squiid/llvm
1
0
Fork 0
Code Issues Pull requests Activity
llvm/compiler-rt/lib/fuzzer/FuzzerDriver.cpp
gtt1995 a30dbbe924 Redistribute energy for Corpus 
I found that the initial corpus allocation of fork mode has certain defects.
I designed a new initial corpus allocation strategy based on size grouping.
This method can give more energy to the small seeds in the corpus and
increase the throughput of the test.

Fuzzbench data (glibfuzzer is -fork_corpus_groups=1):
https://www.fuzzbench.com/reports/experimental/2021-08-05-parallel/index.html

Reviewed By: morehouse

Differential Revision: https://reviews.llvm.org/D105084
2021-09-08 09:22:45 -07:00

932 lines
31 KiB
C++
Raw Blame History

//===- FuzzerDriver.cpp - FuzzerDriver function and flags -----------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// FuzzerDriver and flag parsing.
//===----------------------------------------------------------------------===//
#include "FuzzerCommand.h"
#include "FuzzerCorpus.h"
#include "FuzzerFork.h"
#include "FuzzerIO.h"
#include "FuzzerInterface.h"
#include "FuzzerInternal.h"
#include "FuzzerMerge.h"
#include "FuzzerMutate.h"
#include "FuzzerPlatform.h"
#include "FuzzerRandom.h"
#include "FuzzerTracePC.h"
#include <algorithm>
#include <atomic>
#include <chrono>
#include <cstdlib>
#include <cstring>
#include <mutex>
#include <string>
#include <thread>
#include <fstream>
// This function should be present in the libFuzzer so that the client
// binary can test for its existence.
#if LIBFUZZER_MSVC
extern "C" void __libfuzzer_is_present() {}
#if defined(_M_IX86) || defined(__i386__)
#pragma comment(linker, "/include:___libfuzzer_is_present")
#else
#pragma comment(linker, "/include:__libfuzzer_is_present")
#endif
#else
extern "C" __attribute__((used)) void __libfuzzer_is_present() {}
#endif // LIBFUZZER_MSVC
namespace fuzzer {
// Program arguments.
struct FlagDescription {
const char *Name;
const char *Description;
int Default;
int *IntFlag;
const char **StrFlag;
unsigned int *UIntFlag;
};
struct {
#define FUZZER_DEPRECATED_FLAG(Name)
#define FUZZER_FLAG_INT(Name, Default, Description) int Name;
#define FUZZER_FLAG_UNSIGNED(Name, Default, Description) unsigned int Name;
#define FUZZER_FLAG_STRING(Name, Description) const char *Name;
#include "FuzzerFlags.def"
#undef FUZZER_DEPRECATED_FLAG
#undef FUZZER_FLAG_INT
#undef FUZZER_FLAG_UNSIGNED
#undef FUZZER_FLAG_STRING
} Flags;
static const FlagDescription FlagDescriptions [] {
#define FUZZER_DEPRECATED_FLAG(Name) \
{#Name, "Deprecated; don't use", 0, nullptr, nullptr, nullptr},
#define FUZZER_FLAG_INT(Name, Default, Description) \
{#Name, Description, Default, &Flags.Name, nullptr, nullptr},
#define FUZZER_FLAG_UNSIGNED(Name, Default, Description) \
{#Name, Description, static_cast<int>(Default), \
nullptr, nullptr, &Flags.Name},
#define FUZZER_FLAG_STRING(Name, Description) \
{#Name, Description, 0, nullptr, &Flags.Name, nullptr},
#include "FuzzerFlags.def"
#undef FUZZER_DEPRECATED_FLAG
#undef FUZZER_FLAG_INT
#undef FUZZER_FLAG_UNSIGNED
#undef FUZZER_FLAG_STRING
};
static const size_t kNumFlags =
sizeof(FlagDescriptions) / sizeof(FlagDescriptions[0]);
static std::vector<std::string> *Inputs;
static std::string *ProgName;
static void PrintHelp() {
Printf("Usage:\n");
auto Prog = ProgName->c_str();
Printf("\nTo run fuzzing pass 0 or more directories.\n");
Printf("%s [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]\n", Prog);
Printf("\nTo run individual tests without fuzzing pass 1 or more files:\n");
Printf("%s [-flag1=val1 [-flag2=val2 ...] ] file1 [file2 ...]\n", Prog);
Printf("\nFlags: (strictly in form -flag=value)\n");
size_t MaxFlagLen = 0;
for (size_t F = 0; F < kNumFlags; F++)
MaxFlagLen = std::max(strlen(FlagDescriptions[F].Name), MaxFlagLen);
for (size_t F = 0; F < kNumFlags; F++) {
const auto &D = FlagDescriptions[F];
if (strstr(D.Description, "internal flag") == D.Description) continue;
Printf(" %s", D.Name);
for (size_t i = 0, n = MaxFlagLen - strlen(D.Name); i < n; i++)
Printf(" ");
Printf("\t");
Printf("%d\t%s\n", D.Default, D.Description);
}
Printf("\nFlags starting with '--' will be ignored and "
"will be passed verbatim to subprocesses.\n");
}
static const char *FlagValue(const char *Param, const char *Name) {
size_t Len = strlen(Name);
if (Param[0] == '-' && strstr(Param + 1, Name) == Param + 1 &&
Param[Len + 1] == '=')
return &Param[Len + 2];
return nullptr;
}
// Avoid calling stol as it triggers a bug in clang/glibc build.
static long MyStol(const char *Str) {
long Res = 0;
long Sign = 1;
if (*Str == '-') {
Str++;
Sign = -1;
}
for (size_t i = 0; Str[i]; i++) {
char Ch = Str[i];
if (Ch < '0' || Ch > '9')
return Res;
Res = Res * 10 + (Ch - '0');
}
return Res * Sign;
}
static bool ParseOneFlag(const char *Param) {
if (Param[0] != '-') return false;
if (Param[1] == '-') {
static bool PrintedWarning = false;
if (!PrintedWarning) {
PrintedWarning = true;
Printf("INFO: libFuzzer ignores flags that start with '--'\n");
}
for (size_t F = 0; F < kNumFlags; F++)
if (FlagValue(Param + 1, FlagDescriptions[F].Name))
Printf("WARNING: did you mean '%s' (single dash)?\n", Param + 1);
return true;
}
for (size_t F = 0; F < kNumFlags; F++) {
const char *Name = FlagDescriptions[F].Name;
const char *Str = FlagValue(Param, Name);
if (Str) {
if (FlagDescriptions[F].IntFlag) {
auto Val = MyStol(Str);
*FlagDescriptions[F].IntFlag = static_cast<int>(Val);
if (Flags.verbosity >= 2)
Printf("Flag: %s %d\n", Name, Val);
return true;
} else if (FlagDescriptions[F].UIntFlag) {
auto Val = std::stoul(Str);
*FlagDescriptions[F].UIntFlag = static_cast<unsigned int>(Val);
if (Flags.verbosity >= 2)
Printf("Flag: %s %u\n", Name, Val);
return true;
} else if (FlagDescriptions[F].StrFlag) {
*FlagDescriptions[F].StrFlag = Str;
if (Flags.verbosity >= 2)
Printf("Flag: %s %s\n", Name, Str);
return true;
} else { // Deprecated flag.
Printf("Flag: %s: deprecated, don't use\n", Name);
return true;
}
}
}
Printf("\n\nWARNING: unrecognized flag '%s'; "
"use -help=1 to list all flags\n\n", Param);
return true;
}
// We don't use any library to minimize dependencies.
static void ParseFlags(const std::vector<std::string> &Args,
const ExternalFunctions *EF) {
for (size_t F = 0; F < kNumFlags; F++) {
if (FlagDescriptions[F].IntFlag)
*FlagDescriptions[F].IntFlag = FlagDescriptions[F].Default;
if (FlagDescriptions[F].UIntFlag)
*FlagDescriptions[F].UIntFlag =
static_cast<unsigned int>(FlagDescriptions[F].Default);
if (FlagDescriptions[F].StrFlag)
*FlagDescriptions[F].StrFlag = nullptr;
}
// Disable len_control by default, if LLVMFuzzerCustomMutator is used.
if (EF->LLVMFuzzerCustomMutator) {
Flags.len_control = 0;
Printf("INFO: found LLVMFuzzerCustomMutator (%p). "
"Disabling -len_control by default.\n", EF->LLVMFuzzerCustomMutator);
}
Inputs = new std::vector<std::string>;
for (size_t A = 1; A < Args.size(); A++) {
if (ParseOneFlag(Args[A].c_str())) {
if (Flags.ignore_remaining_args)
break;
continue;
}
Inputs->push_back(Args[A]);
}
}
static std::mutex Mu;
static void PulseThread() {
while (true) {
SleepSeconds(600);
std::lock_guard<std::mutex> Lock(Mu);
Printf("pulse...\n");
}
}
static void WorkerThread(const Command &BaseCmd, std::atomic<unsigned> *Counter,
unsigned NumJobs, std::atomic<bool> *HasErrors) {
while (true) {
unsigned C = (*Counter)++;
if (C >= NumJobs) break;
std::string Log = "fuzz-" + std::to_string(C) + ".log";
Command Cmd(BaseCmd);
Cmd.setOutputFile(Log);
Cmd.combineOutAndErr();
if (Flags.verbosity) {
std::string CommandLine = Cmd.toString();
Printf("%s\n", CommandLine.c_str());
}
int ExitCode = ExecuteCommand(Cmd);
if (ExitCode != 0)
*HasErrors = true;
std::lock_guard<std::mutex> Lock(Mu);
Printf("================== Job %u exited with exit code %d ============\n",
C, ExitCode);
fuzzer::CopyFileToErr(Log);
}
}
static void ValidateDirectoryExists(const std::string &Path,
bool CreateDirectory) {
if (Path.empty()) {
Printf("ERROR: Provided directory path is an empty string\n");
exit(1);
}
if (IsDirectory(Path))
return;
if (CreateDirectory) {
if (!MkDirRecursive(Path)) {
Printf("ERROR: Failed to create directory \"%s\"\n", Path.c_str());
exit(1);
}
return;
}
Printf("ERROR: The required directory \"%s\" does not exist\n", Path.c_str());
exit(1);
}
std::string CloneArgsWithoutX(const std::vector<std::string> &Args,
const char *X1, const char *X2) {
std::string Cmd;
for (auto &S : Args) {
if (FlagValue(S.c_str(), X1) || FlagValue(S.c_str(), X2))
continue;
Cmd += S + " ";
}
return Cmd;
}
static int RunInMultipleProcesses(const std::vector<std::string> &Args,
unsigned NumWorkers, unsigned NumJobs) {
std::atomic<unsigned> Counter(0);
std::atomic<bool> HasErrors(false);
Command Cmd(Args);
Cmd.removeFlag("jobs");
Cmd.removeFlag("workers");
std::vector<std::thread> V;
std::thread Pulse(PulseThread);
Pulse.detach();
for (unsigned i = 0; i < NumWorkers; i++)
V.push_back(std::thread(WorkerThread, std::ref(Cmd), &Counter, NumJobs,
&HasErrors));
for (auto &T : V)
T.join();
return HasErrors ? 1 : 0;
}
static void RssThread(Fuzzer *F, size_t RssLimitMb) {
while (true) {
SleepSeconds(1);
size_t Peak = GetPeakRSSMb();
if (Peak > RssLimitMb)
F->RssLimitCallback();
}
}
static void StartRssThread(Fuzzer *F, size_t RssLimitMb) {
if (!RssLimitMb)
return;
std::thread T(RssThread, F, RssLimitMb);
T.detach();
}
int RunOneTest(Fuzzer *F, const char *InputFilePath, size_t MaxLen) {
Unit U = FileToVector(InputFilePath);
if (MaxLen && MaxLen < U.size())
U.resize(MaxLen);
F->ExecuteCallback(U.data(), U.size());
if (Flags.print_full_coverage) {
// Leak detection is not needed when collecting full coverage data.
F->TPCUpdateObservedPCs();
} else {
F->TryDetectingAMemoryLeak(U.data(), U.size(), true);
}
return 0;
}
static bool AllInputsAreFiles() {
if (Inputs->empty()) return false;
for (auto &Path : *Inputs)
if (!IsFile(Path))
return false;
return true;
}
static std::string GetDedupTokenFromCmdOutput(const std::string &S) {
auto Beg = S.find("DEDUP_TOKEN:");
if (Beg == std::string::npos)
return "";
auto End = S.find('\n', Beg);
if (End == std::string::npos)
return "";
return S.substr(Beg, End - Beg);
}
int CleanseCrashInput(const std::vector<std::string> &Args,
const FuzzingOptions &Options) {
if (Inputs->size() != 1 || !Flags.exact_artifact_path) {
Printf("ERROR: -cleanse_crash should be given one input file and"
" -exact_artifact_path\n");
exit(1);
}
std::string InputFilePath = Inputs->at(0);
std::string OutputFilePath = Flags.exact_artifact_path;
Command Cmd(Args);
Cmd.removeFlag("cleanse_crash");
assert(Cmd.hasArgument(InputFilePath));
Cmd.removeArgument(InputFilePath);
auto TmpFilePath = TempPath("CleanseCrashInput", ".repro");
Cmd.addArgument(TmpFilePath);
Cmd.setOutputFile(getDevNull());
Cmd.combineOutAndErr();
std::string CurrentFilePath = InputFilePath;
auto U = FileToVector(CurrentFilePath);
size_t Size = U.size();
const std::vector<uint8_t> ReplacementBytes = {' ', 0xff};
for (int NumAttempts = 0; NumAttempts < 5; NumAttempts++) {
bool Changed = false;
for (size_t Idx = 0; Idx < Size; Idx++) {
Printf("CLEANSE[%d]: Trying to replace byte %zd of %zd\n", NumAttempts,
Idx, Size);
uint8_t OriginalByte = U[Idx];
if (ReplacementBytes.end() != std::find(ReplacementBytes.begin(),
ReplacementBytes.end(),
OriginalByte))
continue;
for (auto NewByte : ReplacementBytes) {
U[Idx] = NewByte;
WriteToFile(U, TmpFilePath);
auto ExitCode = ExecuteCommand(Cmd);
RemoveFile(TmpFilePath);
if (!ExitCode) {
U[Idx] = OriginalByte;
} else {
Changed = true;
Printf("CLEANSE: Replaced byte %zd with 0x%x\n", Idx, NewByte);
WriteToFile(U, OutputFilePath);
break;
}
}
}
if (!Changed) break;
}
return 0;
}
int MinimizeCrashInput(const std::vector<std::string> &Args,
const FuzzingOptions &Options) {
if (Inputs->size() != 1) {
Printf("ERROR: -minimize_crash should be given one input file\n");
exit(1);
}
std::string InputFilePath = Inputs->at(0);
Command BaseCmd(Args);
BaseCmd.removeFlag("minimize_crash");
BaseCmd.removeFlag("exact_artifact_path");
assert(BaseCmd.hasArgument(InputFilePath));
BaseCmd.removeArgument(InputFilePath);
if (Flags.runs <= 0 && Flags.max_total_time == 0) {
Printf("INFO: you need to specify -runs=N or "
"-max_total_time=N with -minimize_crash=1\n"
"INFO: defaulting to -max_total_time=600\n");
BaseCmd.addFlag("max_total_time", "600");
}
BaseCmd.combineOutAndErr();
std::string CurrentFilePath = InputFilePath;
while (true) {
Unit U = FileToVector(CurrentFilePath);
Printf("CRASH_MIN: minimizing crash input: '%s' (%zd bytes)\n",
CurrentFilePath.c_str(), U.size());
Command Cmd(BaseCmd);
Cmd.addArgument(CurrentFilePath);
Printf("CRASH_MIN: executing: %s\n", Cmd.toString().c_str());
std::string CmdOutput;
bool Success = ExecuteCommand(Cmd, &CmdOutput);
if (Success) {
Printf("ERROR: the input %s did not crash\n", CurrentFilePath.c_str());
exit(1);
}
Printf("CRASH_MIN: '%s' (%zd bytes) caused a crash. Will try to minimize "
"it further\n",
CurrentFilePath.c_str(), U.size());
auto DedupToken1 = GetDedupTokenFromCmdOutput(CmdOutput);
if (!DedupToken1.empty())
Printf("CRASH_MIN: DedupToken1: %s\n", DedupToken1.c_str());
std::string ArtifactPath =
Flags.exact_artifact_path
? Flags.exact_artifact_path
: Options.ArtifactPrefix + "minimized-from-" + Hash(U);
Cmd.addFlag("minimize_crash_internal_step", "1");
Cmd.addFlag("exact_artifact_path", ArtifactPath);
Printf("CRASH_MIN: executing: %s\n", Cmd.toString().c_str());
CmdOutput.clear();
Success = ExecuteCommand(Cmd, &CmdOutput);
Printf("%s", CmdOutput.c_str());
if (Success) {
if (Flags.exact_artifact_path) {
CurrentFilePath = Flags.exact_artifact_path;
WriteToFile(U, CurrentFilePath);
}
Printf("CRASH_MIN: failed to minimize beyond %s (%d bytes), exiting\n",
CurrentFilePath.c_str(), U.size());
break;
}
auto DedupToken2 = GetDedupTokenFromCmdOutput(CmdOutput);
if (!DedupToken2.empty())
Printf("CRASH_MIN: DedupToken2: %s\n", DedupToken2.c_str());
if (DedupToken1 != DedupToken2) {
if (Flags.exact_artifact_path) {
CurrentFilePath = Flags.exact_artifact_path;
WriteToFile(U, CurrentFilePath);
}
Printf("CRASH_MIN: mismatch in dedup tokens"
" (looks like a different bug). Won't minimize further\n");
break;
}
CurrentFilePath = ArtifactPath;
Printf("*********************************\n");
}
return 0;
}
int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) {
assert(Inputs->size() == 1);
std::string InputFilePath = Inputs->at(0);
Unit U = FileToVector(InputFilePath);
Printf("INFO: Starting MinimizeCrashInputInternalStep: %zd\n", U.size());
if (U.size() < 2) {
Printf("INFO: The input is small enough, exiting\n");
exit(0);
}
F->SetMaxInputLen(U.size());
F->SetMaxMutationLen(U.size() - 1);
F->MinimizeCrashLoop(U);
Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n");
exit(0);
return 0;
}
void Merge(Fuzzer *F, FuzzingOptions &Options,
const std::vector<std::string> &Args,
const std::vector<std::string> &Corpora, const char *CFPathOrNull) {
if (Corpora.size() < 2) {
Printf("INFO: Merge requires two or more corpus dirs\n");
exit(0);
}
std::vector<SizedFile> OldCorpus, NewCorpus;
GetSizedFilesFromDir(Corpora[0], &OldCorpus);
for (size_t i = 1; i < Corpora.size(); i++)
GetSizedFilesFromDir(Corpora[i], &NewCorpus);
std::sort(OldCorpus.begin(), OldCorpus.end());
std::sort(NewCorpus.begin(), NewCorpus.end());
std::string CFPath = CFPathOrNull ? CFPathOrNull : TempPath("Merge", ".txt");
std::vector<std::string> NewFiles;
std::set<uint32_t> NewFeatures, NewCov;
CrashResistantMerge(Args, OldCorpus, NewCorpus, &NewFiles, {}, &NewFeatures,
{}, &NewCov, CFPath, true, Flags.set_cover_merge);
for (auto &Path : NewFiles)
F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen));
// We are done, delete the control file if it was a temporary one.
if (!Flags.merge_control_file)
RemoveFile(CFPath);
exit(0);
}
int AnalyzeDictionary(Fuzzer *F, const std::vector<Unit> &Dict,
UnitVector &Corpus) {
Printf("Started dictionary minimization (up to %d tests)\n",
Dict.size() * Corpus.size() * 2);
// Scores and usage count for each dictionary unit.
std::vector<int> Scores(Dict.size());
std::vector<int> Usages(Dict.size());
std::vector<size_t> InitialFeatures;
std::vector<size_t> ModifiedFeatures;
for (auto &C : Corpus) {
// Get coverage for the testcase without modifications.
F->ExecuteCallback(C.data(), C.size());
InitialFeatures.clear();
TPC.CollectFeatures([&](size_t Feature) {
InitialFeatures.push_back(Feature);
});
for (size_t i = 0; i < Dict.size(); ++i) {
std::vector<uint8_t> Data = C;
auto StartPos = std::search(Data.begin(), Data.end(),
Dict[i].begin(), Dict[i].end());
// Skip dictionary unit, if the testcase does not contain it.
if (StartPos == Data.end())
continue;
++Usages[i];
while (StartPos != Data.end()) {
// Replace all occurrences of dictionary unit in the testcase.
auto EndPos = StartPos + Dict[i].size();
for (auto It = StartPos; It != EndPos; ++It)
*It ^= 0xFF;
StartPos = std::search(EndPos, Data.end(),
Dict[i].begin(), Dict[i].end());
}
// Get coverage for testcase with masked occurrences of dictionary unit.
F->ExecuteCallback(Data.data(), Data.size());
ModifiedFeatures.clear();
TPC.CollectFeatures([&](size_t Feature) {
ModifiedFeatures.push_back(Feature);
});
if (InitialFeatures == ModifiedFeatures)
--Scores[i];
else
Scores[i] += 2;
}
}
Printf("###### Useless dictionary elements. ######\n");
for (size_t i = 0; i < Dict.size(); ++i) {
// Dictionary units with positive score are treated as useful ones.
if (Scores[i] > 0)
continue;
Printf("\"");
PrintASCII(Dict[i].data(), Dict[i].size(), "\"");
Printf(" # Score: %d, Used: %d\n", Scores[i], Usages[i]);
}
Printf("###### End of useless dictionary elements. ######\n");
return 0;
}
std::vector<std::string> ParseSeedInuts(const char *seed_inputs) {
// Parse -seed_inputs=file1,file2,... or -seed_inputs=@seed_inputs_file
std::vector<std::string> Files;
if (!seed_inputs) return Files;
std::string SeedInputs;
if (Flags.seed_inputs[0] == '@')
SeedInputs = FileToString(Flags.seed_inputs + 1); // File contains list.
else
SeedInputs = Flags.seed_inputs; // seed_inputs contains the list.
if (SeedInputs.empty()) {
Printf("seed_inputs is empty or @file does not exist.\n");
exit(1);
}
// Parse SeedInputs.
size_t comma_pos = 0;
while ((comma_pos = SeedInputs.find_last_of(',')) != std::string::npos) {
Files.push_back(SeedInputs.substr(comma_pos + 1));
SeedInputs = SeedInputs.substr(0, comma_pos);
}
Files.push_back(SeedInputs);
return Files;
}
static std::vector<SizedFile>
ReadCorpora(const std::vector<std::string> &CorpusDirs,
const std::vector<std::string> &ExtraSeedFiles) {
std::vector<SizedFile> SizedFiles;
size_t LastNumFiles = 0;
for (auto &Dir : CorpusDirs) {
GetSizedFilesFromDir(Dir, &SizedFiles);
Printf("INFO: % 8zd files found in %s\n", SizedFiles.size() - LastNumFiles,
Dir.c_str());
LastNumFiles = SizedFiles.size();
}
for (auto &File : ExtraSeedFiles)
if (auto Size = FileSize(File))
SizedFiles.push_back({File, Size});
return SizedFiles;
}
int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
using namespace fuzzer;
assert(argc && argv && "Argument pointers cannot be nullptr");
std::string Argv0((*argv)[0]);
EF = new ExternalFunctions();
if (EF->LLVMFuzzerInitialize)
EF->LLVMFuzzerInitialize(argc, argv);
if (EF->__msan_scoped_disable_interceptor_checks)
EF->__msan_scoped_disable_interceptor_checks();
const std::vector<std::string> Args(*argv, *argv + *argc);
assert(!Args.empty());
ProgName = new std::string(Args[0]);
if (Argv0 != *ProgName) {
Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n");
exit(1);
}
ParseFlags(Args, EF);
if (Flags.help) {
PrintHelp();
return 0;
}
if (Flags.close_fd_mask & 2)
DupAndCloseStderr();
if (Flags.close_fd_mask & 1)
CloseStdout();
if (Flags.jobs > 0 && Flags.workers == 0) {
Flags.workers = std::min(NumberOfCpuCores() / 2, Flags.jobs);
if (Flags.workers > 1)
Printf("Running %u workers\n", Flags.workers);
}
if (Flags.workers > 0 && Flags.jobs > 0)
return RunInMultipleProcesses(Args, Flags.workers, Flags.jobs);
FuzzingOptions Options;
Options.Verbosity = Flags.verbosity;
Options.MaxLen = Flags.max_len;
Options.LenControl = Flags.len_control;
Options.KeepSeed = Flags.keep_seed;
Options.UnitTimeoutSec = Flags.timeout;
Options.ErrorExitCode = Flags.error_exitcode;
Options.TimeoutExitCode = Flags.timeout_exitcode;
Options.IgnoreTimeouts = Flags.ignore_timeouts;
Options.IgnoreOOMs = Flags.ignore_ooms;
Options.IgnoreCrashes = Flags.ignore_crashes;
Options.MaxTotalTimeSec = Flags.max_total_time;
Options.DoCrossOver = Flags.cross_over;
Options.CrossOverUniformDist = Flags.cross_over_uniform_dist;
Options.MutateDepth = Flags.mutate_depth;
Options.ReduceDepth = Flags.reduce_depth;
Options.UseCounters = Flags.use_counters;
Options.UseMemmem = Flags.use_memmem;
Options.UseCmp = Flags.use_cmp;
Options.UseValueProfile = Flags.use_value_profile;
Options.Shrink = Flags.shrink;
Options.ReduceInputs = Flags.reduce_inputs;
Options.ShuffleAtStartUp = Flags.shuffle;
Options.PreferSmall = Flags.prefer_small;
Options.ReloadIntervalSec = Flags.reload;
Options.OnlyASCII = Flags.only_ascii;
Options.DetectLeaks = Flags.detect_leaks;
Options.PurgeAllocatorIntervalSec = Flags.purge_allocator_interval;
Options.TraceMalloc = Flags.trace_malloc;
Options.RssLimitMb = Flags.rss_limit_mb;
Options.MallocLimitMb = Flags.malloc_limit_mb;
if (!Options.MallocLimitMb)
Options.MallocLimitMb = Options.RssLimitMb;
if (Flags.runs >= 0)
Options.MaxNumberOfRuns = Flags.runs;
if (!Inputs->empty() && !Flags.minimize_crash_internal_step) {
// Ensure output corpus assumed to be the first arbitrary argument input
// is not a path to an existing file.
std::string OutputCorpusDir = (*Inputs)[0];
if (!IsFile(OutputCorpusDir)) {
Options.OutputCorpus = OutputCorpusDir;
ValidateDirectoryExists(Options.OutputCorpus, Flags.create_missing_dirs);
}
}
Options.ReportSlowUnits = Flags.report_slow_units;
if (Flags.artifact_prefix) {
Options.ArtifactPrefix = Flags.artifact_prefix;
// Since the prefix could be a full path to a file name prefix, assume
// that if the path ends with the platform's separator that a directory
// is desired
std::string ArtifactPathDir = Options.ArtifactPrefix;
if (!IsSeparator(ArtifactPathDir[ArtifactPathDir.length() - 1])) {
ArtifactPathDir = DirName(ArtifactPathDir);
}
ValidateDirectoryExists(ArtifactPathDir, Flags.create_missing_dirs);
}
if (Flags.exact_artifact_path) {
Options.ExactArtifactPath = Flags.exact_artifact_path;
ValidateDirectoryExists(DirName(Options.ExactArtifactPath),
Flags.create_missing_dirs);
}
std::vector<Unit> Dictionary;
if (Flags.dict)
if (!ParseDictionaryFile(FileToString(Flags.dict), &Dictionary))
return 1;
if (Flags.verbosity > 0 && !Dictionary.empty())
Printf("Dictionary: %zd entries\n", Dictionary.size());
bool RunIndividualFiles = AllInputsAreFiles();
Options.SaveArtifacts =
!RunIndividualFiles || Flags.minimize_crash_internal_step;
Options.PrintNewCovPcs = Flags.print_pcs;
Options.PrintNewCovFuncs = Flags.print_funcs;
Options.PrintFinalStats = Flags.print_final_stats;
Options.PrintCorpusStats = Flags.print_corpus_stats;
Options.PrintCoverage = Flags.print_coverage;
Options.PrintFullCoverage = Flags.print_full_coverage;
if (Flags.exit_on_src_pos)
Options.ExitOnSrcPos = Flags.exit_on_src_pos;
if (Flags.exit_on_item)
Options.ExitOnItem = Flags.exit_on_item;
if (Flags.focus_function)
Options.FocusFunction = Flags.focus_function;
if (Flags.data_flow_trace)
Options.DataFlowTrace = Flags.data_flow_trace;
if (Flags.features_dir) {
Options.FeaturesDir = Flags.features_dir;
ValidateDirectoryExists(Options.FeaturesDir, Flags.create_missing_dirs);
}
if (Flags.mutation_graph_file)
Options.MutationGraphFile = Flags.mutation_graph_file;
if (Flags.collect_data_flow)
Options.CollectDataFlow = Flags.collect_data_flow;
if (Flags.stop_file)
Options.StopFile = Flags.stop_file;
Options.Entropic = Flags.entropic;
Options.EntropicFeatureFrequencyThreshold =
(size_t)Flags.entropic_feature_frequency_threshold;
Options.EntropicNumberOfRarestFeatures =
(size_t)Flags.entropic_number_of_rarest_features;
Options.EntropicScalePerExecTime = Flags.entropic_scale_per_exec_time;
if (!Options.FocusFunction.empty())
Options.Entropic = false; // FocusFunction overrides entropic scheduling.
if (Options.Entropic)
Printf("INFO: Running with entropic power schedule (0x%X, %d).\n",
Options.EntropicFeatureFrequencyThreshold,
Options.EntropicNumberOfRarestFeatures);
struct EntropicOptions Entropic;
Entropic.Enabled = Options.Entropic;
Entropic.FeatureFrequencyThreshold =
Options.EntropicFeatureFrequencyThreshold;
Entropic.NumberOfRarestFeatures = Options.EntropicNumberOfRarestFeatures;
Entropic.ScalePerExecTime = Options.EntropicScalePerExecTime;
unsigned Seed = Flags.seed;
// Initialize Seed.
if (Seed == 0)
Seed = static_cast<unsigned>(
std::chrono::system_clock::now().time_since_epoch().count() + GetPid());
if (Flags.verbosity)
Printf("INFO: Seed: %u\n", Seed);
if (Flags.collect_data_flow && !Flags.fork &&
!(Flags.merge || Flags.set_cover_merge)) {
if (RunIndividualFiles)
return CollectDataFlow(Flags.collect_data_flow, Flags.data_flow_trace,
ReadCorpora({}, *Inputs));
else
return CollectDataFlow(Flags.collect_data_flow, Flags.data_flow_trace,
ReadCorpora(*Inputs, {}));
}
Random Rand(Seed);
auto *MD = new MutationDispatcher(Rand, Options);
auto *Corpus = new InputCorpus(Options.OutputCorpus, Entropic);
auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);
for (auto &U: Dictionary)
if (U.size() <= Word::GetMaxSize())
MD->AddWordToManualDictionary(Word(U.data(), U.size()));
// Threads are only supported by Chrome. Don't use them with emscripten
// for now.
#if !LIBFUZZER_EMSCRIPTEN
StartRssThread(F, Flags.rss_limit_mb);
#endif // LIBFUZZER_EMSCRIPTEN
Options.HandleAbrt = Flags.handle_abrt;
Options.HandleAlrm = !Flags.minimize_crash;
Options.HandleBus = Flags.handle_bus;
Options.HandleFpe = Flags.handle_fpe;
Options.HandleIll = Flags.handle_ill;
Options.HandleInt = Flags.handle_int;
Options.HandleSegv = Flags.handle_segv;
Options.HandleTerm = Flags.handle_term;
Options.HandleXfsz = Flags.handle_xfsz;
Options.HandleUsr1 = Flags.handle_usr1;
Options.HandleUsr2 = Flags.handle_usr2;
Options.HandleWinExcept = Flags.handle_winexcept;
SetSignalHandler(Options);
std::atexit(Fuzzer::StaticExitCallback);
if (Flags.minimize_crash)
return MinimizeCrashInput(Args, Options);
if (Flags.minimize_crash_internal_step)
return MinimizeCrashInputInternalStep(F, Corpus);
if (Flags.cleanse_crash)
return CleanseCrashInput(Args, Options);
if (RunIndividualFiles) {
Options.SaveArtifacts = false;
int Runs = std::max(1, Flags.runs);
Printf("%s: Running %zd inputs %d time(s) each.\n", ProgName->c_str(),
Inputs->size(), Runs);
for (auto &Path : *Inputs) {
auto StartTime = system_clock::now();
Printf("Running: %s\n", Path.c_str());
for (int Iter = 0; Iter < Runs; Iter++)
RunOneTest(F, Path.c_str(), Options.MaxLen);
auto StopTime = system_clock::now();
auto MS = duration_cast<milliseconds>(StopTime - StartTime).count();
Printf("Executed %s in %zd ms\n", Path.c_str(), (long)MS);
}
Printf("***\n"
"*** NOTE: fuzzing was not performed, you have only\n"
"*** executed the target code on a fixed set of inputs.\n"
"***\n");
F->PrintFinalStats();
exit(0);
}
Options.ForkCorpusGroups = Flags.fork_corpus_groups;
if (Flags.fork)
FuzzWithFork(F->GetMD().GetRand(), Options, Args, *Inputs, Flags.fork);
if (Flags.merge || Flags.set_cover_merge)
Merge(F, Options, Args, *Inputs, Flags.merge_control_file);
if (Flags.merge_inner) {
const size_t kDefaultMaxMergeLen = 1 << 20;
if (Options.MaxLen == 0)
F->SetMaxInputLen(kDefaultMaxMergeLen);
assert(Flags.merge_control_file);
F->CrashResistantMergeInternalStep(Flags.merge_control_file,
!strncmp(Flags.merge_inner, "2", 1));
exit(0);
}
if (Flags.analyze_dict) {
size_t MaxLen = INT_MAX; // Large max length.
UnitVector InitialCorpus;
for (auto &Inp : *Inputs) {
Printf("Loading corpus dir: %s\n", Inp.c_str());
ReadDirToVectorOfUnits(Inp.c_str(), &InitialCorpus, nullptr,
MaxLen, /*ExitOnError=*/false);
}
if (Dictionary.empty() || Inputs->empty()) {
Printf("ERROR: can't analyze dict without dict and corpus provided\n");
return 1;
}
if (AnalyzeDictionary(F, Dictionary, InitialCorpus)) {
Printf("Dictionary analysis failed\n");
exit(1);
}
Printf("Dictionary analysis succeeded\n");
exit(0);
}
auto CorporaFiles = ReadCorpora(*Inputs, ParseSeedInuts(Flags.seed_inputs));
F->Loop(CorporaFiles);
if (Flags.verbosity)
Printf("Done %zd runs in %zd second(s)\n", F->getTotalNumberOfRuns(),
F->secondsSinceProcessStartUp());
F->PrintFinalStats();
exit(0); // Don't let F destroy itself.
}
extern "C" ATTRIBUTE_INTERFACE int
LLVMFuzzerRunDriver(int *argc, char ***argv,
int (*UserCb)(const uint8_t *Data, size_t Size)) {
return FuzzerDriver(argc, argv, UserCb);
}
// Storage for global ExternalFunctions object.
ExternalFunctions *EF = nullptr;
} // namespace fuzzer
Reference in a new issue View git blame Copy permalink