Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / 11cafc82b72a80fb9a7266bbda7fc7a0cc1b51a0 / . / llvm / lib / Fuzzer / FuzzerCorpus.h
blob: 218ae5b6ac4d405b72e5e70ad694921c97ff2b5e [file] [log] [blame]
Kostya Serebryany6f5a8042016-09-21 01:50:50 +0000[diff] [blame]1//===- FuzzerCorpus.h - Internal header for the Fuzzer ----------*- C++ -* ===//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9// fuzzer::InputCorpus
10//===----------------------------------------------------------------------===//
11
12#ifndef LLVM_FUZZER_CORPUS
13#define LLVM_FUZZER_CORPUS
14
15#include "FuzzerDefs.h"
Zachary Turner24a148b2016-11-30 19:06:14 +0000[diff] [blame]16#include "FuzzerIO.h"
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]17#include "FuzzerRandom.h"
Zachary Turner24a148b2016-11-30 19:06:14 +0000[diff] [blame]18#include "FuzzerSHA1.h"
Kostya Serebryany2c556132016-09-30 01:19:56 +0000[diff] [blame]19#include "FuzzerTracePC.h"
Reid Klecknere8ee89f2016-12-30 00:15:40 +0000[diff] [blame]20#include <algorithm>
Marcos Pividori178fe582016-12-13 17:46:11 +0000[diff] [blame]21#include <numeric>
22#include <random>
23#include <unordered_set>
Kostya Serebryany6f5a8042016-09-21 01:50:50 +0000[diff] [blame]24
25namespace fuzzer {
26
27struct InputInfo {
28 Unit U; // The actual input data.
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]29 uint8_t Sha1[kSHA1NumBytes]; // Checksum.
Kostya Serebryany2c556132016-09-30 01:19:56 +0000[diff] [blame]30 // Number of features that this input has and no smaller input has.
31 size_t NumFeatures = 0;
32 size_t Tmp = 0; // Used by ValidateFeatureSet.
Kostya Serebryany29bb6642016-09-21 22:42:17 +0000[diff] [blame]33 // Stats.
Kostya Serebryany2c556132016-09-30 01:19:56 +0000[diff] [blame]34 size_t NumExecutedMutations = 0;
35 size_t NumSuccessfullMutations = 0;
Kostya Serebryanyc5325ed2016-10-08 23:24:45 +0000[diff] [blame]36 bool MayDeleteFile = false;
Kostya Serebryany1ca73882017-07-13 01:08:53 +0000[diff] [blame]37 std::vector<uint32_t> FeatureSet;
Kostya Serebryany6f5a8042016-09-21 01:50:50 +0000[diff] [blame]38};
39
40class InputCorpus {
Kostya Serebryany382730a2017-03-24 00:45:15 +0000[diff] [blame]41 static const size_t kFeatureSetSize = 1 << 21;
Kostya Serebryany6f5a8042016-09-21 01:50:50 +0000[diff] [blame]42 public:
Kostya Serebryanyc5325ed2016-10-08 23:24:45 +0000[diff] [blame]43 InputCorpus(const std::string &OutputCorpus) : OutputCorpus(OutputCorpus) {
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]44 memset(InputSizesPerFeature, 0, sizeof(InputSizesPerFeature));
45 memset(SmallestElementPerFeature, 0, sizeof(SmallestElementPerFeature));
Kostya Serebryany6f5a8042016-09-21 01:50:50 +0000[diff] [blame]46 }
Kostya Serebryanycd04ec22016-10-08 21:57:48 +0000[diff] [blame]47 ~InputCorpus() {
48 for (auto II : Inputs)
49 delete II;
50 }
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]51 size_t size() const { return Inputs.size(); }
Kostya Serebryany2455f0d2016-10-05 00:25:17 +0000[diff] [blame]52 size_t SizeInBytes() const {
53 size_t Res = 0;
Kostya Serebryanycd04ec22016-10-08 21:57:48 +0000[diff] [blame]54 for (auto II : Inputs)
55 Res += II->U.size();
Kostya Serebryany2455f0d2016-10-05 00:25:17 +0000[diff] [blame]56 return Res;
57 }
58 size_t NumActiveUnits() const {
59 size_t Res = 0;
Kostya Serebryanycd04ec22016-10-08 21:57:48 +0000[diff] [blame]60 for (auto II : Inputs)
61 Res += !II->U.empty();
Kostya Serebryany2455f0d2016-10-05 00:25:17 +0000[diff] [blame]62 return Res;
63 }
Kostya Serebryany2a8440d2016-12-27 23:24:55 +0000[diff] [blame]64 size_t MaxInputSize() const {
65 size_t Res = 0;
66 for (auto II : Inputs)
67 Res = std::max(Res, II->U.size());
68 return Res;
69 }
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]70 bool empty() const { return Inputs.empty(); }
Kostya Serebryanycd04ec22016-10-08 21:57:48 +0000[diff] [blame]71 const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
Kostya Serebryany1ca73882017-07-13 01:08:53 +0000[diff] [blame]72 void AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile,
73 const std::vector<uint32_t> &FeatureSet) {
Kostya Serebryany2455f0d2016-10-05 00:25:17 +0000[diff] [blame]74 assert(!U.empty());
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]75 if (FeatureDebug)
76 Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);
Kostya Serebryanycd04ec22016-10-08 21:57:48 +0000[diff] [blame]77 Inputs.push_back(new InputInfo());
78 InputInfo &II = *Inputs.back();
Kostya Serebryany6f5a8042016-09-21 01:50:50 +0000[diff] [blame]79 II.U = U;
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]80 II.NumFeatures = NumFeatures;
Kostya Serebryanyc5325ed2016-10-08 23:24:45 +0000[diff] [blame]81 II.MayDeleteFile = MayDeleteFile;
Kostya Serebryany1ca73882017-07-13 01:08:53 +0000[diff] [blame]82 II.FeatureSet = FeatureSet;
83 ComputeSHA1(U.data(), U.size(), II.Sha1);
84 Hashes.insert(Sha1ToString(II.Sha1));
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]85 UpdateCorpusDistribution();
Kostya Serebryany1ca73882017-07-13 01:08:53 +0000[diff] [blame]86 PrintCorpus();
Kostya Serebryany382730a2017-03-24 00:45:15 +0000[diff] [blame]87 // ValidateFeatureSet();
Kostya Serebryany6f5a8042016-09-21 01:50:50 +0000[diff] [blame]88 }
89
Kostya Serebryany1ca73882017-07-13 01:08:53 +0000[diff] [blame]90 // Debug-only
91 void PrintUnit(const Unit &U) {
92 if (!FeatureDebug) return;
93 for (uint8_t C : U) {
94 if (C != 'F' && C != 'U' && C != 'Z')
95 C = '.';
96 Printf("%c", C);
97 }
98 }
99
100 // Debug-only
101 void PrintFeatureSet(const std::vector<uint32_t> &FeatureSet) {
102 if (!FeatureDebug) return;
103 Printf("{");
104 for (uint32_t Feature: FeatureSet)
105 Printf("%u,", Feature);
106 Printf("}");
107 }
108
109 // Debug-only
110 void PrintCorpus() {
111 if (!FeatureDebug) return;
112 Printf("======= CORPUS:\n");
113 int i = 0;
114 for (auto II : Inputs) {
115 if (std::find(II->U.begin(), II->U.end(), 'F') != II->U.end()) {
116 Printf("[%2d] ", i);
117 Printf("%s sz=%zd ", Sha1ToString(II->Sha1).c_str(), II->U.size());
118 PrintUnit(II->U);
119 Printf(" ");
120 PrintFeatureSet(II->FeatureSet);
121 Printf("\n");
122 }
123 i++;
124 }
125 }
126
127 // If FeatureSet is that same as in II, replace II->U with {Data,Size}.
128 bool TryToReplace(InputInfo *II, const uint8_t *Data, size_t Size,
129 const std::vector<uint32_t> &FeatureSet) {
130 if (II->U.size() > Size && II->FeatureSet.size() &&
131 II->FeatureSet == FeatureSet) {
132 if (FeatureDebug)
133 Printf("Replace: %zd => %zd\n", II->U.size(), Size);
134 Replace(II, {Data, Data + Size});
135 PrintCorpus();
136 return true;
137 }
138 return false;
139 }
140
141 void Replace(InputInfo *II, const Unit &U) {
Kostya Serebryany8050ea12017-07-13 01:56:37 +0000[diff] [blame]142 assert(II->U.size());
143 Hashes.erase(Sha1ToString(II->Sha1));
144 DeleteFile(*II);
Kostya Serebryany1ca73882017-07-13 01:08:53 +0000[diff] [blame]145 ComputeSHA1(U.data(), U.size(), II->Sha1);
146 Hashes.insert(Sha1ToString(II->Sha1));
147 II->U = U;
148 }
149
Kostya Serebryany6f5a8042016-09-21 01:50:50 +0000[diff] [blame]150 bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }
Kostya Serebryanyd2169222016-10-01 01:04:29 +0000[diff] [blame]151 bool HasUnit(const std::string &H) { return Hashes.count(H); }
Kostya Serebryany29bb6642016-09-21 22:42:17 +0000[diff] [blame]152 InputInfo &ChooseUnitToMutate(Random &Rand) {
Kostya Serebryanycd04ec22016-10-08 21:57:48 +0000[diff] [blame]153 InputInfo &II = *Inputs[ChooseUnitIdxToMutate(Rand)];
Kostya Serebryany2455f0d2016-10-05 00:25:17 +0000[diff] [blame]154 assert(!II.U.empty());
155 return II;
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]156 };
Kostya Serebryany6f5a8042016-09-21 01:50:50 +0000[diff] [blame]157
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]158 // Returns an index of random unit from the corpus to mutate.
159 // Hypothesis: units added to the corpus last are more likely to be
160 // interesting. This function gives more weight to the more recent units.
161 size_t ChooseUnitIdxToMutate(Random &Rand) {
Kostya Serebryany6ac64c32017-02-07 22:37:34 +0000[diff] [blame]162 size_t Idx = static_cast<size_t>(CorpusDistribution(Rand));
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]163 assert(Idx < Inputs.size());
164 return Idx;
165 }
166
Kostya Serebryany29bb6642016-09-21 22:42:17 +0000[diff] [blame]167 void PrintStats() {
168 for (size_t i = 0; i < Inputs.size(); i++) {
Kostya Serebryanycd04ec22016-10-08 21:57:48 +0000[diff] [blame]169 const auto &II = *Inputs[i];
Kostya Serebryany16a145f2016-09-23 01:58:51 +0000[diff] [blame]170 Printf(" [%zd %s]\tsz: %zd\truns: %zd\tsucc: %zd\n", i,
Kostya Serebryany29bb6642016-09-21 22:42:17 +0000[diff] [blame]171 Sha1ToString(II.Sha1).c_str(), II.U.size(),
Kostya Serebryany16a145f2016-09-23 01:58:51 +0000[diff] [blame]172 II.NumExecutedMutations, II.NumSuccessfullMutations);
Kostya Serebryany29bb6642016-09-21 22:42:17 +0000[diff] [blame]173 }
174 }
175
Kostya Serebryany2c556132016-09-30 01:19:56 +0000[diff] [blame]176 void PrintFeatureSet() {
Kostya Serebryany2c556132016-09-30 01:19:56 +0000[diff] [blame]177 for (size_t i = 0; i < kFeatureSetSize; i++) {
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]178 if(size_t Sz = GetFeature(i))
179 Printf("[%zd: id %zd sz%zd] ", i, SmallestElementPerFeature[i], Sz);
Kostya Serebryany2c556132016-09-30 01:19:56 +0000[diff] [blame]180 }
181 Printf("\n\t");
182 for (size_t i = 0; i < Inputs.size(); i++)
Kostya Serebryanycd04ec22016-10-08 21:57:48 +0000[diff] [blame]183 if (size_t N = Inputs[i]->NumFeatures)
Kostya Serebryany2c556132016-09-30 01:19:56 +0000[diff] [blame]184 Printf(" %zd=>%zd ", i, N);
185 Printf("\n");
186 }
187
Kostya Serebryany8050ea12017-07-13 01:56:37 +0000[diff] [blame]188 void DeleteFile(const InputInfo &II) {
Kostya Serebryanyc5325ed2016-10-08 23:24:45 +0000[diff] [blame]189 if (!OutputCorpus.empty() && II.MayDeleteFile)
Marcos Pividori7c1defd2016-12-13 17:46:40 +0000[diff] [blame]190 RemoveFile(DirPlusFile(OutputCorpus, Sha1ToString(II.Sha1)));
Kostya Serebryany8050ea12017-07-13 01:56:37 +0000[diff] [blame]191 }
192
193 void DeleteInput(size_t Idx) {
194 InputInfo &II = *Inputs[Idx];
195 DeleteFile(II);
Kostya Serebryanyc5325ed2016-10-08 23:24:45 +0000[diff] [blame]196 Unit().swap(II.U);
197 if (FeatureDebug)
198 Printf("EVICTED %zd\n", Idx);
199 }
200
Kostya Serebryanya617e162017-03-31 04:17:45 +0000[diff] [blame]201 void AddFeature(size_t Idx, uint32_t NewSize, bool Shrink) {
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]202 assert(NewSize);
203 Idx = Idx % kFeatureSetSize;
204 uint32_t OldSize = GetFeature(Idx);
205 if (OldSize == 0 || (Shrink && OldSize > NewSize)) {
206 if (OldSize > 0) {
Kostya Serebryanyc5325ed2016-10-08 23:24:45 +0000[diff] [blame]207 size_t OldIdx = SmallestElementPerFeature[Idx];
208 InputInfo &II = *Inputs[OldIdx];
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]209 assert(II.NumFeatures > 0);
210 II.NumFeatures--;
Kostya Serebryanyc5325ed2016-10-08 23:24:45 +0000[diff] [blame]211 if (II.NumFeatures == 0)
212 DeleteInput(OldIdx);
Kostya Serebryany382730a2017-03-24 00:45:15 +0000[diff] [blame]213 } else {
214 NumAddedFeatures++;
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]215 }
Kostya Serebryanya617e162017-03-31 04:17:45 +0000[diff] [blame]216 NumUpdatedFeatures++;
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]217 if (FeatureDebug)
218 Printf("ADD FEATURE %zd sz %d\n", Idx, NewSize);
219 SmallestElementPerFeature[Idx] = Inputs.size();
220 InputSizesPerFeature[Idx] = NewSize;
221 CountingFeatures = true;
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]222 }
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]223 }
224
Kostya Serebryany382730a2017-03-24 00:45:15 +0000[diff] [blame]225 size_t NumFeatures() const { return NumAddedFeatures; }
Kostya Serebryanya617e162017-03-31 04:17:45 +0000[diff] [blame]226 size_t NumFeatureUpdates() const { return NumUpdatedFeatures; }
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]227
Kostya Serebryanya5f94fb2016-10-14 20:20:33 +0000[diff] [blame]228 void ResetFeatureSet() {
229 assert(Inputs.empty());
230 memset(InputSizesPerFeature, 0, sizeof(InputSizesPerFeature));
231 memset(SmallestElementPerFeature, 0, sizeof(SmallestElementPerFeature));
232 }
233
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]234private:
235
Kostya Serebryany2c556132016-09-30 01:19:56 +0000[diff] [blame]236 static const bool FeatureDebug = false;
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]237
238 size_t GetFeature(size_t Idx) const { return InputSizesPerFeature[Idx]; }
Kostya Serebryany2c556132016-09-30 01:19:56 +0000[diff] [blame]239
240 void ValidateFeatureSet() {
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]241 if (!CountingFeatures) return;
242 if (FeatureDebug)
243 PrintFeatureSet();
244 for (size_t Idx = 0; Idx < kFeatureSetSize; Idx++)
245 if (GetFeature(Idx))
Kostya Serebryanycd04ec22016-10-08 21:57:48 +0000[diff] [blame]246 Inputs[SmallestElementPerFeature[Idx]]->Tmp++;
247 for (auto II: Inputs) {
248 if (II->Tmp != II->NumFeatures)
249 Printf("ZZZ %zd %zd\n", II->Tmp, II->NumFeatures);
250 assert(II->Tmp == II->NumFeatures);
251 II->Tmp = 0;
Kostya Serebryany2c556132016-09-30 01:19:56 +0000[diff] [blame]252 }
253 }
254
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]255 // Updates the probability distribution for the units in the corpus.
256 // Must be called whenever the corpus or unit weights are changed.
257 void UpdateCorpusDistribution() {
258 size_t N = Inputs.size();
Kostya Serebryany5a52a112016-10-04 01:51:44 +0000[diff] [blame]259 Intervals.resize(N + 1);
260 Weights.resize(N);
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]261 std::iota(Intervals.begin(), Intervals.end(), 0);
Kostya Serebryany5a52a112016-10-04 01:51:44 +0000[diff] [blame]262 if (CountingFeatures)
263 for (size_t i = 0; i < N; i++)
Kostya Serebryanycd04ec22016-10-08 21:57:48 +0000[diff] [blame]264 Weights[i] = Inputs[i]->NumFeatures * (i + 1);
Kostya Serebryany5a52a112016-10-04 01:51:44 +0000[diff] [blame]265 else
266 std::iota(Weights.begin(), Weights.end(), 1);
Kostya Serebryany20801e12016-09-21 21:41:48 +0000[diff] [blame]267 CorpusDistribution = std::piecewise_constant_distribution<double>(
268 Intervals.begin(), Intervals.end(), Weights.begin());
269 }
270 std::piecewise_constant_distribution<double> CorpusDistribution;
271
Kostya Serebryany5a52a112016-10-04 01:51:44 +0000[diff] [blame]272 std::vector<double> Intervals;
273 std::vector<double> Weights;
274
Kostya Serebryany6f5a8042016-09-21 01:50:50 +0000[diff] [blame]275 std::unordered_set<std::string> Hashes;
Kostya Serebryanycd04ec22016-10-08 21:57:48 +0000[diff] [blame]276 std::vector<InputInfo*> Inputs;
Kostya Serebryany2c556132016-09-30 01:19:56 +0000[diff] [blame]277
Kostya Serebryany5a52a112016-10-04 01:51:44 +0000[diff] [blame]278 bool CountingFeatures = false;
Kostya Serebryany382730a2017-03-24 00:45:15 +0000[diff] [blame]279 size_t NumAddedFeatures = 0;
Kostya Serebryanya617e162017-03-31 04:17:45 +0000[diff] [blame]280 size_t NumUpdatedFeatures = 0;
Kostya Serebryany1c73f1b2016-10-05 22:56:21 +0000[diff] [blame]281 uint32_t InputSizesPerFeature[kFeatureSetSize];
282 uint32_t SmallestElementPerFeature[kFeatureSetSize];
Kostya Serebryanyc5325ed2016-10-08 23:24:45 +0000[diff] [blame]283
284 std::string OutputCorpus;
Kostya Serebryany6f5a8042016-09-21 01:50:50 +0000[diff] [blame]285};
286
287} // namespace fuzzer
288
289#endif // LLVM_FUZZER_CORPUS