# Copyright 2018 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
"""Script for performing tasks that are useful for fuzzer development.

Run "cros_fuzz" in the chroot for a list of commands or "cros_fuzz $COMMAND
--help" for their full details. Below is a summary of commands that the script
can perform:

coverage: Generate a coverage report for a given fuzzer (specified by "--fuzzer"
    option). You almost certainly want to specify the package to build (using
    the "--package" option) so that a coverage build is done, since a coverage
    build is needed to generate a report. If your fuzz target is running on
    ClusterFuzz already, you can use the "--download" option to download the
    corpus from ClusterFuzz. Otherwise, you can use the "--corpus" option to
    specify the path of the corpus to run the fuzzer on and generate a report.
    The corpus will be copied to the sysroot so that the fuzzer can use it.
    Note that "--download" and "--corpus" are mutually exclusive.

reproduce: Runs the fuzzer specified by the "--fuzzer" option on a testcase
    (path specified by the "--testcase" argument). Optionally does a build when
    the "--package" option is used. The type of build can be specified using the
    "--build_type" argument.

download: Downloads the corpus from ClusterFuzz of the fuzzer specified by the
    "--fuzzer" option. The path of the directory the corpus is downloaded to
    can be specified using the "--directory" option.

shell: Sets up the sysroot for fuzzing and then chroots into the sysroot giving
    you a shell that is ready to fuzz.

setup: Sets up the sysroot for fuzzing (done prior to doing "reproduce", "shell"
    and "coverage" commands).

cleanup: Undoes "setup".

Note that cros_fuzz will print every shell command it runs if you set the
log-level to debug ("--log-level debug"). Otherwise, it will print only the
commands that fail.
"""
import logging
import os
import shutil

from chromite.third_party import lddtree
from chromite.third_party.pyelftools.elftools.elf.elffile import ELFFile

from chromite.lib import build_target_lib
from chromite.lib import commandline
from chromite.lib import constants
from chromite.lib import cros_build_lib
from chromite.lib import gs
from chromite.lib import osutils
from chromite.lib import portage_util
# Scratch directory, under the sysroot's /tmp, that this script owns. The
# external programs it drives run chrooted into the sysroot and exchange data
# through files, and they are usually unable to read or write directories of
# the chroot environment this script itself is executed in.
# NOTE(review): this is a fixed, predictable name under /tmp; confirm nothing
# untrusted is able to pre-create it inside the sysroot.
SCRIPT_STORAGE_DIRECTORY = "fuzz"
SCRIPT_STORAGE_PATH = os.path.join("/tmp", SCRIPT_STORAGE_DIRECTORY)

# Subdirectories of the "fuzz" directory that this script stores things in.
CORPUS_DIRECTORY_NAME = "corpus"
TESTCASE_DIRECTORY_NAME = "testcase"
COVERAGE_REPORT_DIRECTORY_NAME = "coverage-report"

# libFuzzer command line option names.
RUNS_OPTION_NAME = "runs"
MAX_TOTAL_TIME_OPTION_NAME = "max_total_time"

# Where a clang coverage-instrumented binary writes its profraw file when it is
# run by this script (the default is the current working directory).
DEFAULT_PROFRAW_PATH = "/default.profraw"

# libFuzzer command line option values.
# 0 runs: execute everything in the corpus and do no mutations.
RUNS_DEFAULT_VALUE = 0
# Arbitrary but short fuzzing duration, in seconds, used to gather some
# coverage data when no corpus was provided and none is to be downloaded.
MAX_TOTAL_TIME_DEFAULT_VALUE = 30
class BuildType:
    """Namespace for the build-type identifiers used by this script."""

    ASAN = "asan"
    MSAN = "msan"
    UBSAN = "ubsan"
    COVERAGE = "coverage"
    STANDARD = ""

    # The subset of build types users can specify; STANDARD is not among them.
    CHOICES = (ASAN, MSAN, UBSAN, COVERAGE)
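class SysrootPath:
    """Class for representing a path that is in the sysroot.

    Useful for dealing with paths that we must interact with both when
    chrooted into the sysroot and when outside of it.

    For example, if we need to interact with the "/tmp" directory of the
    sysroot, SysrootPath('/tmp').sysroot returns the path of the directory as
    seen when chrooted into the sysroot, i.e. "/tmp".

    SysrootPath('/tmp').chroot returns the path of the directory when in the
    cros_sdk, i.e. SYSROOT_DIRECTORY + "/tmp" (this will probably be
    "/build/amd64-generic/tmp" in most cases).
    """

    # The actual path to the sysroot (from within the chroot).
    path_to_sysroot = None

    def __init__(self, path):
        """Constructor.

        Args:
            path: An absolute path representing something in the sysroot. It
                may be sysroot-relative ("/tmp/x") or the chroot view of the
                same file (path_to_sysroot + "/tmp/x"); the latter is
                converted to the former.
        """
        # NOTE: these asserts are sanity checks only; they are stripped when
        # Python runs with -O, so they are not an input-validation boundary.
        assert path.startswith("/")
        if self.IsPathInSysroot(path):
            path = self.FromChrootPathInSysroot(os.path.abspath(path))
        # NOTE(review): a sysroot-relative |path| is stored as given, so any
        # ".." components survive into .chroot/.sysroot; callers passing
        # user-supplied paths may want to normalize first.
        self.path_list = path.split(os.sep)[1:]

    @classmethod
    def SetPathToSysroot(cls, board):
        """Sets path_to_sysroot

        Args:
            board: The board we will use for our sysroot.

        Returns:
            The path to the sysroot (the value of path_to_sysroot).
        """
        cls.path_to_sysroot = build_target_lib.get_default_sysroot_path(board)
        return cls.path_to_sysroot

    @property
    def chroot(self):
        """Get the path of the object in the Chrome OS SDK chroot.

        Returns:
            The path this object represents when in the Chrome OS SDK, i.e.
            path_to_sysroot joined with the sysroot-relative components.
        """
        assert (
            self.path_to_sysroot is not None
        ), "set SysrootPath.path_to_sysroot"
        return os.path.join(self.path_to_sysroot, *self.path_list)

    @property
    def sysroot(self):
        """Get the path of the object when in the sysroot.

        Returns:
            The path this object represents when chrooted into the sysroot.
        """
        return os.path.join("/", *self.path_list)

    @classmethod
    def IsPathInSysroot(cls, path):
        """Is a path in the sysroot.

        The comparison is made on normalized paths and on whole path
        components. A plain string-prefix test would also accept a sibling
        directory whose name merely starts with the sysroot's name (e.g.
        "/build/board-other" for sysroot "/build/board"), and would accept
        paths that leave the sysroot again through ".." components.

        Args:
            path: The path we are checking is in the sysroot.

        Returns:
            True if path is within the sysroot's path in the chroot.
        """
        assert cls.path_to_sysroot
        sysroot = os.path.normpath(cls.path_to_sysroot)
        candidate = os.path.normpath(path)
        if candidate == sysroot:
            return True
        # Require a separator right after the sysroot so only real
        # descendants match.
        return candidate.startswith(sysroot.rstrip(os.sep) + os.sep)

    @classmethod
    def FromChrootPathInSysroot(cls, path):
        """Converts a chroot-relative path in sysroot into sysroot-relative.

        Args:
            path: The chroot-relative path we are converting to sysroot
                relative.

        Returns:
            The sysroot relative version of |path|, or "" when |path| is the
            sysroot directory itself.
        """
        assert cls.IsPathInSysroot(path)
        sysroot = os.path.normpath(cls.path_to_sysroot)
        relative = os.path.relpath(os.path.normpath(path), sysroot)
        if relative == os.curdir:
            # |path| is the sysroot itself; keep the historical empty result.
            return ""
        return os.path.join(os.sep, relative)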
def GetScriptStoragePath(relative_path):
    """Build the SysrootPath of an entry in the script storage directory.

    Args:
        relative_path: The path relative to the root of the script storage
            directory.

    Returns:
        The SysrootPath representing the absolute path of |relative_path| in
        the script storage directory.
    """
    # NOTE: os.path.join discards SCRIPT_STORAGE_PATH if |relative_path| is
    # itself absolute, so callers must really pass a relative path.
    return SysrootPath(os.path.join(SCRIPT_STORAGE_PATH, relative_path))
def GetSysrootPath(path):
    """Translate a path in the sysroot into its chroot-relative form.

    Args:
        path: An absolute path in the sysroot that we will get the path in the
            chroot for.

    Returns:
        The chroot-relative path of |path| in the sysroot.
    """
    wrapped = SysrootPath(path)
    return wrapped.chroot
def GetCoverageDirectory(fuzzer):
    """Get the coverage report directory for a fuzzer.

    Args:
        fuzzer: The fuzzer to get the coverage report directory for.

    Returns:
        The location of the coverage report directory for the |fuzzer|, as
        returned by GetScriptStoragePath.
    """
    # |fuzzer| becomes a path component below the coverage-report directory.
    return GetScriptStoragePath(
        os.path.join(COVERAGE_REPORT_DIRECTORY_NAME, fuzzer)
    )
def GetFuzzerSysrootPath(fuzzer):
    """Locate a fuzzer binary inside the sysroot.

    Args:
        fuzzer: The fuzzer to get the path of.

    Returns:
        A SysrootPath for |fuzzer| under /usr/libexec/fuzzers in the sysroot.
    """
    fuzzer_location = os.path.join("/", "usr", "libexec", "fuzzers", fuzzer)
    return SysrootPath(fuzzer_location)
def GetProfdataPath(fuzzer):
    """Get the profdata file of a fuzzer.

    Args:
        fuzzer: The fuzzer to get the profdata file of.

    Returns:
        The path of the profdata file that should be used by |fuzzer|; it
        sits directly in the script storage directory.
    """
    profdata_name = "%s.profdata" % fuzzer
    return GetScriptStoragePath(profdata_name)
def GetPathForCopy(parent_directory, chroot_path):
    """Returns a path in the script storage directory to copy chroot_path.

    Only the final component of |chroot_path| is kept; it is placed inside
    |parent_directory|, which itself lives in the script storage directory.

    Args:
        parent_directory: Name of the subdirectory of the script storage
            directory that receives the copy.
        chroot_path: The path that is going to be copied.

    Returns:
        A SysrootPath representing where |chroot_path| should be copied.
    """
    # NOTE: basename() is "" when |chroot_path| ends with a separator, in
    # which case the result is |parent_directory| itself.
    destination = os.path.join(
        parent_directory, os.path.basename(chroot_path)
    )
    return GetScriptStoragePath(destination)
def CopyCorpusToSysroot(src_corpus_path):
    """Copies corpus into the sysroot.

    Doesn't copy if the corpus is already in the sysroot. Any previous copy
    at the destination is removed first.

    Args:
        src_corpus_path: A path (in the chroot) to a corpus that will be copied
            into sysroot. May be None.

    Returns:
        The SysrootPath the corpus is available at in the sysroot, or None if
        |src_corpus_path| is None.
    """
    if src_corpus_path is None:
        return None

    if not SysrootPath.IsPathInSysroot(src_corpus_path):
        destination = GetPathForCopy(CORPUS_DIRECTORY_NAME, src_corpus_path)
        destination_in_chroot = destination.chroot
        osutils.RmDir(destination_in_chroot, ignore_missing=True)
        # NOTE(review): copytree runs with its defaults, so symlinks found in
        # the corpus are followed and the files they point to are copied;
        # worth confirming for corpora that come from outside.
        shutil.copytree(src_corpus_path, destination_in_chroot)
        return destination

    # |src_corpus_path| is already in the sysroot: don't copy, just return it
    # in the format expected by the caller.
    return SysrootPath(src_corpus_path)
def CopyTestcaseToSysroot(src_testcase_path):
    """Copies a testcase into the sysroot.

    Doesn't copy if the testcase is already in the sysroot. A stale file at
    the destination is unlinked before the copy.

    Args:
        src_testcase_path: A path (in the chroot) to a testcase that will be
            copied into sysroot.

    Returns:
        The SysrootPath the testcase is available at in the sysroot.
    """
    if not SysrootPath.IsPathInSysroot(src_testcase_path):
        destination = GetPathForCopy(
            TESTCASE_DIRECTORY_NAME, src_testcase_path
        )
        destination_in_chroot = destination.chroot
        osutils.SafeMakedirsNonRoot(os.path.dirname(destination_in_chroot))
        osutils.SafeUnlink(destination_in_chroot)

        shutil.copy(src_testcase_path, destination_in_chroot)
        return destination

    # |src_testcase_path| is already in the sysroot: don't copy, just return
    # it in the format expected by the caller.
    return SysrootPath(src_testcase_path)
def sudo_run(*args, **kwargs):
    """Wrapper around cros_build_lib.sudo_run.

    Forwards everything to cros_build_lib.sudo_run, supplying
    debug_level=logging.DEBUG unless the caller passed a debug_level.

    Args:
        *args: Positional arguments to pass to cros_build_lib.sudo_run.
        **kwargs: Keyword arguments to pass to cros_build_lib.sudo_run.

    Returns:
        The value returned by calling cros_build_lib.sudo_run.
    """
    if "debug_level" not in kwargs:
        kwargs["debug_level"] = logging.DEBUG
    return cros_build_lib.sudo_run(*args, **kwargs)
def GetLibFuzzerOption(option_name, option_value):
    """Format a libFuzzer command line option as "-name=value".

    Args:
        option_name: The name of the libFuzzer option.
        option_value: The value of the libFuzzer option.

    Returns:
        The libFuzzer option composed of |option_name| and |option_value|.
    """
    return "-{}={}".format(option_name, option_value)
def IsOptionLimit(option):
    """Determines if fuzzer option limits fuzzing time.

    Args:
        option: A single command line argument of the fuzzer.

    Returns:
        True if |option| starts with "-max_total_time" or "-runs".
    """
    # This is a prefix match: the "=value" part is not inspected.
    limit_names = (MAX_TOTAL_TIME_OPTION_NAME, RUNS_OPTION_NAME)
    return any(option.startswith("-%s" % name) for name in limit_names)
def LimitFuzzing(fuzz_command, corpus):
    """Limits how long fuzzing will go if unspecified.

    Appends a reasonable limit to |fuzz_command| unless one of its arguments
    already limits fuzzing. Mutates fuzz_command and returns nothing.

    Args:
        fuzz_command: A command to run a fuzzer. Used to determine if a limit
            needs to be set. Mutated if it is needed to specify a limit.
        corpus: The corpus that will be passed to the fuzzer. If truthy, then
            fuzzing is limited by running everything in the corpus once.
    """
    # The first element is skipped when looking for an existing limit.
    for argument in fuzz_command[1:]:
        if IsOptionLimit(argument):
            # Already limited: leave the command untouched.
            return

    if not corpus:
        # Without a corpus, fall back to a short, time-boxed run.
        logging.info(
            "Limiting fuzzing to %s seconds.", MAX_TOTAL_TIME_DEFAULT_VALUE
        )
        fuzz_command.append(
            GetLibFuzzerOption(
                MAX_TOTAL_TIME_OPTION_NAME, MAX_TOTAL_TIME_DEFAULT_VALUE
            )
        )
        return

    # With a corpus, just run everything in the corpus once.
    runs_option = GetLibFuzzerOption(RUNS_OPTION_NAME, RUNS_DEFAULT_VALUE)
    fuzz_command.append(runs_option)
def GetFuzzExtraEnv(extra_options=None):
    """Gets extra_env for fuzzing.

    Builds the sanitizer environment variables for running libFuzzer from a
    set of defaults, which the caller may extend or override.

    Args:
        extra_options: A dict containing sanitizer options to set in addition to
            the defaults. Entries with the same name replace the default.

    Returns:
        A dict mapping ASAN_OPTIONS, MSAN_OPTIONS and UBSAN_OPTIONS to the
        same "name=value:name=value" string, usable in the environment
        libFuzzer runs in.
    """
    # log_path must be set because Chrome OS's patched compiler changes it.
    # ODR violation detection is disabled since many fuzzers hit it and it is
    # also disabled on clusterfuzz.
    # handle_sigtrap is useful for catching int3 in assertion checks in
    # ChromeOS code.
    merged_options = {
        "log_path": "stderr",
        "detect_odr_violation": "0",
        "handle_sigtrap": "1",
    }
    if extra_options is not None:
        merged_options.update(extra_options)

    # NOTE(review): names and values are joined verbatim; a value containing
    # ":" would presumably be read as the start of another option.
    option_string = ":".join(
        "%s=%s" % (name, value) for name, value in merged_options.items()
    )

    extra_env = {}
    for sanitizer in ("ASAN", "MSAN", "UBSAN"):
        extra_env[sanitizer + "_OPTIONS"] = option_string
    return extra_env
def RunFuzzer(
    fuzzer,
    corpus_path=None,
    fuzz_args="",
    testcase_path=None,
    crash_expected=False,
):
    """Runs the fuzzer while chrooted into the sysroot.

    Builds the fuzzer's argument list and hands it to RunSysrootCommand
    together with the sanitizer environment from GetFuzzExtraEnv.

    Args:
        fuzzer: The fuzzer to run.
        corpus_path: A path to a corpus (not necessarily in the sysroot) to
            run the fuzzer on.
        fuzz_args: Additional arguments to pass to the fuzzer when running
            it, as one whitespace-separated string.
        testcase_path: A path to a testcase (not necessarily in the sysroot)
            to run the fuzzer on.
        crash_expected: Is it normal for the fuzzer to crash on this run?
    """
    logging.info("Running fuzzer: %s", fuzzer)
    # fuzz_args is split on whitespace only, so a quoted argument that
    # contains spaces is not kept together.
    fuzz_command = [GetFuzzerSysrootPath(fuzzer).sysroot, *fuzz_args.split()]

    if not testcase_path:
        # No single testcase: bound the run instead (see LimitFuzzing).
        LimitFuzzing(fuzz_command, corpus_path)
    else:
        fuzz_command.append(testcase_path)

    if corpus_path:
        fuzz_command.append(corpus_path)

    sanitizer_options = {}
    if crash_expected:
        # Don't return nonzero when fuzzer OOMs, leaks, or times out, since
        # we don't want an exception in those cases. The user may be trying
        # to reproduce those issues.
        fuzz_command.extend(["-error_exitcode=0", "-timeout_exitcode=0"])

        # We must set exitcode=0 or else the fuzzer will return nonzero on
        # successful reproduction. As a consequence the exit status no
        # longer says whether the crash reproduced; read the sanitizer
        # report in the output for that.
        sanitizer_options["exitcode"] = "0"

    RunSysrootCommand(
        fuzz_command,
        extra_env=GetFuzzExtraEnv(sanitizer_options),
        debug_level=logging.INFO,
    )
def MergeProfraw(fuzzer):
    """Merges profraw file from a fuzzer and creates a profdata file.

    Runs "llvm-profdata merge -sparse" inside the sysroot, reading
    DEFAULT_PROFRAW_PATH and writing to the sysroot form of the fuzzer's
    profdata path.

    Args:
        fuzzer: The fuzzer to merge the profraw file from.

    Returns:
        The path object from GetProfdataPath(fuzzer) that the profdata file
        was written to.
    """
    output_path = GetProfdataPath(fuzzer)
    merge_command = ["llvm-profdata", "merge", "-sparse"]
    merge_command.append(DEFAULT_PROFRAW_PATH)
    merge_command += ["-o", output_path.sysroot]
    RunSysrootCommand(merge_command)
    return output_path
def GenerateCoverageReport(fuzzer, shared_libraries):
    """Generates an HTML coverage report from a fuzzer run.

    Invokes "llvm-cov show" through cros_build_lib.run using chroot-relative
    paths (unlike the fuzzer itself, this is not run via RunSysrootCommand).

    Args:
        fuzzer: The fuzzer to generate the coverage report for.
        shared_libraries: Libraries loaded dynamically by |fuzzer|. Each one
            is passed to llvm-cov as an extra "-object".

    Returns:
        The path of the coverage report.
    """
    command = [
        "llvm-cov",
        "show",
        "-object",
        GetFuzzerSysrootPath(fuzzer).chroot,
    ]
    command.extend(
        arg for library in shared_libraries for arg in ("-object", library)
    )

    report_directory = GetCoverageDirectory(fuzzer)
    command.append("-format=html")
    command.append("-instr-profile=%s" % GetProfdataPath(fuzzer).chroot)
    command.append("-output-dir=%s" % report_directory.chroot)

    # TODO(metzman): Investigate error messages printed by this command.
    cros_build_lib.run(command, stderr=True, debug_level=logging.DEBUG)
    return report_directory
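def GetSharedLibraries(binary_path):
    """Gets the shared libraries used by a binary.

    Gets the shared libraries used by the binary. Based on GetSharedLibraries
    from src/tools/code_coverage/coverage_utils.py in Chromium. Only
    libraries that IsInstrumentedWithClangCoverage accepts are returned.

    Args:
        binary_path: The path to the binary we want to find the shared
            libraries of. Its .chroot attribute is what gets parsed.

    Returns:
        The shared libraries used by |binary_path|, as a list of paths
        without duplicates.

    Raises:
        AssertionError: A library reported for the binary does not exist on
            disk.
    """
    logging.info("Finding shared libraries for targets (if any).")
    shared_libraries = []
    elf_dict = lddtree.ParseELF(
        binary_path.chroot, root=SysrootPath.path_to_sysroot
    )
    for shared_library in elf_dict["libs"].values():
        shared_library_path = shared_library["path"]

        if shared_library_path in shared_libraries:
            continue

        # Raise explicitly instead of using an assert statement: asserts are
        # stripped under "python -O", which would let a missing library
        # through to the open() in IsInstrumentedWithClangCoverage. The
        # exception type is kept for existing callers.
        # NOTE(review): presumably lddtree leaves "path" unset for a library
        # it could not resolve; the falsy check reports that case with the
        # same error instead of a TypeError from os.path.exists -- confirm.
        if not shared_library_path or not os.path.exists(shared_library_path):
            raise AssertionError(
                'Shared library "%s" used by '
                "the given target(s) does not "
                "exist." % shared_library_path
            )

        if IsInstrumentedWithClangCoverage(shared_library_path):
            # Do not add non-instrumented libraries. Otherwise, llvm-cov
            # errors out.
            shared_libraries.append(shared_library_path)

    logging.debug(
        "Found shared libraries (%d): %s.",
        len(shared_libraries),
        shared_libraries,
    )
    logging.info("Finished finding shared libraries for targets.")
    return shared_libraries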
def IsInstrumentedWithClangCoverage(binary_path):
    """Determines if a binary is instrumented with clang source based coverage.

    The check is the presence of an ELF section named "__llvm_covmap".

    Args:
        binary_path: The path of the binary (executable or library) we are
            checking is instrumented with clang source based coverage.

    Returns:
        True if the binary is instrumented with clang source based coverage.
    """
    with open(binary_path, "rb") as binary_file:
        # NOTE(review): the section name is passed as bytes. Confirm the
        # ELFFile implementation in use keys section names by bytes rather
        # than str; if it uses str this lookup can never match and every
        # library would be reported as uninstrumented.
        covmap_section = ELFFile(binary_file).get_section_by_name(
            b"__llvm_covmap"
        )
    return covmap_section is not None
def RunFuzzerAndGenerateCoverageReport(fuzzer, corpus, fuzz_args):
    """Runs a fuzzer, generates a coverage report and returns its path.

    Copies the corpus into the sysroot, runs the fuzzer on it, merges the
    resulting profile data and renders the report.

    Args:
        fuzzer: The fuzzer to run and generate the coverage report for.
        corpus: The path to a corpus to run the fuzzer on.
        fuzz_args: Additional arguments to pass to the fuzzer.

    Returns:
        The path to the coverage report.
    """
    copied_corpus = CopyCorpusToSysroot(corpus)
    # A falsy result from CopyCorpusToSysroot is passed through unchanged,
    # which makes RunFuzzer fall back to a time-limited run without a corpus.
    sysroot_corpus = copied_corpus.sysroot if copied_corpus else copied_corpus

    RunFuzzer(fuzzer, corpus_path=sysroot_corpus, fuzz_args=fuzz_args)
    MergeProfraw(fuzzer)
    libraries = GetSharedLibraries(GetFuzzerSysrootPath(fuzzer))
    return GenerateCoverageReport(fuzzer, libraries)
def RunSysrootCommand(command, **kwargs):
    """Runs command while chrooted into sysroot and returns the result.

    The command is prefixed with "chroot <sysroot>" and executed through
    sudo_run, so everything passed here runs with root privileges inside
    the sysroot.

    Args:
        command: A command to run in the sysroot, as a list of arguments.
        **kwargs: Extra arguments to pass to cros_build_lib.sudo_run.

    Returns:
        The result of a call to cros_build_lib.sudo_run.
    """
    chroot_prefix = ["chroot", SysrootPath.path_to_sysroot]
    return sudo_run(chroot_prefix + command, **kwargs)
def GetBuildExtraEnv(build_type):
    """Gets the extra_env for building a package.

    Extends the USE and FEATURES values inherited from the environment with
    the flags needed for a fuzzer build of the requested type.

    Args:
        build_type: The type of build we want to do. None selects
            BuildType.ASAN.

    Returns:
        The extra_env to use when building: a dict with "FEATURES" and "USE"
        as space-separated strings.
    """
    selected_type = BuildType.ASAN if build_type is None else build_type

    use_flags = os.environ.get("USE", "").split()
    # Check that the user hasn't already set USE flags that we can set. This
    # only warns: a build-type flag inherited from the environment stays in
    # USE alongside the one selected here.
    # No good way to iterate over an enum in python2.
    for inherited_flag in BuildType.CHOICES:
        if inherited_flag not in use_flags:
            continue
        logging.warning(
            "%s in USE flags. Please use --build_type instead.",
            inherited_flag,
        )

    # Set USE flags.
    use_flags.extend(["fuzzer", selected_type])
    features_flags = os.environ.get("FEATURES", "").split()
    if selected_type == BuildType.COVERAGE:
        # We must use ASan when doing coverage builds.
        use_flags.append(BuildType.ASAN)
        # Use noclean so that a coverage report can be generated based on the
        # source code.
        features_flags.append("noclean")

    return {
        "FEATURES": " ".join(features_flags),
        "USE": " ".join(use_flags),
    }
def BuildPackage(package, board, build_type):
    """Builds a package on a specified board.

    Args:
        package: The package to build. Nothing is built if None.
        board: The board to build the package on.
        build_type: The type of the build to do (e.g. asan, msan, ubsan,
            coverage).
    """
    if package is None:
        return

    logging.info("Building %s using %s.", package, build_type)
    build_env = GetBuildExtraEnv(build_type)
    build_command = ["build_packages", "--board", board]
    build_command += ["--skip-chroot-upgrade", package]
    if build_type == BuildType.MSAN:
        # For msan builds, always use "--no-usepkg" since all packages need
        # to be instrumented with msan.
        build_command.append("--no-usepkg")

    # Print the output of the build command. Do this because it is familiar
    # to devs and we don't want to leave them not knowing about the build's
    # progress for a long time.
    cros_build_lib.run(build_command, extra_env=build_env)
def DownloadFuzzerCorpus(fuzzer, dest_directory=None):
    """Downloads a corpus and returns its path.

    Copies the fuzzer's corpus from the ClusterFuzz corpus bucket into
    dest_directory and returns the path of the corpus on the filesystem. If
    the copy fails, a pointer to the gsutil setup instructions is logged
    (the user may need to authenticate) and the error is re-raised.

    Args:
        fuzzer: The name of the fuzzer whose corpus we want to download. It
            is used as-is in the bucket sub-URL and in the returned path.
        dest_directory: The directory to download the corpus to. Defaults to
            the script's corpus storage directory.

    Returns:
        The path to the downloaded corpus.

    Raises:
        gs.GSNoSuchKey: A corpus for the fuzzer doesn't exist.
        gs.GSCommandError: The corpus failed to download for another reason.
    """
    # ClusterFuzz internally appends "chromeos_" to chromeos targets' names.
    # Therefore we must do so in order to find the corpus.
    if fuzzer.startswith("chromeos_"):
        target_name = fuzzer
    else:
        target_name = "chromeos_%s" % fuzzer

    if dest_directory is None:
        dest_directory = GetScriptStoragePath(CORPUS_DIRECTORY_NAME).chroot
    osutils.SafeMakedirsNonRoot(dest_directory)

    # public=False: the bucket is read with the caller's gsutil credentials.
    gcs_path = gs.GetGsURL(
        "chromeos-corpus",
        for_gsutil=True,
        public=False,
        suburl="libfuzzer/%s" % target_name,
    )

    # The recursive copy targets dest_directory; the corpus is expected to
    # land in a subdirectory named after the fuzzer.
    dest_path = os.path.join(dest_directory, target_name)

    try:
        logging.info("Downloading corpus to %s.", dest_path)
        gs.GSContext().Copy(
            gcs_path,
            dest_directory,
            recursive=True,
            parallel=True,
            debug_level=logging.DEBUG,
        )
        logging.info("Finished downloading corpus.")
    except gs.GSNoSuchKey:
        logging.error("Corpus for fuzzer: %s does not exist.", target_name)
        raise
    except gs.GSCommandError:
        # Any other gsutil failure is reported as a possible permission
        # problem; the message only points at the login instructions.
        logging.error(
            "gsutil failed to download the corpus. You may need to log in. "
            "See:\n"
            "https://chromium.googlesource.com/chromiumos/docs/+/HEAD/gsutil.md"
            "#setup\n"
            "for instructions on doing this."
        )
        raise

    return dest_path
def Reproduce(fuzzer, testcase_path):
    """Runs a fuzzer in the sysroot on a testcase.

    The testcase is first copied into the sysroot. The run is made with
    crash_expected=True, so a crash does not surface as a failed command.

    Args:
        fuzzer: The fuzzer to run.
        testcase_path: The path (not necessarily in the sysroot) of the
            testcase to run the fuzzer on.
    """
    copied_testcase = CopyTestcaseToSysroot(testcase_path)
    RunFuzzer(
        fuzzer,
        testcase_path=copied_testcase.sysroot,
        crash_expected=True,
    )
def SetUpSysrootForFuzzing():
    """Sets up the sysroot for fuzzing.

    Prepares the sysroot for fuzzing. Idempotent. CleanUpSysroot undoes the
    changes made here.
    """
    logging.info("Setting up sysroot for fuzzing.")
    # TODO(metzman): Don't create devices or mount /proc, use platform2_test.py
    # instead.
    # Mount /proc in sysroot and setup dev there because they are needed by
    # sanitizers.
    ProcManager().Mount()

    # Setup devices in /dev that are needed by libFuzzer.
    DeviceManager().SetUp()

    # Set up asan_symbolize.py, llvm-symbolizer, and llvm-profdata in the
    # sysroot so that fuzzer output (including stack traces) can be symbolized
    # and so that coverage reports can be generated.
    ToolManager().Install()

    storage_path = GetSysrootPath(SCRIPT_STORAGE_PATH)
    osutils.SafeMakedirsNonRoot(storage_path)
def CleanUpSysroot():
    """Cleans up the sysroot from SetUpSysrootForFuzzing.

    Undoes SetUpSysrootForFuzzing. Idempotent. The steps run in the same
    order as the setup: unmount /proc, remove the devices, uninstall the
    tools, then delete the script storage directory.
    """
    logging.info("Cleaning up the sysroot.")
    ProcManager().Unmount()
    DeviceManager().CleanUp()
    ToolManager().Uninstall()

    storage_path = GetSysrootPath(SCRIPT_STORAGE_PATH)
    osutils.RmDir(storage_path, ignore_missing=True)
class ToolManager:
    """Class that installs or uninstalls fuzzing tools to/from the sysroot.

    Install and Uninstall methods are idempotent. Both are safe to call at any
    point. Both modify the sysroot through sudo.
    """

    # Path to asan_symbolize.py.
    ASAN_SYMBOLIZE_PATH = os.path.join("/", "usr", "bin", "asan_symbolize.py")

    # List of binaries we must install in sysroot. Each one is wrapped in an
    # LlvmBinary, including gdbserver.
    LLVM_BINARY_NAMES = ["gdbserver", "llvm-symbolizer", "llvm-profdata"]

    def __init__(self):
        # Where asan_symbolize.py lives once copied into the sysroot.
        self.asan_symbolize_sysroot_path = GetSysrootPath(
            self.ASAN_SYMBOLIZE_PATH
        )

    def Install(self):
        """Installs tools to the sysroot."""
        # Install asan_symbolize.py.
        copy_command = ["cp", self.ASAN_SYMBOLIZE_PATH]
        copy_command.append(self.asan_symbolize_sysroot_path)
        sudo_run(copy_command)

        # Install the LLVM binaries.
        # TODO(metzman): Build these tools so that we don't mess up when board
        # is for a different ISA.
        for tool in self._GetLLVMBinaries():
            tool.Install()

    def Uninstall(self):
        """Uninstalls tools from the sysroot. Undoes Install."""
        # Uninstall asan_symbolize.py.
        osutils.SafeUnlink(self.asan_symbolize_sysroot_path, sudo=True)

        # Uninstall the LLVM binaries.
        for tool in self._GetLLVMBinaries():
            tool.Uninstall()

    def _GetLLVMBinaries(self):
        """Creates LlvmBinary objects for each binary in LLVM_BINARY_NAMES."""
        return [LlvmBinary(name) for name in self.LLVM_BINARY_NAMES]
class LlvmBinary:
    """Class for representing installing/uninstalling an LLVM binary in sysroot.

    Install and Uninstall methods are idempotent. Both are safe to call at any
    time.

    The binary name is used unvalidated as a path component, and Uninstall
    removes the resulting directory with sudo. The visible caller only
    passes the fixed names in ToolManager.LLVM_BINARY_NAMES; any new caller
    should keep the name to a plain file name.
    """

    # Path to the lddtree chromite script.
    LDDTREE_SCRIPT_PATH = constants.CHROMITE_BIN_DIR / "lddtree"

    def __init__(self, binary):
        self.binary = binary
        # Directory in the sysroot holding the binary and its dependencies.
        self.install_dir = GetSysrootPath(
            os.path.join("/", "usr", "libexec", binary)
        )
        # /usr/bin of the sysroot, where the symlink to the binary is placed.
        self.binary_dir_path = GetSysrootPath(os.path.join("/", "usr", "bin"))
        self.binary_chroot_dest_path = os.path.join(
            self.binary_dir_path, binary
        )

    def Uninstall(self):
        """Removes an LLVM binary from sysroot. Undoes Install."""
        osutils.RmDir(self.install_dir, ignore_missing=True, sudo=True)
        osutils.SafeUnlink(self.binary_chroot_dest_path, sudo=True)

    def Install(self):
        """Installs (sets up) an LLVM binary in the sysroot.

        Sets up an llvm binary in the sysroot so that it can be run there.
        If the binary is missing from the chroot, this logs two warnings and
        installs nothing.
        """
        rel_parts = ("usr", "bin", self.binary)
        source_path = os.path.join("/", *rel_parts)
        if not os.path.exists(source_path):
            logging.warning(
                "Cannot copy %s, file does not exist in chroot.",
                source_path,
            )
            logging.warning(
                "Functionality provided by %s will be missing.",
                source_path,
            )
            return

        # Create a directory for installing |binary| and all of its
        # dependencies in the sysroot.
        osutils.SafeMakedirsNonRoot(self.install_dir)

        # Copy the binary and everything needed to run it into the sysroot.
        lddtree_command = [
            self.LDDTREE_SCRIPT_PATH,
            "-v",
            "--generate-wrappers",
            "--root",
            "/",
            "--copy-to-tree",
            self.install_dir,
            source_path,
        ]
        sudo_run(lddtree_command)

        # Create a symlink to the copy of the binary (we can't do lddtree in
        # self.binary_dir_path). Note that symlink should be relative so that
        # it will be valid when chrooted into the sysroot.
        install_dir_from_bin = os.path.relpath(
            self.install_dir, self.binary_dir_path
        )
        symlink_target = os.path.join(install_dir_from_bin, *rel_parts)
        osutils.SafeSymlink(
            symlink_target, self.binary_chroot_dest_path, sudo=True
        )
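class DeviceManager:
    """Class that creates or removes devices from /dev in sysroot.

    SetUp and CleanUp methods are idempotent. Both are safe to call at any
    point.
    """

    # Device name -> (permission mode for "mknod -m", minor number).
    # The modes are octal permission digits written as plain ints (666, not
    # 0o666); _MakeCharDevice converts them with str() before passing them on.
    DEVICE_MKNOD_PARAMS = {
        "null": (666, 3),
        "random": (444, 8),
        "urandom": (444, 9),
    }

    # Major number passed to mknod for every device above.
    MKNOD_MAJOR = "1"

    def __init__(self):
        self.dev_path_chroot = GetSysrootPath("/dev")

    def _GetDevicePath(self, device_name):
        """Returns the path of |device_name| in sysroot's /dev."""
        return os.path.join(self.dev_path_chroot, device_name)

    def SetUp(self):
        """Sets up devices in the sysroot's /dev.

        Creates /dev/null, /dev/random, and /dev/urandom. If they already exist
        then recreates them.
        """
        # Clear old entries first so mknod always starts from a free path.
        self.CleanUp()
        osutils.SafeMakedirsNonRoot(self.dev_path_chroot)
        for device, mknod_params in self.DEVICE_MKNOD_PARAMS.items():
            device_path = self._GetDevicePath(device)
            self._MakeCharDevice(device_path, *mknod_params)

    def CleanUp(self):
        """Cleans up devices in the sysroot's /dev. Undoes SetUp.

        Removes /dev/null, /dev/random, and /dev/urandom if they exist.
        """
        for device in self.DEVICE_MKNOD_PARAMS:
            device_path = self._GetDevicePath(device)
            # lexists() also reports a dangling symlink. exists() follows the
            # link and would skip it, leaving the path occupied when SetUp
            # later runs mknod on it.
            if os.path.lexists(device_path):
                # Use -r since dev/null is sometimes a directory.
                sudo_run(["rm", "-r", device_path])

    def _MakeCharDevice(self, path, mode, minor):
        """Makes a character device at |path| by running mknod through sudo.

        Args:
            path: Where to create the device node.
            mode: Permission mode for "mknod -m"; converted with str().
            minor: Minor device number; converted with str().
        """
        mode = str(mode)
        minor = str(minor)
        command = ["mknod", "-m", mode, path, "c", self.MKNOD_MAJOR, minor]
        sudo_run(command)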
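class ProcManager:
    """Class that mounts or unmounts /proc in sysroot.

    Mount and Unmount are idempotent. Both are safe to call at any point.
    """

    PROC_PATH = "/proc"

    def __init__(self):
        self.proc_path_chroot = GetSysrootPath(self.PROC_PATH)
        # Mount state as seen at construction. Mount and Unmount update it,
        # so later calls on the same instance do not act on a stale value.
        self.is_mounted = osutils.IsMounted(self.proc_path_chroot)

    def Unmount(self):
        """Unmounts /proc in chroot. Undoes Mount."""
        if not self.is_mounted:
            return
        osutils.UmountDir(self.proc_path_chroot, cleanup=False)
        # Record the new state; otherwise a second Unmount would try again.
        self.is_mounted = False

    def Mount(self):
        """Mounts /proc in chroot. Remounts it if already mounted."""
        self.Unmount()
        osutils.MountDir(
            self.PROC_PATH,
            self.proc_path_chroot,
            "proc",
            debug_level=logging.DEBUG,
        )
        # Record the new state; otherwise an Unmount on this instance would
        # return early and leave /proc mounted in the sysroot.
        self.is_mounted = True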
def EnterSysrootShell():
    """Runs an interactive bash in the sysroot and returns its exit code."""
    # check=False: presumably keeps a non-zero shell exit from raising, so
    # the exit code can be handed back to the caller. Confirm against
    # RunSysrootCommand.
    shell_result = RunSysrootCommand(
        ["/bin/bash", "-i"],
        extra_env=GetFuzzExtraEnv(),
        debug_level=logging.INFO,
        check=False,
    )
    return shell_result.returncode
def StripFuzzerPrefixes(fuzzer_name):
    """Removes ClusterFuzz prefixes from a fuzzer name if they are present.

    Users sometimes include the prefixes ClusterFuzz uses by accident. Each
    known prefix is tried once, in the order "libFuzzer_" then "chromeos_",
    and a warning is logged if anything was removed.

    Args:
        fuzzer_name: The fuzzer whose name may contain prefixes.

    Returns:
        The name of the fuzz target without prefixes.
    """
    clusterfuzz_prefixes = ["libFuzzer_", "chromeos_"]

    stripped_name = fuzzer_name
    for prefix in clusterfuzz_prefixes:
        if stripped_name.startswith(prefix):
            stripped_name = stripped_name[len(prefix) :]

    if stripped_name != fuzzer_name:
        logging.warning(
            "%s contains a prefix from ClusterFuzz (one or more of %s) that is "
            "not part of the fuzzer's name. Interpreting --fuzzer as %s.",
            fuzzer_name,
            clusterfuzz_prefixes,
            stripped_name,
        )

    return stripped_name
def ExecuteShellCommand():
    """Executes the "shell" command.

    Prepares the sysroot for fuzzing, then hands the user a bash shell that
    is spawned in the sysroot.

    Returns:
        The exit code of the shell command.
    """
    SetUpSysrootForFuzzing()
    shell_exit_code = EnterSysrootShell()
    return shell_exit_code
def ExecuteSetupCommand():
    """Executes the "setup" command.

    Thin wrapper that calls SetUpSysrootForFuzzing to set up the sysroot for
    fuzzing. Returns nothing.
    """
    SetUpSysrootForFuzzing()
def ExecuteCleanupCommand():
    """Executes the "cleanup" command.

    Thin wrapper that calls CleanUpSysroot to undo the pre-fuzzing setup.
    Returns nothing.
    """
    CleanUpSysroot()
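def ExecuteCoverageCommand(options):
    """Executes the "coverage" command.

    Executes the "coverage" command by optionally doing a coverage build of a
    package, optionally downloading the fuzzer's corpus, optionally copying it
    into the sysroot, running the fuzzer and then generating a coverage report
    for the user to view. Causes program to exit if fuzzer is not instrumented
    with source based coverage.

    Args:
        options: The parsed arguments passed to this program.
    """
    # options.package may be None; presumably BuildPackage skips the build
    # in that case. Confirm against BuildPackage.
    BuildPackage(options.package, options.board, BuildType.COVERAGE)

    fuzzer = StripFuzzerPrefixes(options.fuzzer)
    fuzzer_sysroot_path = GetFuzzerSysrootPath(fuzzer)
    if not IsInstrumentedWithClangCoverage(fuzzer_sysroot_path.chroot):
        # Don't run the fuzzer if it isn't instrumented with source based
        # coverage. Quit and let the user know how to build the fuzzer properly.
        cros_build_lib.Die(
            "%s is not instrumented with source based coverage.\nSpecify "
            "--package to do a coverage build or build with USE flag: "
            '"coverage".',
            fuzzer,
        )

    corpus = options.corpus
    if options.download:
        # Pass the stripped name, as ExecuteDownloadCommand does, so that a
        # name given with ClusterFuzz prefixes downloads the same corpus in
        # both commands.
        corpus = DownloadFuzzerCorpus(fuzzer)

    # Set up sysroot for fuzzing.
    SetUpSysrootForFuzzing()

    coverage_report_path = RunFuzzerAndGenerateCoverageReport(
        fuzzer, corpus, options.fuzz_args
    )

    # Get path on host so user can access it with their browser.
    # TODO(metzman): Add the ability to convert to host paths to path_util.
    external_trunk_path = os.getenv("EXTERNAL_TRUNK_PATH")
    if external_trunk_path is None:
        # os.path.join(None, ...) would raise TypeError after the whole run
        # has finished, so fall back to the path as seen inside the chroot.
        logging.warning(
            "EXTERNAL_TRUNK_PATH is not set; the path below is relative to "
            "the chroot, not the host."
        )
        coverage_report_host_path = coverage_report_path.chroot
    else:
        # [1:] drops the leading "/" so join() keeps the earlier components.
        coverage_report_host_path = os.path.join(
            external_trunk_path, "chroot", coverage_report_path.chroot[1:]
        )
    print(
        "Coverage report written to file://%s/index.html"
        % coverage_report_host_path
    )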
def ExecuteDownloadCommand(options):
    """Executes the "download" command. Wrapper around DownloadFuzzerCorpus.

    Args:
        options: The parsed arguments; reads options.fuzzer (ClusterFuzz
            prefixes are stripped first) and options.directory.
    """
    fuzzer = StripFuzzerPrefixes(options.fuzzer)
    DownloadFuzzerCorpus(fuzzer, options.directory)
def ExecuteReproduceCommand(options):
    """Executes the "reproduce" command.

    Runs a fuzzer on a testcase, building the package first when one was
    given. For an MSan build, checks beforehand that the board's CFLAGS
    contain "-fsanitize=memory".

    Args:
        options: The parsed arguments passed to this program.

    Raises:
        Exception: If a build type is given without a package, or if the
            MSan flag is missing from CFLAGS for an MSan build.
    """
    build_type = options.build_type
    if build_type and not options.package:
        raise Exception(
            "Cannot specify --build_type without specifying --package."
        )

    # Verify that "msan-fuzzer" profile is being used with msan.
    # Check presence of "-fsanitize=memory" in CFLAGS.
    if build_type == BuildType.MSAN:
        # The board name only selects which portageq-<board> program runs;
        # the command is passed as an argument list, not a shell string.
        portageq_result = cros_build_lib.run(
            ["portageq-%s" % options.board, "envvar", "CFLAGS"],
            capture_output=True,
            encoding="utf-8",
        )
        has_msan_flag = False
        for cflags_line in portageq_result.stdout.splitlines():
            if "-fsanitize=memory" in cflags_line:
                has_msan_flag = True
                break
        if not has_msan_flag:
            logging.error(
                "-fsanitize=memory not found in CFLAGS. "
                'Use "setup_board --board=amd64-generic --profile=msan-fuzzer" '
                "for MSan Fuzzing Builds."
            )
            raise Exception("Incompatible profile used for msan fuzzing.")

    BuildPackage(options.package, options.board, build_type)
    SetUpSysrootForFuzzing()
    fuzzer = StripFuzzerPrefixes(options.fuzzer)
    Reproduce(fuzzer, options.testcase)
def InstallBaseDependencies(options):
    """Installs the base packages needed to chroot in board sysroot.

    Builds "virtual/implicit-system" unless it is already installed in the
    sysroot.

    Args:
        options: The parsed arguments passed to this program.
    """
    package = "virtual/implicit-system"
    already_installed = portage_util.IsPackageInstalled(
        package, sysroot=SysrootPath.path_to_sysroot
    )
    if already_installed:
        return

    # Not every command defines --build-type, hence getattr with a default.
    BuildPackage(package, options.board, getattr(options, "build_type", None))
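def ParseArgs(argv):
    """Parses program arguments.

    Defines the global "--board" option and one subparser per command:
    cleanup, coverage, download, reproduce, setup and shell.

    Args:
        argv: The program arguments we want to parse.

    Returns:
        An options object which will tell us which command to run and which
        options to use for that command.
    """
    parser = commandline.ArgumentParser(description=__doc__)

    parser.add_argument(
        "--board",
        default=cros_build_lib.GetDefaultBoard(),
        help="Board on which to run test.",
    )

    # The chosen command is stored in opts.command.
    # NOTE(review): the subparsers are not marked required, so opts.command
    # is presumably None when no command is given. Confirm.
    subparsers = parser.add_subparsers(dest="command")

    subparsers.add_parser("cleanup", help="Undo setup command.")
    coverage_parser = subparsers.add_parser(
        "coverage", help="Get a coverage report for a fuzzer."
    )

    coverage_parser.add_argument("--package", help="Package to build.")

    # --corpus and --download cannot be combined.
    corpus_parser = coverage_parser.add_mutually_exclusive_group()
    corpus_parser.add_argument("--corpus", help="Corpus to run fuzzer on.")

    corpus_parser.add_argument(
        "--download",
        action="store_true",
        help="Generate coverage report based on corpus from ClusterFuzz.",
    )

    coverage_parser.add_argument(
        "--fuzzer",
        required=True,
        help="The fuzz target to generate a coverage report for.",
    )

    # The example in the help text names the option as it is defined here;
    # it previously read "--fuzzer_args", which this parser does not define.
    coverage_parser.add_argument(
        "--fuzz-args",
        default="",
        help="Arguments to pass libFuzzer. "
        "Please use an equals sign or parsing will fail "
        '(i.e. --fuzz-args="-rss_limit_mb=2048 -print_funcs=1").',
    )

    download_parser = subparsers.add_parser(
        "download", help="Download a corpus."
    )

    download_parser.add_argument(
        "--directory", help="Path to directory to download the corpus to."
    )

    download_parser.add_argument(
        "--fuzzer", required=True, help="Fuzzer to download the corpus for."
    )

    reproduce_parser = subparsers.add_parser(
        "reproduce", help="Run a fuzzer on a testcase."
    )

    reproduce_parser.add_argument(
        "--testcase", required=True, help="Path of testcase to run fuzzer on."
    )

    reproduce_parser.add_argument(
        "--fuzzer", required=True, help="Fuzzer to reproduce the crash on."
    )

    reproduce_parser.add_argument("--package", help="Package to build.")

    reproduce_parser.add_argument(
        "--build-type",
        choices=BuildType.CHOICES,
        help="Type of build.",
        type=str.lower,
    )  # Ignore sanitizer case.

    subparsers.add_parser("setup", help="Set up the sysroot to test fuzzing.")

    subparsers.add_parser(
        "shell",
        help="Set up sysroot for fuzzing and get a shell in the sysroot.",
    )

    opts = parser.parse_args(argv)
    # Presumably makes the options read-only from here on; confirm against
    # commandline.
    opts.Freeze()
    return opts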
def main(argv):
    """Parses arguments and executes a command.

    Base dependencies are installed before any command is dispatched. If
    options.command matches none of the known commands, nothing further runs
    and 0 is returned.

    Args:
        argv: The program arguments.

    Returns:
        0 on success. Non-zero on failure. For "shell", the exit code of the
        shell.
    """
    cros_build_lib.AssertInsideChroot()
    options = ParseArgs(argv)
    if options.board is None:
        logging.error('Please specify "--board" or set ".default_board".')
        return 1

    SysrootPath.SetPathToSysroot(options.board)

    InstallBaseDependencies(options)

    command = options.command
    # "shell" is the only command whose result becomes the exit status.
    if command == "shell":
        return ExecuteShellCommand()

    if command == "cleanup":
        ExecuteCleanupCommand()
    elif command == "setup":
        ExecuteSetupCommand()
    elif command == "coverage":
        ExecuteCoverageCommand(options)
    elif command == "download":
        ExecuteDownloadCommand(options)
    elif command == "reproduce":
        ExecuteReproduceCommand(options)

    return 0