This is an archive of the discontinued LLVM Phabricator instance.

Differential D60980

[libFuzzer] Replace -seed_corpus to better support fork mode on Win
ClosedPublic

Authored by metzman on Apr 22 2019, 2:42 PM.

Details

Reviewers
kcc
morehouse
Commits
rGf3ee97731eb5: [libFuzzer] Replace -seed_corpus to better support fork mode on Win
rCRT359610: [libFuzzer] Replace -seed_corpus to better support fork mode on Win
rL359610: [libFuzzer] Replace -seed_corpus to better support fork mode on Win
Summary

Pass seed corpus list in a file to get around argument length limits on Windows.
This limit was preventing many uses of fork mode on Windows.

Diff Detail

Repository
rL LLVM

Event Timeline

metzman created this revision.Apr 22 2019, 2:42 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptApr 22 2019, 2:42 PM
Herald added subscribers: llvm-commits, Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B30849: Diff 196135.Apr 22 2019, 2:42 PM
metzman planned changes to this revision.Apr 22 2019, 2:46 PM

I'm going to add a test for this.

metzman updated this revision to Diff 196153.Apr 22 2019, 4:16 PM

Add test

metzman updated this revision to Diff 196154.Apr 22 2019, 4:16 PM
  • improve comment
Harbormaster completed remote builds in B30857: Diff 196153.Apr 22 2019, 4:17 PM
Harbormaster completed remote builds in B30858: Diff 196154.
metzman updated this revision to Diff 196165.Apr 22 2019, 6:22 PM
metzman marked 2 inline comments as done.
  • undo accidental
compiler-rt/lib/fuzzer/FuzzerDriver.cpp
771 ↗(On Diff #196154)

Removing the file is somewhat hostile to users but is the best way to prevent the accumulation of files in fork mode.
Since the primary purpose of -seed_inputs_file is for fork mode, I think this is acceptable. Thoughts?

compiler-rt/test/fuzzer/cross_over.test
18 ↗(On Diff #196154)

The reason why I do this hacky python thing is because echo leaves a trailing newline and printf didn't work well with the percent formatting.
Is it OK to use python for this purpose (I think python is necessary to run lit commands anyway)?
If not, I can use echo so long as I end with a trailing ,, that way the last seed input is "\n" instead of a newline being added to a filename we actually care about. Does this sound better than the python hack?

metzman added reviewers: kcc, morehouse.Apr 22 2019, 6:24 PM

PTAL.
This change allows fork mode to be used reasonably on Win.

Harbormaster completed remote builds in B30864: Diff 196165.Apr 22 2019, 6:26 PM
metzman retitled this revision from [fuzzer] Replace -seed_corpus with -seed_corpus_file to [libFuzzer] Replace -seed_corpus with -seed_corpus_file.Apr 23 2019, 5:12 AM
metzman edited the summary of this revision. (Show Details)

More context is here: https://github.com/google/clusterfuzz/issues/267

metzman retitled this revision from [libFuzzer] Replace -seed_corpus with -seed_corpus_file to [libFuzzer] Replace -seed_corpus to better support fork mode on Win.Apr 24 2019, 8:51 AM
metzman edited the summary of this revision. (Show Details)
kcc added inline comments.Apr 25 2019, 5:56 PM
compiler-rt/lib/fuzzer/FuzzerDriver.cpp
771 ↗(On Diff #196154)

A bit too hostile indeed, and in this case the file is deleted by a process that didn't create it, making it more confusing.
I'd prefer to delete the file in the same place we delete other temporary files for a child.

compiler-rt/lib/fuzzer/FuzzerFlags.def
23 ↗(On Diff #196165)

I found this flag to be useful by itself, outside the fork mode, so instead of replacing it with a new flag,
I'd suggest enhancing it's behavior:

  • --seed_inputs=aaa,bbb keeps working as is
  • --seed_inputs=@file_path reads the list from the file
compiler-rt/lib/fuzzer/FuzzerFork.cpp
126 ↗(On Diff #196165)

for readability, I'd prefer to introduce another variant of WriteToFile:

void WriteToFile(const std::string &Str, const std::string &Path);
compiler-rt/test/fuzzer/cross_over.test
18 ↗(On Diff #196154)

no need to change this test with the change I proposed.

compiler-rt/test/fuzzer/seed_inputs_file.test
4 ↗(On Diff #196165)

will echo -n work in this case?
python is indeed a bit unwelcome where.

metzman marked an inline comment as done.Apr 29 2019, 10:17 AM
metzman added inline comments.
compiler-rt/lib/fuzzer/FuzzerFlags.def
23 ↗(On Diff #196165)

So that "@" will be necessary to distinguish between a case where we want to use one seed and a case where we want to use the file as the seed list?

kcc added inline comments.Apr 29 2019, 11:25 AM
compiler-rt/lib/fuzzer/FuzzerFlags.def
23 ↗(On Diff #196165)

Yes.
W/o @ the current behavior is preserved: the argument is a comma-separated list of seeds.
W/ @ the argument (with @ stripped) will be treated as a file name, which contains the comma-separated list of seeds

metzman updated this revision to Diff 197345.Apr 30 2019, 8:36 AM
metzman marked 10 inline comments as done.
  • change name of test
  • Get list argument working again
  • combine code
  • rename
  • Use old method
Harbormaster completed remote builds in B31162: Diff 197345.Apr 30 2019, 8:36 AM
metzman updated this revision to Diff 197346.Apr 30 2019, 8:39 AM
  • improve comments
Harbormaster completed remote builds in B31163: Diff 197346.Apr 30 2019, 8:39 AM
metzman added inline comments.Apr 30 2019, 8:57 AM
compiler-rt/lib/fuzzer/FuzzerDriver.cpp
771 ↗(On Diff #196154)

Done.

compiler-rt/lib/fuzzer/FuzzerFlags.def
23 ↗(On Diff #196165)

Done. Please let me know if you think the help message needs work.

compiler-rt/lib/fuzzer/FuzzerFork.cpp
126 ↗(On Diff #196165)

Done.

compiler-rt/test/fuzzer/cross_over.test
18 ↗(On Diff #196154)

Undid this change and the one in len_control.

compiler-rt/test/fuzzer/seed_inputs_file.test
4 ↗(On Diff #196165)

Yeah good suggestion, that's much better. For some reason I thought it wouldn't work on Windows.

kcc accepted this revision.Apr 30 2019, 9:41 AM

LGTM with several nits.

compiler-rt/lib/fuzzer/FuzzerDriver.cpp
771 ↗(On Diff #197346)

plz make this if-else more compact (no {}, comments on the same line)

compiler-rt/lib/fuzzer/FuzzerFlags.def
24 ↗(On Diff #197346)

"of input files" repeated twice?

compiler-rt/test/fuzzer/seed_inputs.test
3 ↗(On Diff #197346)

replace with CHECK: then remove all --check-prefix

13 ↗(On Diff #197346)

terminate the file with a newline

This revision is now accepted and ready to land.Apr 30 2019, 9:41 AM
metzman updated this revision to Diff 197369.Apr 30 2019, 10:29 AM
metzman marked 5 inline comments as done.
  • fmt
  • fix nits
  • fmt
Harbormaster completed remote builds in B31171: Diff 197369.Apr 30 2019, 10:29 AM
metzman updated this revision to Diff 197372.Apr 30 2019, 10:40 AM
metzman marked an inline comment as done.
  • ideal but test failing
  • fix issue
metzman updated this revision to Diff 197373.Apr 30 2019, 10:42 AM
  • remove extra newline
Harbormaster completed remote builds in B31172: Diff 197372.Apr 30 2019, 10:43 AM
Harbormaster completed remote builds in B31173: Diff 197373.
metzman added inline comments.Apr 30 2019, 10:43 AM
compiler-rt/test/fuzzer/seed_inputs.test
3 ↗(On Diff #197346)

I added a test to ensure we handle a single file correctly instead.

metzman updated this revision to Diff 197375.Apr 30 2019, 10:53 AM
  • use new format
Harbormaster completed remote builds in B31175: Diff 197375.Apr 30 2019, 10:58 AM
metzman updated this revision to Diff 197389.Apr 30 2019, 11:37 AM
  • only use @ in argument
Harbormaster completed remote builds in B31180: Diff 197389.Apr 30 2019, 11:42 AM
metzman updated this revision to Diff 197391.Apr 30 2019, 11:42 AM
This comment was removed by metzman.
Harbormaster completed remote builds in B31181: Diff 197391.Apr 30 2019, 11:42 AM
metzman updated this revision to Diff 197393.Apr 30 2019, 11:44 AM
  • fix bug
Harbormaster completed remote builds in B31182: Diff 197393.Apr 30 2019, 11:44 AM
metzman updated this revision to Diff 197396.Apr 30 2019, 11:57 AM
  • Make LF fail if no seed list
Harbormaster completed remote builds in B31183: Diff 197396.Apr 30 2019, 11:57 AM
metzman updated this revision to Diff 197397.Apr 30 2019, 12:00 PM
  • Add more tests to verify we catch empty lists
Harbormaster completed remote builds in B31184: Diff 197397.Apr 30 2019, 12:02 PM
metzman added a comment.Apr 30 2019, 12:03 PM

@kcc I've changed things so that libFuzzer will fail if the argument to -seed_inputs is a non existent file or is empty? What do you think of this change?

metzman updated this revision to Diff 197399.Apr 30 2019, 12:03 PM
  • add newline
Harbormaster completed remote builds in B31185: Diff 197399.Apr 30 2019, 12:05 PM
kcc accepted this revision.Apr 30 2019, 12:07 PM

LGTM

compiler-rt/lib/fuzzer/FuzzerDriver.cpp
776 ↗(On Diff #197399)

use exit(1) instead

metzman updated this revision to Diff 197400.Apr 30 2019, 12:09 PM
  • improve error message and look for it in tests
Harbormaster completed remote builds in B31186: Diff 197400.Apr 30 2019, 12:10 PM
metzman updated this revision to Diff 197401.Apr 30 2019, 12:11 PM
  • improve message
Harbormaster completed remote builds in B31187: Diff 197401.Apr 30 2019, 12:12 PM
metzman updated this revision to Diff 197404.Apr 30 2019, 12:13 PM
  • use exit(1)
Harbormaster completed remote builds in B31188: Diff 197404.Apr 30 2019, 12:13 PM
metzman updated this revision to Diff 197405.Apr 30 2019, 12:15 PM
  • add missing period
Harbormaster completed remote builds in B31189: Diff 197405.Apr 30 2019, 12:17 PM
Closed by commit rL359610: [libFuzzer] Replace -seed_corpus to better support fork mode on Win (authored by metzman). · Explain WhyApr 30 2019, 1:57 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: delcypher. · View Herald TranscriptApr 30 2019, 1:57 PM

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
fuzzer/
23 lines
3 lines
9 lines
2 lines
5 lines
test/
fuzzer/
24 lines

Diff 197434

compiler-rt/trunk/lib/fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 757 Lines▼ Show 20 Lines if (Flags.analyze_dict) {
if (AnalyzeDictionary(F, Dictionary, InitialCorpus)) { if (AnalyzeDictionary(F, Dictionary, InitialCorpus)) {
Printf("Dictionary analysis failed\n"); Printf("Dictionary analysis failed\n");
exit(1); exit(1);
} }
Printf("Dictionary analysis succeeded\n"); Printf("Dictionary analysis succeeded\n");
exit(0); exit(0);
} }
// Parse -seed_inputs=file1,file2,... // Parse -seed_inputs=file1,file2,... or -seed_inputs=@seed_inputs_file
Vector<std::string> ExtraSeedFiles; Vector<std::string> ExtraSeedFiles;
if (Flags.seed_inputs) { if (Flags.seed_inputs) {
std::string s = Flags.seed_inputs; std::string SeedInputs;
size_t comma_pos; if (Flags.seed_inputs[0] == '@')
while ((comma_pos = s.find_last_of(',')) != std::string::npos) { SeedInputs = FileToString(Flags.seed_inputs + 1); // File contains list.
ExtraSeedFiles.push_back(s.substr(comma_pos + 1)); else
s = s.substr(0, comma_pos); SeedInputs = Flags.seed_inputs; // seed_inputs contains the list.
if (SeedInputs.empty()) {
Printf("seed_inputs is empty or @file does not exist.\n");
exit(1);
}
// Parse SeedInputs.
size_t comma_pos = 0;
while ((comma_pos = SeedInputs.find_last_of(',')) != std::string::npos) {
ExtraSeedFiles.push_back(SeedInputs.substr(comma_pos + 1));
SeedInputs = SeedInputs.substr(0, comma_pos);
} }
ExtraSeedFiles.push_back(s); ExtraSeedFiles.push_back(SeedInputs);
} }
F->Loop(*Inputs, ExtraSeedFiles); F->Loop(*Inputs, ExtraSeedFiles);
if (Flags.verbosity) if (Flags.verbosity)
Printf("Done %zd runs in %zd second(s)\n", F->getTotalNumberOfRuns(), Printf("Done %zd runs in %zd second(s)\n", F->getTotalNumberOfRuns(),
F->secondsSinceProcessStartUp()); F->secondsSinceProcessStartUp());
F->PrintFinalStats(); F->PrintFinalStats();
exit(0); // Don't let F destroy itself. exit(0); // Don't let F destroy itself.
} }
// Storage for global ExternalFunctions object. // Storage for global ExternalFunctions object.
ExternalFunctions *EF = nullptr; ExternalFunctions *EF = nullptr;
} // namespace fuzzer } // namespace fuzzer

compiler-rt/trunk/lib/fuzzer/FuzzerFlags.def

Show All 15 Lines
FUZZER_FLAG_INT(max_len, 0, "Maximum length of the test input. " FUZZER_FLAG_INT(max_len, 0, "Maximum length of the test input. "
"If 0, libFuzzer tries to guess a good value based on the corpus " "If 0, libFuzzer tries to guess a good value based on the corpus "
"and reports it. ") "and reports it. ")
FUZZER_FLAG_INT(len_control, 100, "Try generating small inputs first, " FUZZER_FLAG_INT(len_control, 100, "Try generating small inputs first, "
"then try larger inputs over time. Specifies the rate at which the length " "then try larger inputs over time. Specifies the rate at which the length "
"limit is increased (smaller == faster). If 0, immediately try inputs with " "limit is increased (smaller == faster). If 0, immediately try inputs with "
"size up to max_len.") "size up to max_len.")
FUZZER_FLAG_STRING(seed_inputs, "A comma-separated list of input files " FUZZER_FLAG_STRING(seed_inputs, "A comma-separated list of input files "
"to use as an additional seed corpus") "to use as an additional seed corpus. Alternatively, an \"@\" followed by "
"the name of a file containing the comma-seperated list.")
FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.") FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.")
FUZZER_FLAG_INT(mutate_depth, 5, FUZZER_FLAG_INT(mutate_depth, 5,
"Apply this number of consecutive mutations to each input.") "Apply this number of consecutive mutations to each input.")
FUZZER_FLAG_INT(reduce_depth, 0, "Experimental/internal. " FUZZER_FLAG_INT(reduce_depth, 0, "Experimental/internal. "
"Reduce depth if mutations lose unique features") "Reduce depth if mutations lose unique features")
FUZZER_FLAG_INT(shuffle, 1, "Shuffle inputs at startup") FUZZER_FLAG_INT(shuffle, 1, "Shuffle inputs at startup")
FUZZER_FLAG_INT(prefer_small, 1, FUZZER_FLAG_INT(prefer_small, 1,
"If 1, always prefer smaller inputs during the corpus shuffle.") "If 1, always prefer smaller inputs during the corpus shuffle.")
▲ Show 20 LinesShow All 125 LinesShow Last 20 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp

Show First 20 LinesShow All 60 Lines▼ Show 20 Lines
} }
struct FuzzJob { struct FuzzJob {
// Inputs. // Inputs.
Command Cmd; Command Cmd;
std::string CorpusDir; std::string CorpusDir;
std::string FeaturesDir; std::string FeaturesDir;
std::string LogPath; std::string LogPath;
std::string SeedListPath;
std::string CFPath; std::string CFPath;
// Fuzzing Outputs. // Fuzzing Outputs.
int ExitCode; int ExitCode;
~FuzzJob() { ~FuzzJob() {
RemoveFile(CFPath); RemoveFile(CFPath);
RemoveFile(LogPath); RemoveFile(LogPath);
RemoveFile(SeedListPath);
RmDirRecursive(CorpusDir); RmDirRecursive(CorpusDir);
RmDirRecursive(FeaturesDir); RmDirRecursive(FeaturesDir);
} }
}; };
struct GlobalEnv { struct GlobalEnv {
Vector<std::string> Args; Vector<std::string> Args;
Vector<std::string> CorpusDirs; Vector<std::string> CorpusDirs;
Show All 31 Lines FuzzJob *CreateNewJob(size_t JobId) {
auto Job = new FuzzJob; auto Job = new FuzzJob;
std::string Seeds; std::string Seeds;
if (size_t CorpusSubsetSize = if (size_t CorpusSubsetSize =
std::min(Files.size(), (size_t)sqrt(Files.size() + 2))) std::min(Files.size(), (size_t)sqrt(Files.size() + 2)))
for (size_t i = 0; i < CorpusSubsetSize; i++) for (size_t i = 0; i < CorpusSubsetSize; i++)
Seeds += (Seeds.empty() ? "" : ",") + Seeds += (Seeds.empty() ? "" : ",") +
Files[Rand->SkewTowardsLast(Files.size())]; Files[Rand->SkewTowardsLast(Files.size())];
if (!Seeds.empty()) if (!Seeds.empty()) {
Cmd.addFlag("seed_inputs", Seeds); Job->SeedListPath = std::to_string(JobId) + ".seeds";
WriteToFile(Seeds, Job->SeedListPath);
Cmd.addFlag("seed_inputs", "@" + Job->SeedListPath);
}
Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log"); Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log");
Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId)); Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId));
Job->FeaturesDir = DirPlusFile(TempDir, "F" + std::to_string(JobId)); Job->FeaturesDir = DirPlusFile(TempDir, "F" + std::to_string(JobId));
Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge"); Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge");
Cmd.addArgument(Job->CorpusDir); Cmd.addArgument(Job->CorpusDir);
Cmd.addFlag("features_dir", Job->FeaturesDir); Cmd.addFlag("features_dir", Job->FeaturesDir);
▲ Show 20 LinesShow All 222 LinesShow Last 20 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerIO.h

Show All 19 Lines
Unit FileToVector(const std::string &Path, size_t MaxSize = 0, Unit FileToVector(const std::string &Path, size_t MaxSize = 0,
bool ExitOnError = true); bool ExitOnError = true);
std::string FileToString(const std::string &Path); std::string FileToString(const std::string &Path);
void CopyFileToErr(const std::string &Path); void CopyFileToErr(const std::string &Path);
void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path); void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path);
// Write Data.c_str() to the file without terminating null character.
void WriteToFile(const std::string &Data, const std::string &Path);
void WriteToFile(const Unit &U, const std::string &Path); void WriteToFile(const Unit &U, const std::string &Path);
void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V, void ReadDirToVectorOfUnits(const char *Path, Vector<Unit> *V,
long *Epoch, size_t MaxSize, bool ExitOnError); long *Epoch, size_t MaxSize, bool ExitOnError);
// Returns "Dir/FileName" or equivalent for the current OS. // Returns "Dir/FileName" or equivalent for the current OS.
std::string DirPlusFile(const std::string &DirPath, std::string DirPlusFile(const std::string &DirPath,
const std::string &FileName); const std::string &FileName);
▲ Show 20 LinesShow All 71 LinesShow Last 20 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerIO.cpp

Show First 20 LinesShow All 58 Lines▼ Show 20 Lines
void CopyFileToErr(const std::string &Path) { void CopyFileToErr(const std::string &Path) {
Printf("%s", FileToString(Path).c_str()); Printf("%s", FileToString(Path).c_str());
} }
void WriteToFile(const Unit &U, const std::string &Path) { void WriteToFile(const Unit &U, const std::string &Path) {
WriteToFile(U.data(), U.size(), Path); WriteToFile(U.data(), U.size(), Path);
} }
void WriteToFile(const std::string &Data, const std::string &Path) {
WriteToFile(reinterpret_cast<const uint8_t *>(Data.c_str()), Data.size(),
Path);
}
void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path) { void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path) {
// Use raw C interface because this function may be called from a sig handler. // Use raw C interface because this function may be called from a sig handler.
FILE *Out = fopen(Path.c_str(), "wb"); FILE *Out = fopen(Path.c_str(), "wb");
if (!Out) return; if (!Out) return;
fwrite(Data, sizeof(Data[0]), Size, Out); fwrite(Data, sizeof(Data[0]), Size, Out);
fclose(Out); fclose(Out);
} }
▲ Show 20 LinesShow All 80 LinesShow Last 20 Lines

compiler-rt/trunk/test/fuzzer/seed_inputs.test

RUN: %cpp_compiler %S/SimpleTest.cpp -o %t-SimpleTest
USE-1: INFO: seed corpus: files: 1
RUN: echo -n "%t-SimpleTest" > %t.seed-inputs
# Test both formats of -seed_inputs argument.
RUN: %run %t-SimpleTest -runs=1 -seed_inputs=@%t.seed-inputs 2>&1 | FileCheck %s --check-prefix=USE-1
RUN: %run %t-SimpleTest -runs=1 -seed_inputs=%t-SimpleTest 2>&1 | FileCheck %s --check-prefix=USE-1
USE-2: INFO: seed corpus: files: 2
RUN: echo -n "%t-SimpleTest,%t-SimpleTest" > %t.seed-inputs
RUN: %run %t-SimpleTest -runs=1 -seed_inputs=@%t.seed-inputs 2>&1 | FileCheck %s --check-prefix=USE-2
RUN: %run %t-SimpleTest -runs=1 -seed_inputs=%t-SimpleTest,%t-SimpleTest 2>&1 | FileCheck %s --check-prefix=USE-2
# Test that missing files and trailing commas are tolerated.
RUN: echo -n "%t-SimpleTest,%t-SimpleTest,nonexistent-file," > %t.seed-inputs
RUN: %run %t-SimpleTest -runs=1 -seed_inputs=@%t.seed-inputs 2>&1 | FileCheck %s --check-prefix=USE-2
RUN: %run %t-SimpleTest -runs=1 -seed_inputs=%t-SimpleTest,%t-SimpleTest,nonexistent-file, 2>&1 | FileCheck %s --check-prefix=USE-2
# Test that using a non existent file or an empty seed list fails.
EMPTY: seed_inputs is empty or @file does not exist.
RUN: not %run %t-SimpleTest -runs=1 -seed_inputs=@nonexistent-file 2>&1 | FileCheck %s --check-prefix=EMPTY
RUN: echo -n "" > %t.seed-inputs
RUN: not %run %t-SimpleTest -runs=1 -seed_inputs=@%t.seed-inputs 2>&1 | FileCheck %s --check-prefix=EMPTY
RUN: not %run %t-SimpleTest -runs=1 -seed_inputs= 2>&1 | FileCheck %s --check-prefix=EMPTY