Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromium / llvm-project / compiler-rt / lib / fuzzer / 6f1e9bc5ddbae79e1554584d58a5aa59d1762589 / . / FuzzerFork.cpp
blob: 20c9950b349037c464ba3d7c998df7d36825be7b [file] [log] [blame]
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]1//===- FuzzerFork.cpp - run fuzzing in separate subprocesses --------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]8// Spawn and orchestrate separate fuzzing processes.
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]9//===----------------------------------------------------------------------===//
10
11#include "FuzzerCommand.h"
12#include "FuzzerFork.h"
13#include "FuzzerIO.h"
14#include "FuzzerMerge.h"
15#include "FuzzerSHA1.h"
kcc9c0ed932019-02-15 01:22:00 +0000[diff] [blame]16#include "FuzzerTracePC.h"
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]17#include "FuzzerUtil.h"
18
kccb1fa9e02019-02-14 01:11:29 +0000[diff] [blame]19#include <atomic>
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]20#include <chrono>
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]21#include <fstream>
kccedefdf32019-02-16 00:14:16 +0000[diff] [blame]22#include <memory>
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]23#include <mutex>
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]24#include <queue>
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]25#include <sstream>
26#include <thread>
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]27
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]28namespace fuzzer {
29
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]30struct Stats {
31 size_t number_of_executed_units = 0;
32 size_t peak_rss_mb = 0;
33 size_t average_exec_per_sec = 0;
34};
35
36static Stats ParseFinalStatsFromLog(const std::string &LogPath) {
37 std::ifstream In(LogPath);
38 std::string Line;
39 Stats Res;
40 struct {
41 const char *Name;
42 size_t *Var;
43 } NameVarPairs[] = {
44 {"stat::number_of_executed_units:", &Res.number_of_executed_units},
45 {"stat::peak_rss_mb:", &Res.peak_rss_mb},
46 {"stat::average_exec_per_sec:", &Res.average_exec_per_sec},
47 {nullptr, nullptr},
48 };
49 while (std::getline(In, Line, '\n')) {
50 if (Line.find("stat::") != 0) continue;
51 std::istringstream ISS(Line);
52 std::string Name;
53 size_t Val;
54 ISS >> Name >> Val;
55 for (size_t i = 0; NameVarPairs[i].Name; i++)
56 if (Name == NameVarPairs[i].Name)
57 *NameVarPairs[i].Var = Val;
58 }
59 return Res;
60}
61
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]62struct FuzzJob {
63 // Inputs.
64 Command Cmd;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]65 std::string CorpusDir;
66 std::string LogPath;
67 std::string CFPath;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]68
69 // Fuzzing Outputs.
70 int ExitCode;
kccedefdf32019-02-16 00:14:16 +0000[diff] [blame]71
72 ~FuzzJob() {
73 RemoveFile(CFPath);
74 RemoveFile(LogPath);
75 RmDirRecursive(CorpusDir);
76 }
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]77};
78
79struct GlobalEnv {
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]80 Vector<std::string> Args;
81 Vector<std::string> CorpusDirs;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]82 std::string MainCorpusDir;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]83 std::string TempDir;
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]84 Set<uint32_t> Features, Cov;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]85 Vector<std::string> Files;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]86 Random *Rand;
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]87 std::chrono::system_clock::time_point ProcessStartTime;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]88 int Verbosity = 0;
89
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]90 size_t NumTimeouts = 0;
91 size_t NumOOMs = 0;
92 size_t NumCrashes = 0;
93
94
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]95 size_t NumRuns = 0;
96
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]97 size_t secondsSinceProcessStartUp() const {
98 return std::chrono::duration_cast<std::chrono::seconds>(
99 std::chrono::system_clock::now() - ProcessStartTime)
100 .count();
101 }
102
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]103 FuzzJob *CreateNewJob(size_t JobId) {
104 Command Cmd(Args);
105 Cmd.removeFlag("fork");
kcc18b370a2019-04-12 20:20:57 +0000[diff] [blame]106 Cmd.removeFlag("runs");
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]107 for (auto &C : CorpusDirs) // Remove all corpora from the args.
108 Cmd.removeArgument(C);
109 Cmd.addFlag("reload", "0"); // working in an isolated dir, no reload.
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]110 Cmd.addFlag("print_final_stats", "1");
kcc9c0ed932019-02-15 01:22:00 +0000[diff] [blame]111 Cmd.addFlag("print_funcs", "0"); // no need to spend time symbolizing.
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]112 Cmd.addFlag("max_total_time", std::to_string(std::min((size_t)300, JobId)));
113
114 auto Job = new FuzzJob;
115 std::string Seeds;
kcc9c0ed932019-02-15 01:22:00 +0000[diff] [blame]116 if (size_t CorpusSubsetSize =
117 std::min(Files.size(), (size_t)sqrt(Files.size() + 2)))
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]118 for (size_t i = 0; i < CorpusSubsetSize; i++)
119 Seeds += (Seeds.empty() ? "" : ",") +
120 Files[Rand->SkewTowardsLast(Files.size())];
121 if (!Seeds.empty())
122 Cmd.addFlag("seed_inputs", Seeds);
123 Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log");
124 Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId));
125 Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge");
126
127
128 Cmd.addArgument(Job->CorpusDir);
129 RmDirRecursive(Job->CorpusDir);
130 MkDir(Job->CorpusDir);
131
132 Cmd.setOutputFile(Job->LogPath);
133 Cmd.combineOutAndErr();
134
135 Job->Cmd = Cmd;
136
137 if (Verbosity >= 2)
138 Printf("Job %zd/%p Created: %s\n", JobId, Job,
139 Job->Cmd.toString().c_str());
140 // Start from very short runs and gradually increase them.
141 return Job;
142 }
143
144 void RunOneMergeJob(FuzzJob *Job) {
145 Vector<SizedFile> TempFiles;
146 GetSizedFilesFromDir(Job->CorpusDir, &TempFiles);
147
148 Vector<std::string> FilesToAdd;
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]149 Set<uint32_t> NewFeatures, NewCov;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]150 CrashResistantMerge(Args, {}, TempFiles, &FilesToAdd, Features,
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]151 &NewFeatures, Cov, &NewCov, Job->CFPath, false);
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]152 for (auto &Path : FilesToAdd) {
153 auto U = FileToVector(Path);
154 auto NewPath = DirPlusFile(MainCorpusDir, Hash(U));
155 WriteToFile(U, NewPath);
156 Files.push_back(NewPath);
157 }
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]158 Features.insert(NewFeatures.begin(), NewFeatures.end());
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]159 Cov.insert(NewCov.begin(), NewCov.end());
kcc9c0ed932019-02-15 01:22:00 +0000[diff] [blame]160 for (auto Idx : NewCov)
161 if (auto *TE = TPC.PCTableEntryByIdx(Idx))
162 if (TPC.PcIsFuncEntry(TE))
163 PrintPC(" NEW_FUNC: %p %F %L\n", "",
164 TPC.GetNextInstructionPc(TE->PC));
165
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]166 auto Stats = ParseFinalStatsFromLog(Job->LogPath);
167 NumRuns += Stats.number_of_executed_units;
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]168 if (!FilesToAdd.empty() || Job->ExitCode != 0)
169 Printf("#%zd: cov: %zd ft: %zd corp: %zd exec/s %zd "
170 "oom/timeout/crash: %zd/%zd/%zd time: %zds\n", NumRuns,
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]171 Cov.size(), Features.size(), Files.size(),
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]172 Stats.average_exec_per_sec,
173 NumOOMs, NumTimeouts, NumCrashes, secondsSinceProcessStartUp());
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]174 }
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]175};
176
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]177struct JobQueue {
178 std::queue<FuzzJob *> Qu;
179 std::mutex Mu;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]180
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]181 void Push(FuzzJob *Job) {
182 std::lock_guard<std::mutex> Lock(Mu);
183 Qu.push(Job);
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]184 }
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]185 FuzzJob *Pop() {
186 std::lock_guard<std::mutex> Lock(Mu);
187 if (Qu.empty()) return nullptr;
188 auto Job = Qu.front();
189 Qu.pop();
190 return Job;
191 }
192};
193
194void WorkerThread(std::atomic<bool> *Stop, JobQueue *FuzzQ, JobQueue *MergeQ) {
kccb1fa9e02019-02-14 01:11:29 +0000[diff] [blame]195 while (!Stop->load()) {
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]196 auto Job = FuzzQ->Pop();
197 // Printf("WorkerThread: job %p\n", Job);
198 if (!Job) {
199 SleepSeconds(1);
200 continue;
201 }
202 Job->ExitCode = ExecuteCommand(Job->Cmd);
203 MergeQ->Push(Job);
204 }
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]205}
206
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]207// This is just a skeleton of an experimental -fork=1 feature.
208void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
209 const Vector<std::string> &Args,
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]210 const Vector<std::string> &CorpusDirs, int NumJobs) {
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]211 Printf("INFO: -fork=%d: fuzzing in separate process(s)\n", NumJobs);
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]212
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]213 GlobalEnv Env;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]214 Env.Args = Args;
215 Env.CorpusDirs = CorpusDirs;
216 Env.Rand = &Rand;
217 Env.Verbosity = Options.Verbosity;
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]218 Env.ProcessStartTime = std::chrono::system_clock::now();
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]219
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]220 Vector<SizedFile> SeedFiles;
221 for (auto &Dir : CorpusDirs)
222 GetSizedFilesFromDir(Dir, &SeedFiles);
223 std::sort(SeedFiles.begin(), SeedFiles.end());
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]224 Env.TempDir = TempPath(".dir");
225 RmDirRecursive(Env.TempDir); // in case there is a leftover from old runs.
226 MkDir(Env.TempDir);
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]227
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]228
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]229 if (CorpusDirs.empty())
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]230 MkDir(Env.MainCorpusDir = DirPlusFile(Env.TempDir, "C"));
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]231 else
232 Env.MainCorpusDir = CorpusDirs[0];
233
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]234 auto CFPath = DirPlusFile(Env.TempDir, "merge.txt");
235 CrashResistantMerge(Env.Args, {}, SeedFiles, &Env.Files, {}, &Env.Features,
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]236 {}, &Env.Cov,
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]237 CFPath, false);
238 RemoveFile(CFPath);
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]239 Printf("INFO: -fork=%d: %zd seed inputs, starting to fuzz in %s\n", NumJobs,
240 Env.Files.size(), Env.TempDir.c_str());
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]241
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]242 int ExitCode = 0;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]243
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]244 JobQueue FuzzQ, MergeQ;
245 std::atomic<bool> Stop(false);
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]246
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]247 size_t JobId = 1;
248 Vector<std::thread> Threads;
249 for (int t = 0; t < NumJobs; t++) {
250 Threads.push_back(std::thread(WorkerThread, &Stop, &FuzzQ, &MergeQ));
251 FuzzQ.Push(Env.CreateNewJob(JobId++));
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]252 }
253
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]254 while (true) {
kccedefdf32019-02-16 00:14:16 +0000[diff] [blame]255 std::unique_ptr<FuzzJob> Job(MergeQ.Pop());
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]256 if (!Job) {
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]257 if (Stop)
258 break;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]259 SleepSeconds(1);
260 continue;
261 }
262 ExitCode = Job->ExitCode;
kccedefdf32019-02-16 00:14:16 +0000[diff] [blame]263 if (ExitCode == Options.InterruptExitCode) {
264 Printf("==%lu== libFuzzer: a child was interrupted; exiting\n", GetPid());
265 Stop = true;
266 break;
267 }
268
269 Env.RunOneMergeJob(Job.get());
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]270
271 // Continue if our crash is one of the ignorred ones.
272 if (Options.IgnoreTimeouts && ExitCode == Options.TimeoutExitCode)
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]273 Env.NumTimeouts++;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]274 else if (Options.IgnoreOOMs && ExitCode == Options.OOMExitCode)
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]275 Env.NumOOMs++;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]276 else if (ExitCode != 0) {
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]277 Env.NumCrashes++;
278 if (Options.IgnoreCrashes) {
279 std::ifstream In(Job->LogPath);
280 std::string Line;
281 while (std::getline(In, Line, '\n'))
kcc18b370a2019-04-12 20:20:57 +0000[diff] [blame]282 if (Line.find("ERROR:") != Line.npos ||
283 Line.find("runtime error:") != Line.npos)
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]284 Printf("%s\n", Line.c_str());
285 } else {
286 // And exit if we don't ignore this crash.
287 Printf("INFO: log from the inner process:\n%s",
288 FileToString(Job->LogPath).c_str());
289 Stop = true;
290 }
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]291 }
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]292
293 // Stop if we are over the time budget.
294 // This is not precise, since other threads are still running
295 // and we will wait while joining them.
296 // We also don't stop instantly: other jobs need to finish.
297 if (Options.MaxTotalTimeSec > 0 && !Stop &&
298 Env.secondsSinceProcessStartUp() >= (size_t)Options.MaxTotalTimeSec) {
299 Printf("INFO: fuzzed for %zd seconds, wrapping up soon\n",
300 Env.secondsSinceProcessStartUp());
301 Stop = true;
302 }
kcc18b370a2019-04-12 20:20:57 +0000[diff] [blame]303 if (Options.MaxNumberOfRuns >= 0 && !Stop &&
304 Env.NumRuns >= Options.MaxNumberOfRuns) {
305 Printf("INFO: fuzzed for %zd iterations, wrapping up soon\n",
306 Env.NumRuns);
307 Stop = true;
308 }
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]309
310 if (!Stop)
311 FuzzQ.Push(Env.CreateNewJob(JobId++));
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]312 }
313 Stop = true;
314
315 for (auto &T : Threads)
316 T.join();
317
metzmane847d8a2019-02-27 19:27:16 +0000[diff] [blame]318 // The workers have terminated. Don't try to remove the directory before they
319 // terminate to avoid a race condition preventing cleanup on Windows.
320 RmDirRecursive(Env.TempDir);
321
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]322 // Use the exit code from the last child process.
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]323 Printf("INFO: exiting: %d time: %zds\n", ExitCode,
324 Env.secondsSinceProcessStartUp());
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]325 exit(ExitCode);
326}
327
328} // namespace fuzzer