Changeset 77544 in vbox for trunk

Timestamp:

Mar 3, 2019 8:07:01 PM (6 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

129148

Message:

Runtime/fuzz: Updates, add a target state recording mechanism to record changes in target behavior caused by mutated inputs. This allows to decide which mutated input gets added to the input corpus and which one gets discarded. Currently this is only able to record the stdout/stderr channels of the fuzzed process but other sources to detect changed behvior will get added in the future

Location:

trunk

Files:

• include/iprt/fuzz.h (modified) (3 diffs)
• include/iprt/mangling.h (modified) (1 diff)
• src/VBox/Runtime/common/fuzz/fuzz-observer.cpp (modified) (18 diffs)
• src/VBox/Runtime/common/fuzz/fuzz-target-recorder.cpp (added)
• src/VBox/Runtime/common/fuzz/fuzz.cpp (modified) (9 diffs)

trunk/include/iprt/fuzz.h

@@ -42 +42 @@
 
 /** A fuzzer context handle. */
-typedef struct RTFUZZCTXINT    *RTFUZZCTX;
+typedef struct RTFUZZCTXINT      *RTFUZZCTX;
 /** Pointer to a fuzzer context handle. */
-typedef RTFUZZCTX              *PRTFUZZCTX;
+typedef RTFUZZCTX                *PRTFUZZCTX;
 /** NIL fuzzer context handle. */
-#define NIL_RTFUZZCTX           ((RTFUZZCTX)~(uintptr_t)0)
+#define NIL_RTFUZZCTX            ((RTFUZZCTX)~(uintptr_t)0)
 /** A fuzzer input handle. */
-typedef struct RTFUZZINPUTINT  *RTFUZZINPUT;
+typedef struct RTFUZZINPUTINT    *RTFUZZINPUT;
 /** Pointer to a fuzzer input handle. */
-typedef RTFUZZINPUT            *PRTFUZZINPUT;
+typedef RTFUZZINPUT              *PRTFUZZINPUT;
 /** NIL fuzzer input handle. */
-#define NIL_RTFUZZINPUT        ((RTFUZZINPUT)~(uintptr_t)0)
+#define NIL_RTFUZZINPUT          ((RTFUZZINPUT)~(uintptr_t)0)
+
+
+/** A fuzzer target recorder handler. */
+typedef struct RTFUZZTGTRECINT   *RTFUZZTGTREC;
+/** Pointer to a fuzzer target recorder handle. */
+typedef RTFUZZTGTREC             *PRTFUZZTGTREC;
+/** NIL fuzzer target recorder handle. */
+#define NIL_RTFUZZTGTREC         ((RTFUZZTGTREC)~(uintptr_t)0)
+/** A fuzzed target state handle. */
+typedef struct RTFUZZTGTSTATEINT *RTFUZZTGTSTATE;
+/** Pointer to a fuzzed target state handle. */
+typedef RTFUZZTGTSTATE           *PRTFUZZTGTSTATE;
+/** NIL fuzzed target state handle. */
+#define NIL_RTFUZZTGTSTATE       ((RTFUZZTGTSTATE)~(uintptr_t)0)
 
 
 /** Fuzzing observer handle. */
-typedef struct RTFUZZOBSINT    *RTFUZZOBS;
+typedef struct RTFUZZOBSINT      *RTFUZZOBS;
 /** Pointer to a fuzzing observer handle. */
-typedef RTFUZZOBS              *PRTFUZZOBS;
+typedef RTFUZZOBS                *PRTFUZZOBS;
 /** NIL fuzzing observer handle. */
-#define NIL_RTFUZZOBS           ((RTFUZZOBS)~(uintptr_t)0)
+#define NIL_RTFUZZOBS             ((RTFUZZOBS)~(uintptr_t)0)
 
 
@@ -319 +333 @@
 
 /**
- * Releases a reference from the given fuzzing input handle, destroying it when reaaching 0.
+ * Releases a reference from the given fuzzing input handle, destroying it when reaching 0.
  *
  * @returns New reference count on success, 0 if the fuzzing input got destroyed.
@@ -383 +397 @@
  */
 RTDECL(int) RTFuzzInputRemoveFromCtxCorpus(RTFUZZINPUT hFuzzInput);
+
+
+/**
+ * Creates a new fuzzed target recorder.
+ *
+ * @returns IPRT status code.
+ * @param   phFuzzTgtRec        Where to store the handle to the fuzzed target recorder on success.
+ */
+RTDECL(int) RTFuzzTgtRecorderCreate(PRTFUZZTGTREC phFuzzTgtRec);
+
+/**
+ * Retains a reference to the given fuzzed target recorder handle.
+ *
+ * @returns New reference count on success.
+ * @param   hFuzzTgtRec         The fuzzed target recorder handle.
+ */
+RTDECL(uint32_t) RTFuzzTgtRecorderRetain(RTFUZZTGTREC hFuzzTgtRec);
+
+/**
+ * Releases a reference from the given fuzzed target recorder handle, destroying it when reaching 0.
+ *
+ * @returns New reference count on success, 0 if the fuzzed target recorder got destroyed.
+ * @param   hFuzzTgtRec         The fuzzed target recorder handle.
+ */
+RTDECL(uint32_t) RTFuzzTgtRecorderRelease(RTFUZZTGTREC hFuzzTgtRec);
+
+/**
+ * Creates a new empty fuzzed target state.
+ *
+ * @returns IPRT status code.
+ * @param   hFuzzTgtRec         The fuzzed target recorder handle.
+ * @param   phFuzzTgtState      Where to store the handle to the fuzzed target state on success.
+ */
+RTDECL(int) RTFuzzTgtRecorderCreateNewState(RTFUZZTGTREC hFuzzTgtRec, PRTFUZZTGTSTATE phFuzzTgtState);
+
+/**
+ * Retains a reference to the given fuzzed target state handle.
+ *
+ * @returns New reference count on success.
+ * @param   hFuzzTgtState       The fuzzed target state handle.
+ */
+RTDECL(uint32_t) RTFuzzTgtStateRetain(RTFUZZTGTSTATE hFuzzTgtState);
+
+/**
+ * Releases a reference from the given fuzzed target state handle, destroying it when reaching 0.
+ *
+ * @returns New reference count on success, 0 if the fuzzed target recorder got destroyed.
+ * @param   hFuzzTgtState       The fuzzed target state handle.
+ */
+RTDECL(uint32_t) RTFuzzTgtStateRelease(RTFUZZTGTSTATE hFuzzTgtState);
+
+/**
+ * Resets the given fuzzed target state to an empty state (keeping allocated memory).
+ *
+ * @returns IPRT status code.
+ * @param   hFuzzTgtState       The fuzzed target state handle.
+ *
+ * @note Useful when the state is not added to the recorded set to avoid allocating memory.
+ */
+RTDECL(int) RTFuzzTgtStateReset(RTFUZZTGTSTATE hFuzzTgtState);
+
+/**
+ * Finalizes the given fuzzed target state, making it readonly.
+ *
+ * @returns IPRT status code.
+ * @param   hFuzzTgtState       The fuzzed target state handle.
+ */
+RTDECL(int) RTFuzzTgtStateFinalize(RTFUZZTGTSTATE hFuzzTgtState);
+
+/**
+ * Adds the given state to the set for the owning target recorder.
+ *
+ * @returns IPRT status code.
+ * @retval  VERR_ALREADY_EXISTS if the state is already existing in the recorder set.
+ * @param   hFuzzTgtState       The fuzzed target state handle.
+ *
+ * @note This also finalizes the target state if not already done.
+ */
+RTDECL(int) RTFuzzTgtStateAddToRecorder(RTFUZZTGTSTATE hFuzzTgtState);
+
+/**
+ * Appends the given stdout output to the given target state.
+ *
+ * @returns IPRT status code.
+ * @param   hFuzzTgtState       The fuzzed target state handle.
+ * @param   pvStdOut            Pointer to the stdout data buffer.
+ * @param   cbStdOut            Size of the stdout data buffer in bytes.
+ */
+RTDECL(int) RTFuzzTgtStateAppendStdoutFromBuf(RTFUZZTGTSTATE hFuzzTgtState, const void *pvStdOut, size_t cbStdOut);
+
+/**
+ * Appends the given stderr output to the given target state.
+ *
+ * @returns IPRT status code.
+ * @param   hFuzzTgtState       The fuzzed target state handle.
+ * @param   pvStdErr            Pointer to the stderr data buffer.
+ * @param   cbStdErr            Size of the stderr data buffer in bytes.
+ */
+RTDECL(int) RTFuzzTgtStateAppendStderrFromBuf(RTFUZZTGTSTATE hFuzzTgtState, const void *pvStdErr, size_t cbStdErr);
+
+/**
+ * Appends the given stdout output to the given target state, reading from the given pipe.
+ *
+ * @returns IPRT status code.
+ * @param   hFuzzTgtState       The fuzzed target state handle.
+ * @param   hPipe               The stdout pipe to read the data from.
+ */
+RTDECL(int) RTFuzzTgtStateAppendStdoutFromPipe(RTFUZZTGTSTATE hFuzzTgtState, RTPIPE hPipe);
+
+/**
+ * Appends the given stderr output to the given target state, reading from the given pipe.
+ *
+ * @returns IPRT status code.
+ * @param   hFuzzTgtState       The fuzzed target state handle.
+ * @param   hPipe               The stdout pipe to read the data from.
+ */
+RTDECL(int) RTFuzzTgtStateAppendStderrFromPipe(RTFUZZTGTSTATE hFuzzTgtState, RTPIPE hPipe);
 
 

trunk/include/iprt/mangling.h

@@ -1063 +1063 @@
 # define RTFuzzObsSetTestBinaryArgs                     RT_MANGLER(RTFuzzObsSetTestBinaryArgs)
 # define RTFuzzObsSetTmpDirectory                       RT_MANGLER(RTFuzzObsSetTmpDirectory)
+# define RTFuzzTgtRecorderCreate                        RT_MANGLER(RTFuzzTgtRecorderCreate)
+# define RTFuzzTgtRecorderCreateNewState                RT_MANGLER(RTFuzzTgtRecorderCreateNewState)
+# define RTFuzzTgtRecorderRelease                       RT_MANGLER(RTFuzzTgtRecorderRelease)
+# define RTFuzzTgtRecorderRetain                        RT_MANGLER(RTFuzzTgtRecorderRetain)
+# define RTFuzzTgtStateAddToRecorder                    RT_MANGLER(RTFuzzTgtStateAddToRecorder)
+# define RTFuzzTgtStateAppendStderrFromBuf              RT_MANGLER(RTFuzzTgtStateAppendStderrFromBuf)
+# define RTFuzzTgtStateAppendStderrFromPipe             RT_MANGLER(RTFuzzTgtStateAppendStderrFromPipe)
+# define RTFuzzTgtStateAppendStdoutFromBuf              RT_MANGLER(RTFuzzTgtStateAppendStdoutFromBuf)
+# define RTFuzzTgtStateAppendStdoutFromPipe             RT_MANGLER(RTFuzzTgtStateAppendStdoutFromPipe)
+# define RTFuzzTgtStateFinalize                         RT_MANGLER(RTFuzzTgtStateFinalize)
+# define RTFuzzTgtStateRelease                          RT_MANGLER(RTFuzzTgtStateRelease)
+# define RTFuzzTgtStateReset                            RT_MANGLER(RTFuzzTgtStateReset)
+# define RTFuzzTgtStateRetain                           RT_MANGLER(RTFuzzTgtStateRetain)
 # define RTGetOpt                                       RT_MANGLER(RTGetOpt)
 # define RTGetOptArgvFree                               RT_MANGLER(RTGetOptArgvFree)

trunk/src/VBox/Runtime/common/fuzz/fuzz-observer.cpp

@@ -104 +104 @@
     /** The fuzzing context used for this observer. */
     RTFUZZCTX                   hFuzzCtx;
+    /** The target state recorder. */
+    RTFUZZTGTREC                hTgtRec;
     /** Temp directory for input files. */
     char                       *pszTmpDir;
@@ -141 +143 @@
 
 /**
- * Stdout/Stderr buffer.
- */
-typedef struct RTFUZZOBSSTDOUTERRBUF
-{
-    /** Current amount buffered. */
-    size_t                      cbBuf;
-    /** Maxmium amount to buffer. */
-    size_t                      cbBufMax;
-    /** Base pointer to the data buffer. */
-    uint8_t                     *pbBase;
-} RTFUZZOBSSTDOUTERRBUF;
-/** Pointer to a stdout/stderr buffer. */
-typedef RTFUZZOBSSTDOUTERRBUF *PRTFUZZOBSSTDOUTERRBUF;
-
-
-/**
  * Worker execution context.
  */
@@ -185 +171 @@
     /** Execution time of the process. */
     RTMSINTERVAL                msExec;
+    /** The recording state handle. */
+    RTFUZZTGTSTATE              hTgtState;
     /** Current input data pointer. */
     uint8_t                     *pbInputCur;
     /** Number of bytes left for the input. */
     size_t                      cbInputLeft;
-    /** The stdout data buffer. */
-    RTFUZZOBSSTDOUTERRBUF       StdOutBuf;
-    /** The stderr data buffer. */
-    RTFUZZOBSSTDOUTERRBUF       StdErrBuf;
     /** Modified arguments vector - variable in size. */
     char                        *apszArgs[1];
@@ -217 +201 @@
 typedef RTFUZZOBSVARIABLE *PRTFUZZOBSVARIABLE;
 
-
-/**
- * Initializes the given stdout/stderr buffer.
- *
- * @returns nothing.
- * @param   pBuf                The buffer to initialize.
- */
-static void rtFuzzObsStdOutErrBufInit(PRTFUZZOBSSTDOUTERRBUF pBuf)
-{
-    pBuf->cbBuf    = 0;
-    pBuf->cbBufMax = 0;
-    pBuf->pbBase   = NULL;
-}
-
-
-/**
- * Frees all allocated resources in the given stdout/stderr buffer.
- *
- * @returns nothing.
- * @param   pBuf                The buffer to free.
- */
-static void rtFuzzObsStdOutErrBufFree(PRTFUZZOBSSTDOUTERRBUF pBuf)
-{
-    if (pBuf->pbBase)
-        RTMemFree(pBuf->pbBase);
-}
-
-
-/**
- * Clears the given stdout/stderr buffer.
- *
- * @returns nothing.
- * @param   pBuf                The buffer to clear.
- */
-static void rtFuzzObsStdOutErrBufClear(PRTFUZZOBSSTDOUTERRBUF pBuf)
-{
-    pBuf->cbBuf = 0;
-}
-
-
-/**
- * Fills the given stdout/stderr buffer from the given pipe.
- *
- * @returns IPRT status code.
- * @param   pBuf                The buffer to fill.
- * @param   hPipeRead           The pipe to read from.
- */
-static int rtFuzzObsStdOutErrBufFill(PRTFUZZOBSSTDOUTERRBUF pBuf, RTPIPE hPipeRead)
-{
-    int rc = VINF_SUCCESS;
-
-    size_t cbRead = 0;
-    size_t cbThisRead = 0;
-    do
-    {
-        cbThisRead = pBuf->cbBufMax - pBuf->cbBuf;
-        if (!cbThisRead)
-        {
-            /* Try to increase the buffer. */
-            uint8_t *pbNew = (uint8_t *)RTMemRealloc(pBuf->pbBase, pBuf->cbBufMax + _4K);
-            if (RT_LIKELY(pbNew))
-            {
-                pBuf->cbBufMax += _4K;
-                pBuf->pbBase   = pbNew;
-            }
-            cbThisRead = pBuf->cbBufMax - pBuf->cbBuf;
-        }
-
-        if (cbThisRead)
-        {
-            rc = RTPipeRead(hPipeRead, pBuf->pbBase + pBuf->cbBuf, cbThisRead, &cbRead);
-            if (RT_SUCCESS(rc))
-                pBuf->cbBuf += cbRead;
-        }
-        else
-            rc = VERR_NO_MEMORY;
-    } while (   RT_SUCCESS(rc)
-             && cbRead == cbThisRead);
-
-    return rc;
-}
-
-
-/**
- * Writes the given stdout/stderr buffer to the given filename.
- *
- * @returns IPRT status code.
- * @param   pBuf                The buffer to write.
- * @param   pszFilename         The filename to write the buffer to.
- */
-static int rtFuzzStdOutErrBufWriteToFile(PRTFUZZOBSSTDOUTERRBUF pBuf, const char *pszFilename)
-{
-    RTFILE hFile;
-    int rc = RTFileOpen(&hFile, pszFilename, RTFILE_O_CREATE | RTFILE_O_WRITE | RTFILE_O_DENY_NONE);
-    if (RT_SUCCESS(rc))
-    {
-        rc = RTFileWrite(hFile, pBuf->pbBase, pBuf->cbBuf, NULL);
-        AssertRC(rc);
-        RTFileClose(hFile);
-
-        if (RT_FAILURE(rc))
-            RTFileDelete(pszFilename);
-    }
-
-    return rc;
-}
 
 
@@ -456 +334 @@
         pExecCtx->hProc            = NIL_RTPROCESS;
         pExecCtx->msExec           = 0;
-        rtFuzzObsStdOutErrBufInit(&pExecCtx->StdOutBuf);
-        rtFuzzObsStdOutErrBufInit(&pExecCtx->StdErrBuf);
-
-        rc = RTPollSetCreate(&pExecCtx->hPollSet);
+
+        rc = RTFuzzTgtRecorderCreateNewState(pThis->hTgtRec, &pExecCtx->hTgtState);
         if (RT_SUCCESS(rc))
         {
-            rc = RTPipeCreate(&pExecCtx->hPipeStdoutR, &pExecCtx->hPipeStdoutW, RTPIPE_C_INHERIT_WRITE);
+            rc = RTPollSetCreate(&pExecCtx->hPollSet);
             if (RT_SUCCESS(rc))
             {
-                RTHANDLE Handle;
-                Handle.enmType = RTHANDLETYPE_PIPE;
-                Handle.u.hPipe = pExecCtx->hPipeStdoutR;
-                rc = RTPollSetAdd(pExecCtx->hPollSet, &Handle, RTPOLL_EVT_READ, RTFUZZOBS_EXEC_CTX_POLL_ID_STDOUT);
-                AssertRC(rc);
-
-                rc = RTPipeCreate(&pExecCtx->hPipeStderrR, &pExecCtx->hPipeStderrW, RTPIPE_C_INHERIT_WRITE);
+                rc = RTPipeCreate(&pExecCtx->hPipeStdoutR, &pExecCtx->hPipeStdoutW, RTPIPE_C_INHERIT_WRITE);
                 if (RT_SUCCESS(rc))
                 {
-                    Handle.u.hPipe = pExecCtx->hPipeStderrR;
-                    rc = RTPollSetAdd(pExecCtx->hPollSet, &Handle, RTPOLL_EVT_READ, RTFUZZOBS_EXEC_CTX_POLL_ID_STDERR);
+                    RTHANDLE Handle;
+                    Handle.enmType = RTHANDLETYPE_PIPE;
+                    Handle.u.hPipe = pExecCtx->hPipeStdoutR;
+                    rc = RTPollSetAdd(pExecCtx->hPollSet, &Handle, RTPOLL_EVT_READ, RTFUZZOBS_EXEC_CTX_POLL_ID_STDOUT);
                     AssertRC(rc);
 
-                    /* Create the stdin pipe handles if not a file input. */
-                    if (pThis->enmInputChan == RTFUZZOBSINPUTCHAN_STDIN || pThis->enmInputChan == RTFUZZOBSINPUTCHAN_FUZZING_AWARE_CLIENT)
+                    rc = RTPipeCreate(&pExecCtx->hPipeStderrR, &pExecCtx->hPipeStderrW, RTPIPE_C_INHERIT_WRITE);
+                    if (RT_SUCCESS(rc))
                     {
-                        rc = RTPipeCreate(&pExecCtx->hPipeStdinR, &pExecCtx->hPipeStdinW, RTPIPE_C_INHERIT_READ);
+                        Handle.u.hPipe = pExecCtx->hPipeStderrR;
+                        rc = RTPollSetAdd(pExecCtx->hPollSet, &Handle, RTPOLL_EVT_READ, RTFUZZOBS_EXEC_CTX_POLL_ID_STDERR);
+                        AssertRC(rc);
+
+                        /* Create the stdin pipe handles if not a file input. */
+                        if (pThis->enmInputChan == RTFUZZOBSINPUTCHAN_STDIN || pThis->enmInputChan == RTFUZZOBSINPUTCHAN_FUZZING_AWARE_CLIENT)
+                        {
+                            rc = RTPipeCreate(&pExecCtx->hPipeStdinR, &pExecCtx->hPipeStdinW, RTPIPE_C_INHERIT_READ);
+                            if (RT_SUCCESS(rc))
+                            {
+                                pExecCtx->StdinHandle.enmType = RTHANDLETYPE_PIPE;
+                                pExecCtx->StdinHandle.u.hPipe = pExecCtx->hPipeStdinR;
+
+                                Handle.u.hPipe = pExecCtx->hPipeStdinW;
+                                rc = RTPollSetAdd(pExecCtx->hPollSet, &Handle, RTPOLL_EVT_WRITE, RTFUZZOBS_EXEC_CTX_POLL_ID_STDIN);
+                                AssertRC(rc);
+                            }
+                        }
+                        else
+                        {
+                            pExecCtx->StdinHandle.enmType = RTHANDLETYPE_PIPE;
+                            pExecCtx->StdinHandle.u.hPipe = NIL_RTPIPE;
+                        }
+
                         if (RT_SUCCESS(rc))
                         {
-                            pExecCtx->StdinHandle.enmType = RTHANDLETYPE_PIPE;
-                            pExecCtx->StdinHandle.u.hPipe = pExecCtx->hPipeStdinR;
-
-                            Handle.u.hPipe = pExecCtx->hPipeStdinW;
-                            rc = RTPollSetAdd(pExecCtx->hPollSet, &Handle, RTPOLL_EVT_WRITE, RTFUZZOBS_EXEC_CTX_POLL_ID_STDIN);
-                            AssertRC(rc);
+                            pExecCtx->StdoutHandle.enmType = RTHANDLETYPE_PIPE;
+                            pExecCtx->StdoutHandle.u.hPipe = pExecCtx->hPipeStdoutW;
+                            pExecCtx->StderrHandle.enmType = RTHANDLETYPE_PIPE;
+                            pExecCtx->StderrHandle.u.hPipe = pExecCtx->hPipeStderrW;
+                            *ppExecCtx = pExecCtx;
+                            return VINF_SUCCESS;
                         }
+
+                        RTPipeClose(pExecCtx->hPipeStderrR);
+                        RTPipeClose(pExecCtx->hPipeStderrW);
                     }
-                    else
-                    {
-                        pExecCtx->StdinHandle.enmType = RTHANDLETYPE_PIPE;
-                        pExecCtx->StdinHandle.u.hPipe = NIL_RTPIPE;
-                    }
-
-                    if (RT_SUCCESS(rc))
-                    {
-                        pExecCtx->StdoutHandle.enmType = RTHANDLETYPE_PIPE;
-                        pExecCtx->StdoutHandle.u.hPipe = pExecCtx->hPipeStdoutW;
-                        pExecCtx->StderrHandle.enmType = RTHANDLETYPE_PIPE;
-                        pExecCtx->StderrHandle.u.hPipe = pExecCtx->hPipeStderrW;
-                        *ppExecCtx = pExecCtx;
-                        return VINF_SUCCESS;
-                    }
-
-                    RTPipeClose(pExecCtx->hPipeStderrR);
-                    RTPipeClose(pExecCtx->hPipeStderrW);
+
+                    RTPipeClose(pExecCtx->hPipeStdoutR);
+                    RTPipeClose(pExecCtx->hPipeStdoutW);
                 }
 
-                RTPipeClose(pExecCtx->hPipeStdoutR);
-                RTPipeClose(pExecCtx->hPipeStdoutW);
-            }
-
-            RTPollSetDestroy(pExecCtx->hPollSet);
+                RTPollSetDestroy(pExecCtx->hPollSet);
+            }
+
+            RTFuzzTgtStateRelease(pExecCtx->hTgtState);
         }
 
@@ -557 +439 @@
     }
 
-    rtFuzzObsStdOutErrBufFree(&pExecCtx->StdOutBuf);
-    rtFuzzObsStdOutErrBufFree(&pExecCtx->StdErrBuf);
+    if (pExecCtx->hTgtState != NIL_RTFUZZTGTSTATE)
+        RTFuzzTgtStateRelease(pExecCtx->hTgtState);
     RTMemFree(pExecCtx);
 }
@@ -574 +456 @@
 static int rtFuzzObsExecCtxClientRun(PRTFUZZOBSINT pThis, PRTFUZZOBSEXECCTX pExecCtx, PRTPROCSTATUS pProcStat)
 {
-    rtFuzzObsStdOutErrBufClear(&pExecCtx->StdOutBuf);
-    rtFuzzObsStdOutErrBufClear(&pExecCtx->StdErrBuf);
-
     int rc = RTProcCreateEx(pThis->pszBinary, &pExecCtx->apszArgs[0], RTENV_DEFAULT, 0 /*fFlags*/, &pExecCtx->StdinHandle,
                             &pExecCtx->StdoutHandle, &pExecCtx->StderrHandle, NULL, NULL, &pExecCtx->hProc);
@@ -593 +472 @@
                 {
                     Assert(fEvtsRecv & RTPOLL_EVT_READ);
-                    rc = rtFuzzObsStdOutErrBufFill(&pExecCtx->StdOutBuf, pExecCtx->hPipeStdoutR);
+                    rc = RTFuzzTgtStateAppendStdoutFromPipe(pExecCtx->hTgtState, pExecCtx->hPipeStdoutR);
                     AssertRC(rc);
                 }
@@ -599 +478 @@
                 {
                     Assert(fEvtsRecv & RTPOLL_EVT_READ);
-                    rc = rtFuzzObsStdOutErrBufFill(&pExecCtx->StdErrBuf, pExecCtx->hPipeStderrR);
+                    rc = RTFuzzTgtStateAppendStderrFromPipe(pExecCtx->hTgtState, pExecCtx->hPipeStderrR);
                     AssertRC(rc);
                 }
@@ -665 +544 @@
 static int rtFuzzObsExecCtxClientRunFuzzingAware(PRTFUZZOBSINT pThis, PRTFUZZOBSEXECCTX pExecCtx, PRTPROCSTATUS pProcStat)
 {
-    rtFuzzObsStdOutErrBufClear(&pExecCtx->StdOutBuf);
-    rtFuzzObsStdOutErrBufClear(&pExecCtx->StdErrBuf);
-
     int rc = RTProcCreateEx(pThis->pszBinary, &pExecCtx->apszArgs[0], RTENV_DEFAULT, 0 /*fFlags*/, &pExecCtx->StdinHandle,
                             &pExecCtx->StdoutHandle, &pExecCtx->StderrHandle, NULL, NULL, &pExecCtx->hProc);
@@ -731 +607 @@
                         {
                             Assert(fEvtsRecv & RTPOLL_EVT_READ);
-                            rc = rtFuzzObsStdOutErrBufFill(&pExecCtx->StdErrBuf, pExecCtx->hPipeStderrR);
+                            rc = RTFuzzTgtStateAppendStderrFromPipe(pExecCtx->hTgtState, pExecCtx->hPipeStderrR);
                             AssertRC(rc);
                         }
@@ -806 +682 @@
             if (RT_SUCCESS(rc))
             {
+                RT_NOREF(pExecCtx);
+#if 0
                 /* Stdout and Stderr. */
                 rc = RTPathJoin(szTmp, sizeof(szTmp), &szPath[0], "stdout");
@@ -816 +694 @@
                     rc = rtFuzzStdOutErrBufWriteToFile(&pExecCtx->StdOutBuf, &szTmp[0]);
                 }
+#endif
             }
         }
@@ -841 +720 @@
         return rc;
 
+    char szInput[RTPATH_MAX]; RT_ZERO(szInput);
+    if (pThis->enmInputChan == RTFUZZOBSINPUTCHAN_FILE)
+    {
+        char szFilename[32];
+
+        ssize_t cbBuf = RTStrPrintf2(&szFilename[0], sizeof(szFilename), "%u", pObsThrd->idObs);
+        Assert(cbBuf > 0); RT_NOREF(cbBuf);
+
+        rc = RTPathJoin(szInput, sizeof(szInput), pThis->pszTmpDir, &szFilename[0]);
+        AssertRC(rc);
+
+        RTFUZZOBSVARIABLE aVar[2] =
+        {
+            { "${INPUT}", sizeof("${INPUT}") - 1, &szInput[0] },
+            { NULL,       0,                      NULL        }
+        };
+        rc = rtFuzzObsExecCtxArgvPrepare(pThis, pExecCtx, &aVar[0]);
+        if (RT_FAILURE(rc))
+            return rc;
+    }
+
     while (!pObsThrd->fShutdown)
     {
-        char szInput[RTPATH_MAX];
-
         /* Wait for work. */
         if (!ASMAtomicReadU32(&pObsThrd->cInputs))
@@ -868 +766 @@
 
         if (pThis->enmInputChan == RTFUZZOBSINPUTCHAN_FILE)
-        {
-            char szFilename[32];
-
-            ssize_t cbBuf = RTStrPrintf2(&szFilename[0], sizeof(szFilename), "%u", pObsThrd->idObs);
-            Assert(cbBuf > 0); RT_NOREF(cbBuf);
-
-            RT_ZERO(szInput);
-            rc = RTPathJoin(szInput, sizeof(szInput), pThis->pszTmpDir, &szFilename[0]);
-            AssertRC(rc);
-
             rc = RTFuzzInputWriteToFile(hFuzzInput, &szInput[0]);
-            if (RT_SUCCESS(rc))
-            {
-                RTFUZZOBSVARIABLE aVar[2] = {
-                    { "${INPUT}", sizeof("${INPUT}") - 1, &szInput[0] },
-                    { NULL,       0,                      NULL        }
-                };
-                rc = rtFuzzObsExecCtxArgvPrepare(pThis, pExecCtx, &aVar[0]);
-            }
-        }
         else if (pThis->enmInputChan == RTFUZZOBSINPUTCHAN_STDIN)
         {
@@ -923 +802 @@
                 AssertFailed();
 
-            RTFuzzInputAddToCtxCorpus(hFuzzInput);
+            /*
+             * Check whether we reached a known target state and add the input to the
+             * corpus in that case.
+             */
+            rc = RTFuzzTgtStateAddToRecorder(pExecCtx->hTgtState);
+            if (RT_SUCCESS(rc))
+            {
+                /* Add to corpus and create a new target state for the next run. */
+                RTFuzzInputAddToCtxCorpus(hFuzzInput);
+                RTFuzzTgtStateRelease(pExecCtx->hTgtState);
+                pExecCtx->hTgtState = NIL_RTFUZZTGTSTATE;
+                rc = RTFuzzTgtRecorderCreateNewState(pThis->hTgtRec, &pExecCtx->hTgtState);
+                AssertRC(rc);
+            }
+            else
+            {
+                Assert(rc == VERR_ALREADY_EXISTS);
+                /* Reset the state for the next run. */
+                rc = RTFuzzTgtStateReset(pExecCtx->hTgtState);
+                AssertRC(rc);
+            }
             RTFuzzInputRelease(hFuzzInput);
 
@@ -1126 +1025 @@
         if (RT_SUCCESS(rc))
         {
-            *phFuzzObs = pThis;
-            return VINF_SUCCESS;
+            rc = RTFuzzTgtRecorderCreate(&pThis->hTgtRec);
+            if (RT_SUCCESS(rc))
+            {
+                *phFuzzObs = pThis;
+                return VINF_SUCCESS;
+            }
+            RTFuzzCtxRelease(pThis->hFuzzCtx);
         }
 
@@ -1161 +1065 @@
     if (pThis->pszBinary)
         RTStrFree(pThis->pszBinary);
+    RTFuzzTgtRecorderRelease(pThis->hTgtRec);
     RTFuzzCtxRelease(pThis->hFuzzCtx);
     RTMemFree(pThis);

trunk/src/VBox/Runtime/common/fuzz/fuzz.cpp

@@ -190 +190 @@
     /** Size of the mutation dependent data. */
     size_t                      cbMutation;
+    /** Flag whether the mutation is contained in the tree of the context. */
+    bool                        fInTree;
     /** Mutation dependent data, variable in size. */
     uint8_t                     abMutation[1];
@@ -471 +473 @@
 
 /**
+ * Destroys the given mutation.
+ *
+ * @returns nothing.
+ * @param   pMutation           The mutation to destroy.
+ */
+static void rtFuzzMutationDestroy(PRTFUZZMUTATION pMutation)
+{
+    rtFuzzCtxMemoryFree(pMutation->pFuzzer, pMutation);
+}
+
+
+/**
  * Retains an external reference to the given mutation.
  *
@@ -479 +493 @@
 {
     uint32_t cRefs = ASMAtomicIncU32(&pMutation->cRefs);
-    AssertMsg(cRefs > 1 && cRefs < _1M, ("%#x %p\n", cRefs, pMutation));
+    AssertMsg(   (   cRefs > 1
+                  || pMutation->fInTree)
+              && cRefs < _1M, ("%#x %p\n", cRefs, pMutation));
     return cRefs;
 }
 
 
-#if 0 /* unused */
 /**
  * Releases an external reference from the given mutation.
@@ -495 +510 @@
     uint32_t cRefs = ASMAtomicDecU32(&pMutation->cRefs);
     AssertMsg(cRefs < _1M, ("%#x %p\n", cRefs, pMutation));
+    if (cRefs == 0 && !pMutation->fInTree)
+        rtFuzzMutationDestroy(pMutation);
     return cRefs;
 }
-#endif
 
 
@@ -519 +535 @@
     AssertRC(rc); RT_NOREF(rc);
 
+    pMutation->fInTree = true;
     return rc;
 }
@@ -531 +548 @@
 static PRTFUZZMUTATION rtFuzzCtxMutationPickRnd(PRTFUZZCTXINT pThis)
 {
-    uint64_t idxMutation = RTRandAdvU64Ex(pThis->hRand, 0, ASMAtomicReadU64(&pThis->cMutations));
+    uint64_t idxMutation = RTRandAdvU64Ex(pThis->hRand, 1, ASMAtomicReadU64(&pThis->cMutations));
 
     int rc = RTSemRWRequestRead(pThis->hSemRwMutations, RT_INDEFINITE_WAIT);
@@ -575 +592 @@
         pMutation->pMutationParent = pMutationParent;
         pMutation->cbMutation      = cbAdditional;
+        pMutation->fInTree         = false;
 
         if (pMutationParent)
@@ -583 +601 @@
 
     return pMutation;
-}
-
-
-/**
- * Destroys the given mutation.
- *
- * @returns nothing.
- * @param   pMutation           The mutation to destroy.
- */
-static void rtFuzzMutationDestroy(PRTFUZZMUTATION pMutation)
-{
-    rtFuzzCtxMemoryFree(pMutation->pFuzzer, pMutation);
 }
 
@@ -888 +894 @@
         rtFuzzCtxMemoryFree(pFuzzer, pThis->u.Blob.pvInput);
 
+    rtFuzzMutationRelease(pThis->pMutationTop);
     rtFuzzCtxMemoryFree(pFuzzer, pThis);
     RTFuzzCtxRelease(pFuzzer);