llvm.org GIT mirror llvm / bb9605f
[libFuzzer] experimental feature -reduce_inputs (off by default) that tries to replace elements in the corpus with smaller ones that have the same feature set. Still needs tuning git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@307873 91177308-0d34-0410-b5e6-96231b3b80d8 Kostya Serebryany 3 years ago
9 changed file(s) with 103 addition(s) and 17 deletion(s). Raw diff Collapse all Expand all
3333 size_t NumExecutedMutations = 0;
3434 size_t NumSuccessfullMutations = 0;
3535 bool MayDeleteFile = false;
36 std::vector FeatureSet;
3637 };
3738
3839 class InputCorpus {
6768 }
6869 bool empty() const { return Inputs.empty(); }
6970 const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
70 void AddToCorpus(const Unit &U, size_t NumFeatures,
71 bool MayDeleteFile = false) {
71 void AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile,
72 const std::vector &FeatureSet) {
7273 assert(!U.empty());
73 uint8_t Hash[kSHA1NumBytes];
7474 if (FeatureDebug)
7575 Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);
76 ComputeSHA1(U.data(), U.size(), Hash);
77 Hashes.insert(Sha1ToString(Hash));
7876 Inputs.push_back(new InputInfo());
7977 InputInfo &II = *Inputs.back();
8078 II.U = U;
8179 II.NumFeatures = NumFeatures;
8280 II.MayDeleteFile = MayDeleteFile;
83 memcpy(II.Sha1, Hash, kSHA1NumBytes);
81 II.FeatureSet = FeatureSet;
82 ComputeSHA1(U.data(), U.size(), II.Sha1);
83 Hashes.insert(Sha1ToString(II.Sha1));
8484 UpdateCorpusDistribution();
85 PrintCorpus();
8586 // ValidateFeatureSet();
87 }
88
89 // Debug-only
90 void PrintUnit(const Unit &U) {
91 if (!FeatureDebug) return;
92 for (uint8_t C : U) {
93 if (C != 'F' && C != 'U' && C != 'Z')
94 C = '.';
95 Printf("%c", C);
96 }
97 }
98
99 // Debug-only
100 void PrintFeatureSet(const std::vector &FeatureSet) {
101 if (!FeatureDebug) return;
102 Printf("{");
103 for (uint32_t Feature: FeatureSet)
104 Printf("%u,", Feature);
105 Printf("}");
106 }
107
108 // Debug-only
109 void PrintCorpus() {
110 if (!FeatureDebug) return;
111 Printf("======= CORPUS:\n");
112 int i = 0;
113 for (auto II : Inputs) {
114 if (std::find(II->U.begin(), II->U.end(), 'F') != II->U.end()) {
115 Printf("[%2d] ", i);
116 Printf("%s sz=%zd ", Sha1ToString(II->Sha1).c_str(), II->U.size());
117 PrintUnit(II->U);
118 Printf(" ");
119 PrintFeatureSet(II->FeatureSet);
120 Printf("\n");
121 }
122 i++;
123 }
124 }
125
126 // If FeatureSet is that same as in II, replace II->U with {Data,Size}.
127 bool TryToReplace(InputInfo *II, const uint8_t *Data, size_t Size,
128 const std::vector &FeatureSet) {
129 if (II->U.size() > Size && II->FeatureSet.size() &&
130 II->FeatureSet == FeatureSet) {
131 if (FeatureDebug)
132 Printf("Replace: %zd => %zd\n", II->U.size(), Size);
133 Replace(II, {Data, Data + Size});
134 PrintCorpus();
135 return true;
136 }
137 return false;
138 }
139
140 void Replace(InputInfo *II, const Unit &U) {
141 ComputeSHA1(U.data(), U.size(), II->Sha1);
142 Hashes.insert(Sha1ToString(II->Sha1));
143 II->U = U;
86144 }
87145
88146 bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }
440440 Printf("INFO: The input is small enough, exiting\n");
441441 exit(0);
442442 }
443 Corpus->AddToCorpus(U, 0);
444443 F->SetMaxInputLen(U.size());
445444 F->SetMaxMutationLen(U.size() - 1);
446445 F->MinimizeCrashLoop(U);
6464 static void StaticFileSizeExceedCallback();
6565
6666 void ExecuteCallback(const uint8_t *Data, size_t Size);
67 bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false);
67 bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
68 InputInfo *II = nullptr);
6869
6970 // Merge Corpora[1:] into Corpora[0].
7071 void Merge(const std::vector &Corpora);
100101 void PrintStats(const char *Where, const char *End = "\n", size_t Units = 0);
101102 void PrintStatusForNewUnit(const Unit &U);
102103 void ShuffleCorpus(UnitVector *V);
103 void AddToCorpus(const Unit &U);
104104 void CheckExitOnSrcPosOrItem();
105105
106106 // Trace-based fuzzing: we run a unit with some kind of tracing
141141 size_t MaxInputLen = 0;
142142 size_t MaxMutationLen = 0;
143143
144 std::vector<size_t> FeatureSetTmp;
144 std::vector<uint32_t> FeatureSetTmp;
145145
146146 // Need to know our own thread.
147147 static thread_local bool IsMyThread;
396396 }
397397 }
398398
399 bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile) {
399 bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile,
400 InputInfo *II) {
400401 if (!Size) return false;
401402
402403 ExecuteCallback(Data, Size);
411412 PrintPulseAndReportSlowInput(Data, Size);
412413 size_t NumNewFeatures = Corpus.NumFeatureUpdates() - NumUpdatesBefore;
413414 if (NumNewFeatures) {
415 Corpus.AddToCorpus({Data, Data + Size}, NumNewFeatures, MayDeleteFile,
416 FeatureSetTmp);
414417 CheckExitOnSrcPosOrItem();
415 Corpus.AddToCorpus({Data, Data + Size}, NumNewFeatures, MayDeleteFile);
416 }
417 return NumNewFeatures > 0;
418 return true;
419 }
420 if (II && Corpus.TryToReplace(II, Data, Size, FeatureSetTmp)) {
421 CheckExitOnSrcPosOrItem();
422 return true;
423 }
424 return false;
418425 }
419426
420427 size_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const {
595602 if (i == 0)
596603 StartTraceRecording();
597604 II.NumExecutedMutations++;
598 if (RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true))
605 if (RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true, &II))
599606 ReportNewCoverage(&II, {CurrentUnitData, CurrentUnitData + Size});
600607
601608 StopTraceRecording();
117117 SingleStrncmpTest
118118 SpamyTest
119119 ShrinkControlFlowTest
120 ShrinkControlFlowSimpleTest
120121 ShrinkValueProfileTest
121122 StrcmpTest
122123 StrncmpOOBTest
592592 size_t N = 10;
593593 size_t TriesPerUnit = 1<<16;
594594 for (size_t i = 0; i < N; i++)
595 C->AddToCorpus(Unit{ static_cast(i) }, 0);
595 C->AddToCorpus(Unit{ static_cast(i) }, 0, false, {});
596596
597597 std::vector Hist(N);
598598 for (size_t i = 0; i < N * TriesPerUnit; i++) {
0 // This file is distributed under the University of Illinois Open Source
1 // License. See LICENSE.TXT for details.
2
3 // Test that we can find the minimal item in the corpus (3 bytes: "FUZ").
4 #include
5 #include
6 #include
7 #include
8 #include
9
10 static volatile int Sink;
11
12 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
13 if (Size < 2) return 0;
14 if (Data[0] == 'F' && Data[Size / 2] == 'U' && Data[Size - 1] == 'Z')
15 Sink++;
16 return 0;
17 }
18
0 CHECK: INFO: found item with checksum '0eb8e4ed029b774d80f2b66408203801cb982a60'
1 RUN: LLVMFuzzer-ShrinkControlFlowSimpleTest -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -reduce_inputs=1 -runs=1000000 2>&1 | FileCheck %s
None RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=10000000 -shrink=1 2>&1 | FileCheck %s --check-prefix=SHRINK1
0 RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=1000000 -shrink=1 2>&1 | FileCheck %s --check-prefix=SHRINK1
11 RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=1000000 -shrink=0 2>&1 | FileCheck %s --check-prefix=SHRINK0
22 RUN: LLVMFuzzer-ShrinkValueProfileTest -seed=1 -exit_on_item=aea2e3923af219a8956f626558ef32f30a914ebc -runs=100000 -shrink=1 -use_value_profile=1 2>&1 | FileCheck %s --check-prefix=SHRINK1_VP
33