Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromium / llvm-project / compiler-rt / lib / fuzzer / 1ee7f41e3409073be2c82714bc0612ef449400b9 / . / FuzzerDriver.cpp
blob: 54c7ff0795857ab676d09206b03c243b3817e639 [file] [log] [blame]
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]1//===- FuzzerDriver.cpp - FuzzerDriver function and flags -----------------===//
2//
chandlerc40284492019-01-19 08:50:56 +0000[diff] [blame]3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]6//
7//===----------------------------------------------------------------------===//
8// FuzzerDriver and flag parsing.
9//===----------------------------------------------------------------------===//
10
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]11#include "FuzzerCommand.h"
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]12#include "FuzzerCorpus.h"
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]13#include "FuzzerFork.h"
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]14#include "FuzzerIO.h"
15#include "FuzzerInterface.h"
16#include "FuzzerInternal.h"
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]17#include "FuzzerMerge.h"
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]18#include "FuzzerMutate.h"
19#include "FuzzerRandom.h"
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]20#include "FuzzerTracePC.h"
21#include <algorithm>
22#include <atomic>
23#include <chrono>
24#include <cstdlib>
25#include <cstring>
26#include <mutex>
27#include <string>
28#include <thread>
kcca3815862019-02-08 21:27:23 +0000[diff] [blame]29#include <fstream>
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]30
31// This function should be present in the libFuzzer so that the client
32// binary can test for its existence.
metzman2fe66e62019-01-17 16:36:05 +0000[diff] [blame]33#if LIBFUZZER_MSVC
34extern "C" void __libfuzzer_is_present() {}
35#pragma comment(linker, "/include:__libfuzzer_is_present")
36#else
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]37extern "C" __attribute__((used)) void __libfuzzer_is_present() {}
metzman2fe66e62019-01-17 16:36:05 +0000[diff] [blame]38#endif // LIBFUZZER_MSVC
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]39
40namespace fuzzer {
41
42// Program arguments.
43struct FlagDescription {
44 const char *Name;
45 const char *Description;
46 int Default;
47 int *IntFlag;
48 const char **StrFlag;
49 unsigned int *UIntFlag;
50};
51
52struct {
53#define FUZZER_DEPRECATED_FLAG(Name)
54#define FUZZER_FLAG_INT(Name, Default, Description) int Name;
55#define FUZZER_FLAG_UNSIGNED(Name, Default, Description) unsigned int Name;
56#define FUZZER_FLAG_STRING(Name, Description) const char *Name;
57#include "FuzzerFlags.def"
58#undef FUZZER_DEPRECATED_FLAG
59#undef FUZZER_FLAG_INT
60#undef FUZZER_FLAG_UNSIGNED
61#undef FUZZER_FLAG_STRING
62} Flags;
63
64static const FlagDescription FlagDescriptions [] {
65#define FUZZER_DEPRECATED_FLAG(Name) \
66 {#Name, "Deprecated; don't use", 0, nullptr, nullptr, nullptr},
67#define FUZZER_FLAG_INT(Name, Default, Description) \
68 {#Name, Description, Default, &Flags.Name, nullptr, nullptr},
69#define FUZZER_FLAG_UNSIGNED(Name, Default, Description) \
70 {#Name, Description, static_cast<int>(Default), \
71 nullptr, nullptr, &Flags.Name},
72#define FUZZER_FLAG_STRING(Name, Description) \
73 {#Name, Description, 0, nullptr, &Flags.Name, nullptr},
74#include "FuzzerFlags.def"
75#undef FUZZER_DEPRECATED_FLAG
76#undef FUZZER_FLAG_INT
77#undef FUZZER_FLAG_UNSIGNED
78#undef FUZZER_FLAG_STRING
79};
80
81static const size_t kNumFlags =
82 sizeof(FlagDescriptions) / sizeof(FlagDescriptions[0]);
83
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]84static Vector<std::string> *Inputs;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]85static std::string *ProgName;
86
87static void PrintHelp() {
88 Printf("Usage:\n");
89 auto Prog = ProgName->c_str();
90 Printf("\nTo run fuzzing pass 0 or more directories.\n");
91 Printf("%s [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]\n", Prog);
92
93 Printf("\nTo run individual tests without fuzzing pass 1 or more files:\n");
94 Printf("%s [-flag1=val1 [-flag2=val2 ...] ] file1 [file2 ...]\n", Prog);
95
96 Printf("\nFlags: (strictly in form -flag=value)\n");
97 size_t MaxFlagLen = 0;
98 for (size_t F = 0; F < kNumFlags; F++)
99 MaxFlagLen = std::max(strlen(FlagDescriptions[F].Name), MaxFlagLen);
100
101 for (size_t F = 0; F < kNumFlags; F++) {
102 const auto &D = FlagDescriptions[F];
103 if (strstr(D.Description, "internal flag") == D.Description) continue;
104 Printf(" %s", D.Name);
105 for (size_t i = 0, n = MaxFlagLen - strlen(D.Name); i < n; i++)
106 Printf(" ");
107 Printf("\t");
108 Printf("%d\t%s\n", D.Default, D.Description);
109 }
110 Printf("\nFlags starting with '--' will be ignored and "
dor1se6729cb2018-07-16 15:15:34 +0000[diff] [blame]111 "will be passed verbatim to subprocesses.\n");
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]112}
113
114static const char *FlagValue(const char *Param, const char *Name) {
115 size_t Len = strlen(Name);
116 if (Param[0] == '-' && strstr(Param + 1, Name) == Param + 1 &&
117 Param[Len + 1] == '=')
dor1se6729cb2018-07-16 15:15:34 +0000[diff] [blame]118 return &Param[Len + 2];
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]119 return nullptr;
120}
121
122// Avoid calling stol as it triggers a bug in clang/glibc build.
123static long MyStol(const char *Str) {
124 long Res = 0;
125 long Sign = 1;
126 if (*Str == '-') {
127 Str++;
128 Sign = -1;
129 }
130 for (size_t i = 0; Str[i]; i++) {
131 char Ch = Str[i];
132 if (Ch < '0' || Ch > '9')
133 return Res;
134 Res = Res * 10 + (Ch - '0');
135 }
136 return Res * Sign;
137}
138
139static bool ParseOneFlag(const char *Param) {
140 if (Param[0] != '-') return false;
141 if (Param[1] == '-') {
142 static bool PrintedWarning = false;
143 if (!PrintedWarning) {
144 PrintedWarning = true;
145 Printf("INFO: libFuzzer ignores flags that start with '--'\n");
146 }
147 for (size_t F = 0; F < kNumFlags; F++)
148 if (FlagValue(Param + 1, FlagDescriptions[F].Name))
149 Printf("WARNING: did you mean '%s' (single dash)?\n", Param + 1);
150 return true;
151 }
152 for (size_t F = 0; F < kNumFlags; F++) {
153 const char *Name = FlagDescriptions[F].Name;
154 const char *Str = FlagValue(Param, Name);
155 if (Str) {
156 if (FlagDescriptions[F].IntFlag) {
157 int Val = MyStol(Str);
158 *FlagDescriptions[F].IntFlag = Val;
159 if (Flags.verbosity >= 2)
160 Printf("Flag: %s %d\n", Name, Val);
161 return true;
162 } else if (FlagDescriptions[F].UIntFlag) {
163 unsigned int Val = std::stoul(Str);
164 *FlagDescriptions[F].UIntFlag = Val;
165 if (Flags.verbosity >= 2)
166 Printf("Flag: %s %u\n", Name, Val);
167 return true;
168 } else if (FlagDescriptions[F].StrFlag) {
169 *FlagDescriptions[F].StrFlag = Str;
170 if (Flags.verbosity >= 2)
171 Printf("Flag: %s %s\n", Name, Str);
172 return true;
173 } else { // Deprecated flag.
174 Printf("Flag: %s: deprecated, don't use\n", Name);
175 return true;
176 }
177 }
178 }
179 Printf("\n\nWARNING: unrecognized flag '%s'; "
180 "use -help=1 to list all flags\n\n", Param);
181 return true;
182}
183
184// We don't use any library to minimize dependencies.
dor1se7579d62019-06-14 19:34:11 +0000[diff] [blame]185static void ParseFlags(const Vector<std::string> &Args,
186 const ExternalFunctions *EF) {
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]187 for (size_t F = 0; F < kNumFlags; F++) {
188 if (FlagDescriptions[F].IntFlag)
189 *FlagDescriptions[F].IntFlag = FlagDescriptions[F].Default;
190 if (FlagDescriptions[F].UIntFlag)
191 *FlagDescriptions[F].UIntFlag =
192 static_cast<unsigned int>(FlagDescriptions[F].Default);
193 if (FlagDescriptions[F].StrFlag)
194 *FlagDescriptions[F].StrFlag = nullptr;
195 }
dor1se7579d62019-06-14 19:34:11 +0000[diff] [blame]196
197 // Disable len_control by default, if LLVMFuzzerCustomMutator is used.
198 if (EF->LLVMFuzzerCustomMutator)
199 Flags.len_control = 0;
200
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]201 Inputs = new Vector<std::string>;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]202 for (size_t A = 1; A < Args.size(); A++) {
203 if (ParseOneFlag(Args[A].c_str())) {
204 if (Flags.ignore_remaining_args)
205 break;
206 continue;
207 }
208 Inputs->push_back(Args[A]);
209 }
210}
211
212static std::mutex Mu;
213
214static void PulseThread() {
215 while (true) {
216 SleepSeconds(600);
217 std::lock_guard<std::mutex> Lock(Mu);
218 Printf("pulse...\n");
219 }
220}
221
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]222static void WorkerThread(const Command &BaseCmd, std::atomic<unsigned> *Counter,
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]223 unsigned NumJobs, std::atomic<bool> *HasErrors) {
224 while (true) {
225 unsigned C = (*Counter)++;
226 if (C >= NumJobs) break;
227 std::string Log = "fuzz-" + std::to_string(C) + ".log";
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]228 Command Cmd(BaseCmd);
229 Cmd.setOutputFile(Log);
230 Cmd.combineOutAndErr();
231 if (Flags.verbosity) {
232 std::string CommandLine = Cmd.toString();
kccf5628b32017-12-06 22:12:24 +0000[diff] [blame]233 Printf("%s\n", CommandLine.c_str());
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]234 }
235 int ExitCode = ExecuteCommand(Cmd);
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]236 if (ExitCode != 0)
237 *HasErrors = true;
238 std::lock_guard<std::mutex> Lock(Mu);
239 Printf("================== Job %u exited with exit code %d ============\n",
240 C, ExitCode);
241 fuzzer::CopyFileToErr(Log);
242 }
243}
244
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]245std::string CloneArgsWithoutX(const Vector<std::string> &Args,
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]246 const char *X1, const char *X2) {
247 std::string Cmd;
248 for (auto &S : Args) {
249 if (FlagValue(S.c_str(), X1) || FlagValue(S.c_str(), X2))
250 continue;
251 Cmd += S + " ";
252 }
253 return Cmd;
254}
255
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]256static int RunInMultipleProcesses(const Vector<std::string> &Args,
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]257 unsigned NumWorkers, unsigned NumJobs) {
258 std::atomic<unsigned> Counter(0);
259 std::atomic<bool> HasErrors(false);
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]260 Command Cmd(Args);
261 Cmd.removeFlag("jobs");
262 Cmd.removeFlag("workers");
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]263 Vector<std::thread> V;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]264 std::thread Pulse(PulseThread);
265 Pulse.detach();
266 for (unsigned i = 0; i < NumWorkers; i++)
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]267 V.push_back(std::thread(WorkerThread, std::ref(Cmd), &Counter, NumJobs, &HasErrors));
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]268 for (auto &T : V)
269 T.join();
270 return HasErrors ? 1 : 0;
271}
272
273static void RssThread(Fuzzer *F, size_t RssLimitMb) {
274 while (true) {
275 SleepSeconds(1);
276 size_t Peak = GetPeakRSSMb();
277 if (Peak > RssLimitMb)
278 F->RssLimitCallback();
279 }
280}
281
282static void StartRssThread(Fuzzer *F, size_t RssLimitMb) {
283 if (!RssLimitMb) return;
284 std::thread T(RssThread, F, RssLimitMb);
285 T.detach();
286}
287
288int RunOneTest(Fuzzer *F, const char *InputFilePath, size_t MaxLen) {
289 Unit U = FileToVector(InputFilePath);
290 if (MaxLen && MaxLen < U.size())
291 U.resize(MaxLen);
292 F->ExecuteCallback(U.data(), U.size());
293 F->TryDetectingAMemoryLeak(U.data(), U.size(), true);
294 return 0;
295}
296
297static bool AllInputsAreFiles() {
298 if (Inputs->empty()) return false;
299 for (auto &Path : *Inputs)
300 if (!IsFile(Path))
301 return false;
302 return true;
303}
304
305static std::string GetDedupTokenFromFile(const std::string &Path) {
306 auto S = FileToString(Path);
307 auto Beg = S.find("DEDUP_TOKEN:");
308 if (Beg == std::string::npos)
309 return "";
310 auto End = S.find('\n', Beg);
311 if (End == std::string::npos)
312 return "";
313 return S.substr(Beg, End - Beg);
314}
315
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]316int CleanseCrashInput(const Vector<std::string> &Args,
dor1se6729cb2018-07-16 15:15:34 +0000[diff] [blame]317 const FuzzingOptions &Options) {
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]318 if (Inputs->size() != 1 || !Flags.exact_artifact_path) {
319 Printf("ERROR: -cleanse_crash should be given one input file and"
dor1se6729cb2018-07-16 15:15:34 +0000[diff] [blame]320 " -exact_artifact_path\n");
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]321 exit(1);
322 }
323 std::string InputFilePath = Inputs->at(0);
324 std::string OutputFilePath = Flags.exact_artifact_path;
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]325 Command Cmd(Args);
326 Cmd.removeFlag("cleanse_crash");
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]327
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]328 assert(Cmd.hasArgument(InputFilePath));
329 Cmd.removeArgument(InputFilePath);
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]330
kcca3815862019-02-08 21:27:23 +0000[diff] [blame]331 auto LogFilePath = TempPath(".txt");
332 auto TmpFilePath = TempPath(".repro");
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]333 Cmd.addArgument(TmpFilePath);
334 Cmd.setOutputFile(LogFilePath);
335 Cmd.combineOutAndErr();
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]336
337 std::string CurrentFilePath = InputFilePath;
338 auto U = FileToVector(CurrentFilePath);
339 size_t Size = U.size();
340
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]341 const Vector<uint8_t> ReplacementBytes = {' ', 0xff};
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]342 for (int NumAttempts = 0; NumAttempts < 5; NumAttempts++) {
343 bool Changed = false;
344 for (size_t Idx = 0; Idx < Size; Idx++) {
345 Printf("CLEANSE[%d]: Trying to replace byte %zd of %zd\n", NumAttempts,
346 Idx, Size);
347 uint8_t OriginalByte = U[Idx];
348 if (ReplacementBytes.end() != std::find(ReplacementBytes.begin(),
349 ReplacementBytes.end(),
350 OriginalByte))
351 continue;
352 for (auto NewByte : ReplacementBytes) {
353 U[Idx] = NewByte;
354 WriteToFile(U, TmpFilePath);
355 auto ExitCode = ExecuteCommand(Cmd);
356 RemoveFile(TmpFilePath);
357 if (!ExitCode) {
358 U[Idx] = OriginalByte;
359 } else {
360 Changed = true;
361 Printf("CLEANSE: Replaced byte %zd with 0x%x\n", Idx, NewByte);
362 WriteToFile(U, OutputFilePath);
363 break;
364 }
365 }
366 }
367 if (!Changed) break;
368 }
369 RemoveFile(LogFilePath);
370 return 0;
371}
372
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]373int MinimizeCrashInput(const Vector<std::string> &Args,
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]374 const FuzzingOptions &Options) {
375 if (Inputs->size() != 1) {
376 Printf("ERROR: -minimize_crash should be given one input file\n");
377 exit(1);
378 }
379 std::string InputFilePath = Inputs->at(0);
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]380 Command BaseCmd(Args);
381 BaseCmd.removeFlag("minimize_crash");
382 BaseCmd.removeFlag("exact_artifact_path");
383 assert(BaseCmd.hasArgument(InputFilePath));
384 BaseCmd.removeArgument(InputFilePath);
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]385 if (Flags.runs <= 0 && Flags.max_total_time == 0) {
386 Printf("INFO: you need to specify -runs=N or "
387 "-max_total_time=N with -minimize_crash=1\n"
388 "INFO: defaulting to -max_total_time=600\n");
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]389 BaseCmd.addFlag("max_total_time", "600");
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]390 }
391
kcca3815862019-02-08 21:27:23 +0000[diff] [blame]392 auto LogFilePath = TempPath(".txt");
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]393 BaseCmd.setOutputFile(LogFilePath);
394 BaseCmd.combineOutAndErr();
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]395
396 std::string CurrentFilePath = InputFilePath;
397 while (true) {
398 Unit U = FileToVector(CurrentFilePath);
399 Printf("CRASH_MIN: minimizing crash input: '%s' (%zd bytes)\n",
400 CurrentFilePath.c_str(), U.size());
401
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]402 Command Cmd(BaseCmd);
403 Cmd.addArgument(CurrentFilePath);
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]404
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]405 std::string CommandLine = Cmd.toString();
406 Printf("CRASH_MIN: executing: %s\n", CommandLine.c_str());
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]407 int ExitCode = ExecuteCommand(Cmd);
408 if (ExitCode == 0) {
409 Printf("ERROR: the input %s did not crash\n", CurrentFilePath.c_str());
410 exit(1);
411 }
412 Printf("CRASH_MIN: '%s' (%zd bytes) caused a crash. Will try to minimize "
413 "it further\n",
414 CurrentFilePath.c_str(), U.size());
415 auto DedupToken1 = GetDedupTokenFromFile(LogFilePath);
416 if (!DedupToken1.empty())
417 Printf("CRASH_MIN: DedupToken1: %s\n", DedupToken1.c_str());
418
419 std::string ArtifactPath =
420 Flags.exact_artifact_path
421 ? Flags.exact_artifact_path
422 : Options.ArtifactPrefix + "minimized-from-" + Hash(U);
morehousea80f6452017-12-04 19:25:59 +0000[diff] [blame]423 Cmd.addFlag("minimize_crash_internal_step", "1");
424 Cmd.addFlag("exact_artifact_path", ArtifactPath);
425 CommandLine = Cmd.toString();
426 Printf("CRASH_MIN: executing: %s\n", CommandLine.c_str());
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]427 ExitCode = ExecuteCommand(Cmd);
428 CopyFileToErr(LogFilePath);
429 if (ExitCode == 0) {
430 if (Flags.exact_artifact_path) {
431 CurrentFilePath = Flags.exact_artifact_path;
432 WriteToFile(U, CurrentFilePath);
433 }
434 Printf("CRASH_MIN: failed to minimize beyond %s (%d bytes), exiting\n",
435 CurrentFilePath.c_str(), U.size());
436 break;
437 }
438 auto DedupToken2 = GetDedupTokenFromFile(LogFilePath);
439 if (!DedupToken2.empty())
440 Printf("CRASH_MIN: DedupToken2: %s\n", DedupToken2.c_str());
441
442 if (DedupToken1 != DedupToken2) {
443 if (Flags.exact_artifact_path) {
444 CurrentFilePath = Flags.exact_artifact_path;
445 WriteToFile(U, CurrentFilePath);
446 }
447 Printf("CRASH_MIN: mismatch in dedup tokens"
448 " (looks like a different bug). Won't minimize further\n");
449 break;
450 }
451
452 CurrentFilePath = ArtifactPath;
453 Printf("*********************************\n");
454 }
455 RemoveFile(LogFilePath);
456 return 0;
457}
458
459int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) {
460 assert(Inputs->size() == 1);
461 std::string InputFilePath = Inputs->at(0);
462 Unit U = FileToVector(InputFilePath);
463 Printf("INFO: Starting MinimizeCrashInputInternalStep: %zd\n", U.size());
464 if (U.size() < 2) {
465 Printf("INFO: The input is small enough, exiting\n");
466 exit(0);
467 }
468 F->SetMaxInputLen(U.size());
469 F->SetMaxMutationLen(U.size() - 1);
470 F->MinimizeCrashLoop(U);
471 Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n");
472 exit(0);
473 return 0;
474}
475
kccd1449be2019-02-08 22:59:03 +0000[diff] [blame]476void Merge(Fuzzer *F, FuzzingOptions &Options, const Vector<std::string> &Args,
477 const Vector<std::string> &Corpora, const char *CFPathOrNull) {
478 if (Corpora.size() < 2) {
479 Printf("INFO: Merge requires two or more corpus dirs\n");
480 exit(0);
481 }
482
483 Vector<SizedFile> OldCorpus, NewCorpus;
484 GetSizedFilesFromDir(Corpora[0], &OldCorpus);
485 for (size_t i = 1; i < Corpora.size(); i++)
486 GetSizedFilesFromDir(Corpora[i], &NewCorpus);
487 std::sort(OldCorpus.begin(), OldCorpus.end());
488 std::sort(NewCorpus.begin(), NewCorpus.end());
489
490 std::string CFPath = CFPathOrNull ? CFPathOrNull : TempPath(".txt");
kcc4b5aa122019-02-09 00:16:21 +0000[diff] [blame]491 Vector<std::string> NewFiles;
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]492 Set<uint32_t> NewFeatures, NewCov;
kcc4b5aa122019-02-09 00:16:21 +0000[diff] [blame]493 CrashResistantMerge(Args, OldCorpus, NewCorpus, &NewFiles, {}, &NewFeatures,
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]494 {}, &NewCov, CFPath, true);
kcc4b5aa122019-02-09 00:16:21 +0000[diff] [blame]495 for (auto &Path : NewFiles)
kccd1449be2019-02-08 22:59:03 +0000[diff] [blame]496 F->WriteToOutputCorpus(FileToVector(Path, Options.MaxLen));
497 // We are done, delete the control file if it was a temporary one.
498 if (!Flags.merge_control_file)
499 RemoveFile(CFPath);
500
501 exit(0);
502}
503
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]504int AnalyzeDictionary(Fuzzer *F, const Vector<Unit>& Dict,
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]505 UnitVector& Corpus) {
506 Printf("Started dictionary minimization (up to %d tests)\n",
507 Dict.size() * Corpus.size() * 2);
508
509 // Scores and usage count for each dictionary unit.
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]510 Vector<int> Scores(Dict.size());
511 Vector<int> Usages(Dict.size());
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]512
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]513 Vector<size_t> InitialFeatures;
514 Vector<size_t> ModifiedFeatures;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]515 for (auto &C : Corpus) {
516 // Get coverage for the testcase without modifications.
517 F->ExecuteCallback(C.data(), C.size());
518 InitialFeatures.clear();
kccc924e382017-09-15 22:10:36 +0000[diff] [blame]519 TPC.CollectFeatures([&](size_t Feature) {
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]520 InitialFeatures.push_back(Feature);
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]521 });
522
523 for (size_t i = 0; i < Dict.size(); ++i) {
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]524 Vector<uint8_t> Data = C;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]525 auto StartPos = std::search(Data.begin(), Data.end(),
526 Dict[i].begin(), Dict[i].end());
527 // Skip dictionary unit, if the testcase does not contain it.
528 if (StartPos == Data.end())
529 continue;
530
531 ++Usages[i];
532 while (StartPos != Data.end()) {
533 // Replace all occurrences of dictionary unit in the testcase.
534 auto EndPos = StartPos + Dict[i].size();
535 for (auto It = StartPos; It != EndPos; ++It)
536 *It ^= 0xFF;
537
538 StartPos = std::search(EndPos, Data.end(),
539 Dict[i].begin(), Dict[i].end());
540 }
541
542 // Get coverage for testcase with masked occurrences of dictionary unit.
543 F->ExecuteCallback(Data.data(), Data.size());
544 ModifiedFeatures.clear();
kccc924e382017-09-15 22:10:36 +0000[diff] [blame]545 TPC.CollectFeatures([&](size_t Feature) {
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]546 ModifiedFeatures.push_back(Feature);
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]547 });
548
549 if (InitialFeatures == ModifiedFeatures)
550 --Scores[i];
551 else
552 Scores[i] += 2;
553 }
554 }
555
556 Printf("###### Useless dictionary elements. ######\n");
557 for (size_t i = 0; i < Dict.size(); ++i) {
558 // Dictionary units with positive score are treated as useful ones.
559 if (Scores[i] > 0)
dor1se6729cb2018-07-16 15:15:34 +0000[diff] [blame]560 continue;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]561
562 Printf("\"");
563 PrintASCII(Dict[i].data(), Dict[i].size(), "\"");
564 Printf(" # Score: %d, Used: %d\n", Scores[i], Usages[i]);
565 }
566 Printf("###### End of useless dictionary elements. ######\n");
567 return 0;
568}
569
kcc908220a2019-05-10 00:59:32 +0000[diff] [blame]570Vector<std::string> ParseSeedInuts(const char *seed_inputs) {
571 // Parse -seed_inputs=file1,file2,... or -seed_inputs=@seed_inputs_file
572 Vector<std::string> Files;
573 if (!seed_inputs) return Files;
574 std::string SeedInputs;
575 if (Flags.seed_inputs[0] == '@')
576 SeedInputs = FileToString(Flags.seed_inputs + 1); // File contains list.
577 else
578 SeedInputs = Flags.seed_inputs; // seed_inputs contains the list.
579 if (SeedInputs.empty()) {
580 Printf("seed_inputs is empty or @file does not exist.\n");
581 exit(1);
582 }
583 // Parse SeedInputs.
584 size_t comma_pos = 0;
585 while ((comma_pos = SeedInputs.find_last_of(',')) != std::string::npos) {
586 Files.push_back(SeedInputs.substr(comma_pos + 1));
587 SeedInputs = SeedInputs.substr(0, comma_pos);
588 }
589 Files.push_back(SeedInputs);
590 return Files;
591}
592
kcc11883b22019-05-10 01:34:26 +0000[diff] [blame]593static Vector<SizedFile> ReadCorpora(const Vector<std::string> &CorpusDirs,
594 const Vector<std::string> &ExtraSeedFiles) {
595 Vector<SizedFile> SizedFiles;
596 size_t LastNumFiles = 0;
597 for (auto &Dir : CorpusDirs) {
598 GetSizedFilesFromDir(Dir, &SizedFiles);
599 Printf("INFO: % 8zd files found in %s\n", SizedFiles.size() - LastNumFiles,
600 Dir.c_str());
601 LastNumFiles = SizedFiles.size();
602 }
603 for (auto &File : ExtraSeedFiles)
604 if (auto Size = FileSize(File))
605 SizedFiles.push_back({File, Size});
606 return SizedFiles;
607}
608
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]609int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
610 using namespace fuzzer;
611 assert(argc && argv && "Argument pointers cannot be nullptr");
612 std::string Argv0((*argv)[0]);
613 EF = new ExternalFunctions();
614 if (EF->LLVMFuzzerInitialize)
615 EF->LLVMFuzzerInitialize(argc, argv);
morehouse1467b792018-07-09 23:51:08 +0000[diff] [blame]616 if (EF->__msan_scoped_disable_interceptor_checks)
617 EF->__msan_scoped_disable_interceptor_checks();
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]618 const Vector<std::string> Args(*argv, *argv + *argc);
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]619 assert(!Args.empty());
620 ProgName = new std::string(Args[0]);
621 if (Argv0 != *ProgName) {
622 Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n");
623 exit(1);
624 }
dor1se7579d62019-06-14 19:34:11 +0000[diff] [blame]625 ParseFlags(Args, EF);
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]626 if (Flags.help) {
627 PrintHelp();
628 return 0;
629 }
630
631 if (Flags.close_fd_mask & 2)
632 DupAndCloseStderr();
633 if (Flags.close_fd_mask & 1)
634 CloseStdout();
635
636 if (Flags.jobs > 0 && Flags.workers == 0) {
637 Flags.workers = std::min(NumberOfCpuCores() / 2, Flags.jobs);
638 if (Flags.workers > 1)
639 Printf("Running %u workers\n", Flags.workers);
640 }
641
642 if (Flags.workers > 0 && Flags.jobs > 0)
643 return RunInMultipleProcesses(Args, Flags.workers, Flags.jobs);
644
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]645 FuzzingOptions Options;
646 Options.Verbosity = Flags.verbosity;
647 Options.MaxLen = Flags.max_len;
morehouse8c42ada2018-02-13 20:52:15 +0000[diff] [blame]648 Options.LenControl = Flags.len_control;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]649 Options.UnitTimeoutSec = Flags.timeout;
650 Options.ErrorExitCode = Flags.error_exitcode;
651 Options.TimeoutExitCode = Flags.timeout_exitcode;
kcca7b741c2019-02-12 02:18:53 +0000[diff] [blame]652 Options.IgnoreTimeouts = Flags.ignore_timeouts;
653 Options.IgnoreOOMs = Flags.ignore_ooms;
kcc55e54ed2019-02-15 21:51:15 +0000[diff] [blame]654 Options.IgnoreCrashes = Flags.ignore_crashes;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]655 Options.MaxTotalTimeSec = Flags.max_total_time;
656 Options.DoCrossOver = Flags.cross_over;
657 Options.MutateDepth = Flags.mutate_depth;
kccb6836be2017-12-01 19:18:38 +0000[diff] [blame]658 Options.ReduceDepth = Flags.reduce_depth;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]659 Options.UseCounters = Flags.use_counters;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]660 Options.UseMemmem = Flags.use_memmem;
661 Options.UseCmp = Flags.use_cmp;
662 Options.UseValueProfile = Flags.use_value_profile;
663 Options.Shrink = Flags.shrink;
664 Options.ReduceInputs = Flags.reduce_inputs;
665 Options.ShuffleAtStartUp = Flags.shuffle;
666 Options.PreferSmall = Flags.prefer_small;
667 Options.ReloadIntervalSec = Flags.reload;
668 Options.OnlyASCII = Flags.only_ascii;
669 Options.DetectLeaks = Flags.detect_leaks;
alekseyshld995b552017-10-23 22:04:30 +0000[diff] [blame]670 Options.PurgeAllocatorIntervalSec = Flags.purge_allocator_interval;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]671 Options.TraceMalloc = Flags.trace_malloc;
672 Options.RssLimitMb = Flags.rss_limit_mb;
kcc120e40b2017-12-01 22:12:04 +0000[diff] [blame]673 Options.MallocLimitMb = Flags.malloc_limit_mb;
674 if (!Options.MallocLimitMb)
675 Options.MallocLimitMb = Options.RssLimitMb;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]676 if (Flags.runs >= 0)
677 Options.MaxNumberOfRuns = Flags.runs;
678 if (!Inputs->empty() && !Flags.minimize_crash_internal_step)
679 Options.OutputCorpus = (*Inputs)[0];
680 Options.ReportSlowUnits = Flags.report_slow_units;
681 if (Flags.artifact_prefix)
682 Options.ArtifactPrefix = Flags.artifact_prefix;
683 if (Flags.exact_artifact_path)
684 Options.ExactArtifactPath = Flags.exact_artifact_path;
george.karpenkovfbfa45c2017-08-27 23:20:09 +0000[diff] [blame]685 Vector<Unit> Dictionary;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]686 if (Flags.dict)
687 if (!ParseDictionaryFile(FileToString(Flags.dict), &Dictionary))
688 return 1;
689 if (Flags.verbosity > 0 && !Dictionary.empty())
690 Printf("Dictionary: %zd entries\n", Dictionary.size());
kcc11883b22019-05-10 01:34:26 +0000[diff] [blame]691 bool RunIndividualFiles = AllInputsAreFiles();
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]692 Options.SaveArtifacts =
kcc11883b22019-05-10 01:34:26 +0000[diff] [blame]693 !RunIndividualFiles || Flags.minimize_crash_internal_step;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]694 Options.PrintNewCovPcs = Flags.print_pcs;
kcc00da6482017-08-25 20:09:25 +0000[diff] [blame]695 Options.PrintNewCovFuncs = Flags.print_funcs;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]696 Options.PrintFinalStats = Flags.print_final_stats;
697 Options.PrintCorpusStats = Flags.print_corpus_stats;
698 Options.PrintCoverage = Flags.print_coverage;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]699 if (Flags.exit_on_src_pos)
700 Options.ExitOnSrcPos = Flags.exit_on_src_pos;
701 if (Flags.exit_on_item)
702 Options.ExitOnItem = Flags.exit_on_item;
kcc3acbe072018-05-16 23:26:37 +0000[diff] [blame]703 if (Flags.focus_function)
704 Options.FocusFunction = Flags.focus_function;
kcc86e43882018-06-06 01:23:29 +0000[diff] [blame]705 if (Flags.data_flow_trace)
706 Options.DataFlowTrace = Flags.data_flow_trace;
kcc6f1e9bc2019-04-13 00:20:31 +0000[diff] [blame]707 if (Flags.features_dir)
708 Options.FeaturesDir = Flags.features_dir;
kccd701d9e2019-05-23 00:22:46 +0000[diff] [blame]709 if (Flags.collect_data_flow)
710 Options.CollectDataFlow = Flags.collect_data_flow;
kccc0a0b1f2019-01-31 01:40:14 +0000[diff] [blame]711 Options.LazyCounters = Flags.lazy_counters;
kcc1ee7f412019-06-14 22:56:50 +0000[diff] [blame^]712 if (Flags.stop_file)
713 Options.StopFile = Flags.stop_file;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]714
715 unsigned Seed = Flags.seed;
716 // Initialize Seed.
717 if (Seed == 0)
718 Seed =
719 std::chrono::system_clock::now().time_since_epoch().count() + GetPid();
720 if (Flags.verbosity)
721 Printf("INFO: Seed: %u\n", Seed);
722
kccd701d9e2019-05-23 00:22:46 +0000[diff] [blame]723 if (Flags.collect_data_flow && !Flags.fork && !Flags.merge) {
kcc11883b22019-05-10 01:34:26 +0000[diff] [blame]724 if (RunIndividualFiles)
725 return CollectDataFlow(Flags.collect_data_flow, Flags.data_flow_trace,
726 ReadCorpora({}, *Inputs));
727 else
728 return CollectDataFlow(Flags.collect_data_flow, Flags.data_flow_trace,
729 ReadCorpora(*Inputs, {}));
730 }
kcc908220a2019-05-10 00:59:32 +0000[diff] [blame]731
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]732 Random Rand(Seed);
733 auto *MD = new MutationDispatcher(Rand, Options);
734 auto *Corpus = new InputCorpus(Options.OutputCorpus);
735 auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);
736
737 for (auto &U: Dictionary)
738 if (U.size() <= Word::GetMaxSize())
739 MD->AddWordToManualDictionary(Word(U.data(), U.size()));
740
741 StartRssThread(F, Flags.rss_limit_mb);
742
743 Options.HandleAbrt = Flags.handle_abrt;
744 Options.HandleBus = Flags.handle_bus;
745 Options.HandleFpe = Flags.handle_fpe;
746 Options.HandleIll = Flags.handle_ill;
747 Options.HandleInt = Flags.handle_int;
748 Options.HandleSegv = Flags.handle_segv;
749 Options.HandleTerm = Flags.handle_term;
750 Options.HandleXfsz = Flags.handle_xfsz;
kcc1239a992017-11-09 20:30:19 +0000[diff] [blame]751 Options.HandleUsr1 = Flags.handle_usr1;
752 Options.HandleUsr2 = Flags.handle_usr2;
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]753 SetSignalHandler(Options);
754
755 std::atexit(Fuzzer::StaticExitCallback);
756
757 if (Flags.minimize_crash)
758 return MinimizeCrashInput(Args, Options);
759
760 if (Flags.minimize_crash_internal_step)
761 return MinimizeCrashInputInternalStep(F, Corpus);
762
763 if (Flags.cleanse_crash)
764 return CleanseCrashInput(Args, Options);
765
kcc11883b22019-05-10 01:34:26 +0000[diff] [blame]766 if (RunIndividualFiles) {
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]767 Options.SaveArtifacts = false;
768 int Runs = std::max(1, Flags.runs);
769 Printf("%s: Running %zd inputs %d time(s) each.\n", ProgName->c_str(),
770 Inputs->size(), Runs);
771 for (auto &Path : *Inputs) {
772 auto StartTime = system_clock::now();
773 Printf("Running: %s\n", Path.c_str());
774 for (int Iter = 0; Iter < Runs; Iter++)
775 RunOneTest(F, Path.c_str(), Options.MaxLen);
776 auto StopTime = system_clock::now();
777 auto MS = duration_cast<milliseconds>(StopTime - StartTime).count();
778 Printf("Executed %s in %zd ms\n", Path.c_str(), (long)MS);
779 }
780 Printf("***\n"
781 "*** NOTE: fuzzing was not performed, you have only\n"
782 "*** executed the target code on a fixed set of inputs.\n"
783 "***\n");
784 F->PrintFinalStats();
785 exit(0);
786 }
787
kcca3815862019-02-08 21:27:23 +0000[diff] [blame]788 if (Flags.fork)
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]789 FuzzWithFork(F->GetMD().GetRand(), Options, Args, *Inputs, Flags.fork);
kcca3815862019-02-08 21:27:23 +0000[diff] [blame]790
kccd1449be2019-02-08 22:59:03 +0000[diff] [blame]791 if (Flags.merge)
792 Merge(F, Options, Args, *Inputs, Flags.merge_control_file);
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]793
kccc51afd72017-11-09 01:05:29 +0000[diff] [blame]794 if (Flags.merge_inner) {
795 const size_t kDefaultMaxMergeLen = 1 << 20;
796 if (Options.MaxLen == 0)
797 F->SetMaxInputLen(kDefaultMaxMergeLen);
798 assert(Flags.merge_control_file);
799 F->CrashResistantMergeInternalStep(Flags.merge_control_file);
800 exit(0);
801 }
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]802
803 if (Flags.analyze_dict) {
kcc2e93b3f2017-08-29 02:05:01 +0000[diff] [blame]804 size_t MaxLen = INT_MAX; // Large max length.
805 UnitVector InitialCorpus;
806 for (auto &Inp : *Inputs) {
807 Printf("Loading corpus dir: %s\n", Inp.c_str());
808 ReadDirToVectorOfUnits(Inp.c_str(), &InitialCorpus, nullptr,
809 MaxLen, /*ExitOnError=*/false);
810 }
811
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]812 if (Dictionary.empty() || Inputs->empty()) {
813 Printf("ERROR: can't analyze dict without dict and corpus provided\n");
814 return 1;
815 }
816 if (AnalyzeDictionary(F, Dictionary, InitialCorpus)) {
817 Printf("Dictionary analysis failed\n");
818 exit(1);
819 }
sylvestrea9eb8572018-03-13 14:35:10 +0000[diff] [blame]820 Printf("Dictionary analysis succeeded\n");
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]821 exit(0);
822 }
823
kcc11883b22019-05-10 01:34:26 +0000[diff] [blame]824 auto CorporaFiles = ReadCorpora(*Inputs, ParseSeedInuts(Flags.seed_inputs));
825 F->Loop(CorporaFiles);
george.karpenkov29efa6d2017-08-21 23:25:50 +0000[diff] [blame]826
827 if (Flags.verbosity)
828 Printf("Done %zd runs in %zd second(s)\n", F->getTotalNumberOfRuns(),
829 F->secondsSinceProcessStartUp());
830 F->PrintFinalStats();
831
832 exit(0); // Don't let F destroy itself.
833}
834
835// Storage for global ExternalFunctions object.
836ExternalFunctions *EF = nullptr;
837
838} // namespace fuzzer