[libFuzzer] experimental feature -reduce_inputs (off by default) that tries to replace elements in the corpus with smaller ones that have the same feature set. Still needs tuning

llvm-svn: 307873
2024-11-22 18:54:02 +01:00 · 2017-07-13 01:08:53 +00:00 · 2017-07-13 01:08:53 +00:00 · 25dc7da1a2
commit 25dc7da1a2
parent b3ebcbb3bc
9 changed files with 102 additions and 16 deletions
--- a/lib/Fuzzer/FuzzerCorpus.h
+++ b/lib/Fuzzer/FuzzerCorpus.h
@ -34,6 +34,7 @@ struct InputInfo {
  size_t NumExecutedMutations = 0;
  size_t NumSuccessfullMutations = 0;
  bool MayDeleteFile = false;
+  std::vector<uint32_t> FeatureSet;
 };

 class InputCorpus {
@ -68,24 +69,81 @@ class InputCorpus {
  }
  bool empty() const { return Inputs.empty(); }
  const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }
-  void AddToCorpus(const Unit &U, size_t NumFeatures,
-                   bool MayDeleteFile = false) {
+  void AddToCorpus(const Unit &U, size_t NumFeatures, bool MayDeleteFile,
+                   const std::vector<uint32_t> &FeatureSet) {
    assert(!U.empty());
-    uint8_t Hash[kSHA1NumBytes];
    if (FeatureDebug)
      Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);
-    ComputeSHA1(U.data(), U.size(), Hash);
-    Hashes.insert(Sha1ToString(Hash));
    Inputs.push_back(new InputInfo());
    InputInfo &II = *Inputs.back();
    II.U = U;
    II.NumFeatures = NumFeatures;
    II.MayDeleteFile = MayDeleteFile;
-    memcpy(II.Sha1, Hash, kSHA1NumBytes);
+    II.FeatureSet = FeatureSet;
+    ComputeSHA1(U.data(), U.size(), II.Sha1);
+    Hashes.insert(Sha1ToString(II.Sha1));
    UpdateCorpusDistribution();
+    PrintCorpus();
    // ValidateFeatureSet();
  }

+  // Debug-only
+  void PrintUnit(const Unit &U) {
+    if (!FeatureDebug) return;
+    for (uint8_t C : U) {
+      if (C != 'F' && C != 'U' && C != 'Z')
+        C = '.';
+      Printf("%c", C);
+    }
+  }
+
+  // Debug-only
+  void PrintFeatureSet(const std::vector<uint32_t> &FeatureSet) {
+    if (!FeatureDebug) return;
+    Printf("{");
+    for (uint32_t Feature: FeatureSet)
+      Printf("%u,", Feature);
+    Printf("}");
+  }
+
+  // Debug-only
+  void PrintCorpus() {
+    if (!FeatureDebug) return;
+    Printf("======= CORPUS:\n");
+    int i = 0;
+    for (auto II : Inputs) {
+      if (std::find(II->U.begin(), II->U.end(), 'F') != II->U.end()) {
+        Printf("[%2d] ", i);
+        Printf("%s sz=%zd ", Sha1ToString(II->Sha1).c_str(), II->U.size());
+        PrintUnit(II->U);
+        Printf(" ");
+        PrintFeatureSet(II->FeatureSet);
+        Printf("\n");
+      }
+      i++;
+    }
+  }
+
+  // If FeatureSet is that same as in II, replace II->U with {Data,Size}.
+  bool TryToReplace(InputInfo *II, const uint8_t *Data, size_t Size,
+                    const std::vector<uint32_t> &FeatureSet) {
+    if (II->U.size() > Size && II->FeatureSet.size() &&
+        II->FeatureSet == FeatureSet) {
+      if (FeatureDebug)
+        Printf("Replace: %zd => %zd\n", II->U.size(), Size);
+      Replace(II, {Data, Data + Size});
+      PrintCorpus();
+      return true;
+    }
+    return false;
+  }
+
+  void Replace(InputInfo *II, const Unit &U) {
+    ComputeSHA1(U.data(), U.size(), II->Sha1);
+    Hashes.insert(Sha1ToString(II->Sha1));
+    II->U = U;
+  }
+
  bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }
  bool HasUnit(const std::string &H) { return Hashes.count(H); }
  InputInfo &ChooseUnitToMutate(Random &Rand) {
--- a/lib/Fuzzer/FuzzerDriver.cpp
+++ b/lib/Fuzzer/FuzzerDriver.cpp
@ -441,7 +441,6 @@ int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) {
    Printf("INFO: The input is small enough, exiting\n");
    exit(0);
  }
-  Corpus->AddToCorpus(U, 0);
  F->SetMaxInputLen(U.size());
  F->SetMaxMutationLen(U.size() - 1);
  F->MinimizeCrashLoop(U);
--- a/lib/Fuzzer/FuzzerInternal.h
+++ b/lib/Fuzzer/FuzzerInternal.h
@ -65,7 +65,8 @@ public:
  static void StaticFileSizeExceedCallback();

  void ExecuteCallback(const uint8_t *Data, size_t Size);
-  bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false);
+  bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
+              InputInfo *II = nullptr);

  // Merge Corpora[1:] into Corpora[0].
  void Merge(const std::vector<std::string> &Corpora);
@ -101,7 +102,6 @@ private:
  void PrintStats(const char *Where, const char *End = "\n", size_t Units = 0);
  void PrintStatusForNewUnit(const Unit &U);
  void ShuffleCorpus(UnitVector *V);
-  void AddToCorpus(const Unit &U);
  void CheckExitOnSrcPosOrItem();

  // Trace-based fuzzing: we run a unit with some kind of tracing
@ -142,7 +142,7 @@ private:
  size_t MaxInputLen = 0;
  size_t MaxMutationLen = 0;

-  std::vector<size_t> FeatureSetTmp;
+  std::vector<uint32_t> FeatureSetTmp;

  // Need to know our own thread.
  static thread_local bool IsMyThread;
--- a/lib/Fuzzer/FuzzerLoop.cpp
+++ b/lib/Fuzzer/FuzzerLoop.cpp
@ -397,7 +397,8 @@ void Fuzzer::PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size) {
  }
 }

-bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile) {
+bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile,
+                    InputInfo *II) {
  if (!Size) return false;

  ExecuteCallback(Data, Size);
@ -412,10 +413,16 @@ bool Fuzzer::RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile) {
  PrintPulseAndReportSlowInput(Data, Size);
  size_t NumNewFeatures = Corpus.NumFeatureUpdates() - NumUpdatesBefore;
  if (NumNewFeatures) {
+    Corpus.AddToCorpus({Data, Data + Size}, NumNewFeatures, MayDeleteFile,
+                       FeatureSetTmp);
    CheckExitOnSrcPosOrItem();
-    Corpus.AddToCorpus({Data, Data + Size}, NumNewFeatures, MayDeleteFile);
+    return true;
  }
-  return NumNewFeatures > 0;
+  if (II && Corpus.TryToReplace(II, Data, Size, FeatureSetTmp)) {
+    CheckExitOnSrcPosOrItem();
+    return true;
+  }
+  return false;
 }

 size_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const {
@ -596,7 +603,7 @@ void Fuzzer::MutateAndTestOne() {
    if (i == 0)
      StartTraceRecording();
    II.NumExecutedMutations++;
-    if (RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true))
+    if (RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true, &II))
      ReportNewCoverage(&II, {CurrentUnitData, CurrentUnitData + Size});

    StopTraceRecording();
--- a/lib/Fuzzer/test/CMakeLists.txt
+++ b/lib/Fuzzer/test/CMakeLists.txt
@ -118,6 +118,7 @@ set(Tests
  SingleStrncmpTest
  SpamyTest
  ShrinkControlFlowTest
+  ShrinkControlFlowSimpleTest
  ShrinkValueProfileTest
  StrcmpTest
  StrncmpOOBTest
--- a/lib/Fuzzer/test/FuzzerUnittest.cpp
+++ b/lib/Fuzzer/test/FuzzerUnittest.cpp
@ -593,7 +593,7 @@ TEST(Corpus, Distribution) {
  size_t N = 10;
  size_t TriesPerUnit = 1<<16;
  for (size_t i = 0; i < N; i++)
-    C->AddToCorpus(Unit{ static_cast<uint8_t>(i) }, 0);
+    C->AddToCorpus(Unit{ static_cast<uint8_t>(i) }, 0, false, {});

  std::vector<size_t> Hist(N);
  for (size_t i = 0; i < N * TriesPerUnit; i++) {
--- a/lib/Fuzzer/test/ShrinkControlFlowSimpleTest.cpp
+++ b/lib/Fuzzer/test/ShrinkControlFlowSimpleTest.cpp
@ -0,0 +1,19 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Test that we can find the minimal item in the corpus (3 bytes: "FUZ").
+#include <cstddef>
+#include <cstdint>
+#include <cstdio>
+#include <cstdlib>
+#include <cstring>
+
+static volatile int Sink;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size < 2) return 0;
+  if (Data[0] == 'F' && Data[Size / 2] == 'U' && Data[Size - 1] == 'Z')
+    Sink++;
+  return 0;
+}
+
--- a/lib/Fuzzer/test/reduce_inputs.test
+++ b/lib/Fuzzer/test/reduce_inputs.test
@ -0,0 +1,2 @@
+CHECK: INFO: found item with checksum '0eb8e4ed029b774d80f2b66408203801cb982a60'
+RUN: LLVMFuzzer-ShrinkControlFlowSimpleTest  -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60   -reduce_inputs=1 -runs=1000000 2>&1 | FileCheck %s
--- a/lib/Fuzzer/test/shrink.test
+++ b/lib/Fuzzer/test/shrink.test
@ -1,4 +1,4 @@
-RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=10000000  -shrink=1 2>&1 | FileCheck %s --check-prefix=SHRINK1
+RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=1000000  -shrink=1 2>&1 | FileCheck %s --check-prefix=SHRINK1
 RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=1000000 -shrink=0 2>&1 | FileCheck %s --check-prefix=SHRINK0
 RUN: LLVMFuzzer-ShrinkValueProfileTest -seed=1 -exit_on_item=aea2e3923af219a8956f626558ef32f30a914ebc -runs=100000 -shrink=1 -use_value_profile=1 2>&1 | FileCheck %s --check-prefix=SHRINK1_VP