIdxToMutate()]; };
void Loop(); void Loop();
▲ Show 20 LinesShow All 53 Lines▼ Show 20 Linesprivate:
void ShuffleCorpus(UnitVector *V); void ShuffleCorpus(UnitVector *V);
void TryDetectingAMemoryLeak(uint8_t *Data, size_t Size); void TryDetectingAMemoryLeak(uint8_t *Data, size_t Size);
void CheckForMemoryLeaks(); void CheckForMemoryLeaks();
// Updates the probability distribution for the units in the corpus. // Updates the probability distribution for the units in the corpus.
// Must be called whenever the corpus or unit weights are changed. // Must be called whenever the corpus or unit weights are changed.
void UpdateCorpusDistribution(); void UpdateCorpusDistribution();
size_t RecordBlockCoverage();
size_t RecordCallerCalleeCoverage();
void PrepareCoverageBeforeRun();
bool CheckCoverageAfterRun();
void ResetCoverage(); void ResetCoverage();
// Trace-based fuzzing: we run a unit with some kind of tracing // Trace-based fuzzing: we run a unit with some kind of tracing
// enabled and record potentially useful mutations. Then // enabled and record potentially useful mutations. Then
// We apply these mutations one by one to the unit and run it again. // We apply these mutations one by one to the unit and run it again.
// Start tracing; forget all previously proposed mutations. // Start tracing; forget all previously proposed mutations.
void StartTraceRecording(); void StartTraceRecording();
Show All 12 Linesprivate:
size_t TotalNumberOfRuns = 0; size_t TotalNumberOfRuns = 0;
size_t NumberOfNewUnitsAdded = 0; size_t NumberOfNewUnitsAdded = 0;
bool HasMoreMallocsThanFrees = false; bool HasMoreMallocsThanFrees = false;
size_t NumberOfLeakDetectionAttempts = 0; size_t NumberOfLeakDetectionAttempts = 0;
std::vector<Unit> Corpus; std::vector<Unit> Corpus;
std::unordered_set<std::string> UnitHashesAddedToCorpus; std::unordered_set<std::string> UnitHashesAddedToCorpus;
// For UseCounters
std::vector<uint8_t> CounterBitmap;
size_t TotalBits() { // Slow. Call it only for printing stats.
size_t Res = 0;
for (auto x : CounterBitmap)
Res += __builtin_popcount(x);
return Res;
}
std::vector<uint8_t> MutateInPlaceHere; std::vector<uint8_t> MutateInPlaceHere;
std::piecewise_constant_distribution<double> CorpusDistribution; std::piecewise_constant_distribution<double> CorpusDistribution;
UserCallback CB; UserCallback CB;
MutationDispatcher &MD; MutationDispatcher &MD;
FuzzingOptions Options; FuzzingOptions Options;
system_clock::time_point ProcessStartTime = system_clock::now(); system_clock::time_point ProcessStartTime = system_clock::now();
system_clock::time_point UnitStartTime; system_clock::time_point UnitStartTime;
long TimeOfLongestUnitInSeconds = 0; long TimeOfLongestUnitInSeconds = 0;
long EpochOfLastReadOfOutputCorpus = 0; long EpochOfLastReadOfOutputCorpus = 0;
size_t LastRecordedBlockCoverage = 0;
size_t LastRecordedPcMapSize = 0; CoverageStats MaxCoverage;
size_t LastRecordedCallerCalleeCoverage = 0;
size_t LastCoveragePcBufferLen = 0;
}; };
}; // namespace fuzzer }; // namespace fuzzer
#endif // LLVM_FUZZER_INTERNAL_H #endif // LLVM_FUZZER_INTERNAL_H

lib/Fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 75 Lines▼ Show 20 Lines
// Only one Fuzzer per process. // Only one Fuzzer per process.
static Fuzzer *F; static Fuzzer *F;
size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize) { size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize) {
assert(F); assert(F);
return F->GetMD().Mutate(Data, Size, MaxSize); return F->GetMD().Mutate(Data, Size, MaxSize);
} }
struct CoverageController {
static void Init() {
Generation = 0;
Reset();
}
static void Reset() {
CHECK_WEAK_API_FUNCTION(__sanitizer_reset_coverage);
__sanitizer_reset_coverage();
PcMapResetCurrent();
Generation++;
}
static void Prepare(const Fuzzer::FuzzingOptions& Options,
Fuzzer::CoverageStats* Stats) {
if (Options.UseCounters) {
size_t NumCounters = __sanitizer_get_number_of_counters();
Stats->CounterBitmap.resize(NumCounters);
__sanitizer_update_counter_bitset_and_clear_counters(0);
}
}
static void Record(const Fuzzer::FuzzingOptions& Options, Fuzzer::CoverageStats* Stats) {
Stats->BlockCoverage = __sanitizer_get_total_unique_coverage();
if (Options.UseIndirCalls && __sanitizer_get_total_unique_caller_callee_pairs)
Stats->CallerCalleeCoverage = __sanitizer_get_total_unique_caller_callee_pairs();
if (Options.UseCounters)
Stats->CounterBitmapBits += __sanitizer_update_counter_bitset_and_clear_counters(Stats->CounterBitmap.data());
Stats->PcMapBits = PcMapMergeInto(&Stats->PCMap);
Stats->Generation = Generation;
uintptr_t *CoverageBuf;
Stats->PcBufferLen = __sanitizer_get_coverage_pc_buffer(&CoverageBuf);
}
static int64_t Generation;
};
int64_t CoverageController::Generation;
Fuzzer::Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options) Fuzzer::Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options)
: CB(CB), MD(MD), Options(Options) { : CB(CB), MD(MD), Options(Options) {
SetDeathCallback(); SetDeathCallback();
InitializeTraceState(); InitializeTraceState();
assert(!F); assert(!F);
F = this; F = this;
CoverageController::Init();
} }
void Fuzzer::SetDeathCallback() { void Fuzzer::SetDeathCallback() {
CHECK_WEAK_API_FUNCTION(__sanitizer_set_death_callback); CHECK_WEAK_API_FUNCTION(__sanitizer_set_death_callback);
__sanitizer_set_death_callback(StaticDeathCallback); __sanitizer_set_death_callback(StaticDeathCallback);
} }
void Fuzzer::StaticDeathCallback() { void Fuzzer::StaticDeathCallback() {
▲ Show 20 LinesShow All 105 Lines▼ Show 20 Linesvoid Fuzzer::PrintStats(const char *Where, const char *End) {
size_t ExecPerSec = execPerSec(); size_t ExecPerSec = execPerSec();
if (Options.OutputCSV) { if (Options.OutputCSV) {
static bool csvHeaderPrinted = false; static bool csvHeaderPrinted = false;
if (!csvHeaderPrinted) { if (!csvHeaderPrinted) {
csvHeaderPrinted = true; csvHeaderPrinted = true;
Printf("runs,block_cov,bits,cc_cov,corpus,execs_per_sec,tbms,reason\n"); Printf("runs,block_cov,bits,cc_cov,corpus,execs_per_sec,tbms,reason\n");
} }
Printf("%zd,%zd,%zd,%zd,%zd,%zd,%s\n", TotalNumberOfRuns, Printf("%zd,%zd,%zd,%zd,%zd,%zd,%s\n", TotalNumberOfRuns,
LastRecordedBlockCoverage, TotalBits(), MaxCoverage.BlockCoverage, MaxCoverage.TotalBits(),
LastRecordedCallerCalleeCoverage, Corpus.size(), ExecPerSec, MaxCoverage.CallerCalleeCoverage, Corpus.size(), ExecPerSec,
Where); Where);
} }
if (!Options.Verbosity) if (!Options.Verbosity)
return; return;
Printf("#%zd\t%s", TotalNumberOfRuns, Where); Printf("#%zd\t%s", TotalNumberOfRuns, Where);
if (LastRecordedBlockCoverage) if (MaxCoverage.BlockCoverage)
Printf(" cov: %zd", LastRecordedBlockCoverage); Printf(" cov: %zd", MaxCoverage.BlockCoverage);
if (LastRecordedPcMapSize) if (MaxCoverage.PcMapBits)
Printf(" path: %zd", LastRecordedPcMapSize); Printf(" path: %zd", MaxCoverage.PcMapBits);
if (auto TB = TotalBits()) if (auto TB = MaxCoverage.TotalBits())
Printf(" bits: %zd", TB); Printf(" bits: %zd", TB);
if (LastRecordedCallerCalleeCoverage) if (MaxCoverage.CallerCalleeCoverage)
Printf(" indir: %zd", LastRecordedCallerCalleeCoverage); Printf(" indir: %zd", MaxCoverage.CallerCalleeCoverage);
Printf(" units: %zd exec/s: %zd", Corpus.size(), ExecPerSec); Printf(" units: %zd exec/s: %zd", Corpus.size(), ExecPerSec);
Printf("%s", End); Printf("%s", End);
} }
void Fuzzer::PrintFinalStats() { void Fuzzer::PrintFinalStats() {
if (!Options.PrintFinalStats) return; if (!Options.PrintFinalStats) return;
size_t ExecPerSec = execPerSec(); size_t ExecPerSec = execPerSec();
Printf("stat::number_of_executed_units: %zd\n", TotalNumberOfRuns); Printf("stat::number_of_executed_units: %zd\n", TotalNumberOfRuns);
▲ Show 20 LinesShow All 58 Lines▼ Show 20 Linesvoid Fuzzer::ShuffleAndMinimize() {
std::vector<Unit> NewCorpus; std::vector<Unit> NewCorpus;
if (Options.ShuffleAtStartUp) if (Options.ShuffleAtStartUp)
ShuffleCorpus(&Corpus); ShuffleCorpus(&Corpus);
for (const auto &U : Corpus) { for (const auto &U : Corpus) {
if (RunOne(U)) { if (RunOne(U)) {
NewCorpus.push_back(U); NewCorpus.push_back(U);
if (Options.Verbosity >= 2) if (Options.Verbosity >= 2)
Printf("NEW0: %zd L %zd\n", LastRecordedBlockCoverage, U.size()); Printf("NEW0: %zd L %zd\n", MaxCoverage.BlockCoverage, U.size());
} }
} }
Corpus = NewCorpus; Corpus = NewCorpus;
UpdateCorpusDistribution(); UpdateCorpusDistribution();
for (auto &X : Corpus) for (auto &X : Corpus)
UnitHashesAddedToCorpus.insert(Hash(X)); UnitHashesAddedToCorpus.insert(Hash(X));
PrintStats("INITED"); PrintStats("INITED");
CheckForMemoryLeaks(); CheckForMemoryLeaks();
} }
bool Fuzzer::RunOne(const uint8_t *Data, size_t Size) { bool Fuzzer::RunOne(const uint8_t *Data, size_t Size) {
TotalNumberOfRuns++; TotalNumberOfRuns++;
PrepareCoverageBeforeRun(); CoverageStats Stats;
CoverageController::Prepare(Options, &Stats);
kccUnsubmitted
Done
ReplyInline Actions

Will this cause extra memory allocations to happen for every execution of RunOne()?

kcc: Will this cause extra memory allocations to happen for every execution of RunOne()?
aizatskyAuthorUnsubmitted
Not Done
ReplyInline Actions

BTW all tests pass without this call, but you used to have it before. Do you want me to keep it?

aizatsky: BTW all tests pass without this call, but you used to have it before. Do you want me to keep it?
kccUnsubmitted
Done
ReplyInline Actions

let's not make too many changes at the same time, leave it for now.

kcc: let's not make too many changes at the same time, leave it for now.
aizatskyAuthorUnsubmitted
Not Done
ReplyInline Actions

Added comment.

aizatsky: Added comment.
ExecuteCallback(Data, Size); ExecuteCallback(Data, Size);
bool Res = CheckCoverageAfterRun(); CoverageController::Record(Options, &Stats);
uintptr_t PrevBufferLen = MaxCoverage.PcBufferLen;
bool Res = MaxCoverage.MergeFrom(Stats);
if (Options.PrintNewCovPcs && PrevBufferLen != MaxCoverage.PcBufferLen) {
uintptr_t *CoverageBuf;
__sanitizer_get_coverage_pc_buffer(&CoverageBuf);
assert(CoverageBuf);
for (size_t i = PrevBufferLen; i < MaxCoverage.PcBufferLen; ++i) {
Printf("%p\n", CoverageBuf[i]);
}
}
auto UnitStopTime = system_clock::now(); auto UnitStopTime = system_clock::now();
auto TimeOfUnit = auto TimeOfUnit =
duration_cast<seconds>(UnitStopTime - UnitStartTime).count(); duration_cast<seconds>(UnitStopTime - UnitStartTime).count();
if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)) && if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)) &&
secondsSinceProcessStartUp() >= 2) secondsSinceProcessStartUp() >= 2)
PrintStats("pulse "); PrintStats("pulse ");
if (TimeOfUnit > TimeOfLongestUnitInSeconds && if (TimeOfUnit > TimeOfLongestUnitInSeconds &&
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Linesvoid Fuzzer::ExecuteCallback(const uint8_t *Data, size_t Size) {
int Res = CB(DataCopy.get(), Size); int Res = CB(DataCopy.get(), Size);
(void)Res; (void)Res;
HasMoreMallocsThanFrees = AllocTracer.Stop(); HasMoreMallocsThanFrees = AllocTracer.Stop();
CurrentUnitSize = 0; CurrentUnitSize = 0;
CurrentUnitData = nullptr; CurrentUnitData = nullptr;
assert(Res == 0); assert(Res == 0);
} }
size_t Fuzzer::RecordBlockCoverage() { bool Fuzzer::CoverageStats::MergeFrom(const CoverageStats& Other) {
CHECK_WEAK_API_FUNCTION(__sanitizer_get_total_unique_coverage); assert(Other.Generation >= 0);
uintptr_t PrevCoverage = LastRecordedBlockCoverage; if (Generation < 0)
LastRecordedBlockCoverage = __sanitizer_get_total_unique_coverage(); Generation = Other.Generation;
// All coverage data has to come from a single generation.
assert(Generation == Other.Generation);
if (PrevCoverage == LastRecordedBlockCoverage || !Options.PrintNewCovPcs) bool Res = false;
return LastRecordedBlockCoverage;
uintptr_t PrevBufferLen = LastCoveragePcBufferLen; if (Other.BlockCoverage > BlockCoverage) {
uintptr_t *CoverageBuf; Res = true;
LastCoveragePcBufferLen = __sanitizer_get_coverage_pc_buffer(&CoverageBuf); BlockCoverage = Other.BlockCoverage;
assert(CoverageBuf);
for (size_t i = PrevBufferLen; i < LastCoveragePcBufferLen; ++i) {
Printf("%p\n", CoverageBuf[i]);
} }
return LastRecordedBlockCoverage; if (Other.CallerCalleeCoverage > CallerCalleeCoverage) {
Res = true;
CallerCalleeCoverage = Other.CallerCalleeCoverage;
} }
size_t Fuzzer::RecordCallerCalleeCoverage() { if (Other.PcBufferLen > PcBufferLen) {
if (!Options.UseIndirCalls) Res = true;
return 0; PcBufferLen = Other.PcBufferLen;
if (!__sanitizer_get_total_unique_caller_callee_pairs)
return 0;
return LastRecordedCallerCalleeCoverage =
__sanitizer_get_total_unique_caller_callee_pairs();
} }
void Fuzzer::PrepareCoverageBeforeRun() { if (CounterBitmap.size() != 0) {
if (Options.UseCounters) { assert(CounterBitmap.size() == Other.CounterBitmap.size());
size_t NumCounters = __sanitizer_get_number_of_counters(); size_t NewCounterBitmapBits = 0;
CounterBitmap.resize(NumCounters);
__sanitizer_update_counter_bitset_and_clear_counters(0); for (size_t i = 0; i < CounterBitmap.size(); ++i) {
NewCounterBitmapBits += __builtin_popcount(CounterBitmap[i] |= Other.CounterBitmap[i]);
}
if (NewCounterBitmapBits != CounterBitmapBits) {
Res = true;
CounterBitmapBits = NewCounterBitmapBits;
} }
RecordBlockCoverage();
RecordCallerCalleeCoverage();
} }
bool Fuzzer::CheckCoverageAfterRun() { size_t NewPcMapBits = PCMap.MergeFrom(Other.PCMap);
size_t OldCoverage = LastRecordedBlockCoverage; if (NewPcMapBits > PcMapBits) {
size_t NewCoverage = RecordBlockCoverage(); Res = true;
size_t OldCallerCalleeCoverage = LastRecordedCallerCalleeCoverage; PcMapBits = NewPcMapBits;
size_t NewCallerCalleeCoverage = RecordCallerCalleeCoverage(); }
size_t NumNewBits = 0;
size_t OldPcMapSize = LastRecordedPcMapSize; return Res;
PcMapMergeCurrentToCombined(); }
size_t NewPcMapSize = PcMapCombinedSize();
LastRecordedPcMapSize = NewPcMapSize; std::string Fuzzer::CoverageStats::DebugString() const {
if (NewPcMapSize > OldPcMapSize) std::string Result = std::string("CoverageStats{") +
return true; "BlockCoverage=" + std::to_string(BlockCoverage) +
if (Options.UseCounters) " CallerCalleeCoverage=" + std::to_string(CallerCalleeCoverage) +
NumNewBits = __sanitizer_update_counter_bitset_and_clear_counters( " PcMapSize=" + std::to_string(PcMapBits) +
CounterBitmap.data()); "}";
return NewCoverage > OldCoverage || return Result;
NewCallerCalleeCoverage > OldCallerCalleeCoverage || NumNewBits;
} }
void Fuzzer::WriteToOutputCorpus(const Unit &U) { void Fuzzer::WriteToOutputCorpus(const Unit &U) {
if (Options.OutputCorpus.empty()) if (Options.OutputCorpus.empty())
return; return;
std::string Path = DirPlusFile(Options.OutputCorpus, Hash(U)); std::string Path = DirPlusFile(Options.OutputCorpus, Hash(U));
WriteToFile(U, Path); WriteToFile(U, Path);
if (Options.Verbosity >= 2) if (Options.Verbosity >= 2)
▲ Show 20 LinesShow All 190 Lines▼ Show 20 Lines
size_t Fuzzer::ChooseUnitIdxToMutate() { size_t Fuzzer::ChooseUnitIdxToMutate() {
size_t Idx = size_t Idx =
static_cast<size_t>(CorpusDistribution(MD.GetRand().Get_mt19937())); static_cast<size_t>(CorpusDistribution(MD.GetRand().Get_mt19937()));
assert(Idx < Corpus.size()); assert(Idx < Corpus.size());
return Idx; return Idx;
} }
void Fuzzer::ResetCoverage() { void Fuzzer::ResetCoverage() {
CHECK_WEAK_API_FUNCTION(__sanitizer_reset_coverage); CoverageController::Reset();
__sanitizer_reset_coverage(); MaxCoverage.Reset();
CounterBitmap.clear();
} }
// Experimental search heuristic: drilling. // Experimental search heuristic: drilling.
// - Read, shuffle, execute and minimize the corpus. // - Read, shuffle, execute and minimize the corpus.
// - Choose one random unit. // - Choose one random unit.
// - Reset the coverage. // - Reset the coverage.
// - Start fuzzing as if the chosen unit was the only element of the corpus. // - Start fuzzing as if the chosen unit was the only element of the corpus.
// - When done, reset the coverage again. // - When done, reset the coverage again.
▲ Show 20 LinesShow All 77 LinesShow Last 20 Lines

lib/Fuzzer/FuzzerMutate.cpp

Show First 20 LinesShow All 113 Lines▼ Show 20 Linessize_t MutationDispatcher::Mutate_AddWordFromPersistentAutoDictionary(
return AddWordFromDictionary(PersistentAutoDictionary, Data, Size, MaxSize); return AddWordFromDictionary(PersistentAutoDictionary, Data, Size, MaxSize);
} }
size_t MutationDispatcher::AddWordFromDictionary(Dictionary &D, uint8_t *Data, size_t MutationDispatcher::AddWordFromDictionary(Dictionary &D, uint8_t *Data,
size_t Size, size_t MaxSize) { size_t Size, size_t MaxSize) {
if (D.empty()) return 0; if (D.empty()) return 0;
DictionaryEntry &DE = D[Rand(D.size())]; DictionaryEntry &DE = D[Rand(D.size())];
const Word &W = DE.GetW(); const Word &W = DE.GetW();
// Printf("UseWord:");
// PrintASCII(W);
// Printf(" (%zd)\n", D.size());
bool UsePositionHint = DE.HasPositionHint() && bool UsePositionHint = DE.HasPositionHint() &&
DE.GetPositionHint() + W.size() < Size && Rand.RandBool(); DE.GetPositionHint() + W.size() < Size && Rand.RandBool();
if (Rand.RandBool()) { // Insert W. if (Rand.RandBool()) { // Insert W.
if (Size + W.size() > MaxSize) return 0; if (Size + W.size() > MaxSize) return 0;
size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1); size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1);
memmove(Data + Idx + W.size(), Data + Idx, Size - Idx); memmove(Data + Idx + W.size(), Data + Idx, Size - Idx);
memcpy(Data + Idx, W.data(), W.size()); memcpy(Data + Idx, W.data(), W.size());
Size += W.size(); Size += W.size();
▲ Show 20 LinesShow All 146 LinesShow Last 20 Lines

lib/Fuzzer/FuzzerTracePC.cpp

Show All 9 Lines
// This module implements __sanitizer_cov_trace_pc, a callback required // This module implements __sanitizer_cov_trace_pc, a callback required
// for -fsanitize-coverage=trace-pc instrumentation. // for -fsanitize-coverage=trace-pc instrumentation.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "FuzzerInternal.h" #include "FuzzerInternal.h"
namespace fuzzer { namespace fuzzer {
static const size_t kMapSizeInBits = 65371; // Prime.
static const size_t kMapSizeInBitsAligned = 65536; // 2^16 static PcCoverageMap CurrentMap;
static const size_t kBitsInWord =(sizeof(uintptr_t) * 8);
static const size_t kMapSizeInWords = kMapSizeInBitsAligned / kBitsInWord;
static uintptr_t CurrentMap[kMapSizeInWords] __attribute__((aligned(512)));
static uintptr_t CombinedMap[kMapSizeInWords] __attribute__((aligned(512)));
static size_t CombinedMapSize;
static thread_local uintptr_t Prev; static thread_local uintptr_t Prev;
void PcMapResetCurrent() { void PcMapResetCurrent() {
if (Prev) { if (Prev) {
Prev = 0; Prev = 0;
memset(CurrentMap, 0, sizeof(CurrentMap)); CurrentMap.Reset();
} }
} }
void PcMapMergeCurrentToCombined() { size_t PcMapMergeInto(PcCoverageMap* Map) {
if (!Prev) return; if (!Prev) return 0;
uintptr_t Res = 0; return Map->MergeFrom(CurrentMap);
for (size_t i = 0; i < kMapSizeInWords; i++)
Res += __builtin_popcountl(CombinedMap[i] |= CurrentMap[i]);
CombinedMapSize = Res;
} }
size_t PcMapCombinedSize() { return CombinedMapSize; }
static void HandlePC(uint32_t PC) { static void HandlePC(uint32_t PC) {
// We take 12 bits of PC and mix it with the previous PCs. // We take 12 bits of PC and mix it with the previous PCs.
uintptr_t Next = (Prev << 5) ^ (PC & 4095); uintptr_t Next = (Prev << 5) ^ (PC & 4095);
uintptr_t Idx = Next % kMapSizeInBits; CurrentMap.Update(Next);
uintptr_t WordIdx = Idx / kBitsInWord;
uintptr_t BitIdx = Idx % kBitsInWord;
CurrentMap[WordIdx] |= 1UL << BitIdx;
Prev = Next; Prev = Next;
} }
} // namespace fuzzer } // namespace fuzzer
extern "C" void __sanitizer_cov_trace_pc() { extern "C" void __sanitizer_cov_trace_pc() {
fuzzer::HandlePC(static_cast<uint32_t>( fuzzer::HandlePC(static_cast<uint32_t>(
reinterpret_cast<uintptr_t>(__builtin_return_address(0)))); reinterpret_cast<uintptr_t>(__builtin_return_address(0))));
} }