1 //===- FuzzerInternal.h - Internal header for the Fuzzer --------*- C++ -* ===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // Define the main class fuzzer::Fuzzer and most functions. 9 //===----------------------------------------------------------------------===// 10 11 #ifndef LLVM_FUZZER_INTERNAL_H 12 #define LLVM_FUZZER_INTERNAL_H 13 14 #include "FuzzerDataFlowTrace.h" 15 #include "FuzzerDefs.h" 16 #include "FuzzerExtFunctions.h" 17 #include "FuzzerInterface.h" 18 #include "FuzzerOptions.h" 19 #include "FuzzerSHA1.h" 20 #include "FuzzerValueBitMap.h" 21 #include <algorithm> 22 #include <atomic> 23 #include <chrono> 24 #include <climits> 25 #include <cstdlib> 26 #include <string.h> 27 28 namespace fuzzer { 29 30 using namespace std::chrono; 31 32 class Fuzzer { 33 public: 34 35 Fuzzer(UserCallback CB, InputCorpus &Corpus, MutationDispatcher &MD, 36 FuzzingOptions Options); 37 ~Fuzzer(); 38 void Loop(std::vector<SizedFile> &CorporaFiles); 39 void ReadAndExecuteSeedCorpora(std::vector<SizedFile> &CorporaFiles); 40 void MinimizeCrashLoop(const Unit &U); 41 void RereadOutputCorpus(size_t MaxSize); 42 43 size_t secondsSinceProcessStartUp() { 44 return duration_cast<seconds>(system_clock::now() - ProcessStartTime) 45 .count(); 46 } 47 48 bool TimedOut() { 49 return Options.MaxTotalTimeSec > 0 && 50 secondsSinceProcessStartUp() > 51 static_cast<size_t>(Options.MaxTotalTimeSec); 52 } 53 54 size_t execPerSec() { 55 size_t Seconds = secondsSinceProcessStartUp(); 56 return Seconds ? TotalNumberOfRuns / Seconds : 0; 57 } 58 59 size_t getTotalNumberOfRuns() { return TotalNumberOfRuns; } 60 61 static void StaticAlarmCallback(); 62 static void StaticCrashSignalCallback(); 63 static void StaticExitCallback(); 64 static void StaticInterruptCallback(); 65 static void StaticFileSizeExceedCallback(); 66 static void StaticGracefulExitCallback(); 67 68 void ExecuteCallback(const uint8_t *Data, size_t Size); 69 bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false, 70 InputInfo *II = nullptr, bool ForceAddToCorpus = false, 71 bool *FoundUniqFeatures = nullptr); 72 void TPCUpdateObservedPCs(); 73 74 // Merge Corpora[1:] into Corpora[0]. 75 void Merge(const std::vector<std::string> &Corpora); 76 void CrashResistantMergeInternalStep(const std::string &ControlFilePath, 77 bool IsSetCoverMerge); 78 MutationDispatcher &GetMD() { return MD; } 79 void PrintFinalStats(); 80 void SetMaxInputLen(size_t MaxInputLen); 81 void SetMaxMutationLen(size_t MaxMutationLen); 82 void RssLimitCallback(); 83 84 bool InFuzzingThread() const { return IsMyThread; } 85 size_t GetCurrentUnitInFuzzingThead(const uint8_t **Data) const; 86 void TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size, 87 bool DuringInitialCorpusExecution); 88 89 void HandleMalloc(size_t Size); 90 static void MaybeExitGracefully(); 91 std::string WriteToOutputCorpus(const Unit &U); 92 93 private: 94 void AlarmCallback(); 95 void CrashCallback(); 96 void ExitCallback(); 97 void CrashOnOverwrittenData(); 98 void InterruptCallback(); 99 void MutateAndTestOne(); 100 void PurgeAllocator(); 101 void ReportNewCoverage(InputInfo *II, const Unit &U); 102 void PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size); 103 void WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix); 104 void PrintStats(const char *Where, const char *End = "\n", size_t Units = 0, 105 size_t Features = 0); 106 void PrintStatusForNewUnit(const Unit &U, const char *Text); 107 void CheckExitOnSrcPosOrItem(); 108 109 static void StaticDeathCallback(); 110 void DumpCurrentUnit(const char *Prefix); 111 void DeathCallback(); 112 113 void AllocateCurrentUnitData(); 114 uint8_t *CurrentUnitData = nullptr; 115 std::atomic<size_t> CurrentUnitSize; 116 uint8_t BaseSha1[kSHA1NumBytes]; // Checksum of the base unit. 117 118 bool GracefulExitRequested = false; 119 120 size_t TotalNumberOfRuns = 0; 121 size_t NumberOfNewUnitsAdded = 0; 122 123 size_t LastCorpusUpdateRun = 0; 124 125 bool HasMoreMallocsThanFrees = false; 126 size_t NumberOfLeakDetectionAttempts = 0; 127 128 system_clock::time_point LastAllocatorPurgeAttemptTime = system_clock::now(); 129 130 UserCallback CB; 131 InputCorpus &Corpus; 132 MutationDispatcher &MD; 133 FuzzingOptions Options; 134 DataFlowTrace DFT; 135 136 system_clock::time_point ProcessStartTime = system_clock::now(); 137 system_clock::time_point UnitStartTime, UnitStopTime; 138 long TimeOfLongestUnitInSeconds = 0; 139 long EpochOfLastReadOfOutputCorpus = 0; 140 141 size_t MaxInputLen = 0; 142 size_t MaxMutationLen = 0; 143 size_t TmpMaxMutationLen = 0; 144 145 std::vector<uint32_t> UniqFeatureSetTmp; 146 147 // Need to know our own thread. 148 static thread_local bool IsMyThread; 149 }; 150 151 struct ScopedEnableMsanInterceptorChecks { 152 ScopedEnableMsanInterceptorChecks() { 153 if (EF->__msan_scoped_enable_interceptor_checks) 154 EF->__msan_scoped_enable_interceptor_checks(); 155 } 156 ~ScopedEnableMsanInterceptorChecks() { 157 if (EF->__msan_scoped_disable_interceptor_checks) 158 EF->__msan_scoped_disable_interceptor_checks(); 159 } 160 }; 161 162 struct ScopedDisableMsanInterceptorChecks { 163 ScopedDisableMsanInterceptorChecks() { 164 if (EF->__msan_scoped_disable_interceptor_checks) 165 EF->__msan_scoped_disable_interceptor_checks(); 166 } 167 ~ScopedDisableMsanInterceptorChecks() { 168 if (EF->__msan_scoped_enable_interceptor_checks) 169 EF->__msan_scoped_enable_interceptor_checks(); 170 } 171 }; 172 173 } // namespace fuzzer 174 175 #endif // LLVM_FUZZER_INTERNAL_H 176