honggfuzz: even more fields into substructs
robertswiecki committed Mar 7, 2018
1 parent 5e26bd9 commit a5b918a
Showing 16 changed files with 261 additions and 246 deletions.
121 changes: 63 additions & 58 deletions cmdline.c
Expand Up @@ -210,15 +210,15 @@ static bool cmdlineVerify(honggfuzz_t* hfuzz) {
hfuzz->threads.threadsMax = 1;
}

if (hfuzz->mutate.mutationsPerRun == 0U && hfuzz->useVerifier) {
if (hfuzz->mutate.mutationsPerRun == 0U && hfuzz->cfg.useVerifier) {
LOG_I("Verifier enabled with mutationsPerRun == 0, activating the dry run mode");
}

/*
* 'enableSanitizers' can be auto enabled when san_cov is used, although it's probably
* better to let user know about the features that each flag control.
*/
if ((hfuzz->dynFileMethod & _HF_DYNFILE_SANCOV) && !hfuzz->enableSanitizers) {
if ((hfuzz->feedback.dynFileMethod & _HF_DYNFILE_SANCOV) && !hfuzz->sanitizer.enable) {
LOG_E("Sanitizer coverage cannot be used without enabling sanitizers '-S/--sanitizers'");
return false;
}
Expand Down Expand Up @@ -290,20 +290,35 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
.serverSocket = -1,
.clientSocket = -1,
},
.useVerifier = false,
.blacklistFile = NULL,
.blacklistCnt = 0,
.blacklist = NULL,
.reportFile = NULL,
.skipFeedbackOnTimeout = false,
.enableSanitizers = false,
.cfg =
{
.useVerifier = false,
.exitUponCrash = false,
.report_mutex = PTHREAD_MUTEX_INITIALIZER,
.reportFile = NULL,
.dynFileIterExpire = 0,
#if defined(__ANDROID__)
.monitorSIGABRT = false,
.monitorSIGABRT = false,
#else
.monitorSIGABRT = true,
.monitorSIGABRT = true,
#endif
.exitUponCrash = false,

},
.sanitizer =
{
.enable = false,
.sanCov_mutex = PTHREAD_MUTEX_INITIALIZER,
.extSanOpts = NULL,
.covMetadata = NULL,
.sanCovCnts =
{
.hitBBCnt = 0ULL,
.totalBBCnt = 0ULL,
.dsoCnt = 0ULL,
.iDsoCnt = 0ULL,
.newBBCnt = 0ULL,
.crashesCnt = 0ULL,
},
},
.threads =
{
.threadsFinished = 0,
Expand All @@ -313,16 +328,23 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
.mainThread = pthread_self(),
.mainPid = getpid(),
},

.state = _HF_STATE_UNSET,
.feedback = NULL,
.bbFd = -1,

.dynfileqCnt = 0U,
.dynfileq_mutex = PTHREAD_RWLOCK_INITIALIZER,

.feedback_mutex = PTHREAD_MUTEX_INITIALIZER,

.feedback =
{
.feedbackMap = NULL,
.feedback_mutex = PTHREAD_MUTEX_INITIALIZER,
.bbFd = -1,
.blacklistFile = NULL,
.blacklist = NULL,
.blacklistCnt = 0,
.skipFeedbackOnTimeout = false,
.dynFileMethod = _HF_DYNFILE_SOFT,
},
.state =
{
.state = _HF_STATE_UNSET,
.dynfileqCnt = 0U,
.dynfileq_mutex = PTHREAD_RWLOCK_INITIALIZER,
},
.cnts =
{
.mutationsCnt = 0,
Expand All @@ -333,23 +355,6 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
.timeoutedCnt = 0,
},

.dynFileMethod = _HF_DYNFILE_SOFT,
.sanCovCnts =
{
.hitBBCnt = 0ULL,
.totalBBCnt = 0ULL,
.dsoCnt = 0ULL,
.iDsoCnt = 0ULL,
.newBBCnt = 0ULL,
.crashesCnt = 0ULL,
},

.sanCov_mutex = PTHREAD_MUTEX_INITIALIZER,
.extSanOpts = NULL,
.covMetadata = NULL,

.report_mutex = PTHREAD_MUTEX_INITIALIZER,

/* Linux code */
.linux =
{
Expand Down Expand Up @@ -383,7 +388,7 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
};
*hfuzz = tmp;

TAILQ_INIT(&hfuzz->dynfileq);
TAILQ_INIT(&hfuzz->state.dynfileq);
TAILQ_INIT(&hfuzz->mutate.dictq);

// clang-format off
Expand Down Expand Up @@ -477,7 +482,7 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
}
break;
case 'x':
hfuzz->dynFileMethod = _HF_DYNFILE_NONE;
hfuzz->feedback.dynFileMethod = _HF_DYNFILE_NONE;
break;
case 'Q':
hfuzz->exe.nullifyStdio = false;
Expand All @@ -486,7 +491,7 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
hfuzz->display.useScreen = false;
break;
case 'V':
hfuzz->useVerifier = true;
hfuzz->cfg.useVerifier = true;
break;
case 's':
hfuzz->exe.fuzzStdin = true;
Expand Down Expand Up @@ -525,20 +530,20 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
hfuzz->exe.externalCommand = optarg;
break;
case 'C':
hfuzz->dynFileMethod |= _HF_DYNFILE_SANCOV;
hfuzz->feedback.dynFileMethod |= _HF_DYNFILE_SANCOV;
break;
case 'S':
hfuzz->enableSanitizers = true;
hfuzz->sanitizer.enable = true;
break;
case 0x10A:
hfuzz->extSanOpts = optarg;
hfuzz->sanitizer.extSanOpts = optarg;
break;
case 0x10B:
hfuzz->socketFuzzer.enabled = true;
hfuzz->timing.tmOut = 0; // Disable process timeout checks
break;
case 'z':
hfuzz->dynFileMethod |= _HF_DYNFILE_SOFT;
hfuzz->feedback.dynFileMethod |= _HF_DYNFILE_SOFT;
break;
case 'F':
hfuzz->mutate.maxFileSz = strtoul(optarg, NULL, 0);
Expand All @@ -547,7 +552,7 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
hfuzz->timing.tmOut = atol(optarg);
break;
case 'R':
hfuzz->reportFile = optarg;
hfuzz->cfg.reportFile = optarg;
break;
case 'n':
hfuzz->threads.threadsMax = atol(optarg);
Expand Down Expand Up @@ -575,16 +580,16 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
break;
case 0x105:
if ((strcasecmp(optarg, "0") == 0) || (strcasecmp(optarg, "false") == 0)) {
hfuzz->monitorSIGABRT = false;
hfuzz->cfg.monitorSIGABRT = false;
} else {
hfuzz->monitorSIGABRT = true;
hfuzz->cfg.monitorSIGABRT = true;
}
break;
case 0x106:
hfuzz->skipFeedbackOnTimeout = true;
hfuzz->feedback.skipFeedbackOnTimeout = true;
break;
case 0x107:
hfuzz->exitUponCrash = true;
hfuzz->cfg.exitUponCrash = true;
break;
case 0x108:
hfuzz->exe.clearEnv = true;
Expand Down Expand Up @@ -621,7 +626,7 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
hfuzz->mutate.dictionaryFile = optarg;
break;
case 'B':
hfuzz->blacklistFile = optarg;
hfuzz->feedback.blacklistFile = optarg;
break;
#if defined(_HF_ARCH_LINUX)
case 0x500:
Expand All @@ -640,16 +645,16 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
hfuzz->linux.symsWlFile = optarg;
break;
case 0x510:
hfuzz->dynFileMethod |= _HF_DYNFILE_INSTR_COUNT;
hfuzz->feedback.dynFileMethod |= _HF_DYNFILE_INSTR_COUNT;
break;
case 0x511:
hfuzz->dynFileMethod |= _HF_DYNFILE_BRANCH_COUNT;
hfuzz->feedback.dynFileMethod |= _HF_DYNFILE_BRANCH_COUNT;
break;
case 0x513:
hfuzz->dynFileMethod |= _HF_DYNFILE_BTS_EDGE;
hfuzz->feedback.dynFileMethod |= _HF_DYNFILE_BTS_EDGE;
break;
case 0x514:
hfuzz->dynFileMethod |= _HF_DYNFILE_IPT_BLOCK;
hfuzz->feedback.dynFileMethod |= _HF_DYNFILE_IPT_BLOCK;
break;
case 0x515:
hfuzz->linux.kernelOnly = true;
Expand Down Expand Up @@ -706,7 +711,7 @@ bool cmdlineParse(int argc, char* argv[], honggfuzz_t* hfuzz) {
(int)hfuzz->timing.runEndTime, (long)hfuzz->timing.tmOut, hfuzz->mutate.mutationsMax,
hfuzz->threads.threadsMax, hfuzz->io.fileExtn, hfuzz->exe.asLimit, hfuzz->exe.rssLimit,
hfuzz->exe.dataLimit, hfuzz->exe.cmdline[0], hfuzz->linux.pid,
cmdlineYesNo(hfuzz->monitorSIGABRT));
cmdlineYesNo(hfuzz->cfg.monitorSIGABRT));

return true;
}
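Review bot: The new `.state` substruct initialised in cmdlineParse as `.state = { .state = _HF_STATE_UNSET, ... }` exposes the run state as `hfuzz->state.state`, which reads awkwardly at the use sites (display.c now has `ATOMIC_GET(hfuzz->state.state)`); naming the member for what it holds, e.g. `.state = { .runState = _HF_STATE_UNSET, ... }` accessed as `hfuzz->state.runState`, would avoid the doubled word. The same substruct now groups `dynfileqCnt` and `dynfileq` with `dynfileq_mutex`, and the `feedback` substruct pairs `feedbackMap`/`bbFd` with `feedback_mutex`; a short comment on each substruct in the header that defines honggfuzz_t stating which lock (or ATOMIC_* access) guards which member would make the intended protection explicit, since display.c appears to read `state.dynfileqCnt` without either. cmdlineParse begins and ends outside the visible hunks.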
28 changes: 14 additions & 14 deletions display.c
Expand Up @@ -157,7 +157,7 @@ static void display_displayLocked(honggfuzz_t* hfuzz) {
display_put(" (out of: " ESC_BOLD "%" _HF_NONMON_SEP "zu" ESC_RESET " [%.2f%%])",
hfuzz->mutate.mutationsMax, exeProgress);
}
switch (ATOMIC_GET(hfuzz->state)) {
switch (ATOMIC_GET(hfuzz->state.state)) {
case _HF_STATE_STATIC:
display_put("\n Mode : " ESC_BOLD "Static" ESC_RESET "\n");
break;
Expand Down Expand Up @@ -210,31 +210,31 @@ static void display_displayLocked(honggfuzz_t* hfuzz) {
display_put(" Corpus Size : " ESC_BOLD "%" _HF_NONMON_SEP "zu" ESC_RESET ", max size: " ESC_BOLD
"%" _HF_NONMON_SEP "zu" ESC_RESET " bytes, init dir: " ESC_BOLD "%" _HF_NONMON_SEP
"zu" ESC_RESET " files\n",
hfuzz->dynfileqCnt, hfuzz->mutate.maxFileSz, ATOMIC_GET(hfuzz->io.fileCnt));
hfuzz->state.dynfileqCnt, hfuzz->mutate.maxFileSz, ATOMIC_GET(hfuzz->io.fileCnt));
display_put(" Cov Update : " ESC_BOLD "%s" ESC_RESET " ago\n" ESC_RESET, lastCovStr);
display_put(" Coverage :");

/* HW perf specific counters */
if (hfuzz->dynFileMethod == 0) {
if (hfuzz->feedback.dynFileMethod == 0) {
display_put(" [none]");
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_INSTR_COUNT) {
if (hfuzz->feedback.dynFileMethod & _HF_DYNFILE_INSTR_COUNT) {
display_put(" hwi: " ESC_BOLD "%" _HF_NONMON_SEP PRIu64 ESC_RESET,
ATOMIC_GET(hfuzz->linux.hwCnts.cpuInstrCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_BRANCH_COUNT) {
if (hfuzz->feedback.dynFileMethod & _HF_DYNFILE_BRANCH_COUNT) {
display_put(" hwb: " ESC_BOLD "%" _HF_NONMON_SEP PRIu64 ESC_RESET,
ATOMIC_GET(hfuzz->linux.hwCnts.cpuBranchCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_BTS_EDGE) {
if (hfuzz->feedback.dynFileMethod & _HF_DYNFILE_BTS_EDGE) {
display_put(" bts: " ESC_BOLD "%" _HF_NONMON_SEP PRIu64 ESC_RESET,
ATOMIC_GET(hfuzz->linux.hwCnts.bbCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_IPT_BLOCK) {
if (hfuzz->feedback.dynFileMethod & _HF_DYNFILE_IPT_BLOCK) {
display_put(" ipt: " ESC_BOLD "%" _HF_NONMON_SEP PRIu64 ESC_RESET,
ATOMIC_GET(hfuzz->linux.hwCnts.bbCnt));
}
if (hfuzz->dynFileMethod & _HF_DYNFILE_SOFT) {
if (hfuzz->feedback.dynFileMethod & _HF_DYNFILE_SOFT) {
uint64_t softCntPc = ATOMIC_GET(hfuzz->linux.hwCnts.softCntPc);
uint64_t softCntEdge = ATOMIC_GET(hfuzz->linux.hwCnts.softCntEdge);
uint64_t softCntCmp = ATOMIC_GET(hfuzz->linux.hwCnts.softCntCmp);
Expand All @@ -244,19 +244,19 @@ static void display_displayLocked(honggfuzz_t* hfuzz) {
}

/* Sanitizer coverage specific counters */
if (hfuzz->dynFileMethod & _HF_DYNFILE_SANCOV) {
uint64_t hitBB = ATOMIC_GET(hfuzz->sanCovCnts.hitBBCnt);
uint64_t totalBB = ATOMIC_GET(hfuzz->sanCovCnts.totalBBCnt);
if (hfuzz->feedback.dynFileMethod & _HF_DYNFILE_SANCOV) {
uint64_t hitBB = ATOMIC_GET(hfuzz->sanitizer.sanCovCnts.hitBBCnt);
uint64_t totalBB = ATOMIC_GET(hfuzz->sanitizer.sanCovCnts.totalBBCnt);
float covPer = totalBB ? (((float)hitBB * 100) / totalBB) : 0.0;
display_put(" #sancov_bb: " ESC_BOLD "%" _HF_NONMON_SEP PRIu64 ESC_RESET " (cov: " ESC_BOLD
"%.2f" ESC_RESET "%%)",
hitBB, covPer);
display_put(" #dso: " ESC_BOLD "%" _HF_NONMON_SEP PRIu64 ESC_RESET,
ATOMIC_GET(hfuzz->sanCovCnts.iDsoCnt));
ATOMIC_GET(hfuzz->sanitizer.sanCovCnts.iDsoCnt));
display_put(" #newbb: " ESC_BOLD "%" _HF_NONMON_SEP PRIu64 ESC_RESET,
ATOMIC_GET(hfuzz->sanCovCnts.newBBCnt));
ATOMIC_GET(hfuzz->sanitizer.sanCovCnts.newBBCnt));
display_put(" #crashes: " ESC_BOLD "%" _HF_NONMON_SEP PRIu64 ESC_RESET,
ATOMIC_GET(hfuzz->sanCovCnts.crashesCnt));
ATOMIC_GET(hfuzz->sanitizer.sanCovCnts.crashesCnt));
}
display_put("\n---------------------------------- [ " ESC_BOLD "LOGS" ESC_RESET
" ] ------------------/ " ESC_BOLD "%s %s " ESC_RESET "/-",
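Review bot: On the Corpus Size line `hfuzz->state.dynfileqCnt` is passed as a plain read while the neighbouring `ATOMIC_GET(hfuzz->io.fileCnt)` in the same display_put call goes through ATOMIC_GET. The commit only renames the field, but the counter now sits next to `dynfileq_mutex` in the `state` substruct and is presumably updated by the fuzzing threads, so a non-atomic read from the display thread is a data race (undefined behaviour in C11) even if the worst practical outcome is a stale corpus count on screen. Suggest `ATOMIC_GET(hfuzz->state.dynfileqCnt)` for consistency with the other counters rendered here, or a comment noting which lock the caller of display_displayLocked holds if that is what makes the read safe. display_displayLocked begins and ends outside the visible hunks.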