This is an archive of the discontinued LLVM Phabricator instance.

Differential D20301

[libfuzzer] Trying random unit prefixes during corpus load.
ClosedPublic

Authored by aizatsky on May 16 2016, 2:29 PM.

Details

Reviewers
kcc
vitalybuka
Commits
rGaf432a45e321: [libfuzzer] Trying random unit prefixes during corpus load.
rL270632: [libfuzzer] Trying random unit prefixes during corpus load.

Diff Detail

Event Timeline

aizatsky updated this revision to Diff 57400.May 16 2016, 2:29 PM
aizatsky updated this revision to Diff 57401.
aizatsky retitled this revision from to [libfuzzer] Trying random unit prefixes during corpus load..
aizatsky updated this object.

format.

aizatsky added reviewers: kcc, vitalybuka.May 16 2016, 2:30 PM
aizatsky added a project: Restricted Project.
aizatsky added a subscriber: llvm-commits.
kcc edited edge metadata.May 16 2016, 2:40 PM

I wonder if it makes sense to add a test here?

lib/Fuzzer/FuzzerLoop.cpp
360

didn't you want to flush the coverage here?

382

S < U.size() ?

vitalybuka added inline comments.May 16 2016, 3:08 PM
lib/Fuzzer/FuzzerLoop.cpp
382

Probably unimportant here.

aizatsky updated this revision to Diff 58149.May 23 2016, 2:02 PM
aizatsky edited edge metadata.

fuzzer unit test.

aizatsky updated this revision to Diff 58150.May 23 2016, 2:06 PM
aizatsky marked 3 inline comments as done.

reset coverage.

aizatsky added a comment.May 23 2016, 2:06 PM

Added test and limited the number of truncation points. PTAL.

kcc added inline comments.May 23 2016, 3:01 PM
lib/Fuzzer/FuzzerFlags.def
87

I'd prefer to have this flag of by default for now

lib/Fuzzer/FuzzerLoop.cpp
362

no {}, same below

379

do you expect duplicates here?

lib/Fuzzer/test/FuzzerUnittest.cpp
16 ↗(On Diff #58150)

make it static and not extern "C"

aizatsky updated this revision to Diff 58347.May 24 2016, 4:05 PM
aizatsky marked 2 inline comments as done.

review

lib/Fuzzer/FuzzerLoop.cpp
379

There might be, but I don't really care. For big corpus there would be only one point.

kcc accepted this revision.May 24 2016, 4:08 PM
kcc edited edge metadata.

LGTM, ok as an off-by-default feature.
I am still not convinced it's good enough yet, will need to play and see.
Some things to check:

  • are there many duplicate sizes?
  • will this blow up the corpus too much?
This revision is now accepted and ready to land.May 24 2016, 4:08 PM
aizatsky added a comment.May 24 2016, 4:19 PM

My plan is to enable it for fuzzer in chrome with big units and see if units get smaller over time.

Closed by commit rL270632: [libfuzzer] Trying random unit prefixes during corpus load. (authored by aizatsky). · Explain WhyMay 24 2016, 4:20 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
Fuzzer/
1 line
1 line
2 lines
41 lines

Diff 57400

lib/Fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 324 Lines▼ Show 20 Lines if (Flags.dict)
if (!ParseDictionaryFile(FileToString(Flags.dict), &Dictionary)) if (!ParseDictionaryFile(FileToString(Flags.dict), &Dictionary))
return 1; return 1;
if (Flags.verbosity > 0 && !Dictionary.empty()) if (Flags.verbosity > 0 && !Dictionary.empty())
Printf("Dictionary: %zd entries\n", Dictionary.size()); Printf("Dictionary: %zd entries\n", Dictionary.size());
bool DoPlainRun = AllInputsAreFiles(); bool DoPlainRun = AllInputsAreFiles();
Options.SaveArtifacts = !DoPlainRun; Options.SaveArtifacts = !DoPlainRun;
Options.PrintNewCovPcs = Flags.print_new_cov_pcs; Options.PrintNewCovPcs = Flags.print_new_cov_pcs;
Options.PrintFinalStats = Flags.print_final_stats; Options.PrintFinalStats = Flags.print_final_stats;
Options.TruncateUnits = Flags.truncate_units;
unsigned Seed = Flags.seed; unsigned Seed = Flags.seed;
// Initialize Seed. // Initialize Seed.
if (Seed == 0) if (Seed == 0)
Seed = (std::chrono::system_clock::now().time_since_epoch().count() << 10) + Seed = (std::chrono::system_clock::now().time_since_epoch().count() << 10) +
getpid(); getpid();
if (Flags.verbosity) if (Flags.verbosity)
Printf("INFO: Seed: %u\n", Seed); Printf("INFO: Seed: %u\n", Seed);
▲ Show 20 LinesShow All 84 LinesShow Last 20 Lines

lib/Fuzzer/FuzzerFlags.def

Show First 20 LinesShow All 78 Lines▼ Show 20 Lines
FUZZER_FLAG_INT(handle_term, 1, "If 1, try to intercept SIGTERM.") FUZZER_FLAG_INT(handle_term, 1, "If 1, try to intercept SIGTERM.")
FUZZER_FLAG_INT(close_fd_mask, 0, "If 1, close stdout at startup; " FUZZER_FLAG_INT(close_fd_mask, 0, "If 1, close stdout at startup; "
"if 2, close stderr; if 3, close both. " "if 2, close stderr; if 3, close both. "
"Be careful, this will also close e.g. asan's stderr/stdout.") "Be careful, this will also close e.g. asan's stderr/stdout.")
FUZZER_FLAG_INT(detect_leaks, 1, "If 1, and if LeakSanitizer is enabled " FUZZER_FLAG_INT(detect_leaks, 1, "If 1, and if LeakSanitizer is enabled "
"try to detect memory leaks during fuzzing (i.e. not only at shut down).") "try to detect memory leaks during fuzzing (i.e. not only at shut down).")
FUZZER_FLAG_INT(rss_limit_mb, 2048, "If non-zero, the fuzzer will exit upon" FUZZER_FLAG_INT(rss_limit_mb, 2048, "If non-zero, the fuzzer will exit upon"
"reaching this limit of RSS memory usage.") "reaching this limit of RSS memory usage.")
FUZZER_FLAG_INT(truncate_units, 1, "Try truncated units when loading corpus.")
kccUnsubmitted
Done
ReplyInline Actions

I'd prefer to have this flag of by default for now

kcc: I'd prefer to have this flag of by default for now
FUZZER_DEPRECATED_FLAG(exit_on_first) FUZZER_DEPRECATED_FLAG(exit_on_first)
FUZZER_DEPRECATED_FLAG(save_minimized_corpus) FUZZER_DEPRECATED_FLAG(save_minimized_corpus)
FUZZER_DEPRECATED_FLAG(sync_command) FUZZER_DEPRECATED_FLAG(sync_command)
FUZZER_DEPRECATED_FLAG(sync_timeout) FUZZER_DEPRECATED_FLAG(sync_timeout)
FUZZER_DEPRECATED_FLAG(test_single_input) FUZZER_DEPRECATED_FLAG(test_single_input)

lib/Fuzzer/FuzzerInternal.h

Show First 20 LinesShow All 300 Lines▼ Show 20 Lines struct FuzzingOptions {
std::string ArtifactPrefix = "./"; std::string ArtifactPrefix = "./";
std::string ExactArtifactPath; std::string ExactArtifactPath;
bool SaveArtifacts = true; bool SaveArtifacts = true;
bool PrintNEW = true; // Print a status line when new units are found; bool PrintNEW = true; // Print a status line when new units are found;
bool OutputCSV = false; bool OutputCSV = false;
bool PrintNewCovPcs = false; bool PrintNewCovPcs = false;
bool PrintFinalStats = false; bool PrintFinalStats = false;
bool DetectLeaks = true; bool DetectLeaks = true;
bool TruncateUnits = true;
}; };
// Aggregates all available coverage measurements. // Aggregates all available coverage measurements.
struct Coverage { struct Coverage {
Coverage() { Reset(); } Coverage() { Reset(); }
void Reset() { void Reset() {
BlockCoverage = 0; BlockCoverage = 0;
Show All 21 Linespublic:
Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options); Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options);
void AddToCorpus(const Unit &U) { void AddToCorpus(const Unit &U) {
Corpus.push_back(U); Corpus.push_back(U);
UpdateCorpusDistribution(); UpdateCorpusDistribution();
} }
size_t ChooseUnitIdxToMutate(); size_t ChooseUnitIdxToMutate();
const Unit &ChooseUnitToMutate() { return Corpus[ChooseUnitIdxToMutate()]; }; const Unit &ChooseUnitToMutate() { return Corpus[ChooseUnitIdxToMutate()]; };
void TruncateUnits(std::vector<Unit>* NewCorpus);
void Loop(); void Loop();
void Drill(); void Drill();
void ShuffleAndMinimize(); void ShuffleAndMinimize();
void InitializeTraceState(); void InitializeTraceState();
void AssignTaintLabels(uint8_t *Data, size_t Size); void AssignTaintLabels(uint8_t *Data, size_t Size);
size_t CorpusSize() const { return Corpus.size(); } size_t CorpusSize() const { return Corpus.size(); }
size_t MaxUnitSizeInCorpus() const; size_t MaxUnitSizeInCorpus() const;
void ReadDir(const std::string &Path, long *Epoch, size_t MaxSize) { void ReadDir(const std::string &Path, long *Epoch, size_t MaxSize) {
▲ Show 20 LinesShow All 101 LinesShow Last 20 Lines

lib/Fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 53 Lines▼ Show 20 Lines
__attribute__((weak)) void __sanitizer_free_hook(void *ptr); __attribute__((weak)) void __sanitizer_free_hook(void *ptr);
__attribute__((weak)) void __lsan_enable(); __attribute__((weak)) void __lsan_enable();
__attribute__((weak)) void __lsan_disable(); __attribute__((weak)) void __lsan_disable();
__attribute__((weak)) int __lsan_do_recoverable_leak_check(); __attribute__((weak)) int __lsan_do_recoverable_leak_check();
} }
namespace fuzzer { namespace fuzzer {
static const size_t kMaxUnitSizeToPrint = 256; static const size_t kMaxUnitSizeToPrint = 256;
static const size_t TruncatePoints = 100;
static void MissingWeakApiFunction(const char *FnName) { static void MissingWeakApiFunction(const char *FnName) {
Printf("ERROR: %s is not defined. Exiting.\n" Printf("ERROR: %s is not defined. Exiting.\n"
"Did you use -fsanitize-coverage=... to build your code?\n", "Did you use -fsanitize-coverage=... to build your code?\n",
FnName); FnName);
exit(1); exit(1);
} }
▲ Show 20 LinesShow All 278 Lines▼ Show 20 Lines
void Fuzzer::ShuffleCorpus(UnitVector *V) { void Fuzzer::ShuffleCorpus(UnitVector *V) {
std::random_shuffle(V->begin(), V->end(), MD.GetRand()); std::random_shuffle(V->begin(), V->end(), MD.GetRand());
if (Options.PreferSmall) if (Options.PreferSmall)
std::stable_sort(V->begin(), V->end(), [](const Unit &A, const Unit &B) { std::stable_sort(V->begin(), V->end(), [](const Unit &A, const Unit &B) {
return A.size() < B.size(); return A.size() < B.size();
}); });
} }
// Tries random prefixes of corpus items.
// Prefix length is chosen according to exponential distribution
// to sample short lengths much more heavily.
void Fuzzer::TruncateUnits(std::vector<Unit>* NewCorpus) {
kccUnsubmitted
Done
ReplyInline Actions

didn't you want to flush the coverage here?

kcc: didn't you want to flush the coverage here?
size_t MaxCorpusLen = 0;
for (const auto &U : Corpus) {
kccUnsubmitted
Done
ReplyInline Actions

no {}, same below

kcc: no {}, same below
MaxCorpusLen = std::max(MaxCorpusLen, U.size());
}
if (MaxCorpusLen <= 1)
return;
// 50% of exponential distribution is Log[2]/lambda.
// Choose lambda so that median is MaxCorpusLen / 2.
double Lambda = 2.0 * log(2.0) / static_cast<double>(MaxCorpusLen);
std::exponential_distribution<> Dist(Lambda);
std::vector<double> Sizes;
Sizes.reserve(TruncatePoints);
for (size_t I = 0; I < TruncatePoints; ++I) {
Sizes.push_back(Dist(MD.GetRand().Get_mt19937()));
}
std::sort(Sizes.begin(), Sizes.end());
kccUnsubmitted
Not Done
ReplyInline Actions

do you expect duplicates here?

kcc: do you expect duplicates here?
aizatskyAuthorUnsubmitted
Not Done
ReplyInline Actions

There might be, but I don't really care. For big corpus there would be only one point.

aizatsky: There might be, but I don't really care. For big corpus there would be only one point.
for (size_t S : Sizes) {
for (const auto &U : Corpus) {
if (S <= U.size() && RunOne(U.data(), S)) {
kccUnsubmitted
Done
ReplyInline Actions

S < U.size() ?

kcc: S < U.size() ?
vitalybukaUnsubmitted
Done
ReplyInline Actions

Probably unimportant here.

vitalybuka: Probably unimportant here.
Unit U1(U.begin(), U.begin() + S);
NewCorpus->push_back(U1);
WriteToOutputCorpus(U1);
PrintStatusForNewUnit(U1);
}
}
}
PrintStats("TRUNC ");
}
void Fuzzer::ShuffleAndMinimize() { void Fuzzer::ShuffleAndMinimize() {
PrintStats("READ "); PrintStats("READ ");
std::vector<Unit> NewCorpus; std::vector<Unit> NewCorpus;
if (Options.ShuffleAtStartUp) if (Options.ShuffleAtStartUp)
ShuffleCorpus(&Corpus); ShuffleCorpus(&Corpus);
if (Options.TruncateUnits)
TruncateUnits(&NewCorpus);
for (const auto &U : Corpus) { for (const auto &U : Corpus) {
if (RunOne(U)) { if (RunOne(U)) {
NewCorpus.push_back(U); NewCorpus.push_back(U);
if (Options.Verbosity >= 2) if (Options.Verbosity >= 2)
Printf("NEW0: %zd L %zd\n", MaxCoverage.BlockCoverage, U.size()); Printf("NEW0: %zd L %zd\n", MaxCoverage.BlockCoverage, U.size());
} }
} }
Corpus = NewCorpus; Corpus = NewCorpus;
UpdateCorpusDistribution(); UpdateCorpusDistribution();
for (auto &X : Corpus) for (auto &X : Corpus)
UnitHashesAddedToCorpus.insert(Hash(X)); UnitHashesAddedToCorpus.insert(Hash(X));
PrintStats("INITED"); PrintStats("INITED");
CheckForMemoryLeaks(); CheckForMemoryLeaks();
} }
bool Fuzzer::UpdateMaxCoverage() { bool Fuzzer::UpdateMaxCoverage() {
uintptr_t PrevBufferLen = MaxCoverage.PcBufferLen; uintptr_t PrevBufferLen = MaxCoverage.PcBufferLen;
bool Res = CoverageController::RecordMax(Options, &MaxCoverage); bool Res = CoverageController::RecordMax(Options, &MaxCoverage);
if (Options.PrintNewCovPcs && PrevBufferLen != MaxCoverage.PcBufferLen) { if (Options.PrintNewCovPcs && PrevBufferLen != MaxCoverage.PcBufferLen) {
uintptr_t *CoverageBuf; uintptr_t *CoverageBuf;
__sanitizer_get_coverage_pc_buffer(&CoverageBuf); __sanitizer_get_coverage_pc_buffer(&CoverageBuf);
assert(CoverageBuf); assert(CoverageBuf);
▲ Show 20 LinesShow All 389 LinesShow Last 20 Lines