Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / 3898a0468c63b66c0533cf313f16cb8b5edab5b9 / . / llvm / lib / Fuzzer / FuzzerInternal.h
blob: d27ac8684fc08a80d722d5d999e5383f9c845597 [file] [log] [blame]
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]1//===- FuzzerInternal.h - Internal header for the Fuzzer --------*- C++ -* ===//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9// Define the main class fuzzer::Fuzzer and most functions.
10//===----------------------------------------------------------------------===//
Yaron Keren347663b2015-08-10 16:37:40 +0000[diff] [blame]11
12#ifndef LLVM_FUZZER_INTERNAL_H
13#define LLVM_FUZZER_INTERNAL_H
14
Kostya Serebryany292cf032016-02-13 03:37:24 +0000[diff] [blame]15#include <algorithm>
Kostya Serebryany0edb5632016-05-27 00:54:15 +0000[diff] [blame]16#include <atomic>
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]17#include <cassert>
18#include <chrono>
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]19#include <climits>
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]20#include <cstddef>
21#include <cstdlib>
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]22#include <random>
Kostya Serebryany476f0ce2016-01-16 03:53:32 +0000[diff] [blame]23#include <string.h>
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]24#include <string>
Kostya Serebryany2c1b33b2015-01-29 23:01:07 +0000[diff] [blame]25#include <unordered_set>
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]26#include <vector>
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]27
Dan Liewd3c33112016-06-02 05:48:02 +0000[diff] [blame]28#include "FuzzerExtFunctions.h"
Kostya Serebryany016852c2015-02-19 18:45:37 +0000[diff] [blame]29#include "FuzzerInterface.h"
Mike Aizatsky1aa501e2016-05-10 23:43:15 +0000[diff] [blame]30#include "FuzzerTracePC.h"
Kostya Serebryany016852c2015-02-19 18:45:37 +0000[diff] [blame]31
Dan Liew3868e462016-05-19 22:00:33 +0000[diff] [blame]32// Platform detection.
33#ifdef __linux__
34#define LIBFUZZER_LINUX 1
35#define LIBFUZZER_APPLE 0
36#elif __APPLE__
37#define LIBFUZZER_LINUX 0
38#define LIBFUZZER_APPLE 1
39#else
40#error "Support for your platform has not been implemented"
41#endif
42
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]43namespace fuzzer {
Kostya Serebryany8b0d90a2016-05-13 18:04:35 +0000[diff] [blame]44
45typedef int (*UserCallback)(const uint8_t *Data, size_t Size);
Dan Liewd3c33112016-06-02 05:48:02 +0000[diff] [blame]46int FuzzerDriver(int *argc, char ***argv, UserCallback Callback);
Kostya Serebryany8b0d90a2016-05-13 18:04:35 +0000[diff] [blame]47
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]48using namespace std::chrono;
Kostya Serebryanyaca76962016-01-16 01:23:12 +0000[diff] [blame]49typedef std::vector<uint8_t> Unit;
Kostya Serebryany945761b2016-03-18 00:23:29 +0000[diff] [blame]50typedef std::vector<Unit> UnitVector;
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]51
Kostya Serebryany476f0ce2016-01-16 03:53:32 +0000[diff] [blame]52// A simple POD sized array of bytes.
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]53template <size_t kMaxSize> class FixedWord {
54public:
Kostya Serebryany160dcba2016-01-22 23:55:14 +0000[diff] [blame]55 FixedWord() {}
Kostya Serebryany476f0ce2016-01-16 03:53:32 +0000[diff] [blame]56 FixedWord(const uint8_t *B, uint8_t S) { Set(B, S); }
57
58 void Set(const uint8_t *B, uint8_t S) {
59 assert(S <= kMaxSize);
60 memcpy(Data, B, S);
61 Size = S;
62 }
63
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]64 bool operator==(const FixedWord<kMaxSize> &w) const {
Kostya Serebryany476f0ce2016-01-16 03:53:32 +0000[diff] [blame]65 return Size == w.Size && 0 == memcmp(Data, w.Data, Size);
66 }
67
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]68 bool operator<(const FixedWord<kMaxSize> &w) const {
69 if (Size != w.Size)
70 return Size < w.Size;
Kostya Serebryany476f0ce2016-01-16 03:53:32 +0000[diff] [blame]71 return memcmp(Data, w.Data, Size) < 0;
72 }
73
74 static size_t GetMaxSize() { return kMaxSize; }
75 const uint8_t *data() const { return Data; }
76 uint8_t size() const { return Size; }
77
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]78private:
Kostya Serebryany160dcba2016-01-22 23:55:14 +0000[diff] [blame]79 uint8_t Size = 0;
Kostya Serebryany476f0ce2016-01-16 03:53:32 +0000[diff] [blame]80 uint8_t Data[kMaxSize];
81};
82
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]83typedef FixedWord<27> Word; // 28 bytes.
Kostya Serebryany476f0ce2016-01-16 03:53:32 +0000[diff] [blame]84
Kostya Serebryanybfbe7fc2016-02-02 03:03:47 +0000[diff] [blame]85bool IsFile(const std::string &Path);
Kostya Serebryany52a788e2015-03-31 20:13:20 +0000[diff] [blame]86std::string FileToString(const std::string &Path);
Kostya Serebryanya35f7d32016-02-18 21:49:10 +0000[diff] [blame]87Unit FileToVector(const std::string &Path, size_t MaxSize = 0);
Kostya Serebryany1ac80552015-05-08 21:30:55 +0000[diff] [blame]88void ReadDirToVectorOfUnits(const char *Path, std::vector<Unit> *V,
Kostya Serebryanya35f7d32016-02-18 21:49:10 +0000[diff] [blame]89 long *Epoch, size_t MaxSize);
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]90void WriteToFile(const Unit &U, const std::string &Path);
Kostya Serebryany5b266a82015-02-04 19:10:20 +0000[diff] [blame]91void CopyFileToErr(const std::string &Path);
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]92// Returns "Dir/FileName" or equivalent for the current OS.
93std::string DirPlusFile(const std::string &DirPath,
94 const std::string &FileName);
95
Kostya Serebryany49e40902016-03-18 20:58:29 +0000[diff] [blame]96void DupAndCloseStderr();
97void CloseStdout();
Kostya Serebryany20e9bcb2015-05-23 01:07:46 +0000[diff] [blame]98void Printf(const char *Fmt, ...);
Kostya Serebryany98abb2c2016-01-13 23:46:01 +0000[diff] [blame]99void PrintHexArray(const Unit &U, const char *PrintAfter = "");
100void PrintHexArray(const uint8_t *Data, size_t Size,
101 const char *PrintAfter = "");
Kostya Serebryany41740052016-01-12 02:36:59 +0000[diff] [blame]102void PrintASCII(const uint8_t *Data, size_t Size, const char *PrintAfter = "");
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]103void PrintASCII(const Unit &U, const char *PrintAfter = "");
Kostya Serebryany476f0ce2016-01-16 03:53:32 +0000[diff] [blame]104void PrintASCII(const Word &W, const char *PrintAfter = "");
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]105std::string Hash(const Unit &U);
106void SetTimer(int Seconds);
Kostya Serebryany228d5b12016-03-01 22:19:21 +0000[diff] [blame]107void SetSigSegvHandler();
108void SetSigBusHandler();
109void SetSigAbrtHandler();
110void SetSigIllHandler();
111void SetSigFpeHandler();
112void SetSigIntHandler();
Kostya Serebryanyf389ae12016-03-24 21:03:58 +0000[diff] [blame]113void SetSigTermHandler();
Kostya Serebryany9e48cda2015-12-04 22:29:39 +0000[diff] [blame]114std::string Base64(const Unit &U);
Kostya Serebryanydc3135d2015-11-12 01:02:01 +0000[diff] [blame]115int ExecuteCommand(const std::string &Command);
Kostya Serebryany66ff0752016-02-26 22:42:23 +0000[diff] [blame]116size_t GetPeakRSSMb();
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]117
Kostya Serebryany96eab652015-05-14 22:41:49 +0000[diff] [blame]118// Private copy of SHA1 implementation.
119static const int kSHA1NumBytes = 20;
120// Computes SHA1 hash of 'Len' bytes in 'Data', writes kSHA1NumBytes to 'Out'.
121void ComputeSHA1(const uint8_t *Data, size_t Len, uint8_t *Out);
122
Kostya Serebryanybc7c0ad2015-08-11 01:44:42 +0000[diff] [blame]123// Changes U to contain only ASCII (isprint+isspace) characters.
124// Returns true iff U has been changed.
Kostya Serebryany8a5bef02016-02-13 17:56:51 +0000[diff] [blame]125bool ToASCII(uint8_t *Data, size_t Size);
Kostya Serebryanya9346c22015-09-02 19:08:08 +0000[diff] [blame]126bool IsASCII(const Unit &U);
Kostya Serebryanyf1f3f932016-05-26 20:03:02 +0000[diff] [blame]127bool IsASCII(const uint8_t *Data, size_t Size);
Kostya Serebryanybc7c0ad2015-08-11 01:44:42 +0000[diff] [blame]128
Kostya Serebryany9690fcf2015-05-12 18:51:57 +0000[diff] [blame]129int NumberOfCpuCores();
Kostya Serebryanyd6edce92015-10-16 23:04:31 +0000[diff] [blame]130int GetPid();
Kostya Serebryany8b8f7a32016-05-06 23:38:07 +0000[diff] [blame]131void SleepSeconds(int Seconds);
Kostya Serebryany9690fcf2015-05-12 18:51:57 +0000[diff] [blame]132
Kostya Serebryanya3992212016-02-13 03:00:53 +0000[diff] [blame]133class Random {
Kostya Serebryanyecab57b2016-02-13 02:39:30 +0000[diff] [blame]134 public:
Kostya Serebryanya3992212016-02-13 03:00:53 +0000[diff] [blame]135 Random(unsigned int seed) : R(seed) {}
136 size_t Rand() { return R(); }
137 size_t RandBool() { return Rand() % 2; }
Kostya Serebryanyecab57b2016-02-13 02:39:30 +0000[diff] [blame]138 size_t operator()(size_t n) { return n ? Rand() % n : 0; }
Kostya Serebryany7ec0c562016-02-13 03:25:16 +0000[diff] [blame]139 std::mt19937 &Get_mt19937() { return R; }
Kostya Serebryanyecab57b2016-02-13 02:39:30 +0000[diff] [blame]140 private:
Kostya Serebryanya3992212016-02-13 03:00:53 +0000[diff] [blame]141 std::mt19937 R;
Kostya Serebryanyecab57b2016-02-13 02:39:30 +0000[diff] [blame]142};
143
Kostya Serebryany9838b2b2015-09-03 20:23:46 +0000[diff] [blame]144// Dictionary.
145
146// Parses one dictionary entry.
147// If successfull, write the enty to Unit and returns true,
148// otherwise returns false.
149bool ParseOneDictionaryEntry(const std::string &Str, Unit *U);
150// Parses the dictionary file, fills Units, returns true iff all lines
151// were parsed succesfully.
152bool ParseDictionaryFile(const std::string &Text, std::vector<Unit> *Units);
153
Kostya Serebryany292cf032016-02-13 03:37:24 +0000[diff] [blame]154class DictionaryEntry {
155 public:
156 DictionaryEntry() {}
157 DictionaryEntry(Word W) : W(W) {}
158 DictionaryEntry(Word W, size_t PositionHint) : W(W), PositionHint(PositionHint) {}
159 const Word &GetW() const { return W; }
160
161 bool HasPositionHint() const { return PositionHint != std::numeric_limits<size_t>::max(); }
162 size_t GetPositionHint() const {
163 assert(HasPositionHint());
164 return PositionHint;
165 }
166 void IncUseCount() { UseCount++; }
167 void IncSuccessCount() { SuccessCount++; }
168 size_t GetUseCount() const { return UseCount; }
169 size_t GetSuccessCount() const {return SuccessCount; }
170
171private:
172 Word W;
173 size_t PositionHint = std::numeric_limits<size_t>::max();
174 size_t UseCount = 0;
175 size_t SuccessCount = 0;
176};
177
178class Dictionary {
179 public:
180 static const size_t kMaxDictSize = 1 << 14;
181
182 bool ContainsWord(const Word &W) const {
183 return std::any_of(begin(), end(), [&](const DictionaryEntry &DE) {
184 return DE.GetW() == W;
185 });
186 }
187 const DictionaryEntry *begin() const { return &DE[0]; }
188 const DictionaryEntry *end() const { return begin() + Size; }
189 DictionaryEntry & operator[] (size_t Idx) {
190 assert(Idx < Size);
191 return DE[Idx];
192 }
193 void push_back(DictionaryEntry DE) {
194 if (Size < kMaxDictSize)
195 this->DE[Size++] = DE;
196 }
197 void clear() { Size = 0; }
198 bool empty() const { return Size == 0; }
199 size_t size() const { return Size; }
200
201private:
202 DictionaryEntry DE[kMaxDictSize];
203 size_t Size = 0;
204};
205
Mike Aizatskyf0b3e852016-06-23 20:44:48 +0000[diff] [blame]206struct FuzzingOptions {
207 int Verbosity = 1;
208 size_t MaxLen = 0;
209 int UnitTimeoutSec = 300;
210 int TimeoutExitCode = 77;
211 int ErrorExitCode = 77;
212 int MaxTotalTimeSec = 0;
213 int RssLimitMb = 0;
214 bool DoCrossOver = true;
215 int MutateDepth = 5;
216 bool UseCounters = false;
217 bool UseIndirCalls = true;
218 bool UseTraces = false;
219 bool UseMemcmp = true;
220 bool UseFullCoverageSet = false;
221 bool Reload = true;
222 bool ShuffleAtStartUp = true;
223 bool PreferSmall = true;
224 size_t MaxNumberOfRuns = ULONG_MAX;
225 int ReportSlowUnits = 10;
226 bool OnlyASCII = false;
227 std::string OutputCorpus;
228 std::string ArtifactPrefix = "./";
229 std::string ExactArtifactPath;
230 bool SaveArtifacts = true;
231 bool PrintNEW = true; // Print a status line when new units are found;
232 bool OutputCSV = false;
233 bool PrintNewCovPcs = false;
234 bool PrintFinalStats = false;
235 bool DetectLeaks = true;
236 bool TruncateUnits = false;
237 bool PruneCorpus = true;
238};
239
Kostya Serebryany628bc3e2016-01-16 00:04:36 +0000[diff] [blame]240class MutationDispatcher {
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]241public:
Mike Aizatskyf0b3e852016-06-23 20:44:48 +0000[diff] [blame]242 MutationDispatcher(Random &Rand, const FuzzingOptions &Options);
Kostya Serebryany292cf032016-02-13 03:37:24 +0000[diff] [blame]243 ~MutationDispatcher() {}
Kostya Serebryany628bc3e2016-01-16 00:04:36 +0000[diff] [blame]244 /// Indicate that we are about to start a new sequence of mutations.
245 void StartMutationSequence();
246 /// Print the current sequence of mutations.
247 void PrintMutationSequence();
248 /// Indicate that the current sequence of mutations was successfull.
249 void RecordSuccessfulMutationSequence();
Mike Aizatsky70fd3e42016-06-03 21:34:29 +0000[diff] [blame]250 /// Mutates data by invoking user-provided mutator.
251 size_t Mutate_Custom(uint8_t *Data, size_t Size, size_t MaxSize);
Mike Aizatsky41d66832016-06-07 20:22:15 +0000[diff] [blame]252 /// Mutates data by invoking user-provided crossover.
253 size_t Mutate_CustomCrossOver(uint8_t *Data, size_t Size, size_t MaxSize);
Kostya Serebryany628bc3e2016-01-16 00:04:36 +0000[diff] [blame]254 /// Mutates data by shuffling bytes.
255 size_t Mutate_ShuffleBytes(uint8_t *Data, size_t Size, size_t MaxSize);
256 /// Mutates data by erasing a byte.
257 size_t Mutate_EraseByte(uint8_t *Data, size_t Size, size_t MaxSize);
258 /// Mutates data by inserting a byte.
259 size_t Mutate_InsertByte(uint8_t *Data, size_t Size, size_t MaxSize);
260 /// Mutates data by chanding one byte.
261 size_t Mutate_ChangeByte(uint8_t *Data, size_t Size, size_t MaxSize);
262 /// Mutates data by chanding one bit.
263 size_t Mutate_ChangeBit(uint8_t *Data, size_t Size, size_t MaxSize);
264
265 /// Mutates data by adding a word from the manual dictionary.
266 size_t Mutate_AddWordFromManualDictionary(uint8_t *Data, size_t Size,
267 size_t MaxSize);
268
269 /// Mutates data by adding a word from the temporary automatic dictionary.
270 size_t Mutate_AddWordFromTemporaryAutoDictionary(uint8_t *Data, size_t Size,
271 size_t MaxSize);
272
273 /// Mutates data by adding a word from the persistent automatic dictionary.
274 size_t Mutate_AddWordFromPersistentAutoDictionary(uint8_t *Data, size_t Size,
275 size_t MaxSize);
276
277 /// Tries to find an ASCII integer in Data, changes it to another ASCII int.
278 size_t Mutate_ChangeASCIIInteger(uint8_t *Data, size_t Size, size_t MaxSize);
279
280 /// CrossOver Data with some other element of the corpus.
281 size_t Mutate_CrossOver(uint8_t *Data, size_t Size, size_t MaxSize);
282
Mike Aizatsky70fd3e42016-06-03 21:34:29 +0000[diff] [blame]283 /// Applies one of the configured mutations.
Kostya Serebryany628bc3e2016-01-16 00:04:36 +0000[diff] [blame]284 /// Returns the new size of data which could be up to MaxSize.
285 size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize);
Mike Aizatsky70fd3e42016-06-03 21:34:29 +0000[diff] [blame]286 /// Applies one of the default mutations. Provided as a service
287 /// to mutation authors.
288 size_t DefaultMutate(uint8_t *Data, size_t Size, size_t MaxSize);
Kostya Serebryany628bc3e2016-01-16 00:04:36 +0000[diff] [blame]289
290 /// Creates a cross-over of two pieces of Data, returns its size.
291 size_t CrossOver(const uint8_t *Data1, size_t Size1, const uint8_t *Data2,
292 size_t Size2, uint8_t *Out, size_t MaxOutSize);
293
Kostya Serebryany476f0ce2016-01-16 03:53:32 +0000[diff] [blame]294 void AddWordToManualDictionary(const Word &W);
Kostya Serebryany628bc3e2016-01-16 00:04:36 +0000[diff] [blame]295
Kostya Serebryany476f0ce2016-01-16 03:53:32 +0000[diff] [blame]296 void AddWordToAutoDictionary(const Word &W, size_t PositionHint);
Kostya Serebryany628bc3e2016-01-16 00:04:36 +0000[diff] [blame]297 void ClearAutoDictionary();
298 void PrintRecommendedDictionary();
299
Kostya Serebryany292cf032016-02-13 03:37:24 +0000[diff] [blame]300 void SetCorpus(const std::vector<Unit> *Corpus) { this->Corpus = Corpus; }
Kostya Serebryany628bc3e2016-01-16 00:04:36 +0000[diff] [blame]301
Kostya Serebryany7ec0c562016-02-13 03:25:16 +0000[diff] [blame]302 Random &GetRand() { return Rand; }
303
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]304private:
Kostya Serebryany292cf032016-02-13 03:37:24 +0000[diff] [blame]305
306 struct Mutator {
307 size_t (MutationDispatcher::*Fn)(uint8_t *Data, size_t Size, size_t Max);
308 const char *Name;
309 };
310
Kostya Serebryany292cf032016-02-13 03:37:24 +0000[diff] [blame]311 size_t AddWordFromDictionary(Dictionary &D, uint8_t *Data, size_t Size,
312 size_t MaxSize);
Mike Aizatsky70fd3e42016-06-03 21:34:29 +0000[diff] [blame]313 size_t MutateImpl(uint8_t *Data, size_t Size, size_t MaxSize,
314 const std::vector<Mutator> &Mutators);
315
Kostya Serebryanya3992212016-02-13 03:00:53 +0000[diff] [blame]316 Random &Rand;
Mike Aizatskyf0b3e852016-06-23 20:44:48 +0000[diff] [blame]317 const FuzzingOptions Options;
318
Kostya Serebryany292cf032016-02-13 03:37:24 +0000[diff] [blame]319 // Dictionary provided by the user via -dict=DICT_FILE.
320 Dictionary ManualDictionary;
321 // Temporary dictionary modified by the fuzzer itself,
322 // recreated periodically.
323 Dictionary TempAutoDictionary;
324 // Persistent dictionary modified by the fuzzer, consists of
325 // entries that led to successfull discoveries in the past mutations.
326 Dictionary PersistentAutoDictionary;
Kostya Serebryany292cf032016-02-13 03:37:24 +0000[diff] [blame]327 std::vector<Mutator> CurrentMutatorSequence;
328 std::vector<DictionaryEntry *> CurrentDictionaryEntrySequence;
329 const std::vector<Unit> *Corpus = nullptr;
Kostya Serebryany8a5bef02016-02-13 17:56:51 +0000[diff] [blame]330 std::vector<uint8_t> MutateInPlaceHere;
Kostya Serebryany23194962016-02-13 03:46:26 +0000[diff] [blame]331
Mike Aizatsky70fd3e42016-06-03 21:34:29 +0000[diff] [blame]332 std::vector<Mutator> Mutators;
333 std::vector<Mutator> DefaultMutators;
Kostya Serebryany628bc3e2016-01-16 00:04:36 +0000[diff] [blame]334};
335
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]336class Fuzzer {
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]337public:
Mike Aizatsky1aa501e2016-05-10 23:43:15 +0000[diff] [blame]338
339 // Aggregates all available coverage measurements.
340 struct Coverage {
341 Coverage() { Reset(); }
342
343 void Reset() {
344 BlockCoverage = 0;
345 CallerCalleeCoverage = 0;
346 PcMapBits = 0;
347 CounterBitmapBits = 0;
348 PcBufferLen = 0;
349 CounterBitmap.clear();
350 PCMap.Reset();
351 }
352
353 std::string DebugString() const;
354
355 size_t BlockCoverage;
356 size_t CallerCalleeCoverage;
357
358 size_t PcBufferLen;
359 // Precalculated number of bits in CounterBitmap.
360 size_t CounterBitmapBits;
361 std::vector<uint8_t> CounterBitmap;
362 // Precalculated number of bits in PCMap.
363 size_t PcMapBits;
364 PcCoverageMap PCMap;
365 };
366
Kostya Serebryany7ec0c562016-02-13 03:25:16 +0000[diff] [blame]367 Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options);
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]368 void AddToCorpus(const Unit &U) {
369 Corpus.push_back(U);
370 UpdateCorpusDistribution();
371 }
Kostya Serebryanydc3135d2015-11-12 01:02:01 +0000[diff] [blame]372 size_t ChooseUnitIdxToMutate();
373 const Unit &ChooseUnitToMutate() { return Corpus[ChooseUnitIdxToMutate()]; };
Mike Aizatskyaf432a42016-05-24 23:14:29 +0000[diff] [blame]374 void TruncateUnits(std::vector<Unit> *NewCorpus);
Kostya Serebryany468ed782015-09-08 17:30:35 +0000[diff] [blame]375 void Loop();
Kostya Serebryanydc3135d2015-11-12 01:02:01 +0000[diff] [blame]376 void Drill();
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]377 void ShuffleAndMinimize();
Kostya Serebryany22526252015-05-11 21:16:27 +0000[diff] [blame]378 void InitializeTraceState();
Kostya Serebryanyd50a3ee2016-01-13 23:02:30 +0000[diff] [blame]379 void AssignTaintLabels(uint8_t *Data, size_t Size);
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]380 size_t CorpusSize() const { return Corpus.size(); }
Kostya Serebryany64d24572016-03-12 01:57:04 +0000[diff] [blame]381 size_t MaxUnitSizeInCorpus() const;
Kostya Serebryanya35f7d32016-02-18 21:49:10 +0000[diff] [blame]382 void ReadDir(const std::string &Path, long *Epoch, size_t MaxSize) {
Kostya Serebryany9cc3b0d2015-10-24 01:16:40 +0000[diff] [blame]383 Printf("Loading corpus: %s\n", Path.c_str());
Kostya Serebryanya35f7d32016-02-18 21:49:10 +0000[diff] [blame]384 ReadDirToVectorOfUnits(Path.c_str(), &Corpus, Epoch, MaxSize);
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]385 }
Kostya Serebryany64d24572016-03-12 01:57:04 +0000[diff] [blame]386 void RereadOutputCorpus(size_t MaxSize);
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]387 // Save the current corpus to OutputCorpus.
388 void SaveCorpus();
389
Kostya Serebryany92e04762015-02-04 23:42:42 +0000[diff] [blame]390 size_t secondsSinceProcessStartUp() {
391 return duration_cast<seconds>(system_clock::now() - ProcessStartTime)
392 .count();
393 }
Kostya Serebryany66ff0752016-02-26 22:42:23 +0000[diff] [blame]394 size_t execPerSec() {
395 size_t Seconds = secondsSinceProcessStartUp();
396 return Seconds ? TotalNumberOfRuns / Seconds : 0;
397 }
Kostya Serebryany92e04762015-02-04 23:42:42 +0000[diff] [blame]398
399 size_t getTotalNumberOfRuns() { return TotalNumberOfRuns; }
400
Kostya Serebryany52a788e2015-03-31 20:13:20 +0000[diff] [blame]401 static void StaticAlarmCallback();
Kostya Serebryany228d5b12016-03-01 22:19:21 +0000[diff] [blame]402 static void StaticCrashSignalCallback();
403 static void StaticInterruptCallback();
Kostya Serebryany52a788e2015-03-31 20:13:20 +0000[diff] [blame]404
Kostya Serebryany8a5bef02016-02-13 17:56:51 +0000[diff] [blame]405 void ExecuteCallback(const uint8_t *Data, size_t Size);
Kostya Serebryanybaf7fd02016-05-04 20:44:50 +0000[diff] [blame]406 bool RunOne(const uint8_t *Data, size_t Size);
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]407
Kostya Serebryany9cc3b0d2015-10-24 01:16:40 +0000[diff] [blame]408 // Merge Corpora[1:] into Corpora[0].
409 void Merge(const std::vector<std::string> &Corpora);
Kostya Serebryany945761b2016-03-18 00:23:29 +0000[diff] [blame]410 // Returns a subset of 'Extra' that adds coverage to 'Initial'.
411 UnitVector FindExtraUnits(const UnitVector &Initial, const UnitVector &Extra);
Kostya Serebryany1deb0492016-02-13 06:24:18 +0000[diff] [blame]412 MutationDispatcher &GetMD() { return MD; }
Kostya Serebryany66ff0752016-02-26 22:42:23 +0000[diff] [blame]413 void PrintFinalStats();
Kostya Serebryany64d24572016-03-12 01:57:04 +0000[diff] [blame]414 void SetMaxLen(size_t MaxLen);
Kostya Serebryany8b8f7a32016-05-06 23:38:07 +0000[diff] [blame]415 void RssLimitCallback();
Kostya Serebryany9cc3b0d2015-10-24 01:16:40 +0000[diff] [blame]416
Mike Aizatskyaf432a42016-05-24 23:14:29 +0000[diff] [blame]417 // Public for tests.
418 void ResetCoverage();
419
Kostya Serebryanyf26017b2016-05-26 21:32:30 +0000[diff] [blame]420 bool InFuzzingThread() const { return IsMyThread; }
Kostya Serebryanyd8384122016-05-26 22:17:32 +0000[diff] [blame]421 size_t GetCurrentUnitInFuzzingThead(const uint8_t **Data) const;
Kostya Serebryanyf26017b2016-05-26 21:32:30 +0000[diff] [blame]422
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]423private:
Kostya Serebryany52a788e2015-03-31 20:13:20 +0000[diff] [blame]424 void AlarmCallback();
Kostya Serebryany228d5b12016-03-01 22:19:21 +0000[diff] [blame]425 void CrashCallback();
426 void InterruptCallback();
Kostya Serebryany27ab2d72015-12-19 02:49:09 +0000[diff] [blame]427 void MutateAndTestOne();
Kostya Serebryany007c9b22015-10-22 22:50:47 +0000[diff] [blame]428 void ReportNewCoverage(const Unit &U);
Kostya Serebryany8a5bef02016-02-13 17:56:51 +0000[diff] [blame]429 bool RunOne(const Unit &U) { return RunOne(U.data(), U.size()); }
Kostya Serebryanyf1f3f932016-05-26 20:03:02 +0000[diff] [blame]430 void RunOneAndUpdateCorpus(const uint8_t *Data, size_t Size);
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]431 void WriteToOutputCorpus(const Unit &U);
Kostya Serebryany2b7d2e92015-07-23 18:37:22 +0000[diff] [blame]432 void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix);
Kostya Serebryany09d2a5f2015-10-22 22:56:45 +0000[diff] [blame]433 void PrintStats(const char *Where, const char *End = "\n");
Kostya Serebryanydc3135d2015-11-12 01:02:01 +0000[diff] [blame]434 void PrintStatusForNewUnit(const Unit &U);
Kostya Serebryany945761b2016-03-18 00:23:29 +0000[diff] [blame]435 void ShuffleCorpus(UnitVector *V);
Kostya Serebryany4b923262016-05-26 20:25:49 +0000[diff] [blame]436 void TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size,
437 bool DuringInitialCorpusExecution);
Kostya Serebryany945761b2016-03-18 00:23:29 +0000[diff] [blame]438
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]439 // Updates the probability distribution for the units in the corpus.
440 // Must be called whenever the corpus or unit weights are changed.
441 void UpdateCorpusDistribution();
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]442
Mike Aizatsky1aa501e2016-05-10 23:43:15 +0000[diff] [blame]443 bool UpdateMaxCoverage();
Kostya Serebryany007c9b22015-10-22 22:50:47 +0000[diff] [blame]444
Kostya Serebryanybeb24c32015-05-07 21:02:11 +0000[diff] [blame]445 // Trace-based fuzzing: we run a unit with some kind of tracing
446 // enabled and record potentially useful mutations. Then
447 // We apply these mutations one by one to the unit and run it again.
448
449 // Start tracing; forget all previously proposed mutations.
450 void StartTraceRecording();
Kostya Serebryanyb65805a2016-01-09 03:08:58 +0000[diff] [blame]451 // Stop tracing.
452 void StopTraceRecording();
Kostya Serebryanybeb24c32015-05-07 21:02:11 +0000[diff] [blame]453
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]454 void SetDeathCallback();
Kostya Serebryany52a788e2015-03-31 20:13:20 +0000[diff] [blame]455 static void StaticDeathCallback();
Kostya Serebryany228d5b12016-03-01 22:19:21 +0000[diff] [blame]456 void DumpCurrentUnit(const char *Prefix);
Kostya Serebryany52a788e2015-03-31 20:13:20 +0000[diff] [blame]457 void DeathCallback();
Kostya Serebryany98abb2c2016-01-13 23:46:01 +0000[diff] [blame]458
Kostya Serebryany8fc3a272016-05-27 00:21:33 +0000[diff] [blame]459 void LazyAllocateCurrentUnitData();
460 uint8_t *CurrentUnitData = nullptr;
Kostya Serebryany0edb5632016-05-27 00:54:15 +0000[diff] [blame]461 std::atomic<size_t> CurrentUnitSize;
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]462
463 size_t TotalNumberOfRuns = 0;
Kostya Serebryany66ff0752016-02-26 22:42:23 +0000[diff] [blame]464 size_t NumberOfNewUnitsAdded = 0;
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]465
Kostya Serebryany1bfd5832016-04-20 00:24:21 +0000[diff] [blame]466 bool HasMoreMallocsThanFrees = false;
Kostya Serebryany7018a1a2016-04-27 19:52:34 +0000[diff] [blame]467 size_t NumberOfLeakDetectionAttempts = 0;
Kostya Serebryany1bfd5832016-04-20 00:24:21 +0000[diff] [blame]468
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]469 std::vector<Unit> Corpus;
Kostya Serebryanycbb23342015-05-19 01:06:07 +0000[diff] [blame]470 std::unordered_set<std::string> UnitHashesAddedToCorpus;
Kostya Serebryany8a5bef02016-02-13 17:56:51 +0000[diff] [blame]471
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]472 std::piecewise_constant_distribution<double> CorpusDistribution;
Kostya Serebryany7ec0c562016-02-13 03:25:16 +0000[diff] [blame]473 UserCallback CB;
474 MutationDispatcher &MD;
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]475 FuzzingOptions Options;
476 system_clock::time_point ProcessStartTime = system_clock::now();
Kostya Serebryany52a788e2015-03-31 20:13:20 +0000[diff] [blame]477 system_clock::time_point UnitStartTime;
Kostya Serebryany16901a92015-03-30 23:04:35 +0000[diff] [blame]478 long TimeOfLongestUnitInSeconds = 0;
Kostya Serebryany1ac80552015-05-08 21:30:55 +0000[diff] [blame]479 long EpochOfLastReadOfOutputCorpus = 0;
Mike Aizatsky1aa501e2016-05-10 23:43:15 +0000[diff] [blame]480
481 // Maximum recorded coverage.
482 Coverage MaxCoverage;
Kostya Serebryanyf26017b2016-05-26 21:32:30 +0000[diff] [blame]483
484 // Need to know our own thread.
485 static thread_local bool IsMyThread;
Aaron Ballmanef116982015-01-29 16:58:29 +0000[diff] [blame]486};
487
Dan Liew1873a492016-06-07 23:32:50 +0000[diff] [blame]488// Global interface to functions that may or may not be available.
489extern ExternalFunctions *EF;
490
Ivan Krasindf919102016-01-22 22:28:27 +0000[diff] [blame]491}; // namespace fuzzer
Yaron Keren347663b2015-08-10 16:37:40 +0000[diff] [blame]492
493#endif // LLVM_FUZZER_INTERNAL_H