This is an archive of the discontinued LLVM Phabricator instance.

Differential D48509

Improve crash unwinding on Fuchsia
ClosedPublic

Authored by aarongreen on Jun 22 2018, 4:53 PM.

Details

Reviewers
kcc
mcgrathr
phosek
jfb
Commits
rG4915d3a1ec3e: [Fuzzer] Improve crash unwinding on Fuchsia
rL337418: [Fuzzer] Improve crash unwinding on Fuchsia
rCRT337418: [Fuzzer] Improve crash unwinding on Fuchsia
Summary

Fuchsia doesn't have signals; instead it expects processes to have a dedicated exception thread that binds to the process' exception port and waits for exception packets to be delivered. On the other hand, libFuzzer and sanitizer_common use expect to collect crash information via libunwind from the same thread that caused the exception.

The long term fix is to improve support for remote unwinding in libunbwind, plumb this through sanitizer_common and libFuzzer, and handle the exception exclusively on the exception thread. In the meantime, this revision has the exception thread "resurrect" the crashing thread by:

  • saving its general purpose register state onto the crashing thread's stack,
  • setting the crashing thread's program counter to an assembly trampoline with the CFI information needed by libunwind, and
  • resuming the crashed thread.

Diff Detail

Event Timeline

aarongreen created this revision.Jun 22 2018, 4:53 PM
Herald added a reviewer: jfb. · View Herald TranscriptJun 22 2018, 4:53 PM
Herald added subscribers: Restricted Project, llvm-commits, chrib. · View Herald Transcript
phosek added inline comments.Jun 25 2018, 5:51 PM
lib/fuzzer/FuzzerUtilFuchsia.cpp
82–83

Do you care about atexit hooks being executed? I think this should probably use _exit instead.

187

I'd use an explicit #elif defined(__aarch64__) and #error in the #else case. You never know when someone tries to compile this on some other architecture.

aarongreen updated this revision to Diff 153135.Jun 27 2018, 11:36 AM
aarongreen marked 2 inline comments as done.

Addressed Petr's comment, and modified the visibility of CrashTrampolineAsm and MakeTrampoline to suppress their warnings.

mcgrathr added a comment.Jul 10 2018, 5:12 PM

Almost there, but some nits.

lib/fuzzer/FuzzerUtilFuchsia.cpp
45

Clarify in the comment that this appears to have external linkage to C++ and that's why it's not in the anonymous namespace, but the assembly definition inside MakeTrampoline(), below, actually defines the symbol with internal linkage only.

63

You don't want this printf for the success case in production code.

84

typo: s/and/an/

86

typo: trailing slash should be period

91

Alternatively, Fuchsia may in future actually implement basic signal handling for the machine trap signals.

144

lr is not special, it's just an alias for x30 so I'd use OP_NUM(30) here.
Only sp (and pc) are really special.

159

This can use offsetof(..., r[num]) instead of local arithmetic. It's not standard but it works in Clang and GCC and always will.

165

Make this static (no extern "C") and pass it into the asm.

175

Clarify that this function is never really used as such and that's why the attribute is necessary.
It's just a container around the asm so it can use operands for compile-time computed constants.

178

No need for a variable here.

183

This can be ".cfi_startproc simple" because you supply all the details explicitly.

189

This can be "call %c[StaticCrashHandler]" with the operand being "i' (StaticCrashHandler).

196

This can be "bl %[StaticCrashHandler]" with the operand being "i' (StaticCrashHandler).
Make this the last operand and it solves to comma-eating problem too.

209

Just use "i" (0) here.

216

Can use initialized member decls and default constructor.
I'd make a ScopedHandle instead and just have two of them.

265

This should use __unsanitized_memcpy from <zircon/sanitizer.h>.
Otherwise it's theoretically possible for this thread to reenter the sanitizer runtime and that could go badly.

271

Also needs rounded down to modulo 16.

309–310

typo: s/its/it's/

aarongreen updated this revision to Diff 155374.Jul 13 2018, 6:52 AM
aarongreen marked 18 inline comments as done.

Addressed Roland's comments.

mcgrathr accepted this revision.Jul 14 2018, 12:30 AM

Looks great!

lib/fuzzer/FuzzerUtilFuchsia.cpp
182

superfluous ;

This revision is now accepted and ready to land.Jul 14 2018, 12:30 AM
aarongreen updated this revision to Diff 155717.Jul 16 2018, 10:47 AM
aarongreen marked an inline comment as done.

Scrubbed superfluous semicolon.

Closed by commit rCRT337418: [Fuzzer] Improve crash unwinding on Fuchsia (authored by phosek). · Explain WhyJul 18 2018, 12:25 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
fuzzer/
275 lines

Diff 156129

lib/fuzzer/FuzzerUtilFuchsia.cpp

Show All 19 Lines
#include <fcntl.h> #include <fcntl.h>
#include <lib/fdio/spawn.h> #include <lib/fdio/spawn.h>
#include <string> #include <string>
#include <sys/select.h> #include <sys/select.h>
#include <thread> #include <thread>
#include <unistd.h> #include <unistd.h>
#include <zircon/errors.h> #include <zircon/errors.h>
#include <zircon/process.h> #include <zircon/process.h>
#include <zircon/sanitizer.h>
#include <zircon/status.h> #include <zircon/status.h>
#include <zircon/syscalls.h> #include <zircon/syscalls.h>
#include <zircon/syscalls/debug.h>
#include <zircon/syscalls/exception.h>
#include <zircon/syscalls/port.h> #include <zircon/syscalls/port.h>
#include <zircon/types.h> #include <zircon/types.h>
namespace fuzzer { namespace fuzzer {
// Given that Fuchsia doesn't have the POSIX signals that libFuzzer was written
// around, the general approach is to spin up dedicated threads to watch for
// each requested condition (alarm, interrupt, crash). Of these, the crash
// handler is the most involved, as it requires resuming the crashed thread in
// order to invoke the sanitizers to get the needed state.
// Forward declaration of assembly trampoline needed to resume crashed threads.
// This appears to have external linkage to C++, which is why it's not in the
mcgrathrUnsubmitted
Done
ReplyInline Actions

Clarify in the comment that this appears to have external linkage to C++ and that's why it's not in the anonymous namespace, but the assembly definition inside MakeTrampoline(), below, actually defines the symbol with internal linkage only.

mcgrathr: Clarify in the comment that this appears to have external linkage to C++ and that's why it's…
// anonymous namespace. The assembly definition inside MakeTrampoline()
// actually defines the symbol with internal linkage only.
void CrashTrampolineAsm() __asm__("CrashTrampolineAsm");
namespace { namespace {
// A magic value for the Zircon exception port, chosen to spell 'FUZZING' // A magic value for the Zircon exception port, chosen to spell 'FUZZING'
// when interpreted as a byte sequence on little-endian platforms. // when interpreted as a byte sequence on little-endian platforms.
const uint64_t kFuzzingCrash = 0x474e495a5a5546; const uint64_t kFuzzingCrash = 0x474e495a5a5546;
// Helper function to handle Zircon syscall failures.
void ExitOnErr(zx_status_t Status, const char *Syscall) {
if (Status != ZX_OK) {
Printf("libFuzzer: %s failed: %s\n", Syscall,
_zx_status_get_string(Status));
exit(1);
}
}
mcgrathrUnsubmitted
Done
ReplyInline Actions

You don't want this printf for the success case in production code.

mcgrathr: You don't want this printf for the success case in production code.
void AlarmHandler(int Seconds) { void AlarmHandler(int Seconds) {
while (true) { while (true) {
SleepSeconds(Seconds); SleepSeconds(Seconds);
Fuzzer::StaticAlarmCallback(); Fuzzer::StaticAlarmCallback();
} }
} }
void InterruptHandler() { void InterruptHandler() {
fd_set readfds; fd_set readfds;
// Ctrl-C sends ETX in Zircon. // Ctrl-C sends ETX in Zircon.
do { do {
FD_ZERO(&readfds); FD_ZERO(&readfds);
FD_SET(STDIN_FILENO, &readfds); FD_SET(STDIN_FILENO, &readfds);
select(STDIN_FILENO + 1, &readfds, nullptr, nullptr, nullptr); select(STDIN_FILENO + 1, &readfds, nullptr, nullptr, nullptr);
} while(!FD_ISSET(STDIN_FILENO, &readfds) || getchar() != 0x03); } while(!FD_ISSET(STDIN_FILENO, &readfds) || getchar() != 0x03);
Fuzzer::StaticInterruptCallback(); Fuzzer::StaticInterruptCallback();
} }
void CrashHandler(zx_handle_t *Port) { // For the crash handler, we need to call Fuzzer::StaticCrashSignalCallback
phosekUnsubmitted
Done
ReplyInline Actions

Do you care about atexit hooks being executed? I think this should probably use _exit instead.

phosek: Do you care about `atexit` hooks being executed? I think this should probably use `_exit`…
std::unique_ptr<zx_handle_t> ExceptionPort(Port); // without POSIX signal handlers. To achieve this, we use an assembly function
mcgrathrUnsubmitted
Done
ReplyInline Actions

typo: s/and/an/

mcgrathr: typo: s/and/an/
zx_port_packet_t Packet; // to add the necessary CFI unwinding information and a C function to bridge
_zx_port_wait(*ExceptionPort, ZX_TIME_INFINITE, &Packet); // from that back into C++.
mcgrathrUnsubmitted
Done
ReplyInline Actions

typo: trailing slash should be period

mcgrathr: typo: trailing slash should be period
// Unbind as soon as possible so we don't receive exceptions from this thread.
if (_zx_task_bind_exception_port(ZX_HANDLE_INVALID, ZX_HANDLE_INVALID, // FIXME: This works as a short-term solution, but this code really shouldn't be
kFuzzingCrash, 0) != ZX_OK) { // architecture dependent. A better long term solution is to implement remote
// Shouldn't happen; if it does the safest option is to just exit. // unwinding and expose the necessary APIs through sanitizer_common and/or ASAN
Printf("libFuzzer: unable to unbind exception port; aborting!\n"); // to allow the exception handling thread to gather the crash state directly.
mcgrathrUnsubmitted
Done
ReplyInline Actions

Alternatively, Fuchsia may in future actually implement basic signal handling for the machine trap signals.

mcgrathr: Alternatively, Fuchsia may in future actually implement basic signal handling for the machine…
exit(1); //
// Alternatively, Fuchsia may in future actually implement basic signal
// handling for the machine trap signals.
#if defined(__x86_64__)
#define FOREACH_REGISTER(OP_REG, OP_NUM) \
OP_REG(rax) \
OP_REG(rbx) \
OP_REG(rcx) \
OP_REG(rdx) \
OP_REG(rsi) \
OP_REG(rdi) \
OP_REG(rbp) \
OP_REG(rsp) \
OP_REG(r8) \
OP_REG(r9) \
OP_REG(r10) \
OP_REG(r11) \
OP_REG(r12) \
OP_REG(r13) \
OP_REG(r14) \
OP_REG(r15) \
OP_REG(rip)
#elif defined(__aarch64__)
#define FOREACH_REGISTER(OP_REG, OP_NUM) \
OP_NUM(0) \
OP_NUM(1) \
OP_NUM(2) \
OP_NUM(3) \
OP_NUM(4) \
OP_NUM(5) \
OP_NUM(6) \
OP_NUM(7) \
OP_NUM(8) \
OP_NUM(9) \
OP_NUM(10) \
OP_NUM(11) \
OP_NUM(12) \
OP_NUM(13) \
OP_NUM(14) \
OP_NUM(15) \
OP_NUM(16) \
OP_NUM(17) \
OP_NUM(18) \
OP_NUM(19) \
OP_NUM(20) \
OP_NUM(21) \
OP_NUM(22) \
OP_NUM(23) \
OP_NUM(24) \
OP_NUM(25) \
OP_NUM(26) \
OP_NUM(27) \
mcgrathrUnsubmitted
Done
ReplyInline Actions

lr is not special, it's just an alias for x30 so I'd use OP_NUM(30) here.
Only sp (and pc) are really special.

mcgrathr: lr is not special, it's just an alias for x30 so I'd use OP_NUM(30) here. Only sp (and pc) are…
OP_NUM(28) \
OP_NUM(29) \
OP_NUM(30) \
OP_REG(sp)
#else
#error "Unsupported architecture for fuzzing on Fuchsia"
#endif
// Produces a CFI directive for the named or numbered register.
#define CFI_OFFSET_REG(reg) ".cfi_offset " #reg ", %c[" #reg "]\n"
#define CFI_OFFSET_NUM(num) CFI_OFFSET_REG(r##num)
// Produces an assembler input operand for the named or numbered register.
#define ASM_OPERAND_REG(reg) \
mcgrathrUnsubmitted
Done
ReplyInline Actions

This can use offsetof(..., r[num]) instead of local arithmetic. It's not standard but it works in Clang and GCC and always will.

mcgrathr: This can use offsetof(..., r[num]) instead of local arithmetic. It's not standard but it works…
[reg] "i"(offsetof(zx_thread_state_general_regs_t, reg)),
#define ASM_OPERAND_NUM(num) \
[r##num] "i"(offsetof(zx_thread_state_general_regs_t, r[num])),
// Trampoline to bridge from the assembly below to the static C++ crash
// callback.
mcgrathrUnsubmitted
Done
ReplyInline Actions

Make this static (no extern "C") and pass it into the asm.

mcgrathr: Make this static (no extern "C") and pass it into the asm.
__attribute__((noreturn))
static void StaticCrashHandler() {
Fuzzer::StaticCrashSignalCallback();
for (;;) {
_Exit(1);
} }
if (Packet.key != kFuzzingCrash) {
Printf("libFuzzer: invalid crash key: %" PRIx64 "; aborting!\n",
Packet.key);
exit(1);
} }
// CrashCallback should not return from this call
Fuzzer::StaticCrashSignalCallback(); // Creates the trampoline with the necessary CFI information to unwind through
// to the crashing call stack. The attribute is necessary because the function
mcgrathrUnsubmitted
Done
ReplyInline Actions

Clarify that this function is never really used as such and that's why the attribute is necessary.
It's just a container around the asm so it can use operands for compile-time computed constants.

mcgrathr: Clarify that this function is never really used as such and that's why the attribute is…
// is never called; it's just a container around the assembly to allow it to
// use operands for compile-time computed constants.
__attribute__((used))
mcgrathrUnsubmitted
Done
ReplyInline Actions

No need for a variable here.

mcgrathr: No need for a variable here.
void MakeTrampoline() {
__asm__(".cfi_endproc\n"
".pushsection .text.CrashTrampolineAsm\n"
".type CrashTrampolineAsm,STT_FUNC\n"
mcgrathrUnsubmitted
Done
ReplyInline Actions

superfluous ;

mcgrathr: superfluous ;
"CrashTrampolineAsm:\n"
mcgrathrUnsubmitted
Done
ReplyInline Actions

This can be ".cfi_startproc simple" because you supply all the details explicitly.

mcgrathr: This can be ".cfi_startproc simple" because you supply all the details explicitly.
".cfi_startproc simple\n"
".cfi_signal_frame\n"
#if defined(__x86_64__)
".cfi_return_column rip\n"
phosekUnsubmitted
Done
ReplyInline Actions

I'd use an explicit #elif defined(__aarch64__) and #error in the #else case. You never know when someone tries to compile this on some other architecture.

phosek: I'd use an explicit `#elif defined(__aarch64__)` and `#error` in the `#else` case. You never…
".cfi_def_cfa rsp, 0\n"
FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
mcgrathrUnsubmitted
Done
ReplyInline Actions

This can be "call %c[StaticCrashHandler]" with the operand being "i' (StaticCrashHandler).

mcgrathr: This can be "call %c[StaticCrashHandler]" with the operand being "i' (StaticCrashHandler).
"call %c[StaticCrashHandler]\n"
"ud2\n"
#elif defined(__aarch64__)
".cfi_return_column 33\n"
".cfi_def_cfa sp, 0\n"
".cfi_offset 33, %c[pc]\n"
FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
mcgrathrUnsubmitted
Done
ReplyInline Actions

This can be "bl %[StaticCrashHandler]" with the operand being "i' (StaticCrashHandler).
Make this the last operand and it solves to comma-eating problem too.

mcgrathr: This can be "bl %[StaticCrashHandler]" with the operand being "i' (StaticCrashHandler). Make…
"bl %[StaticCrashHandler]\n"
#else
#error "Unsupported architecture for fuzzing on Fuchsia"
#endif
".cfi_endproc\n"
".size CrashTrampolineAsm, . - CrashTrampolineAsm\n"
".popsection\n"
".cfi_startproc\n"
: // No outputs
: FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM)
#if defined(__aarch64__)
ASM_OPERAND_REG(pc)
#endif
mcgrathrUnsubmitted
Done
ReplyInline Actions

Just use "i" (0) here.

mcgrathr: Just use "i" (0) here.
[StaticCrashHandler] "i" (StaticCrashHandler));
}
void CrashHandler(zx_handle_t *Event) {
// This structure is used to ensure we close handles to objects we create in
// this handler.
struct ScopedHandle {
mcgrathrUnsubmitted
Done
ReplyInline Actions

Can use initialized member decls and default constructor.
I'd make a ScopedHandle instead and just have two of them.

mcgrathr: Can use initialized member decls and default constructor. I'd make a ScopedHandle instead and…
~ScopedHandle() { _zx_handle_close(Handle); }
zx_handle_t Handle = ZX_HANDLE_INVALID;
};
// Create and bind the exception port. We need to claim to be a "debugger" so
// the kernel will allow us to modify and resume dying threads (see below).
// Once the port is set, we can signal the main thread to continue and wait
// for the exception to arrive.
ScopedHandle Port;
ExitOnErr(_zx_port_create(0, &Port.Handle), "_zx_port_create");
zx_handle_t Self = _zx_process_self();
ExitOnErr(_zx_task_bind_exception_port(Self, Port.Handle, kFuzzingCrash,
ZX_EXCEPTION_PORT_DEBUGGER),
"_zx_task_bind_exception_port");
ExitOnErr(_zx_object_signal(*Event, 0, ZX_USER_SIGNAL_0),
"_zx_object_signal");
zx_port_packet_t Packet;
ExitOnErr(_zx_port_wait(Port.Handle, ZX_TIME_INFINITE, &Packet),
"_zx_port_wait");
// At this point, we want to get the state of the crashing thread, but
// libFuzzer and the sanitizers assume this will happen from that same thread
// via a POSIX signal handler. "Resurrecting" the thread in the middle of the
// appropriate callback is as simple as forcibly setting the instruction
// pointer/program counter, provided we NEVER EVER return from that function
// (since otherwise our stack will not be valid).
ScopedHandle Thread;
ExitOnErr(_zx_object_get_child(Self, Packet.exception.tid,
ZX_RIGHT_SAME_RIGHTS, &Thread.Handle),
"_zx_object_get_child");
zx_thread_state_general_regs_t GeneralRegisters;
ExitOnErr(_zx_thread_read_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
&GeneralRegisters, sizeof(GeneralRegisters)),
"_zx_thread_read_state");
// To unwind properly, we need to push the crashing thread's register state
// onto the stack and jump into a trampoline with CFI instructions on how
// to restore it.
#if defined(__x86_64__)
uintptr_t StackPtr =
(GeneralRegisters.rsp - (128 + sizeof(GeneralRegisters))) &
-(uintptr_t)16;
__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
sizeof(GeneralRegisters));
GeneralRegisters.rsp = StackPtr;
mcgrathrUnsubmitted
Done
ReplyInline Actions

This should use __unsanitized_memcpy from <zircon/sanitizer.h>.
Otherwise it's theoretically possible for this thread to reenter the sanitizer runtime and that could go badly.

mcgrathr: This should use __unsanitized_memcpy from <zircon/sanitizer.h>. Otherwise it's theoretically…
GeneralRegisters.rip = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
#elif defined(__aarch64__)
uintptr_t StackPtr =
(GeneralRegisters.sp - sizeof(GeneralRegisters)) & -(uintptr_t)16;
__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
mcgrathrUnsubmitted
Done
ReplyInline Actions

Also needs rounded down to modulo 16.

mcgrathr: Also needs rounded down to modulo 16.
sizeof(GeneralRegisters));
GeneralRegisters.sp = StackPtr;
GeneralRegisters.pc = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
#else
#error "Unsupported architecture for fuzzing on Fuchsia"
#endif
// Now force the crashing thread's state.
ExitOnErr(_zx_thread_write_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
&GeneralRegisters, sizeof(GeneralRegisters)),
"_zx_thread_write_state");
ExitOnErr(_zx_task_resume_from_exception(Thread.Handle, Port.Handle, 0),
"_zx_task_resume_from_exception");
} }
} // namespace } // namespace
// Platform specific functions. // Platform specific functions.
void SetSignalHandler(const FuzzingOptions &Options) { void SetSignalHandler(const FuzzingOptions &Options) {
zx_status_t rc;
// Set up alarm handler if needed. // Set up alarm handler if needed.
if (Options.UnitTimeoutSec > 0) { if (Options.UnitTimeoutSec > 0) {
std::thread T(AlarmHandler, Options.UnitTimeoutSec / 2 + 1); std::thread T(AlarmHandler, Options.UnitTimeoutSec / 2 + 1);
T.detach(); T.detach();
} }
// Set up interrupt handler if needed. // Set up interrupt handler if needed.
if (Options.HandleInt || Options.HandleTerm) { if (Options.HandleInt || Options.HandleTerm) {
std::thread T(InterruptHandler); std::thread T(InterruptHandler);
T.detach(); T.detach();
} }
// Early exit if no crash handler needed. // Early exit if no crash handler needed.
if (!Options.HandleSegv && !Options.HandleBus && !Options.HandleIll && if (!Options.HandleSegv && !Options.HandleBus && !Options.HandleIll &&
!Options.HandleFpe && !Options.HandleAbrt) !Options.HandleFpe && !Options.HandleAbrt)
return; return;
// Create an exception port // Set up the crash handler and wait until it is ready before proceeding.
mcgrathrUnsubmitted
Done
ReplyInline Actions

typo: s/its/it's/

mcgrathr: typo: s/its/it's/
zx_handle_t *ExceptionPort = new zx_handle_t; zx_handle_t Event;
if ((rc = _zx_port_create(0, ExceptionPort)) != ZX_OK) { ExitOnErr(_zx_event_create(0, &Event), "_zx_event_create");
Printf("libFuzzer: zx_port_create failed: %s\n", _zx_status_get_string(rc));
exit(1); std::thread T(CrashHandler, &Event);
} zx_status_t Status =
_zx_object_wait_one(Event, ZX_USER_SIGNAL_0, ZX_TIME_INFINITE, nullptr);
// Bind the port to receive exceptions from our process _zx_handle_close(Event);
if ((rc = _zx_task_bind_exception_port(_zx_process_self(), *ExceptionPort, ExitOnErr(Status, "_zx_object_wait_one");
kFuzzingCrash, 0)) != ZX_OK) {
Printf("libFuzzer: unable to bind exception port: %s\n",
_zx_status_get_string(rc));
exit(1);
}
// Set up the crash handler.
std::thread T(CrashHandler, ExceptionPort);
T.detach(); T.detach();
} }
void SleepSeconds(int Seconds) { void SleepSeconds(int Seconds) {
_zx_nanosleep(_zx_deadline_after(ZX_SEC(Seconds))); _zx_nanosleep(_zx_deadline_after(ZX_SEC(Seconds)));
} }
unsigned long GetPid() { unsigned long GetPid() {
zx_status_t rc; zx_status_t rc;
zx_info_handle_basic_t Info; zx_info_handle_basic_t Info;
if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_HANDLE_BASIC, &Info, if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_HANDLE_BASIC, &Info,
sizeof(Info), NULL, NULL)) != ZX_OK) { sizeof(Info), NULL, NULL)) != ZX_OK) {
Printf("libFuzzer: unable to get info about self: %s\n", Printf("libFuzzer: unable to get info about self: %s\n",
_zx_status_get_string(rc)); _zx_status_get_string(rc));
exit(1); exit(1);
} }
return Info.koid; return Info.koid;
} }
size_t GetPeakRSSMb() { size_t GetPeakRSSMb() {
zx_status_t rc; zx_status_t rc;
zx_info_task_stats_t Info; zx_info_task_stats_t Info;
if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_TASK_STATS, &Info, if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_TASK_STATS, &Info,
sizeof(Info), NULL, NULL)) != ZX_OK) { sizeof(Info), NULL, NULL)) != ZX_OK) {
Printf("libFuzzer: unable to get info about self: %s\n", Printf("libFuzzer: unable to get info about self: %s\n",
_zx_status_get_string(rc)); _zx_status_get_string(rc));
exit(1); exit(1);
} }
return (Info.mem_private_bytes + Info.mem_shared_bytes) >> 20; return (Info.mem_private_bytes + Info.mem_shared_bytes) >> 20;
} }
template <typename Fn> template <typename Fn>
▲ Show 20 LinesShow All 113 LinesShow Last 20 Lines