Merge pull request #47 from anestisb/sancov-dev

Add sanitizer coverage feedback evolution support part2
google · Jan 14, 2016 · aeb4c4c · aeb4c4c
2 parents 2d484db + 70f2fbd
commit aeb4c4c
Show file tree

Hide file tree

Showing 12 changed files with 1,436 additions and 184 deletions.
diff --git a/cmdline.c b/cmdline.c
@@ -192,7 +192,12 @@ bool cmdlineParse(int argc, char *argv[], honggfuzz_t * hfuzz)
                    .customCnt = 0ULL,
                    },
         .sanCovCnts = {
-                       .pcCnt = 0ULL,  
+                       .hitBBCnt = 0ULL,
+                       .totalBBCnt = 0ULL,
+                       .dsoCnt = 0ULL,
+                       .iDsoCnt = 0ULL,
+                       .newBBCnt = 0ULL,
+                       .crashesCnt = 0ULL,
                       },
         .dynamicCutOffAddr = ~(0ULL),
         .dynamicFile_mutex = PTHREAD_MUTEX_INITIALIZER,
@@ -201,7 +206,17 @@ bool cmdlineParse(int argc, char *argv[], honggfuzz_t * hfuzz)
         .msanReportUMRS = false,
         .ignoreAddr = NULL,
         .useSanCov = false,
+        .covMetadata = NULL,
+        .clearCovMetadata = false,
         .dynFileIterExpire = _HF_MAX_DYNFILE_ITER,
+        .sanCov_mutex = PTHREAD_MUTEX_INITIALIZER,
+        .workersBlock_mutex = PTHREAD_MUTEX_INITIALIZER,
+        .sanOpts = { 
+                    .asanOpts = NULL,
+                    .msanOpts = NULL,
+                    .ubsanOpts = NULL,
+        },
+        .numMajorFrames = 7,
     };
     /*  *INDENT-ON* */
 

diff --git a/common.h b/common.h
@@ -71,6 +71,18 @@
 #define _HF_MAX_DYNFILE_ITER 0x2000UL
 #define _HF_DYNFILE_SUB_MASK 0xFFFUL    // Zero-set two MSB
 
+/* Bitmap size */
+#define _HF_BITMAP_SIZE 0xAFFFFF
+
+/* Directory in workspace to store sanitizer coverage data */
+#define _HF_SANCOV_DIR "HF_SANCOV"
+
+#if defined(__ANDROID__)
+#define _HF_MONITOR_SIGABRT 0
+#else
+#define _HF_MONITOR_SIGABRT 1
+#endif
+
 typedef enum {
     _HF_DYNFILE_NONE = 0x0,
     _HF_DYNFILE_INSTR_COUNT = 0x1,
@@ -88,10 +100,55 @@ typedef struct {
     uint64_t customCnt;
 } hwcnt_t;
 
+/* Sanitizer coverage specific data structures */
 typedef struct {
-    uint64_t pcCnt;
+    uint64_t hitBBCnt;
+    uint64_t totalBBCnt;
+    uint64_t dsoCnt;
+    uint64_t iDsoCnt;
+    uint64_t newBBCnt;
+    uint64_t crashesCnt;
 } sancovcnt_t;
 
+typedef struct {
+    uint32_t capacity;
+    uint32_t *pChunks;
+    uint32_t nChunks;
+} bitmap_t;
+
+/* Memory map struct */
+typedef struct __attribute__ ((packed)) {
+    uint64_t start;             // region start addr
+    uint64_t end;               // region end addr
+    uint64_t base;              // region base addr
+    char mapName[NAME_MAX];     // bin/DSO name
+    uint64_t bbCnt;
+    uint64_t newBBCnt;
+} memMap_t;
+
+/* Trie node data struct */
+typedef struct __attribute__ ((packed)) {
+    bitmap_t *pBM;
+} trieData_t;
+
+/* Trie node struct */
+typedef struct __attribute__ ((packed)) node {
+    char key;
+    trieData_t data;
+    struct node *next;
+    struct node *prev;
+    struct node *children;
+    struct node *parent;
+} node_t;
+
+/* EOF Sanitizer coverage specific data structures */
+
+typedef struct {
+    char *asanOpts;
+    char *msanOpts;
+    char *ubsanOpts;
+} sanOpts_t;
+
 typedef struct {
     char **cmdline;
     char *inputFile;
@@ -105,7 +162,7 @@ typedef struct {
     double flipRate;
     char *externalCommand;
     const char *dictionaryFile;
-    const char **dictionary;
+    char **dictionary;
     const char *blacklistFile;
     uint64_t *blacklist;
     size_t blacklistCnt;
@@ -143,7 +200,13 @@ typedef struct {
     bool msanReportUMRS;
     void *ignoreAddr;
     bool useSanCov;
+    node_t *covMetadata;
+    bool clearCovMetadata;
     size_t dynFileIterExpire;
+    pthread_mutex_t sanCov_mutex;
+    pthread_mutex_t workersBlock_mutex;
+    sanOpts_t sanOpts;
+    size_t numMajorFrames;
 } honggfuzz_t;
 
 typedef struct fuzzer_t {
@@ -164,6 +227,7 @@ typedef struct fuzzer_t {
     hwcnt_t hwCnts;
     sancovcnt_t sanCovCnts;
     size_t dynamicFileSz;
+    bool isDynFileLocked;
 } fuzzer_t;
 
 #define _HF_MAX_FUNCS 80

diff --git a/display.c b/display.c
@@ -144,8 +144,17 @@ static void display_displayLocked(honggfuzz_t * hfuzz)
 
     /* Sanitizer coverage specific counters */
     if (hfuzz->useSanCov) {
-        display_put("  - total #pc: " ESC_BOLD "%" PRIu64 ESC_RESET "\n",
-                    __sync_fetch_and_add(&hfuzz->sanCovCnts.pcCnt, 0UL));
+        uint64_t hitBB = __sync_fetch_and_add(&hfuzz->sanCovCnts.hitBBCnt, 0UL);
+        uint64_t totalBB = __sync_fetch_and_add(&hfuzz->sanCovCnts.totalBBCnt, 0UL);
+        uint8_t covPer = totalBB ? ((hitBB * 100) / totalBB) : 0;
+        display_put("  - total hit #bb:  " ESC_BOLD "%" PRIu64 ESC_RESET " (coverage %d%%)\n",
+                    hitBB, covPer);
+        display_put("  - total #dso:     " ESC_BOLD "%" PRIu64 ESC_RESET " (instrumented only)\n",
+                    __sync_fetch_and_add(&hfuzz->sanCovCnts.iDsoCnt, 0UL));
+        display_put("  - discovered #bb: " ESC_BOLD "%" PRIu64 ESC_RESET " (new from input seed)\n",
+                    __sync_fetch_and_add(&hfuzz->sanCovCnts.newBBCnt, 0UL));
+        display_put("  - crashes:        " ESC_BOLD "%" PRIu64 ESC_RESET "\n",
+                    __sync_fetch_and_add(&hfuzz->sanCovCnts.crashesCnt, 0UL));
     }
     display_put("============================== LOGS ==============================\n");
 }

diff --git a/files.c b/files.c
@@ -290,9 +290,9 @@ bool files_parseDictionary(honggfuzz_t * hfuzz)
         return false;
     }
 
+    char *lineptr = NULL;
+    size_t n = 0;
     for (;;) {
-        char *lineptr = NULL;
-        size_t n = 0;
         if (getdelim(&lineptr, &n, '\0', fDict) == -1) {
             break;
         }
@@ -302,16 +302,25 @@ bool files_parseDictionary(honggfuzz_t * hfuzz)
             PLOG_E("Realloc failed (sz=%zu)",
                    (hfuzz->dictionaryCnt + 1) * sizeof(hfuzz->dictionary[0]));
             fclose(fDict);
+            free(lineptr);
             return false;
         }
-        hfuzz->dictionary[hfuzz->dictionaryCnt] = lineptr;
+        hfuzz->dictionary[hfuzz->dictionaryCnt] = malloc(strlen(lineptr));
+        if (!hfuzz->dictionary[hfuzz->dictionaryCnt]) {
+            PLOG_E("malloc(%zu) failed", strlen(lineptr));
+            fclose(fDict);
+            free(lineptr);
+            return false;
+        }
+        strncpy(hfuzz->dictionary[hfuzz->dictionaryCnt], lineptr, strlen(lineptr));;
         LOG_D("Dictionary: loaded word: '%s' (len=%zu)",
               hfuzz->dictionary[hfuzz->dictionaryCnt],
               strlen(hfuzz->dictionary[hfuzz->dictionaryCnt]));
         hfuzz->dictionaryCnt += 1;
     }
     LOG_I("Loaded %zu words from the dictionary", hfuzz->dictionaryCnt);
     fclose(fDict);
+    free(lineptr);
     return true;
 }
 
@@ -412,9 +421,9 @@ bool files_parseBlacklist(honggfuzz_t * hfuzz)
         return false;
     }
 
+    char *lineptr = NULL;
+    size_t n = 0;
     for (;;) {
-        char *lineptr = NULL;
-        size_t n = 0;
         if (getline(&lineptr, &n, fBl) == -1) {
             break;
         }
@@ -425,6 +434,7 @@ bool files_parseBlacklist(honggfuzz_t * hfuzz)
             PLOG_E("realloc failed (sz=%zu)",
                    (hfuzz->blacklistCnt + 1) * sizeof(hfuzz->blacklist[0]));
             fclose(fBl);
+            free(lineptr);
             return false;
         }
 
@@ -437,6 +447,7 @@ bool files_parseBlacklist(honggfuzz_t * hfuzz)
                 LOG_F
                     ("Blacklist file not sorted. Use 'tools/createStackBlacklist.sh' to sort records");
                 fclose(fBl);
+                free(lineptr);
                 return false;
             }
         }
@@ -449,6 +460,7 @@ bool files_parseBlacklist(honggfuzz_t * hfuzz)
         LOG_F("Empty stack hashes blacklist file '%s'", hfuzz->blacklistFile);
     }
     fclose(fBl);
+    free(lineptr);
     return true;
 }