This is an archive of the discontinued LLVM Phabricator instance.

Differential D27179

LibFuzzer - Implement timers for Windows and improve synchronization.
AbandonedPublic

Authored by mpividori on Nov 28 2016, 4:44 PM.

Details

Reviewers
kcc
amccarth
zturner
Summary

+ Implemented timeouts for Windows using TimerQueueTimers.
+ Modified the implementation of timer for Posix systems. Instead of using ALRM signals, I create a new thread.

This simplifies the code, since both Posix and Windows implementations use a special thread to call AlarmCallback().
Under this assumption, we can safely use locks to synchronize that thread with the main thread.
(We couldn't do that if the same code could be executed asynchronously by a signal handler in Posix systems and by a separated thread in Windows).
Also, I realized that previous implementation assumed that the ALRM signals would be handled by the main thread, which is not necessarily true. In POSIX it is unspecified with thread handle signals.

+ I added a new flag RunningCB to know if the Fuzzer's main thread is running the CB function, instead of using ! CurrentUnitSize. ! CurrentUnitSize doesn't work properly.

For example, in FuzzerLoop.cpp, line 452, we execute the callback with size 0. Previous implementation failed to detect timeouts in that execution.

+ Add a mutex RunningCBMtx to synchronize the access to the Fuzzer's data between different threads.

All the information related to the state of the fuzzer is only modified by the main thread, when it is not running the callback function.
So, in order to consistently access to the Fuzzer's data, we should lock the `RunningCBMtx` and make sure `RunningCB` is true (the main thread is running the CB).
This is used to synchronize the thread which manages the timers, and the one which supervises rss limits, with the main thread.

Diff Detail

Repository
rL LLVM

Event Timeline

mpividori updated this revision to Diff 79472.Nov 28 2016, 4:44 PM
mpividori retitled this revision from to LibFuzzer - Implement timers for Windows and improve synchronization..
mpividori updated this object.
mpividori added a reviewer: zturner.
mpividori set the repository for this revision to rL LLVM.
mpividori added a subscriber: llvm-commits.
Herald added a subscriber: aemerson. · View Herald TranscriptNov 28 2016, 4:44 PM
mpividori updated this revision to Diff 79592.Nov 29 2016, 9:31 AM

+ Move the interruption handler into a separate thread for Posix implemention (instead of asynchronous signal handler). This is more appropriate for 2 reasons:

  • InterruptCallback() uses functions like printf, and accesses to global data, which is not appropriate for a signal handler. By using a separate thread, we are able to synchronize with the main thread.
  • Is the same approach than Windows, which makes code simpler, since we are sure that InterruptCallback() will be excecuted in a separate thread in both Windows and Posix systems.

+ Improve Signal Handler interface (FuzzerUtil*.cpp files).

mpividori updated this revision to Diff 79594.Nov 29 2016, 9:41 AM

+ Remove: #include "FuzzerInternal.h" in FuzzerUtil*.cpp files.

zturner added reviewers: amccarth, kcc.Nov 29 2016, 9:44 AM

+amccarth for the windows stuff. +kcc for the posix refactoring.

zturner added inline comments.Nov 29 2016, 9:54 AM
lib/Fuzzer/FuzzerUtil.h
47–54

How about getting rid of the constructor and initializing all these inline?

int timeout = 0;
HandlerT sigalrm_cb = nullptr;
// etc
lib/Fuzzer/FuzzerUtilWindows.cpp
30–32

@kcc: Are there any issues with using static global constructors in libfuzzer?

89–90

Shouldn't use all delete the timer as well? You store it locally in SetTimer but then let the handle leak. So every time we call SetTimer it will leak a handle.

mpividori added inline comments.Nov 29 2016, 10:18 AM
lib/Fuzzer/FuzzerUtil.h
47–54

@zturner , I think using a constructor is clearer. Do you mean to avoid the static constructor? In that case, I can remove it and initialize that members inline inside SetSignalHandler().

lib/Fuzzer/FuzzerUtilWindows.cpp
30–32

@zturner , the Code Standards mentions that we should avoid static constructors: [[1]](http://llvm.org/docs/CodingStandards.html#do-not-use-static-constructors). In this case, I included it because it is a very simple constructor. I can remove it and initialize that struct inside SetSignalHandler().

89–90

According to the documentation, the timers which were added to the TimerQueue are automatically deleted when deleting the TimerQueue.

zturner added inline comments.Nov 29 2016, 10:30 AM
lib/Fuzzer/FuzzerUtil.h
47–54

I don't know if it's stated anywhere in the coding standards, but there has been an push in the LLVM community recently to use inline initialization instead of constructor initializer list in cases such as this where there are long lists of member variables initialized with constant values. So your entire class definition would look like:

struct SignalHandlerOptions {
  int timeout = 0;
  HandlerT sigalrm_cb = nullptr;
  HandlerT sigsegv_cb = nullptr;
  HandlerT sigbus_cb = nullptr;
  HandlerT sigabrt_cb = nullptr;
  HandlerT sigill_cb = nullptr;
  HandlerT sigfpe_cb = nullptr;
  HandlerT sigint_cb = nullptr;
  HandlerT sigterm_cb = nullptr;
};

And there would be no constructor definition. In this case it's not critical, but the motivation is that when you have multiple constructor overloads that all repeat the same exact initializer list, this syntax reduces boilerplate and reduces the chance of 2 constructors accidentally initializing things differently.

lib/Fuzzer/FuzzerUtilWindows.cpp
89–90

Ahh, I didn't notice that. But it seems we can still create multiple timers here. For example if you call the SetTimer twice it will add a new timer instead of overwriting the old timer. Is this desired? If a user is not supposed to call SetTimer twice, then maybe we should add assert(!TimerQueue). But if it is ok to call SetTimer more than once and have subsequent calls overwrite the existing timer value, then we should probably store the HANDLE in the class and delete it and recreate on subsequent calls.

Also, one thing I just thought of that might be a problem. The timer callback is not going to be invoked on the fuzzer thread, but rather a thread in the windows system thread pool. But I looked at the Alarm callback function and it begins like this:

if (!InFuzzingThread()) return;

So, I think this check is going to always fail. If we need to guarantee that alarms happen on the fuzzing thread, we need a different strategy.

What do you think?

mpividori added inline comments.Nov 29 2016, 11:05 AM
lib/Fuzzer/FuzzerUtil.h
47–54

@zturner , Thanks. Yes, I agree. It is simpler and reduces boilerplate code. I will add that changes.

lib/Fuzzer/FuzzerUtilWindows.cpp
89–90

@zturner thanks for your comments.
+ Yes, we can create multiple timers here, but we don't expose the function SetTimer any more (I removed that), so the user doesn't have access to it. The Timer instance is only accessed by SetSignalHandler() function. Anyway, I can add the changes you proposed.
Also, the code could be simplified by using a separate thread for the timer instead of using TimerQueues. Something like:

void TimerThread(int Seconds) {
  while (1) {
    sleep(Seconds);
    AlrmCallback();
  }
}

I wasn't sure which option is prefered. What do you think? If we consider a separate thread, we could use the same implementation for Posix too, and get rid of SIGALRM.

+ The if (!InFuzzingThread()) return; line was removed in these changes. Yes, I adapted the code to handle that situation.

Previous implementation assumed that the ALRM signals would be handled by the main thread, which is not necessarily true. In POSIX it is unspecified with thread handle signals.
With the changes included in this diff, we can be sure that Alarm callback is executed by a thread different to the main thread in both Posix and Windows implementations:
  • In Windows: by a thread from the windows system thread pool.
  • In Posix: by a separate thread that waits for SIGALRM signals.
zturner added inline comments.Nov 29 2016, 11:15 AM
lib/Fuzzer/FuzzerInternal.h
146–147

It seems like we could use std::atomic_bool here. Does that not work for some reason? The only thing I see that is questionable is that in FuzzerCallback::CrashCallback we check the value, and then run multiple lines of code before returning.

But on the other hand, in Fuzzer::ExecuteCallback, we always set it to true before executing any callback, and false after. So maybe there is no race condition?

atomic_bool is more lightweight than grabbing a full blown mutex, so if we can be sure it's safe, then it seems better.

lib/Fuzzer/FuzzerUtilWindows.cpp
89–90

I don't think we need to create a thread for it, using the windows threadpool is more efficient.

mpividori added inline comments.Nov 29 2016, 11:29 AM
lib/Fuzzer/FuzzerInternal.h
146–147

@zturner, thanks for your comments.
I can't use std::atomic_bool because not only do I need to be sure it is modified atomically, buy also I need to synchronize the main thread with the rest of the threads accessing the Fuzzer's data. Because of that I added the mutex RunningCBMtx.
All the information related to the state of the fuzzer is only modified by the main thread, when it is not running the callback function.
So, in order to consistently access to the Fuzzer's data, we should lock the RunningCBMtx and make sure RunningCB is true (the main thread is running the CB).
By locking the RunningCBMtx, we can be sure that the main thread won't change its state in RunningCB.
This is used to synchronize the thread which manages the timers, and the one which supervises rss limits, with the main thread.

mpividori added inline comments.Nov 29 2016, 11:37 AM
lib/Fuzzer/FuzzerInternal.h
146–147

In the callbacks: Fuzzer::InterruptCallback(), Fuzzer::AlarmCallback() and Fuzzer::RssLimitCallback(), I lock the mutex RunningCBMtx, before accessing the Fuzzer's data. I can do that because I am sure that callbacks are executed by a separate thread in Posix and Windows implementations.
For the special case of: Fuzzer::CrashCallback(), I can't use the mutex because the callback can be executed asynchronously by the main thread in Posix, where we use signal handlers for crash signals such as: SIGSEGV, SIGILL, etc. So, I do my best and only check for the RunningCB flag.

mpividori updated this revision to Diff 79621.Nov 29 2016, 12:27 PM
mpividori edited edge metadata.

+ Initialize inline the members of SignalHandlerOptions.

amccarth edited edge metadata.Nov 29 2016, 1:47 PM

I focused on the Windows-specific code, and it looks good to me as long as the signal callbacks are doing anything tricky.

lib/Fuzzer/FuzzerUtilWindows.cpp
32

Tiny little irrelevant nit: s/WINAPI/CALLBACK/

In modern times, there is no practical distinction, as they both evaluate to __stdcall. Technically, the exception handler is a callback rather than a Windows API.

38

I'm not sure what these callbacks may be doing in lib fuzzer. Be aware that exception handlers cannot acquire any synchronization objects and cannot allocate memory, presumably because that could cause a deadlock.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681419(v=vs.85).aspx

mpividori added inline comments.Nov 29 2016, 2:19 PM
lib/Fuzzer/FuzzerUtilWindows.cpp
38

@amccarth, thanks for your comments.
Yes, in fact all that callbacks call Fuzzer::CrashCallback() which doesn't consider the synchronization lock, as I mentioned before.

mpividori added a comment.Nov 29 2016, 4:39 PM

I splitted this diff in :
+ https://reviews.llvm.org/D27237
+ https://reviews.llvm.org/D27238
+ https://reviews.llvm.org/D27240

mpividori abandoned this revision.Nov 29 2016, 5:28 PM

Revision Contents

PathSize
lib/
Fuzzer/
25 lines
3 lines
29 lines
23 lines
85 lines
169 lines

Diff 79621

lib/Fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 449 Lines▼ Show 20 Linesint FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
auto *MD = new MutationDispatcher(Rand, Options); auto *MD = new MutationDispatcher(Rand, Options);
auto *Corpus = new InputCorpus(Options.OutputCorpus); auto *Corpus = new InputCorpus(Options.OutputCorpus);
auto *F = new Fuzzer(Callback, *Corpus, *MD, Options); auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);
for (auto &U: Dictionary) for (auto &U: Dictionary)
if (U.size() <= Word::GetMaxSize()) if (U.size() <= Word::GetMaxSize())
MD->AddWordToManualDictionary(Word(U.data(), U.size())); MD->AddWordToManualDictionary(Word(U.data(), U.size()));
StartRssThread(F, Flags.rss_limit_mb); SignalHandlerOptions Opts;
if (Flags.timeout > 0) {
Opts.timeout = Flags.timeout / 2 + 1;
Opts.sigalrm_cb = Fuzzer::StaticAlarmCallback;
}
Opts.sigsegv_cb = Fuzzer::StaticCrashSignalCallback;
Opts.sigbus_cb = Fuzzer::StaticCrashSignalCallback;
Opts.sigabrt_cb = Fuzzer::StaticCrashSignalCallback;
Opts.sigill_cb = Fuzzer::StaticCrashSignalCallback;
Opts.sigfpe_cb = Fuzzer::StaticCrashSignalCallback;
Opts.sigint_cb = Fuzzer::StaticInterruptCallback;
Opts.sigterm_cb = Fuzzer::StaticInterruptCallback;
SetSignalHandler(Opts);
// Timer StartRssThread(F, Flags.rss_limit_mb);
if (Flags.timeout > 0)
SetTimer(Flags.timeout / 2 + 1);
if (Flags.handle_segv) SetSigSegvHandler();
if (Flags.handle_bus) SetSigBusHandler();
if (Flags.handle_abrt) SetSigAbrtHandler();
if (Flags.handle_ill) SetSigIllHandler();
if (Flags.handle_fpe) SetSigFpeHandler();
if (Flags.handle_int) SetSigIntHandler();
if (Flags.handle_term) SetSigTermHandler();
if (Flags.minimize_crash_internal_step) if (Flags.minimize_crash_internal_step)
return MinimizeCrashInputInternalStep(F, Corpus); return MinimizeCrashInputInternalStep(F, Corpus);
if (DoPlainRun) { if (DoPlainRun) {
Options.SaveArtifacts = false; Options.SaveArtifacts = false;
int Runs = std::max(1, Flags.runs); int Runs = std::max(1, Flags.runs);
Printf("%s: Running %zd inputs %d time(s) each.\n", ProgName->c_str(), Printf("%s: Running %zd inputs %d time(s) each.\n", ProgName->c_str(),
▲ Show 20 LinesShow All 62 LinesShow Last 20 Lines

lib/Fuzzer/FuzzerInternal.h

Show All 11 Lines
#ifndef LLVM_FUZZER_INTERNAL_H #ifndef LLVM_FUZZER_INTERNAL_H
#define LLVM_FUZZER_INTERNAL_H #define LLVM_FUZZER_INTERNAL_H
#include <algorithm> #include <algorithm>
#include <atomic> #include <atomic>
#include <chrono> #include <chrono>
#include <climits> #include <climits>
#include <cstdlib> #include <cstdlib>
#include <mutex>
#include <string.h> #include <string.h>
#include "FuzzerDefs.h" #include "FuzzerDefs.h"
#include "FuzzerExtFunctions.h" #include "FuzzerExtFunctions.h"
#include "FuzzerInterface.h" #include "FuzzerInterface.h"
#include "FuzzerOptions.h" #include "FuzzerOptions.h"
#include "FuzzerSHA1.h" #include "FuzzerSHA1.h"
#include "FuzzerValueBitMap.h" #include "FuzzerValueBitMap.h"
▲ Show 20 LinesShow All 109 Lines▼ Show 20 Linesprivate:
void ResetEdgeCoverage(); void ResetEdgeCoverage();
void ResetCounters(); void ResetCounters();
void PrepareCounters(Fuzzer::Coverage *C); void PrepareCounters(Fuzzer::Coverage *C);
bool RecordMaxCoverage(Fuzzer::Coverage *C); bool RecordMaxCoverage(Fuzzer::Coverage *C);
void AllocateCurrentUnitData(); void AllocateCurrentUnitData();
uint8_t *CurrentUnitData = nullptr; uint8_t *CurrentUnitData = nullptr;
std::atomic<size_t> CurrentUnitSize; std::atomic<size_t> CurrentUnitSize;
bool RunningCB;
std::mutex RunningCBMtx;
zturnerUnsubmitted
Not Done
ReplyInline Actions

It seems like we could use std::atomic_bool here. Does that not work for some reason? The only thing I see that is questionable is that in FuzzerCallback::CrashCallback we check the value, and then run multiple lines of code before returning.

But on the other hand, in Fuzzer::ExecuteCallback, we always set it to true before executing any callback, and false after. So maybe there is no race condition?

atomic_bool is more lightweight than grabbing a full blown mutex, so if we can be sure it's safe, then it seems better.

zturner: It seems like we could use `std::atomic_bool` here. Does that not work for some reason? The…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@zturner, thanks for your comments.
I can't use std::atomic_bool because not only do I need to be sure it is modified atomically, buy also I need to synchronize the main thread with the rest of the threads accessing the Fuzzer's data. Because of that I added the mutex RunningCBMtx.
All the information related to the state of the fuzzer is only modified by the main thread, when it is not running the callback function.
So, in order to consistently access to the Fuzzer's data, we should lock the RunningCBMtx and make sure RunningCB is true (the main thread is running the CB).
By locking the RunningCBMtx, we can be sure that the main thread won't change its state in RunningCB.
This is used to synchronize the thread which manages the timers, and the one which supervises rss limits, with the main thread.

mpividori: @zturner, thanks for your comments. I can't use `std::atomic_bool` because not only do I need…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

In the callbacks: Fuzzer::InterruptCallback(), Fuzzer::AlarmCallback() and Fuzzer::RssLimitCallback(), I lock the mutex RunningCBMtx, before accessing the Fuzzer's data. I can do that because I am sure that callbacks are executed by a separate thread in Posix and Windows implementations.
For the special case of: Fuzzer::CrashCallback(), I can't use the mutex because the callback can be executed asynchronously by the main thread in Posix, where we use signal handlers for crash signals such as: SIGSEGV, SIGILL, etc. So, I do my best and only check for the RunningCB flag.

mpividori: In the callbacks: `Fuzzer::InterruptCallback()`, `Fuzzer::AlarmCallback()` and `Fuzzer…
uint8_t BaseSha1[kSHA1NumBytes]; // Checksum of the base unit. uint8_t BaseSha1[kSHA1NumBytes]; // Checksum of the base unit.
size_t TotalNumberOfRuns = 0; size_t TotalNumberOfRuns = 0;
size_t NumberOfNewUnitsAdded = 0; size_t NumberOfNewUnitsAdded = 0;
bool HasMoreMallocsThanFrees = false; bool HasMoreMallocsThanFrees = false;
size_t NumberOfLeakDetectionAttempts = 0; size_t NumberOfLeakDetectionAttempts = 0;
Show All 25 Lines

lib/Fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 151 Lines▼ Show 20 Lines if (int TraceLevel = AllocTracer.TraceLevel) {
Printf("FREE[%zd] %p\n", N, ptr); Printf("FREE[%zd] %p\n", N, ptr);
if (TraceLevel >= 2 && EF) if (TraceLevel >= 2 && EF)
EF->__sanitizer_print_stack_trace(); EF->__sanitizer_print_stack_trace();
} }
} }
Fuzzer::Fuzzer(UserCallback CB, InputCorpus &Corpus, MutationDispatcher &MD, Fuzzer::Fuzzer(UserCallback CB, InputCorpus &Corpus, MutationDispatcher &MD,
FuzzingOptions Options) FuzzingOptions Options)
: CB(CB), Corpus(Corpus), MD(MD), Options(Options) { : RunningCB(false), CB(CB), Corpus(Corpus), MD(MD), Options(Options) {
SetDeathCallback(); SetDeathCallback();
InitializeTraceState(); InitializeTraceState();
assert(!F); assert(!F);
F = this; F = this;
TPC.ResetMaps(); TPC.ResetMaps();
ResetCoverage(); ResetCoverage();
IsMyThread = true; IsMyThread = true;
if (Options.DetectLeaks && EF->__sanitizer_install_malloc_and_free_hooks) if (Options.DetectLeaks && EF->__sanitizer_install_malloc_and_free_hooks)
▲ Show 20 LinesShow All 80 Lines▼ Show 20 Lines
void Fuzzer::CrashCallback() { void Fuzzer::CrashCallback() {
Printf("==%d== ERROR: libFuzzer: deadly signal\n", GetPid()); Printf("==%d== ERROR: libFuzzer: deadly signal\n", GetPid());
if (EF->__sanitizer_print_stack_trace) if (EF->__sanitizer_print_stack_trace)
EF->__sanitizer_print_stack_trace(); EF->__sanitizer_print_stack_trace();
Printf("NOTE: libFuzzer has rudimentary signal handlers.\n" Printf("NOTE: libFuzzer has rudimentary signal handlers.\n"
" Combine libFuzzer with AddressSanitizer or similar for better " " Combine libFuzzer with AddressSanitizer or similar for better "
"crash reports.\n"); "crash reports.\n");
Printf("SUMMARY: libFuzzer: deadly signal\n"); Printf("SUMMARY: libFuzzer: deadly signal\n");
if (RunningCB) { // The fuzzer is in a consistent state.
DumpCurrentUnit("crash-"); DumpCurrentUnit("crash-");
PrintFinalStats(); PrintFinalStats();
}
exit(Options.ErrorExitCode); exit(Options.ErrorExitCode);
} }
void Fuzzer::InterruptCallback() { void Fuzzer::InterruptCallback() {
Printf("==%d== libFuzzer: run interrupted; exiting\n", GetPid()); Printf("==%d== libFuzzer: run interrupted; exiting\n", GetPid());
std::lock_guard<std::mutex> Lock(RunningCBMtx);
if (RunningCB) // The fuzzer is in a consistent state.
PrintFinalStats(); PrintFinalStats();
_Exit(0); // Stop right now, don't perform any at-exit actions. _Exit(0); // Stop right now, don't perform any at-exit actions.
} }
NO_SANITIZE_MEMORY NO_SANITIZE_MEMORY
void Fuzzer::AlarmCallback() { void Fuzzer::AlarmCallback() {
assert(Options.UnitTimeoutSec > 0); assert(Options.UnitTimeoutSec > 0);
if (!InFuzzingThread()) return; std::lock_guard<std::mutex> Lock(RunningCBMtx);
if (!CurrentUnitSize) if (!RunningCB)
return; // We have not started running units yet. return; // We have not started running units yet.
size_t Seconds = size_t Seconds =
duration_cast<seconds>(system_clock::now() - UnitStartTime).count(); duration_cast<seconds>(system_clock::now() - UnitStartTime).count();
if (Seconds == 0) if (Seconds == 0)
return; return;
if (Options.Verbosity >= 2) if (Options.Verbosity >= 2)
Printf("AlarmCallback %zd\n", Seconds); Printf("AlarmCallback %zd\n", Seconds);
if (Seconds >= (size_t)Options.UnitTimeoutSec) { if (Seconds >= (size_t)Options.UnitTimeoutSec) {
Show All 13 Lines
void Fuzzer::RssLimitCallback() { void Fuzzer::RssLimitCallback() {
Printf( Printf(
"==%d== ERROR: libFuzzer: out-of-memory (used: %zdMb; limit: %zdMb)\n", "==%d== ERROR: libFuzzer: out-of-memory (used: %zdMb; limit: %zdMb)\n",
GetPid(), GetPeakRSSMb(), Options.RssLimitMb); GetPid(), GetPeakRSSMb(), Options.RssLimitMb);
Printf(" To change the out-of-memory limit use -rss_limit_mb=<N>\n\n"); Printf(" To change the out-of-memory limit use -rss_limit_mb=<N>\n\n");
if (EF->__sanitizer_print_memory_profile) if (EF->__sanitizer_print_memory_profile)
EF->__sanitizer_print_memory_profile(95); EF->__sanitizer_print_memory_profile(95);
DumpCurrentUnit("oom-");
Printf("SUMMARY: libFuzzer: out-of-memory\n"); Printf("SUMMARY: libFuzzer: out-of-memory\n");
std::lock_guard<std::mutex> Lock(RunningCBMtx);
if (RunningCB) { // The fuzzer is in a consistent state.
DumpCurrentUnit("oom-");
PrintFinalStats(); PrintFinalStats();
}
_Exit(Options.ErrorExitCode); // Stop right now. _Exit(Options.ErrorExitCode); // Stop right now.
} }
void Fuzzer::PrintStats(const char *Where, const char *End, size_t Units) { void Fuzzer::PrintStats(const char *Where, const char *End, size_t Units) {
size_t ExecPerSec = execPerSec(); size_t ExecPerSec = execPerSec();
if (Options.OutputCSV) { if (Options.OutputCSV) {
static bool csvHeaderPrinted = false; static bool csvHeaderPrinted = false;
if (!csvHeaderPrinted) { if (!csvHeaderPrinted) {
▲ Show 20 LinesShow All 195 Lines▼ Show 20 Linesvoid Fuzzer::ExecuteCallback(const uint8_t *Data, size_t Size) {
memcpy(DataCopy, Data, Size); memcpy(DataCopy, Data, Size);
if (CurrentUnitData && CurrentUnitData != Data) if (CurrentUnitData && CurrentUnitData != Data)
memcpy(CurrentUnitData, Data, Size); memcpy(CurrentUnitData, Data, Size);
CurrentUnitSize = Size; CurrentUnitSize = Size;
AllocTracer.Start(Options.TraceMalloc); AllocTracer.Start(Options.TraceMalloc);
UnitStartTime = system_clock::now(); UnitStartTime = system_clock::now();
ResetCounters(); // Reset coverage right before the callback. ResetCounters(); // Reset coverage right before the callback.
TPC.ResetMaps(); TPC.ResetMaps();
RunningCBMtx.lock();
RunningCB = true;
RunningCBMtx.unlock();
int Res = CB(DataCopy, Size); int Res = CB(DataCopy, Size);
RunningCBMtx.lock();
RunningCB = false;
RunningCBMtx.unlock();
UnitStopTime = system_clock::now(); UnitStopTime = system_clock::now();
(void)Res; (void)Res;
assert(Res == 0); assert(Res == 0);
HasMoreMallocsThanFrees = AllocTracer.Stop(); HasMoreMallocsThanFrees = AllocTracer.Stop();
CurrentUnitSize = 0; CurrentUnitSize = 0;
delete[] DataCopy; delete[] DataCopy;
} }
▲ Show 20 LinesShow All 241 LinesShow Last 20 Lines

lib/Fuzzer/FuzzerUtil.h

Show All 35 Lines
void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC); void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC);
std::string DescribePC(const char *SymbolizedFMT, uintptr_t PC); std::string DescribePC(const char *SymbolizedFMT, uintptr_t PC);
int NumberOfCpuCores(); int NumberOfCpuCores();
// Platform specific functions. // Platform specific functions.
void SetTimer(int Seconds); struct SignalHandlerOptions {
typedef void (*HandlerT)();
int timeout = 0;
HandlerT sigalrm_cb = nullptr;
HandlerT sigsegv_cb = nullptr;
HandlerT sigbus_cb = nullptr;
HandlerT sigabrt_cb = nullptr;
HandlerT sigill_cb = nullptr;
HandlerT sigfpe_cb = nullptr;
HandlerT sigint_cb = nullptr;
HandlerT sigterm_cb = nullptr;
zturnerUnsubmitted
Not Done
ReplyInline Actions

How about getting rid of the constructor and initializing all these inline?

int timeout = 0;
HandlerT sigalrm_cb = nullptr;
// etc
zturner: How about getting rid of the constructor and initializing all these inline? ``` int timeout =…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@zturner , I think using a constructor is clearer. Do you mean to avoid the static constructor? In that case, I can remove it and initialize that members inline inside SetSignalHandler().

mpividori: @zturner , I think using a constructor is clearer. Do you mean to avoid the static constructor?
zturnerUnsubmitted
Not Done
ReplyInline Actions

I don't know if it's stated anywhere in the coding standards, but there has been an push in the LLVM community recently to use inline initialization instead of constructor initializer list in cases such as this where there are long lists of member variables initialized with constant values. So your entire class definition would look like:

struct SignalHandlerOptions {
  int timeout = 0;
  HandlerT sigalrm_cb = nullptr;
  HandlerT sigsegv_cb = nullptr;
  HandlerT sigbus_cb = nullptr;
  HandlerT sigabrt_cb = nullptr;
  HandlerT sigill_cb = nullptr;
  HandlerT sigfpe_cb = nullptr;
  HandlerT sigint_cb = nullptr;
  HandlerT sigterm_cb = nullptr;
};

And there would be no constructor definition. In this case it's not critical, but the motivation is that when you have multiple constructor overloads that all repeat the same exact initializer list, this syntax reduces boilerplate and reduces the chance of 2 constructors accidentally initializing things differently.

zturner: I don't know if it's stated anywhere in the coding standards, but there has been an push in the…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@zturner , Thanks. Yes, I agree. It is simpler and reduces boilerplate code. I will add that changes.

mpividori: @zturner , Thanks. Yes, I agree. It is simpler and reduces boilerplate code. I will add that…
};
void SetSigSegvHandler(); void SetSignalHandler(const SignalHandlerOptions& Opt);
void SetSigBusHandler();
void SetSigAbrtHandler();
void SetSigIllHandler();
void SetSigFpeHandler();
void SetSigIntHandler();
void SetSigTermHandler();
void SleepSeconds(int Seconds); void SleepSeconds(int Seconds);
int GetPid(); int GetPid();
size_t GetPeakRSSMb(); size_t GetPeakRSSMb();
bool ExecuteCommandAndReadOutput(const std::string &Command, std::string *Out); bool ExecuteCommandAndReadOutput(const std::string &Command, std::string *Out);
Show All 10 Lines

lib/Fuzzer/FuzzerUtilPosix.cpp

//===- FuzzerUtilPosix.cpp - Misc utils for Posix. ------------------------===// //===- FuzzerUtilPosix.cpp - Misc utils for Posix. ------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Misc utils implementation using Posix API. // Misc utils implementation using Posix API.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "FuzzerDefs.h" #include "FuzzerDefs.h"
#if LIBFUZZER_POSIX #if LIBFUZZER_POSIX
#include "FuzzerInternal.h" #include "FuzzerUtil.h"
#include "FuzzerIO.h" #include "FuzzerIO.h"
#include <cassert> #include <cassert>
#include <chrono> #include <chrono>
#include <cstring> #include <cstring>
#include <errno.h> #include <errno.h>
#include <iomanip> #include <iomanip>
#include <signal.h> #include <signal.h>
#include <sstream> #include <sstream>
#include <stdio.h> #include <stdio.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <sys/syscall.h> #include <sys/syscall.h>
#include <sys/time.h> #include <sys/time.h>
#include <sys/types.h> #include <sys/types.h>
#include <thread> #include <thread>
#include <unistd.h> #include <unistd.h>
namespace fuzzer { namespace fuzzer {
static void AlarmHandler(int, siginfo_t *, void *) { static SignalHandlerOptions HandlerOpt;
Fuzzer::StaticAlarmCallback();
}
static void CrashHandler(int, siginfo_t *, void *) {
Fuzzer::StaticCrashSignalCallback();
}
static void InterruptHandler(int, siginfo_t *, void *) {
Fuzzer::StaticInterruptCallback();
}
static void SetSigaction(int signum, static void SetSigaction(int signum,
void (*callback)(int, siginfo_t *, void *)) { void (*callback)(int, siginfo_t *, void *)) {
struct sigaction sigact; struct sigaction sigact;
memset(&sigact, 0, sizeof(sigact)); memset(&sigact, 0, sizeof(sigact));
sigact.sa_sigaction = callback; sigact.sa_sigaction = callback;
if (sigaction(signum, &sigact, 0)) { if (sigaction(signum, &sigact, 0)) {
Printf("libFuzzer: sigaction failed with %d\n", errno); Printf("libFuzzer: sigaction failed with %d\n", errno);
exit(1); exit(1);
} }
} }
void SetTimer(int Seconds) { static void SignalHandlerThread(sigset_t Set) {
struct itimerval T {{Seconds, 0}, {Seconds, 0}}; int Sig;
while (true) {
sigwait(&Set, &Sig);
switch (Sig) {
case SIGALRM:
HandlerOpt.sigalrm_cb();
break;
case SIGINT:
HandlerOpt.sigint_cb();
break;
case SIGTERM:
HandlerOpt.sigterm_cb();
break;
}
}
}
void SetSignalHandler(const SignalHandlerOptions& Opt) {
HandlerOpt = Opt;
sigset_t Set;
sigemptyset(&Set);
// Set SIGALRM, SIGING and SIGTERM to be handled in a separate thread.
if (Opt.timeout > 0 && Opt.sigalrm_cb) {
sigaddset(&Set, SIGALRM);
struct itimerval T {{Opt.timeout, 0}, {Opt.timeout, 0}};
if (setitimer(ITIMER_REAL, &T, nullptr)) { if (setitimer(ITIMER_REAL, &T, nullptr)) {
Printf("libFuzzer: setitimer failed with %d\n", errno); Printf("libFuzzer: setitimer failed with %d\n", errno);
exit(1); exit(1);
} }
SetSigaction(SIGALRM, AlarmHandler); }
if (Opt.sigint_cb)
sigaddset(&Set, SIGINT);
if (Opt.sigterm_cb)
sigaddset(&Set, SIGTERM);
if ((Opt.timeout > 0 && Opt.sigalrm_cb) || Opt.sigint_cb || Opt.sigterm_cb) {
//Block the listed signals in all future threads.
int Err;
if ((Err = pthread_sigmask(SIG_BLOCK, &Set, NULL))) {
Printf("libFuzzer: pthread_sigmask failed with %d.\n", Err);
exit(1);
}
// Start thread to wait for incoming signals.
std::thread T(SignalHandlerThread, Set);
T.detach();
} }
void SetSigSegvHandler() { SetSigaction(SIGSEGV, CrashHandler); } if (Opt.sigsegv_cb)
void SetSigBusHandler() { SetSigaction(SIGBUS, CrashHandler); } SetSigaction(SIGSEGV, [](int,siginfo_t*,void*) {HandlerOpt.sigsegv_cb();});
void SetSigAbrtHandler() { SetSigaction(SIGABRT, CrashHandler); } if (Opt.sigbus_cb)
void SetSigIllHandler() { SetSigaction(SIGILL, CrashHandler); } SetSigaction(SIGBUS, [](int,siginfo_t*,void*) {HandlerOpt.sigbus_cb();});
void SetSigFpeHandler() { SetSigaction(SIGFPE, CrashHandler); } if (Opt.sigabrt_cb)
void SetSigIntHandler() { SetSigaction(SIGINT, InterruptHandler); } SetSigaction(SIGABRT, [](int,siginfo_t*,void*) {HandlerOpt.sigabrt_cb();});
void SetSigTermHandler() { SetSigaction(SIGTERM, InterruptHandler); } if (Opt.sigill_cb)
SetSigaction(SIGILL, [](int,siginfo_t*,void*) {HandlerOpt.sigill_cb();});
if (Opt.sigfpe_cb)
SetSigaction(SIGFPE, [](int,siginfo_t*,void*) {HandlerOpt.sigfpe_cb();});
}
void SleepSeconds(int Seconds) { void SleepSeconds(int Seconds) {
sleep(Seconds); // Use C API to avoid coverage from instrumented libc++. sleep(Seconds); // Use C API to avoid coverage from instrumented libc++.
} }
int GetPid() { return getpid(); } int GetPid() { return getpid(); }
size_t GetPeakRSSMb() { size_t GetPeakRSSMb() {
Show All 26 Lines

lib/Fuzzer/FuzzerUtilWindows.cpp

//===- FuzzerUtilWindows.cpp - Misc utils for Windows. --------------------===// //===- FuzzerUtilWindows.cpp - Misc utils for Windows. --------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Misc utils implementation for Windows. // Misc utils implementation for Windows.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "FuzzerDefs.h" #include "FuzzerDefs.h"
#if LIBFUZZER_WINDOWS #if LIBFUZZER_WINDOWS
#include "FuzzerInternal.h" #include "FuzzerUtil.h"
#include "FuzzerIO.h" #include "FuzzerIO.h"
#include <cassert> #include <cassert>
#include <chrono> #include <chrono>
#include <cstring> #include <cstring>
#include <errno.h> #include <errno.h>
#include <iomanip> #include <iomanip>
#include <signal.h> #include <signal.h>
#include <sstream> #include <sstream>
#include <stdio.h> #include <stdio.h>
#include <sys/types.h> #include <sys/types.h>
#include <windows.h> #include <windows.h>
#include <Psapi.h> #include <Psapi.h>
namespace fuzzer { namespace fuzzer {
LONG WINAPI SEGVHandler(PEXCEPTION_POINTERS ExceptionInfo) { static SignalHandlerOptions HandlerOpt;
LONG WINAPI ExceptionHandler(PEXCEPTION_POINTERS ExceptionInfo) {
zturnerUnsubmitted
Not Done
ReplyInline Actions

@kcc: Are there any issues with using static global constructors in libfuzzer?

zturner: @kcc: Are there any issues with using static global constructors in libfuzzer?
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@zturner , the Code Standards mentions that we should avoid static constructors: [[1]](http://llvm.org/docs/CodingStandards.html#do-not-use-static-constructors). In this case, I included it because it is a very simple constructor. I can remove it and initialize that struct inside SetSignalHandler().

mpividori: @zturner , the Code Standards mentions that we should avoid static constructors: [[1]](http…
amccarthUnsubmitted
Not Done
ReplyInline Actions

Tiny little irrelevant nit: s/WINAPI/CALLBACK/

In modern times, there is no practical distinction, as they both evaluate to __stdcall. Technically, the exception handler is a callback rather than a Windows API.

amccarth: Tiny little irrelevant nit: s/WINAPI/CALLBACK/ In modern times, there is no practical…
switch (ExceptionInfo->ExceptionRecord->ExceptionCode) { switch (ExceptionInfo->ExceptionRecord->ExceptionCode) {
case EXCEPTION_ACCESS_VIOLATION: case EXCEPTION_ACCESS_VIOLATION:
case EXCEPTION_ARRAY_BOUNDS_EXCEEDED: case EXCEPTION_ARRAY_BOUNDS_EXCEEDED:
case EXCEPTION_STACK_OVERFLOW: case EXCEPTION_STACK_OVERFLOW:
Fuzzer::StaticCrashSignalCallback(); if (HandlerOpt.sigsegv_cb)
HandlerOpt.sigsegv_cb();
amccarthUnsubmitted
Not Done
ReplyInline Actions

I'm not sure what these callbacks may be doing in lib fuzzer. Be aware that exception handlers cannot acquire any synchronization objects and cannot allocate memory, presumably because that could cause a deadlock.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms681419(v=vs.85).aspx

amccarth: I'm not sure what these callbacks may be doing in lib fuzzer. Be aware that exception handlers…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@amccarth, thanks for your comments.
Yes, in fact all that callbacks call Fuzzer::CrashCallback() which doesn't consider the synchronization lock, as I mentioned before.

mpividori: @amccarth, thanks for your comments. Yes, in fact all that callbacks call `Fuzzer…
break; break;
}
return EXCEPTION_CONTINUE_SEARCH;
}
LONG WINAPI BUSHandler(PEXCEPTION_POINTERS ExceptionInfo) {
switch (ExceptionInfo->ExceptionRecord->ExceptionCode) {
case EXCEPTION_DATATYPE_MISALIGNMENT: case EXCEPTION_DATATYPE_MISALIGNMENT:
case EXCEPTION_IN_PAGE_ERROR: case EXCEPTION_IN_PAGE_ERROR:
Fuzzer::StaticCrashSignalCallback(); if (HandlerOpt.sigbus_cb)
HandlerOpt.sigbus_cb();
break; break;
}
return EXCEPTION_CONTINUE_SEARCH;
}
LONG WINAPI ILLHandler(PEXCEPTION_POINTERS ExceptionInfo) {
switch (ExceptionInfo->ExceptionRecord->ExceptionCode) {
case EXCEPTION_ILLEGAL_INSTRUCTION: case EXCEPTION_ILLEGAL_INSTRUCTION:
case EXCEPTION_PRIV_INSTRUCTION: case EXCEPTION_PRIV_INSTRUCTION:
Fuzzer::StaticCrashSignalCallback(); if (HandlerOpt.sigill_cb)
HandlerOpt.sigill_cb();
break; break;
}
return EXCEPTION_CONTINUE_SEARCH;
}
LONG WINAPI FPEHandler(PEXCEPTION_POINTERS ExceptionInfo) {
switch (ExceptionInfo->ExceptionRecord->ExceptionCode) {
case EXCEPTION_FLT_DENORMAL_OPERAND: case EXCEPTION_FLT_DENORMAL_OPERAND:
case EXCEPTION_FLT_DIVIDE_BY_ZERO: case EXCEPTION_FLT_DIVIDE_BY_ZERO:
case EXCEPTION_FLT_INEXACT_RESULT: case EXCEPTION_FLT_INEXACT_RESULT:
case EXCEPTION_FLT_INVALID_OPERATION: case EXCEPTION_FLT_INVALID_OPERATION:
case EXCEPTION_FLT_OVERFLOW: case EXCEPTION_FLT_OVERFLOW:
case EXCEPTION_FLT_STACK_CHECK: case EXCEPTION_FLT_STACK_CHECK:
case EXCEPTION_FLT_UNDERFLOW: case EXCEPTION_FLT_UNDERFLOW:
case EXCEPTION_INT_DIVIDE_BY_ZERO: case EXCEPTION_INT_DIVIDE_BY_ZERO:
case EXCEPTION_INT_OVERFLOW: case EXCEPTION_INT_OVERFLOW:
Fuzzer::StaticCrashSignalCallback(); if (HandlerOpt.sigfpe_cb)
HandlerOpt.sigfpe_cb();
break; break;
} }
return EXCEPTION_CONTINUE_SEARCH; return EXCEPTION_CONTINUE_SEARCH;
} }
BOOL WINAPI INTHandler(DWORD dwCtrlType) { BOOL WINAPI CtrlHandler(DWORD dwCtrlType) {
switch (dwCtrlType) { switch (dwCtrlType) {
case CTRL_C_EVENT: case CTRL_C_EVENT:
Fuzzer::StaticInterruptCallback(); if (HandlerOpt.sigint_cb)
HandlerOpt.sigint_cb();
return TRUE; return TRUE;
default:
return FALSE;
}
}
BOOL WINAPI TERMHandler(DWORD dwCtrlType) {
switch (dwCtrlType) {
case CTRL_BREAK_EVENT: case CTRL_BREAK_EVENT:
Fuzzer::StaticInterruptCallback(); if (HandlerOpt.sigterm_cb)
HandlerOpt.sigterm_cb();
return TRUE; return TRUE;
default:
return FALSE;
} }
return FALSE;
} }
void SetTimer(int Seconds) { void CALLBACK AlarmHandler(PVOID, BOOLEAN) {
// TODO: Complete this implementation. HandlerOpt.sigalrm_cb();
return;
} }
void SetSigSegvHandler() { class TimerQ {
if (!AddVectoredExceptionHandler(1, SEGVHandler)) { HANDLE TimerQueue;
Printf("libFuzzer: AddVectoredExceptionHandler failed.\n"); public:
TimerQ() : TimerQueue(NULL) {};
~TimerQ() {
if (TimerQueue)
DeleteTimerQueueEx(TimerQueue, NULL);
zturnerUnsubmitted
Not Done
ReplyInline Actions

Shouldn't use all delete the timer as well? You store it locally in SetTimer but then let the handle leak. So every time we call SetTimer it will leak a handle.

zturner: Shouldn't use all delete the timer as well? You store it locally in `SetTimer` but then let…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

According to the documentation, the timers which were added to the TimerQueue are automatically deleted when deleting the TimerQueue.

mpividori: According to the documentation, the timers which were added to the `TimerQueue` are…
zturnerUnsubmitted
Not Done
ReplyInline Actions

Ahh, I didn't notice that. But it seems we can still create multiple timers here. For example if you call the SetTimer twice it will add a new timer instead of overwriting the old timer. Is this desired? If a user is not supposed to call SetTimer twice, then maybe we should add assert(!TimerQueue). But if it is ok to call SetTimer more than once and have subsequent calls overwrite the existing timer value, then we should probably store the HANDLE in the class and delete it and recreate on subsequent calls.

Also, one thing I just thought of that might be a problem. The timer callback is not going to be invoked on the fuzzer thread, but rather a thread in the windows system thread pool. But I looked at the Alarm callback function and it begins like this:

if (!InFuzzingThread()) return;

So, I think this check is going to always fail. If we need to guarantee that alarms happen on the fuzzing thread, we need a different strategy.

What do you think?

zturner: Ahh, I didn't notice that. But it seems we can still create multiple timers here. For example…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@zturner thanks for your comments.
+ Yes, we can create multiple timers here, but we don't expose the function SetTimer any more (I removed that), so the user doesn't have access to it. The Timer instance is only accessed by SetSignalHandler() function. Anyway, I can add the changes you proposed.
Also, the code could be simplified by using a separate thread for the timer instead of using TimerQueues. Something like:

void TimerThread(int Seconds) {
  while (1) {
    sleep(Seconds);
    AlrmCallback();
  }
}

I wasn't sure which option is prefered. What do you think? If we consider a separate thread, we could use the same implementation for Posix too, and get rid of SIGALRM.

+ The if (!InFuzzingThread()) return; line was removed in these changes. Yes, I adapted the code to handle that situation.

Previous implementation assumed that the ALRM signals would be handled by the main thread, which is not necessarily true. In POSIX it is unspecified with thread handle signals.
With the changes included in this diff, we can be sure that Alarm callback is executed by a thread different to the main thread in both Posix and Windows implementations:
  • In Windows: by a thread from the windows system thread pool.
  • In Posix: by a separate thread that waits for SIGALRM signals.
mpividori: @zturner thanks for your comments. + Yes, we can create multiple timers here, but we don't…
zturnerUnsubmitted
Not Done
ReplyInline Actions

I don't think we need to create a thread for it, using the windows threadpool is more efficient.

zturner: I don't think we need to create a thread for it, using the windows threadpool is more efficient.
};
void SetTimer(int Seconds) {
if (!TimerQueue) {
TimerQueue = CreateTimerQueue();
if (!TimerQueue) {
Printf("libFuzzer: CreateTimerQueue failed.\n");
exit(1); exit(1);
} }
} }
HANDLE Timer;
void SetSigBusHandler() { if (!CreateTimerQueueTimer(&Timer, TimerQueue, AlarmHandler, NULL,
if (!AddVectoredExceptionHandler(1, BUSHandler)) { Seconds*1000, Seconds*1000, 0)) {
Printf("libFuzzer: AddVectoredExceptionHandler failed.\n"); Printf("libFuzzer: CreateTimerQueueTimer failed.\n");
exit(1); exit(1);
} }
} };
};
static void CrashHandler(int) { static TimerQ Timer;
Fuzzer::StaticCrashSignalCallback();
}
void SetSigAbrtHandler() { signal(SIGABRT, CrashHandler); }
void SetSigIllHandler() { void SetSignalHandler(const SignalHandlerOptions& Opt) {
if (!AddVectoredExceptionHandler(1, ILLHandler)) { HandlerOpt = Opt;
Printf("libFuzzer: AddVectoredExceptionHandler failed.\n");
exit(1);
}
}
void SetSigFpeHandler() { if (Opt.timeout > 0 && Opt.sigalrm_cb)
if (!AddVectoredExceptionHandler(1, FPEHandler)) { Timer.SetTimer(Opt.timeout);
Printf("libFuzzer: AddVectoredExceptionHandler failed.\n");
exit(1);
}
}
void SetSigIntHandler() { if (Opt.sigint_cb || Opt.sigterm_cb)
if (!SetConsoleCtrlHandler(INTHandler, TRUE)) { if (!SetConsoleCtrlHandler(CtrlHandler, TRUE)) {
DWORD LastError = GetLastError(); DWORD LastError = GetLastError();
Printf("libFuzzer: SetConsoleCtrlHandler failed (Error code: %lu).\n", Printf("libFuzzer: SetConsoleCtrlHandler failed (Error code: %lu).\n",
LastError); LastError);
exit(1); exit(1);
} }
if (Opt.sigsegv_cb || Opt.sigbus_cb || Opt.sigill_cb || Opt.sigfpe_cb)
if (!AddVectoredExceptionHandler(1, ExceptionHandler)) {
Printf("libFuzzer: AddVectoredExceptionHandler failed.\n");
exit(1);
} }
void SetSigTermHandler() { if (Opt.sigabrt_cb)
if (!SetConsoleCtrlHandler(TERMHandler, TRUE)) { if (SIG_ERR == signal(SIGABRT, [](int){HandlerOpt.sigabrt_cb();})) {
DWORD LastError = GetLastError(); Printf("libFuzzer: signal failed with %d\n", errno);
Printf("libFuzzer: SetConsoleCtrlHandler failed (Error code: %lu).\n",
LastError);
exit(1); exit(1);
} }
} }
void SleepSeconds(int Seconds) { void SleepSeconds(int Seconds) {
Sleep(Seconds * 1000); Sleep(Seconds * 1000);
} }
int GetPid() { return GetCurrentProcessId(); } int GetPid() { return GetCurrentProcessId(); }
▲ Show 20 LinesShow All 45 LinesShow Last 20 Lines