This is an archive of the discontinued LLVM Phabricator instance.

Differential D47880

[Fuzzer] Afl driver changing iterations handling
ClosedPublic

Authored by devnexen on Jun 7 2018, 6:10 AM.

Details

Reviewers
morehouse
kcc
Commits
rG301855fb0d93: [Fuzzer] Afl driver changing iterations handling
rCRT334510: [Fuzzer] Afl driver changing iterations handling
rL334510: [Fuzzer] Afl driver changing iterations handling
Summary

Handling differently the iterations with type limit and eventually error message.

Diff Detail

Repository
rL LLVM

Event Timeline

devnexen created this revision.Jun 7 2018, 6:10 AM
morehouse added a reviewer: kcc.Jun 7 2018, 9:05 AM
morehouse added inline comments.
lib/fuzzer/afl/afl_driver.cpp
309 ↗(On Diff #150310)

Maybe next_char would be a more descriptive name here.

314 ↗(On Diff #150310)

Would it make more sense to just exit if iterations is invalid?

315 ↗(On Diff #150310)

Since the if-block returns, else is unnecessary here.

316 ↗(On Diff #150310)

Please use static_cast here.

devnexen added inline comments.Jun 7 2018, 9:10 AM
lib/fuzzer/afl/afl_driver.cpp
316 ↗(On Diff #150310)

I usually prefer indeed but was not sure if you prefered C's cast style. Ok will address all points.

devnexen updated this revision to Diff 150349.Jun 7 2018, 9:18 AM
kcc added a comment.Jun 7 2018, 2:39 PM

is this testable (somewhere in test/fuzzer/afl-driver*)?

devnexen updated this revision to Diff 150414.Jun 7 2018, 3:15 PM

To avoid breaking tests, not exiting directly but keeping the default to 1000.

kcc added inline comments.Jun 7 2018, 3:18 PM
test/fuzzer/afl-driver.test
31 ↗(On Diff #150414)

if you use "not" in the test command line you can have a test like that is expected to break

devnexen updated this revision to Diff 150422.Jun 7 2018, 3:42 PM
devnexen added a comment.Jun 11 2018, 6:15 AM

ping

morehouse added inline comments.Jun 11 2018, 10:17 AM
test/fuzzer/afl-driver.test
25 ↗(On Diff #150422)

Why have you changed these two lines?

devnexen added inline comments.Jun 11 2018, 1:12 PM
test/fuzzer/afl-driver.test
25 ↗(On Diff #150422)

Most likely because of the exit call. Without this, the previous test passes.

morehouse added inline comments.Jun 11 2018, 1:38 PM
test/fuzzer/afl-driver.test
25 ↗(On Diff #150422)

If I understand the code correctly, this should cause N to default to 1000. So I don't think exit should be called.

devnexen added inline comments.Jun 11 2018, 2:04 PM
test/fuzzer/afl-driver.test
25 ↗(On Diff #150422)

If I change the signature of set_iterations to return a value and bring back the else if (argc == 2 && ...) as it was the test passes somehow.

morehouse added inline comments.Jun 11 2018, 4:12 PM
test/fuzzer/afl-driver.test
25 ↗(On Diff #150422)

Ah, I see. The driver doesn't support specifying N with the deprecated call style. Let's move the deprecation warning to before the call to set_iterations, and change the above test to check for the deprecation warning + the iterations invalid warning.

devnexen updated this revision to Diff 150889.Jun 11 2018, 9:31 PM
devnexen added inline comments.
test/fuzzer/afl-driver.test
25 ↗(On Diff #150422)

I changed it as asked and realised it indeed exited, i.e the second warning (i.e iterations invalid) displays the path of the file as argument making the conversion to number failing for sure.

morehouse accepted this revision.Jun 12 2018, 8:44 AM
This revision is now accepted and ready to land.Jun 12 2018, 8:44 AM
Closed by commit rL334510: [Fuzzer] Afl driver changing iterations handling (authored by devnexen). · Explain WhyJun 12 2018, 8:54 AM
This revision was automatically updated to reflect the committed changes.
Herald added subscribers: llvm-commits, delcypher. · View Herald TranscriptJun 12 2018, 8:54 AM
metzman added a subscriber: metzman.Jul 10 2018, 12:57 PM

Reposting my comments here from https://reviews.llvm.org/D49141

I think this patch should be reverted.
It breaks afl_driver's command line interface by causing invocations such as ./fuzzer inputfile to fail.
I don't think this breakage was intentional since ./fuzzer inputfile1 inputfile2 still works and I don't think there is a reason to break this.
I've created a revert here: https://reviews.llvm.org/D49141

lib/fuzzer/afl/afl_driver.cpp
335 ↗(On Diff #150422)

I don't think (N = atoi(argv[1])) > 0) should have been removed.
It allowed a single file to be passed to afl_driver.

test/fuzzer/afl-driver.test
25 ↗(On Diff #150422)

I think changing this test was incorrect. The test verified that the command line interface worked a certain way.
Thus the test WAI if this patch causes it to fail.

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
fuzzer/
afl/
24 lines
test/
fuzzer/
11 lines

Diff 150957

compiler-rt/trunk/lib/fuzzer/afl/afl_driver.cpp

Show First 20 LinesShow All 53 Lines▼ Show 20 Lines
#include <signal.h> #include <signal.h>
#include <stdint.h> #include <stdint.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <sys/resource.h> #include <sys/resource.h>
#include <sys/time.h> #include <sys/time.h>
#include <unistd.h> #include <unistd.h>
#include <limits.h>
#include <fstream> #include <fstream>
#include <iostream> #include <iostream>
#include <vector> #include <vector>
// Platform detection. Copied from FuzzerInternal.h // Platform detection. Copied from FuzzerInternal.h
#ifdef __linux__ #ifdef __linux__
#define LIBFUZZER_LINUX 1 #define LIBFUZZER_LINUX 1
▲ Show 20 LinesShow All 230 Lines▼ Show 20 Lines for (int i = 1; i < argc; i++) {
assert(in); assert(in);
LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t *>(bytes.data()), LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t *>(bytes.data()),
bytes.size()); bytes.size());
std::cout << "Execution successful" << std::endl; std::cout << "Execution successful" << std::endl;
} }
return 0; return 0;
} }
static void set_iterations(int *N, const char *arg) {
char *next_char;
long NL = strtol(arg, &next_char, 10);
if (NL < 1 || NL > INT_MAX || *next_char != '\0') {
fprintf(stderr, "WARNING: iterations invalid `%s`\n",
arg);
::exit(-1);
}
*N = static_cast<int>(NL);
}
int main(int argc, char **argv) { int main(int argc, char **argv) {
fprintf(stderr, fprintf(stderr,
"======================= INFO =========================\n" "======================= INFO =========================\n"
"This binary is built for AFL-fuzz.\n" "This binary is built for AFL-fuzz.\n"
"To run the target function on individual input(s) execute this:\n" "To run the target function on individual input(s) execute this:\n"
" %s < INPUT_FILE\n" " %s < INPUT_FILE\n"
"or\n" "or\n"
" %s INPUT_FILE1 [INPUT_FILE2 ... ]\n" " %s INPUT_FILE1 [INPUT_FILE2 ... ]\n"
Show All 10 Linesint main(int argc, char **argv) {
maybe_duplicate_stderr(); maybe_duplicate_stderr();
maybe_initialize_extra_stats(); maybe_initialize_extra_stats();
if (!getenv("AFL_DRIVER_DONT_DEFER")) if (!getenv("AFL_DRIVER_DONT_DEFER"))
__afl_manual_init(); __afl_manual_init();
int N = 1000; int N = 1000;
if (argc == 2 && argv[1][0] == '-') if (argc == 2 && argv[1][0] == '-')
N = atoi(argv[1] + 1); set_iterations(&N, argv[1] + 1);
else if(argc == 2 && (N = atoi(argv[1])) > 0) else if(argc == 2) {
fprintf(stderr, "WARNING: using the deprecated call style `%s %d`\n", fprintf(stderr, "WARNING: using the deprecated call style `%s %d`\n",
argv[0], N); argv[0], N);
else if (argc > 1) set_iterations(&N, argv[1]);
} else if (argc > 1)
return ExecuteFilesOnyByOne(argc, argv); return ExecuteFilesOnyByOne(argc, argv);
assert(N > 0); assert(N > 0);
// Call LLVMFuzzerTestOneInput here so that coverage caused by initialization // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization
// on the first execution of LLVMFuzzerTestOneInput is ignored. // on the first execution of LLVMFuzzerTestOneInput is ignored.
uint8_t dummy_input[1] = {0}; uint8_t dummy_input[1] = {0};
LLVMFuzzerTestOneInput(dummy_input, 1); LLVMFuzzerTestOneInput(dummy_input, 1);
Show All 32 Lines

compiler-rt/trunk/test/fuzzer/afl-driver.test

Show All 15 Lines
RUN: %run %t-AFLDriverTest < %t.file3 666 2>&1 | FileCheck %s --check-prefix=CHECK3 RUN: %run %t-AFLDriverTest < %t.file3 666 2>&1 | FileCheck %s --check-prefix=CHECK3
CHECK3: WARNING: using the deprecated call style CHECK3: WARNING: using the deprecated call style
CHECK3: __afl_persistent_loop calle, Count = 666 CHECK3: __afl_persistent_loop calle, Count = 666
CHECK3: LLVMFuzzerTestOneInput called; Size = 3 CHECK3: LLVMFuzzerTestOneInput called; Size = 3
RUN: %run %t-AFLDriverTest %t.file3 2>&1 | FileCheck %s --check-prefix=CHECK4 RUN: not %run %t-AFLDriverTest %t.file3 2>&1 | FileCheck %s --check-prefix=CHECK4
CHECK4: LLVMFuzzerTestOneInput called; Size = 3 CHECK4: WARNING: using the deprecated call style `{{.*}} 1000`
CHECK4: WARNING: iterations invalid `{{.*}}`
RUN: %run %t-AFLDriverTest %t.file3 %t.file4 2>&1 | FileCheck %s --check-prefix=CHECK5 RUN: %run %t-AFLDriverTest %t.file3 %t.file4 2>&1 | FileCheck %s --check-prefix=CHECK5
CHECK5: LLVMFuzzerTestOneInput called; Size = 3 CHECK5: LLVMFuzzerTestOneInput called; Size = 3
CHECK5: LLVMFuzzerTestOneInput called; Size = 4 CHECK5: LLVMFuzzerTestOneInput called; Size = 4
RUN: not %run %t-AFLDriverTest < %t.file3 --1 2>&1 | FileCheck %s --check-prefix=CHECK6
CHECK6: WARNING: iterations invalid `-1`
RUN: not %run %t-AFLDriverTest < %t.file3 -Invalid 2>&1 | FileCheck %s --check-prefix=CHECK7
CHECK7: WARNING: iterations invalid `Invalid`