1 //===- FuzzerLoop.cpp - Fuzzer's main loop --------------------------------===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 //===----------------------------------------------------------------------===//
12 #include "FuzzerInternal.h"
13 #include <sanitizer/coverage_interface.h>
17 __attribute__((weak)) void __sanitizer_print_stack_trace();
21 static const size_t kMaxUnitSizeToPrint = 256;
23 // Only one Fuzzer per process.
26 Fuzzer::Fuzzer(UserSuppliedFuzzer &USF, FuzzingOptions Options)
27 : USF(USF), Options(Options) {
29 InitializeTraceState();
34 void Fuzzer::SetDeathCallback() {
35 __sanitizer_set_death_callback(StaticDeathCallback);
38 void Fuzzer::PrintUnitInASCII(const Unit &U, const char *PrintAfter) {
39 PrintASCII(U, PrintAfter);
42 void Fuzzer::StaticDeathCallback() {
47 void Fuzzer::DeathCallback() {
49 if (CurrentUnit.size() <= kMaxUnitSizeToPrint) {
50 Print(CurrentUnit, "\n");
51 PrintUnitInASCII(CurrentUnit, "\n");
53 WriteUnitToFileWithPrefix(CurrentUnit, "crash-");
56 void Fuzzer::StaticAlarmCallback() {
61 void Fuzzer::AlarmCallback() {
62 assert(Options.UnitTimeoutSec > 0);
64 duration_cast<seconds>(system_clock::now() - UnitStartTime).count();
65 if (Seconds == 0) return;
66 if (Options.Verbosity >= 2)
67 Printf("AlarmCallback %zd\n", Seconds);
68 if (Seconds >= (size_t)Options.UnitTimeoutSec) {
69 Printf("ALARM: working on the last Unit for %zd seconds\n", Seconds);
70 Printf(" and the timeout value is %d (use -timeout=N to change)\n",
71 Options.UnitTimeoutSec);
72 if (CurrentUnit.size() <= kMaxUnitSizeToPrint) {
73 Print(CurrentUnit, "\n");
74 PrintUnitInASCII(CurrentUnit, "\n");
76 WriteUnitToFileWithPrefix(CurrentUnit, "timeout-");
77 Printf("==%d== ERROR: libFuzzer: timeout after %d seconds\n", GetPid(),
79 if (__sanitizer_print_stack_trace)
80 __sanitizer_print_stack_trace();
81 Printf("SUMMARY: libFuzzer: timeout\n");
86 void Fuzzer::PrintStats(const char *Where, size_t Cov, const char *End) {
87 if (!Options.Verbosity) return;
88 size_t Seconds = secondsSinceProcessStartUp();
89 size_t ExecPerSec = (Seconds ? TotalNumberOfRuns / Seconds : 0);
90 Printf("#%zd\t%s", TotalNumberOfRuns, Where);
91 Printf(" cov: %zd", Cov);
92 if (auto TB = TotalBits())
93 Printf(" bits: %zd", TB);
94 Printf(" units: %zd exec/s: %zd", Corpus.size(), ExecPerSec);
95 if (TotalNumberOfExecutedTraceBasedMutations)
96 Printf(" tbm: %zd", TotalNumberOfExecutedTraceBasedMutations);
100 void Fuzzer::RereadOutputCorpus() {
101 if (Options.OutputCorpus.empty()) return;
102 std::vector<Unit> AdditionalCorpus;
103 ReadDirToVectorOfUnits(Options.OutputCorpus.c_str(), &AdditionalCorpus,
104 &EpochOfLastReadOfOutputCorpus);
105 if (Corpus.empty()) {
106 Corpus = AdditionalCorpus;
109 if (!Options.Reload) return;
110 if (Options.Verbosity >= 2)
111 Printf("Reload: read %zd new units.\n", AdditionalCorpus.size());
112 for (auto &X : AdditionalCorpus) {
113 if (X.size() > (size_t)Options.MaxLen)
114 X.resize(Options.MaxLen);
115 if (UnitHashesAddedToCorpus.insert(Hash(X)).second) {
117 CurrentUnit.insert(CurrentUnit.begin(), X.begin(), X.end());
118 if (RunOne(CurrentUnit)) {
120 if (Options.Verbosity >= 1)
121 PrintStats("RELOAD", LastRecordedBlockCoverage);
127 void Fuzzer::ShuffleAndMinimize() {
128 bool PreferSmall = (Options.PreferSmallDuringInitialShuffle == 1 ||
129 (Options.PreferSmallDuringInitialShuffle == -1 &&
130 USF.GetRand().RandBool()));
131 if (Options.Verbosity)
132 Printf("PreferSmall: %d\n", PreferSmall);
133 PrintStats("READ ", 0);
134 std::vector<Unit> NewCorpus;
135 if (Options.ShuffleAtStartUp) {
136 std::random_shuffle(Corpus.begin(), Corpus.end(), USF.GetRand());
139 Corpus.begin(), Corpus.end(),
140 [](const Unit &A, const Unit &B) { return A.size() < B.size(); });
142 Unit &U = CurrentUnit;
143 for (const auto &C : Corpus) {
144 for (size_t First = 0; First < 1; First++) {
146 size_t Last = std::min(First + Options.MaxLen, C.size());
147 U.insert(U.begin(), C.begin() + First, C.begin() + Last);
148 if (Options.OnlyASCII)
151 NewCorpus.push_back(U);
152 if (Options.Verbosity >= 2)
153 Printf("NEW0: %zd L %zd\n", LastRecordedBlockCoverage, U.size());
158 for (auto &X : Corpus)
159 UnitHashesAddedToCorpus.insert(Hash(X));
160 PrintStats("INITED", LastRecordedBlockCoverage);
163 bool Fuzzer::RunOne(const Unit &U) {
164 UnitStartTime = system_clock::now();
167 PrepareCoverageBeforeRun();
169 bool Res = CheckCoverageAfterRun();
171 auto UnitStopTime = system_clock::now();
173 duration_cast<seconds>(UnitStopTime - UnitStartTime).count();
174 if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)) && Options.Verbosity)
175 PrintStats("pulse ", LastRecordedBlockCoverage);
176 if (TimeOfUnit > TimeOfLongestUnitInSeconds &&
177 TimeOfUnit >= Options.ReportSlowUnits) {
178 TimeOfLongestUnitInSeconds = TimeOfUnit;
179 Printf("Slowest unit: %zd s:\n", TimeOfLongestUnitInSeconds);
180 WriteUnitToFileWithPrefix(U, "slow-unit-");
185 void Fuzzer::RunOneAndUpdateCorpus(Unit &U) {
186 if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
188 if (Options.OnlyASCII)
191 ReportNewCoverage(U);
194 void Fuzzer::ExecuteCallback(const Unit &U) {
195 int Res = USF.TargetFunction(U.data(), U.size());
200 size_t Fuzzer::RecordBlockCoverage() {
201 return LastRecordedBlockCoverage = __sanitizer_get_total_unique_coverage();
204 void Fuzzer::PrepareCoverageBeforeRun() {
205 if (Options.UseCounters) {
206 size_t NumCounters = __sanitizer_get_number_of_counters();
207 CounterBitmap.resize(NumCounters);
208 __sanitizer_update_counter_bitset_and_clear_counters(0);
210 RecordBlockCoverage();
213 bool Fuzzer::CheckCoverageAfterRun() {
214 size_t OldCoverage = LastRecordedBlockCoverage;
215 size_t NewCoverage = RecordBlockCoverage();
216 size_t NumNewBits = 0;
217 if (Options.UseCounters)
218 NumNewBits = __sanitizer_update_counter_bitset_and_clear_counters(
219 CounterBitmap.data());
220 return NewCoverage > OldCoverage || NumNewBits;
223 void Fuzzer::WriteToOutputCorpus(const Unit &U) {
224 if (Options.OutputCorpus.empty()) return;
225 std::string Path = DirPlusFile(Options.OutputCorpus, Hash(U));
226 WriteToFile(U, Path);
227 if (Options.Verbosity >= 2)
228 Printf("Written to %s\n", Path.c_str());
229 assert(!Options.OnlyASCII || IsASCII(U));
232 void Fuzzer::WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix) {
233 if (!Options.SaveArtifacts)
235 std::string Path = Options.ArtifactPrefix + Prefix + Hash(U);
236 WriteToFile(U, Path);
237 Printf("artifact_prefix='%s'; Test unit written to %s\n",
238 Options.ArtifactPrefix.c_str(), Path.c_str());
239 if (U.size() <= kMaxUnitSizeToPrint) {
241 PrintFileAsBase64(Path);
245 void Fuzzer::SaveCorpus() {
246 if (Options.OutputCorpus.empty()) return;
247 for (const auto &U : Corpus)
248 WriteToFile(U, DirPlusFile(Options.OutputCorpus, Hash(U)));
249 if (Options.Verbosity)
250 Printf("Written corpus of %zd files to %s\n", Corpus.size(),
251 Options.OutputCorpus.c_str());
254 void Fuzzer::ReportNewCoverage(const Unit &U) {
256 UnitHashesAddedToCorpus.insert(Hash(U));
257 PrintStats("NEW ", LastRecordedBlockCoverage, "");
258 if (Options.Verbosity) {
259 Printf(" L: %zd", U.size());
262 PrintUnitInASCII(U, "\t");
267 WriteToOutputCorpus(U);
268 if (Options.ExitOnFirst)
272 void Fuzzer::MutateAndTestOne(Unit *U) {
273 for (int i = 0; i < Options.MutateDepth; i++) {
274 StartTraceRecording();
275 size_t Size = U->size();
276 U->resize(Options.MaxLen);
277 size_t NewSize = USF.Mutate(U->data(), Size, U->size());
278 assert(NewSize > 0 && "Mutator returned empty unit");
279 assert(NewSize <= (size_t)Options.MaxLen &&
280 "Mutator return overisized unit");
282 RunOneAndUpdateCorpus(*U);
283 size_t NumTraceBasedMutations = StopTraceRecording();
285 std::min((size_t)Options.TBMWidth, NumTraceBasedMutations);
287 std::min((size_t)Options.TBMDepth, NumTraceBasedMutations);
289 for (size_t w = 0; w < TBMWidth; w++) {
291 for (size_t d = 0; d < TBMDepth; d++) {
292 TotalNumberOfExecutedTraceBasedMutations++;
293 ApplyTraceBasedMutation(USF.GetRand()(NumTraceBasedMutations), U);
294 RunOneAndUpdateCorpus(*U);
300 void Fuzzer::Loop() {
301 for (auto &U: Options.Dictionary)
302 USF.GetMD().AddWordToDictionary(U.data(), U.size());
305 for (size_t J1 = 0; J1 < Corpus.size(); J1++) {
307 RereadOutputCorpus();
308 if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
310 if (Options.MaxTotalTimeSec > 0 &&
311 secondsSinceProcessStartUp() >
312 static_cast<size_t>(Options.MaxTotalTimeSec))
314 CurrentUnit = Corpus[J1];
315 // Optionally, cross with another unit.
316 if (Options.DoCrossOver && USF.GetRand().RandBool()) {
317 size_t J2 = USF.GetRand()(Corpus.size());
318 if (!Corpus[J1].empty() && !Corpus[J2].empty()) {
319 assert(!Corpus[J2].empty());
320 CurrentUnit.resize(Options.MaxLen);
321 size_t NewSize = USF.CrossOver(
322 Corpus[J1].data(), Corpus[J1].size(), Corpus[J2].data(),
323 Corpus[J2].size(), CurrentUnit.data(), CurrentUnit.size());
324 assert(NewSize > 0 && "CrossOver returned empty unit");
325 assert(NewSize <= (size_t)Options.MaxLen &&
326 "CrossOver returned overisized unit");
327 CurrentUnit.resize(NewSize);
330 // Perform several mutations and runs.
331 MutateAndTestOne(&CurrentUnit);
336 void Fuzzer::SyncCorpus() {
337 if (Options.SyncCommand.empty() || Options.OutputCorpus.empty()) return;
338 auto Now = system_clock::now();
339 if (duration_cast<seconds>(Now - LastExternalSync).count() <
342 LastExternalSync = Now;
343 ExecuteCommand(Options.SyncCommand + " " + Options.OutputCorpus);
346 } // namespace fuzzer
projects / oota-llvm.git / blob