Add sanitizer coverage feedback evolution support part2 #47

Merged
merged 36 commits into from
Jan 14, 2016
Merged
97ac3bf
ANDROID: SIGABRT not important signal
anestisb Jan 3, 2016
a16f70f
SANCOV: Upgrade data collection
anestisb Jan 3, 2016
5a31141
SANCOV: Update dynFile counter after blacklist check
anestisb Jan 3, 2016
18891ab
ANDROID: Disable ASan abort_on_error
anestisb Jan 3, 2016
e97e944
Merge branch 'sancov' into sancov-dev
anestisb Jan 6, 2016
c34451a
ANDROID: ASan abort code change
anestisb Jan 7, 2016
1fd10c7
SANCOV: Thread safety improvements
anestisb Jan 7, 2016
b78cf60
SANCOV: Comments update
anestisb Jan 7, 2016
45cc1a2
Merge branch 'sancov' into sancov-dev
anestisb Jan 7, 2016
39bf6cf
ANDROID: ASan exitcode fixes
anestisb Jan 7, 2016
a6458d9
SANCOV: Fix newPC counter bug when initial runs
anestisb Jan 7, 2016
ac05480
SANCOV: Don't mangle 1st iteration
anestisb Jan 7, 2016
995b47b
Comments update
anestisb Jan 7, 2016
3e0ea96
LINUX: Cleanup sanitizer flags
anestisb Jan 8, 2016
267f0d8
SANCOV: Fix memory leaks & off-by-1 OOB
anestisb Jan 8, 2016
61b5ab1
LINUX: Refactor sanitizer flags
anestisb Jan 8, 2016
56ccf1d
LINUX: Make stack hash #MajorFrames dynamic
anestisb Jan 8, 2016
a1b0a65
LINUX: Add missing definition
anestisb Jan 8, 2016
ccdf28c
INDENT: Small edits so that OS X indent can be used
anestisb Jan 10, 2016
58c45d2
SANCOV: Log bitmap overflow for big target bins
anestisb Jan 10, 2016
3a8e16f
FILES: Fix memory leaks
anestisb Jan 10, 2016
e520810
LINUX: Add ASan report parsing
anestisb Jan 10, 2016
3a6de2c
LINUX: Don't save reports if abort enabled
anestisb Jan 10, 2016
ea0bcb6
LINUX: Fix ASan report parse memory leak
anestisb Jan 10, 2016
c28e5ed
LINUX: Add blacklist & ignoreAddr filterers to ASan exitcode crashes
anestisb Jan 10, 2016
6b43204
SANCOV: counter updates
anestisb Jan 10, 2016
7a53b07
LINUX: Remove dead macro
anestisb Jan 11, 2016
56e360f
SANCOV: Rename variables
anestisb Jan 11, 2016
7739272
SANCOV: Remove perf timer used for dev
anestisb Jan 11, 2016
ca556e6
LINUX: Fix ASan reports parsing bug
anestisb Jan 12, 2016
6ef24e4
PERF: Empty input seed checks
anestisb Jan 13, 2016
8e634c3
LINUX: Abstract SIGABRT monitor logic
anestisb Jan 13, 2016
c0d2830
LINUX: Increase #MajorFrames for non-sancov runs too
anestisb Jan 13, 2016
97633cc
LINUX: Clean-up verifier ASan reports pollution
anestisb Jan 13, 2016
e680477
make indent
anestisb Jan 13, 2016
70f2fbd
FILES: Fix dictionary parsing bug
anestisb Jan 14, 2016
17 changes: 16 additions & 1 deletion cmdline.c
Expand Up @@ -192,7 +192,12 @@ bool cmdlineParse(int argc, char *argv[], honggfuzz_t * hfuzz)
.customCnt = 0ULL,
},
.sanCovCnts = {
.pcCnt = 0ULL,
.hitBBCnt = 0ULL,
.totalBBCnt = 0ULL,
.dsoCnt = 0ULL,
.iDsoCnt = 0ULL,
.newBBCnt = 0ULL,
.crashesCnt = 0ULL,
},
.dynamicCutOffAddr = ~(0ULL),
.dynamicFile_mutex = PTHREAD_MUTEX_INITIALIZER,
Expand All @@ -201,7 +206,17 @@ bool cmdlineParse(int argc, char *argv[], honggfuzz_t * hfuzz)
.msanReportUMRS = false,
.ignoreAddr = NULL,
.useSanCov = false,
.covMetadata = NULL,
.clearCovMetadata = false,
.dynFileIterExpire = _HF_MAX_DYNFILE_ITER,
.sanCov_mutex = PTHREAD_MUTEX_INITIALIZER,
.workersBlock_mutex = PTHREAD_MUTEX_INITIALIZER,
.sanOpts = {
.asanOpts = NULL,
.msanOpts = NULL,
.ubsanOpts = NULL,
},
.numMajorFrames = 7,
};
/* *INDENT-ON* */

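Review bot: `.numMajorFrames = 7` in the second hunk is a bare magic number with no comment on what the seven frames bound, while the neighbouring default two lines above is a named macro (`_HF_MAX_DYNFILE_ITER`). Either give it a `#define` next to the other `_HF_` defaults in common.h or add a comment such as `/* default number of top stack frames folded into the crash stack hash */` — that role is inferred from the commit titles (56ccf1d, c0d2830), so confirm the wording. The initializer the first hunk belongs to opens before the visible lines.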
68 changes: 66 additions & 2 deletions common.h
Expand Up @@ -71,6 +71,18 @@
#define _HF_MAX_DYNFILE_ITER 0x2000UL
#define _HF_DYNFILE_SUB_MASK 0xFFFUL // Zero-set two MSB

/* Bitmap size */
#define _HF_BITMAP_SIZE 0xAFFFFF

/* Directory in workspace to store sanitizer coverage data */
#define _HF_SANCOV_DIR "HF_SANCOV"

#if defined(__ANDROID__)
#define _HF_MONITOR_SIGABRT 0
#else
#define _HF_MONITOR_SIGABRT 1
#endif

typedef enum {
_HF_DYNFILE_NONE = 0x0,
_HF_DYNFILE_INSTR_COUNT = 0x1,
Expand All @@ -88,10 +100,55 @@ typedef struct {
uint64_t customCnt;
} hwcnt_t;

/* Sanitizer coverage specific data structures */
typedef struct {
uint64_t pcCnt;
uint64_t hitBBCnt;
uint64_t totalBBCnt;
uint64_t dsoCnt;
uint64_t iDsoCnt;
uint64_t newBBCnt;
uint64_t crashesCnt;
} sancovcnt_t;

typedef struct {
uint32_t capacity;
uint32_t *pChunks;
uint32_t nChunks;
} bitmap_t;

/* Memory map struct */
typedef struct __attribute__ ((packed)) {
uint64_t start; // region start addr
uint64_t end; // region end addr
uint64_t base; // region base addr
char mapName[NAME_MAX]; // bin/DSO name
uint64_t bbCnt;
uint64_t newBBCnt;
} memMap_t;

/* Trie node data struct */
typedef struct __attribute__ ((packed)) {
bitmap_t *pBM;
} trieData_t;

/* Trie node struct */
typedef struct __attribute__ ((packed)) node {
char key;
trieData_t data;
struct node *next;
struct node *prev;
struct node *children;
struct node *parent;
} node_t;

/* EOF Sanitizer coverage specific data structures */

typedef struct {
char *asanOpts;
char *msanOpts;
char *ubsanOpts;
} sanOpts_t;

typedef struct {
char **cmdline;
char *inputFile;
Expand All @@ -105,7 +162,7 @@ typedef struct {
double flipRate;
char *externalCommand;
const char *dictionaryFile;
const char **dictionary;
char **dictionary;
const char *blacklistFile;
uint64_t *blacklist;
size_t blacklistCnt;
Expand Down Expand Up @@ -143,7 +200,13 @@ typedef struct {
bool msanReportUMRS;
void *ignoreAddr;
bool useSanCov;
node_t *covMetadata;
bool clearCovMetadata;
size_t dynFileIterExpire;
pthread_mutex_t sanCov_mutex;
pthread_mutex_t workersBlock_mutex;
sanOpts_t sanOpts;
size_t numMajorFrames;
} honggfuzz_t;

typedef struct fuzzer_t {
Expand All @@ -164,6 +227,7 @@ typedef struct fuzzer_t {
hwcnt_t hwCnts;
sancovcnt_t sanCovCnts;
size_t dynamicFileSz;
bool isDynFileLocked;
} fuzzer_t;

#define _HF_MAX_FUNCS 80
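Review bot: `memMap_t`, `trieData_t` and `node_t` are declared `__attribute__ ((packed))` with no comment on why, yet all three hold `uint64_t` or pointer members. Packing turns every access to those members into byte-wise loads and stores and, worse, makes `&map->start` or `&node->data.pBM` a misaligned pointer that any callee may dereference with a plain load — undefined behaviour, and a hard fault on strict-alignment targets, which matters given the `__ANDROID__` branch added a few lines earlier in the same file. Unless these structs are written out in their in-memory layout, drop `packed`; if they are, say so in a comment beside the attribute. Separately, `_HF_MONITOR_SIGABRT` would benefit from a one-line rationale, e.g. `/* SIGABRT is not monitored as a crash signal on Android (see commit 97ac3bf) */`.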
13 changes: 11 additions & 2 deletions display.c
Expand Up @@ -144,8 +144,17 @@ static void display_displayLocked(honggfuzz_t * hfuzz)

/* Sanitizer coverage specific counters */
if (hfuzz->useSanCov) {
display_put(" - total #pc: " ESC_BOLD "%" PRIu64 ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->sanCovCnts.pcCnt, 0UL));
uint64_t hitBB = __sync_fetch_and_add(&hfuzz->sanCovCnts.hitBBCnt, 0UL);
uint64_t totalBB = __sync_fetch_and_add(&hfuzz->sanCovCnts.totalBBCnt, 0UL);
uint8_t covPer = totalBB ? ((hitBB * 100) / totalBB) : 0;
display_put(" - total hit #bb: " ESC_BOLD "%" PRIu64 ESC_RESET " (coverage %d%%)\n",
hitBB, covPer);
display_put(" - total #dso: " ESC_BOLD "%" PRIu64 ESC_RESET " (instrumented only)\n",
__sync_fetch_and_add(&hfuzz->sanCovCnts.iDsoCnt, 0UL));
display_put(" - discovered #bb: " ESC_BOLD "%" PRIu64 ESC_RESET " (new from input seed)\n",
__sync_fetch_and_add(&hfuzz->sanCovCnts.newBBCnt, 0UL));
display_put(" - crashes: " ESC_BOLD "%" PRIu64 ESC_RESET "\n",
__sync_fetch_and_add(&hfuzz->sanCovCnts.crashesCnt, 0UL));
}
display_put("============================== LOGS ==============================\n");
}
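Review bot: `covPer` is narrowed to `uint8_t` after `hitBB` and `totalBB` are read by two separate `__sync_fetch_and_add` calls, so the pair is not a consistent snapshot; if the worker side (not visible here) ever bumps `hitBBCnt` before `totalBBCnt`, `hitBB * 100 / totalBB` can transiently exceed 100 and the narrowing wraps it modulo 256, printing a nonsense percentage. Keep the value full-width and print it as such: `unsigned covPer = totalBB ? (unsigned)((hitBB * 100) / totalBB) : 0;` together with `" (coverage %u%%)\n"`. The current `%d` with a `uint8_t` argument only works through integer promotion, so `%u` on an `unsigned` is also the cleaner match. display_displayLocked continues outside the hunk.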
22 changes: 17 additions & 5 deletions files.c
Expand Up @@ -290,9 +290,9 @@ bool files_parseDictionary(honggfuzz_t * hfuzz)
return false;
}

char *lineptr = NULL;
size_t n = 0;
for (;;) {
char *lineptr = NULL;
size_t n = 0;
if (getdelim(&lineptr, &n, '\0', fDict) == -1) {
break;
}
Expand All @@ -302,16 +302,25 @@ bool files_parseDictionary(honggfuzz_t * hfuzz)
PLOG_E("Realloc failed (sz=%zu)",
(hfuzz->dictionaryCnt + 1) * sizeof(hfuzz->dictionary[0]));
fclose(fDict);
free(lineptr);
return false;
}
hfuzz->dictionary[hfuzz->dictionaryCnt] = lineptr;
hfuzz->dictionary[hfuzz->dictionaryCnt] = malloc(strlen(lineptr));
if (!hfuzz->dictionary[hfuzz->dictionaryCnt]) {
PLOG_E("malloc(%zu) failed", strlen(lineptr));
fclose(fDict);
free(lineptr);
return false;
}
strncpy(hfuzz->dictionary[hfuzz->dictionaryCnt], lineptr, strlen(lineptr));;
LOG_D("Dictionary: loaded word: '%s' (len=%zu)",
hfuzz->dictionary[hfuzz->dictionaryCnt],
strlen(hfuzz->dictionary[hfuzz->dictionaryCnt]));
hfuzz->dictionaryCnt += 1;
}
LOG_I("Loaded %zu words from the dictionary", hfuzz->dictionaryCnt);
fclose(fDict);
free(lineptr);
return true;
}

Expand Down Expand Up @@ -412,9 +421,9 @@ bool files_parseBlacklist(honggfuzz_t * hfuzz)
return false;
}

char *lineptr = NULL;
size_t n = 0;
for (;;) {
char *lineptr = NULL;
size_t n = 0;
if (getline(&lineptr, &n, fBl) == -1) {
break;
}
Expand All @@ -425,6 +434,7 @@ bool files_parseBlacklist(honggfuzz_t * hfuzz)
PLOG_E("realloc failed (sz=%zu)",
(hfuzz->blacklistCnt + 1) * sizeof(hfuzz->blacklist[0]));
fclose(fBl);
free(lineptr);
return false;
}

Expand All @@ -437,6 +447,7 @@ bool files_parseBlacklist(honggfuzz_t * hfuzz)
LOG_F
("Blacklist file not sorted. Use 'tools/createStackBlacklist.sh' to sort records");
fclose(fBl);
free(lineptr);
return false;
}
}
Expand All @@ -449,6 +460,7 @@ bool files_parseBlacklist(honggfuzz_t * hfuzz)
LOG_F("Empty stack hashes blacklist file '%s'", hfuzz->blacklistFile);
}
fclose(fBl);
free(lineptr);
return true;
}

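Review bot: The new dictionary entry allocated with `malloc(strlen(lineptr))` is one byte short — `strlen` excludes the terminator — and the `strncpy(..., strlen(lineptr))` that follows copies exactly that many bytes and never writes a NUL, so the stored word is unterminated; the `strlen(hfuzz->dictionary[...])` in the `LOG_D` two lines later already reads past the allocation, and presumably every later consumer of the dictionary does the same. Since `getdelim` with a `'\0'` delimiter leaves `lineptr` NUL-terminated at the word's end, replace the `malloc`/`strncpy` pair with `hfuzz->dictionary[hfuzz->dictionaryCnt] = strdup(lineptr);` and keep the existing NULL check with its `PLOG_E` (the file already relies on POSIX via `getdelim`); that also removes the stray `;;`. files_parseDictionary opens before this hunk, and the `files_parseBlacklist` hunks below correctly hoist `lineptr` and free it on every exit path.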