Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromium / llvm-project / compiler-rt / lib / fuzzer / 98a8624429907ab017bc8c00178ece606f578b32 / . / FuzzerFork.cpp
blob: 41fb5c1c57fef3b277b8240b44d896e584c9fa9b [file] [log] [blame]
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]1//===- FuzzerFork.cpp - run fuzzing in separate subprocesses --------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]8// Spawn and orchestrate separate fuzzing processes.
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]9//===----------------------------------------------------------------------===//
10
11#include "FuzzerCommand.h"
12#include "FuzzerFork.h"
13#include "FuzzerIO.h"
14#include "FuzzerMerge.h"
15#include "FuzzerSHA1.h"
16#include "FuzzerUtil.h"
17
kccb1fa9e02019-02-14 01:11:29 +0000[diff] [blame]18#include <atomic>
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]19#include <fstream>
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]20#include <mutex>
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]21#include <queue>
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]22#include <sstream>
23#include <thread>
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]24
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]25namespace fuzzer {
26
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]27struct Stats {
28 size_t number_of_executed_units = 0;
29 size_t peak_rss_mb = 0;
30 size_t average_exec_per_sec = 0;
31};
32
33static Stats ParseFinalStatsFromLog(const std::string &LogPath) {
34 std::ifstream In(LogPath);
35 std::string Line;
36 Stats Res;
37 struct {
38 const char *Name;
39 size_t *Var;
40 } NameVarPairs[] = {
41 {"stat::number_of_executed_units:", &Res.number_of_executed_units},
42 {"stat::peak_rss_mb:", &Res.peak_rss_mb},
43 {"stat::average_exec_per_sec:", &Res.average_exec_per_sec},
44 {nullptr, nullptr},
45 };
46 while (std::getline(In, Line, '\n')) {
47 if (Line.find("stat::") != 0) continue;
48 std::istringstream ISS(Line);
49 std::string Name;
50 size_t Val;
51 ISS >> Name >> Val;
52 for (size_t i = 0; NameVarPairs[i].Name; i++)
53 if (Name == NameVarPairs[i].Name)
54 *NameVarPairs[i].Var = Val;
55 }
56 return Res;
57}
58
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]59struct FuzzJob {
60 // Inputs.
61 Command Cmd;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]62 std::string CorpusDir;
63 std::string LogPath;
64 std::string CFPath;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]65
66 // Fuzzing Outputs.
67 int ExitCode;
68};
69
70struct GlobalEnv {
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]71 Vector<std::string> Args;
72 Vector<std::string> CorpusDirs;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]73 std::string MainCorpusDir;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]74 std::string TempDir;
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame^]75 Set<uint32_t> Features, Cov;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]76 Vector<std::string> Files;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]77 Random *Rand;
78 int Verbosity = 0;
79
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]80 size_t NumRuns = 0;
81
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]82 FuzzJob *CreateNewJob(size_t JobId) {
83 Command Cmd(Args);
84 Cmd.removeFlag("fork");
85 for (auto &C : CorpusDirs) // Remove all corpora from the args.
86 Cmd.removeArgument(C);
87 Cmd.addFlag("reload", "0"); // working in an isolated dir, no reload.
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]88 Cmd.addFlag("print_final_stats", "1");
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]89 Cmd.addFlag("max_total_time", std::to_string(std::min((size_t)300, JobId)));
90
91 auto Job = new FuzzJob;
92 std::string Seeds;
93 if (size_t CorpusSubsetSize = std::min(Files.size(), (size_t)100))
94 for (size_t i = 0; i < CorpusSubsetSize; i++)
95 Seeds += (Seeds.empty() ? "" : ",") +
96 Files[Rand->SkewTowardsLast(Files.size())];
97 if (!Seeds.empty())
98 Cmd.addFlag("seed_inputs", Seeds);
99 Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log");
100 Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId));
101 Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge");
102
103
104 Cmd.addArgument(Job->CorpusDir);
105 RmDirRecursive(Job->CorpusDir);
106 MkDir(Job->CorpusDir);
107
108 Cmd.setOutputFile(Job->LogPath);
109 Cmd.combineOutAndErr();
110
111 Job->Cmd = Cmd;
112
113 if (Verbosity >= 2)
114 Printf("Job %zd/%p Created: %s\n", JobId, Job,
115 Job->Cmd.toString().c_str());
116 // Start from very short runs and gradually increase them.
117 return Job;
118 }
119
120 void RunOneMergeJob(FuzzJob *Job) {
121 Vector<SizedFile> TempFiles;
122 GetSizedFilesFromDir(Job->CorpusDir, &TempFiles);
123
124 Vector<std::string> FilesToAdd;
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame^]125 Set<uint32_t> NewFeatures, NewCov;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]126 CrashResistantMerge(Args, {}, TempFiles, &FilesToAdd, Features,
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame^]127 &NewFeatures, Cov, &NewCov, Job->CFPath, false);
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]128 RemoveFile(Job->CFPath);
129 for (auto &Path : FilesToAdd) {
130 auto U = FileToVector(Path);
131 auto NewPath = DirPlusFile(MainCorpusDir, Hash(U));
132 WriteToFile(U, NewPath);
133 Files.push_back(NewPath);
134 }
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]135 RmDirRecursive(Job->CorpusDir);
136 Features.insert(NewFeatures.begin(), NewFeatures.end());
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame^]137 Cov.insert(NewCov.begin(), NewCov.end());
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]138 auto Stats = ParseFinalStatsFromLog(Job->LogPath);
139 NumRuns += Stats.number_of_executed_units;
140 if (!FilesToAdd.empty())
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame^]141 Printf("#%zd: cov: %zd ft: %zd corp: %zd exec/s %zd\n", NumRuns,
142 Cov.size(), Features.size(), Files.size(),
kccdd391142019-02-14 21:09:32 +0000[diff] [blame]143 Stats.average_exec_per_sec);
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]144 }
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]145};
146
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]147struct JobQueue {
148 std::queue<FuzzJob *> Qu;
149 std::mutex Mu;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]150
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]151 void Push(FuzzJob *Job) {
152 std::lock_guard<std::mutex> Lock(Mu);
153 Qu.push(Job);
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]154 }
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]155 FuzzJob *Pop() {
156 std::lock_guard<std::mutex> Lock(Mu);
157 if (Qu.empty()) return nullptr;
158 auto Job = Qu.front();
159 Qu.pop();
160 return Job;
161 }
162};
163
164void WorkerThread(std::atomic<bool> *Stop, JobQueue *FuzzQ, JobQueue *MergeQ) {
kccb1fa9e02019-02-14 01:11:29 +0000[diff] [blame]165 while (!Stop->load()) {
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]166 auto Job = FuzzQ->Pop();
167 // Printf("WorkerThread: job %p\n", Job);
168 if (!Job) {
169 SleepSeconds(1);
170 continue;
171 }
172 Job->ExitCode = ExecuteCommand(Job->Cmd);
173 MergeQ->Push(Job);
174 }
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]175}
176
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]177// This is just a skeleton of an experimental -fork=1 feature.
178void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
179 const Vector<std::string> &Args,
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]180 const Vector<std::string> &CorpusDirs, int NumJobs) {
181 Printf("INFO: -fork=%d: doing fuzzing in a separate process in order to "
182 "be more resistant to crashes, timeouts, and OOMs\n", NumJobs);
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]183
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]184 GlobalEnv Env;
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]185 Env.Args = Args;
186 Env.CorpusDirs = CorpusDirs;
187 Env.Rand = &Rand;
188 Env.Verbosity = Options.Verbosity;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]189
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]190 Vector<SizedFile> SeedFiles;
191 for (auto &Dir : CorpusDirs)
192 GetSizedFilesFromDir(Dir, &SeedFiles);
193 std::sort(SeedFiles.begin(), SeedFiles.end());
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]194 Env.TempDir = TempPath(".dir");
195 RmDirRecursive(Env.TempDir); // in case there is a leftover from old runs.
196 MkDir(Env.TempDir);
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]197
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]198
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]199 if (CorpusDirs.empty())
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]200 MkDir(Env.MainCorpusDir = DirPlusFile(Env.TempDir, "C"));
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]201 else
202 Env.MainCorpusDir = CorpusDirs[0];
203
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]204 auto CFPath = DirPlusFile(Env.TempDir, "merge.txt");
205 CrashResistantMerge(Env.Args, {}, SeedFiles, &Env.Files, {}, &Env.Features,
kcc98a86242019-02-15 00:08:16 +0000[diff] [blame^]206 {}, &Env.Cov,
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]207 CFPath, false);
208 RemoveFile(CFPath);
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]209 Printf("INFO: -fork=%d: %zd seeds, starting to fuzz; scratch: %s\n",
210 NumJobs, Env.Files.size(), Env.TempDir.c_str());
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]211
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]212 int ExitCode = 0;
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]213
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]214 JobQueue FuzzQ, MergeQ;
215 std::atomic<bool> Stop(false);
kcc64bcb922019-02-13 04:04:45 +0000[diff] [blame]216
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]217 size_t JobId = 1;
218 Vector<std::thread> Threads;
219 for (int t = 0; t < NumJobs; t++) {
220 Threads.push_back(std::thread(WorkerThread, &Stop, &FuzzQ, &MergeQ));
221 FuzzQ.Push(Env.CreateNewJob(JobId++));
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]222 }
223
kcc6526f1d2019-02-14 00:25:43 +0000[diff] [blame]224 while (!Stop) {
225 auto Job = MergeQ.Pop();
226 if (!Job) {
227 SleepSeconds(1);
228 continue;
229 }
230 ExitCode = Job->ExitCode;
231 if (ExitCode != Options.InterruptExitCode)
232 Env.RunOneMergeJob(Job);
233
234 // Continue if our crash is one of the ignorred ones.
235 if (Options.IgnoreTimeouts && ExitCode == Options.TimeoutExitCode)
236 ;
237 else if (Options.IgnoreOOMs && ExitCode == Options.OOMExitCode)
238 ;
239 else if (ExitCode == Options.InterruptExitCode)
240 Stop = true;
241 else if (ExitCode != 0) {
242 // And exit if we don't ignore this crash.
243 Printf("INFO: log from the inner process:\n%s",
244 FileToString(Job->LogPath).c_str());
245 Stop = true;
246 }
247 RemoveFile(Job->LogPath);
248 delete Job;
249 FuzzQ.Push(Env.CreateNewJob(JobId++));
250 }
251 Stop = true;
252
253 for (auto &T : Threads)
254 T.join();
255
256 RmDirRecursive(Env.TempDir);
kcc2e6ca5c2019-02-12 22:48:55 +0000[diff] [blame]257
258 // Use the exit code from the last child process.
259 Printf("Fork: exiting: %d\n", ExitCode);
260 exit(ExitCode);
261}
262
263} // namespace fuzzer
264