This is an archive of the discontinued LLVM Phabricator instance.

Differential D37086

Use custom allocators for STL containers in libFuzzer
ClosedPublic

Authored by george.karpenkov on Aug 23 2017, 4:15 PM.

Details

Reviewers
kcc
kubamracek
Commits
rGbebcbfb46dc7: [libFuzzer] Use custom allocators for STL containers in libFuzzer.
rGd50410bfb1d1: [libFuzzer] Use custom allocators for STL containers in libFuzzer
rCRT311866: [libFuzzer] Use custom allocators for STL containers in libFuzzer.
rCRT311830: [libFuzzer] Use custom allocators for STL containers in libFuzzer
rL311866: [libFuzzer] Use custom allocators for STL containers in libFuzzer.
rL311830: [libFuzzer] Use custom allocators for STL containers in libFuzzer
Summary

Avoids ODR violations causing spurious ASAN warnings.

Diff Detail

Repository
rL LLVM

Event Timeline

george.karpenkov created this revision.Aug 23 2017, 4:15 PM

The fuzzer:: qualifier is often spurious, but might be a helpful indication that some magic is going on.

george.karpenkov added a comment.Aug 23 2017, 4:28 PM

Suggestions for a better test are welcome.

george.karpenkov updated this revision to Diff 112483.Aug 23 2017, 4:38 PM
kcc edited edge metadata.Aug 23 2017, 9:09 PM

Nice. Did this help?

lib/fuzzer/FuzzerDefs.h
22 ↗(On Diff #112483)

Why do you need this?

test/fuzzer/VectorTest.cpp
6 ↗(On Diff #112483)

Do some push_backs and pop_backs, just having a CTOR is not enough to trigger a warning.
Or maybe simply abandon the test and rely on having this tested with the rest of clang build.

george.karpenkov updated this revision to Diff 112605.Aug 24 2017, 1:39 PM

@kcc removed the test, I couldn't reproducibly get an error in this test. Let's just rely on fuzzers being able to run.

george.karpenkov added a comment.Aug 25 2017, 5:31 PM

@kcc is it good to go?

lib/fuzzer/FuzzerDefs.h
22 ↗(On Diff #112483)

to use std::allocator and std::set

kcc added inline comments.Aug 25 2017, 5:33 PM
lib/fuzzer/FuzzerDefs.h
22 ↗(On Diff #112483)

I am asking only about #include <iostream>
Isn't std::allocator defined in <memory>?

george.karpenkov updated this revision to Diff 112767.Aug 25 2017, 5:37 PM

@kcc seems to work either way.

kcc added a comment.Aug 25 2017, 10:05 PM
In D37086#853140, @george.karpenkov wrote:

@kcc seems to work either way.

<memory> is fine, <iostream> is not -- it brings too much unrelated stuff.

kcc accepted this revision.Aug 25 2017, 10:05 PM

LGTM

This revision is now accepted and ready to land.Aug 25 2017, 10:05 PM
Closed by commit rL311830: [libFuzzer] Use custom allocators for STL containers in libFuzzer (authored by george.karpenkov). · Explain WhyAug 26 2017, 10:19 AM
This revision was automatically updated to reflect the committed changes.
vitalybuka added a subscriber: vitalybuka.Aug 26 2017, 10:22 AM
vitalybuka added inline comments.
compiler-rt/trunk/lib/fuzzer/FuzzerMutate.h
145

It would be nicer with fuzzer::vector -> Vector

george.karpenkov added inline comments.Aug 26 2017, 10:25 AM
compiler-rt/trunk/lib/fuzzer/FuzzerMutate.h
145

I am not sure, Vector to me implies another datastructure. In any case, I have already committed the revision.

george.karpenkov added a comment.Aug 26 2017, 10:29 AM

@vitalybuka @kcc It seems it breaks build with GCC: http://lab.llvm.org:8011/builders/clang-x86_64-debian-fast/builds/6318/steps/build/logs/stdio
Any ideas before rollback?

vitalybuka added a comment.Aug 26 2017, 10:45 AM
In D37086#853332, @george.karpenkov wrote:

@vitalybuka @kcc It seems it breaks build with GCC: http://lab.llvm.org:8011/builders/clang-x86_64-debian-fast/builds/6318/steps/build/logs/stdio
Any ideas before rollback?

Maybe you need to do the same with string?

compiler-rt/trunk/lib/fuzzer/FuzzerMutate.h
145

It is another data structure and we use camel style for them.
So shorter more consistent naming would be nicer, but I will not insist.

george.karpenkov added a comment.Aug 26 2017, 10:52 AM

Reverted. The error message seems to be about const/non-const, but I couldn't figure it out right now.

george.karpenkov added a comment.Aug 27 2017, 2:10 PM

Maybe you need to do the same with string?

Why would it fail only under GCC though?

george.karpenkov reopened this revision.Aug 27 2017, 3:18 PM

@vitalybuka @kcc Got it down to:

#include<memory>
#include<vector>

template<typename T>
class my_allocator : public std::allocator<T> {};


template<typename T>
using Vector = std::vector<T, my_allocator<T>>;

int main() {
    Vector<Vector<uint8_t>> v;
    Vector<uint8_t> v2;
    v.push_back(v2);
}

which fails under Linux with:

In file included from allocators.cc:3:
In file included from /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/vector:64:
/usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_vector.h:319:9: error: no matching
      constructor for initialization of '_Vector_base<unsigned char, my_allocator<unsigned char> >'
      : _Base(__x.size(),
This revision is now accepted and ready to land.Aug 27 2017, 3:18 PM
george.karpenkov updated this revision to Diff 112840.Aug 27 2017, 3:40 PM

Got it working under GCC, struct rebind was missing.

kcc accepted this revision.Aug 27 2017, 3:45 PM

LGTM
wow!

george.karpenkov updated this revision to Diff 112842.Aug 27 2017, 3:54 PM

actually, even that was not sufficient: we seem to lose the ability to use initializer lists.

Closed by commit rL311866: [libFuzzer] Use custom allocators for STL containers in libFuzzer. (authored by george.karpenkov). · Explain WhyAug 27 2017, 4:22 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

Diff 112846

compiler-rt/trunk/lib/fuzzer/FuzzerCorpus.h

Show All 29 Linesstruct InputInfo {
// Number of features that this input has and no smaller input has. // Number of features that this input has and no smaller input has.
size_t NumFeatures = 0; size_t NumFeatures = 0;
size_t Tmp = 0; // Used by ValidateFeatureSet. size_t Tmp = 0; // Used by ValidateFeatureSet.
// Stats. // Stats.
size_t NumExecutedMutations = 0; size_t NumExecutedMutations = 0;
size_t NumSuccessfullMutations = 0; size_t NumSuccessfullMutations = 0;
bool MayDeleteFile = false; bool MayDeleteFile = false;
bool Reduced = false; bool Reduced = false;
std::vector<uint32_t> UniqFeatureSet; Vector<uint32_t> UniqFeatureSet;
}; };
class InputCorpus { class InputCorpus {
static const size_t kFeatureSetSize = 1 << 21; static const size_t kFeatureSetSize = 1 << 21;
public: public:
InputCorpus(const std::string &OutputCorpus) : OutputCorpus(OutputCorpus) { InputCorpus(const std::string &OutputCorpus) : OutputCorpus(OutputCorpus) {
memset(InputSizesPerFeature, 0, sizeof(InputSizesPerFeature)); memset(InputSizesPerFeature, 0, sizeof(InputSizesPerFeature));
memset(SmallestElementPerFeature, 0, sizeof(SmallestElementPerFeature)); memset(SmallestElementPerFeature, 0, sizeof(SmallestElementPerFeature));
Show All 19 Lines size_t MaxInputSize() const {
size_t Res = 0; size_t Res = 0;
for (auto II : Inputs) for (auto II : Inputs)
Res = std::max(Res, II->U.size()); Res = std::max(Res, II->U.size());
return Res; return Res;
} }
bool empty() const { return Inputs.empty(); } bool empty() const { return Inputs.empty(); }
const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; } const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
void AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile, void AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile,
const std::vector<uint32_t> &FeatureSet) { const Vector<uint32_t> &FeatureSet) {
assert(!U.empty()); assert(!U.empty());
if (FeatureDebug) if (FeatureDebug)
Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures); Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);
Inputs.push_back(new InputInfo()); Inputs.push_back(new InputInfo());
InputInfo &II = *Inputs.back(); InputInfo &II = *Inputs.back();
II.U = U; II.U = U;
II.NumFeatures = NumFeatures; II.NumFeatures = NumFeatures;
II.MayDeleteFile = MayDeleteFile; II.MayDeleteFile = MayDeleteFile;
Show All 12 Lines void PrintUnit(const Unit &U) {
for (uint8_t C : U) { for (uint8_t C : U) {
if (C != 'F' && C != 'U' && C != 'Z') if (C != 'F' && C != 'U' && C != 'Z')
C = '.'; C = '.';
Printf("%c", C); Printf("%c", C);
} }
} }
// Debug-only // Debug-only
void PrintFeatureSet(const std::vector<uint32_t> &FeatureSet) { void PrintFeatureSet(const Vector<uint32_t> &FeatureSet) {
if (!FeatureDebug) return; if (!FeatureDebug) return;
Printf("{"); Printf("{");
for (uint32_t Feature: FeatureSet) for (uint32_t Feature: FeatureSet)
Printf("%u,", Feature); Printf("%u,", Feature);
Printf("}"); Printf("}");
} }
// Debug-only // Debug-only
▲ Show 20 LinesShow All 139 Lines▼ Show 20 Lines void UpdateCorpusDistribution() {
std::iota(Intervals.begin(), Intervals.end(), 0); std::iota(Intervals.begin(), Intervals.end(), 0);
for (size_t i = 0; i < N; i++) for (size_t i = 0; i < N; i++)
Weights[i] = Inputs[i]->NumFeatures * (i + 1); Weights[i] = Inputs[i]->NumFeatures * (i + 1);
CorpusDistribution = std::piecewise_constant_distribution<double>( CorpusDistribution = std::piecewise_constant_distribution<double>(
Intervals.begin(), Intervals.end(), Weights.begin()); Intervals.begin(), Intervals.end(), Weights.begin());
} }
std::piecewise_constant_distribution<double> CorpusDistribution; std::piecewise_constant_distribution<double> CorpusDistribution;
std::vector<double> Intervals; Vector<double> Intervals;
std::vector<double> Weights; Vector<double> Weights;
std::unordered_set<std::string> Hashes; std::unordered_set<std::string> Hashes;
std::vector<InputInfo*> Inputs; Vector<InputInfo*> Inputs;
size_t NumAddedFeatures = 0; size_t NumAddedFeatures = 0;
size_t NumUpdatedFeatures = 0; size_t NumUpdatedFeatures = 0;
uint32_t InputSizesPerFeature[kFeatureSetSize]; uint32_t InputSizesPerFeature[kFeatureSetSize];
uint32_t SmallestElementPerFeature[kFeatureSetSize]; uint32_t SmallestElementPerFeature[kFeatureSetSize];
std::string OutputCorpus; std::string OutputCorpus;
}; };
} // namespace fuzzer } // namespace fuzzer
#endif // LLVM_FUZZER_CORPUS #endif // LLVM_FUZZER_CORPUS

compiler-rt/trunk/lib/fuzzer/FuzzerDefs.h

Show All 12 Lines
#define LLVM_FUZZER_DEFS_H #define LLVM_FUZZER_DEFS_H
#include <cassert> #include <cassert>
#include <cstddef> #include <cstddef>
#include <cstdint> #include <cstdint>
#include <cstring> #include <cstring>
#include <string> #include <string>
#include <vector> #include <vector>
#include <set>
#include <memory>
// Platform detection. // Platform detection.
#ifdef __linux__ #ifdef __linux__
#define LIBFUZZER_APPLE 0 #define LIBFUZZER_APPLE 0
#define LIBFUZZER_LINUX 1 #define LIBFUZZER_LINUX 1
#define LIBFUZZER_WINDOWS 0 #define LIBFUZZER_WINDOWS 0
#elif __APPLE__ #elif __APPLE__
#define LIBFUZZER_APPLE 1 #define LIBFUZZER_APPLE 1
▲ Show 20 LinesShow All 68 Lines▼ Show 20 Lines
struct FuzzingOptions; struct FuzzingOptions;
class InputCorpus; class InputCorpus;
struct InputInfo; struct InputInfo;
struct ExternalFunctions; struct ExternalFunctions;
// Global interface to functions that may or may not be available. // Global interface to functions that may or may not be available.
extern ExternalFunctions *EF; extern ExternalFunctions *EF;
typedef std::vector<uint8_t> Unit; // We are using a custom allocator to give a different symbol name to STL
typedef std::vector<Unit> UnitVector; // containers in order to avoid ODR violations.
template<typename T>
class fuzzer_allocator: public std::allocator<T> {
public:
template<class Other>
struct rebind { typedef fuzzer_allocator<Other> other; };
};
template<typename T>
using Vector = std::vector<T, fuzzer_allocator<T>>;
template<typename T>
using Set = std::set<T, std::less<T>, fuzzer_allocator<T>>;
typedef Vector<uint8_t> Unit;
typedef Vector<Unit> UnitVector;
typedef int (*UserCallback)(const uint8_t *Data, size_t Size); typedef int (*UserCallback)(const uint8_t *Data, size_t Size);
int FuzzerDriver(int *argc, char ***argv, UserCallback Callback); int FuzzerDriver(int *argc, char ***argv, UserCallback Callback);
struct ScopedDoingMyOwnMemOrStr { struct ScopedDoingMyOwnMemOrStr {
ScopedDoingMyOwnMemOrStr() { DoingMyOwnMemOrStr++; } ScopedDoingMyOwnMemOrStr() { DoingMyOwnMemOrStr++; }
~ScopedDoingMyOwnMemOrStr() { DoingMyOwnMemOrStr--; } ~ScopedDoingMyOwnMemOrStr() { DoingMyOwnMemOrStr--; }
static int DoingMyOwnMemOrStr; static int DoingMyOwnMemOrStr;
Show All 18 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerDictionary.h

Show First 20 LinesShow All 114 Lines▼ Show 20 Lines
}; };
// Parses one dictionary entry. // Parses one dictionary entry.
// If successfull, write the enty to Unit and returns true, // If successfull, write the enty to Unit and returns true,
// otherwise returns false. // otherwise returns false.
bool ParseOneDictionaryEntry(const std::string &Str, Unit *U); bool ParseOneDictionaryEntry(const std::string &Str, Unit *U);
// Parses the dictionary file, fills Units, returns true iff all lines // Parses the dictionary file, fills Units, returns true iff all lines
// were parsed succesfully. // were parsed succesfully.
bool ParseDictionaryFile(const std::string &Text, std::vector<Unit> *Units); bool ParseDictionaryFile(const std::string &Text, Vector<Unit> *Units);
} // namespace fuzzer } // namespace fuzzer
#endif // LLVM_FUZZER_DICTIONARY_H #endif // LLVM_FUZZER_DICTIONARY_H

compiler-rt/trunk/lib/fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 68 Lines▼ Show 20 Lines
#undef FUZZER_FLAG_INT #undef FUZZER_FLAG_INT
#undef FUZZER_FLAG_UNSIGNED #undef FUZZER_FLAG_UNSIGNED
#undef FUZZER_FLAG_STRING #undef FUZZER_FLAG_STRING
}; };
static const size_t kNumFlags = static const size_t kNumFlags =
sizeof(FlagDescriptions) / sizeof(FlagDescriptions[0]); sizeof(FlagDescriptions) / sizeof(FlagDescriptions[0]);
static std::vector<std::string> *Inputs; static Vector<std::string> *Inputs;
static std::string *ProgName; static std::string *ProgName;
static void PrintHelp() { static void PrintHelp() {
Printf("Usage:\n"); Printf("Usage:\n");
auto Prog = ProgName->c_str(); auto Prog = ProgName->c_str();
Printf("\nTo run fuzzing pass 0 or more directories.\n"); Printf("\nTo run fuzzing pass 0 or more directories.\n");
Printf("%s [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]\n", Prog); Printf("%s [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]\n", Prog);
▲ Show 20 LinesShow All 84 Lines▼ Show 20 Lines for (size_t F = 0; F < kNumFlags; F++) {
} }
} }
Printf("\n\nWARNING: unrecognized flag '%s'; " Printf("\n\nWARNING: unrecognized flag '%s'; "
"use -help=1 to list all flags\n\n", Param); "use -help=1 to list all flags\n\n", Param);
return true; return true;
} }
// We don't use any library to minimize dependencies. // We don't use any library to minimize dependencies.
static void ParseFlags(const std::vector<std::string> &Args) { static void ParseFlags(const Vector<std::string> &Args) {
for (size_t F = 0; F < kNumFlags; F++) { for (size_t F = 0; F < kNumFlags; F++) {
if (FlagDescriptions[F].IntFlag) if (FlagDescriptions[F].IntFlag)
*FlagDescriptions[F].IntFlag = FlagDescriptions[F].Default; *FlagDescriptions[F].IntFlag = FlagDescriptions[F].Default;
if (FlagDescriptions[F].UIntFlag) if (FlagDescriptions[F].UIntFlag)
*FlagDescriptions[F].UIntFlag = *FlagDescriptions[F].UIntFlag =
static_cast<unsigned int>(FlagDescriptions[F].Default); static_cast<unsigned int>(FlagDescriptions[F].Default);
if (FlagDescriptions[F].StrFlag) if (FlagDescriptions[F].StrFlag)
*FlagDescriptions[F].StrFlag = nullptr; *FlagDescriptions[F].StrFlag = nullptr;
} }
Inputs = new std::vector<std::string>; Inputs = new Vector<std::string>;
for (size_t A = 1; A < Args.size(); A++) { for (size_t A = 1; A < Args.size(); A++) {
if (ParseOneFlag(Args[A].c_str())) { if (ParseOneFlag(Args[A].c_str())) {
if (Flags.ignore_remaining_args) if (Flags.ignore_remaining_args)
break; break;
continue; continue;
} }
Inputs->push_back(Args[A]); Inputs->push_back(Args[A]);
} }
Show All 23 Lines if (ExitCode != 0)
*HasErrors = true; *HasErrors = true;
std::lock_guard<std::mutex> Lock(Mu); std::lock_guard<std::mutex> Lock(Mu);
Printf("================== Job %u exited with exit code %d ============\n", Printf("================== Job %u exited with exit code %d ============\n",
C, ExitCode); C, ExitCode);
fuzzer::CopyFileToErr(Log); fuzzer::CopyFileToErr(Log);
} }
} }
std::string CloneArgsWithoutX(const std::vector<std::string> &Args, std::string CloneArgsWithoutX(const Vector<std::string> &Args,
const char *X1, const char *X2) { const char *X1, const char *X2) {
std::string Cmd; std::string Cmd;
for (auto &S : Args) { for (auto &S : Args) {
if (FlagValue(S.c_str(), X1) || FlagValue(S.c_str(), X2)) if (FlagValue(S.c_str(), X1) || FlagValue(S.c_str(), X2))
continue; continue;
Cmd += S + " "; Cmd += S + " ";
} }
return Cmd; return Cmd;
} }
static int RunInMultipleProcesses(const std::vector<std::string> &Args, static int RunInMultipleProcesses(const Vector<std::string> &Args,
unsigned NumWorkers, unsigned NumJobs) { unsigned NumWorkers, unsigned NumJobs) {
std::atomic<unsigned> Counter(0); std::atomic<unsigned> Counter(0);
std::atomic<bool> HasErrors(false); std::atomic<bool> HasErrors(false);
std::string Cmd = CloneArgsWithoutX(Args, "jobs", "workers"); std::string Cmd = CloneArgsWithoutX(Args, "jobs", "workers");
std::vector<std::thread> V; Vector<std::thread> V;
std::thread Pulse(PulseThread); std::thread Pulse(PulseThread);
Pulse.detach(); Pulse.detach();
for (unsigned i = 0; i < NumWorkers; i++) for (unsigned i = 0; i < NumWorkers; i++)
V.push_back(std::thread(WorkerThread, Cmd, &Counter, NumJobs, &HasErrors)); V.push_back(std::thread(WorkerThread, Cmd, &Counter, NumJobs, &HasErrors));
for (auto &T : V) for (auto &T : V)
T.join(); T.join();
return HasErrors ? 1 : 0; return HasErrors ? 1 : 0;
} }
Show All 36 Linesstatic std::string GetDedupTokenFromFile(const std::string &Path) {
if (Beg == std::string::npos) if (Beg == std::string::npos)
return ""; return "";
auto End = S.find('\n', Beg); auto End = S.find('\n', Beg);
if (End == std::string::npos) if (End == std::string::npos)
return ""; return "";
return S.substr(Beg, End - Beg); return S.substr(Beg, End - Beg);
} }
int CleanseCrashInput(const std::vector<std::string> &Args, int CleanseCrashInput(const Vector<std::string> &Args,
const FuzzingOptions &Options) { const FuzzingOptions &Options) {
if (Inputs->size() != 1 || !Flags.exact_artifact_path) { if (Inputs->size() != 1 || !Flags.exact_artifact_path) {
Printf("ERROR: -cleanse_crash should be given one input file and" Printf("ERROR: -cleanse_crash should be given one input file and"
" -exact_artifact_path\n"); " -exact_artifact_path\n");
exit(1); exit(1);
} }
std::string InputFilePath = Inputs->at(0); std::string InputFilePath = Inputs->at(0);
std::string OutputFilePath = Flags.exact_artifact_path; std::string OutputFilePath = Flags.exact_artifact_path;
Show All 11 Linesint CleanseCrashInput(const Vector<std::string> &Args,
auto LogFileRedirect = " > " + LogFilePath + " 2>&1 "; auto LogFileRedirect = " > " + LogFilePath + " 2>&1 ";
auto Cmd = BaseCmd + " " + TmpFilePath + LogFileRedirect; auto Cmd = BaseCmd + " " + TmpFilePath + LogFileRedirect;
std::string CurrentFilePath = InputFilePath; std::string CurrentFilePath = InputFilePath;
auto U = FileToVector(CurrentFilePath); auto U = FileToVector(CurrentFilePath);
size_t Size = U.size(); size_t Size = U.size();
const std::vector<uint8_t> ReplacementBytes = {' ', 0xff}; const Vector<uint8_t> ReplacementBytes = {' ', 0xff};
for (int NumAttempts = 0; NumAttempts < 5; NumAttempts++) { for (int NumAttempts = 0; NumAttempts < 5; NumAttempts++) {
bool Changed = false; bool Changed = false;
for (size_t Idx = 0; Idx < Size; Idx++) { for (size_t Idx = 0; Idx < Size; Idx++) {
Printf("CLEANSE[%d]: Trying to replace byte %zd of %zd\n", NumAttempts, Printf("CLEANSE[%d]: Trying to replace byte %zd of %zd\n", NumAttempts,
Idx, Size); Idx, Size);
uint8_t OriginalByte = U[Idx]; uint8_t OriginalByte = U[Idx];
if (ReplacementBytes.end() != std::find(ReplacementBytes.begin(), if (ReplacementBytes.end() != std::find(ReplacementBytes.begin(),
ReplacementBytes.end(), ReplacementBytes.end(),
Show All 15 Lines for (size_t Idx = 0; Idx < Size; Idx++) {
} }
} }
if (!Changed) break; if (!Changed) break;
} }
RemoveFile(LogFilePath); RemoveFile(LogFilePath);
return 0; return 0;
} }
int MinimizeCrashInput(const std::vector<std::string> &Args, int MinimizeCrashInput(const Vector<std::string> &Args,
const FuzzingOptions &Options) { const FuzzingOptions &Options) {
if (Inputs->size() != 1) { if (Inputs->size() != 1) {
Printf("ERROR: -minimize_crash should be given one input file\n"); Printf("ERROR: -minimize_crash should be given one input file\n");
exit(1); exit(1);
} }
std::string InputFilePath = Inputs->at(0); std::string InputFilePath = Inputs->at(0);
auto BaseCmd = SplitBefore( auto BaseCmd = SplitBefore(
"-ignore_remaining_args=1", "-ignore_remaining_args=1",
▲ Show 20 LinesShow All 85 Lines▼ Show 20 Linesint MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) {
F->SetMaxInputLen(U.size()); F->SetMaxInputLen(U.size());
F->SetMaxMutationLen(U.size() - 1); F->SetMaxMutationLen(U.size() - 1);
F->MinimizeCrashLoop(U); F->MinimizeCrashLoop(U);
Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n"); Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n");
exit(0); exit(0);
return 0; return 0;
} }
int AnalyzeDictionary(Fuzzer *F, const std::vector<Unit>& Dict, int AnalyzeDictionary(Fuzzer *F, const Vector<Unit>& Dict,
UnitVector& Corpus) { UnitVector& Corpus) {
Printf("Started dictionary minimization (up to %d tests)\n", Printf("Started dictionary minimization (up to %d tests)\n",
Dict.size() * Corpus.size() * 2); Dict.size() * Corpus.size() * 2);
// Scores and usage count for each dictionary unit. // Scores and usage count for each dictionary unit.
std::vector<int> Scores(Dict.size()); Vector<int> Scores(Dict.size());
std::vector<int> Usages(Dict.size()); Vector<int> Usages(Dict.size());
std::vector<size_t> InitialFeatures; Vector<size_t> InitialFeatures;
std::vector<size_t> ModifiedFeatures; Vector<size_t> ModifiedFeatures;
for (auto &C : Corpus) { for (auto &C : Corpus) {
// Get coverage for the testcase without modifications. // Get coverage for the testcase without modifications.
F->ExecuteCallback(C.data(), C.size()); F->ExecuteCallback(C.data(), C.size());
InitialFeatures.clear(); InitialFeatures.clear();
TPC.CollectFeatures([&](size_t Feature) -> bool { TPC.CollectFeatures([&](size_t Feature) -> bool {
InitialFeatures.push_back(Feature); InitialFeatures.push_back(Feature);
return true; return true;
}); });
for (size_t i = 0; i < Dict.size(); ++i) { for (size_t i = 0; i < Dict.size(); ++i) {
auto Data = C; Vector<uint8_t> Data = C;
auto StartPos = std::search(Data.begin(), Data.end(), auto StartPos = std::search(Data.begin(), Data.end(),
Dict[i].begin(), Dict[i].end()); Dict[i].begin(), Dict[i].end());
// Skip dictionary unit, if the testcase does not contain it. // Skip dictionary unit, if the testcase does not contain it.
if (StartPos == Data.end()) if (StartPos == Data.end())
continue; continue;
++Usages[i]; ++Usages[i];
while (StartPos != Data.end()) { while (StartPos != Data.end()) {
Show All 37 Lines
int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
using namespace fuzzer; using namespace fuzzer;
assert(argc && argv && "Argument pointers cannot be nullptr"); assert(argc && argv && "Argument pointers cannot be nullptr");
std::string Argv0((*argv)[0]); std::string Argv0((*argv)[0]);
EF = new ExternalFunctions(); EF = new ExternalFunctions();
if (EF->LLVMFuzzerInitialize) if (EF->LLVMFuzzerInitialize)
EF->LLVMFuzzerInitialize(argc, argv); EF->LLVMFuzzerInitialize(argc, argv);
const std::vector<std::string> Args(*argv, *argv + *argc); const Vector<std::string> Args(*argv, *argv + *argc);
assert(!Args.empty()); assert(!Args.empty());
ProgName = new std::string(Args[0]); ProgName = new std::string(Args[0]);
if (Argv0 != *ProgName) { if (Argv0 != *ProgName) {
Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n"); Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n");
exit(1); exit(1);
} }
ParseFlags(Args); ParseFlags(Args);
if (Flags.help) { if (Flags.help) {
▲ Show 20 LinesShow All 45 Lines▼ Show 20 Lines if (Flags.runs >= 0)
Options.MaxNumberOfRuns = Flags.runs; Options.MaxNumberOfRuns = Flags.runs;
if (!Inputs->empty() && !Flags.minimize_crash_internal_step) if (!Inputs->empty() && !Flags.minimize_crash_internal_step)
Options.OutputCorpus = (*Inputs)[0]; Options.OutputCorpus = (*Inputs)[0];
Options.ReportSlowUnits = Flags.report_slow_units; Options.ReportSlowUnits = Flags.report_slow_units;
if (Flags.artifact_prefix) if (Flags.artifact_prefix)
Options.ArtifactPrefix = Flags.artifact_prefix; Options.ArtifactPrefix = Flags.artifact_prefix;
if (Flags.exact_artifact_path) if (Flags.exact_artifact_path)
Options.ExactArtifactPath = Flags.exact_artifact_path; Options.ExactArtifactPath = Flags.exact_artifact_path;
std::vector<Unit> Dictionary; Vector<Unit> Dictionary;
if (Flags.dict) if (Flags.dict)
if (!ParseDictionaryFile(FileToString(Flags.dict), &Dictionary)) if (!ParseDictionaryFile(FileToString(Flags.dict), &Dictionary))
return 1; return 1;
if (Flags.verbosity > 0 && !Dictionary.empty()) if (Flags.verbosity > 0 && !Dictionary.empty())
Printf("Dictionary: %zd entries\n", Dictionary.size()); Printf("Dictionary: %zd entries\n", Dictionary.size());
bool DoPlainRun = AllInputsAreFiles(); bool DoPlainRun = AllInputsAreFiles();
Options.SaveArtifacts = Options.SaveArtifacts =
!DoPlainRun || Flags.minimize_crash_internal_step; !DoPlainRun || Flags.minimize_crash_internal_step;
▲ Show 20 LinesShow All 161 LinesShow Last 20 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerIO.h

Show All 21 LinesUnit FileToVector(const std::string &Path, size_t MaxSize = 0,
bool ExitOnError = true); bool ExitOnError = true);
std::string FileToString(const std::string &Path); std::string FileToString(const std::string &Path);
void CopyFileToErr(const std::string &Path); void CopyFileToErr(const std::string &Path);
void WriteToFile(const Unit &U, const std::string &Path); void WriteToFile(const Unit &U, const std::string &Path);
void ReadDirToVectorOfUnits(const char *Path, std::vector<Unit> *V, void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V,
long *Epoch, size_t MaxSize, bool ExitOnError); long *Epoch, size_t MaxSize, bool ExitOnError);
// Returns "Dir/FileName" or equivalent for the current OS. // Returns "Dir/FileName" or equivalent for the current OS.
std::string DirPlusFile(const std::string &DirPath, std::string DirPlusFile(const std::string &DirPath,
const std::string &FileName); const std::string &FileName);
// Returns the name of the dir, similar to the 'dirname' utility. // Returns the name of the dir, similar to the 'dirname' utility.
std::string DirName(const std::string &FileName); std::string DirName(const std::string &FileName);
Show All 11 Lines
// Print using raw syscalls, useful when printing at early init stages. // Print using raw syscalls, useful when printing at early init stages.
void RawPrint(const char *Str); void RawPrint(const char *Str);
// Platform specific functions: // Platform specific functions:
bool IsFile(const std::string &Path); bool IsFile(const std::string &Path);
void ListFilesInDirRecursive(const std::string &Dir, long *Epoch, void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
std::vector<std::string> *V, bool TopDir); Vector<std::string> *V, bool TopDir);
char GetSeparator(); char GetSeparator();
FILE* OpenFile(int Fd, const char *Mode); FILE* OpenFile(int Fd, const char *Mode);
int CloseFile(int Fd); int CloseFile(int Fd);
int DuplicateFile(int Fd); int DuplicateFile(int Fd);
Show All 10 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerIO.cpp

Show First 20 LinesShow All 62 Lines▼ Show 20 Lines
void WriteToFile(const Unit &U, const std::string &Path) { void WriteToFile(const Unit &U, const std::string &Path) {
// Use raw C interface because this function may be called from a sig handler. // Use raw C interface because this function may be called from a sig handler.
FILE *Out = fopen(Path.c_str(), "w"); FILE *Out = fopen(Path.c_str(), "w");
if (!Out) return; if (!Out) return;
fwrite(U.data(), sizeof(U[0]), U.size(), Out); fwrite(U.data(), sizeof(U[0]), U.size(), Out);
fclose(Out); fclose(Out);
} }
void ReadDirToVectorOfUnits(const char *Path, std::vector<Unit> *V, void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V,
long *Epoch, size_t MaxSize, bool ExitOnError) { long *Epoch, size_t MaxSize, bool ExitOnError) {
long E = Epoch ? *Epoch : 0; long E = Epoch ? *Epoch : 0;
std::vector<std::string> Files; Vector<std::string> Files;
ListFilesInDirRecursive(Path, Epoch, &Files, /*TopDir*/true); ListFilesInDirRecursive(Path, Epoch, &Files, /*TopDir*/true);
size_t NumLoaded = 0; size_t NumLoaded = 0;
for (size_t i = 0; i < Files.size(); i++) { for (size_t i = 0; i < Files.size(); i++) {
auto &X = Files[i]; auto &X = Files[i];
if (Epoch && GetEpoch(X) < E) continue; if (Epoch && GetEpoch(X) < E) continue;
NumLoaded++; NumLoaded++;
if ((NumLoaded & (NumLoaded - 1)) == 0 && NumLoaded >= 1024) if ((NumLoaded & (NumLoaded - 1)) == 0 && NumLoaded >= 1024)
Printf("Loaded %zd/%zd files from %s\n", NumLoaded, Files.size(), Path); Printf("Loaded %zd/%zd files from %s\n", NumLoaded, Files.size(), Path);
Show All 38 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerIOPosix.cpp

Show All 27 Lines
bool IsFile(const std::string &Path) { bool IsFile(const std::string &Path) {
struct stat St; struct stat St;
if (stat(Path.c_str(), &St)) if (stat(Path.c_str(), &St))
return false; return false;
return S_ISREG(St.st_mode); return S_ISREG(St.st_mode);
} }
void ListFilesInDirRecursive(const std::string &Dir, long *Epoch, void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
std::vector<std::string> *V, bool TopDir) { Vector<std::string> *V, bool TopDir) {
auto E = GetEpoch(Dir); auto E = GetEpoch(Dir);
if (Epoch) if (Epoch)
if (E && *Epoch >= E) return; if (E && *Epoch >= E) return;
DIR *D = opendir(Dir.c_str()); DIR *D = opendir(Dir.c_str());
if (!D) { if (!D) {
Printf("No such directory: %s; exiting\n", Dir.c_str()); Printf("No such directory: %s; exiting\n", Dir.c_str());
exit(1); exit(1);
▲ Show 20 LinesShow All 79 LinesShow Last 20 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerIOWindows.cpp

Show First 20 LinesShow All 67 Lines▼ Show 20 Lines Printf("GetFileAttributesA() failed for \"%s\" (Error code: %lu).\n",
Path.c_str(), GetLastError()); Path.c_str(), GetLastError());
return false; return false;
} }
return IsFile(Path, Att); return IsFile(Path, Att);
} }
void ListFilesInDirRecursive(const std::string &Dir, long *Epoch, void ListFilesInDirRecursive(const std::string &Dir, long *Epoch,
std::vector<std::string> *V, bool TopDir) { Vector<std::string> *V, bool TopDir) {
auto E = GetEpoch(Dir); auto E = GetEpoch(Dir);
if (Epoch) if (Epoch)
if (E && *Epoch >= E) return; if (E && *Epoch >= E) return;
std::string Path(Dir); std::string Path(Dir);
assert(!Path.empty()); assert(!Path.empty());
if (Path.back() != '\\') if (Path.back() != '\\')
Path.push_back('\\'); Path.push_back('\\');
▲ Show 20 LinesShow All 239 LinesShow Last 20 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerInternal.h

Show First 20 LinesShow All 63 Lines▼ Show 20 Linespublic:
static void StaticInterruptCallback(); static void StaticInterruptCallback();
static void StaticFileSizeExceedCallback(); static void StaticFileSizeExceedCallback();
void ExecuteCallback(const uint8_t *Data, size_t Size); void ExecuteCallback(const uint8_t *Data, size_t Size);
bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false, bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
InputInfo *II = nullptr); InputInfo *II = nullptr);
// Merge Corpora[1:] into Corpora[0]. // Merge Corpora[1:] into Corpora[0].
void Merge(const std::vector<std::string> &Corpora); void Merge(const Vector<std::string> &Corpora);
void CrashResistantMerge(const std::vector<std::string> &Args, void CrashResistantMerge(const Vector<std::string> &Args,
const std::vector<std::string> &Corpora, const Vector<std::string> &Corpora,
const char *CoverageSummaryInputPathOrNull, const char *CoverageSummaryInputPathOrNull,
const char *CoverageSummaryOutputPathOrNull); const char *CoverageSummaryOutputPathOrNull);
void CrashResistantMergeInternalStep(const std::string &ControlFilePath); void CrashResistantMergeInternalStep(const std::string &ControlFilePath);
MutationDispatcher &GetMD() { return MD; } MutationDispatcher &GetMD() { return MD; }
void PrintFinalStats(); void PrintFinalStats();
void SetMaxInputLen(size_t MaxInputLen); void SetMaxInputLen(size_t MaxInputLen);
void SetMaxMutationLen(size_t MaxMutationLen); void SetMaxMutationLen(size_t MaxMutationLen);
void RssLimitCallback(); void RssLimitCallback();
▲ Show 20 LinesShow All 51 Lines▼ Show 20 Linesprivate:
system_clock::time_point UnitStartTime, UnitStopTime; system_clock::time_point UnitStartTime, UnitStopTime;
long TimeOfLongestUnitInSeconds = 0; long TimeOfLongestUnitInSeconds = 0;
long EpochOfLastReadOfOutputCorpus = 0; long EpochOfLastReadOfOutputCorpus = 0;
size_t MaxInputLen = 0; size_t MaxInputLen = 0;
size_t MaxMutationLen = 0; size_t MaxMutationLen = 0;
size_t TmpMaxMutationLen = 0; size_t TmpMaxMutationLen = 0;
std::vector<uint32_t> UniqFeatureSetTmp; Vector<uint32_t> UniqFeatureSetTmp;
// Need to know our own thread. // Need to know our own thread.
static thread_local bool IsMyThread; static thread_local bool IsMyThread;
}; };
} // namespace fuzzer } // namespace fuzzer
#endif // LLVM_FUZZER_INTERNAL_H #endif // LLVM_FUZZER_INTERNAL_H

compiler-rt/trunk/lib/fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 321 Lines▼ Show 20 Lines
void Fuzzer::SetMaxMutationLen(size_t MaxMutationLen) { void Fuzzer::SetMaxMutationLen(size_t MaxMutationLen) {
assert(MaxMutationLen && MaxMutationLen <= MaxInputLen); assert(MaxMutationLen && MaxMutationLen <= MaxInputLen);
this->MaxMutationLen = MaxMutationLen; this->MaxMutationLen = MaxMutationLen;
} }
void Fuzzer::CheckExitOnSrcPosOrItem() { void Fuzzer::CheckExitOnSrcPosOrItem() {
if (!Options.ExitOnSrcPos.empty()) { if (!Options.ExitOnSrcPos.empty()) {
static auto *PCsSet = new std::set<uintptr_t>; static auto *PCsSet = new Set<uintptr_t>;
auto HandlePC = [&](uintptr_t PC) { auto HandlePC = [&](uintptr_t PC) {
if (!PCsSet->insert(PC).second) return; if (!PCsSet->insert(PC).second) return;
std::string Descr = DescribePC("%F %L", PC + 1); std::string Descr = DescribePC("%F %L", PC + 1);
if (Descr.find(Options.ExitOnSrcPos) != std::string::npos) { if (Descr.find(Options.ExitOnSrcPos) != std::string::npos) {
Printf("INFO: found line matching '%s', exiting.\n", Printf("INFO: found line matching '%s', exiting.\n",
Options.ExitOnSrcPos.c_str()); Options.ExitOnSrcPos.c_str());
_Exit(0); _Exit(0);
} }
}; };
TPC.ForEachObservedPC(HandlePC); TPC.ForEachObservedPC(HandlePC);
} }
if (!Options.ExitOnItem.empty()) { if (!Options.ExitOnItem.empty()) {
if (Corpus.HasUnit(Options.ExitOnItem)) { if (Corpus.HasUnit(Options.ExitOnItem)) {
Printf("INFO: found item with checksum '%s', exiting.\n", Printf("INFO: found item with checksum '%s', exiting.\n",
Options.ExitOnItem.c_str()); Options.ExitOnItem.c_str());
_Exit(0); _Exit(0);
} }
} }
} }
void Fuzzer::RereadOutputCorpus(size_t MaxSize) { void Fuzzer::RereadOutputCorpus(size_t MaxSize) {
if (Options.OutputCorpus.empty() || !Options.ReloadIntervalSec) return; if (Options.OutputCorpus.empty() || !Options.ReloadIntervalSec) return;
std::vector<Unit> AdditionalCorpus; Vector<Unit> AdditionalCorpus;
ReadDirToVectorOfUnits(Options.OutputCorpus.c_str(), &AdditionalCorpus, ReadDirToVectorOfUnits(Options.OutputCorpus.c_str(), &AdditionalCorpus,
&EpochOfLastReadOfOutputCorpus, MaxSize, &EpochOfLastReadOfOutputCorpus, MaxSize,
/*ExitOnError*/ false); /*ExitOnError*/ false);
if (Options.Verbosity >= 2) if (Options.Verbosity >= 2)
Printf("Reload: read %zd new units.\n", AdditionalCorpus.size()); Printf("Reload: read %zd new units.\n", AdditionalCorpus.size());
bool Reloaded = false; bool Reloaded = false;
for (auto &U : AdditionalCorpus) { for (auto &U : AdditionalCorpus) {
if (U.size() > MaxSize) if (U.size() > MaxSize)
▲ Show 20 LinesShow All 362 LinesShow Last 20 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerMerge.h

Show First 20 LinesShow All 46 Lines▼ Show 20 Lines
#include <set> #include <set>
#include <vector> #include <vector>
namespace fuzzer { namespace fuzzer {
struct MergeFileInfo { struct MergeFileInfo {
std::string Name; std::string Name;
size_t Size = 0; size_t Size = 0;
std::vector<uint32_t> Features; Vector<uint32_t> Features;
}; };
struct Merger { struct Merger {
std::vector<MergeFileInfo> Files; Vector<MergeFileInfo> Files;
size_t NumFilesInFirstCorpus = 0; size_t NumFilesInFirstCorpus = 0;
size_t FirstNotProcessedFile = 0; size_t FirstNotProcessedFile = 0;
std::string LastFailure; std::string LastFailure;
bool Parse(std::istream &IS, bool ParseCoverage); bool Parse(std::istream &IS, bool ParseCoverage);
bool Parse(const std::string &Str, bool ParseCoverage); bool Parse(const std::string &Str, bool ParseCoverage);
void ParseOrExit(std::istream &IS, bool ParseCoverage); void ParseOrExit(std::istream &IS, bool ParseCoverage);
void PrintSummary(std::ostream &OS); void PrintSummary(std::ostream &OS);
std::set<uint32_t> ParseSummary(std::istream &IS); Set<uint32_t> ParseSummary(std::istream &IS);
size_t Merge(const std::set<uint32_t> &InitialFeatures, size_t Merge(const Set<uint32_t> &InitialFeatures,
std::vector<std::string> *NewFiles); Vector<std::string> *NewFiles);
size_t Merge(std::vector<std::string> *NewFiles) { size_t Merge(Vector<std::string> *NewFiles) {
return Merge(std::set<uint32_t>{}, NewFiles); return Merge(Set<uint32_t>{}, NewFiles);
} }
size_t ApproximateMemoryConsumption() const; size_t ApproximateMemoryConsumption() const;
std::set<uint32_t> AllFeatures() const; Set<uint32_t> AllFeatures() const;
}; };
} // namespace fuzzer } // namespace fuzzer
#endif // LLVM_FUZZER_MERGE_H #endif // LLVM_FUZZER_MERGE_H

compiler-rt/trunk/lib/fuzzer/FuzzerMerge.cpp

Show First 20 LinesShow All 68 Lines▼ Show 20 Linesbool Merger::Parse(std::istream &IS, bool ParseCoverage) {
for (size_t i = 0; i < NumFiles; i++) for (size_t i = 0; i < NumFiles; i++)
if (!std::getline(IS, Files[i].Name, '\n')) if (!std::getline(IS, Files[i].Name, '\n'))
return false; return false;
// Parse STARTED and DONE lines. // Parse STARTED and DONE lines.
size_t ExpectedStartMarker = 0; size_t ExpectedStartMarker = 0;
const size_t kInvalidStartMarker = -1; const size_t kInvalidStartMarker = -1;
size_t LastSeenStartMarker = kInvalidStartMarker; size_t LastSeenStartMarker = kInvalidStartMarker;
std::vector<uint32_t> TmpFeatures; Vector<uint32_t> TmpFeatures;
while (std::getline(IS, Line, '\n')) { while (std::getline(IS, Line, '\n')) {
std::istringstream ISS1(Line); std::istringstream ISS1(Line);
std::string Marker; std::string Marker;
size_t N; size_t N;
ISS1 >> Marker; ISS1 >> Marker;
ISS1 >> N; ISS1 >> N;
if (Marker == "STARTED") { if (Marker == "STARTED") {
// STARTED FILE_ID FILE_SIZE // STARTED FILE_ID FILE_SIZE
Show All 31 Linessize_t Merger::ApproximateMemoryConsumption() const {
size_t Res = 0; size_t Res = 0;
for (const auto &F: Files) for (const auto &F: Files)
Res += sizeof(F) + F.Features.size() * sizeof(F.Features[0]); Res += sizeof(F) + F.Features.size() * sizeof(F.Features[0]);
return Res; return Res;
} }
// Decides which files need to be merged (add thost to NewFiles). // Decides which files need to be merged (add thost to NewFiles).
// Returns the number of new features added. // Returns the number of new features added.
size_t Merger::Merge(const std::set<uint32_t> &InitialFeatures, size_t Merger::Merge(const Set<uint32_t> &InitialFeatures,
std::vector<std::string> *NewFiles) { Vector<std::string> *NewFiles) {
NewFiles->clear(); NewFiles->clear();
assert(NumFilesInFirstCorpus <= Files.size()); assert(NumFilesInFirstCorpus <= Files.size());
std::set<uint32_t> AllFeatures(InitialFeatures); Set<uint32_t> AllFeatures(InitialFeatures);
// What features are in the initial corpus? // What features are in the initial corpus?
for (size_t i = 0; i < NumFilesInFirstCorpus; i++) { for (size_t i = 0; i < NumFilesInFirstCorpus; i++) {
auto &Cur = Files[i].Features; auto &Cur = Files[i].Features;
AllFeatures.insert(Cur.begin(), Cur.end()); AllFeatures.insert(Cur.begin(), Cur.end());
} }
size_t InitialNumFeatures = AllFeatures.size(); size_t InitialNumFeatures = AllFeatures.size();
// Remove all features that we already know from all other inputs. // Remove all features that we already know from all other inputs.
for (size_t i = NumFilesInFirstCorpus; i < Files.size(); i++) { for (size_t i = NumFilesInFirstCorpus; i < Files.size(); i++) {
auto &Cur = Files[i].Features; auto &Cur = Files[i].Features;
std::vector<uint32_t> Tmp; Vector<uint32_t> Tmp;
std::set_difference(Cur.begin(), Cur.end(), AllFeatures.begin(), std::set_difference(Cur.begin(), Cur.end(), AllFeatures.begin(),
AllFeatures.end(), std::inserter(Tmp, Tmp.begin())); AllFeatures.end(), std::inserter(Tmp, Tmp.begin()));
Cur.swap(Tmp); Cur.swap(Tmp);
} }
// Sort. Give preference to // Sort. Give preference to
// * smaller files // * smaller files
// * files with more features. // * files with more features.
Show All 23 Lines for (auto &File : Files) {
OS << std::hex; OS << std::hex;
OS << File.Name << " size: " << File.Size << " features: "; OS << File.Name << " size: " << File.Size << " features: ";
for (auto Feature : File.Features) for (auto Feature : File.Features)
OS << " " << Feature; OS << " " << Feature;
OS << "\n"; OS << "\n";
} }
} }
std::set<uint32_t> Merger::AllFeatures() const { Set<uint32_t> Merger::AllFeatures() const {
std::set<uint32_t> S; Set<uint32_t> S;
for (auto &File : Files) for (auto &File : Files)
S.insert(File.Features.begin(), File.Features.end()); S.insert(File.Features.begin(), File.Features.end());
return S; return S;
} }
std::set<uint32_t> Merger::ParseSummary(std::istream &IS) { Set<uint32_t> Merger::ParseSummary(std::istream &IS) {
std::string Line, Tmp; std::string Line, Tmp;
std::set<uint32_t> Res; Set<uint32_t> Res;
while (std::getline(IS, Line, '\n')) { while (std::getline(IS, Line, '\n')) {
size_t N; size_t N;
std::istringstream ISS1(Line); std::istringstream ISS1(Line);
ISS1 >> Tmp; // Name ISS1 >> Tmp; // Name
ISS1 >> Tmp; // size: ISS1 >> Tmp; // size:
assert(Tmp == "size:" && "Corrupt summary file"); assert(Tmp == "size:" && "Corrupt summary file");
ISS1 >> std::hex; ISS1 >> std::hex;
ISS1 >> N; // File Size ISS1 >> N; // File Size
Show All 31 Lines for (size_t i = M.FirstNotProcessedFile; i < M.Files.size(); i++) {
std::ostringstream StartedLine; std::ostringstream StartedLine;
// Write the pre-run marker. // Write the pre-run marker.
OF << "STARTED " << std::dec << i << " " << U.size() << "\n"; OF << "STARTED " << std::dec << i << " " << U.size() << "\n";
OF.flush(); // Flush is important since ExecuteCommand may crash. OF.flush(); // Flush is important since ExecuteCommand may crash.
// Run. // Run.
TPC.ResetMaps(); TPC.ResetMaps();
ExecuteCallback(U.data(), U.size()); ExecuteCallback(U.data(), U.size());
// Collect coverage. // Collect coverage.
std::set<size_t> Features; Set<size_t> Features;
TPC.CollectFeatures([&](size_t Feature) -> bool { TPC.CollectFeatures([&](size_t Feature) -> bool {
Features.insert(Feature); Features.insert(Feature);
return true; return true;
}); });
// Show stats. // Show stats.
if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1))) if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)))
PrintStats("pulse "); PrintStats("pulse ");
// Write the post-run marker and the coverage. // Write the post-run marker and the coverage.
OF << "DONE " << i; OF << "DONE " << i;
for (size_t F : Features) for (size_t F : Features)
OF << " " << std::hex << F; OF << " " << std::hex << F;
OF << "\n"; OF << "\n";
} }
} }
// Outer process. Does not call the target code and thus sohuld not fail. // Outer process. Does not call the target code and thus sohuld not fail.
void Fuzzer::CrashResistantMerge(const std::vector<std::string> &Args, void Fuzzer::CrashResistantMerge(const Vector<std::string> &Args,
const std::vector<std::string> &Corpora, const Vector<std::string> &Corpora,
const char *CoverageSummaryInputPathOrNull, const char *CoverageSummaryInputPathOrNull,
const char *CoverageSummaryOutputPathOrNull) { const char *CoverageSummaryOutputPathOrNull) {
if (Corpora.size() <= 1) { if (Corpora.size() <= 1) {
Printf("Merge requires two or more corpus dirs\n"); Printf("Merge requires two or more corpus dirs\n");
return; return;
} }
std::vector<std::string> AllFiles; Vector<std::string> AllFiles;
ListFilesInDirRecursive(Corpora[0], nullptr, &AllFiles, /*TopDir*/true); ListFilesInDirRecursive(Corpora[0], nullptr, &AllFiles, /*TopDir*/true);
size_t NumFilesInFirstCorpus = AllFiles.size(); size_t NumFilesInFirstCorpus = AllFiles.size();
for (size_t i = 1; i < Corpora.size(); i++) for (size_t i = 1; i < Corpora.size(); i++)
ListFilesInDirRecursive(Corpora[i], nullptr, &AllFiles, /*TopDir*/true); ListFilesInDirRecursive(Corpora[i], nullptr, &AllFiles, /*TopDir*/true);
Printf("MERGE-OUTER: %zd files, %zd in the initial corpus\n", Printf("MERGE-OUTER: %zd files, %zd in the initial corpus\n",
AllFiles.size(), NumFilesInFirstCorpus); AllFiles.size(), NumFilesInFirstCorpus);
auto CFPath = DirPlusFile(TmpDir(), auto CFPath = DirPlusFile(TmpDir(),
"libFuzzerTemp." + std::to_string(GetPid()) + ".txt"); "libFuzzerTemp." + std::to_string(GetPid()) + ".txt");
▲ Show 20 LinesShow All 41 Lines▼ Show 20 Linesvoid Fuzzer::CrashResistantMerge(const Vector<std::string> &Args,
Printf("MERGE-OUTER: consumed %zdMb (%zdMb rss) to parse the control file\n", Printf("MERGE-OUTER: consumed %zdMb (%zdMb rss) to parse the control file\n",
M.ApproximateMemoryConsumption() >> 20, GetPeakRSSMb()); M.ApproximateMemoryConsumption() >> 20, GetPeakRSSMb());
if (CoverageSummaryOutputPathOrNull) { if (CoverageSummaryOutputPathOrNull) {
Printf("MERGE-OUTER: writing coverage summary for %zd files to %s\n", Printf("MERGE-OUTER: writing coverage summary for %zd files to %s\n",
M.Files.size(), CoverageSummaryOutputPathOrNull); M.Files.size(), CoverageSummaryOutputPathOrNull);
std::ofstream SummaryOut(CoverageSummaryOutputPathOrNull); std::ofstream SummaryOut(CoverageSummaryOutputPathOrNull);
M.PrintSummary(SummaryOut); M.PrintSummary(SummaryOut);
} }
std::vector<std::string> NewFiles; Vector<std::string> NewFiles;
std::set<uint32_t> InitialFeatures; Set<uint32_t> InitialFeatures;
if (CoverageSummaryInputPathOrNull) { if (CoverageSummaryInputPathOrNull) {
std::ifstream SummaryIn(CoverageSummaryInputPathOrNull); std::ifstream SummaryIn(CoverageSummaryInputPathOrNull);
InitialFeatures = M.ParseSummary(SummaryIn); InitialFeatures = M.ParseSummary(SummaryIn);
Printf("MERGE-OUTER: coverage summary loaded from %s, %zd features found\n", Printf("MERGE-OUTER: coverage summary loaded from %s, %zd features found\n",
CoverageSummaryInputPathOrNull, InitialFeatures.size()); CoverageSummaryInputPathOrNull, InitialFeatures.size());
} }
size_t NumNewFeatures = M.Merge(InitialFeatures, &NewFiles); size_t NumNewFeatures = M.Merge(InitialFeatures, &NewFiles);
Printf("MERGE-OUTER: %zd new files with %zd new features added\n", Printf("MERGE-OUTER: %zd new files with %zd new features added\n",
NewFiles.size(), NumNewFeatures); NewFiles.size(), NumNewFeatures);
for (auto &F: NewFiles) for (auto &F: NewFiles)
WriteToOutputCorpus(FileToVector(F)); WriteToOutputCorpus(FileToVector(F));
// We are done, delete the control file. // We are done, delete the control file.
RemoveFile(CFPath); RemoveFile(CFPath);
} }
} // namespace fuzzer } // namespace fuzzer

compiler-rt/trunk/lib/fuzzer/FuzzerMutate.h

Show First 20 LinesShow All 90 Lines▼ Show 20 Linesprivate:
struct Mutator { struct Mutator {
size_t (MutationDispatcher::*Fn)(uint8_t *Data, size_t Size, size_t Max); size_t (MutationDispatcher::*Fn)(uint8_t *Data, size_t Size, size_t Max);
const char *Name; const char *Name;
}; };
size_t AddWordFromDictionary(Dictionary &D, uint8_t *Data, size_t Size, size_t AddWordFromDictionary(Dictionary &D, uint8_t *Data, size_t Size,
size_t MaxSize); size_t MaxSize);
size_t MutateImpl(uint8_t *Data, size_t Size, size_t MaxSize, size_t MutateImpl(uint8_t *Data, size_t Size, size_t MaxSize,
const std::vector<Mutator> &Mutators); Vector<Mutator> &Mutators);
size_t InsertPartOf(const uint8_t *From, size_t FromSize, uint8_t *To, size_t InsertPartOf(const uint8_t *From, size_t FromSize, uint8_t *To,
size_t ToSize, size_t MaxToSize); size_t ToSize, size_t MaxToSize);
size_t CopyPartOf(const uint8_t *From, size_t FromSize, uint8_t *To, size_t CopyPartOf(const uint8_t *From, size_t FromSize, uint8_t *To,
size_t ToSize); size_t ToSize);
size_t ApplyDictionaryEntry(uint8_t *Data, size_t Size, size_t MaxSize, size_t ApplyDictionaryEntry(uint8_t *Data, size_t Size, size_t MaxSize,
DictionaryEntry &DE); DictionaryEntry &DE);
Show All 15 Linesprivate:
Dictionary ManualDictionary; Dictionary ManualDictionary;
// Temporary dictionary modified by the fuzzer itself, // Temporary dictionary modified by the fuzzer itself,
// recreated periodically. // recreated periodically.
Dictionary TempAutoDictionary; Dictionary TempAutoDictionary;
// Persistent dictionary modified by the fuzzer, consists of // Persistent dictionary modified by the fuzzer, consists of
// entries that led to successfull discoveries in the past mutations. // entries that led to successfull discoveries in the past mutations.
Dictionary PersistentAutoDictionary; Dictionary PersistentAutoDictionary;
std::vector<Mutator> CurrentMutatorSequence; Vector<Mutator> CurrentMutatorSequence;
std::vector<DictionaryEntry *> CurrentDictionaryEntrySequence; Vector<DictionaryEntry *> CurrentDictionaryEntrySequence;
static const size_t kCmpDictionaryEntriesDequeSize = 16; static const size_t kCmpDictionaryEntriesDequeSize = 16;
DictionaryEntry CmpDictionaryEntriesDeque[kCmpDictionaryEntriesDequeSize]; DictionaryEntry CmpDictionaryEntriesDeque[kCmpDictionaryEntriesDequeSize];
size_t CmpDictionaryEntriesDequeIdx = 0; size_t CmpDictionaryEntriesDequeIdx = 0;
const InputCorpus *Corpus = nullptr; const InputCorpus *Corpus = nullptr;
std::vector<uint8_t> MutateInPlaceHere; Vector<uint8_t> MutateInPlaceHere;
// CustomCrossOver needs its own buffer as a custom implementation may call // CustomCrossOver needs its own buffer as a custom implementation may call
// LLVMFuzzerMutate, which in turn may resize MutateInPlaceHere. // LLVMFuzzerMutate, which in turn may resize MutateInPlaceHere.
std::vector<uint8_t> CustomCrossOverInPlaceHere; Vector<uint8_t> CustomCrossOverInPlaceHere;
std::vector<Mutator> Mutators; Vector<Mutator> Mutators;
std::vector<Mutator> DefaultMutators; Vector<Mutator> DefaultMutators;
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

It would be nicer with fuzzer::vector -> Vector

vitalybuka: It would be nicer with fuzzer::vector -> Vector
george.karpenkovAuthorUnsubmitted
Not Done
ReplyInline Actions

I am not sure, Vector to me implies another datastructure. In any case, I have already committed the revision.

george.karpenkov: I am not sure, `Vector` to me implies another datastructure. In any case, I have already…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

It is another data structure and we use camel style for them.
So shorter more consistent naming would be nicer, but I will not insist.

vitalybuka: It is another data structure and we use camel style for them. So shorter more consistent naming…
}; };
} // namespace fuzzer } // namespace fuzzer
#endif // LLVM_FUZZER_MUTATE_H #endif // LLVM_FUZZER_MUTATE_H

compiler-rt/trunk/lib/fuzzer/FuzzerMutate.cpp

Show First 20 LinesShow All 460 Lines▼ Show 20 Lines for (auto DE : CurrentDictionaryEntrySequence) {
assert(DE->GetW().size()); assert(DE->GetW().size());
// Linear search is fine here as this happens seldom. // Linear search is fine here as this happens seldom.
if (!PersistentAutoDictionary.ContainsWord(DE->GetW())) if (!PersistentAutoDictionary.ContainsWord(DE->GetW()))
PersistentAutoDictionary.push_back({DE->GetW(), 1}); PersistentAutoDictionary.push_back({DE->GetW(), 1});
} }
} }
void MutationDispatcher::PrintRecommendedDictionary() { void MutationDispatcher::PrintRecommendedDictionary() {
std::vector<DictionaryEntry> V; Vector<DictionaryEntry> V;
for (auto &DE : PersistentAutoDictionary) for (auto &DE : PersistentAutoDictionary)
if (!ManualDictionary.ContainsWord(DE.GetW())) if (!ManualDictionary.ContainsWord(DE.GetW()))
V.push_back(DE); V.push_back(DE);
if (V.empty()) return; if (V.empty()) return;
Printf("###### Recommended dictionary. ######\n"); Printf("###### Recommended dictionary. ######\n");
for (auto &DE: V) { for (auto &DE: V) {
assert(DE.GetW().size()); assert(DE.GetW().size());
Printf("\""); Printf("\"");
Show All 23 Lines
size_t MutationDispatcher::DefaultMutate(uint8_t *Data, size_t Size, size_t MutationDispatcher::DefaultMutate(uint8_t *Data, size_t Size,
size_t MaxSize) { size_t MaxSize) {
return MutateImpl(Data, Size, MaxSize, DefaultMutators); return MutateImpl(Data, Size, MaxSize, DefaultMutators);
} }
// Mutates Data in place, returns new size. // Mutates Data in place, returns new size.
size_t MutationDispatcher::MutateImpl(uint8_t *Data, size_t Size, size_t MutationDispatcher::MutateImpl(uint8_t *Data, size_t Size,
size_t MaxSize, size_t MaxSize,
const std::vector<Mutator> &Mutators) { Vector<Mutator> &Mutators) {
assert(MaxSize > 0); assert(MaxSize > 0);
// Some mutations may fail (e.g. can't insert more bytes if Size == MaxSize), // Some mutations may fail (e.g. can't insert more bytes if Size == MaxSize),
// in which case they will return 0. // in which case they will return 0.
// Try several times before returning un-mutated data. // Try several times before returning un-mutated data.
for (int Iter = 0; Iter < 100; Iter++) { for (int Iter = 0; Iter < 100; Iter++) {
auto M = Mutators[Rand(Mutators.size())]; auto M = Mutators[Rand(Mutators.size())];
size_t NewSize = (this->*(M.Fn))(Data, Size, MaxSize); size_t NewSize = (this->*(M.Fn))(Data, Size, MaxSize);
if (NewSize && NewSize <= MaxSize) { if (NewSize && NewSize <= MaxSize) {
Show All 16 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.h

Show First 20 LinesShow All 153 Lines▼ Show 20 Linesprivate:
struct { const PCTableEntry *Start, *Stop; } ModulePCTable[4096]; struct { const PCTableEntry *Start, *Stop; } ModulePCTable[4096];
size_t NumPCTables; size_t NumPCTables;
size_t NumPCsInPCTables; size_t NumPCsInPCTables;
uint8_t *Counters() const; uint8_t *Counters() const;
uintptr_t *PCs() const; uintptr_t *PCs() const;
std::set<uintptr_t> ObservedPCs; Set<uintptr_t> ObservedPCs;
std::set<uintptr_t> ObservedFuncs; Set<uintptr_t> ObservedFuncs;
ValueBitMap ValueProfileMap; ValueBitMap ValueProfileMap;
uintptr_t InitialStack; uintptr_t InitialStack;
}; };
template <class Callback> template <class Callback>
// void Callback(size_t FirstFeature, size_t Idx, uint8_t Value); // void Callback(size_t FirstFeature, size_t Idx, uint8_t Value);
ATTRIBUTE_NO_SANITIZE_ALL ATTRIBUTE_NO_SANITIZE_ALL
▲ Show 20 LinesShow All 93 LinesShow Last 20 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.cpp

Show First 20 LinesShow All 215 Lines▼ Show 20 Lines if (!EF->__sanitizer_symbolize_pc ||
Printf("INFO: __sanitizer_symbolize_pc or " Printf("INFO: __sanitizer_symbolize_pc or "
"__sanitizer_get_module_and_offset_for_pc is not available," "__sanitizer_get_module_and_offset_for_pc is not available,"
" not printing coverage\n"); " not printing coverage\n");
return; return;
} }
Printf("COVERAGE:\n"); Printf("COVERAGE:\n");
std::string LastFunctionName = ""; std::string LastFunctionName = "";
std::string LastFileStr = ""; std::string LastFileStr = "";
std::set<size_t> UncoveredLines; Set<size_t> UncoveredLines;
std::set<size_t> CoveredLines; Set<size_t> CoveredLines;
auto FunctionEndCallback = [&](const std::string &CurrentFunc, auto FunctionEndCallback = [&](const std::string &CurrentFunc,
const std::string &CurrentFile) { const std::string &CurrentFile) {
if (LastFunctionName != CurrentFunc) { if (LastFunctionName != CurrentFunc) {
if (CoveredLines.empty() && !UncoveredLines.empty()) { if (CoveredLines.empty() && !UncoveredLines.empty()) {
Printf("UNCOVERED_FUNC: %s\n", LastFunctionName.c_str()); Printf("UNCOVERED_FUNC: %s\n", LastFunctionName.c_str());
} else { } else {
for (auto Line : UncoveredLines) { for (auto Line : UncoveredLines) {
Show All 31 Lines for (auto Ptr = M.Start; Ptr < M.Stop; Ptr++) {
UncoveredLines.insert(Line); UncoveredLines.insert(Line);
} }
} }
FunctionEndCallback("", ""); FunctionEndCallback("", "");
} }
void TracePC::DumpCoverage() { void TracePC::DumpCoverage() {
if (EF->__sanitizer_dump_coverage) { if (EF->__sanitizer_dump_coverage) {
std::vector<uintptr_t> PCsCopy(GetNumPCs()); Vector<uintptr_t> PCsCopy(GetNumPCs());
for (size_t i = 0; i < GetNumPCs(); i++) for (size_t i = 0; i < GetNumPCs(); i++)
PCsCopy[i] = PCs()[i] ? GetPreviousInstructionPc(PCs()[i]) : 0; PCsCopy[i] = PCs()[i] ? GetPreviousInstructionPc(PCs()[i]) : 0;
EF->__sanitizer_dump_coverage(PCsCopy.data(), PCsCopy.size()); EF->__sanitizer_dump_coverage(PCsCopy.data(), PCsCopy.size());
} }
} }
// Value profile. // Value profile.
// We keep track of various values that affect control flow. // We keep track of various values that affect control flow.
▲ Show 20 LinesShow All 313 LinesShow Last 20 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerUtil.h

Show First 20 LinesShow All 51 Lines▼ Show 20 Lines
int ExecuteCommand(const std::string &Command); int ExecuteCommand(const std::string &Command);
FILE *OpenProcessPipe(const char *Command, const char *Mode); FILE *OpenProcessPipe(const char *Command, const char *Mode);
const void *SearchMemory(const void *haystack, size_t haystacklen, const void *SearchMemory(const void *haystack, size_t haystacklen,
const void *needle, size_t needlelen); const void *needle, size_t needlelen);
std::string CloneArgsWithoutX(const std::vector<std::string> &Args, std::string CloneArgsWithoutX(const Vector<std::string> &Args,
const char *X1, const char *X2); const char *X1, const char *X2);
inline std::string CloneArgsWithoutX(const std::vector<std::string> &Args, inline std::string CloneArgsWithoutX(const Vector<std::string> &Args,
const char *X) { const char *X) {
return CloneArgsWithoutX(Args, X, X); return CloneArgsWithoutX(Args, X, X);
} }
inline std::pair<std::string, std::string> SplitBefore(std::string X, inline std::pair<std::string, std::string> SplitBefore(std::string X,
std::string S) { std::string S) {
auto Pos = S.find(X); auto Pos = S.find(X);
if (Pos == std::string::npos) if (Pos == std::string::npos)
Show All 13 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerUtil.cpp

Show First 20 LinesShow All 118 Lines▼ Show 20 Lines for (size_t Pos = L; Pos <= R; Pos++) {
} else { } else {
// Any other character. // Any other character.
U->push_back(V); U->push_back(V);
} }
} }
return true; return true;
} }
bool ParseDictionaryFile(const std::string &Text, std::vector<Unit> *Units) { bool ParseDictionaryFile(const std::string &Text, Vector<Unit> *Units) {
if (Text.empty()) { if (Text.empty()) {
Printf("ParseDictionaryFile: file does not exist or is empty\n"); Printf("ParseDictionaryFile: file does not exist or is empty\n");
return false; return false;
} }
std::istringstream ISS(Text); std::istringstream ISS(Text);
Units->clear(); Units->clear();
Unit U; Unit U;
int LineNo = 0; int LineNo = 0;
▲ Show 20 LinesShow All 80 LinesShow Last 20 Lines

compiler-rt/trunk/lib/fuzzer/tests/FuzzerUnittest.cpp

Show First 20 LinesShow All 66 Lines▼ Show 20 Lines Unit Expected[] = {
{ 0, 5, 1, 2, 6, 7 }, { 0, 5, 1, 2, 6, 7 },
{ 0, 5, 1, 6, 2, 7 }, { 0, 5, 1, 6, 2, 7 },
{ 0, 5, 1, 6, 7, 2 }, { 0, 5, 1, 6, 7, 2 },
{ 0, 5, 6, 1, 2, 7 }, { 0, 5, 6, 1, 2, 7 },
{ 0, 5, 6, 1, 7, 2 }, { 0, 5, 6, 1, 7, 2 },
{ 0, 5, 6, 7, 1, 2 } { 0, 5, 6, 7, 1, 2 }
}; };
for (size_t Len = 1; Len < 8; Len++) { for (size_t Len = 1; Len < 8; Len++) {
std::set<Unit> FoundUnits, ExpectedUnitsWitThisLength; Set<Unit> FoundUnits, ExpectedUnitsWitThisLength;
for (int Iter = 0; Iter < 3000; Iter++) { for (int Iter = 0; Iter < 3000; Iter++) {
C.resize(Len); C.resize(Len);
size_t NewSize = MD.CrossOver(A.data(), A.size(), B.data(), B.size(), size_t NewSize = MD.CrossOver(A.data(), A.size(), B.data(), B.size(),
C.data(), C.size()); C.data(), C.size());
C.resize(NewSize); C.resize(NewSize);
FoundUnits.insert(C); FoundUnits.insert(C);
} }
for (const Unit &U : Expected) for (const Unit &U : Expected)
▲ Show 20 LinesShow All 437 Lines▼ Show 20 LinesTEST(FuzzerDictionary, ParseOneDictionaryEntry) {
EXPECT_EQ(U, Unit({0xAB, 'z', 0xDE})); EXPECT_EQ(U, Unit({0xAB, 'z', 0xDE}));
EXPECT_TRUE(ParseOneDictionaryEntry("\"#\"", &U)); EXPECT_TRUE(ParseOneDictionaryEntry("\"#\"", &U));
EXPECT_EQ(U, Unit({'#'})); EXPECT_EQ(U, Unit({'#'}));
EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\"\"", &U)); EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\"\"", &U));
EXPECT_EQ(U, Unit({'"'})); EXPECT_EQ(U, Unit({'"'}));
} }
TEST(FuzzerDictionary, ParseDictionaryFile) { TEST(FuzzerDictionary, ParseDictionaryFile) {
std::vector<Unit> Units; Vector<Unit> Units;
EXPECT_FALSE(ParseDictionaryFile("zzz\n", &Units)); EXPECT_FALSE(ParseDictionaryFile("zzz\n", &Units));
EXPECT_FALSE(ParseDictionaryFile("", &Units)); EXPECT_FALSE(ParseDictionaryFile("", &Units));
EXPECT_TRUE(ParseDictionaryFile("\n", &Units)); EXPECT_TRUE(ParseDictionaryFile("\n", &Units));
EXPECT_EQ(Units.size(), 0U); EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile("#zzzz a b c d\n", &Units)); EXPECT_TRUE(ParseDictionaryFile("#zzzz a b c d\n", &Units));
EXPECT_EQ(Units.size(), 0U); EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units)); EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units));
EXPECT_EQ(Units.size(), 0U); EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units)); EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units));
EXPECT_EQ(Units.size(), 0U); EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile(" #zzzz\naaa=\"aa\"", &Units)); EXPECT_TRUE(ParseDictionaryFile(" #zzzz\naaa=\"aa\"", &Units));
EXPECT_EQ(Units, std::vector<Unit>({Unit({'a', 'a'})})); EXPECT_EQ(Units, Vector<Unit>({Unit({'a', 'a'})}));
EXPECT_TRUE( EXPECT_TRUE(
ParseDictionaryFile(" #zzzz\naaa=\"aa\"\n\nabc=\"abc\"", &Units)); ParseDictionaryFile(" #zzzz\naaa=\"aa\"\n\nabc=\"abc\"", &Units));
EXPECT_EQ(Units, EXPECT_EQ(Units,
std::vector<Unit>({Unit({'a', 'a'}), Unit({'a', 'b', 'c'})})); Vector<Unit>({Unit({'a', 'a'}), Unit({'a', 'b', 'c'})}));
} }
TEST(FuzzerUtil, Base64) { TEST(FuzzerUtil, Base64) {
EXPECT_EQ("", Base64({})); EXPECT_EQ("", Base64({}));
EXPECT_EQ("YQ==", Base64({'a'})); EXPECT_EQ("YQ==", Base64({'a'}));
EXPECT_EQ("eA==", Base64({'x'})); EXPECT_EQ("eA==", Base64({'x'}));
EXPECT_EQ("YWI=", Base64({'a', 'b'})); EXPECT_EQ("YWI=", Base64({'a', 'b'}));
EXPECT_EQ("eHk=", Base64({'x', 'y'})); EXPECT_EQ("eHk=", Base64({'x', 'y'}));
EXPECT_EQ("YWJj", Base64({'a', 'b', 'c'})); EXPECT_EQ("YWJj", Base64({'a', 'b', 'c'}));
EXPECT_EQ("eHl6", Base64({'x', 'y', 'z'})); EXPECT_EQ("eHl6", Base64({'x', 'y', 'z'}));
EXPECT_EQ("YWJjeA==", Base64({'a', 'b', 'c', 'x'})); EXPECT_EQ("YWJjeA==", Base64({'a', 'b', 'c', 'x'}));
EXPECT_EQ("YWJjeHk=", Base64({'a', 'b', 'c', 'x', 'y'})); EXPECT_EQ("YWJjeHk=", Base64({'a', 'b', 'c', 'x', 'y'}));
EXPECT_EQ("YWJjeHl6", Base64({'a', 'b', 'c', 'x', 'y', 'z'})); EXPECT_EQ("YWJjeHl6", Base64({'a', 'b', 'c', 'x', 'y', 'z'}));
} }
TEST(Corpus, Distribution) { TEST(Corpus, Distribution) {
Random Rand(0); Random Rand(0);
std::unique_ptr<InputCorpus> C(new InputCorpus("")); std::unique_ptr<InputCorpus> C(new InputCorpus(""));
size_t N = 10; size_t N = 10;
size_t TriesPerUnit = 1<<16; size_t TriesPerUnit = 1<<16;
for (size_t i = 0; i < N; i++) for (size_t i = 0; i < N; i++)
C->AddToCorpus(Unit{ static_cast<uint8_t>(i) }, 1, false, {}); C->AddToCorpus(Unit{ static_cast<uint8_t>(i) }, 1, false, {});
std::vector<size_t> Hist(N); Vector<size_t> Hist(N);
for (size_t i = 0; i < N * TriesPerUnit; i++) { for (size_t i = 0; i < N * TriesPerUnit; i++) {
Hist[C->ChooseUnitIdxToMutate(Rand)]++; Hist[C->ChooseUnitIdxToMutate(Rand)]++;
} }
for (size_t i = 0; i < N; i++) { for (size_t i = 0; i < N; i++) {
// A weak sanity check that every unit gets invoked. // A weak sanity check that every unit gets invoked.
EXPECT_GT(Hist[i], TriesPerUnit / N / 3); EXPECT_GT(Hist[i], TriesPerUnit / N / 3);
} }
} }
Show All 13 LinesTEST(Merge, Bad) {
}; };
Merger M; Merger M;
for (auto S : kInvalidInputs) { for (auto S : kInvalidInputs) {
// fprintf(stderr, "TESTING:\n%s\n", S); // fprintf(stderr, "TESTING:\n%s\n", S);
EXPECT_FALSE(M.Parse(S, false)); EXPECT_FALSE(M.Parse(S, false));
} }
} }
void EQ(const std::vector<uint32_t> &A, const std::vector<uint32_t> &B) { void EQ(const Vector<uint32_t> &A, const Vector<uint32_t> &B) {
EXPECT_EQ(A, B); EXPECT_EQ(A, B);
} }
void EQ(const std::vector<std::string> &A, const std::vector<std::string> &B) { void EQ(const Vector<std::string> &A, const Vector<std::string> &B) {
std::set<std::string> a(A.begin(), A.end()); Set<std::string> a(A.begin(), A.end());
std::set<std::string> b(B.begin(), B.end()); Set<std::string> b(B.begin(), B.end());
EXPECT_EQ(a, b); EXPECT_EQ(a, b);
} }
static void Merge(const std::string &Input, static void Merge(const std::string &Input,
const std::vector<std::string> Result, const Vector<std::string> Result,
size_t NumNewFeatures) { size_t NumNewFeatures) {
Merger M; Merger M;
std::vector<std::string> NewFiles; Vector<std::string> NewFiles;
EXPECT_TRUE(M.Parse(Input, true)); EXPECT_TRUE(M.Parse(Input, true));
std::stringstream SS; std::stringstream SS;
M.PrintSummary(SS); M.PrintSummary(SS);
EXPECT_EQ(NumNewFeatures, M.Merge(&NewFiles)); EXPECT_EQ(NumNewFeatures, M.Merge(&NewFiles));
EXPECT_EQ(M.AllFeatures(), M.ParseSummary(SS)); EXPECT_EQ(M.AllFeatures(), M.ParseSummary(SS));
EQ(NewFiles, Result); EQ(NewFiles, Result);
} }
Show All 31 LinesTEST(Merge, Good) {
EXPECT_EQ(M.Files[2].Name, "C"); EXPECT_EQ(M.Files[2].Name, "C");
EXPECT_EQ(M.Files[2].Size, 1002U); EXPECT_EQ(M.Files[2].Size, 1002U);
EXPECT_EQ(M.LastFailure, "C"); EXPECT_EQ(M.LastFailure, "C");
EXPECT_EQ(M.FirstNotProcessedFile, 3U); EXPECT_EQ(M.FirstNotProcessedFile, 3U);
EQ(M.Files[0].Features, {1, 2, 3}); EQ(M.Files[0].Features, {1, 2, 3});
EQ(M.Files[1].Features, {4, 5, 6}); EQ(M.Files[1].Features, {4, 5, 6});
std::vector<std::string> NewFiles; Vector<std::string> NewFiles;
EXPECT_TRUE(M.Parse("3\n2\nAA\nBB\nC\n" EXPECT_TRUE(M.Parse("3\n2\nAA\nBB\nC\n"
"STARTED 0 1000\nDONE 0 1 2 3\n" "STARTED 0 1000\nDONE 0 1 2 3\n"
"STARTED 1 1001\nDONE 1 4 5 6 \n" "STARTED 1 1001\nDONE 1 4 5 6 \n"
"STARTED 2 1002\nDONE 2 6 1 3 \n" "STARTED 2 1002\nDONE 2 6 1 3 \n"
"", true)); "", true));
EXPECT_EQ(M.Files.size(), 3U); EXPECT_EQ(M.Files.size(), 3U);
EXPECT_EQ(M.NumFilesInFirstCorpus, 2U); EXPECT_EQ(M.NumFilesInFirstCorpus, 2U);
Show All 18 LinesTEST(Merge, Good) {
// Same as the above, but with InitialFeatures. // Same as the above, but with InitialFeatures.
EXPECT_TRUE(M.Parse("2\n0\nB\nC\n" EXPECT_TRUE(M.Parse("2\n0\nB\nC\n"
"STARTED 0 1001\nDONE 0 4 5 6 \n" "STARTED 0 1001\nDONE 0 4 5 6 \n"
"STARTED 1 1002\nDONE 1 6 1 3\n" "STARTED 1 1002\nDONE 1 6 1 3\n"
"", true)); "", true));
EQ(M.Files[0].Features, {4, 5, 6}); EQ(M.Files[0].Features, {4, 5, 6});
EQ(M.Files[1].Features, {1, 3, 6}); EQ(M.Files[1].Features, {1, 3, 6});
EXPECT_EQ(3U, M.Merge({1, 2, 3}, &NewFiles)); Set<uint32_t> InitialFeatures;
InitialFeatures.insert(1);
InitialFeatures.insert(2);
InitialFeatures.insert(3);
EXPECT_EQ(3U, M.Merge(InitialFeatures, &NewFiles));
EQ(NewFiles, {"B"}); EQ(NewFiles, {"B"});
} }
TEST(Merge, Merge) { TEST(Merge, Merge) {
Merge("3\n1\nA\nB\nC\n" Merge("3\n1\nA\nB\nC\n"
"STARTED 0 1000\nDONE 0 1 2 3\n" "STARTED 0 1000\nDONE 0 1 2 3\n"
"STARTED 1 1001\nDONE 1 4 5 6 \n" "STARTED 1 1001\nDONE 1 4 5 6 \n"
Show All 29 Lines alignas(64) uint8_t Ar[N + 8] = {
0, 0, 3, 0, 4, 0, 0, 0, 0, 0, 3, 0, 4, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 5, 0, 6, 0, 0, 0, 0, 0, 5, 0, 6, 0, 0,
0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0, 7, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 8,
9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9,
}; };
typedef std::vector<std::pair<size_t, uint8_t> > Vec; typedef Vector<std::pair<size_t, uint8_t> > Vec;
Vec Res, Expected; Vec Res, Expected;
auto CB = [&](size_t FirstFeature, size_t Idx, uint8_t V) { auto CB = [&](size_t FirstFeature, size_t Idx, uint8_t V) {
Res.push_back({FirstFeature + Idx, V}); Res.push_back({FirstFeature + Idx, V});
}; };
ForEachNonZeroByte(Ar, Ar + N, 100, CB); ForEachNonZeroByte(Ar, Ar + N, 100, CB);
Expected = {{108, 1}, {109, 2}, {118, 3}, {120, 4}, Expected = {{108, 1}, {109, 2}, {118, 3}, {120, 4},
{135, 5}, {137, 6}, {146, 7}, {163, 8}}; {135, 5}, {137, 6}, {146, 7}, {163, 8}};
EXPECT_EQ(Res, Expected); EXPECT_EQ(Res, Expected);
Show All 18 Lines