Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromium / llvm-project / compiler-rt / lib / fuzzer / 38ace42b70dcb65c716423dd6b52ef2041f88517 / . / FuzzerFork.cpp
blob: eff90094dae7a5a47eac8de94c36a7b87633a1cd [file] [log] [blame]
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]1//===- FuzzerFork.cpp - run fuzzing in separate subprocesses --------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]8// Spawn and orchestrate separate fuzzing processes.
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]9//===----------------------------------------------------------------------===//
10
11#include "FuzzerCommand.h"
12#include "FuzzerFork.h"
13#include "FuzzerIO.h"
14#include "FuzzerMerge.h"
15#include "FuzzerSHA1.h"
kcc9c0ed932019-02-15 01:22:00 +0000[diff] [blame]16#include "FuzzerTracePC.h"
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]17#include "FuzzerUtil.h"
18
kccb1fa9e02019-02-14 01:11:29 +0000[diff] [blame]19#include <atomic>
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]20#include <fstream>
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]21#include <mutex>
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]22#include <queue>
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]23#include <sstream>
24#include <thread>
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]25
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]26namespace fuzzer {
27
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]28struct Stats {
29 size_t number_of_executed_units = 0;
30 size_t peak_rss_mb = 0;
31 size_t average_exec_per_sec = 0;
32};
33
34static Stats ParseFinalStatsFromLog(const std::string &LogPath) {
35 std::ifstream In(LogPath);
36 std::string Line;
37 Stats Res;
38 struct {
39 const char *Name;
40 size_t *Var;
41 } NameVarPairs[] = {
42 {"stat::number_of_executed_units:", &Res.number_of_executed_units},
43 {"stat::peak_rss_mb:", &Res.peak_rss_mb},
44 {"stat::average_exec_per_sec:", &Res.average_exec_per_sec},
45 {nullptr, nullptr},
46 };
47 while (std::getline(In, Line, '\n')) {
48 if (Line.find("stat::") != 0) continue;
49 std::istringstream ISS(Line);
50 std::string Name;
51 size_t Val;
52 ISS >> Name >> Val;
53 for (size_t i = 0; NameVarPairs[i].Name; i++)
54 if (Name == NameVarPairs[i].Name)
55 *NameVarPairs[i].Var = Val;
56 }
57 return Res;
58}
59
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]60struct FuzzJob {
61 // Inputs.
62 Command Cmd;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]63 std::string CorpusDir;
64 std::string LogPath;
65 std::string CFPath;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]66
67 // Fuzzing Outputs.
68 int ExitCode;
69};
70
71struct GlobalEnv {
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]72 Vector<std::string> Args;
73 Vector<std::string> CorpusDirs;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]74 std::string MainCorpusDir;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]75 std::string TempDir;
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]76 Set<uint32_t> Features, Cov;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]77 Vector<std::string> Files;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]78 Random *Rand;
79 int Verbosity = 0;
80
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]81 size_t NumRuns = 0;
82
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]83 FuzzJob *CreateNewJob(size_t JobId) {
84 Command Cmd(Args);
85 Cmd.removeFlag("fork");
86 for (auto &C : CorpusDirs) // Remove all corpora from the args.
87 Cmd.removeArgument(C);
88 Cmd.addFlag("reload", "0"); // working in an isolated dir, no reload.
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]89 Cmd.addFlag("print_final_stats", "1");
kcc9c0ed932019-02-15 01:22:00 +0000[diff] [blame]90 Cmd.addFlag("print_funcs", "0"); // no need to spend time symbolizing.
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]91 Cmd.addFlag("max_total_time", std::to_string(std::min((size_t)300, JobId)));
92
93 auto Job = new FuzzJob;
94 std::string Seeds;
kcc9c0ed932019-02-15 01:22:00 +0000[diff] [blame]95 if (size_t CorpusSubsetSize =
96 std::min(Files.size(), (size_t)sqrt(Files.size() + 2)))
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]97 for (size_t i = 0; i < CorpusSubsetSize; i++)
98 Seeds += (Seeds.empty() ? "" : ",") +
99 Files[Rand->SkewTowardsLast(Files.size())];
100 if (!Seeds.empty())
101 Cmd.addFlag("seed_inputs", Seeds);
102 Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log");
103 Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId));
104 Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge");
105
106
107 Cmd.addArgument(Job->CorpusDir);
108 RmDirRecursive(Job->CorpusDir);
109 MkDir(Job->CorpusDir);
110
111 Cmd.setOutputFile(Job->LogPath);
112 Cmd.combineOutAndErr();
113
114 Job->Cmd = Cmd;
115
116 if (Verbosity >= 2)
117 Printf("Job %zd/%p Created: %s\n", JobId, Job,
118 Job->Cmd.toString().c_str());
119 // Start from very short runs and gradually increase them.
120 return Job;
121 }
122
123 void RunOneMergeJob(FuzzJob *Job) {
124 Vector<SizedFile> TempFiles;
125 GetSizedFilesFromDir(Job->CorpusDir, &TempFiles);
126
127 Vector<std::string> FilesToAdd;
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]128 Set<uint32_t> NewFeatures, NewCov;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]129 CrashResistantMerge(Args, {}, TempFiles, &FilesToAdd, Features,
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]130 &NewFeatures, Cov, &NewCov, Job->CFPath, false);
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]131 RemoveFile(Job->CFPath);
132 for (auto &Path : FilesToAdd) {
133 auto U = FileToVector(Path);
134 auto NewPath = DirPlusFile(MainCorpusDir, Hash(U));
135 WriteToFile(U, NewPath);
136 Files.push_back(NewPath);
137 }
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]138 RmDirRecursive(Job->CorpusDir);
139 Features.insert(NewFeatures.begin(), NewFeatures.end());
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]140 Cov.insert(NewCov.begin(), NewCov.end());
kcc9c0ed932019-02-15 01:22:00 +0000[diff] [blame]141 for (auto Idx : NewCov)
142 if (auto *TE = TPC.PCTableEntryByIdx(Idx))
143 if (TPC.PcIsFuncEntry(TE))
144 PrintPC(" NEW_FUNC: %p %F %L\n", "",
145 TPC.GetNextInstructionPc(TE->PC));
146
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]147 auto Stats = ParseFinalStatsFromLog(Job->LogPath);
148 NumRuns += Stats.number_of_executed_units;
149 if (!FilesToAdd.empty())
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]150 Printf("#%zd: cov: %zd ft: %zd corp: %zd exec/s %zd\n", NumRuns,
151 Cov.size(), Features.size(), Files.size(),
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]152 Stats.average_exec_per_sec);
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]153 }
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]154};
155
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]156struct JobQueue {
157 std::queue<FuzzJob *> Qu;
158 std::mutex Mu;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]159
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]160 void Push(FuzzJob *Job) {
161 std::lock_guard<std::mutex> Lock(Mu);
162 Qu.push(Job);
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]163 }
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]164 FuzzJob *Pop() {
165 std::lock_guard<std::mutex> Lock(Mu);
166 if (Qu.empty()) return nullptr;
167 auto Job = Qu.front();
168 Qu.pop();
169 return Job;
170 }
171};
172
173void WorkerThread(std::atomic<bool> *Stop, JobQueue *FuzzQ, JobQueue *MergeQ) {
kccb1fa9e02019-02-14 01:11:29 +0000[diff] [blame]174 while (!Stop->load()) {
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]175 auto Job = FuzzQ->Pop();
176 // Printf("WorkerThread: job %p\n", Job);
177 if (!Job) {
178 SleepSeconds(1);
179 continue;
180 }
181 Job->ExitCode = ExecuteCommand(Job->Cmd);
182 MergeQ->Push(Job);
183 }
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]184}
185
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]186// This is just a skeleton of an experimental -fork=1 feature.
187void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
188 const Vector<std::string> &Args,
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]189 const Vector<std::string> &CorpusDirs, int NumJobs) {
190 Printf("INFO: -fork=%d: doing fuzzing in a separate process in order to "
191 "be more resistant to crashes, timeouts, and OOMs\n", NumJobs);
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]192
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]193 GlobalEnv Env;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]194 Env.Args = Args;
195 Env.CorpusDirs = CorpusDirs;
196 Env.Rand = &Rand;
197 Env.Verbosity = Options.Verbosity;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]198
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]199 Vector<SizedFile> SeedFiles;
200 for (auto &Dir : CorpusDirs)
201 GetSizedFilesFromDir(Dir, &SeedFiles);
202 std::sort(SeedFiles.begin(), SeedFiles.end());
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]203 Env.TempDir = TempPath(".dir");
204 RmDirRecursive(Env.TempDir); // in case there is a leftover from old runs.
205 MkDir(Env.TempDir);
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]206
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]207
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]208 if (CorpusDirs.empty())
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]209 MkDir(Env.MainCorpusDir = DirPlusFile(Env.TempDir, "C"));
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]210 else
211 Env.MainCorpusDir = CorpusDirs[0];
212
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]213 auto CFPath = DirPlusFile(Env.TempDir, "merge.txt");
214 CrashResistantMerge(Env.Args, {}, SeedFiles, &Env.Files, {}, &Env.Features,
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame]215 {}, &Env.Cov,
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]216 CFPath, false);
217 RemoveFile(CFPath);
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]218 Printf("INFO: -fork=%d: %zd seeds, starting to fuzz; scratch: %s\n",
219 NumJobs, Env.Files.size(), Env.TempDir.c_str());
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]220
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]221 int ExitCode = 0;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]222
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]223 JobQueue FuzzQ, MergeQ;
224 std::atomic<bool> Stop(false);
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]225
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]226 size_t JobId = 1;
227 Vector<std::thread> Threads;
228 for (int t = 0; t < NumJobs; t++) {
229 Threads.push_back(std::thread(WorkerThread, &Stop, &FuzzQ, &MergeQ));
230 FuzzQ.Push(Env.CreateNewJob(JobId++));
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]231 }
232
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]233 while (!Stop) {
234 auto Job = MergeQ.Pop();
235 if (!Job) {
236 SleepSeconds(1);
237 continue;
238 }
239 ExitCode = Job->ExitCode;
240 if (ExitCode != Options.InterruptExitCode)
241 Env.RunOneMergeJob(Job);
242
243 // Continue if our crash is one of the ignorred ones.
244 if (Options.IgnoreTimeouts && ExitCode == Options.TimeoutExitCode)
245 ;
246 else if (Options.IgnoreOOMs && ExitCode == Options.OOMExitCode)
247 ;
248 else if (ExitCode == Options.InterruptExitCode)
249 Stop = true;
250 else if (ExitCode != 0) {
251 // And exit if we don't ignore this crash.
252 Printf("INFO: log from the inner process:\n%s",
253 FileToString(Job->LogPath).c_str());
254 Stop = true;
255 }
256 RemoveFile(Job->LogPath);
257 delete Job;
258 FuzzQ.Push(Env.CreateNewJob(JobId++));
259 }
260 Stop = true;
261
262 for (auto &T : Threads)
263 T.join();
264
265 RmDirRecursive(Env.TempDir);
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]266
267 // Use the exit code from the last child process.
268 Printf("Fork: exiting: %d\n", ExitCode);
269 exit(ExitCode);
270}
271
272} // namespace fuzzer
273