FuzzerInternal.h revision 326943 
1//===- FuzzerInternal.h - Internal header for the Fuzzer --------*- C++ -* ===//
2//
3//                     The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9// Define the main class fuzzer::Fuzzer and most functions.
10//===----------------------------------------------------------------------===//
11
12#ifndef LLVM_FUZZER_INTERNAL_H
13#define LLVM_FUZZER_INTERNAL_H
14
15#include "FuzzerDefs.h"
16#include "FuzzerExtFunctions.h"
17#include "FuzzerInterface.h"
18#include "FuzzerOptions.h"
19#include "FuzzerSHA1.h"
20#include "FuzzerValueBitMap.h"
21#include <algorithm>
22#include <atomic>
23#include <chrono>
24#include <climits>
25#include <cstdlib>
26#include <string.h>
27
28namespace fuzzer {
29
30using namespace std::chrono;
31
32class Fuzzer {
33public:
34
35  Fuzzer(UserCallback CB, InputCorpus &Corpus, MutationDispatcher &MD,
36         FuzzingOptions Options);
37  ~Fuzzer();
38  void Loop(const Vector<std::string> &CorpusDirs);
39  void ReadAndExecuteSeedCorpora(const Vector<std::string> &CorpusDirs);
40  void MinimizeCrashLoop(const Unit &U);
41  void RereadOutputCorpus(size_t MaxSize);
42
43  size_t secondsSinceProcessStartUp() {
44    return duration_cast<seconds>(system_clock::now() - ProcessStartTime)
45        .count();
46  }
47
48  bool TimedOut() {
49    return Options.MaxTotalTimeSec > 0 &&
50           secondsSinceProcessStartUp() >
51               static_cast<size_t>(Options.MaxTotalTimeSec);
52  }
53
54  size_t execPerSec() {
55    size_t Seconds = secondsSinceProcessStartUp();
56    return Seconds ? TotalNumberOfRuns / Seconds : 0;
57  }
58
59  size_t getTotalNumberOfRuns() { return TotalNumberOfRuns; }
60
61  static void StaticAlarmCallback();
62  static void StaticCrashSignalCallback();
63  static void StaticExitCallback();
64  static void StaticInterruptCallback();
65  static void StaticFileSizeExceedCallback();
66  static void StaticGracefulExitCallback();
67
68  void ExecuteCallback(const uint8_t *Data, size_t Size);
69  bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
70              InputInfo *II = nullptr, bool *FoundUniqFeatures = nullptr);
71
72  // Merge Corpora[1:] into Corpora[0].
73  void Merge(const Vector<std::string> &Corpora);
74  void CrashResistantMerge(const Vector<std::string> &Args,
75                           const Vector<std::string> &Corpora,
76                           const char *CoverageSummaryInputPathOrNull,
77                           const char *CoverageSummaryOutputPathOrNull,
78                           const char *MergeControlFilePathOrNull);
79  void CrashResistantMergeInternalStep(const std::string &ControlFilePath);
80  MutationDispatcher &GetMD() { return MD; }
81  void PrintFinalStats();
82  void SetMaxInputLen(size_t MaxInputLen);
83  void SetMaxMutationLen(size_t MaxMutationLen);
84  void RssLimitCallback();
85
86  bool InFuzzingThread() const { return IsMyThread; }
87  size_t GetCurrentUnitInFuzzingThead(const uint8_t **Data) const;
88  void TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size,
89                               bool DuringInitialCorpusExecution);
90
91  void HandleMalloc(size_t Size);
92  void AnnounceOutput(const uint8_t *Data, size_t Size);
93
94private:
95  void AlarmCallback();
96  void CrashCallback();
97  void ExitCallback();
98  void MaybeExitGracefully();
99  void CrashOnOverwrittenData();
100  void InterruptCallback();
101  void MutateAndTestOne();
102  void PurgeAllocator();
103  void ReportNewCoverage(InputInfo *II, const Unit &U);
104  void PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size);
105  void WriteToOutputCorpus(const Unit &U);
106  void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix);
107  void PrintStats(const char *Where, const char *End = "\n", size_t Units = 0);
108  void PrintStatusForNewUnit(const Unit &U, const char *Text);
109  void CheckExitOnSrcPosOrItem();
110
111  static void StaticDeathCallback();
112  void DumpCurrentUnit(const char *Prefix);
113  void DeathCallback();
114
115  void AllocateCurrentUnitData();
116  uint8_t *CurrentUnitData = nullptr;
117  std::atomic<size_t> CurrentUnitSize;
118  uint8_t BaseSha1[kSHA1NumBytes];  // Checksum of the base unit.
119  bool RunningCB = false;
120
121  bool GracefulExitRequested = false;
122
123  size_t TotalNumberOfRuns = 0;
124  size_t NumberOfNewUnitsAdded = 0;
125
126  size_t LastCorpusUpdateRun = 0;
127
128  bool HasMoreMallocsThanFrees = false;
129  size_t NumberOfLeakDetectionAttempts = 0;
130
131  system_clock::time_point LastAllocatorPurgeAttemptTime = system_clock::now();
132
133  UserCallback CB;
134  InputCorpus &Corpus;
135  MutationDispatcher &MD;
136  FuzzingOptions Options;
137
138  system_clock::time_point ProcessStartTime = system_clock::now();
139  system_clock::time_point UnitStartTime, UnitStopTime;
140  long TimeOfLongestUnitInSeconds = 0;
141  long EpochOfLastReadOfOutputCorpus = 0;
142
143  size_t MaxInputLen = 0;
144  size_t MaxMutationLen = 0;
145  size_t TmpMaxMutationLen = 0;
146
147  Vector<uint32_t> UniqFeatureSetTmp;
148
149  // Need to know our own thread.
150  static thread_local bool IsMyThread;
151};
152
153} // namespace fuzzer
154
155#endif // LLVM_FUZZER_INTERNAL_H
156