//===- FuzzerLoop.cpp - Fuzzer's main loop --------------------------------===// // // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // See https://llvm.org/LICENSE.txt for license information. // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // //===----------------------------------------------------------------------===// // Fuzzer's main loop. //===----------------------------------------------------------------------===// #include "FuzzerCorpus.h" #include "FuzzerIO.h" #include "FuzzerInternal.h" #include "FuzzerMutate.h" #include "FuzzerPlatform.h" #include "FuzzerRandom.h" #include "FuzzerTracePC.h" #include <algorithm> #include <cstring> #include <memory> #include <mutex> #include <set> #if defined(__has_include) #if __has_include(<sanitizer / lsan_interface.h>) #include <sanitizer/lsan_interface.h> #endif #endif #define NO_SANITIZE_MEMORY #if defined(__has_feature) #if __has_feature(memory_sanitizer) #undef NO_SANITIZE_MEMORY #define NO_SANITIZE_MEMORY … #endif #endif namespace fuzzer { static const size_t kMaxUnitSizeToPrint = …; thread_local bool Fuzzer::IsMyThread; bool RunningUserCallback = …; // Only one Fuzzer per process. static Fuzzer *F; // Leak detection is expensive, so we first check if there were more mallocs // than frees (using the sanitizer malloc hooks) and only then try to call lsan. struct MallocFreeTracer { … }; static MallocFreeTracer AllocTracer; // Locks printing and avoids nested hooks triggered from mallocs/frees in // sanitizer. class TraceLock { … }; ATTRIBUTE_NO_SANITIZE_MEMORY void MallocHook(const volatile void *ptr, size_t size) { … } ATTRIBUTE_NO_SANITIZE_MEMORY void FreeHook(const volatile void *ptr) { … } // Crash on a single malloc that exceeds the rss limit. void Fuzzer::HandleMalloc(size_t Size) { … } Fuzzer::Fuzzer(UserCallback CB, InputCorpus &Corpus, MutationDispatcher &MD, const FuzzingOptions &Options) : … { … } void Fuzzer::AllocateCurrentUnitData() { … } void Fuzzer::StaticDeathCallback() { … } void Fuzzer::DumpCurrentUnit(const char *Prefix) { … } NO_SANITIZE_MEMORY void Fuzzer::DeathCallback() { … } void Fuzzer::StaticAlarmCallback() { … } void Fuzzer::StaticCrashSignalCallback() { … } void Fuzzer::StaticExitCallback() { … } void Fuzzer::StaticInterruptCallback() { … } void Fuzzer::StaticGracefulExitCallback() { … } void Fuzzer::StaticFileSizeExceedCallback() { … } void Fuzzer::CrashCallback() { … } void Fuzzer::ExitCallback() { … } void Fuzzer::MaybeExitGracefully() { … } int Fuzzer::InterruptExitCode() { … } void Fuzzer::InterruptCallback() { … } NO_SANITIZE_MEMORY void Fuzzer::AlarmCallback() { … } void Fuzzer::RssLimitCallback() { … } void Fuzzer::PrintStats(const char *Where, const char *End, size_t Units, size_t Features) { … } void Fuzzer::PrintFinalStats() { … } void Fuzzer::SetMaxInputLen(size_t MaxInputLen) { … } void Fuzzer::SetMaxMutationLen(size_t MaxMutationLen) { … } void Fuzzer::CheckExitOnSrcPosOrItem() { … } void Fuzzer::RereadOutputCorpus(size_t MaxSize) { … } void Fuzzer::PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size) { … } static void WriteFeatureSetToFile(const std::string &FeaturesDir, const std::string &FileName, const std::vector<uint32_t> &FeatureSet) { … } static void RenameFeatureSetFile(const std::string &FeaturesDir, const std::string &OldFile, const std::string &NewFile) { … } static void WriteEdgeToMutationGraphFile(const std::string &MutationGraphFile, const InputInfo *II, const InputInfo *BaseII, const std::string &MS) { … } bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile, InputInfo *II, bool ForceAddToCorpus, bool *FoundUniqFeatures) { … } void Fuzzer::TPCUpdateObservedPCs() { … } size_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const { … } void Fuzzer::CrashOnOverwrittenData() { … } // Compare two arrays, but not all bytes if the arrays are large. static bool LooseMemeq(const uint8_t *A, const uint8_t *B, size_t Size) { … } // This method is not inlined because it would cause a test to fail where it // is part of the stack unwinding. See D97975 for details. ATTRIBUTE_NOINLINE bool Fuzzer::ExecuteCallback(const uint8_t *Data, size_t Size) { … } std::string Fuzzer::WriteToOutputCorpus(const Unit &U) { … } void Fuzzer::WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix) { … } void Fuzzer::PrintStatusForNewUnit(const Unit &U, const char *Text) { … } void Fuzzer::ReportNewCoverage(InputInfo *II, const Unit &U) { … } // Tries detecting a memory leak on the particular input that we have just // executed before calling this function. void Fuzzer::TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size, bool DuringInitialCorpusExecution) { … } void Fuzzer::MutateAndTestOne() { … } void Fuzzer::PurgeAllocator() { … } void Fuzzer::ReadAndExecuteSeedCorpora(std::vector<SizedFile> &CorporaFiles) { … } void Fuzzer::Loop(std::vector<SizedFile> &CorporaFiles) { … } void Fuzzer::MinimizeCrashLoop(const Unit &U) { … } } // namespace fuzzer extern "C" { ATTRIBUTE_INTERFACE size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) { … } } // extern "C"
Codebase Browser
llvm