This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/
-
lib/fuzzer/
-
fuzzer/
4/5
FuzzerDriver.cpp
5/5
FuzzerFlags.def
2/2
FuzzerFork.cpp
-
FuzzerIO.h
-
FuzzerIO.cpp
-
test/fuzzer/
-
fuzzer/
3/3
seed_inputs.test

Differential D60980

[libFuzzer] Replace -seed_corpus to better support fork mode on Win
ClosedPublic

Authored by metzman on Apr 22 2019, 2:42 PM.

Download Raw Diff

Details

Reviewers

kcc
morehouse

Commits

rGf3ee97731eb5: [libFuzzer] Replace -seed_corpus to better support fork mode on Win
rCRT359610: [libFuzzer] Replace -seed_corpus to better support fork mode on Win
rL359610: [libFuzzer] Replace -seed_corpus to better support fork mode on Win

Summary

Pass seed corpus list in a file to get around argument length limits on Windows.
This limit was preventing many uses of fork mode on Windows.

Diff Detail

Repository

rG LLVM Github Monorepo

Build Status

Buildable 31171
Build 31170: arc lint + arc unit

Event Timeline

metzman created this revision.Apr 22 2019, 2:42 PM

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptApr 22 2019, 2:42 PM

Herald added subscribers: llvm-commits, Restricted Project. · View Herald Transcript

Harbormaster completed remote builds in B30849: Diff 196135.Apr 22 2019, 2:42 PM

I'm going to add a test for this.

Add test

improve comment

Harbormaster completed remote builds in B30857: Diff 196153.Apr 22 2019, 4:17 PM

Harbormaster completed remote builds in B30858: Diff 196154.

undo accidental

compiler-rt/lib/fuzzer/FuzzerDriver.cpp
784	Removing the file is somewhat hostile to users but is the best way to prevent the accumulation of files in fork mode. Since the primary purpose of -seed_inputs_file is for fork mode, I think this is acceptable. Thoughts?
compiler-rt/test/fuzzer/cross_over.test
18 ↗	(On Diff #196154)	The reason why I do this hacky python thing is because echo leaves a trailing newline and printf didn't work well with the percent formatting. Is it OK to use python for this purpose (I think python is necessary to run lit commands anyway)? If not, I can use `echo` so long as I end with a trailing `,`, that way the last seed input is "\n" instead of a newline being added to a filename we actually care about. Does this sound better than the python hack?

PTAL.
This change allows fork mode to be used reasonably on Win.

Harbormaster completed remote builds in B30864: Diff 196165.Apr 22 2019, 6:26 PM

More context is here: https://github.com/google/clusterfuzz/issues/267

metzman retitled this revision from [libFuzzer] Replace -seed_corpus with -seed_corpus_file to [libFuzzer] Replace -seed_corpus to better support fork mode on Win.Apr 24 2019, 8:51 AM

metzman edited the summary of this revision. (Show Details)

kcc added inline comments.Apr 25 2019, 5:56 PM

compiler-rt/lib/fuzzer/FuzzerDriver.cpp
784	A bit too hostile indeed, and in this case the file is deleted by a process that didn't create it, making it more confusing. I'd prefer to delete the file in the same place we delete other temporary files for a child.
compiler-rt/lib/fuzzer/FuzzerFlags.def
24–25	I found this flag to be useful by itself, outside the fork mode, so instead of replacing it with a new flag, I'd suggest enhancing it's behavior: --seed_inputs=aaa,bbb keeps working as is --seed_inputs=@file_path reads the list from the file
compiler-rt/lib/fuzzer/FuzzerFork.cpp
128	for readability, I'd prefer to introduce another variant of WriteToFile: void WriteToFile(const std::string &Str, const std::string &Path);
compiler-rt/test/fuzzer/cross_over.test
18 ↗	(On Diff #196154)	no need to change this test with the change I proposed.
compiler-rt/test/fuzzer/seed_inputs_file.test
4 ↗	(On Diff #196165)	will echo -n work in this case? python is indeed a bit unwelcome where.

metzman marked an inline comment as done.Apr 29 2019, 10:17 AM

metzman added inline comments.

compiler-rt/lib/fuzzer/FuzzerFlags.def
24–25	So that "@" will be necessary to distinguish between a case where we want to use one seed and a case where we want to use the file as the seed list?

kcc added inline comments.Apr 29 2019, 11:25 AM

compiler-rt/lib/fuzzer/FuzzerFlags.def
24–25	Yes. W/o @ the current behavior is preserved: the argument is a comma-separated list of seeds. W/ @ the argument (with @ stripped) will be treated as a file name, which contains the comma-separated list of seeds

change name of test
Get list argument working again
combine code
rename
Use old method

Harbormaster completed remote builds in B31162: Diff 197345.Apr 30 2019, 8:36 AM

improve comments

Harbormaster completed remote builds in B31163: Diff 197346.Apr 30 2019, 8:39 AM

metzman added inline comments.Apr 30 2019, 8:57 AM

compiler-rt/lib/fuzzer/FuzzerDriver.cpp
784	Done.
compiler-rt/lib/fuzzer/FuzzerFlags.def
24–25	Done. Please let me know if you think the help message needs work.
compiler-rt/lib/fuzzer/FuzzerFork.cpp
128	Done.
compiler-rt/test/fuzzer/cross_over.test
18 ↗	(On Diff #196154)	Undid this change and the one in len_control.
compiler-rt/test/fuzzer/seed_inputs_file.test
4 ↗	(On Diff #196165)	Yeah good suggestion, that's much better. For some reason I thought it wouldn't work on Windows.

LGTM with several nits.

compiler-rt/lib/fuzzer/FuzzerDriver.cpp
771	plz make this if-else more compact (no {}, comments on the same line)
compiler-rt/lib/fuzzer/FuzzerFlags.def
24–25	"of input files" repeated twice?
compiler-rt/test/fuzzer/seed_inputs.test
4	replace with CHECK: then remove all --check-prefix
18	terminate the file with a newline

This revision is now accepted and ready to land.Apr 30 2019, 9:41 AM

fmt
fix nits
fmt

Harbormaster completed remote builds in B31171: Diff 197369.Apr 30 2019, 10:29 AM

ideal but test failing
fix issue

remove extra newline

Harbormaster completed remote builds in B31172: Diff 197372.Apr 30 2019, 10:43 AM

Harbormaster completed remote builds in B31173: Diff 197373.

metzman added inline comments.Apr 30 2019, 10:43 AM

compiler-rt/test/fuzzer/seed_inputs.test
4	I added a test to ensure we handle a single file correctly instead.

use new format

Harbormaster completed remote builds in B31175: Diff 197375.Apr 30 2019, 10:58 AM

only use @ in argument

Harbormaster completed remote builds in B31180: Diff 197389.Apr 30 2019, 11:42 AM

metzman updated this revision to Diff 197391.Apr 30 2019, 11:42 AM

This comment was removed by metzman.

Harbormaster completed remote builds in B31181: Diff 197391.Apr 30 2019, 11:42 AM

fix bug

Harbormaster completed remote builds in B31182: Diff 197393.Apr 30 2019, 11:44 AM

Make LF fail if no seed list

Harbormaster completed remote builds in B31183: Diff 197396.Apr 30 2019, 11:57 AM

Add more tests to verify we catch empty lists

Harbormaster completed remote builds in B31184: Diff 197397.Apr 30 2019, 12:02 PM

@kcc I've changed things so that libFuzzer will fail if the argument to -seed_inputs is a non existent file or is empty? What do you think of this change?

add newline

Harbormaster completed remote builds in B31185: Diff 197399.Apr 30 2019, 12:05 PM

LGTM

compiler-rt/lib/fuzzer/FuzzerDriver.cpp
784	use exit(1) instead

improve error message and look for it in tests

Harbormaster completed remote builds in B31186: Diff 197400.Apr 30 2019, 12:10 PM

improve message

Harbormaster completed remote builds in B31187: Diff 197401.Apr 30 2019, 12:12 PM

use exit(1)

Harbormaster completed remote builds in B31188: Diff 197404.Apr 30 2019, 12:13 PM

add missing period

Harbormaster completed remote builds in B31189: Diff 197405.Apr 30 2019, 12:17 PM

Closed by commit rL359610: [libFuzzer] Replace -seed_corpus to better support fork mode on Win (authored by metzman). · Explain WhyApr 30 2019, 1:57 PM

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: delcypher. · View Herald TranscriptApr 30 2019, 1:57 PM

Revision Contents

Path

Size

compiler-rt/

lib/

fuzzer/

18 lines

3 lines

9 lines

2 lines

5 lines

test/

fuzzer/

seed_inputs.test

17 lines

Diff 197369

compiler-rt/lib/fuzzer/FuzzerDriver.cpp

Show First 20 Lines • Show All 757 Lines • ▼ Show 20 Lines	if (Flags.analyze_dict) {
if (AnalyzeDictionary(F, Dictionary, InitialCorpus)) {		if (AnalyzeDictionary(F, Dictionary, InitialCorpus)) {
Printf("Dictionary analysis failed\n");		Printf("Dictionary analysis failed\n");
exit(1);		exit(1);
}		}
Printf("Dictionary analysis succeeded\n");		Printf("Dictionary analysis succeeded\n");
exit(0);		exit(0);
}		}

// Parse -seed_inputs=file1,file2,...		// Parse -seed_inputs=file1,file2,... or -seed_inputs=@seed_inputs_file
Vector<std::string> ExtraSeedFiles;		Vector<std::string> ExtraSeedFiles;

if (Flags.seed_inputs) {		if (Flags.seed_inputs) {
std::string s = Flags.seed_inputs;		std::string SeedInputs;
		if (Flags.seed_inputs[0] == '@')
		kccUnsubmitted Done Reply Inline Actions plz make this if-else more compact (no {}, comments on the same line) kcc: plz make this if-else more compact (no {}, comments on the same line)
		SeedInputs = FileToString(Flags.seed_inputs + 1); // File contains list.
		else
		SeedInputs = Flags.seed_inputs; // seed_inputs contains the list.
		// Parse SeedInputs.
size_t comma_pos;		size_t comma_pos;
while ((comma_pos = s.find_last_of(',')) != std::string::npos) {		while ((comma_pos = SeedInputs.find_last_of(',')) != std::string::npos) {
ExtraSeedFiles.push_back(s.substr(comma_pos + 1));		ExtraSeedFiles.push_back(SeedInputs.substr(comma_pos + 1));
s = s.substr(0, comma_pos);		SeedInputs = SeedInputs.substr(0, comma_pos);
}		}
ExtraSeedFiles.push_back(s);		ExtraSeedFiles.push_back(SeedInputs);
}		}

F->Loop(*Inputs, ExtraSeedFiles);		F->Loop(*Inputs, ExtraSeedFiles);
		metzmanAuthorUnsubmitted Done Reply Inline Actions Removing the file is somewhat hostile to users but is the best way to prevent the accumulation of files in fork mode. Since the primary purpose of -seed_inputs_file is for fork mode, I think this is acceptable. Thoughts? metzman: Removing the file is somewhat hostile to users but is the best way to prevent the accumulation…
		kccUnsubmitted Done Reply Inline Actions A bit too hostile indeed, and in this case the file is deleted by a process that didn't create it, making it more confusing. I'd prefer to delete the file in the same place we delete other temporary files for a child. kcc: A bit too hostile indeed, and in this case the file is deleted by a process that didn't create…
		metzmanAuthorUnsubmitted Done Reply Inline Actions Done. metzman: Done.
		kccUnsubmitted Not Done Reply Inline Actions use exit(1) instead kcc: use exit(1) instead

if (Flags.verbosity)		if (Flags.verbosity)
Printf("Done %zd runs in %zd second(s)\n", F->getTotalNumberOfRuns(),		Printf("Done %zd runs in %zd second(s)\n", F->getTotalNumberOfRuns(),
F->secondsSinceProcessStartUp());		F->secondsSinceProcessStartUp());
F->PrintFinalStats();		F->PrintFinalStats();

exit(0); // Don't let F destroy itself.		exit(0); // Don't let F destroy itself.
}		}

// Storage for global ExternalFunctions object.		// Storage for global ExternalFunctions object.
ExternalFunctions *EF = nullptr;		ExternalFunctions *EF = nullptr;

} // namespace fuzzer		} // namespace fuzzer

compiler-rt/lib/fuzzer/FuzzerFlags.def

	Show All 15 Lines
	FUZZER_FLAG_INT(max_len, 0, "Maximum length of the test input. "			FUZZER_FLAG_INT(max_len, 0, "Maximum length of the test input. "
	"If 0, libFuzzer tries to guess a good value based on the corpus "			"If 0, libFuzzer tries to guess a good value based on the corpus "
	"and reports it. ")			"and reports it. ")
	FUZZER_FLAG_INT(len_control, 100, "Try generating small inputs first, "			FUZZER_FLAG_INT(len_control, 100, "Try generating small inputs first, "
	"then try larger inputs over time. Specifies the rate at which the length "			"then try larger inputs over time. Specifies the rate at which the length "
	"limit is increased (smaller == faster). If 0, immediately try inputs with "			"limit is increased (smaller == faster). If 0, immediately try inputs with "
	"size up to max_len.")			"size up to max_len.")
	FUZZER_FLAG_STRING(seed_inputs, "A comma-separated list of input files "			FUZZER_FLAG_STRING(seed_inputs, "A comma-separated list of input files "
	"to use as an additional seed corpus")			"to use as an additional seed corpus. Alternatively, an \"@\" followed by "
				"the name of a file containing the comma-seperated list.")
				kccUnsubmitted Done Reply Inline Actions I found this flag to be useful by itself, outside the fork mode, so instead of replacing it with a new flag, I'd suggest enhancing it's behavior: --seed_inputs=aaa,bbb keeps working as is --seed_inputs=@file_path reads the list from the file kcc: I found this flag to be useful by itself, outside the fork mode, so instead of replacing it…
				metzmanAuthorUnsubmitted Done Reply Inline Actions So that "@" will be necessary to distinguish between a case where we want to use one seed and a case where we want to use the file as the seed list? metzman: So that "@" will be necessary to distinguish between a case where we want to use one seed and a…
				kccUnsubmitted Done Reply Inline Actions Yes. W/o @ the current behavior is preserved: the argument is a comma-separated list of seeds. W/ @ the argument (with @ stripped) will be treated as a file name, which contains the comma-separated list of seeds kcc: Yes. W/o @ the current behavior is preserved: the argument is a comma-separated list of seeds.
				metzmanAuthorUnsubmitted Done Reply Inline Actions Done. Please let me know if you think the help message needs work. metzman: Done. Please let me know if you think the help message needs work.
				kccUnsubmitted Done Reply Inline Actions "of input files" repeated twice? kcc: "of input files" repeated twice?
	FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.")			FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.")
	FUZZER_FLAG_INT(mutate_depth, 5,			FUZZER_FLAG_INT(mutate_depth, 5,
	"Apply this number of consecutive mutations to each input.")			"Apply this number of consecutive mutations to each input.")
	FUZZER_FLAG_INT(reduce_depth, 0, "Experimental/internal. "			FUZZER_FLAG_INT(reduce_depth, 0, "Experimental/internal. "
	"Reduce depth if mutations lose unique features")			"Reduce depth if mutations lose unique features")
	FUZZER_FLAG_INT(shuffle, 1, "Shuffle inputs at startup")			FUZZER_FLAG_INT(shuffle, 1, "Shuffle inputs at startup")
	FUZZER_FLAG_INT(prefer_small, 1,			FUZZER_FLAG_INT(prefer_small, 1,
	"If 1, always prefer smaller inputs during the corpus shuffle.")			"If 1, always prefer smaller inputs during the corpus shuffle.")
	▲ Show 20 Lines • Show All 125 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerFork.cpp

Show First 20 Lines • Show All 60 Lines • ▼ Show 20 Lines
}		}

struct FuzzJob {		struct FuzzJob {
// Inputs.		// Inputs.
Command Cmd;		Command Cmd;
std::string CorpusDir;		std::string CorpusDir;
std::string FeaturesDir;		std::string FeaturesDir;
std::string LogPath;		std::string LogPath;
		std::string SeedListPath;
std::string CFPath;		std::string CFPath;

// Fuzzing Outputs.		// Fuzzing Outputs.
int ExitCode;		int ExitCode;

~FuzzJob() {		~FuzzJob() {
RemoveFile(CFPath);		RemoveFile(CFPath);
RemoveFile(LogPath);		RemoveFile(LogPath);
		RemoveFile(SeedListPath);
RmDirRecursive(CorpusDir);		RmDirRecursive(CorpusDir);
RmDirRecursive(FeaturesDir);		RmDirRecursive(FeaturesDir);
}		}
};		};

struct GlobalEnv {		struct GlobalEnv {
Vector<std::string> Args;		Vector<std::string> Args;
Vector<std::string> CorpusDirs;		Vector<std::string> CorpusDirs;
Show All 31 Lines	FuzzJob *CreateNewJob(size_t JobId) {

auto Job = new FuzzJob;		auto Job = new FuzzJob;
std::string Seeds;		std::string Seeds;
if (size_t CorpusSubsetSize =		if (size_t CorpusSubsetSize =
std::min(Files.size(), (size_t)sqrt(Files.size() + 2)))		std::min(Files.size(), (size_t)sqrt(Files.size() + 2)))
for (size_t i = 0; i < CorpusSubsetSize; i++)		for (size_t i = 0; i < CorpusSubsetSize; i++)
Seeds += (Seeds.empty() ? "" : ",") +		Seeds += (Seeds.empty() ? "" : ",") +
Files[Rand->SkewTowardsLast(Files.size())];		Files[Rand->SkewTowardsLast(Files.size())];
if (!Seeds.empty())		if (!Seeds.empty()) {
Cmd.addFlag("seed_inputs", Seeds);		Job->SeedListPath = std::to_string(JobId) + ".seeds";
		WriteToFile(Seeds, Job->SeedListPath);
		kccUnsubmitted Done Reply Inline Actions for readability, I'd prefer to introduce another variant of WriteToFile: void WriteToFile(const std::string &Str, const std::string &Path); kcc: for readability, I'd prefer to introduce another variant of WriteToFile: void WriteToFile…
		metzmanAuthorUnsubmitted Done Reply Inline Actions Done. metzman: Done.
		Cmd.addFlag("seed_inputs", Job->SeedListPath);
		}
Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log");		Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log");
Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId));		Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId));
Job->FeaturesDir = DirPlusFile(TempDir, "F" + std::to_string(JobId));		Job->FeaturesDir = DirPlusFile(TempDir, "F" + std::to_string(JobId));
Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge");		Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge");


Cmd.addArgument(Job->CorpusDir);		Cmd.addArgument(Job->CorpusDir);
Cmd.addFlag("features_dir", Job->FeaturesDir);		Cmd.addFlag("features_dir", Job->FeaturesDir);
▲ Show 20 Lines • Show All 222 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerIO.h

	Show All 19 Lines
	Unit FileToVector(const std::string &Path, size_t MaxSize = 0,			Unit FileToVector(const std::string &Path, size_t MaxSize = 0,
	bool ExitOnError = true);			bool ExitOnError = true);

	std::string FileToString(const std::string &Path);			std::string FileToString(const std::string &Path);

	void CopyFileToErr(const std::string &Path);			void CopyFileToErr(const std::string &Path);

	void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path);			void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path);
				// Write Data.c_str() to the file without terminating null character.
				void WriteToFile(const std::string &Data, const std::string &Path);
	void WriteToFile(const Unit &U, const std::string &Path);			void WriteToFile(const Unit &U, const std::string &Path);

	void ReadDirToVectorOfUnits(const char Path, Vector<Unit> V,			void ReadDirToVectorOfUnits(const char Path, Vector<Unit> V,
	long *Epoch, size_t MaxSize, bool ExitOnError);			long *Epoch, size_t MaxSize, bool ExitOnError);

	// Returns "Dir/FileName" or equivalent for the current OS.			// Returns "Dir/FileName" or equivalent for the current OS.
	std::string DirPlusFile(const std::string &DirPath,			std::string DirPlusFile(const std::string &DirPath,
	const std::string &FileName);			const std::string &FileName);
	▲ Show 20 Lines • Show All 71 Lines • Show Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerIO.cpp

	Show First 20 Lines • Show All 58 Lines • ▼ Show 20 Lines
	void CopyFileToErr(const std::string &Path) {			void CopyFileToErr(const std::string &Path) {
	Printf("%s", FileToString(Path).c_str());			Printf("%s", FileToString(Path).c_str());
	}			}

	void WriteToFile(const Unit &U, const std::string &Path) {			void WriteToFile(const Unit &U, const std::string &Path) {
	WriteToFile(U.data(), U.size(), Path);			WriteToFile(U.data(), U.size(), Path);
	}			}

				void WriteToFile(const std::string &Data, const std::string &Path) {
				WriteToFile(reinterpret_cast<const uint8_t *>(Data.c_str()), Data.size(),
				Path);
				}

	void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path) {			void WriteToFile(const uint8_t *Data, size_t Size, const std::string &Path) {
	// Use raw C interface because this function may be called from a sig handler.			// Use raw C interface because this function may be called from a sig handler.
	FILE *Out = fopen(Path.c_str(), "wb");			FILE *Out = fopen(Path.c_str(), "wb");
	if (!Out) return;			if (!Out) return;
	fwrite(Data, sizeof(Data[0]), Size, Out);			fwrite(Data, sizeof(Data[0]), Size, Out);
	fclose(Out);			fclose(Out);
	}			}

	▲ Show 20 Lines • Show All 80 Lines • Show Last 20 Lines

compiler-rt/test/fuzzer/seed_inputs.test

This file was added.

				RUN: %cpp_compiler %S/SimpleTest.cpp -o %t-SimpleTest

				USE-1: INFO: seed corpus: files: 1
				RUN: echo -n "%t-SimpleTest" > %t.seed-inputs
				kccUnsubmitted Done Reply Inline Actions replace with CHECK: then remove all --check-prefix kcc: replace with CHECK: then remove all --check-prefix
				metzmanAuthorUnsubmitted Done Reply Inline Actions I added a test to ensure we handle a single file correctly instead. metzman: I added a test to ensure we handle a single file correctly instead.
				# Test both formats of -seed_inputs argument.
				RUN: %run %t-SimpleTest -runs=1 -seed_inputs=@%t.seed-inputs 2>&1 \| FileCheck %s
				RUN: %run %t-SimpleTest -runs=1 -seed_inputs=%t-SimpleTest 2>&1 \| FileCheck %s --check-prefix=USE-1

				USE-2: INFO: seed corpus: files: 2
				RUN: echo -n "%t-SimpleTest,%t-SimpleTest" > %t.seed-inputs
				RUN: %run %t-SimpleTest -runs=1 -seed_inputs=@%t.seed-inputs 2>&1 \| FileCheck %s
				RUN: %run %t-SimpleTest -runs=1 -seed_inputs=%t-SimpleTest,%t-SimpleTest 2>&1 \| FileCheck %s --check-prefix=USE-2

				# Test that missing files and trailing commas are tolerated.
				RUN: echo -n "%t-SimpleTest,%t-SimpleTest,nonexistent-file," > %t.seed-inputs
				RUN: %run %t-SimpleTest -runs=1 -seed_inputs=@%t.seed-inputs 2>&1 \| FileCheck %s --check-prefix=USE-2
				RUN: %run %t-SimpleTest -runs=1 -seed_inputs=%t-SimpleTest,%t-SimpleTest,nonexistent-file, 2>&1 \| FileCheck %s --check-prefix=USE-2
				kccUnsubmitted Done Reply Inline Actions terminate the file with a newline kcc: terminate the file with a newline