Changeset 77544 in vbox for trunk/src/VBox/Runtime/common/fuzz/fuzz.cpp

Timestamp:

Mar 3, 2019 8:07:01 PM (6 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

129148

Message:

Runtime/fuzz: Updates, add a target state recording mechanism to record changes in target behavior caused by mutated inputs. This allows to decide which mutated input gets added to the input corpus and which one gets discarded. Currently this is only able to record the stdout/stderr channels of the fuzzed process but other sources to detect changed behvior will get added in the future

File:

• trunk/src/VBox/Runtime/common/fuzz/fuzz.cpp (modified) (9 diffs)

trunk/src/VBox/Runtime/common/fuzz/fuzz.cpp

@@ -190 +190 @@
     /** Size of the mutation dependent data. */
     size_t                      cbMutation;
+    /** Flag whether the mutation is contained in the tree of the context. */
+    bool                        fInTree;
     /** Mutation dependent data, variable in size. */
     uint8_t                     abMutation[1];
@@ -471 +473 @@
 
 /**
+ * Destroys the given mutation.
+ *
+ * @returns nothing.
+ * @param   pMutation           The mutation to destroy.
+ */
+static void rtFuzzMutationDestroy(PRTFUZZMUTATION pMutation)
+{
+    rtFuzzCtxMemoryFree(pMutation->pFuzzer, pMutation);
+}
+
+
+/**
  * Retains an external reference to the given mutation.
  *
@@ -479 +493 @@
 {
     uint32_t cRefs = ASMAtomicIncU32(&pMutation->cRefs);
-    AssertMsg(cRefs > 1 && cRefs < _1M, ("%#x %p\n", cRefs, pMutation));
+    AssertMsg(   (   cRefs > 1
+                  || pMutation->fInTree)
+              && cRefs < _1M, ("%#x %p\n", cRefs, pMutation));
     return cRefs;
 }
 
 
-#if 0 /* unused */
 /**
  * Releases an external reference from the given mutation.
@@ -495 +510 @@
     uint32_t cRefs = ASMAtomicDecU32(&pMutation->cRefs);
     AssertMsg(cRefs < _1M, ("%#x %p\n", cRefs, pMutation));
+    if (cRefs == 0 && !pMutation->fInTree)
+        rtFuzzMutationDestroy(pMutation);
     return cRefs;
 }
-#endif
 
 
@@ -519 +535 @@
     AssertRC(rc); RT_NOREF(rc);
 
+    pMutation->fInTree = true;
     return rc;
 }
@@ -531 +548 @@
 static PRTFUZZMUTATION rtFuzzCtxMutationPickRnd(PRTFUZZCTXINT pThis)
 {
-    uint64_t idxMutation = RTRandAdvU64Ex(pThis->hRand, 0, ASMAtomicReadU64(&pThis->cMutations));
+    uint64_t idxMutation = RTRandAdvU64Ex(pThis->hRand, 1, ASMAtomicReadU64(&pThis->cMutations));
 
     int rc = RTSemRWRequestRead(pThis->hSemRwMutations, RT_INDEFINITE_WAIT);
@@ -575 +592 @@
         pMutation->pMutationParent = pMutationParent;
         pMutation->cbMutation      = cbAdditional;
+        pMutation->fInTree         = false;
 
         if (pMutationParent)
@@ -583 +601 @@
 
     return pMutation;
-}
-
-
-/**
- * Destroys the given mutation.
- *
- * @returns nothing.
- * @param   pMutation           The mutation to destroy.
- */
-static void rtFuzzMutationDestroy(PRTFUZZMUTATION pMutation)
-{
-    rtFuzzCtxMemoryFree(pMutation->pFuzzer, pMutation);
 }
 
@@ -888 +894 @@
         rtFuzzCtxMemoryFree(pFuzzer, pThis->u.Blob.pvInput);
 
+    rtFuzzMutationRelease(pThis->pMutationTop);
     rtFuzzCtxMemoryFree(pFuzzer, pThis);
     RTFuzzCtxRelease(pFuzzer);