diff options
Diffstat (limited to 'lib/Fuzzer')
| -rw-r--r-- | lib/Fuzzer/FuzzerDriver.cpp | 64 | ||||
| -rw-r--r-- | lib/Fuzzer/FuzzerFlags.def | 12 | ||||
| -rw-r--r-- | lib/Fuzzer/FuzzerLoop.cpp | 11 | ||||
| -rw-r--r-- | lib/Fuzzer/FuzzerOptions.h | 1 | ||||
| -rw-r--r-- | lib/Fuzzer/test/CMakeLists.txt | 1 | ||||
| -rw-r--r-- | lib/Fuzzer/test/CleanseTest.cpp | 16 | ||||
| -rw-r--r-- | lib/Fuzzer/test/cleanse.test | 3 | ||||
| -rw-r--r-- | lib/Fuzzer/test/fuzzer-oom.test | 1 |
8 files changed, 93 insertions, 16 deletions
diff --git a/lib/Fuzzer/FuzzerDriver.cpp b/lib/Fuzzer/FuzzerDriver.cpp index 0fb83ca64de6..b85ba210afb3 100644 --- a/lib/Fuzzer/FuzzerDriver.cpp +++ b/lib/Fuzzer/FuzzerDriver.cpp @@ -289,6 +289,66 @@ static std::string GetDedupTokenFromFile(const std::string &Path) { return S.substr(Beg, End - Beg); } +int CleanseCrashInput(const std::vector<std::string> &Args, + const FuzzingOptions &Options) { + if (Inputs->size() != 1 || !Flags.exact_artifact_path) { + Printf("ERROR: -cleanse_crash should be given one input file and" + " -exact_artifact_path\n"); + exit(1); + } + std::string InputFilePath = Inputs->at(0); + std::string OutputFilePath = Flags.exact_artifact_path; + std::string BaseCmd = + CloneArgsWithoutX(Args, "cleanse_crash", "cleanse_crash"); + + auto InputPos = BaseCmd.find(" " + InputFilePath + " "); + assert(InputPos != std::string::npos); + BaseCmd.erase(InputPos, InputFilePath.size() + 1); + + auto LogFilePath = DirPlusFile( + TmpDir(), "libFuzzerTemp." + std::to_string(GetPid()) + ".txt"); + auto TmpFilePath = DirPlusFile( + TmpDir(), "libFuzzerTemp." + std::to_string(GetPid()) + ".repro"); + auto LogFileRedirect = " > " + LogFilePath + " 2>&1 "; + + auto Cmd = BaseCmd + " " + TmpFilePath + LogFileRedirect; + + std::string CurrentFilePath = InputFilePath; + auto U = FileToVector(CurrentFilePath); + size_t Size = U.size(); + + const std::vector<uint8_t> ReplacementBytes = {' ', 0xff}; + for (int NumAttempts = 0; NumAttempts < 5; NumAttempts++) { + bool Changed = false; + for (size_t Idx = 0; Idx < Size; Idx++) { + Printf("CLEANSE[%d]: Trying to replace byte %zd of %zd\n", NumAttempts, + Idx, Size); + uint8_t OriginalByte = U[Idx]; + if (ReplacementBytes.end() != std::find(ReplacementBytes.begin(), + ReplacementBytes.end(), + OriginalByte)) + continue; + for (auto NewByte : ReplacementBytes) { + U[Idx] = NewByte; + WriteToFile(U, TmpFilePath); + auto ExitCode = ExecuteCommand(Cmd); + RemoveFile(TmpFilePath); + if (!ExitCode) { + U[Idx] = OriginalByte; + } else { + Changed = true; + Printf("CLEANSE: Replaced byte %zd with 0x%x\n", Idx, NewByte); + WriteToFile(U, OutputFilePath); + break; + } + } + } + if (!Changed) break; + } + RemoveFile(LogFilePath); + return 0; +} + int MinimizeCrashInput(const std::vector<std::string> &Args, const FuzzingOptions &Options) { if (Inputs->size() != 1) { @@ -516,7 +576,6 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { Options.PreferSmall = Flags.prefer_small; Options.ReloadIntervalSec = Flags.reload; Options.OnlyASCII = Flags.only_ascii; - Options.OutputCSV = Flags.output_csv; Options.DetectLeaks = Flags.detect_leaks; Options.TraceMalloc = Flags.trace_malloc; Options.RssLimitMb = Flags.rss_limit_mb; @@ -583,6 +642,9 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { if (Flags.minimize_crash_internal_step) return MinimizeCrashInputInternalStep(F, Corpus); + if (Flags.cleanse_crash) + return CleanseCrashInput(Args, Options); + if (auto Name = Flags.run_equivalence_server) { SMR.Destroy(Name); if (!SMR.Create(Name)) { diff --git a/lib/Fuzzer/FuzzerFlags.def b/lib/Fuzzer/FuzzerFlags.def index 28bf0ca8ce69..0a1ff1b1df6a 100644 --- a/lib/Fuzzer/FuzzerFlags.def +++ b/lib/Fuzzer/FuzzerFlags.def @@ -48,7 +48,15 @@ FUZZER_FLAG_STRING(load_coverage_summary, "Experimental:" " Used with -merge=1") FUZZER_FLAG_INT(minimize_crash, 0, "If 1, minimizes the provided" " crash input. Use with -runs=N or -max_total_time=N to limit " - "the number attempts") + "the number attempts." + " Use with -exact_artifact_path to specify the output." + " Combine with ASAN_OPTIONS=dedup_token_length=3 (or similar) to ensure that" + " the minimized input triggers the same crash." + ) +FUZZER_FLAG_INT(cleanse_crash, 0, "If 1, tries to cleanse the provided" + " crash input to make it contain fewer original bytes." + " Use with -exact_artifact_path to specify the output." + ) FUZZER_FLAG_INT(minimize_crash_internal_step, 0, "internal flag") FUZZER_FLAG_INT(use_counters, 1, "Use coverage counters") FUZZER_FLAG_INT(use_indir_calls, 1, "Use indirect caller-callee counters") @@ -80,7 +88,6 @@ FUZZER_FLAG_STRING(exact_artifact_path, "as $(exact_artifact_path). This overrides -artifact_prefix " "and will not use checksum in the file name. Do not " "use the same path for several parallel processes.") -FUZZER_FLAG_INT(output_csv, 0, "Enable pulse output in CSV format.") FUZZER_FLAG_INT(print_pcs, 0, "If 1, print out newly covered PCs.") FUZZER_FLAG_INT(print_final_stats, 0, "If 1, print statistics at exit.") FUZZER_FLAG_INT(print_corpus_stats, 0, @@ -124,3 +131,4 @@ FUZZER_DEPRECATED_FLAG(sync_timeout) FUZZER_DEPRECATED_FLAG(test_single_input) FUZZER_DEPRECATED_FLAG(drill) FUZZER_DEPRECATED_FLAG(truncate_units) +FUZZER_DEPRECATED_FLAG(output_csv) diff --git a/lib/Fuzzer/FuzzerLoop.cpp b/lib/Fuzzer/FuzzerLoop.cpp index 704092896eb6..4e4def8cb87e 100644 --- a/lib/Fuzzer/FuzzerLoop.cpp +++ b/lib/Fuzzer/FuzzerLoop.cpp @@ -253,17 +253,6 @@ void Fuzzer::RssLimitCallback() { void Fuzzer::PrintStats(const char *Where, const char *End, size_t Units) { size_t ExecPerSec = execPerSec(); - if (Options.OutputCSV) { - static bool csvHeaderPrinted = false; - if (!csvHeaderPrinted) { - csvHeaderPrinted = true; - Printf("runs,block_cov,bits,cc_cov,corpus,execs_per_sec,tbms,reason\n"); - } - Printf("%zd,%zd,%zd,%zd,%s\n", TotalNumberOfRuns, - TPC.GetTotalPCCoverage(), - Corpus.size(), ExecPerSec, Where); - } - if (!Options.Verbosity) return; Printf("#%zd\t%s", TotalNumberOfRuns, Where); diff --git a/lib/Fuzzer/FuzzerOptions.h b/lib/Fuzzer/FuzzerOptions.h index 872def0326f0..b1366789be00 100644 --- a/lib/Fuzzer/FuzzerOptions.h +++ b/lib/Fuzzer/FuzzerOptions.h @@ -45,7 +45,6 @@ struct FuzzingOptions { std::string ExitOnItem; bool SaveArtifacts = true; bool PrintNEW = true; // Print a status line when new units are found; - bool OutputCSV = false; bool PrintNewCovPcs = false; bool PrintFinalStats = false; bool PrintCorpusStats = false; diff --git a/lib/Fuzzer/test/CMakeLists.txt b/lib/Fuzzer/test/CMakeLists.txt index f72bc3909a3c..cd049d3f03d8 100644 --- a/lib/Fuzzer/test/CMakeLists.txt +++ b/lib/Fuzzer/test/CMakeLists.txt @@ -80,6 +80,7 @@ set(Tests BogusInitializeTest BufferOverflowOnInput CallerCalleeTest + CleanseTest CounterTest CustomCrossOverAndMutateTest CustomCrossOverTest diff --git a/lib/Fuzzer/test/CleanseTest.cpp b/lib/Fuzzer/test/CleanseTest.cpp new file mode 100644 index 000000000000..faea8dcb3c30 --- /dev/null +++ b/lib/Fuzzer/test/CleanseTest.cpp @@ -0,0 +1,16 @@ +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. + +// Test the the fuzzer is able to 'cleanse' the reproducer +// by replacing all irrelevant bytes with garbage. +#include <cstdint> +#include <cstdlib> +#include <cstddef> + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { + if (Size >= 20 && Data[1] == '1' && Data[5] == '5' && Data[10] == 'A' && + Data[19] == 'Z') + abort(); + return 0; +} + diff --git a/lib/Fuzzer/test/cleanse.test b/lib/Fuzzer/test/cleanse.test new file mode 100644 index 000000000000..ad08591d2fa3 --- /dev/null +++ b/lib/Fuzzer/test/cleanse.test @@ -0,0 +1,3 @@ +RUN: echo -n 0123456789ABCDEFGHIZ > %t-in +RUN: LLVMFuzzer-CleanseTest -cleanse_crash=1 %t-in -exact_artifact_path=%t-out +RUN: echo -n ' 1 5 A Z' | diff - %t-out diff --git a/lib/Fuzzer/test/fuzzer-oom.test b/lib/Fuzzer/test/fuzzer-oom.test index e9d33552723e..2db91915876e 100644 --- a/lib/Fuzzer/test/fuzzer-oom.test +++ b/lib/Fuzzer/test/fuzzer-oom.test @@ -1,4 +1,3 @@ -XFAIL: darwin RUN: not LLVMFuzzer-OutOfMemoryTest -rss_limit_mb=300 2>&1 | FileCheck %s CHECK: ERROR: libFuzzer: out-of-memory (used: {{.*}}; limit: 300Mb) |