This is an archive of the discontinued LLVM Phabricator instance.

Differential D27234

[libFuzzer] Diff 4 - Split FuzzerUtil implementation for Posix and Windows.
ClosedPublic

Authored by mpividori on Nov 29 2016, 3:27 PM.

Details

Reviewers
kcc
zturner
Commits
rG34dcfb9294a7: [LibFuzzer] Split FuzzerUtil for Posix and Windows.
rL288529: [LibFuzzer] Split FuzzerUtil for Posix and Windows.
Summary

Implement utils functions for Windows, using vectored exception handlers as equivalent of POSIX signals. Implementation of timers is incomplete.

Diff Detail

Repository
rL LLVM

Event Timeline

mpividori updated this revision to Diff 79657.Nov 29 2016, 3:27 PM
mpividori retitled this revision from to [libFuzzer] Diff 4 - Split FuzzerUtil implementation for Posix and Windows..
mpividori updated this object.
mpividori added reviewers: kcc, zturner.
mpividori set the repository for this revision to rL LLVM.
mpividori added a subscriber: llvm-commits.
Herald added a subscriber: mgorny. · View Herald TranscriptNov 29 2016, 3:27 PM
amccarth added a subscriber: amccarth.Nov 29 2016, 4:34 PM

My comments are mostly just things to be aware of. No changes required.

lib/Fuzzer/FuzzerUtil.cpp
205

Implicit conversion from unsigned to signed. Probably not an issue until processors get a lot bigger.

Relying on implicit conversions makes it hard to turn on conversion warnings, which might help detect real bugs in other parts of the code.

lib/Fuzzer/FuzzerUtilPosix.cpp
56

Be aware that this name clashes with the Windows function SetTimer that's in scope here. You're OK, since this is a C++ file and so it'll be name-mangled and thus distinct. If this had been a C source file instead, though, this would be a problem.

lib/Fuzzer/FuzzerUtilWindows.cpp
159

Be aware that this converts from an unsigned to a signed type. This is not a big deal with modern Windows, since it's extremely unlikely you'll ever see a PID approaching 2^31, but it's at least theoretically possible. If some logging somewhere prints this as a signed int, it may not look like the value you'd see in other Window stools.

Raymond Chen mentions seeing PIDs approaching 4 billion, but I suspect that's when they were actually pointers in disguise. http://stackoverflow.com/a/17868515/1386054

186

I'm not sure if libfuzzer has its own coding style guidelines, but I'd probably use nullptr rather than NULL.

mpividori updated this revision to Diff 79692.Nov 29 2016, 6:54 PM

Update Diff.

zturner added inline comments.Nov 30 2016, 9:09 AM
lib/Fuzzer/FuzzerUtil.cpp
199

I noticed that in the SleepSeconds function, there is a comment that they couldn't use stl because they wanted to avoid coverage of instrumented libc++. You might wait for comments from kcc@ about whether this is relevant here as well. If so, we might need to go back to pure C implementations for each platform.

lib/Fuzzer/FuzzerUtilWindows.cpp
170

This function appears almost entirely the same except _popen vs popen. Perhaps this could be hidden behind a function called OpenProcessPipe and then ExecuteCommandAndReadOutput could be shared.

174–175

This looks wrong to me. fread does not indicate an error by returning a value less than 0, it indicates an error by returning a value different from the requested number of bytes. Then, you check feof and ferr to determine whether it was an error or an end of file. This code doesn't seem to handle the case where there was an error reading the process output.

mpividori added inline comments.Nov 30 2016, 9:39 AM
lib/Fuzzer/FuzzerUtilWindows.cpp
170

@zturner thanks. Yes, I agree. I will add that modification.

174–175

@zturner, Yes you are right. This code was moved from the previous implementation for Posix. Anyway, I will fix this.

mpividori added inline comments.Nov 30 2016, 1:24 PM
lib/Fuzzer/FuzzerUtil.cpp
205

@amccarth Ok, I will make an explicit cast.

lib/Fuzzer/FuzzerUtilPosix.cpp
56

@amccarth thanks. Anyway, I remove that function in the diff 7.

lib/Fuzzer/FuzzerUtilWindows.cpp
159

@amccarth Ok. I will add that changes in a new diff.

186

@amccarth it doesn't have own style guidelines... I think we should follow LLVM guidelines. But this requires many changes... If @kcc agrees I can update the code to follow LLVM code guidelines in a new diff.

mpividori added a comment.Nov 30 2016, 1:40 PM

@amccarth suggestions were included in the diff: https://reviews.llvm.org/D27281

kcc added inline comments.Nov 30 2016, 2:08 PM
lib/Fuzzer/FuzzerUtil.h
64 ↗(On Diff #79692)

No such ifdefs, please.
Can this be moved to the win-specific file?

zturner added inline comments.Nov 30 2016, 2:10 PM
lib/Fuzzer/FuzzerUtil.h
64 ↗(On Diff #79692)

It is called directly from non platform specific code. The alternative would be to add a function like SearchMemory(), and in Posix file it just calls memmem, and in Win32 it does its own algorithm. Then update callsites to use SearchMemory() instead.

kcc added inline comments.Nov 30 2016, 2:18 PM
lib/Fuzzer/FuzzerUtil.h
64 ↗(On Diff #79692)

Yes, that would be fine.

mpividori added inline comments.Nov 30 2016, 2:43 PM
lib/Fuzzer/FuzzerUtil.h
64 ↗(On Diff #79692)

@kcc @zturner Actually I can remove that #ifdef since it is only a declaration and the type matches the type of the memmem() function in Posix.

mpividori updated this revision to Diff 79822.Nov 30 2016, 2:48 PM

Added changes to include @zturner's suggestion.

zturner accepted this revision.Nov 30 2016, 2:52 PM
zturner edited edge metadata.

lgtm, will wait for kcc to also lgtm before committing.

This revision is now accepted and ready to land.Nov 30 2016, 2:52 PM
mpividori added inline comments.Nov 30 2016, 2:53 PM
lib/Fuzzer/FuzzerUtil.cpp
199

@kcc what do you think about this?

kcc added inline comments.Nov 30 2016, 2:56 PM
lib/Fuzzer/FuzzerUtil.cpp
197–198

why this change from >0 to == sizeof(Buff)

In general, please avoid mixing refactoring and functionality changes.

lib/Fuzzer/FuzzerUtil.h
66 ↗(On Diff #79822)

This sounds wrong. This declares "fuzzer::memmem", while on Linux we actually use "memmem"

zturner added inline comments.Nov 30 2016, 2:58 PM
lib/Fuzzer/FuzzerUtil.cpp
197–198

That change was my suggestion. The code is incorrect as written because fread doesn't use <= 0 to indicate an error, it uses != request_size, then you check ferror. In any case, your point about mixing functionality and refactoring changes is still valid, so it might be worth doing this in a followup as you suggest.

kcc added inline comments.Nov 30 2016, 3:02 PM
lib/Fuzzer/FuzzerUtil.cpp
197–198

hmmm. am I reading "man fread" wrong?
On success, fread() and fwrite() return the number of items read or written. This number equals the number of bytes transferred only when size is 1. If an error occurs, or the end of

the file is reached, the return value is a short item count (or zero).
zturner added inline comments.Nov 30 2016, 3:08 PM
lib/Fuzzer/FuzzerUtil.cpp
197–198

It's a little bit ambiguous, but it doesn't explicitly state that 0 is for errors and the less specific condition of < request_size is eof. Indeed, the very next line in the man page is "fread() does not distinguish between end-of-file and error, and callers must use feof(3) and ferror(3) to determine which occurred."

So it seems like the modified version is slightly more correct.

zturner added inline comments.Nov 30 2016, 3:09 PM
lib/Fuzzer/FuzzerUtil.cpp
197–198

Also, the Microsoft documentation says similarly "fread returns the number of full items actually read, which may be less than count if an error occurs or if the end of the file is encountered before reaching count. Use the feof or ferror function to distinguish a read error from an end-of-file condition." So again, it seems you can't use the return value to distinguish feof and ferr, and it seems theoretically possible that a value greater than 0 but less than the number of bytes requested could still be an error, which would only be determinable through ferror.

kcc added inline comments.Nov 30 2016, 3:11 PM
lib/Fuzzer/FuzzerUtil.cpp
197–198

Ok.

mpividori updated this revision to Diff 79826.Nov 30 2016, 3:22 PM
mpividori edited edge metadata.

+ Remove memmem() and add SearchMemory() as suggested.
+ Remove changes to fread. I will add that changes in a new diff as suggested.

zturner added inline comments.Nov 30 2016, 4:03 PM
lib/Fuzzer/FuzzerUtil.cpp
199

Kostya, can you confirm that the call to std::thread::hardware_concurrency() here is ok? The call to sleep earlier has a comment explicitly stating that stl can't be used. Is the same thing going to be true here?

kcc accepted this revision.Nov 30 2016, 4:25 PM
kcc edited edge metadata.

LGTM (I did not read the widows code)
As for every other patch, please ensure check-fuzzer still work on Linux.

lib/Fuzzer/FuzzerUtil.cpp
199

Yep, should be fine.
We should only avoid heavy STL around the calls to the user callback.
This one is happening at init time.

Closed by commit rL288529: [LibFuzzer] Split FuzzerUtil for Posix and Windows. (authored by zturner). · Explain WhyDec 2 2016, 11:48 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
Fuzzer/
2 lines
3 lines
123 lines
105 lines
205 lines

Diff 79657

lib/Fuzzer/CMakeLists.txt

Show All 18 Lines add_library(LLVMFuzzerNoMainObjects OBJECT
FuzzerLoop.cpp FuzzerLoop.cpp
FuzzerMutate.cpp FuzzerMutate.cpp
FuzzerSHA1.cpp FuzzerSHA1.cpp
FuzzerTracePC.cpp FuzzerTracePC.cpp
FuzzerTraceState.cpp FuzzerTraceState.cpp
FuzzerUtil.cpp FuzzerUtil.cpp
FuzzerUtilDarwin.cpp FuzzerUtilDarwin.cpp
FuzzerUtilLinux.cpp FuzzerUtilLinux.cpp
FuzzerUtilPosix.cpp
FuzzerUtilWindows.cpp
) )
add_library(LLVMFuzzerNoMain STATIC add_library(LLVMFuzzerNoMain STATIC
$<TARGET_OBJECTS:LLVMFuzzerNoMainObjects> $<TARGET_OBJECTS:LLVMFuzzerNoMainObjects>
) )
target_link_libraries(LLVMFuzzerNoMain ${PTHREAD_LIB}) target_link_libraries(LLVMFuzzerNoMain ${PTHREAD_LIB})
add_library(LLVMFuzzer STATIC add_library(LLVMFuzzer STATIC
FuzzerMain.cpp FuzzerMain.cpp
$<TARGET_OBJECTS:LLVMFuzzerNoMainObjects> $<TARGET_OBJECTS:LLVMFuzzerNoMainObjects>
) )
target_link_libraries(LLVMFuzzer ${PTHREAD_LIB}) target_link_libraries(LLVMFuzzer ${PTHREAD_LIB})
if( LLVM_INCLUDE_TESTS ) if( LLVM_INCLUDE_TESTS )
add_subdirectory(test) add_subdirectory(test)
endif() endif()
endif() endif()

lib/Fuzzer/FuzzerDriver.cpp

Show All 18 Lines
#include <algorithm> #include <algorithm>
#include <atomic> #include <atomic>
#include <chrono> #include <chrono>
#include <cstring> #include <cstring>
#include <mutex> #include <mutex>
#include <string> #include <string>
#include <thread> #include <thread>
#include <unistd.h>
// This function should be present in the libFuzzer so that the client // This function should be present in the libFuzzer so that the client
// binary can test for its existence. // binary can test for its existence.
extern "C" __attribute__((used)) void __libfuzzer_is_present() {} extern "C" __attribute__((used)) void __libfuzzer_is_present() {}
namespace fuzzer { namespace fuzzer {
// Program arguments. // Program arguments.
▲ Show 20 LinesShow All 402 Lines▼ Show 20 Lines if (Flags.exit_on_src_pos)
Options.ExitOnSrcPos = Flags.exit_on_src_pos; Options.ExitOnSrcPos = Flags.exit_on_src_pos;
if (Flags.exit_on_item) if (Flags.exit_on_item)
Options.ExitOnItem = Flags.exit_on_item; Options.ExitOnItem = Flags.exit_on_item;
unsigned Seed = Flags.seed; unsigned Seed = Flags.seed;
// Initialize Seed. // Initialize Seed.
if (Seed == 0) if (Seed == 0)
Seed = (std::chrono::system_clock::now().time_since_epoch().count() << 10) + Seed = (std::chrono::system_clock::now().time_since_epoch().count() << 10) +
getpid(); GetPid();
if (Flags.verbosity) if (Flags.verbosity)
Printf("INFO: Seed: %u\n", Seed); Printf("INFO: Seed: %u\n", Seed);
Random Rand(Seed); Random Rand(Seed);
auto *MD = new MutationDispatcher(Rand, Options); auto *MD = new MutationDispatcher(Rand, Options);
auto *Corpus = new InputCorpus(Options.OutputCorpus); auto *Corpus = new InputCorpus(Options.OutputCorpus);
auto *F = new Fuzzer(Callback, *Corpus, *MD, Options); auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);
▲ Show 20 LinesShow All 86 LinesShow Last 20 Lines

lib/Fuzzer/FuzzerUtil.cpp

//===- FuzzerUtil.cpp - Misc utils ----------------------------------------===// //===- FuzzerUtil.cpp - Misc utils ----------------------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Misc utils. // Misc utils.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "FuzzerUtil.h" #include "FuzzerUtil.h"
#include "FuzzerInternal.h" #include "FuzzerInternal.h"
#include "FuzzerIO.h" #include "FuzzerIO.h"
#include <sstream>
#include <iomanip>
#include <sys/resource.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/syscall.h>
#include <cassert> #include <cassert>
#include <chrono> #include <chrono>
#include <cstring> #include <cstring>
#include <stdio.h> #include <errno.h>
#include <signal.h> #include <signal.h>
#include <sstream> #include <sstream>
#include <unistd.h> #include <stdio.h>
#include <errno.h> #include <sys/types.h>
#include <thread> #include <thread>
namespace fuzzer { namespace fuzzer {
void PrintHexArray(const uint8_t *Data, size_t Size, void PrintHexArray(const uint8_t *Data, size_t Size,
const char *PrintAfter) { const char *PrintAfter) {
for (size_t i = 0; i < Size; i++) for (size_t i = 0; i < Size; i++)
Printf("0x%x,", (unsigned)Data[i]); Printf("0x%x,", (unsigned)Data[i]);
Show All 20 Lines for (size_t i = 0; i < Size; i++)
PrintASCIIByte(Data[i]); PrintASCIIByte(Data[i]);
Printf("%s", PrintAfter); Printf("%s", PrintAfter);
} }
void PrintASCII(const Unit &U, const char *PrintAfter) { void PrintASCII(const Unit &U, const char *PrintAfter) {
PrintASCII(U.data(), U.size(), PrintAfter); PrintASCII(U.data(), U.size(), PrintAfter);
} }
static void AlarmHandler(int, siginfo_t *, void *) {
Fuzzer::StaticAlarmCallback();
}
static void CrashHandler(int, siginfo_t *, void *) {
Fuzzer::StaticCrashSignalCallback();
}
static void InterruptHandler(int, siginfo_t *, void *) {
Fuzzer::StaticInterruptCallback();
}
static void SetSigaction(int signum,
void (*callback)(int, siginfo_t *, void *)) {
struct sigaction sigact;
memset(&sigact, 0, sizeof(sigact));
sigact.sa_sigaction = callback;
if (sigaction(signum, &sigact, 0)) {
Printf("libFuzzer: sigaction failed with %d\n", errno);
exit(1);
}
}
void SetTimer(int Seconds) {
struct itimerval T {{Seconds, 0}, {Seconds, 0}};
if (setitimer(ITIMER_REAL, &T, nullptr)) {
Printf("libFuzzer: setitimer failed with %d\n", errno);
exit(1);
}
SetSigaction(SIGALRM, AlarmHandler);
}
void SetSigSegvHandler() { SetSigaction(SIGSEGV, CrashHandler); }
void SetSigBusHandler() { SetSigaction(SIGBUS, CrashHandler); }
void SetSigAbrtHandler() { SetSigaction(SIGABRT, CrashHandler); }
void SetSigIllHandler() { SetSigaction(SIGILL, CrashHandler); }
void SetSigFpeHandler() { SetSigaction(SIGFPE, CrashHandler); }
void SetSigIntHandler() { SetSigaction(SIGINT, InterruptHandler); }
void SetSigTermHandler() { SetSigaction(SIGTERM, InterruptHandler); }
int NumberOfCpuCores() {
const char *CmdLine = nullptr;
if (LIBFUZZER_LINUX) {
CmdLine = "nproc";
} else if (LIBFUZZER_APPLE) {
CmdLine = "sysctl -n hw.ncpu";
} else {
assert(0 && "NumberOfCpuCores() is not implemented for your platform");
}
FILE *F = popen(CmdLine, "r");
int N = 1;
if (!F || fscanf(F, "%d", &N) != 1) {
Printf("WARNING: Failed to parse output of command \"%s\" in %s(). "
"Assuming CPU count of 1.\n",
CmdLine, __func__);
N = 1;
}
if (pclose(F)) {
Printf("WARNING: Executing command \"%s\" failed in %s(). "
"Assuming CPU count of 1.\n",
CmdLine, __func__);
N = 1;
}
if (N < 1) {
Printf("WARNING: Reported CPU count (%d) from command \"%s\" was invalid "
"in %s(). Assuming CPU count of 1.\n",
N, CmdLine, __func__);
N = 1;
}
return N;
}
bool ToASCII(uint8_t *Data, size_t Size) { bool ToASCII(uint8_t *Data, size_t Size) {
bool Changed = false; bool Changed = false;
for (size_t i = 0; i < Size; i++) { for (size_t i = 0; i < Size; i++) {
uint8_t &X = Data[i]; uint8_t &X = Data[i];
auto NewX = X; auto NewX = X;
NewX &= 127; NewX &= 127;
if (!isspace(NewX) && !isprint(NewX)) if (!isspace(NewX) && !isprint(NewX))
NewX = ' '; NewX = ' ';
▲ Show 20 LinesShow All 79 Lines▼ Show 20 Lines if (ParseOneDictionaryEntry(S, &U)) {
Printf("ParseDictionaryFile: error in line %d\n\t\t%s\n", LineNo, Printf("ParseDictionaryFile: error in line %d\n\t\t%s\n", LineNo,
S.c_str()); S.c_str());
return false; return false;
} }
} }
return true; return true;
} }
void SleepSeconds(int Seconds) {
sleep(Seconds); // Use C API to avoid coverage from instrumented libc++.
}
int GetPid() { return getpid(); }
std::string Base64(const Unit &U) { std::string Base64(const Unit &U) {
static const char Table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" static const char Table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz" "abcdefghijklmnopqrstuvwxyz"
"0123456789+/"; "0123456789+/";
std::string Res; std::string Res;
size_t i; size_t i;
for (i = 0; i + 2 < U.size(); i += 3) { for (i = 0; i + 2 < U.size(); i += 3) {
uint32_t x = (U[i] << 16) + (U[i + 1] << 8) + U[i + 2]; uint32_t x = (U[i] << 16) + (U[i + 1] << 8) + U[i + 2];
Show All 12 Lines if (i + 1 == U.size()) {
Res += Table[(x >> 18) & 63]; Res += Table[(x >> 18) & 63];
Res += Table[(x >> 12) & 63]; Res += Table[(x >> 12) & 63];
Res += Table[(x >> 6) & 63]; Res += Table[(x >> 6) & 63];
Res += "="; Res += "=";
} }
return Res; return Res;
} }
size_t GetPeakRSSMb() {
struct rusage usage;
if (getrusage(RUSAGE_SELF, &usage))
return 0;
if (LIBFUZZER_LINUX) {
// ru_maxrss is in KiB
return usage.ru_maxrss >> 10;
} else if (LIBFUZZER_APPLE) {
// ru_maxrss is in bytes
return usage.ru_maxrss >> 20;
}
assert(0 && "GetPeakRSSMb() is not implemented for your platform");
return 0;
}
std::string DescribePC(const char *SymbolizedFMT, uintptr_t PC) { std::string DescribePC(const char *SymbolizedFMT, uintptr_t PC) {
if (!EF->__sanitizer_symbolize_pc) return "<can not symbolize>"; if (!EF->__sanitizer_symbolize_pc) return "<can not symbolize>";
char PcDescr[1024]; char PcDescr[1024];
EF->__sanitizer_symbolize_pc(reinterpret_cast<void*>(PC), EF->__sanitizer_symbolize_pc(reinterpret_cast<void*>(PC),
SymbolizedFMT, PcDescr, sizeof(PcDescr)); SymbolizedFMT, PcDescr, sizeof(PcDescr));
PcDescr[sizeof(PcDescr) - 1] = 0; // Just in case. PcDescr[sizeof(PcDescr) - 1] = 0; // Just in case.
return PcDescr; return PcDescr;
} }
void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC) { void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC) {
if (EF->__sanitizer_symbolize_pc) if (EF->__sanitizer_symbolize_pc)
Printf("%s", DescribePC(SymbolizedFMT, PC).c_str()); Printf("%s", DescribePC(SymbolizedFMT, PC).c_str());
else else
Printf(FallbackFMT, PC); Printf(FallbackFMT, PC);
} }
bool ExecuteCommandAndReadOutput(const std::string &Command, std::string *Out) { int NumberOfCpuCores() {
kccUnsubmitted
Not Done
ReplyInline Actions

why this change from >0 to == sizeof(Buff)

In general, please avoid mixing refactoring and functionality changes.

kcc: why this change from >0 to == sizeof(Buff) In general, please avoid mixing refactoring and…
zturnerUnsubmitted
Not Done
ReplyInline Actions

That change was my suggestion. The code is incorrect as written because fread doesn't use <= 0 to indicate an error, it uses != request_size, then you check ferror. In any case, your point about mixing functionality and refactoring changes is still valid, so it might be worth doing this in a followup as you suggest.

zturner: That change was my suggestion. The code is incorrect as written because `fread` doesn't use <=…
kccUnsubmitted
Not Done
ReplyInline Actions

hmmm. am I reading "man fread" wrong?
On success, fread() and fwrite() return the number of items read or written. This number equals the number of bytes transferred only when size is 1. If an error occurs, or the end of

the file is reached, the return value is a short item count (or zero).
kcc: hmmm. am I reading "man fread" wrong? On success, fread() and fwrite() return the number of…
zturnerUnsubmitted
Not Done
ReplyInline Actions

It's a little bit ambiguous, but it doesn't explicitly state that 0 is for errors and the less specific condition of < request_size is eof. Indeed, the very next line in the man page is "fread() does not distinguish between end-of-file and error, and callers must use feof(3) and ferror(3) to determine which occurred."

So it seems like the modified version is slightly more correct.

zturner: It's a little bit ambiguous, but it doesn't explicitly state that 0 is for errors and the less…
zturnerUnsubmitted
Not Done
ReplyInline Actions

Also, the Microsoft documentation says similarly "fread returns the number of full items actually read, which may be less than count if an error occurs or if the end of the file is encountered before reaching count. Use the feof or ferror function to distinguish a read error from an end-of-file condition." So again, it seems you can't use the return value to distinguish feof and ferr, and it seems theoretically possible that a value greater than 0 but less than the number of bytes requested could still be an error, which would only be determinable through ferror.

zturner: Also, the [[ https://msdn.microsoft.com/en-us/library/kt0etdcs.aspx | Microsoft documentation…
kccUnsubmitted
Not Done
ReplyInline Actions

Ok.

kcc: Ok.
FILE *Pipe = popen(Command.c_str(), "r"); unsigned N = std::thread::hardware_concurrency();
zturnerUnsubmitted
Not Done
ReplyInline Actions

I noticed that in the SleepSeconds function, there is a comment that they couldn't use stl because they wanted to avoid coverage of instrumented libc++. You might wait for comments from kcc@ about whether this is relevant here as well. If so, we might need to go back to pure C implementations for each platform.

zturner: I noticed that in the `SleepSeconds` function, there is a comment that they couldn't use stl…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@kcc what do you think about this?

mpividori: @kcc what do you think about this?
zturnerUnsubmitted
Not Done
ReplyInline Actions

Kostya, can you confirm that the call to std::thread::hardware_concurrency() here is ok? The call to sleep earlier has a comment explicitly stating that stl can't be used. Is the same thing going to be true here?

zturner: Kostya, can you confirm that the call to `std::thread::hardware_concurrency()` here is ok? The…
kccUnsubmitted
Not Done
ReplyInline Actions

Yep, should be fine.
We should only avoid heavy STL around the calls to the user callback.
This one is happening at init time.

kcc: Yep, should be fine. We should only avoid heavy STL around the calls to the user callback.
if (!Pipe) return false; if (!N) {
char Buff[1024]; Printf("WARNING: std::thread::hardware_concurrency not well defined for "
size_t N; "your platform. Assuming CPU count of 1.\n");
while ((N = fread(Buff, 1, sizeof(Buff), Pipe)) > 0) N = 1;
Out->append(Buff, N); }
return true; return N;
amccarthUnsubmitted
Not Done
ReplyInline Actions

Implicit conversion from unsigned to signed. Probably not an issue until processors get a lot bigger.

Relying on implicit conversions makes it hard to turn on conversion warnings, which might help detect real bugs in other parts of the code.

amccarth: Implicit conversion from unsigned to signed. Probably not an issue until processors get a lot…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@amccarth Ok, I will make an explicit cast.

mpividori: @amccarth Ok, I will make an explicit cast.
} }
} // namespace fuzzer } // namespace fuzzer

lib/Fuzzer/FuzzerUtilPosix.cpp

  • This file was added.
//===- FuzzerUtilPosix.cpp - Misc utils for Posix. ------------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
// Misc utils implementation using Posix API.
//===----------------------------------------------------------------------===//
#include "FuzzerDefs.h"
#if LIBFUZZER_POSIX
#include "FuzzerInternal.h"
#include "FuzzerIO.h"
#include <cassert>
#include <chrono>
#include <cstring>
#include <errno.h>
#include <iomanip>
#include <signal.h>
#include <sstream>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <thread>
#include <unistd.h>
namespace fuzzer {
static void AlarmHandler(int, siginfo_t *, void *) {
Fuzzer::StaticAlarmCallback();
}
static void CrashHandler(int, siginfo_t *, void *) {
Fuzzer::StaticCrashSignalCallback();
}
static void InterruptHandler(int, siginfo_t *, void *) {
Fuzzer::StaticInterruptCallback();
}
static void SetSigaction(int signum,
void (*callback)(int, siginfo_t *, void *)) {
struct sigaction sigact;
memset(&sigact, 0, sizeof(sigact));
sigact.sa_sigaction = callback;
if (sigaction(signum, &sigact, 0)) {
Printf("libFuzzer: sigaction failed with %d\n", errno);
exit(1);
}
}
void SetTimer(int Seconds) {
amccarthUnsubmitted
Not Done
ReplyInline Actions

Be aware that this name clashes with the Windows function SetTimer that's in scope here. You're OK, since this is a C++ file and so it'll be name-mangled and thus distinct. If this had been a C source file instead, though, this would be a problem.

amccarth: Be aware that this name clashes with the Windows function SetTimer that's in scope here.
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@amccarth thanks. Anyway, I remove that function in the diff 7.

mpividori: @amccarth thanks. Anyway, I remove that function in the diff 7.
struct itimerval T {{Seconds, 0}, {Seconds, 0}};
if (setitimer(ITIMER_REAL, &T, nullptr)) {
Printf("libFuzzer: setitimer failed with %d\n", errno);
exit(1);
}
SetSigaction(SIGALRM, AlarmHandler);
}
void SetSigSegvHandler() { SetSigaction(SIGSEGV, CrashHandler); }
void SetSigBusHandler() { SetSigaction(SIGBUS, CrashHandler); }
void SetSigAbrtHandler() { SetSigaction(SIGABRT, CrashHandler); }
void SetSigIllHandler() { SetSigaction(SIGILL, CrashHandler); }
void SetSigFpeHandler() { SetSigaction(SIGFPE, CrashHandler); }
void SetSigIntHandler() { SetSigaction(SIGINT, InterruptHandler); }
void SetSigTermHandler() { SetSigaction(SIGTERM, InterruptHandler); }
void SleepSeconds(int Seconds) {
sleep(Seconds); // Use C API to avoid coverage from instrumented libc++.
}
int GetPid() { return getpid(); }
size_t GetPeakRSSMb() {
struct rusage usage;
if (getrusage(RUSAGE_SELF, &usage))
return 0;
if (LIBFUZZER_LINUX) {
// ru_maxrss is in KiB
return usage.ru_maxrss >> 10;
} else if (LIBFUZZER_APPLE) {
// ru_maxrss is in bytes
return usage.ru_maxrss >> 20;
}
assert(0 && "GetPeakRSSMb() is not implemented for your platform");
return 0;
}
bool ExecuteCommandAndReadOutput(const std::string &Command, std::string *Out) {
FILE *Pipe = popen(Command.c_str(), "r");
if (!Pipe) return false;
char Buff[1024];
size_t N;
while ((N = fread(Buff, 1, sizeof(Buff), Pipe)) > 0)
Out->append(Buff, N);
return true;
}
} // namespace fuzzer
#endif // LIBFUZZER_POSIX

lib/Fuzzer/FuzzerUtilWindows.cpp

  • This file was added.
//===- FuzzerUtilWindows.cpp - Misc utils for Windows. --------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
// Misc utils implementation for Windows.
//===----------------------------------------------------------------------===//
#include "FuzzerDefs.h"
#if LIBFUZZER_WINDOWS
#include "FuzzerInternal.h"
#include "FuzzerIO.h"
#include <cassert>
#include <chrono>
#include <cstring>
#include <errno.h>
#include <iomanip>
#include <signal.h>
#include <sstream>
#include <stdio.h>
#include <sys/types.h>
#include <windows.h>
#include <Psapi.h>
namespace fuzzer {
LONG WINAPI SEGVHandler(PEXCEPTION_POINTERS ExceptionInfo) {
switch (ExceptionInfo->ExceptionRecord->ExceptionCode) {
case EXCEPTION_ACCESS_VIOLATION:
case EXCEPTION_ARRAY_BOUNDS_EXCEEDED:
case EXCEPTION_STACK_OVERFLOW:
Fuzzer::StaticCrashSignalCallback();
break;
}
return EXCEPTION_CONTINUE_SEARCH;
}
LONG WINAPI BUSHandler(PEXCEPTION_POINTERS ExceptionInfo) {
switch (ExceptionInfo->ExceptionRecord->ExceptionCode) {
case EXCEPTION_DATATYPE_MISALIGNMENT:
case EXCEPTION_IN_PAGE_ERROR:
Fuzzer::StaticCrashSignalCallback();
break;
}
return EXCEPTION_CONTINUE_SEARCH;
}
LONG WINAPI ILLHandler(PEXCEPTION_POINTERS ExceptionInfo) {
switch (ExceptionInfo->ExceptionRecord->ExceptionCode) {
case EXCEPTION_ILLEGAL_INSTRUCTION:
case EXCEPTION_PRIV_INSTRUCTION:
Fuzzer::StaticCrashSignalCallback();
break;
}
return EXCEPTION_CONTINUE_SEARCH;
}
LONG WINAPI FPEHandler(PEXCEPTION_POINTERS ExceptionInfo) {
switch (ExceptionInfo->ExceptionRecord->ExceptionCode) {
case EXCEPTION_FLT_DENORMAL_OPERAND:
case EXCEPTION_FLT_DIVIDE_BY_ZERO:
case EXCEPTION_FLT_INEXACT_RESULT:
case EXCEPTION_FLT_INVALID_OPERATION:
case EXCEPTION_FLT_OVERFLOW:
case EXCEPTION_FLT_STACK_CHECK:
case EXCEPTION_FLT_UNDERFLOW:
case EXCEPTION_INT_DIVIDE_BY_ZERO:
case EXCEPTION_INT_OVERFLOW:
Fuzzer::StaticCrashSignalCallback();
break;
}
return EXCEPTION_CONTINUE_SEARCH;
}
BOOL WINAPI INTHandler(DWORD dwCtrlType) {
switch (dwCtrlType) {
case CTRL_C_EVENT:
Fuzzer::StaticInterruptCallback();
return TRUE;
default:
return FALSE;
}
}
BOOL WINAPI TERMHandler(DWORD dwCtrlType) {
switch (dwCtrlType) {
case CTRL_BREAK_EVENT:
Fuzzer::StaticInterruptCallback();
return TRUE;
default:
return FALSE;
}
}
void SetTimer(int Seconds) {
// TODO: Complete this implementation.
return;
}
void SetSigSegvHandler() {
if (!AddVectoredExceptionHandler(1, SEGVHandler)) {
Printf("libFuzzer: AddVectoredExceptionHandler failed.\n");
exit(1);
}
}
void SetSigBusHandler() {
if (!AddVectoredExceptionHandler(1, BUSHandler)) {
Printf("libFuzzer: AddVectoredExceptionHandler failed.\n");
exit(1);
}
}
static void CrashHandler(int) {
Fuzzer::StaticCrashSignalCallback();
}
void SetSigAbrtHandler() { signal(SIGABRT, CrashHandler); }
void SetSigIllHandler() {
if (!AddVectoredExceptionHandler(1, ILLHandler)) {
Printf("libFuzzer: AddVectoredExceptionHandler failed.\n");
exit(1);
}
}
void SetSigFpeHandler() {
if (!AddVectoredExceptionHandler(1, FPEHandler)) {
Printf("libFuzzer: AddVectoredExceptionHandler failed.\n");
exit(1);
}
}
void SetSigIntHandler() {
if (!SetConsoleCtrlHandler(INTHandler, TRUE)) {
DWORD LastError = GetLastError();
Printf("libFuzzer: SetConsoleCtrlHandler failed (Error code: %lu).\n",
LastError);
exit(1);
}
}
void SetSigTermHandler() {
if (!SetConsoleCtrlHandler(TERMHandler, TRUE)) {
DWORD LastError = GetLastError();
Printf("libFuzzer: SetConsoleCtrlHandler failed (Error code: %lu).\n",
LastError);
exit(1);
}
}
void SleepSeconds(int Seconds) {
Sleep(Seconds * 1000);
}
int GetPid() { return GetCurrentProcessId(); }
amccarthUnsubmitted
Not Done
ReplyInline Actions

Be aware that this converts from an unsigned to a signed type. This is not a big deal with modern Windows, since it's extremely unlikely you'll ever see a PID approaching 2^31, but it's at least theoretically possible. If some logging somewhere prints this as a signed int, it may not look like the value you'd see in other Window stools.

Raymond Chen mentions seeing PIDs approaching 4 billion, but I suspect that's when they were actually pointers in disguise. http://stackoverflow.com/a/17868515/1386054

amccarth: Be aware that this converts from an unsigned to a signed type. This is not a big deal with…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@amccarth Ok. I will add that changes in a new diff.

mpividori: @amccarth Ok. I will add that changes in a new diff.
size_t GetPeakRSSMb() {
PROCESS_MEMORY_COUNTERS info;
if (!GetProcessMemoryInfo(GetCurrentProcess(), &info, sizeof(info)))
return 0;
return info.PeakWorkingSetSize >> 20;
}
bool ExecuteCommandAndReadOutput(const std::string &Command, std::string *Out) {
FILE *Pipe = _popen(Command.c_str(), "r");
if (!Pipe) return false;
zturnerUnsubmitted
Not Done
ReplyInline Actions

This function appears almost entirely the same except _popen vs popen. Perhaps this could be hidden behind a function called OpenProcessPipe and then ExecuteCommandAndReadOutput could be shared.

zturner: This function appears almost entirely the same except `_popen` vs `popen`. Perhaps this could…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@zturner thanks. Yes, I agree. I will add that modification.

mpividori: @zturner thanks. Yes, I agree. I will add that modification.
char Buff[1024];
size_t N;
while ((N = fread(Buff, 1, sizeof(Buff), Pipe)) > 0)
Out->append(Buff, N);
return true;
zturnerUnsubmitted
Not Done
ReplyInline Actions

This looks wrong to me. fread does not indicate an error by returning a value less than 0, it indicates an error by returning a value different from the requested number of bytes. Then, you check feof and ferr to determine whether it was an error or an end of file. This code doesn't seem to handle the case where there was an error reading the process output.

zturner: This looks wrong to me. `fread` does not indicate an error by returning a value less than 0…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@zturner, Yes you are right. This code was moved from the previous implementation for Posix. Anyway, I will fix this.

mpividori: @zturner, Yes you are right. This code was moved from the previous implementation for Posix.
}
const void *memmem(const void *Data, size_t DataLen, const void *Patt,
size_t PattLen)
{
//TODO: make this implementation more efficient.
const char *Cdata = (const char*) Data;
const char *Cpatt = (const char*) Patt;
if (!Data || !Patt || DataLen == 0 || PattLen == 0 || DataLen < PattLen)
return NULL;
amccarthUnsubmitted
Not Done
ReplyInline Actions

I'm not sure if libfuzzer has its own coding style guidelines, but I'd probably use nullptr rather than NULL.

amccarth: I'm not sure if libfuzzer has its own coding style guidelines, but I'd probably use `nullptr`…
mpividoriAuthorUnsubmitted
Not Done
ReplyInline Actions

@amccarth it doesn't have own style guidelines... I think we should follow LLVM guidelines. But this requires many changes... If @kcc agrees I can update the code to follow LLVM code guidelines in a new diff.

mpividori: @amccarth it doesn't have own style guidelines... I think we should follow LLVM guidelines. But…
if (PattLen == 1)
return memchr(Data, *Cpatt, DataLen);
const char *End = Cdata + DataLen - PattLen;
for (const char *It = Cdata; It < End; ++It)
if (It[0] == Cpatt[0] && memcmp(It, Cpatt, PattLen) == 0)
return It;
return NULL;
}
int ExecuteCommand(const std::string &Command) {
return system(Command.c_str());
}
} // namespace fuzzer
#endif // LIBFUZZER_WINDOWS