void ShuffleCorpus(UnitVector *V);
void TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size,
bool DuringInitialCorpusExecution);
+ void AddToCorpusAndMaybeRerun(const Unit &U);
bool UpdateMaxCoverage();
this->MaxMutationLen = MaxMutationLen;
}
+void Fuzzer::AddToCorpusAndMaybeRerun(const Unit &U) {
+ Corpus.AddToCorpus(U);
+ if (TPC.GetTotalPCCoverage()) {
+ TPC.ResetMaps();
+ TPC.ResetGuards();
+ ExecuteCallback(U.data(), U.size());
+ TPC.FinalizeTrace();
+ TPC.UpdateFeatureSet(Corpus.size() - 1, U.size());
+ // TPC.PrintFeatureSet();
+ }
+}
+
void Fuzzer::RereadOutputCorpus(size_t MaxSize) {
if (Options.OutputCorpus.empty() || !Options.Reload) return;
std::vector<Unit> AdditionalCorpus;
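Review bot: The `// TPC.PrintFeatureSet();` line inside AddToCorpusAndMaybeRerun is a disabled debugging call that will rot; either delete it or gate it on the existing verbosity option, `if (Options.Verbosity >= 3) TPC.PrintFeatureSet();`. The call `TPC.UpdateFeatureSet(Corpus.size() - 1, U.size())` also assumes `Corpus.AddToCorpus(U)` appended exactly one element; if the corpus ever rejects or deduplicates a unit, the recorded SmallestElementIdx points at the wrong element, so a comment stating that invariant on the line (or an index returned by AddToCorpus) would make the coupling explicit. The re-execution goes through ExecuteCallback rather than RunOne, so whatever RunOne adds around the callback presumably does not apply to the rerun; a header comment on the declaration would help, e.g. `// Adds U to the corpus and, once any PC coverage exists, executes it a second time to record which features (CounterMap bits) it exercises.`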
X.resize(MaxSize);
if (!Corpus.HasUnit(X)) {
if (RunOne(X)) {
- Corpus.AddToCorpus(X);
+ AddToCorpusAndMaybeRerun(X);
PrintStats("RELOAD");
}
}
for (const auto &U : *InitialCorpus) {
bool NewCoverage = RunOne(U);
if (!Options.PruneCorpus || NewCoverage) {
- Corpus.AddToCorpus(U);
+ AddToCorpusAndMaybeRerun(U);
if (Options.Verbosity >= 2)
Printf("NEW0: %zd L %zd\n", MaxCoverage.BlockCoverage, U.size());
}
UnitStartTime = system_clock::now();
ResetCounters(); // Reset coverage right before the callback.
TPC.ResetMaps();
+ TPC.ResetGuards();
int Res = CB(DataCopy, Size);
UnitStopTime = system_clock::now();
(void)Res;
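Review bot: The added `TPC.ResetGuards();` re-arms every guard before each callback, but the comment on the preceding ResetCounters() line still describes only the coverage reset; extending it to `// Reset coverage and re-arm all guards right before the callback, so each edge reports to HandleTrace on this run.` documents why both resets are needed here. The enclosing function starts and ends outside this hunk.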
void Fuzzer::ReportNewCoverage(InputInfo *II, const Unit &U) {
II->NumSuccessfullMutations++;
- Corpus.AddToCorpus(U);
MD.RecordSuccessfulMutationSequence();
PrintStatusForNewUnit(U);
WriteToOutputCorpus(U);
NumberOfNewUnitsAdded++;
PrintNewPCs();
+ AddToCorpusAndMaybeRerun(U);
}
// Finds minimal number of units in 'Extra' that add coverage to 'Initial'.
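Review bot: Moving the corpus insertion from the first statement of ReportNewCoverage to the last means PrintStatusForNewUnit(U) and WriteToOutputCorpus(U) now run before U is in the corpus; if either of them reads `Corpus.size()` (not visible here), the reported count is one lower than before. If the order is deliberate so that the rerun happens after the status output, a one-line comment on the `AddToCorpusAndMaybeRerun(U);` call, `// Last: may re-execute U, keep it after the status output.`, would record that.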
void TracePC::HandleTrace(uintptr_t *Guard, uintptr_t PC) {
uintptr_t Idx = *Guard;
if (!Idx) return;
- uint8_t Counter = Counters[Idx % kNumCounters];
+ uint8_t *CounterPtr = &Counters[Idx % kNumCounters];
+ uint8_t Counter = *CounterPtr;
if (Counter == 0) {
- AddNewPCID(Idx);
if (!PCs[Idx]) {
+ AddNewPCID(Idx);
TotalPCCoverage++;
PCs[Idx] = PC;
}
}
- if (Counter < 128)
- Counters[Idx % kNumCounters] = Counter + 1;
- if (Counter >= 128 || !UseCounters)
+ if (UseCounters) {
+ if (Counter < 128)
+ *CounterPtr = Counter + 1;
+ else
+ *Guard = 0;
+ } else {
+ *CounterPtr = 1;
*Guard = 0;
+ }
}
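Review bot: `AddNewPCID(Idx)` now runs only inside `if (!PCs[Idx])`, i.e. the first time a given guard index is ever observed, whereas previously it ran on every zero-counter hit; unless ResetMaps() also clears PCs (not visible in this hunk), a re-execution of a known input will not pass already-seen PCs through AddNewPCID. If that is intended, a comment on that line such as `// Report only never-before-seen PCs; per-run features are derived from the counters in FinalizeTrace.` would keep the next reader from moving it back. The `!UseCounters` branch writing `*CounterPtr = 1` before zeroing the guard is fine, but the asymmetry with the counters branch deserves a short comment too, e.g. `// Without counters, one hit is enough: mark the counter and disarm the guard.`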
void TracePC::HandleInit(uintptr_t *Start, uintptr_t *Stop) {
}
}
+
+void TracePC::UpdateFeatureSet(size_t CurrentElementIdx, size_t CurrentElementSize) {
+ if (!CurrentElementSize) return;
+ for (size_t Idx = 0; Idx < kFeatureSetSize; Idx++) {
+ if (!CounterMap.Get(Idx)) continue;
+ Feature &Fe = FeatureSet[Idx];
+ Fe.Count++;
+ if (!Fe.SmallestElementSize || Fe.SmallestElementSize > CurrentElementSize) {
+ Fe.SmallestElementIdx = CurrentElementIdx;
+ Fe.SmallestElementSize = CurrentElementSize;
+ }
+ }
+}
+
+void TracePC::PrintFeatureSet() {
+ Printf("[id: cnt idx sz] ");
+ for (size_t i = 0; i < kFeatureSetSize; i++) {
+ auto &Fe = FeatureSet[i];
+ if (!Fe.Count) continue;
+ Printf("[%zd: %zd %zd %zd] ", i, Fe.Count, Fe.SmallestElementIdx,
+ Fe.SmallestElementSize);
+ }
+ Printf("\n");
+}
+
} // namespace fuzzer
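Review bot: UpdateFeatureSet probes all kFeatureSetSize bits with `CounterMap.Get(Idx)` on every newly added corpus element; since the map is stored in words of kBitsInWord bits, skipping whole zero words before testing individual bits would cut the common-case cost by that factor (a hot-path concern if kMapSizeInBits is large). Neither new function has a header comment; for UpdateFeatureSet I would add `// Called once per execution of a newly added corpus element: increments Count for every feature present in CounterMap and remembers the smallest element that exercised it.` and for PrintFeatureSet `// Debug dump of every non-empty feature as [id: count smallest-idx smallest-size].` In PrintFeatureSet, `Fe.Count` and the other size_t fields are printed with `%zd`, which the rest of this file also does, so that is consistent, but `%zu` is the matching conversion.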
extern "C" {
memset(Counters, 0, sizeof(Counters));
}
+ void UpdateFeatureSet(size_t CurrentElementIdx, size_t CurrentElementSize);
+ void PrintFeatureSet();
+
void ResetGuards();
void PrintModuleInfo();
ValueBitMap CounterMap;
ValueBitMap ValueProfileMap;
+
+ struct Feature {
+ size_t Count;
+ size_t SmallestElementIdx;
+ size_t SmallestElementSize;
+ };
+
+ static const size_t kFeatureSetSize = ValueBitMap::kNumberOfItems;
+ Feature FeatureSet[kFeatureSetSize];
};
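Review bot: `struct Feature` has no default member initializers, so `FeatureSet` is zeroed only because TPC is a global with static storage; `size_t Count = 0; size_t SmallestElementIdx = 0; size_t SmallestElementSize = 0;` would make UpdateFeatureSet's `!Fe.SmallestElementSize` check independent of how a TracePC is constructed. `Feature FeatureSet[kFeatureSetSize]` is three size_t per bit of the value map, which can be a sizeable object depending on kMapSizeInBits; a comment on the array giving the intended footprint would help reviewers of later map-size changes.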
extern TracePC TPC;
static const size_t kBitsInWord = (sizeof(uintptr_t) * 8);
static const size_t kMapSizeInWords = kMapSizeInBitsAligned / kBitsInWord;
public:
+ static const size_t kNumberOfItems = kMapSizeInBits;
// Clears all bits.
void Reset() { memset(Map, 0, sizeof(Map)); }
return New != Old;
}
+ inline bool Get(uintptr_t Idx) {
+ assert(Idx < kMapSizeInBits);
+ uintptr_t WordIdx = Idx / kBitsInWord;
+ uintptr_t BitIdx = Idx % kBitsInWord;
+ return Map[WordIdx] & (1UL << BitIdx);
+ }
+
size_t GetNumBitsSinceLastMerge() const { return NumBits; }
// Merges 'Other' into 'this', clears 'Other', updates NumBits,
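Review bot: In `Get`, `1UL << BitIdx` shifts an unsigned long while the map word type is uintptr_t; on targets where long is 32 bits (LLP64), BitIdx can reach kBitsInWord - 1 = 63 and the shift is undefined. Using the word's own type avoids that and also removes the implicit bool conversion: `return (Map[WordIdx] >> BitIdx) & 1;`. The method reads only Map, so it should be declared `inline bool Get(uintptr_t Idx) const`.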
[ -e $(basename $0) ] && echo "PLEASE USE THIS SCRIPT FROM ANOTHER DIR" && exit 1
SCRIPT_DIR=$(dirname $0)
+EXECUTABLE_NAME_BASE=$(basename $SCRIPT_DIR)
LIBFUZZER_SRC=$(dirname $(dirname $SCRIPT_DIR))
FUZZ_CXXFLAGS="-O2 -g -fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div"
get
build_lib
$LIBFUZZER_SRC/build.sh
-clang++ -g $SCRIPT_DIR/target.cc -I BUILD BUILD/obj/libre2.a libFuzzer.a $FUZZ_CXXFLAGS
+clang++ -g $SCRIPT_DIR/target.cc -I BUILD BUILD/obj/libre2.a libFuzzer.a $FUZZ_CXXFLAGS -o $EXECUTABLE_NAME_BASE
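Review bot: `EXECUTABLE_NAME_BASE=$(basename $SCRIPT_DIR)` and `-o $EXECUTABLE_NAME_BASE` expand unquoted, so a script directory whose path contains spaces or glob characters splits into several arguments; quote both: `EXECUTABLE_NAME_BASE=$(basename "$SCRIPT_DIR")` and `-o "$EXECUTABLE_NAME_BASE"`. A one-line comment above the assignment, `# Name the fuzzer binary after the directory this script lives in.`, would explain the derivation.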