138 lines
4.1 KiB
C++
138 lines
4.1 KiB
C++
//===- FuzzerDataFlowTrace.h - Internal header for the Fuzzer ---*- C++ -* ===//
|
|
//
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
// fuzzer::DataFlowTrace; reads and handles a data-flow trace.
|
|
//
|
|
// A data flow trace is generated by e.g. dataflow/DataFlow.cpp
|
|
// and is stored on disk in a separate directory.
|
|
//
|
|
// The trace dir contains a file 'functions.txt' which lists function names,
|
|
// oner per line, e.g.
|
|
// ==> functions.txt <==
|
|
// Func2
|
|
// LLVMFuzzerTestOneInput
|
|
// Func1
|
|
//
|
|
// All other files in the dir are the traces, see dataflow/DataFlow.cpp.
|
|
// The name of the file is sha1 of the input used to generate the trace.
|
|
//
|
|
// Current status:
|
|
// the data is parsed and the summary is printed, but the data is not yet
|
|
// used in any other way.
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
#ifndef LLVM_FUZZER_DATA_FLOW_TRACE
|
|
#define LLVM_FUZZER_DATA_FLOW_TRACE
|
|
|
|
#include "FuzzerDefs.h"
|
|
#include "FuzzerIO.h"
|
|
|
|
#include <unordered_map>
|
|
#include <unordered_set>
|
|
#include <vector>
|
|
#include <string>
|
|
|
|
namespace fuzzer {
|
|
|
|
int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath,
|
|
const std::vector<SizedFile> &CorporaFiles);
|
|
|
|
class BlockCoverage {
|
|
public:
|
|
// These functions guarantee no CoverageVector is longer than UINT32_MAX.
|
|
bool AppendCoverage(std::istream &IN);
|
|
bool AppendCoverage(const std::string &S);
|
|
|
|
size_t NumCoveredFunctions() const { return Functions.size(); }
|
|
|
|
uint32_t GetCounter(size_t FunctionId, size_t BasicBlockId) {
|
|
auto It = Functions.find(FunctionId);
|
|
if (It == Functions.end())
|
|
return 0;
|
|
const auto &Counters = It->second;
|
|
if (BasicBlockId < Counters.size())
|
|
return Counters[BasicBlockId];
|
|
return 0;
|
|
}
|
|
|
|
uint32_t GetNumberOfBlocks(size_t FunctionId) {
|
|
auto It = Functions.find(FunctionId);
|
|
if (It == Functions.end()) return 0;
|
|
const auto &Counters = It->second;
|
|
return static_cast<uint32_t>(Counters.size());
|
|
}
|
|
|
|
uint32_t GetNumberOfCoveredBlocks(size_t FunctionId) {
|
|
auto It = Functions.find(FunctionId);
|
|
if (It == Functions.end()) return 0;
|
|
const auto &Counters = It->second;
|
|
uint32_t Result = 0;
|
|
for (auto Cnt: Counters)
|
|
if (Cnt)
|
|
Result++;
|
|
return Result;
|
|
}
|
|
|
|
std::vector<double> FunctionWeights(size_t NumFunctions) const;
|
|
void clear() { Functions.clear(); }
|
|
|
|
private:
|
|
typedef std::vector<uint32_t> CoverageVector;
|
|
|
|
uint32_t NumberOfCoveredBlocks(const CoverageVector &Counters) const {
|
|
uint32_t Res = 0;
|
|
for (auto Cnt : Counters)
|
|
if (Cnt)
|
|
Res++;
|
|
return Res;
|
|
}
|
|
|
|
uint32_t NumberOfUncoveredBlocks(const CoverageVector &Counters) const {
|
|
return static_cast<uint32_t>(Counters.size()) -
|
|
NumberOfCoveredBlocks(Counters);
|
|
}
|
|
|
|
uint32_t SmallestNonZeroCounter(const CoverageVector &Counters) const {
|
|
assert(!Counters.empty());
|
|
uint32_t Res = Counters[0];
|
|
for (auto Cnt : Counters)
|
|
if (Cnt)
|
|
Res = Min(Res, Cnt);
|
|
assert(Res);
|
|
return Res;
|
|
}
|
|
|
|
// Function ID => vector of counters.
|
|
// Each counter represents how many input files trigger the given basic block.
|
|
std::unordered_map<size_t, CoverageVector> Functions;
|
|
// Functions that have DFT entry.
|
|
std::unordered_set<size_t> FunctionsWithDFT;
|
|
};
|
|
|
|
class DataFlowTrace {
|
|
public:
|
|
void ReadCoverage(const std::string &DirPath);
|
|
bool Init(const std::string &DirPath, std::string *FocusFunction,
|
|
std::vector<SizedFile> &CorporaFiles, Random &Rand);
|
|
void Clear() { Traces.clear(); }
|
|
const std::vector<uint8_t> *Get(const std::string &InputSha1) const {
|
|
auto It = Traces.find(InputSha1);
|
|
if (It != Traces.end())
|
|
return &It->second;
|
|
return nullptr;
|
|
}
|
|
|
|
private:
|
|
// Input's sha1 => DFT for the FocusFunction.
|
|
std::unordered_map<std::string, std::vector<uint8_t>> Traces;
|
|
BlockCoverage Coverage;
|
|
std::unordered_set<std::string> CorporaHashes;
|
|
};
|
|
} // namespace fuzzer
|
|
|
|
#endif // LLVM_FUZZER_DATA_FLOW_TRACE
|