/// Mutates *U in place up to Options.MutateDepth times, running the target
/// after every non-empty mutation.
///
/// Each mutated input for which RunOne reports new coverage is appended to
/// Corpus, counted, optionally logged, and passed to WriteToOutputCorpus.
/// When Options.ExitOnFirst is set the process exits with status 0 right
/// after the first such input has been handled.
///
/// \param U unit to mutate; it is modified in place and keeps accumulating
///          mutations across iterations.
/// \returns the number of units added to Corpus during this call.
size_t Fuzzer::MutateAndTestOne(Unit *U) {
  size_t Added = 0;
  for (size_t Depth = 0; Depth < Options.MutateDepth; ++Depth) {
    Mutate(U, Options.MaxLen);
    // A mutation that empties the unit is skipped, not executed.
    if (U->empty())
      continue;

    const size_t Gain = RunOne(*U);
    if (!Gain)
      continue;

    Corpus.push_back(*U);
    ++Added;

    if (Options.Verbosity) {
      std::cerr << "#" << TotalNumberOfRuns << "\tNEW: " << Gain
                << " L: " << U->size() << "\t";
      // Only short units are echoed to the log.
      if (U->size() < 30) {
        PrintASCII(*U);
        std::cerr << "\t";
        Print(*U);
      }
      std::cerr << "\n";
    }

    WriteToOutputCorpus(*U);
    if (Options.ExitOnFirst)
      exit(0);
  }
  return Added;
}
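/// Timeout check for the unit currently being executed.
///
/// Does nothing until a unit is in flight (CurrentUnitSize != 0) and at least
/// one whole second has elapsed since UnitStartTime. Once the elapsed time
/// reaches Options.UnitTimeoutSec it reports the timeout, hands the offending
/// input to WriteUnitToFileWithPrefix with the "timeout-" prefix, prints a
/// stack trace when the sanitizer hook is available, and terminates the
/// process: abort() if Options.AbortOnTimeout is set, otherwise
/// exit(Options.TimeoutExitCode).
///
/// NOTE(review): how this callback is invoked is not visible here. If it runs
/// in signal context, Printf/exit are not async-signal-safe; confirm.
void Fuzzer::AlarmCallback() {
  assert(Options.UnitTimeoutSec > 0);
  if (!CurrentUnitSize)
    return; // We have not started running units yet.
  size_t Seconds =
      duration_cast<seconds>(system_clock::now() - UnitStartTime).count();
  if (Seconds == 0)
    return;
  if (Options.Verbosity >= 2)
    Printf("AlarmCallback %zd\n", Seconds);
  if (Seconds >= static_cast<size_t>(Options.UnitTimeoutSec)) {
    Printf("ALARM: working on the last Unit for %zd seconds\n", Seconds);
    Printf("       and the timeout value is %d (use -timeout=N to change)\n",
           Options.UnitTimeoutSec);
    // Large inputs are not echoed to the log; they are still saved below.
    if (CurrentUnitSize <= kMaxUnitSizeToPrint) {
      PrintHexArray(CurrentUnitData, CurrentUnitSize, "\n");
      PrintASCII(CurrentUnitData, CurrentUnitSize, "\n");
    }
    WriteUnitToFileWithPrefix(
        {CurrentUnitData, CurrentUnitData + CurrentUnitSize}, "timeout-");
    // Seconds is a size_t, so it is formatted with %zd like the messages
    // above. Passing it to %d makes the variadic call read it as an int,
    // which is a format/argument mismatch where size_t is wider than int.
    Printf("==%d== ERROR: libFuzzer: timeout after %zd seconds\n", GetPid(),
           Seconds);
    // The hook is only called when the symbol is non-null.
    if (__sanitizer_print_stack_trace)
      __sanitizer_print_stack_trace();
    Printf("SUMMARY: libFuzzer: timeout\n");
    if (Options.AbortOnTimeout)
      abort();
    exit(Options.TimeoutExitCode);
  }
}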
/// Logs the unit currently being executed and saves it as an artifact.
///
/// The hex and ASCII renderings are printed only when the unit is no larger
/// than kMaxUnitSizeToPrint; the bytes are passed to
/// WriteUnitToFileWithPrefix regardless of size.
///
/// \param Prefix prefix forwarded to WriteUnitToFileWithPrefix.
void Fuzzer::DumpCurrentUnit(const char *Prefix) {
  const bool SmallEnoughToPrint = CurrentUnitSize <= kMaxUnitSizeToPrint;
  if (SmallEnoughToPrint) {
    PrintHexArray(CurrentUnitData, CurrentUnitSize, "\n");
    PrintASCII(CurrentUnitData, CurrentUnitSize, "\n");
  }
  // The braced pair is the [begin, end) byte range of the current unit.
  WriteUnitToFileWithPrefix(
      {CurrentUnitData, CurrentUnitData + CurrentUnitSize}, Prefix);
}
/// Prints a unit either as ASCII or, when tokens are configured, in its
/// token-substituted form.
///
/// \param U          unit to print.
/// \param PrintAfter string emitted immediately after the unit.
void Fuzzer::PrintUnitInASCIIOrTokens(const Unit &U, const char *PrintAfter) {
  if (!Options.Tokens.empty()) {
    auto Rendered = SubstituteTokens(U);
    // Append a terminating zero so the buffer can be printed through %s.
    // A zero byte already inside the buffer ends the printed text early.
    Rendered.push_back(0);
    Printf("%s%s", Rendered.data(), PrintAfter);
    return;
  }
  PrintASCII(U, PrintAfter);
}
/// Records the input that was executing when the process is about to die.
///
/// Returns immediately when no unit is in flight (CurrentUnitSize is zero).
/// Otherwise prints a "DEATH:" marker, echoes the unit in hex and ASCII when
/// it is no larger than kMaxUnitSizeToPrint, and passes the bytes to
/// WriteUnitToFileWithPrefix with the "crash-" prefix.
void Fuzzer::DeathCallback() {
  if (CurrentUnitSize == 0)
    return;

  Printf("DEATH:\n");

  const bool SmallEnoughToPrint = CurrentUnitSize <= kMaxUnitSizeToPrint;
  if (SmallEnoughToPrint) {
    PrintHexArray(CurrentUnitData, CurrentUnitSize, "\n");
    PrintASCII(CurrentUnitData, CurrentUnitSize, "\n");
  }

  // The input is saved whether or not it was small enough to print.
  WriteUnitToFileWithPrefix(
      {CurrentUnitData, CurrentUnitData + CurrentUnitSize}, "crash-");
}
/// Alarm handler: reports how long the current unit has been running and
/// exits the process with status 1.
///
/// When the unit has been running for at least 3 seconds it is also printed
/// (hex and ASCII) and handed to WriteToCrash with the "timeout-" prefix
/// before exiting. The exit happens on every invocation, whatever the
/// elapsed time.
void Fuzzer::AlarmCallback() {
  const auto Elapsed = system_clock::now() - UnitStartTime;
  size_t Seconds = duration_cast<seconds>(Elapsed).count();

  std::cerr << "ALARM: working on the last Unit for " << Seconds << " seconds"
            << std::endl;

  const bool LongRunning = Seconds >= 3;
  if (LongRunning) {
    Print(CurrentUnit, "\n");
    PrintASCII(CurrentUnit, "\n");
    WriteToCrash(CurrentUnit, "timeout-");
  }

  exit(1);
}
/// Prints the mutation sequence recorded in CurrentMutatorSequence.
///
/// Output is "MS: <count> " followed by each mutator name and a '-'. When
/// CurrentDictionaryEntrySequence is non-empty, " DE: " and each entry's
/// word in double quotes (followed by '-') are appended.
void MutationDispatcher::PrintMutationSequence() {
  Printf("MS: %zd ", CurrentMutatorSequence.size());
  for (const auto &Mutator : CurrentMutatorSequence)
    Printf("%s-", Mutator.Name);

  if (CurrentDictionaryEntrySequence.empty())
    return;

  Printf(" DE: ");
  // Entries in this sequence are dereferenced with ->, not accessed by value.
  for (const auto &Entry : CurrentDictionaryEntrySequence) {
    Printf("\"");
    PrintASCII(Entry->GetW(), "\"-");
  }
}
/// Prints the mutation sequence recorded in MDImpl->CurrentMutatorSequence.
///
/// Output is "MS: <count> " followed by each mutator name and a '-'. When
/// MDImpl->CurrentDictionaryEntrySequence is non-empty, " DE: " and each
/// entry's word W in double quotes (followed by '-') are appended.
void MutationDispatcher::PrintMutationSequence() {
  Printf("MS: %zd ", MDImpl->CurrentMutatorSequence.size());
  for (const auto &Mutator : MDImpl->CurrentMutatorSequence)
    Printf("%s-", Mutator.Name);

  if (MDImpl->CurrentDictionaryEntrySequence.empty())
    return;

  Printf(" DE: ");
  for (auto &Entry : MDImpl->CurrentDictionaryEntrySequence) {
    Printf("\"");
    PrintASCII(Entry.W, "\"-");
  }
}
/// Prints the words of MDImpl->PersistentAutoDictionary that are not already
/// in MDImpl->ManualDictionary.
///
/// Prints nothing when every word is already present. Otherwise each word is
/// printed in double quotes on its own line between a header and a footer
/// banner.
void MutationDispatcher::PrintRecommendedDictionary() {
  std::vector<Word> Missing;
  for (auto &Entry : MDImpl->PersistentAutoDictionary) {
    if (MDImpl->ManualDictionary.ContainsWord(Entry.W))
      continue;
    Missing.push_back(Entry.W);
  }

  if (Missing.empty())
    return;

  Printf("###### Recommended dictionary. ######\n");
  for (auto &W : Missing) {
    Printf("\"");
    PrintASCII(W, "\"\n");
  }
  Printf("###### End of recommended dictionary. ######\n");
}
/// Prints the entries of PersistentAutoDictionary whose word is not already
/// in ManualDictionary, together with each entry's use count.
///
/// Prints nothing when every word is already present. Otherwise each entry
/// is printed as a double-quoted word followed by " # Uses: <count>" between
/// a header and a footer banner.
void MutationDispatcher::PrintRecommendedDictionary() {
  std::vector<DictionaryEntry> Missing;
  for (auto &Entry : PersistentAutoDictionary) {
    if (ManualDictionary.ContainsWord(Entry.GetW()))
      continue;
    Missing.push_back(Entry);
  }

  if (Missing.empty())
    return;

  Printf("###### Recommended dictionary. ######\n");
  for (auto &Entry : Missing) {
    Printf("\"");
    PrintASCII(Entry.GetW(), "\"");
    Printf(" # Uses: %zd\n", Entry.GetUseCount());
  }
  Printf("###### End of recommended dictionary. ######\n");
}
/// Prints a unit through PrintASCII.
///
/// \param U          unit to print.
/// \param PrintAfter string forwarded to PrintASCII unchanged.
void Fuzzer::PrintUnitInASCII(const Unit &U, const char *PrintAfter) {
  // Pure forwarder: no state of the Fuzzer object is read here.
  return PrintASCII(U, PrintAfter);
}
/// Convenience overload: prints a whole Unit by forwarding its data pointer
/// and size to the (pointer, size, PrintAfter) overload.
///
/// \param U          unit to print.
/// \param PrintAfter string forwarded unchanged.
void PrintASCII(const Unit &U, const char *PrintAfter) {
  const auto *Bytes = U.data();
  const auto Count = U.size();
  PrintASCII(Bytes, Count, PrintAfter);
}
/// Convenience overload: prints a Word by forwarding its data pointer and
/// size to the (pointer, size, PrintAfter) overload.
///
/// \param W          word to print.
/// \param PrintAfter string forwarded unchanged.
void PrintASCII(const Word &W, const char *PrintAfter) {
  const auto *Bytes = W.data();
  const auto Count = W.size();
  PrintASCII(Bytes, Count, PrintAfter);
}
/// Records the current unit when the process is about to die.
///
/// Writes a "DEATH: " marker to std::cerr, prints CurrentUnit in hex and
/// ASCII, and hands it to WriteToCrash with the "crash-" prefix. There is no
/// size limit on what gets printed and no check that a unit is in flight.
void Fuzzer::DeathCallback() {
  std::cerr << "DEATH: " << std::endl;

  const auto &Crasher = CurrentUnit;
  Print(Crasher, "\n");
  PrintASCII(Crasher, "\n");
  WriteToCrash(Crasher, "crash-");
}