void Fuzzer::Loop() {
while (true) {
size_t J1 = ChooseUnitIdxToMutate();;
SyncCorpus();
RereadOutputCorpus();
if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
return;
if (Options.MaxTotalTimeSec > 0 &&
secondsSinceProcessStartUp() >
static_cast<size_t>(Options.MaxTotalTimeSec))
return;
CurrentUnit = Corpus[J1];
// Optionally, cross with another unit.
if (Options.DoCrossOver && USF.GetRand().RandBool()) {
size_t J2 = ChooseUnitIdxToMutate();
if (!Corpus[J1].empty() && !Corpus[J2].empty()) {
assert(!Corpus[J2].empty());
CurrentUnit.resize(Options.MaxLen);
size_t NewSize = USF.CrossOver(
Corpus[J1].data(), Corpus[J1].size(), Corpus[J2].data(),
Corpus[J2].size(), CurrentUnit.data(), CurrentUnit.size());
assert(NewSize > 0 && "CrossOver returned empty unit");
assert(NewSize <= (size_t)Options.MaxLen &&
"CrossOver returned overisized unit");
CurrentUnit.resize(NewSize);
}
}
// Perform several mutations and runs.
MutateAndTestOne(&CurrentUnit);
}
}
void Fuzzer::PrintStats(const char *Where, const char *End) {
size_t Seconds = secondsSinceProcessStartUp();
size_t ExecPerSec = (Seconds ? TotalNumberOfRuns / Seconds : 0);
if (Options.OutputCSV) {
static bool csvHeaderPrinted = false;
if (!csvHeaderPrinted) {
csvHeaderPrinted = true;
Printf("runs,block_cov,bits,cc_cov,corpus,execs_per_sec,tbms,reason\n");
}
Printf("%zd,%zd,%zd,%zd,%zd,%zd,%zd,%s\n", TotalNumberOfRuns,
LastRecordedBlockCoverage, TotalBits(),
LastRecordedCallerCalleeCoverage, Corpus.size(), ExecPerSec,
TotalNumberOfExecutedTraceBasedMutations, Where);
}
if (!Options.Verbosity)
return;
Printf("#%zd\t%s", TotalNumberOfRuns, Where);
if (LastRecordedBlockCoverage)
Printf(" cov: %zd", LastRecordedBlockCoverage);
if (auto TB = TotalBits())
Printf(" bits: %zd", TB);
if (LastRecordedCallerCalleeCoverage)
Printf(" indir: %zd", LastRecordedCallerCalleeCoverage);
Printf(" units: %zd exec/s: %zd", Corpus.size(), ExecPerSec);
if (TotalNumberOfExecutedTraceBasedMutations)
Printf(" tbm: %zd", TotalNumberOfExecutedTraceBasedMutations);
Printf("%s", End);
}
void Fuzzer::PrintStats(const char *Where, size_t Cov, const char *End) {
if (!Options.Verbosity) return;
size_t Seconds = secondsSinceProcessStartUp();
size_t ExecPerSec = (Seconds ? TotalNumberOfRuns / Seconds : 0);
Printf("#%zd\t%s cov %zd bits %zd units %zd exec/s %zd %s", TotalNumberOfRuns,
Where, Cov, TotalBits(), Corpus.size(), ExecPerSec, End);
}
void Fuzzer::PrintStats(const char *Where, size_t Cov, const char *End) {
if (!Options.Verbosity) return;
size_t Seconds = secondsSinceProcessStartUp();
size_t ExecPerSec = (Seconds ? TotalNumberOfRuns / Seconds : 0);
std::cerr
<< "#" << TotalNumberOfRuns
<< "\t" << Where
<< " cov " << Cov
<< " bits " << TotalBits()
<< " units " << Corpus.size()
<< " exec/s " << ExecPerSec
<< End;
}
void Fuzzer::PrintStats(const char *Where, const char *End) {
if (!Options.Verbosity) return;
size_t Seconds = secondsSinceProcessStartUp();
size_t ExecPerSec = (Seconds ? TotalNumberOfRuns / Seconds : 0);
Printf("#%zd\t%s", TotalNumberOfRuns, Where);
if (LastRecordedBlockCoverage)
Printf(" cov: %zd", LastRecordedBlockCoverage);
if (auto TB = TotalBits())
Printf(" bits: %zd", TB);
if (LastRecordedCallerCalleeCoverage)
Printf(" indir: %zd", LastRecordedCallerCalleeCoverage);
Printf(" units: %zd exec/s: %zd", Corpus.size(), ExecPerSec);
if (TotalNumberOfExecutedTraceBasedMutations)
Printf(" tbm: %zd", TotalNumberOfExecutedTraceBasedMutations);
Printf("%s", End);
}
bool Fuzzer::RunOne(const uint8_t *Data, size_t Size) {
TotalNumberOfRuns++;
// TODO(aizatsky): this Reset call seems to be not needed.
CoverageController::ResetCounters(Options);
ExecuteCallback(Data, Size);
bool Res = UpdateMaxCoverage();
auto UnitStopTime = system_clock::now();
auto TimeOfUnit =
duration_cast<seconds>(UnitStopTime - UnitStartTime).count();
if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)) &&
secondsSinceProcessStartUp() >= 2)
PrintStats("pulse ");
if (TimeOfUnit > TimeOfLongestUnitInSeconds &&
TimeOfUnit >= Options.ReportSlowUnits) {
TimeOfLongestUnitInSeconds = TimeOfUnit;
Printf("Slowest unit: %zd s:\n", TimeOfLongestUnitInSeconds);
WriteUnitToFileWithPrefix({Data, Data + Size}, "slow-unit-");
}
return Res;
}
bool Fuzzer::RunOne(const uint8_t *Data, size_t Size) {
UnitStartTime = system_clock::now();
TotalNumberOfRuns++;
PrepareCoverageBeforeRun();
ExecuteCallback(Data, Size);
bool Res = CheckCoverageAfterRun();
auto UnitStopTime = system_clock::now();
auto TimeOfUnit =
duration_cast<seconds>(UnitStopTime - UnitStartTime).count();
if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)) &&
secondsSinceProcessStartUp() >= 2)
PrintStats("pulse ");
if (TimeOfUnit > TimeOfLongestUnitInSeconds &&
TimeOfUnit >= Options.ReportSlowUnits) {
TimeOfLongestUnitInSeconds = TimeOfUnit;
Printf("Slowest unit: %zd s:\n", TimeOfLongestUnitInSeconds);
WriteUnitToFileWithPrefix({Data, Data + Size}, "slow-unit-");
}
return Res;
}
void Fuzzer::Loop() {
system_clock::time_point LastCorpusReload = system_clock::now();
if (Options.DoCrossOver)
MD.SetCorpus(&Corpus);
while (true) {
auto Now = system_clock::now();
if (duration_cast<seconds>(Now - LastCorpusReload).count()) {
RereadOutputCorpus(Options.MaxLen);
LastCorpusReload = Now;
}
if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
break;
if (Options.MaxTotalTimeSec > 0 &&
secondsSinceProcessStartUp() >
static_cast<size_t>(Options.MaxTotalTimeSec))
break;
// Perform several mutations and runs.
MutateAndTestOne();
}
PrintStats("DONE ", "\n");
MD.PrintRecommendedDictionary();
}