Changeset 77758 in vbox for trunk/src/VBox
- Timestamp:
- Mar 18, 2019 1:17:30 PM (6 years ago)
- Location:
- trunk/src/VBox/Runtime/common/fuzz
- Files:
-
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/VBox/Runtime/common/fuzz/fuzz-observer.cpp
r77693 r77758 489 489 { 490 490 Assert(fEvtsRecv & RTPOLL_EVT_READ); 491 //rc = RTFuzzTgtStateAppendStdoutFromPipe(pExecCtx->hTgtState, pExecCtx->hPipeStdoutR);492 //AssertRC(rc);491 rc = RTFuzzTgtStateAppendStdoutFromPipe(pExecCtx->hTgtState, pExecCtx->hPipeStdoutR); 492 AssertRC(rc); 493 493 } 494 494 else if (idEvt == RTFUZZOBS_EXEC_CTX_POLL_ID_STDERR) … … 496 496 Assert(fEvtsRecv & RTPOLL_EVT_READ); 497 497 498 /* 499 * Can't add the stderr buffer with sancov enabled as it dumps the resulting report file path 500 * (which includes the always changing pid) to stderr... 501 */ 502 if (!(pThis->fSanitizers & RTFUZZOBS_SANITIZER_F_SANCOV)) 503 { 504 rc = RTFuzzTgtStateAppendStderrFromPipe(pExecCtx->hTgtState, pExecCtx->hPipeStderrR); 505 AssertRC(rc); 506 } 507 else 508 { 509 /* Dump to /dev/null. */ 510 char abBitBucket[_4K]; 511 size_t cbRead = 0; 512 do 513 { 514 rc = RTPipeRead(pExecCtx->hPipeStderrR, &abBitBucket[0], sizeof(abBitBucket), &cbRead); 515 } while ( RT_SUCCESS(rc) 516 && cbRead == sizeof(abBitBucket)); 517 } 498 rc = RTFuzzTgtStateAppendStderrFromPipe(pExecCtx->hTgtState, pExecCtx->hPipeStderrR); 499 AssertRC(rc); 518 500 } 519 501 else if (idEvt == RTFUZZOBS_EXEC_CTX_POLL_ID_STDIN) … … 731 713 rc = RTFuzzInputWriteToFile(hFuzzInput, &szTmp[0]); 732 714 if (RT_SUCCESS(rc)) 733 { 734 RT_NOREF(pExecCtx); 735 #if 0 736 /* Stdout and Stderr. */ 737 rc = RTPathJoin(szTmp, sizeof(szTmp), &szPath[0], "stdout"); 738 AssertRC(rc); 739 rc = rtFuzzStdOutErrBufWriteToFile(&pExecCtx->StdOutBuf, &szTmp[0]); 740 if (RT_SUCCESS(rc)) 741 { 742 rc = RTPathJoin(szTmp, sizeof(szTmp), &szPath[0], "stderr"); 743 AssertRC(rc); 744 rc = rtFuzzStdOutErrBufWriteToFile(&pExecCtx->StdOutBuf, &szTmp[0]); 745 } 746 #endif 747 } 715 rc = RTFuzzTgtStateDumpToDir(pExecCtx->hTgtState, &szPath[0]); 748 716 } 749 717 } … … 838 806 if (RT_SUCCESS(rc)) 839 807 { 808 rc = RTFuzzTgtStateAddProcSts(pExecCtx->hTgtState, &ProcSts); 809 AssertRC(rc); 810 840 811 if (ProcSts.enmReason != RTPROCEXITREASON_NORMAL) 841 812 { … … 853 824 854 825 /* 855 * Check whether we reached a 826 * Check whether we reached an unknown target state and add the input to the 856 827 * corpus in that case. 857 828 */ … … 1108 1079 1109 1080 1110 RTDECL(int) RTFuzzObsCreate(PRTFUZZOBS phFuzzObs, RTFUZZCTXTYPE enmType )1081 RTDECL(int) RTFuzzObsCreate(PRTFUZZOBS phFuzzObs, RTFUZZCTXTYPE enmType, uint32_t fTgtRecFlags) 1111 1082 { 1112 1083 AssertPtrReturn(phFuzzObs, VERR_INVALID_POINTER); … … 1134 1105 if (RT_SUCCESS(rc)) 1135 1106 { 1136 rc = RTFuzzTgtRecorderCreate(&pThis->hTgtRec );1107 rc = RTFuzzTgtRecorderCreate(&pThis->hTgtRec, fTgtRecFlags); 1137 1108 if (RT_SUCCESS(rc)) 1138 1109 { -
trunk/src/VBox/Runtime/common/fuzz/fuzz-target-recorder.cpp
r77693 r77758 41 41 #include <iprt/list.h> 42 42 #include <iprt/mem.h> 43 #include <iprt/path.h> 43 44 #include <iprt/pipe.h> 45 #include <iprt/process.h> 44 46 #include <iprt/semaphore.h> 45 47 #include <iprt/string.h> … … 93 95 /** The stderr data buffer. */ 94 96 RTFUZZTGTSTDOUTERRBUF StdErrBuf; 97 /** Process status. */ 98 RTPROCSTATUS ProcSts; 95 99 /** Coverage report buffer. */ 96 100 void *pvCovReport; … … 141 145 /** Reference counter. */ 142 146 volatile uint32_t cRefs; 147 /** Flags passed when the recorder was created. */ 148 uint32_t fRecFlags; 143 149 /** Semaphore protecting the states tree. */ 144 150 RTSEMRW hSemRwStates; … … 237 243 238 244 /** 245 * Writes the given buffer to the given file. 246 * 247 * @returns IPRT status code. 248 * @param pBuf The buffer to write. 249 * @param pszFilename Where to write the buffer. 250 */ 251 static int rtFuzzTgtStateStdOutErrBufWriteToFile(PRTFUZZTGTSTDOUTERRBUF pBuf, const char *pszFilename) 252 { 253 RTFILE hFile; 254 int rc = RTFileOpen(&hFile, pszFilename, RTFILE_O_CREATE | RTFILE_O_WRITE | RTFILE_O_DENY_NONE); 255 if (RT_SUCCESS(rc)) 256 { 257 rc = RTFileWrite(hFile, pBuf->pbBase, pBuf->cbBuf, NULL); 258 AssertRC(rc); 259 RTFileClose(hFile); 260 261 if (RT_FAILURE(rc)) 262 RTFileDelete(pszFilename); 263 } 264 265 return rc; 266 } 267 268 269 /** 239 270 * Scans the given target state for newly discovered edges in the coverage report. 240 271 * … … 341 372 342 373 343 RTDECL(int) RTFuzzTgtRecorderCreate(PRTFUZZTGTREC phFuzzTgtRec) 344 { 374 /** 375 * Compares two given target states, checking whether they match. 376 * 377 * @returns Flag whether the states are identical. 378 * @param pThis Target state 1. 379 * @param pThat Target state 2. 380 */ 381 static bool rtFuzzTgtStateDoMatch(PRTFUZZTGTSTATEINT pThis, PRTFUZZTGTSTATEINT pThat) 382 { 383 PRTFUZZTGTRECINT pTgtRec = pThis->pTgtRec; 384 Assert(pTgtRec == pThat->pTgtRec); 385 386 if ( (pTgtRec->fRecFlags & RTFUZZTGT_REC_STATE_F_STDOUT) 387 && ( pThis->StdOutBuf.cbBuf != pThat->StdOutBuf.cbBuf 388 || ( pThis->StdOutBuf.cbBuf > 0 389 && memcmp(pThis->StdOutBuf.pbBase, pThat->StdOutBuf.pbBase, pThis->StdOutBuf.cbBuf)))) 390 return false; 391 392 if ( (pTgtRec->fRecFlags & RTFUZZTGT_REC_STATE_F_STDERR) 393 && ( pThis->StdErrBuf.cbBuf != pThat->StdErrBuf.cbBuf 394 || ( pThis->StdErrBuf.cbBuf > 0 395 && memcmp(pThis->StdErrBuf.pbBase, pThat->StdErrBuf.pbBase, pThis->StdErrBuf.cbBuf)))) 396 return false; 397 398 if ( (pTgtRec->fRecFlags & RTFUZZTGT_REC_STATE_F_PROCSTATUS) 399 && memcmp(&pThis->ProcSts, &pThat->ProcSts, sizeof(RTPROCSTATUS))) 400 return false; 401 402 if ( (pTgtRec->fRecFlags & RTFUZZTGT_REC_STATE_F_SANCOV) 403 && ( pThis->cbCovReport != pThat->cbCovReport 404 || ( pThis->cbCovReport > 0 405 && memcmp(pThis->pvCovReport, pThat->pvCovReport, pThis->cbCovReport)))) 406 return false; 407 408 return true; 409 } 410 411 412 RTDECL(int) RTFuzzTgtRecorderCreate(PRTFUZZTGTREC phFuzzTgtRec, uint32_t fRecFlags) 413 { 414 AssertPtrReturn(phFuzzTgtRec, VERR_INVALID_POINTER); 415 AssertReturn(!(fRecFlags & ~RTFUZZTGT_REC_STATE_F_VALID), VERR_INVALID_PARAMETER); 416 345 417 int rc; 346 418 PRTFUZZTGTRECINT pThis = (PRTFUZZTGTRECINT)RTMemAllocZ(sizeof(*pThis)); … … 352 424 pThis->TreeEdges = NULL; 353 425 pThis->cbCovOff = 0; 426 pThis->fRecFlags = fRecFlags; 354 427 355 428 rc = RTSemRWCreate(&pThis->hSemRwStates); … … 462 535 pThis->StdOutBuf.cbBuf = 0; 463 536 pThis->StdErrBuf.cbBuf = 0; 537 RT_ZERO(pThis->ProcSts); 464 538 if (pThis->pvCovReport) 465 539 RTMemFree(pThis->pvCovReport); … … 476 550 477 551 /* Create the checksum. */ 552 PRTFUZZTGTRECINT pTgtRec = pThis->pTgtRec; 478 553 uint64_t uChkSum = RTCrc64Start(); 479 if (pThis->StdOutBuf.cbBuf) 554 if ( (pTgtRec->fRecFlags & RTFUZZTGT_REC_STATE_F_STDOUT) 555 && pThis->StdOutBuf.cbBuf) 480 556 uChkSum = RTCrc64Process(uChkSum, pThis->StdOutBuf.pbBase, pThis->StdOutBuf.cbBuf); 481 if (pThis->StdErrBuf.cbBuf) 557 if ( (pTgtRec->fRecFlags & RTFUZZTGT_REC_STATE_F_STDERR) 558 && pThis->StdErrBuf.cbBuf) 482 559 uChkSum = RTCrc64Process(uChkSum, pThis->StdErrBuf.pbBase, pThis->StdErrBuf.cbBuf); 483 if (pThis->pvCovReport) 560 if (pTgtRec->fRecFlags & RTFUZZTGT_REC_STATE_F_PROCSTATUS) 561 uChkSum = RTCrc64Process(uChkSum, &pThis->ProcSts, sizeof(RTPROCSTATUS)); 562 if ( (pTgtRec->fRecFlags & RTFUZZTGT_REC_STATE_F_SANCOV) 563 && pThis->pvCovReport) 484 564 uChkSum = RTCrc64Process(uChkSum, pThis->pvCovReport, pThis->cbCovReport); 485 565 … … 514 594 RTListForEach(&pNode->LstStates, pIt, RTFUZZTGTSTATEINT, NdStates) 515 595 { 516 Assert( pThis->StdOutBuf.cbBuf == pIt->StdOutBuf.cbBuf 517 && pThis->StdErrBuf.cbBuf == pIt->StdErrBuf.cbBuf); 518 if ( ( !pThis->StdOutBuf.cbBuf 519 || !memcmp(pThis->StdOutBuf.pbBase, pIt->StdOutBuf.pbBase, pThis->StdOutBuf.cbBuf)) 520 && ( !pThis->StdErrBuf.cbBuf 521 || !memcmp(pThis->StdErrBuf.pbBase, pIt->StdErrBuf.pbBase, pThis->StdErrBuf.cbBuf)) 522 && ( pThis->cbCovReport != pIt->cbCovReport 523 || ( pThis->cbCovReport > 0 524 && !memcmp(pThis->pvCovReport, pIt->pvCovReport, pThis->cbCovReport)))) 596 if (rtFuzzTgtStateDoMatch(pThis, pIt)) 525 597 { 526 598 fMatchFound = true; … … 678 750 } 679 751 752 753 RTDECL(int) RTFuzzTgtStateAddProcSts(RTFUZZTGTSTATE hFuzzTgtState, PCRTPROCSTATUS pProcSts) 754 { 755 PRTFUZZTGTSTATEINT pThis = hFuzzTgtState; 756 AssertPtrReturn(pThis, VERR_INVALID_HANDLE); 757 AssertPtrReturn(pProcSts, VERR_INVALID_POINTER); 758 AssertReturn(!pThis->fFinalized, VERR_WRONG_ORDER); 759 760 pThis->ProcSts = *pProcSts; 761 return VINF_SUCCESS; 762 } 763 764 765 RTDECL(int) RTFuzzTgtStateDumpToDir(RTFUZZTGTSTATE hFuzzTgtState, const char *pszDirPath) 766 { 767 PRTFUZZTGTSTATEINT pThis = hFuzzTgtState; 768 AssertPtrReturn(pThis, VERR_INVALID_HANDLE); 769 AssertPtrReturn(pszDirPath, VERR_INVALID_POINTER); 770 AssertReturn(!pThis->fFinalized, VERR_WRONG_ORDER); 771 772 int rc = VINF_SUCCESS; 773 char szPath[RTPATH_MAX]; 774 if (pThis->StdOutBuf.cbBuf) 775 { 776 rc = RTPathJoin(szPath, sizeof(szPath), pszDirPath, "stdout"); AssertRC(rc); 777 if (RT_SUCCESS(rc)) 778 rc = rtFuzzTgtStateStdOutErrBufWriteToFile(&pThis->StdOutBuf, &szPath[0]); 779 } 780 781 if ( RT_SUCCESS(rc) 782 && pThis->StdErrBuf.cbBuf) 783 { 784 rc = RTPathJoin(szPath, sizeof(szPath), pszDirPath, "stderr"); AssertRC(rc); 785 if (RT_SUCCESS(rc)) 786 rc = rtFuzzTgtStateStdOutErrBufWriteToFile(&pThis->StdErrBuf, &szPath[0]); 787 } 788 789 return rc; 790 } 791 -
trunk/src/VBox/Runtime/common/fuzz/fuzz.cpp
r77693 r77758 560 560 static void rtFuzzCtxMemoryFree(PRTFUZZCTXINT pThis, void *pv) 561 561 { 562 AssertReturnVoid(pv != NULL); 562 563 PRTFUZZMEMHDR pMemHdr = ((PRTFUZZMEMHDR)pv) - 1; 563 564 … … 708 709 if (cRefs == 0) 709 710 { 710 rtFuzzCtxMutationMaybeEnterCache(pMutation->pFuzzer, pMutation);711 712 711 if (!pMutation->fInTree) 713 712 rtFuzzMutationDestroy(pMutation); 713 else 714 rtFuzzCtxMutationMaybeEnterCache(pMutation->pFuzzer, pMutation); 714 715 } 715 716 -
trunk/src/VBox/Runtime/common/fuzz/fuzzmastercmd.cpp
r77693 r77758 67 67 /** Number of processes. */ 68 68 uint32_t cProcs; 69 /** Target recorder flags. */ 70 uint32_t fTgtRecFlags; 69 71 /** The fuzzing observer state handle. */ 70 72 RTFUZZOBS hFuzzObs; … … 785 787 786 788 /** 789 * Processes target recording related configs for the given fuzzing run. 790 * 791 * @returns IPRT status code. 792 * @param pFuzzRun The fuzzing run. 793 * @param hJsonRoot The root node of the JSON request. 794 * @param pErrInfo Where to store the error information on failure, optional. 795 */ 796 static int rtFuzzCmdMasterFuzzRunProcessTgtRecFlags(PRTFUZZRUN pFuzzRun, RTJSONVAL hJsonRoot, PRTERRINFO pErrInfo) 797 { 798 RTJSONVAL hJsonValTgt; 799 int rc = RTJsonValueQueryByName(hJsonRoot, "TgtRec", &hJsonValTgt); 800 if (RT_SUCCESS(rc)) 801 { 802 uint32_t fTgtRecFlags = 0; 803 RTJSONIT hTgtIt; 804 rc = RTJsonIteratorBeginArray(hJsonValTgt, &hTgtIt); 805 if (RT_SUCCESS(rc)) 806 { 807 do 808 { 809 RTJSONVAL hVal; 810 rc = RTJsonIteratorQueryValue(hTgtIt, &hVal, NULL); 811 if (RT_SUCCESS(rc)) 812 { 813 const char *pszTgtRec = RTJsonValueGetString(hVal); 814 if (!RTStrICmp(pszTgtRec, "StdOut")) 815 fTgtRecFlags |= RTFUZZTGT_REC_STATE_F_STDOUT; 816 else if (!RTStrICmp(pszTgtRec, "StdErr")) 817 fTgtRecFlags |= RTFUZZTGT_REC_STATE_F_STDERR; 818 else if (!RTStrICmp(pszTgtRec, "ProcSts")) 819 fTgtRecFlags |= RTFUZZTGT_REC_STATE_F_PROCSTATUS; 820 else if (!RTStrICmp(pszTgtRec, "SanCov")) 821 fTgtRecFlags |= RTFUZZTGT_REC_STATE_F_SANCOV; 822 else 823 rc = rtFuzzCmdMasterErrorRc(pErrInfo, VERR_NOT_FOUND, "JSON request malformed: The recording flags '%s' is not known", pszTgtRec); 824 RTJsonValueRelease(hVal); 825 } 826 rc = RTJsonIteratorNext(hTgtIt); 827 } while (RT_SUCCESS(rc)); 828 829 if ( rc == VERR_JSON_IS_EMPTY 830 || rc == VERR_JSON_ITERATOR_END) 831 rc = VINF_SUCCESS; 832 else 833 rc = rtFuzzCmdMasterErrorRc(pErrInfo, rc, "JSON request malformed: Failed to parse target recording flags"); 834 835 RTJsonIteratorFree(hTgtIt); 836 } 837 else if (rc == VERR_JSON_IS_EMPTY) 838 rc = VINF_SUCCESS; 839 else 840 rc = rtFuzzCmdMasterErrorRc(pErrInfo, rc, "JSON request malformed: \"TgtRec\" is not an array"); 841 842 pFuzzRun->fTgtRecFlags = fTgtRecFlags; 843 844 RTJsonValueRelease(hJsonValTgt); 845 } 846 else if (rc == VERR_NOT_FOUND) 847 { 848 pFuzzRun->fTgtRecFlags = RTFUZZTGT_REC_STATE_F_PROCSTATUS; 849 rc = VINF_SUCCESS; /* Just keep using the defaults. */ 850 } 851 else 852 rc = rtFuzzCmdMasterErrorRc(pErrInfo, rc, "JSON request malformed: Failed to query \"TgtRec\""); 853 854 return rc; 855 } 856 857 858 /** 787 859 * Sets up the directories for the given fuzzing run. 788 860 * … … 852 924 if (RT_LIKELY(pFuzzRun->pszId)) 853 925 { 854 rc = RTFuzzObsCreate(&pFuzzRun->hFuzzObs, RTFUZZCTXTYPE_BLOB);926 rc = rtFuzzCmdMasterFuzzRunProcessTgtRecFlags(pFuzzRun, hJsonRoot, pErrInfo); 855 927 if (RT_SUCCESS(rc)) 856 928 { 857 rc = rtFuzzCmdMasterFuzzRunProcessBinaryCfg(pFuzzRun, hJsonRoot, pErrInfo); 858 if (RT_SUCCESS(rc)) 859 rc = rtFuzzCmdMasterFuzzRunProcessArgCfg(pFuzzRun, hJsonRoot, pErrInfo); 860 if (RT_SUCCESS(rc)) 861 rc = rtFuzzCmdMasterFuzzRunProcessEnvironment(pFuzzRun, hJsonRoot, pErrInfo); 862 if (RT_SUCCESS(rc)) 863 rc = rtFuzzCmdMasterFuzzRunProcessInputSeeds(pFuzzRun, hJsonRoot, pErrInfo); 864 if (RT_SUCCESS(rc)) 865 rc = rtFuzzCmdMasterFuzzRunProcessMiscCfg(pFuzzRun, hJsonRoot, pErrInfo); 866 if (RT_SUCCESS(rc)) 867 rc = rtFuzzCmdMasterFuzzRunProcessSanitizers(pFuzzRun, hJsonRoot, pErrInfo); 868 if (RT_SUCCESS(rc)) 869 rc = rtFuzzCmdMasterFuzzRunSetupDirectories(pThis, pFuzzRun, pErrInfo); 870 929 rc = RTFuzzObsCreate(&pFuzzRun->hFuzzObs, RTFUZZCTXTYPE_BLOB, pFuzzRun->fTgtRecFlags); 871 930 if (RT_SUCCESS(rc)) 872 931 { 873 /* Start fuzzing. */ 874 RTListAppend(&pThis->LstFuzzed, &pFuzzRun->NdFuzzed); 875 rc = RTFuzzObsExecStart(pFuzzRun->hFuzzObs, pFuzzRun->cProcs); 932 rc = rtFuzzCmdMasterFuzzRunProcessBinaryCfg(pFuzzRun, hJsonRoot, pErrInfo); 933 if (RT_SUCCESS(rc)) 934 rc = rtFuzzCmdMasterFuzzRunProcessArgCfg(pFuzzRun, hJsonRoot, pErrInfo); 935 if (RT_SUCCESS(rc)) 936 rc = rtFuzzCmdMasterFuzzRunProcessEnvironment(pFuzzRun, hJsonRoot, pErrInfo); 937 if (RT_SUCCESS(rc)) 938 rc = rtFuzzCmdMasterFuzzRunProcessInputSeeds(pFuzzRun, hJsonRoot, pErrInfo); 939 if (RT_SUCCESS(rc)) 940 rc = rtFuzzCmdMasterFuzzRunProcessMiscCfg(pFuzzRun, hJsonRoot, pErrInfo); 941 if (RT_SUCCESS(rc)) 942 rc = rtFuzzCmdMasterFuzzRunProcessSanitizers(pFuzzRun, hJsonRoot, pErrInfo); 943 if (RT_SUCCESS(rc)) 944 rc = rtFuzzCmdMasterFuzzRunSetupDirectories(pThis, pFuzzRun, pErrInfo); 945 876 946 if (RT_SUCCESS(rc)) 877 947 { 878 RTTIMESPEC TimeSpec; 879 RTTimeNow(&TimeSpec); 880 RTTimeLocalExplode(&pFuzzRun->TimeCreated, &TimeSpec); 881 pFuzzRun->tsCreatedMs = RTTimeMilliTS(); 882 pFuzzRun->fStarted = true; 948 /* Start fuzzing. */ 949 RTListAppend(&pThis->LstFuzzed, &pFuzzRun->NdFuzzed); 950 rc = RTFuzzObsExecStart(pFuzzRun->hFuzzObs, pFuzzRun->cProcs); 951 if (RT_SUCCESS(rc)) 952 { 953 RTTIMESPEC TimeSpec; 954 RTTimeNow(&TimeSpec); 955 RTTimeLocalExplode(&pFuzzRun->TimeCreated, &TimeSpec); 956 pFuzzRun->tsCreatedMs = RTTimeMilliTS(); 957 pFuzzRun->fStarted = true; 958 } 959 else 960 rc = rtFuzzCmdMasterErrorRc(pErrInfo, rc, "Request error: Failed to start fuzzing with %Rrc", rc); 883 961 } 884 else885 rc = rtFuzzCmdMasterErrorRc(pErrInfo, rc, "Request error: Failed to start fuzzing with %Rrc", rc);886 962 } 887 963 }
Note:
See TracChangeset
for help on using the changeset viewer.