From 75281e64361a9748893ee9b63c6038fab33bd1dd Mon Sep 17 00:00:00 2001
From: Kostya Serebryany
Date: Sat, 15 Oct 2016 01:00:24 +0000
Subject: [PATCH] [libFuzzer] better algorithm for -minimize_crash

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@284299 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Fuzzer/FuzzerDriver.cpp | 2 +-
 lib/Fuzzer/FuzzerInternal.h | 8 ++++++++
 lib/Fuzzer/FuzzerLoop.cpp | 20 ++++++++++++++++----
 3 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/lib/Fuzzer/FuzzerDriver.cpp b/lib/Fuzzer/FuzzerDriver.cpp
index 78d73927cf6..5f9f9351ea2 100644
--- a/lib/Fuzzer/FuzzerDriver.cpp
+++ b/lib/Fuzzer/FuzzerDriver.cpp
@@ -345,7 +345,7 @@ int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) {
 Corpus->AddToCorpus(U, 0);
 F->SetMaxInputLen(U.size());
 F->SetMaxMutationLen(U.size() - 1);
- F->Loop();
+ F->MinimizeCrashLoop(U);
 Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n");
 exit(0);
 return 0;
diff --git a/lib/Fuzzer/FuzzerInternal.h b/lib/Fuzzer/FuzzerInternal.h
index 9ea5c96fe4b..a2f61283d4f 100644
--- a/lib/Fuzzer/FuzzerInternal.h
+++ b/lib/Fuzzer/FuzzerInternal.h
@@ -56,6 +56,7 @@ public:
 FuzzingOptions Options);
 ~Fuzzer();
 void Loop();
+ void MinimizeCrashLoop(const Unit &U);
 void ShuffleAndMinimize(UnitVector *V);
 void InitializeTraceState();
 void RereadOutputCorpus(size_t MaxSize);
@@ -64,6 +65,13 @@ public:
 return duration_cast(system_clock::now() - ProcessStartTime)
 .count();
 }
+
+ bool TimedOut() {
+ return Options.MaxTotalTimeSec > 0 &&
+ secondsSinceProcessStartUp() >
+ static_cast(Options.MaxTotalTimeSec);
+ }
+
 size_t execPerSec() {
 size_t Seconds = secondsSinceProcessStartUp();
 return Seconds ? TotalNumberOfRuns / Seconds : 0;
diff --git a/lib/Fuzzer/FuzzerLoop.cpp b/lib/Fuzzer/FuzzerLoop.cpp
index a8f640307fc..c5cf3090b81 100644
--- a/lib/Fuzzer/FuzzerLoop.cpp
+++ b/lib/Fuzzer/FuzzerLoop.cpp
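Review bot: The `Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n")` after the new call is reached even when `MinimizeCrashLoop` did no work: its body (in the FuzzerLoop.cpp hunk) returns immediately for `U.size() <= 2`, so for a one- or two-byte crash input the step reports "no crashes found" without having executed a single mutant. Consider guarding the call, e.g. `if (U.size() <= 2) { Printf("INFO: input too small to minimize further\n"); exit(0); }`, or rewording the message to say that no smaller crashing input was found. The enclosing MinimizeCrashInputInternalStep begins before the hunk, so it is not visible whether U is checked for emptiness earlier (the `U.size() - 1` on the line above would wrap for an empty unit).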
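Review bot: The new public `MinimizeCrashLoop` declaration is undocumented, and so is `TimedOut()` in the following hunk; a reader of the header cannot tell that the loop only runs mutants of U bounded by the current mutation length, or that a non-positive `MaxTotalTimeSec` disables the timeout. Suggested comments: `// Repeatedly mutates U (mutants are capped at MaxMutationLen) and runs each mutant until the time or run limit is reached.` for the first, and `// True once more than Options.MaxTotalTimeSec seconds have elapsed since process start; a non-positive limit never times out.` for the second. `TimedOut()` also reads no mutable state and looks like it should be `bool TimedOut() const`, provided `secondsSinceProcessStartUp()` is const as well (its declaration line is outside the hunk).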
@@ -753,10 +753,7 @@ void Fuzzer::Loop() {
 }
 if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
 break;
- if (Options.MaxTotalTimeSec > 0 &&
- secondsSinceProcessStartUp() >
- static_cast(Options.MaxTotalTimeSec))
- break;
+ if (TimedOut()) break;
 // Perform several mutations and runs.
 MutateAndTestOne();
 }
@@ -765,6 +762,21 @@ void Fuzzer::Loop() {
 MD.PrintRecommendedDictionary();
 }
 
+void Fuzzer::MinimizeCrashLoop(const Unit &U) {
+ if (U.size() <= 2) return;
+ while (!TimedOut() && TotalNumberOfRuns < Options.MaxNumberOfRuns) {
+ MD.StartMutationSequence();
+ memcpy(CurrentUnitData, U.data(), U.size());
+ for (int i = 0; i < Options.MutateDepth; i++) {
+ size_t NewSize = MD.Mutate(CurrentUnitData, U.size(), MaxMutationLen);
+ assert(NewSize > 0 && NewSize <= MaxMutationLen);
+ RunOne(CurrentUnitData, NewSize);
+ TryDetectingAMemoryLeak(CurrentUnitData, NewSize,
+ /*DuringInitialCorpusExecution*/ false);
+ }
+ }
+}
+
 } // namespace fuzzer
 
 extern "C" {
-- 
2.11.0
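Review bot: Every iteration of the inner `for` passes `U.size()` as the current input size, although the previous `MD.Mutate` call shrank the live content to `NewSize` (at most `MaxMutationLen`, which the driver sets to `U.size() - 1`); from the second iteration on, the bytes between NewSize and U.size() are stale buffer contents that are treated as part of the input being mutated. If chaining mutations is intended, track the size — `size_t Size = U.size();` before the loop, `MD.Mutate(CurrentUnitData, Size, MaxMutationLen)` in the call, and `Size = NewSize;` after the assert; if each mutant should start from U, move the `memcpy` inside the loop instead. The `memcpy` also presumably relies on `CurrentUnitData` having room for `U.size()` bytes, which here depends on the caller having called `SetMaxInputLen(U.size())` first; an `assert` of that precondition at the top of the function would make the contract explicit. Note that the existing `assert` on NewSize disappears under NDEBUG, so the bound it documents is not enforced in release builds.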