X-Git-Url: http://plrg.eecs.uci.edu/git/?a=blobdiff_plain;f=lib%2FFuzzer%2FFuzzerInternal.h;h=0fa0b90b8034fe033181305f63e7d9688a36655a;hb=f41e3780b34ee80e2186bbd9fac2e57039c70ab2;hp=3049167c62bc59b579f29ce3b6951b6b7c5fecad;hpb=9906eefc84affaf8b63a2ae1682131a70fe12182;p=oota-llvm.git
diff --git a/lib/Fuzzer/FuzzerInternal.h b/lib/Fuzzer/FuzzerInternal.h
index 3049167c62b..0fa0b90b803 100644
--- a/lib/Fuzzer/FuzzerInternal.h
+++ b/lib/Fuzzer/FuzzerInternal.h
@@ -56,6 +56,7 @@ bool ToASCII(Unit &U);
 bool IsASCII(const Unit &U);
 int NumberOfCpuCores();
+int GetPid();
 // Dictionary.
@@ -78,9 +79,11 @@ class Fuzzer {
 int MutateDepth = 5;
 bool ExitOnFirst = false;
 bool UseCounters = false;
+ bool UseIndirCalls = true;
 bool UseTraces = false;
 bool UseFullCoverageSet = false;
 bool Reload = true;
+ bool ShuffleAtStartUp = true;
 int PreferSmallDuringInitialShuffle = -1;
 size_t MaxNumberOfRuns = ULONG_MAX;
 int SyncTimeout = 600;
@@ -90,16 +93,19 @@ class Fuzzer {
 int TBMWidth = 10;
 std::string OutputCorpus;
 std::string SyncCommand;
- std::vector Tokens;
+ std::string ArtifactPrefix = "./";
 std::vector Dictionary;
+ bool SaveArtifacts = true;
 };
 Fuzzer(UserSuppliedFuzzer &USF, FuzzingOptions Options);
 void AddToCorpus(const Unit &U) { Corpus.push_back(U); }
+ size_t ChooseUnitToMutate();
 void Loop();
 void ShuffleAndMinimize();
 void InitializeTraceState();
 size_t CorpusSize() const { return Corpus.size(); }
 void ReadDir(const std::string &Path, long *Epoch) {
+ Printf("Loading corpus: %s\n", Path.c_str());
 ReadDirToVectorOfUnits(Path.c_str(), &Corpus, Epoch);
 }
 void RereadOutputCorpus();
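Review bot: The two new FuzzingOptions fields `UseIndirCalls = true` and `ShuffleAtStartUp = true` switch behaviour on by default without a comment saying what each one controls, and nothing in the hunk ties them to the code that reads them. Judging from the `RecordCallerCalleeCoverage()` declaration added later in this commit, `UseIndirCalls` presumably gates caller/callee coverage, but that should be stated rather than inferred; something like `// Also record caller-callee (indirect call) coverage; see RecordCallerCalleeCoverage().` and `// Shuffle the initial corpus before the first minimization pass.` would do, with the second wording confirmed against ShuffleAndMinimize(). The FuzzingOptions struct begins before this hunk.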
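Review bot: `std::string ArtifactPrefix = "./"` is the one new option whose value reaches the file system, and the hunk does not say whether it is a directory or a literal file-name prefix; the default only makes sense as the former, while a value like `out/crash-` only makes sense as the latter. Since `WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix)` takes a bare `const char *`, the string is presumably concatenated as-is, so a comment on the field such as `// Prepended verbatim to each saved artifact's file name; end it with '/' to name a directory.` (wording to be confirmed against the definition) would prevent misuse, and `SaveArtifacts` should say that it gates those writes entirely. The `Printf("Loading corpus: %s\n", ...)` added to ReadDir is fine but note it echoes the user-supplied path on every reload, which is the only place this header prints a path. The FuzzingOptions struct and the Fuzzer class both begin before this hunk.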
@@ -115,24 +121,30 @@ class Fuzzer {
 static void StaticAlarmCallback();
- Unit SubstituteTokens(const Unit &U) const;
 void ExecuteCallback(const Unit &U);
+ // Merge Corpora[1:] into Corpora[0].
+ void Merge(const std::vector &Corpora);
+
 private:
 void AlarmCallback();
 void MutateAndTestOne(Unit *U);
- void ReportNewCoverage(size_t NewCoverage, const Unit &U);
- size_t RunOne(const Unit &U);
+ void ReportNewCoverage(const Unit &U);
+ bool RunOne(const Unit &U);
 void RunOneAndUpdateCorpus(Unit &U);
- size_t RunOneMaximizeTotalCoverage(const Unit &U);
- size_t RunOneMaximizeCoveragePairs(const Unit &U);
 void WriteToOutputCorpus(const Unit &U);
 void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix);
- void PrintStats(const char *Where, size_t Cov, const char *End = "\n");
- void PrintUnitInASCIIOrTokens(const Unit &U, const char *PrintAfter = "");
+ void PrintStats(const char *Where, const char *End = "\n");
+ void PrintUnitInASCII(const Unit &U, const char *PrintAfter = "");
 void SyncCorpus();
+ size_t RecordBlockCoverage();
+ size_t RecordCallerCalleeCoverage();
+ void PrepareCoverageBeforeRun();
+ bool CheckCoverageAfterRun();
+
+
 // Trace-based fuzzing: we run a unit with some kind of tracing
 // enabled and record potentially useful mutations. Then
 // We apply these mutations one by one to the unit and run it again.
@@ -170,6 +182,8 @@ class Fuzzer {
 system_clock::time_point UnitStartTime;
 long TimeOfLongestUnitInSeconds = 0;
 long EpochOfLastReadOfOutputCorpus = 0;
+ size_t LastRecordedBlockCoverage = 0;
+ size_t LastRecordedCallerCalleeCoverage = 0;
 };
 class SimpleUserSuppliedFuzzer: public UserSuppliedFuzzer {
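Review bot: `bool RunOne(const Unit &U)` and `bool CheckCoverageAfterRun()` replace size_t-returning variants, but neither new declaration says what the bool means, and `ReportNewCoverage(const Unit &U)` has lost its `NewCoverage` argument, so the three presumably now communicate through the `LastRecordedBlockCoverage`/`LastRecordedCallerCalleeCoverage` members added in the next hunk; that coupling through member state is exactly what a header comment should spell out. I would add `// Returns true if U reached coverage not seen by any earlier run; the counts are kept in LastRecorded*Coverage.` on RunOne and a matching line on CheckCoverageAfterRun, with the wording confirmed against the definitions. The comment on `Merge` ("Merge Corpora[1:] into Corpora[0]") should also state what happens when Corpora is empty or has a single element, since the contract is otherwise undefined for the caller. The Fuzzer class begins before and continues after this hunk.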
@@ -177,17 +191,11 @@ class SimpleUserSuppliedFuzzer: public UserSuppliedFuzzer {
 SimpleUserSuppliedFuzzer(FuzzerRandomBase *Rand, UserCallback Callback)
 : UserSuppliedFuzzer(Rand), Callback(Callback) {}
- SimpleUserSuppliedFuzzer(FuzzerRandomBase *Rand, DeprecatedUserCallback Callback)
- : UserSuppliedFuzzer(Rand), DeprecatedCallback(Callback) {}
-
 virtual int TargetFunction(const uint8_t *Data, size_t Size) override {
- if (Callback) return Callback(Data, Size);
- DeprecatedCallback(Data, Size);
- return 0;
+ return Callback(Data, Size);
 }
 private:
- DeprecatedUserCallback DeprecatedCallback = nullptr;
 UserCallback Callback = nullptr;
 };
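Review bot: `return Callback(Data, Size);` now calls through `Callback` unconditionally, yet the member keeps its `= nullptr` default and the deleted `if (Callback)` was the only guard, so a SimpleUserSuppliedFuzzer constructed with a null UserCallback will fault on the first execution instead of failing at construction. Since the remaining constructor is the only way to set the member, the cheapest fix is to validate there, `assert(Callback && "UserCallback must not be null");` in the constructor body, or to drop the now-misleading `= nullptr` default so the invariant is visible in the declaration. The `virtual ... override` on the surviving signature is redundant, but that line is context, not part of this change.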