Bug Summary

File:projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp
Warning:line 37, column 5
Null pointer passed as an argument to a 'nonnull' parameter

Annotated Source Code

/build/llvm-toolchain-snapshot-6.0~svn318601/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp

1//===- FuzzerDriver.cpp - FuzzerDriver function and flags -----------------===//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9// FuzzerDriver and flag parsing.
10//===----------------------------------------------------------------------===//
11
12#include "FuzzerCorpus.h"
13#include "FuzzerIO.h"
14#include "FuzzerInterface.h"
15#include "FuzzerInternal.h"
16#include "FuzzerMutate.h"
17#include "FuzzerRandom.h"
18#include "FuzzerShmem.h"
19#include "FuzzerTracePC.h"
20#include <algorithm>
21#include <atomic>
22#include <chrono>
23#include <cstdlib>
24#include <cstring>
25#include <mutex>
26#include <string>
27#include <thread>
28
29// This function should be present in the libFuzzer so that the client
30// binary can test for its existence.
31extern "C" __attribute__((used)) void __libfuzzer_is_present() {}
32
33namespace fuzzer {
34
35// Program arguments.
36struct FlagDescription {
37 const char *Name;
38 const char *Description;
39 int Default;
40 int *IntFlag;
41 const char **StrFlag;
42 unsigned int *UIntFlag;
43};
44
45struct {
46#define FUZZER_DEPRECATED_FLAG(Name)
47#define FUZZER_FLAG_INT(Name, Default, Description) int Name;
48#define FUZZER_FLAG_UNSIGNED(Name, Default, Description) unsigned int Name;
49#define FUZZER_FLAG_STRING(Name, Description) const char *Name;
50#include "FuzzerFlags.def"
51#undef FUZZER_DEPRECATED_FLAG
52#undef FUZZER_FLAG_INT
53#undef FUZZER_FLAG_UNSIGNED
54#undef FUZZER_FLAG_STRING
55} Flags;
56
57static const FlagDescription FlagDescriptions [] {
58#define FUZZER_DEPRECATED_FLAG(Name) \
59 {#Name, "Deprecated; don't use", 0, nullptr, nullptr, nullptr},
60#define FUZZER_FLAG_INT(Name, Default, Description) \
61 {#Name, Description, Default, &Flags.Name, nullptr, nullptr},
62#define FUZZER_FLAG_UNSIGNED(Name, Default, Description) \
63 {#Name, Description, static_cast<int>(Default), \
64 nullptr, nullptr, &Flags.Name},
65#define FUZZER_FLAG_STRING(Name, Description) \
66 {#Name, Description, 0, nullptr, &Flags.Name, nullptr},
67#include "FuzzerFlags.def"
68#undef FUZZER_DEPRECATED_FLAG
69#undef FUZZER_FLAG_INT
70#undef FUZZER_FLAG_UNSIGNED
71#undef FUZZER_FLAG_STRING
72};
73
74static const size_t kNumFlags =
75 sizeof(FlagDescriptions) / sizeof(FlagDescriptions[0]);
76
77static Vector<std::string> *Inputs;
78static std::string *ProgName;
79
80static void PrintHelp() {
81 Printf("Usage:\n");
82 auto Prog = ProgName->c_str();
83 Printf("\nTo run fuzzing pass 0 or more directories.\n");
84 Printf("%s [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]\n", Prog);
85
86 Printf("\nTo run individual tests without fuzzing pass 1 or more files:\n");
87 Printf("%s [-flag1=val1 [-flag2=val2 ...] ] file1 [file2 ...]\n", Prog);
88
89 Printf("\nFlags: (strictly in form -flag=value)\n");
90 size_t MaxFlagLen = 0;
91 for (size_t F = 0; F < kNumFlags; F++)
92 MaxFlagLen = std::max(strlen(FlagDescriptions[F].Name), MaxFlagLen);
93
94 for (size_t F = 0; F < kNumFlags; F++) {
95 const auto &D = FlagDescriptions[F];
96 if (strstr(D.Description, "internal flag") == D.Description) continue;
97 Printf(" %s", D.Name);
98 for (size_t i = 0, n = MaxFlagLen - strlen(D.Name); i < n; i++)
99 Printf(" ");
100 Printf("\t");
101 Printf("%d\t%s\n", D.Default, D.Description);
102 }
103 Printf("\nFlags starting with '--' will be ignored and "
104 "will be passed verbatim to subprocesses.\n");
105}
106
107static const char *FlagValue(const char *Param, const char *Name) {
108 size_t Len = strlen(Name);
109 if (Param[0] == '-' && strstr(Param + 1, Name) == Param + 1 &&
110 Param[Len + 1] == '=')
111 return &Param[Len + 2];
112 return nullptr;
113}
114
115// Avoid calling stol as it triggers a bug in clang/glibc build.
116static long MyStol(const char *Str) {
117 long Res = 0;
118 long Sign = 1;
119 if (*Str == '-') {
120 Str++;
121 Sign = -1;
122 }
123 for (size_t i = 0; Str[i]; i++) {
124 char Ch = Str[i];
125 if (Ch < '0' || Ch > '9')
126 return Res;
127 Res = Res * 10 + (Ch - '0');
128 }
129 return Res * Sign;
130}
131
132static bool ParseOneFlag(const char *Param) {
133 if (Param[0] != '-') return false;
134 if (Param[1] == '-') {
135 static bool PrintedWarning = false;
136 if (!PrintedWarning) {
137 PrintedWarning = true;
138 Printf("INFO: libFuzzer ignores flags that start with '--'\n");
139 }
140 for (size_t F = 0; F < kNumFlags; F++)
141 if (FlagValue(Param + 1, FlagDescriptions[F].Name))
142 Printf("WARNING: did you mean '%s' (single dash)?\n", Param + 1);
143 return true;
144 }
145 for (size_t F = 0; F < kNumFlags; F++) {
146 const char *Name = FlagDescriptions[F].Name;
147 const char *Str = FlagValue(Param, Name);
148 if (Str) {
149 if (FlagDescriptions[F].IntFlag) {
150 int Val = MyStol(Str);
151 *FlagDescriptions[F].IntFlag = Val;
152 if (Flags.verbosity >= 2)
153 Printf("Flag: %s %d\n", Name, Val);
154 return true;
155 } else if (FlagDescriptions[F].UIntFlag) {
156 unsigned int Val = std::stoul(Str);
157 *FlagDescriptions[F].UIntFlag = Val;
158 if (Flags.verbosity >= 2)
159 Printf("Flag: %s %u\n", Name, Val);
160 return true;
161 } else if (FlagDescriptions[F].StrFlag) {
162 *FlagDescriptions[F].StrFlag = Str;
163 if (Flags.verbosity >= 2)
164 Printf("Flag: %s %s\n", Name, Str);
165 return true;
166 } else { // Deprecated flag.
167 Printf("Flag: %s: deprecated, don't use\n", Name);
168 return true;
169 }
170 }
171 }
172 Printf("\n\nWARNING: unrecognized flag '%s'; "
173 "use -help=1 to list all flags\n\n", Param);
174 return true;
175}
176
177// We don't use any library to minimize dependencies.
178static void ParseFlags(const Vector<std::string> &Args) {
179 for (size_t F = 0; F < kNumFlags; F++) {
180 if (FlagDescriptions[F].IntFlag)
181 *FlagDescriptions[F].IntFlag = FlagDescriptions[F].Default;
182 if (FlagDescriptions[F].UIntFlag)
183 *FlagDescriptions[F].UIntFlag =
184 static_cast<unsigned int>(FlagDescriptions[F].Default);
185 if (FlagDescriptions[F].StrFlag)
186 *FlagDescriptions[F].StrFlag = nullptr;
187 }
188 Inputs = new Vector<std::string>;
189 for (size_t A = 1; A < Args.size(); A++) {
190 if (ParseOneFlag(Args[A].c_str())) {
191 if (Flags.ignore_remaining_args)
192 break;
193 continue;
194 }
195 Inputs->push_back(Args[A]);
196 }
197}
198
199static std::mutex Mu;
200
201static void PulseThread() {
202 while (true) {
203 SleepSeconds(600);
204 std::lock_guard<std::mutex> Lock(Mu);
205 Printf("pulse...\n");
206 }
207}
208
209static void WorkerThread(const std::string &Cmd, std::atomic<unsigned> *Counter,
210 unsigned NumJobs, std::atomic<bool> *HasErrors) {
211 while (true) {
212 unsigned C = (*Counter)++;
213 if (C >= NumJobs) break;
214 std::string Log = "fuzz-" + std::to_string(C) + ".log";
215 std::string ToRun = Cmd + " > " + Log + " 2>&1\n";
216 if (Flags.verbosity)
217 Printf("%s", ToRun.c_str());
218 int ExitCode = ExecuteCommand(ToRun);
219 if (ExitCode != 0)
220 *HasErrors = true;
221 std::lock_guard<std::mutex> Lock(Mu);
222 Printf("================== Job %u exited with exit code %d ============\n",
223 C, ExitCode);
224 fuzzer::CopyFileToErr(Log);
225 }
226}
227
228std::string CloneArgsWithoutX(const Vector<std::string> &Args,
229 const char *X1, const char *X2) {
230 std::string Cmd;
231 for (auto &S : Args) {
232 if (FlagValue(S.c_str(), X1) || FlagValue(S.c_str(), X2))
233 continue;
234 Cmd += S + " ";
235 }
236 return Cmd;
237}
238
239static int RunInMultipleProcesses(const Vector<std::string> &Args,
240 unsigned NumWorkers, unsigned NumJobs) {
241 std::atomic<unsigned> Counter(0);
242 std::atomic<bool> HasErrors(false);
243 std::string Cmd = CloneArgsWithoutX(Args, "jobs", "workers");
244 Vector<std::thread> V;
245 std::thread Pulse(PulseThread);
246 Pulse.detach();
247 for (unsigned i = 0; i < NumWorkers; i++)
248 V.push_back(std::thread(WorkerThread, Cmd, &Counter, NumJobs, &HasErrors));
249 for (auto &T : V)
250 T.join();
251 return HasErrors ? 1 : 0;
252}
253
254static void RssThread(Fuzzer *F, size_t RssLimitMb) {
255 while (true) {
256 SleepSeconds(1);
257 size_t Peak = GetPeakRSSMb();
258 if (Peak > RssLimitMb)
259 F->RssLimitCallback();
260 }
261}
262
263static void StartRssThread(Fuzzer *F, size_t RssLimitMb) {
264 if (!RssLimitMb) return;
265 std::thread T(RssThread, F, RssLimitMb);
266 T.detach();
267}
268
269int RunOneTest(Fuzzer *F, const char *InputFilePath, size_t MaxLen) {
270 Unit U = FileToVector(InputFilePath);
271 if (MaxLen && MaxLen < U.size())
272 U.resize(MaxLen);
273 F->ExecuteCallback(U.data(), U.size());
274 F->TryDetectingAMemoryLeak(U.data(), U.size(), true);
275 return 0;
276}
277
278static bool AllInputsAreFiles() {
279 if (Inputs->empty()) return false;
280 for (auto &Path : *Inputs)
281 if (!IsFile(Path))
282 return false;
283 return true;
284}
285
286static std::string GetDedupTokenFromFile(const std::string &Path) {
287 auto S = FileToString(Path);
288 auto Beg = S.find("DEDUP_TOKEN:");
289 if (Beg == std::string::npos)
290 return "";
291 auto End = S.find('\n', Beg);
292 if (End == std::string::npos)
293 return "";
294 return S.substr(Beg, End - Beg);
295}
296
297int CleanseCrashInput(const Vector<std::string> &Args,
298 const FuzzingOptions &Options) {
299 if (Inputs->size() != 1 || !Flags.exact_artifact_path) {
300 Printf("ERROR: -cleanse_crash should be given one input file and"
301 " -exact_artifact_path\n");
302 exit(1);
303 }
304 std::string InputFilePath = Inputs->at(0);
305 std::string OutputFilePath = Flags.exact_artifact_path;
306 std::string BaseCmd =
307 CloneArgsWithoutX(Args, "cleanse_crash", "cleanse_crash");
308
309 auto InputPos = BaseCmd.find(" " + InputFilePath + " ");
310 assert(InputPos != std::string::npos)(static_cast <bool> (InputPos != std::string::npos) ? void
(0) : __assert_fail ("InputPos != std::string::npos", "/build/llvm-toolchain-snapshot-6.0~svn318601/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp"
, 310, __extension__ __PRETTY_FUNCTION__))
;
311 BaseCmd.erase(InputPos, InputFilePath.size() + 1);
312
313 auto LogFilePath = DirPlusFile(
314 TmpDir(), "libFuzzerTemp." + std::to_string(GetPid()) + ".txt");
315 auto TmpFilePath = DirPlusFile(
316 TmpDir(), "libFuzzerTemp." + std::to_string(GetPid()) + ".repro");
317 auto LogFileRedirect = " > " + LogFilePath + " 2>&1 ";
318
319 auto Cmd = BaseCmd + " " + TmpFilePath + LogFileRedirect;
320
321 std::string CurrentFilePath = InputFilePath;
322 auto U = FileToVector(CurrentFilePath);
323 size_t Size = U.size();
324
325 const Vector<uint8_t> ReplacementBytes = {' ', 0xff};
326 for (int NumAttempts = 0; NumAttempts < 5; NumAttempts++) {
327 bool Changed = false;
328 for (size_t Idx = 0; Idx < Size; Idx++) {
329 Printf("CLEANSE[%d]: Trying to replace byte %zd of %zd\n", NumAttempts,
330 Idx, Size);
331 uint8_t OriginalByte = U[Idx];
332 if (ReplacementBytes.end() != std::find(ReplacementBytes.begin(),
333 ReplacementBytes.end(),
334 OriginalByte))
335 continue;
336 for (auto NewByte : ReplacementBytes) {
337 U[Idx] = NewByte;
338 WriteToFile(U, TmpFilePath);
339 auto ExitCode = ExecuteCommand(Cmd);
340 RemoveFile(TmpFilePath);
341 if (!ExitCode) {
342 U[Idx] = OriginalByte;
343 } else {
344 Changed = true;
345 Printf("CLEANSE: Replaced byte %zd with 0x%x\n", Idx, NewByte);
346 WriteToFile(U, OutputFilePath);
347 break;
348 }
349 }
350 }
351 if (!Changed) break;
352 }
353 RemoveFile(LogFilePath);
354 return 0;
355}
356
357int MinimizeCrashInput(const Vector<std::string> &Args,
358 const FuzzingOptions &Options) {
359 if (Inputs->size() != 1) {
360 Printf("ERROR: -minimize_crash should be given one input file\n");
361 exit(1);
362 }
363 std::string InputFilePath = Inputs->at(0);
364 auto BaseCmd = SplitBefore(
365 "-ignore_remaining_args=1",
366 CloneArgsWithoutX(Args, "minimize_crash", "exact_artifact_path"));
367 auto InputPos = BaseCmd.first.find(" " + InputFilePath + " ");
368 assert(InputPos != std::string::npos)(static_cast <bool> (InputPos != std::string::npos) ? void
(0) : __assert_fail ("InputPos != std::string::npos", "/build/llvm-toolchain-snapshot-6.0~svn318601/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp"
, 368, __extension__ __PRETTY_FUNCTION__))
;
369 BaseCmd.first.erase(InputPos, InputFilePath.size() + 1);
370 if (Flags.runs <= 0 && Flags.max_total_time == 0) {
371 Printf("INFO: you need to specify -runs=N or "
372 "-max_total_time=N with -minimize_crash=1\n"
373 "INFO: defaulting to -max_total_time=600\n");
374 BaseCmd.first += " -max_total_time=600";
375 }
376
377 auto LogFilePath = DirPlusFile(
378 TmpDir(), "libFuzzerTemp." + std::to_string(GetPid()) + ".txt");
379 auto LogFileRedirect = " > " + LogFilePath + " 2>&1 ";
380
381 std::string CurrentFilePath = InputFilePath;
382 while (true) {
383 Unit U = FileToVector(CurrentFilePath);
384 Printf("CRASH_MIN: minimizing crash input: '%s' (%zd bytes)\n",
385 CurrentFilePath.c_str(), U.size());
386
387 auto Cmd = BaseCmd.first + " " + CurrentFilePath + LogFileRedirect + " " +
388 BaseCmd.second;
389
390 Printf("CRASH_MIN: executing: %s\n", Cmd.c_str());
391 int ExitCode = ExecuteCommand(Cmd);
392 if (ExitCode == 0) {
393 Printf("ERROR: the input %s did not crash\n", CurrentFilePath.c_str());
394 exit(1);
395 }
396 Printf("CRASH_MIN: '%s' (%zd bytes) caused a crash. Will try to minimize "
397 "it further\n",
398 CurrentFilePath.c_str(), U.size());
399 auto DedupToken1 = GetDedupTokenFromFile(LogFilePath);
400 if (!DedupToken1.empty())
401 Printf("CRASH_MIN: DedupToken1: %s\n", DedupToken1.c_str());
402
403 std::string ArtifactPath =
404 Flags.exact_artifact_path
405 ? Flags.exact_artifact_path
406 : Options.ArtifactPrefix + "minimized-from-" + Hash(U);
407 Cmd += " -minimize_crash_internal_step=1 -exact_artifact_path=" +
408 ArtifactPath;
409 Printf("CRASH_MIN: executing: %s\n", Cmd.c_str());
410 ExitCode = ExecuteCommand(Cmd);
411 CopyFileToErr(LogFilePath);
412 if (ExitCode == 0) {
413 if (Flags.exact_artifact_path) {
414 CurrentFilePath = Flags.exact_artifact_path;
415 WriteToFile(U, CurrentFilePath);
416 }
417 Printf("CRASH_MIN: failed to minimize beyond %s (%d bytes), exiting\n",
418 CurrentFilePath.c_str(), U.size());
419 break;
420 }
421 auto DedupToken2 = GetDedupTokenFromFile(LogFilePath);
422 if (!DedupToken2.empty())
423 Printf("CRASH_MIN: DedupToken2: %s\n", DedupToken2.c_str());
424
425 if (DedupToken1 != DedupToken2) {
426 if (Flags.exact_artifact_path) {
427 CurrentFilePath = Flags.exact_artifact_path;
428 WriteToFile(U, CurrentFilePath);
429 }
430 Printf("CRASH_MIN: mismatch in dedup tokens"
431 " (looks like a different bug). Won't minimize further\n");
432 break;
433 }
434
435 CurrentFilePath = ArtifactPath;
436 Printf("*********************************\n");
437 }
438 RemoveFile(LogFilePath);
439 return 0;
440}
441
442int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) {
443 assert(Inputs->size() == 1)(static_cast <bool> (Inputs->size() == 1) ? void (0)
: __assert_fail ("Inputs->size() == 1", "/build/llvm-toolchain-snapshot-6.0~svn318601/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp"
, 443, __extension__ __PRETTY_FUNCTION__))
;
444 std::string InputFilePath = Inputs->at(0);
445 Unit U = FileToVector(InputFilePath);
446 Printf("INFO: Starting MinimizeCrashInputInternalStep: %zd\n", U.size());
447 if (U.size() < 2) {
448 Printf("INFO: The input is small enough, exiting\n");
449 exit(0);
450 }
451 F->SetMaxInputLen(U.size());
452 F->SetMaxMutationLen(U.size() - 1);
453 F->MinimizeCrashLoop(U);
454 Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n");
455 exit(0);
456 return 0;
457}
458
459int AnalyzeDictionary(Fuzzer *F, const Vector<Unit>& Dict,
460 UnitVector& Corpus) {
461 Printf("Started dictionary minimization (up to %d tests)\n",
462 Dict.size() * Corpus.size() * 2);
463
464 // Scores and usage count for each dictionary unit.
465 Vector<int> Scores(Dict.size());
466 Vector<int> Usages(Dict.size());
467
468 Vector<size_t> InitialFeatures;
469 Vector<size_t> ModifiedFeatures;
470 for (auto &C : Corpus) {
471 // Get coverage for the testcase without modifications.
472 F->ExecuteCallback(C.data(), C.size());
473 InitialFeatures.clear();
474 TPC.CollectFeatures([&](size_t Feature) {
475 InitialFeatures.push_back(Feature);
476 });
477
478 for (size_t i = 0; i < Dict.size(); ++i) {
479 Vector<uint8_t> Data = C;
480 auto StartPos = std::search(Data.begin(), Data.end(),
481 Dict[i].begin(), Dict[i].end());
482 // Skip dictionary unit, if the testcase does not contain it.
483 if (StartPos == Data.end())
484 continue;
485
486 ++Usages[i];
487 while (StartPos != Data.end()) {
488 // Replace all occurrences of dictionary unit in the testcase.
489 auto EndPos = StartPos + Dict[i].size();
490 for (auto It = StartPos; It != EndPos; ++It)
491 *It ^= 0xFF;
492
493 StartPos = std::search(EndPos, Data.end(),
494 Dict[i].begin(), Dict[i].end());
495 }
496
497 // Get coverage for testcase with masked occurrences of dictionary unit.
498 F->ExecuteCallback(Data.data(), Data.size());
499 ModifiedFeatures.clear();
500 TPC.CollectFeatures([&](size_t Feature) {
501 ModifiedFeatures.push_back(Feature);
502 });
503
504 if (InitialFeatures == ModifiedFeatures)
505 --Scores[i];
506 else
507 Scores[i] += 2;
508 }
509 }
510
511 Printf("###### Useless dictionary elements. ######\n");
512 for (size_t i = 0; i < Dict.size(); ++i) {
513 // Dictionary units with positive score are treated as useful ones.
514 if (Scores[i] > 0)
515 continue;
516
517 Printf("\"");
518 PrintASCII(Dict[i].data(), Dict[i].size(), "\"");
519 Printf(" # Score: %d, Used: %d\n", Scores[i], Usages[i]);
520 }
521 Printf("###### End of useless dictionary elements. ######\n");
522 return 0;
523}
524
525int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
526 using namespace fuzzer;
527 assert(argc && argv && "Argument pointers cannot be nullptr")(static_cast <bool> (argc && argv && "Argument pointers cannot be nullptr"
) ? void (0) : __assert_fail ("argc && argv && \"Argument pointers cannot be nullptr\""
, "/build/llvm-toolchain-snapshot-6.0~svn318601/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp"
, 527, __extension__ __PRETTY_FUNCTION__))
;
528 std::string Argv0((*argv)[0]);
529 EF = new ExternalFunctions();
530 if (EF->LLVMFuzzerInitialize)
1
Assuming the condition is false
2
Taking false branch
531 EF->LLVMFuzzerInitialize(argc, argv);
532 const Vector<std::string> Args(*argv, *argv + *argc);
533 assert(!Args.empty())(static_cast <bool> (!Args.empty()) ? void (0) : __assert_fail
("!Args.empty()", "/build/llvm-toolchain-snapshot-6.0~svn318601/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp"
, 533, __extension__ __PRETTY_FUNCTION__))
;
534 ProgName = new std::string(Args[0]);
535 if (Argv0 != *ProgName) {
3
Taking false branch
536 Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n");
537 exit(1);
538 }
539 ParseFlags(Args);
540 if (Flags.help) {
4
Assuming the condition is false
5
Taking false branch
541 PrintHelp();
542 return 0;
543 }
544
545 if (Flags.close_fd_mask & 2)
6
Assuming the condition is false
7
Taking false branch
546 DupAndCloseStderr();
547 if (Flags.close_fd_mask & 1)
8
Assuming the condition is false
9
Taking false branch
548 CloseStdout();
549
550 if (Flags.jobs > 0 && Flags.workers == 0) {
10
Assuming the condition is false
551 Flags.workers = std::min(NumberOfCpuCores() / 2, Flags.jobs);
552 if (Flags.workers > 1)
553 Printf("Running %u workers\n", Flags.workers);
554 }
555
556 if (Flags.workers > 0 && Flags.jobs > 0)
11
Assuming the condition is false
557 return RunInMultipleProcesses(Args, Flags.workers, Flags.jobs);
558
559 FuzzingOptions Options;
560 Options.Verbosity = Flags.verbosity;
561 Options.MaxLen = Flags.max_len;
562 Options.ExperimentalLenControl = Flags.experimental_len_control;
563 Options.UnitTimeoutSec = Flags.timeout;
564 Options.ErrorExitCode = Flags.error_exitcode;
565 Options.TimeoutExitCode = Flags.timeout_exitcode;
566 Options.MaxTotalTimeSec = Flags.max_total_time;
567 Options.DoCrossOver = Flags.cross_over;
568 Options.MutateDepth = Flags.mutate_depth;
569 Options.UseCounters = Flags.use_counters;
570 Options.UseIndirCalls = Flags.use_indir_calls;
571 Options.UseMemmem = Flags.use_memmem;
572 Options.UseCmp = Flags.use_cmp;
573 Options.UseValueProfile = Flags.use_value_profile;
574 Options.Shrink = Flags.shrink;
575 Options.ReduceInputs = Flags.reduce_inputs;
576 Options.ShuffleAtStartUp = Flags.shuffle;
577 Options.PreferSmall = Flags.prefer_small;
578 Options.ReloadIntervalSec = Flags.reload;
579 Options.OnlyASCII = Flags.only_ascii;
580 Options.DetectLeaks = Flags.detect_leaks;
581 Options.PurgeAllocatorIntervalSec = Flags.purge_allocator_interval;
582 Options.TraceMalloc = Flags.trace_malloc;
583 Options.RssLimitMb = Flags.rss_limit_mb;
584 if (Flags.runs >= 0)
12
Assuming the condition is false
13
Taking false branch
585 Options.MaxNumberOfRuns = Flags.runs;
586 if (!Inputs->empty() && !Flags.minimize_crash_internal_step)
14
Assuming the condition is false
587 Options.OutputCorpus = (*Inputs)[0];
588 Options.ReportSlowUnits = Flags.report_slow_units;
589 if (Flags.artifact_prefix)
15
Assuming the condition is false
16
Taking false branch
590 Options.ArtifactPrefix = Flags.artifact_prefix;
591 if (Flags.exact_artifact_path)
17
Assuming the condition is false
18
Taking false branch
592 Options.ExactArtifactPath = Flags.exact_artifact_path;
593 Vector<Unit> Dictionary;
594 if (Flags.dict)
19
Assuming the condition is false
20
Taking false branch
595 if (!ParseDictionaryFile(FileToString(Flags.dict), &Dictionary))
596 return 1;
597 if (Flags.verbosity > 0 && !Dictionary.empty())
21
Assuming the condition is false
598 Printf("Dictionary: %zd entries\n", Dictionary.size());
599 bool DoPlainRun = AllInputsAreFiles();
600 Options.SaveArtifacts =
601 !DoPlainRun || Flags.minimize_crash_internal_step;
602 Options.PrintNewCovPcs = Flags.print_pcs;
603 Options.PrintNewCovFuncs = Flags.print_funcs;
604 Options.PrintFinalStats = Flags.print_final_stats;
605 Options.PrintCorpusStats = Flags.print_corpus_stats;
606 Options.PrintCoverage = Flags.print_coverage;
607 Options.DumpCoverage = Flags.dump_coverage;
608 Options.UseClangCoverage = Flags.use_clang_coverage;
609 Options.UseFeatureFrequency = Flags.use_feature_frequency;
610 if (Flags.exit_on_src_pos)
22
Assuming the condition is false
23
Taking false branch
611 Options.ExitOnSrcPos = Flags.exit_on_src_pos;
612 if (Flags.exit_on_item)
24
Assuming the condition is false
25
Taking false branch
613 Options.ExitOnItem = Flags.exit_on_item;
614
615 unsigned Seed = Flags.seed;
616 // Initialize Seed.
617 if (Seed == 0)
26
Assuming 'Seed' is not equal to 0
27
Taking false branch
618 Seed =
619 std::chrono::system_clock::now().time_since_epoch().count() + GetPid();
620 if (Flags.verbosity)
28
Assuming the condition is false
29
Taking false branch
621 Printf("INFO: Seed: %u\n", Seed);
622
623 Random Rand(Seed);
624 auto *MD = new MutationDispatcher(Rand, Options);
625 auto *Corpus = new InputCorpus(Options.OutputCorpus);
626 auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);
627
628 for (auto &U: Dictionary)
629 if (U.size() <= Word::GetMaxSize())
630 MD->AddWordToManualDictionary(Word(U.data(), U.size()));
631
632 StartRssThread(F, Flags.rss_limit_mb);
633
634 Options.HandleAbrt = Flags.handle_abrt;
635 Options.HandleBus = Flags.handle_bus;
636 Options.HandleFpe = Flags.handle_fpe;
637 Options.HandleIll = Flags.handle_ill;
638 Options.HandleInt = Flags.handle_int;
639 Options.HandleSegv = Flags.handle_segv;
640 Options.HandleTerm = Flags.handle_term;
641 Options.HandleXfsz = Flags.handle_xfsz;
642 Options.HandleUsr1 = Flags.handle_usr1;
643 Options.HandleUsr2 = Flags.handle_usr2;
644 SetSignalHandler(Options);
645
646 std::atexit(Fuzzer::StaticExitCallback);
647
648 if (Flags.minimize_crash)
30
Assuming the condition is false
31
Taking false branch
649 return MinimizeCrashInput(Args, Options);
650
651 if (Flags.minimize_crash_internal_step)
32
Assuming the condition is false
33
Taking false branch
652 return MinimizeCrashInputInternalStep(F, Corpus);
653
654 if (Flags.cleanse_crash)
34
Assuming the condition is false
35
Taking false branch
655 return CleanseCrashInput(Args, Options);
656
657 if (auto Name = Flags.run_equivalence_server) {
36
Assuming 'Name' is non-null
37
Taking true branch
658 SMR.Destroy(Name);
659 if (!SMR.Create(Name)) {
38
Assuming the condition is false
39
Taking false branch
660 Printf("ERROR: can't create shared memory region\n");
661 return 1;
662 }
663 Printf("INFO: EQUIVALENCE SERVER UP\n");
664 while (true) {
40
Loop condition is true. Entering loop body
665 SMR.WaitClient();
666 size_t Size = SMR.ReadByteArraySize();
667 SMR.WriteByteArray(nullptr, 0);
41
Passing null pointer value via 1st parameter 'Bytes'
42
Calling 'SharedMemoryRegion::WriteByteArray'
668 const Unit tmp(SMR.GetByteArray(), SMR.GetByteArray() + Size);
669 F->ExecuteCallback(tmp.data(), tmp.size());
670 SMR.PostServer();
671 }
672 return 0;
673 }
674
675 if (auto Name = Flags.use_equivalence_server) {
676 if (!SMR.Open(Name)) {
677 Printf("ERROR: can't open shared memory region\n");
678 return 1;
679 }
680 Printf("INFO: EQUIVALENCE CLIENT UP\n");
681 }
682
683 if (DoPlainRun) {
684 Options.SaveArtifacts = false;
685 int Runs = std::max(1, Flags.runs);
686 Printf("%s: Running %zd inputs %d time(s) each.\n", ProgName->c_str(),
687 Inputs->size(), Runs);
688 for (auto &Path : *Inputs) {
689 auto StartTime = system_clock::now();
690 Printf("Running: %s\n", Path.c_str());
691 for (int Iter = 0; Iter < Runs; Iter++)
692 RunOneTest(F, Path.c_str(), Options.MaxLen);
693 auto StopTime = system_clock::now();
694 auto MS = duration_cast<milliseconds>(StopTime - StartTime).count();
695 Printf("Executed %s in %zd ms\n", Path.c_str(), (long)MS);
696 }
697 Printf("***\n"
698 "*** NOTE: fuzzing was not performed, you have only\n"
699 "*** executed the target code on a fixed set of inputs.\n"
700 "***\n");
701 F->PrintFinalStats();
702 exit(0);
703 }
704
705 if (Flags.merge) {
706 F->CrashResistantMerge(Args, *Inputs,
707 Flags.load_coverage_summary,
708 Flags.save_coverage_summary,
709 Flags.merge_control_file);
710 exit(0);
711 }
712
713 if (Flags.merge_inner) {
714 const size_t kDefaultMaxMergeLen = 1 << 20;
715 if (Options.MaxLen == 0)
716 F->SetMaxInputLen(kDefaultMaxMergeLen);
717 assert(Flags.merge_control_file)(static_cast <bool> (Flags.merge_control_file) ? void (
0) : __assert_fail ("Flags.merge_control_file", "/build/llvm-toolchain-snapshot-6.0~svn318601/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp"
, 717, __extension__ __PRETTY_FUNCTION__))
;
718 F->CrashResistantMergeInternalStep(Flags.merge_control_file);
719 exit(0);
720 }
721
722 if (Flags.analyze_dict) {
723 size_t MaxLen = INT_MAX2147483647; // Large max length.
724 UnitVector InitialCorpus;
725 for (auto &Inp : *Inputs) {
726 Printf("Loading corpus dir: %s\n", Inp.c_str());
727 ReadDirToVectorOfUnits(Inp.c_str(), &InitialCorpus, nullptr,
728 MaxLen, /*ExitOnError=*/false);
729 }
730
731 if (Dictionary.empty() || Inputs->empty()) {
732 Printf("ERROR: can't analyze dict without dict and corpus provided\n");
733 return 1;
734 }
735 if (AnalyzeDictionary(F, Dictionary, InitialCorpus)) {
736 Printf("Dictionary analysis failed\n");
737 exit(1);
738 }
739 Printf("Dictionary analysis suceeded\n");
740 exit(0);
741 }
742
743 F->Loop(*Inputs);
744
745 if (Flags.verbosity)
746 Printf("Done %zd runs in %zd second(s)\n", F->getTotalNumberOfRuns(),
747 F->secondsSinceProcessStartUp());
748 F->PrintFinalStats();
749
750 exit(0); // Don't let F destroy itself.
751}
752
753// Storage for global ExternalFunctions object.
754ExternalFunctions *EF = nullptr;
755
756} // namespace fuzzer

/build/llvm-toolchain-snapshot-6.0~svn318601/projects/compiler-rt/lib/fuzzer/FuzzerShmem.h

1//===- FuzzerShmem.h - shared memory interface ------------------*- C++ -* ===//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9// SharedMemoryRegion
10//===----------------------------------------------------------------------===//
11
12#ifndef LLVM_FUZZER_SHMEM_H
13#define LLVM_FUZZER_SHMEM_H
14
15#include <algorithm>
16#include <cstring>
17#include <string>
18
19#include "FuzzerDefs.h"
20
21namespace fuzzer {
22
23class SharedMemoryRegion {
24 public:
25 bool Create(const char *Name);
26 bool Open(const char *Name);
27 bool Destroy(const char *Name);
28 uint8_t *GetData() { return Data; }
29 void PostServer() {Post(0);}
30 void WaitServer() {Wait(0);}
31 void PostClient() {Post(1);}
32 void WaitClient() {Wait(1);}
33
34 size_t WriteByteArray(const uint8_t *Bytes, size_t N) {
35 assert(N <= kShmemSize - sizeof(N))(static_cast <bool> (N <= kShmemSize - sizeof(N)) ? void
(0) : __assert_fail ("N <= kShmemSize - sizeof(N)", "/build/llvm-toolchain-snapshot-6.0~svn318601/projects/compiler-rt/lib/fuzzer/FuzzerShmem.h"
, 35, __extension__ __PRETTY_FUNCTION__))
;
36 memcpy(GetData(), &N, sizeof(N));
37 memcpy(GetData() + sizeof(N), Bytes, N);
43
Null pointer passed as an argument to a 'nonnull' parameter
38 assert(N == ReadByteArraySize())(static_cast <bool> (N == ReadByteArraySize()) ? void (
0) : __assert_fail ("N == ReadByteArraySize()", "/build/llvm-toolchain-snapshot-6.0~svn318601/projects/compiler-rt/lib/fuzzer/FuzzerShmem.h"
, 38, __extension__ __PRETTY_FUNCTION__))
;
39 return N;
40 }
41 size_t ReadByteArraySize() {
42 size_t Res;
43 memcpy(&Res, GetData(), sizeof(Res));
44 return Res;
45 }
46 uint8_t *GetByteArray() { return GetData() + sizeof(size_t); }
47
48 bool IsServer() const { return Data && IAmServer; }
49 bool IsClient() const { return Data && !IAmServer; }
50
51private:
52
53 static const size_t kShmemSize = 1 << 22;
54 bool IAmServer;
55 std::string Path(const char *Name);
56 std::string SemName(const char *Name, int Idx);
57 void Post(int Idx);
58 void Wait(int Idx);
59
60 bool Map(int fd);
61 uint8_t *Data = nullptr;
62 void *Semaphore[2];
63};
64
65extern SharedMemoryRegion SMR;
66
67} // namespace fuzzer
68
69#endif // LLVM_FUZZER_SHMEM_H