summaryrefslogtreecommitdiffstats
path: root/llvm/lib
diff options
context:
space:
mode:
Diffstat (limited to 'llvm/lib')
-rw-r--r--llvm/lib/Fuzzer/FuzzerCorpus.h70
-rw-r--r--llvm/lib/Fuzzer/FuzzerDriver.cpp1
-rw-r--r--llvm/lib/Fuzzer/FuzzerInternal.h6
-rw-r--r--llvm/lib/Fuzzer/FuzzerLoop.cpp15
-rw-r--r--llvm/lib/Fuzzer/test/CMakeLists.txt1
-rw-r--r--llvm/lib/Fuzzer/test/FuzzerUnittest.cpp2
-rw-r--r--llvm/lib/Fuzzer/test/ShrinkControlFlowSimpleTest.cpp19
-rw-r--r--llvm/lib/Fuzzer/test/reduce_inputs.test2
-rw-r--r--llvm/lib/Fuzzer/test/shrink.test2
9 files changed, 102 insertions, 16 deletions
diff --git a/llvm/lib/Fuzzer/FuzzerCorpus.h b/llvm/lib/Fuzzer/FuzzerCorpus.h
index 0f0573994a0..c4d1db74014 100644
--- a/llvm/lib/Fuzzer/FuzzerCorpus.h
+++ b/llvm/lib/Fuzzer/FuzzerCorpus.h
@@ -34,6 +34,7 @@ struct InputInfo {
size_t NumExecutedMutations = 0;
size_t NumSuccessfullMutations = 0;
bool MayDeleteFile = false;
+ std::vector<uint32_t> FeatureSet;
};
class InputCorpus {
@@ -68,24 +69,81 @@ class InputCorpus {
}
bool empty() const { return Inputs.empty(); }
const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
- void AddToCorpus(const Unit &U, size_t NumFeatures,
- bool MayDeleteFile = false) {
+ void AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile,
+ const std::vector<uint32_t> &FeatureSet) {
assert(!U.empty());
- uint8_t Hash[kSHA1NumBytes];
if (FeatureDebug)
Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);
- ComputeSHA1(U.data(), U.size(), Hash);
- Hashes.insert(Sha1ToString(Hash));
Inputs.push_back(new InputInfo());
InputInfo &II = *Inputs.back();
II.U = U;
II.NumFeatures = NumFeatures;
II.MayDeleteFile = MayDeleteFile;
- memcpy(II.Sha1, Hash, kSHA1NumBytes);
+ II.FeatureSet = FeatureSet;
+ ComputeSHA1(U.data(), U.size(), II.Sha1);
+ Hashes.insert(Sha1ToString(II.Sha1));
UpdateCorpusDistribution();
+ PrintCorpus();
// ValidateFeatureSet();
}
+ // Debug-only
+ void PrintUnit(const Unit &U) {
+ if (!FeatureDebug) return;
+ for (uint8_t C : U) {
+ if (C != 'F' && C != 'U' && C != 'Z')
+ C = '.';
+ Printf("%c", C);
+ }
+ }
+
+ // Debug-only
+ void PrintFeatureSet(const std::vector<uint32_t> &FeatureSet) {
+ if (!FeatureDebug) return;
+ Printf("{");
+ for (uint32_t Feature: FeatureSet)
+ Printf("%u,", Feature);
+ Printf("}");
+ }
+
+ // Debug-only
+ void PrintCorpus() {
+ if (!FeatureDebug) return;
+ Printf("======= CORPUS:\n");
+ int i = 0;
+ for (auto II : Inputs) {
+ if (std::find(II->U.begin(), II->U.end(), 'F') != II->U.end()) {
+ Printf("[%2d] ", i);
+ Printf("%s sz=%zd ", Sha1ToString(II->Sha1).c_str(), II->U.size());
+ PrintUnit(II->U);
+ Printf(" ");
+ PrintFeatureSet(II->FeatureSet);
+ Printf("\n");
+ }
+ i++;
+ }
+ }
+
+ // If FeatureSet is that same as in II, replace II->U with {Data,Size}.
+ bool TryToReplace(InputInfo *II, const uint8_t *Data, size_t Size,
+ const std::vector<uint32_t> &FeatureSet) {
+ if (II->U.size() > Size && II->FeatureSet.size() &&
+ II->FeatureSet == FeatureSet) {
+ if (FeatureDebug)
+ Printf("Replace: %zd => %zd\n", II->U.size(), Size);
+ Replace(II, {Data, Data + Size});
+ PrintCorpus();
+ return true;
+ }
+ return false;
+ }
+
+ void Replace(InputInfo *II, const Unit &U) {
+ ComputeSHA1(U.data(), U.size(), II->Sha1);
+ Hashes.insert(Sha1ToString(II->Sha1));
+ II->U = U;
+ }
+
bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }
bool HasUnit(const std::string &H) { return Hashes.count(H); }
InputInfo &ChooseUnitToMutate(Random &Rand) {
diff --git a/llvm/lib/Fuzzer/FuzzerDriver.cpp b/llvm/lib/Fuzzer/FuzzerDriver.cpp
index f88b5b7c2bb..87968893853 100644
--- a/llvm/lib/Fuzzer/FuzzerDriver.cpp
+++ b/llvm/lib/Fuzzer/FuzzerDriver.cpp
@@ -441,7 +441,6 @@ int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) {
Printf("INFO: The input is small enough, exiting\n");
exit(0);
}
- Corpus->AddToCorpus(U, 0);
F->SetMaxInputLen(U.size());
F->SetMaxMutationLen(U.size() - 1);
F->MinimizeCrashLoop(U);
diff --git a/llvm/lib/Fuzzer/FuzzerInternal.h b/llvm/lib/Fuzzer/FuzzerInternal.h
index 573923fddc8..a732f895375 100644
--- a/llvm/lib/Fuzzer/FuzzerInternal.h
+++ b/llvm/lib/Fuzzer/FuzzerInternal.h
@@ -65,7 +65,8 @@ public:
static void StaticFileSizeExceedCallback();
void ExecuteCallback(const uint8_t *Data, size_t Size);
- bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false);
+ bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
+ InputInfo *II = nullptr);
// Merge Corpora[1:] into Corpora[0].
void Merge(const std::vector<std::string> &Corpora);
@@ -101,7 +102,6 @@ private:
void PrintStats(const char *Where, const char *End = "\n", size_t Units = 0);
void PrintStatusForNewUnit(const Unit &U);
void ShuffleCorpus(UnitVector *V);
- void AddToCorpus(const Unit &U);
void CheckExitOnSrcPosOrItem();
// Trace-based fuzzing: we run a unit with some kind of tracing
@@ -142,7 +142,7 @@ private:
size_t MaxInputLen = 0;
size_t MaxMutationLen = 0;
- std::vector<size_t> FeatureSetTmp;
+ std::vector<uint32_t> FeatureSetTmp;
// Need to know our own thread.
static thread_local bool IsMyThread;
diff --git a/llvm/lib/Fuzzer/FuzzerLoop.cpp b/llvm/lib/Fuzzer/FuzzerLoop.cpp
index 431c33a1211..6816f3af8a6 100644
--- a/llvm/lib/Fuzzer/FuzzerLoop.cpp
+++ b/llvm/lib/Fuzzer/FuzzerLoop.cpp
@@ -397,7 +397,8 @@ void Fuzzer::PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size) {
}
}
-bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile) {
+bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile,
+ InputInfo *II) {
if (!Size) return false;
ExecuteCallback(Data, Size);
@@ -412,10 +413,16 @@ bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile) {
PrintPulseAndReportSlowInput(Data, Size);
size_t NumNewFeatures = Corpus.NumFeatureUpdates() - NumUpdatesBefore;
if (NumNewFeatures) {
+ Corpus.AddToCorpus({Data, Data + Size}, NumNewFeatures, MayDeleteFile,
+ FeatureSetTmp);
CheckExitOnSrcPosOrItem();
- Corpus.AddToCorpus({Data, Data + Size}, NumNewFeatures, MayDeleteFile);
+ return true;
}
- return NumNewFeatures > 0;
+ if (II && Corpus.TryToReplace(II, Data, Size, FeatureSetTmp)) {
+ CheckExitOnSrcPosOrItem();
+ return true;
+ }
+ return false;
}
size_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const {
@@ -596,7 +603,7 @@ void Fuzzer::MutateAndTestOne() {
if (i == 0)
StartTraceRecording();
II.NumExecutedMutations++;
- if (RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true))
+ if (RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true, &II))
ReportNewCoverage(&II, {CurrentUnitData, CurrentUnitData + Size});
StopTraceRecording();
diff --git a/llvm/lib/Fuzzer/test/CMakeLists.txt b/llvm/lib/Fuzzer/test/CMakeLists.txt
index 6438bc9e5c5..30566bdc87a 100644
--- a/llvm/lib/Fuzzer/test/CMakeLists.txt
+++ b/llvm/lib/Fuzzer/test/CMakeLists.txt
@@ -118,6 +118,7 @@ set(Tests
SingleStrncmpTest
SpamyTest
ShrinkControlFlowTest
+ ShrinkControlFlowSimpleTest
ShrinkValueProfileTest
StrcmpTest
StrncmpOOBTest
diff --git a/llvm/lib/Fuzzer/test/FuzzerUnittest.cpp b/llvm/lib/Fuzzer/test/FuzzerUnittest.cpp
index 129519ca5bc..1053c28527b 100644
--- a/llvm/lib/Fuzzer/test/FuzzerUnittest.cpp
+++ b/llvm/lib/Fuzzer/test/FuzzerUnittest.cpp
@@ -593,7 +593,7 @@ TEST(Corpus, Distribution) {
size_t N = 10;
size_t TriesPerUnit = 1<<16;
for (size_t i = 0; i < N; i++)
- C->AddToCorpus(Unit{ static_cast<uint8_t>(i) }, 0);
+ C->AddToCorpus(Unit{ static_cast<uint8_t>(i) }, 0, false, {});
std::vector<size_t> Hist(N);
for (size_t i = 0; i < N * TriesPerUnit; i++) {
diff --git a/llvm/lib/Fuzzer/test/ShrinkControlFlowSimpleTest.cpp b/llvm/lib/Fuzzer/test/ShrinkControlFlowSimpleTest.cpp
new file mode 100644
index 00000000000..0afd26df23a
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/ShrinkControlFlowSimpleTest.cpp
@@ -0,0 +1,19 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Test that we can find the minimal item in the corpus (3 bytes: "FUZ").
+#include <cstddef>
+#include <cstdint>
+#include <cstdio>
+#include <cstdlib>
+#include <cstring>
+
+static volatile int Sink;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Size < 2) return 0;
+ if (Data[0] == 'F' && Data[Size / 2] == 'U' && Data[Size - 1] == 'Z')
+ Sink++;
+ return 0;
+}
+
diff --git a/llvm/lib/Fuzzer/test/reduce_inputs.test b/llvm/lib/Fuzzer/test/reduce_inputs.test
new file mode 100644
index 00000000000..cc803d789d8
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/reduce_inputs.test
@@ -0,0 +1,2 @@
+CHECK: INFO: found item with checksum '0eb8e4ed029b774d80f2b66408203801cb982a60'
+RUN: LLVMFuzzer-ShrinkControlFlowSimpleTest -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -reduce_inputs=1 -runs=1000000 2>&1 | FileCheck %s
diff --git a/llvm/lib/Fuzzer/test/shrink.test b/llvm/lib/Fuzzer/test/shrink.test
index 9352eb16994..edb86cb1938 100644
--- a/llvm/lib/Fuzzer/test/shrink.test
+++ b/llvm/lib/Fuzzer/test/shrink.test
@@ -1,4 +1,4 @@
-RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=10000000 -shrink=1 2>&1 | FileCheck %s --check-prefix=SHRINK1
+RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=1000000 -shrink=1 2>&1 | FileCheck %s --check-prefix=SHRINK1
RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=1000000 -shrink=0 2>&1 | FileCheck %s --check-prefix=SHRINK0
RUN: LLVMFuzzer-ShrinkValueProfileTest -seed=1 -exit_on_item=aea2e3923af219a8956f626558ef32f30a914ebc -runs=100000 -shrink=1 -use_value_profile=1 2>&1 | FileCheck %s --check-prefix=SHRINK1_VP
OpenPOWER on IntegriCloud