From 380051868a7531830d94d312f0f11b0e19e3284f Mon Sep 17 00:00:00 2001 From: van Hauser Date: Thu, 10 Sep 2020 15:26:46 +0200 Subject: add libfuzzer custom mutator, minor enhancements and fixes --- custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp | 344 ++++++++++++++++++++++ 1 file changed, 344 insertions(+) create mode 100644 custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp (limited to 'custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp') diff --git a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp new file mode 100644 index 00000000..797a52a7 --- /dev/null +++ b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp @@ -0,0 +1,344 @@ +//===- FuzzerDataFlowTrace.cpp - DataFlowTrace ---*- C++ -* ===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// fuzzer::DataFlowTrace +//===----------------------------------------------------------------------===// + +#include "FuzzerDataFlowTrace.h" + +#include "FuzzerCommand.h" +#include "FuzzerIO.h" +#include "FuzzerRandom.h" +#include "FuzzerSHA1.h" +#include "FuzzerUtil.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +namespace fuzzer { + +static const char *kFunctionsTxt = "functions.txt"; + +bool BlockCoverage::AppendCoverage(const std::string &S) { + + std::stringstream SS(S); + return AppendCoverage(SS); + +} + +// Coverage lines have this form: +// CN X Y Z T +// where N is the number of the function, T is the total number of instrumented +// BBs, and X,Y,Z, if present, are the indecies of covered BB. +// BB #0, which is the entry block, is not explicitly listed. +bool BlockCoverage::AppendCoverage(std::istream &IN) { + + std::string L; + while (std::getline(IN, L, '\n')) { + + if (L.empty()) continue; + std::stringstream SS(L.c_str() + 1); + size_t FunctionId = 0; + SS >> FunctionId; + if (L[0] == 'F') { + + FunctionsWithDFT.insert(FunctionId); + continue; + + } + + if (L[0] != 'C') continue; + Vector CoveredBlocks; + while (true) { + + uint32_t BB = 0; + SS >> BB; + if (!SS) break; + CoveredBlocks.push_back(BB); + + } + + if (CoveredBlocks.empty()) return false; + uint32_t NumBlocks = CoveredBlocks.back(); + CoveredBlocks.pop_back(); + for (auto BB : CoveredBlocks) + if (BB >= NumBlocks) return false; + auto It = Functions.find(FunctionId); + auto &Counters = + It == Functions.end() + ? Functions.insert({FunctionId, Vector(NumBlocks)}) + .first->second + : It->second; + + if (Counters.size() != NumBlocks) return false; // wrong number of blocks. + + Counters[0]++; + for (auto BB : CoveredBlocks) + Counters[BB]++; + + } + + return true; + +} + +// Assign weights to each function. +// General principles: +// * any uncovered function gets weight 0. +// * a function with lots of uncovered blocks gets bigger weight. +// * a function with a less frequently executed code gets bigger weight. +Vector BlockCoverage::FunctionWeights(size_t NumFunctions) const { + + Vector Res(NumFunctions); + for (auto It : Functions) { + + auto FunctionID = It.first; + auto Counters = It.second; + assert(FunctionID < NumFunctions); + auto &Weight = Res[FunctionID]; + // Give higher weight if the function has a DFT. + Weight = FunctionsWithDFT.count(FunctionID) ? 1000. : 1; + // Give higher weight to functions with less frequently seen basic blocks. + Weight /= SmallestNonZeroCounter(Counters); + // Give higher weight to functions with the most uncovered basic blocks. + Weight *= NumberOfUncoveredBlocks(Counters) + 1; + + } + + return Res; + +} + +void DataFlowTrace::ReadCoverage(const std::string &DirPath) { + + Vector Files; + GetSizedFilesFromDir(DirPath, &Files); + for (auto &SF : Files) { + + auto Name = Basename(SF.File); + if (Name == kFunctionsTxt) continue; + if (!CorporaHashes.count(Name)) continue; + std::ifstream IF(SF.File); + Coverage.AppendCoverage(IF); + + } + +} + +static void DFTStringAppendToVector(Vector * DFT, + const std::string &DFTString) { + + assert(DFT->size() == DFTString.size()); + for (size_t I = 0, Len = DFT->size(); I < Len; I++) + (*DFT)[I] = DFTString[I] == '1'; + +} + +// converts a string of '0' and '1' into a Vector +static Vector DFTStringToVector(const std::string &DFTString) { + + Vector DFT(DFTString.size()); + DFTStringAppendToVector(&DFT, DFTString); + return DFT; + +} + +static bool ParseError(const char *Err, const std::string &Line) { + + Printf("DataFlowTrace: parse error: %s: Line: %s\n", Err, Line.c_str()); + return false; + +} + +// TODO(metzman): replace std::string with std::string_view for +// better performance. Need to figure our how to use string_view on Windows. +static bool ParseDFTLine(const std::string &Line, size_t *FunctionNum, + std::string *DFTString) { + + if (!Line.empty() && Line[0] != 'F') return false; // Ignore coverage. + size_t SpacePos = Line.find(' '); + if (SpacePos == std::string::npos) + return ParseError("no space in the trace line", Line); + if (Line.empty() || Line[0] != 'F') + return ParseError("the trace line doesn't start with 'F'", Line); + *FunctionNum = std::atol(Line.c_str() + 1); + const char *Beg = Line.c_str() + SpacePos + 1; + const char *End = Line.c_str() + Line.size(); + assert(Beg < End); + size_t Len = End - Beg; + for (size_t I = 0; I < Len; I++) { + + if (Beg[I] != '0' && Beg[I] != '1') + return ParseError("the trace should contain only 0 or 1", Line); + + } + + *DFTString = Beg; + return true; + +} + +bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction, + Vector &CorporaFiles, Random &Rand) { + + if (DirPath.empty()) return false; + Printf("INFO: DataFlowTrace: reading from '%s'\n", DirPath.c_str()); + Vector Files; + GetSizedFilesFromDir(DirPath, &Files); + std::string L; + size_t FocusFuncIdx = SIZE_MAX; + Vector FunctionNames; + + // Collect the hashes of the corpus files. + for (auto &SF : CorporaFiles) + CorporaHashes.insert(Hash(FileToVector(SF.File))); + + // Read functions.txt + std::ifstream IF(DirPlusFile(DirPath, kFunctionsTxt)); + size_t NumFunctions = 0; + while (std::getline(IF, L, '\n')) { + + FunctionNames.push_back(L); + NumFunctions++; + if (*FocusFunction == L) FocusFuncIdx = NumFunctions - 1; + + } + + if (!NumFunctions) return false; + + if (*FocusFunction == "auto") { + + // AUTOFOCUS works like this: + // * reads the coverage data from the DFT files. + // * assigns weights to functions based on coverage. + // * chooses a random function according to the weights. + ReadCoverage(DirPath); + auto Weights = Coverage.FunctionWeights(NumFunctions); + Vector Intervals(NumFunctions + 1); + std::iota(Intervals.begin(), Intervals.end(), 0); + auto Distribution = std::piecewise_constant_distribution( + Intervals.begin(), Intervals.end(), Weights.begin()); + FocusFuncIdx = static_cast(Distribution(Rand)); + *FocusFunction = FunctionNames[FocusFuncIdx]; + assert(FocusFuncIdx < NumFunctions); + Printf("INFO: AUTOFOCUS: %zd %s\n", FocusFuncIdx, + FunctionNames[FocusFuncIdx].c_str()); + for (size_t i = 0; i < NumFunctions; i++) { + + if (!Weights[i]) continue; + Printf(" [%zd] W %g\tBB-tot %u\tBB-cov %u\tEntryFreq %u:\t%s\n", i, + Weights[i], Coverage.GetNumberOfBlocks(i), + Coverage.GetNumberOfCoveredBlocks(i), Coverage.GetCounter(i, 0), + FunctionNames[i].c_str()); + + } + + } + + if (!NumFunctions || FocusFuncIdx == SIZE_MAX || Files.size() <= 1) + return false; + + // Read traces. + size_t NumTraceFiles = 0; + size_t NumTracesWithFocusFunction = 0; + for (auto &SF : Files) { + + auto Name = Basename(SF.File); + if (Name == kFunctionsTxt) continue; + if (!CorporaHashes.count(Name)) continue; // not in the corpus. + NumTraceFiles++; + // Printf("=== %s\n", Name.c_str()); + std::ifstream IF(SF.File); + while (std::getline(IF, L, '\n')) { + + size_t FunctionNum = 0; + std::string DFTString; + if (ParseDFTLine(L, &FunctionNum, &DFTString) && + FunctionNum == FocusFuncIdx) { + + NumTracesWithFocusFunction++; + + if (FunctionNum >= NumFunctions) + return ParseError("N is greater than the number of functions", L); + Traces[Name] = DFTStringToVector(DFTString); + // Print just a few small traces. + if (NumTracesWithFocusFunction <= 3 && DFTString.size() <= 16) + Printf("%s => |%s|\n", Name.c_str(), std::string(DFTString).c_str()); + break; // No need to parse the following lines. + + } + + } + + } + + Printf( + "INFO: DataFlowTrace: %zd trace files, %zd functions, " + "%zd traces with focus function\n", + NumTraceFiles, NumFunctions, NumTracesWithFocusFunction); + return NumTraceFiles > 0; + +} + +int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath, + const Vector &CorporaFiles) { + + Printf("INFO: collecting data flow: bin: %s dir: %s files: %zd\n", + DFTBinary.c_str(), DirPath.c_str(), CorporaFiles.size()); + if (CorporaFiles.empty()) { + + Printf("ERROR: can't collect data flow without corpus provided."); + return 1; + + } + + static char DFSanEnv[] = "DFSAN_OPTIONS=warn_unimplemented=0"; + putenv(DFSanEnv); + MkDir(DirPath); + for (auto &F : CorporaFiles) { + + // For every input F we need to collect the data flow and the coverage. + // Data flow collection may fail if we request too many DFSan tags at once. + // So, we start from requesting all tags in range [0,Size) and if that fails + // we then request tags in [0,Size/2) and [Size/2, Size), and so on. + // Function number => DFT. + auto OutPath = DirPlusFile(DirPath, Hash(FileToVector(F.File))); + std::unordered_map> DFTMap; + std::unordered_set Cov; + Command Cmd; + Cmd.addArgument(DFTBinary); + Cmd.addArgument(F.File); + Cmd.addArgument(OutPath); + Printf("CMD: %s\n", Cmd.toString().c_str()); + ExecuteCommand(Cmd); + + } + + // Write functions.txt if it's currently empty or doesn't exist. + auto FunctionsTxtPath = DirPlusFile(DirPath, kFunctionsTxt); + if (FileToString(FunctionsTxtPath).empty()) { + + Command Cmd; + Cmd.addArgument(DFTBinary); + Cmd.setOutputFile(FunctionsTxtPath); + ExecuteCommand(Cmd); + + } + + return 0; + +} + +} // namespace fuzzer + -- cgit 1.4.1 From 33a7d6f1688856c050b0ac71ac1df4018e4d531c Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Mon, 4 Jan 2021 15:14:20 +0100 Subject: code cleanups (from cppcheck) --- custom_mutators/honggfuzz/mangle.c | 2 +- custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp | 10 +++++----- custom_mutators/libfuzzer/FuzzerDefs.h | 2 +- custom_mutators/libfuzzer/FuzzerDictionary.h | 4 ++-- custom_mutators/libfuzzer/FuzzerRandom.h | 2 +- custom_mutators/libfuzzer/FuzzerTracePC.h | 8 ++++---- include/debug.h | 6 +++--- unicorn_mode/unicornafl | 2 +- utils/defork/defork.c | 2 +- utils/persistent_mode/Makefile | 8 ++++---- utils/qemu_persistent_hook/test.c | 2 +- 11 files changed, 24 insertions(+), 24 deletions(-) (limited to 'custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp') diff --git a/custom_mutators/honggfuzz/mangle.c b/custom_mutators/honggfuzz/mangle.c index c2988319..9c3d1ed4 100644 --- a/custom_mutators/honggfuzz/mangle.c +++ b/custom_mutators/honggfuzz/mangle.c @@ -995,7 +995,7 @@ void mangle_mangleContent(run_t *run, int speed_factor) { } - uint64_t changesCnt = run->global->mutate.mutationsPerRun; + uint64_t changesCnt; if (speed_factor < 5) { diff --git a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp index 797a52a7..489665f7 100644 --- a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp +++ b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp @@ -246,7 +246,7 @@ bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction, } - if (!NumFunctions || FocusFuncIdx == SIZE_MAX || Files.size() <= 1) + if (FocusFuncIdx == SIZE_MAX || Files.size() <= 1) return false; // Read traces. @@ -259,8 +259,8 @@ bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction, if (!CorporaHashes.count(Name)) continue; // not in the corpus. NumTraceFiles++; // Printf("=== %s\n", Name.c_str()); - std::ifstream IF(SF.File); - while (std::getline(IF, L, '\n')) { + std::ifstream IF2(SF.File); + while (std::getline(IF2, L, '\n')) { size_t FunctionNum = 0; std::string DFTString; @@ -314,8 +314,8 @@ int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath, // we then request tags in [0,Size/2) and [Size/2, Size), and so on. // Function number => DFT. auto OutPath = DirPlusFile(DirPath, Hash(FileToVector(F.File))); - std::unordered_map> DFTMap; - std::unordered_set Cov; +// std::unordered_map> DFTMap; +// std::unordered_set Cov; Command Cmd; Cmd.addArgument(DFTBinary); Cmd.addArgument(F.File); diff --git a/custom_mutators/libfuzzer/FuzzerDefs.h b/custom_mutators/libfuzzer/FuzzerDefs.h index 1a2752af..3952ac51 100644 --- a/custom_mutators/libfuzzer/FuzzerDefs.h +++ b/custom_mutators/libfuzzer/FuzzerDefs.h @@ -46,7 +46,7 @@ template fuzzer_allocator() = default; template - fuzzer_allocator(const fuzzer_allocator&) {} + explicit fuzzer_allocator(const fuzzer_allocator&) {} template struct rebind { typedef fuzzer_allocator other; }; diff --git a/custom_mutators/libfuzzer/FuzzerDictionary.h b/custom_mutators/libfuzzer/FuzzerDictionary.h index 301c5d9a..ddd2d2f1 100644 --- a/custom_mutators/libfuzzer/FuzzerDictionary.h +++ b/custom_mutators/libfuzzer/FuzzerDictionary.h @@ -49,7 +49,7 @@ typedef FixedWord<64> Word; class DictionaryEntry { public: DictionaryEntry() {} - DictionaryEntry(Word W) : W(W) {} + explicit DictionaryEntry(Word W) : W(W) {} DictionaryEntry(Word W, size_t PositionHint) : W(W), PositionHint(PositionHint) {} const Word &GetW() const { return W; } @@ -92,7 +92,7 @@ class Dictionary { assert(Idx < Size); return DE[Idx]; } - void push_back(DictionaryEntry DE) { + void push_back(const DictionaryEntry &DE) { if (Size < kMaxDictSize) this->DE[Size++] = DE; } diff --git a/custom_mutators/libfuzzer/FuzzerRandom.h b/custom_mutators/libfuzzer/FuzzerRandom.h index 659283ee..7b1e1b1d 100644 --- a/custom_mutators/libfuzzer/FuzzerRandom.h +++ b/custom_mutators/libfuzzer/FuzzerRandom.h @@ -16,7 +16,7 @@ namespace fuzzer { class Random : public std::minstd_rand { public: - Random(unsigned int seed) : std::minstd_rand(seed) {} + explicit Random(unsigned int seed) : std::minstd_rand(seed) {} result_type operator()() { return this->std::minstd_rand::operator()(); } size_t Rand() { return this->operator()(); } size_t RandBool() { return Rand() % 2; } diff --git a/custom_mutators/libfuzzer/FuzzerTracePC.h b/custom_mutators/libfuzzer/FuzzerTracePC.h index 4601300c..a58fdf8d 100644 --- a/custom_mutators/libfuzzer/FuzzerTracePC.h +++ b/custom_mutators/libfuzzer/FuzzerTracePC.h @@ -145,10 +145,10 @@ private: }; Region *Regions; size_t NumRegions; - uint8_t *Start() { return Regions[0].Start; } - uint8_t *Stop() { return Regions[NumRegions - 1].Stop; } - size_t Size() { return Stop() - Start(); } - size_t Idx(uint8_t *P) { + uint8_t *Start() const { return Regions[0].Start; } + uint8_t *Stop() const { return Regions[NumRegions - 1].Stop; } + size_t Size() const { return Stop() - Start(); } + size_t Idx(uint8_t *P) const { assert(P >= Start() && P < Stop()); return P - Start(); } diff --git a/include/debug.h b/include/debug.h index 7f4a6be1..ef5b195b 100644 --- a/include/debug.h +++ b/include/debug.h @@ -295,7 +295,7 @@ static inline const char *colorfilter(const char *x) { \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ "\n[-] PROGRAM ABORT : " cRST x); \ - SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", __func__, \ + SAYF(cLRD "\n Location : " cRST "%s(), %s:%d\n\n", __func__, \ __FILE__, __LINE__); \ exit(1); \ \ @@ -308,7 +308,7 @@ static inline const char *colorfilter(const char *x) { \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ "\n[-] PROGRAM ABORT : " cRST x); \ - SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", __func__, \ + SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n\n", __func__, \ __FILE__, __LINE__); \ abort(); \ \ @@ -322,7 +322,7 @@ static inline const char *colorfilter(const char *x) { fflush(stdout); \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ "\n[-] SYSTEM ERROR : " cRST x); \ - SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", __func__, \ + SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n", __func__, \ __FILE__, __LINE__); \ SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \ exit(1); \ diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 8cca4801..768e6bb2 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 8cca4801adb767dce7cf72202d7d25bdb420cf7d +Subproject commit 768e6bb29b7cb98bb2b9c4526ae3d234db5c1615 diff --git a/utils/defork/defork.c b/utils/defork/defork.c index f71d1124..f50b9a4b 100644 --- a/utils/defork/defork.c +++ b/utils/defork/defork.c @@ -1,4 +1,4 @@ -#define __GNU_SOURCE +#define _GNU_SOURCE #include #include #include diff --git a/utils/persistent_mode/Makefile b/utils/persistent_mode/Makefile index 6fa1c30e..e348c46c 100644 --- a/utils/persistent_mode/Makefile +++ b/utils/persistent_mode/Makefile @@ -1,10 +1,10 @@ all: - afl-clang-fast -o persistent_demo persistent_demo.c - afl-clang-fast -o persistent_demo_new persistent_demo_new.c - AFL_DONT_OPTIMIZE=1 afl-clang-fast -o test-instr test-instr.c + ../../afl-clang-fast -o persistent_demo persistent_demo.c + ../../afl-clang-fast -o persistent_demo_new persistent_demo_new.c + AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -o test-instr test-instr.c document: - AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c + AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c clean: rm -f persistent_demo persistent_demo_new test-instr diff --git a/utils/qemu_persistent_hook/test.c b/utils/qemu_persistent_hook/test.c index afeff202..a0e815dc 100644 --- a/utils/qemu_persistent_hook/test.c +++ b/utils/qemu_persistent_hook/test.c @@ -2,7 +2,7 @@ int target_func(unsigned char *buf, int size) { - printf("buffer:%p, size:%p\n", buf, size); + printf("buffer:%p, size:%d\n", buf, size); switch (buf[0]) { case 1: -- cgit 1.4.1 From 5cdbfeef4a84b9dc2e5f8e88ee018c6c6e72fa44 Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Mon, 4 Jan 2021 15:17:39 +0100 Subject: Revert "code cleanups (from cppcheck)" This reverts commit 33a7d6f1688856c050b0ac71ac1df4018e4d531c. --- custom_mutators/honggfuzz/mangle.c | 2 +- custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp | 10 +++++----- custom_mutators/libfuzzer/FuzzerDefs.h | 2 +- custom_mutators/libfuzzer/FuzzerDictionary.h | 4 ++-- custom_mutators/libfuzzer/FuzzerRandom.h | 2 +- custom_mutators/libfuzzer/FuzzerTracePC.h | 8 ++++---- include/debug.h | 6 +++--- unicorn_mode/unicornafl | 2 +- utils/defork/defork.c | 2 +- utils/persistent_mode/Makefile | 8 ++++---- utils/qemu_persistent_hook/test.c | 2 +- 11 files changed, 24 insertions(+), 24 deletions(-) (limited to 'custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp') diff --git a/custom_mutators/honggfuzz/mangle.c b/custom_mutators/honggfuzz/mangle.c index 9c3d1ed4..c2988319 100644 --- a/custom_mutators/honggfuzz/mangle.c +++ b/custom_mutators/honggfuzz/mangle.c @@ -995,7 +995,7 @@ void mangle_mangleContent(run_t *run, int speed_factor) { } - uint64_t changesCnt; + uint64_t changesCnt = run->global->mutate.mutationsPerRun; if (speed_factor < 5) { diff --git a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp index 489665f7..797a52a7 100644 --- a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp +++ b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp @@ -246,7 +246,7 @@ bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction, } - if (FocusFuncIdx == SIZE_MAX || Files.size() <= 1) + if (!NumFunctions || FocusFuncIdx == SIZE_MAX || Files.size() <= 1) return false; // Read traces. @@ -259,8 +259,8 @@ bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction, if (!CorporaHashes.count(Name)) continue; // not in the corpus. NumTraceFiles++; // Printf("=== %s\n", Name.c_str()); - std::ifstream IF2(SF.File); - while (std::getline(IF2, L, '\n')) { + std::ifstream IF(SF.File); + while (std::getline(IF, L, '\n')) { size_t FunctionNum = 0; std::string DFTString; @@ -314,8 +314,8 @@ int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath, // we then request tags in [0,Size/2) and [Size/2, Size), and so on. // Function number => DFT. auto OutPath = DirPlusFile(DirPath, Hash(FileToVector(F.File))); -// std::unordered_map> DFTMap; -// std::unordered_set Cov; + std::unordered_map> DFTMap; + std::unordered_set Cov; Command Cmd; Cmd.addArgument(DFTBinary); Cmd.addArgument(F.File); diff --git a/custom_mutators/libfuzzer/FuzzerDefs.h b/custom_mutators/libfuzzer/FuzzerDefs.h index 3952ac51..1a2752af 100644 --- a/custom_mutators/libfuzzer/FuzzerDefs.h +++ b/custom_mutators/libfuzzer/FuzzerDefs.h @@ -46,7 +46,7 @@ template fuzzer_allocator() = default; template - explicit fuzzer_allocator(const fuzzer_allocator&) {} + fuzzer_allocator(const fuzzer_allocator&) {} template struct rebind { typedef fuzzer_allocator other; }; diff --git a/custom_mutators/libfuzzer/FuzzerDictionary.h b/custom_mutators/libfuzzer/FuzzerDictionary.h index ddd2d2f1..301c5d9a 100644 --- a/custom_mutators/libfuzzer/FuzzerDictionary.h +++ b/custom_mutators/libfuzzer/FuzzerDictionary.h @@ -49,7 +49,7 @@ typedef FixedWord<64> Word; class DictionaryEntry { public: DictionaryEntry() {} - explicit DictionaryEntry(Word W) : W(W) {} + DictionaryEntry(Word W) : W(W) {} DictionaryEntry(Word W, size_t PositionHint) : W(W), PositionHint(PositionHint) {} const Word &GetW() const { return W; } @@ -92,7 +92,7 @@ class Dictionary { assert(Idx < Size); return DE[Idx]; } - void push_back(const DictionaryEntry &DE) { + void push_back(DictionaryEntry DE) { if (Size < kMaxDictSize) this->DE[Size++] = DE; } diff --git a/custom_mutators/libfuzzer/FuzzerRandom.h b/custom_mutators/libfuzzer/FuzzerRandom.h index 7b1e1b1d..659283ee 100644 --- a/custom_mutators/libfuzzer/FuzzerRandom.h +++ b/custom_mutators/libfuzzer/FuzzerRandom.h @@ -16,7 +16,7 @@ namespace fuzzer { class Random : public std::minstd_rand { public: - explicit Random(unsigned int seed) : std::minstd_rand(seed) {} + Random(unsigned int seed) : std::minstd_rand(seed) {} result_type operator()() { return this->std::minstd_rand::operator()(); } size_t Rand() { return this->operator()(); } size_t RandBool() { return Rand() % 2; } diff --git a/custom_mutators/libfuzzer/FuzzerTracePC.h b/custom_mutators/libfuzzer/FuzzerTracePC.h index a58fdf8d..4601300c 100644 --- a/custom_mutators/libfuzzer/FuzzerTracePC.h +++ b/custom_mutators/libfuzzer/FuzzerTracePC.h @@ -145,10 +145,10 @@ private: }; Region *Regions; size_t NumRegions; - uint8_t *Start() const { return Regions[0].Start; } - uint8_t *Stop() const { return Regions[NumRegions - 1].Stop; } - size_t Size() const { return Stop() - Start(); } - size_t Idx(uint8_t *P) const { + uint8_t *Start() { return Regions[0].Start; } + uint8_t *Stop() { return Regions[NumRegions - 1].Stop; } + size_t Size() { return Stop() - Start(); } + size_t Idx(uint8_t *P) { assert(P >= Start() && P < Stop()); return P - Start(); } diff --git a/include/debug.h b/include/debug.h index ef5b195b..7f4a6be1 100644 --- a/include/debug.h +++ b/include/debug.h @@ -295,7 +295,7 @@ static inline const char *colorfilter(const char *x) { \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ "\n[-] PROGRAM ABORT : " cRST x); \ - SAYF(cLRD "\n Location : " cRST "%s(), %s:%d\n\n", __func__, \ + SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", __func__, \ __FILE__, __LINE__); \ exit(1); \ \ @@ -308,7 +308,7 @@ static inline const char *colorfilter(const char *x) { \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ "\n[-] PROGRAM ABORT : " cRST x); \ - SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n\n", __func__, \ + SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", __func__, \ __FILE__, __LINE__); \ abort(); \ \ @@ -322,7 +322,7 @@ static inline const char *colorfilter(const char *x) { fflush(stdout); \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ "\n[-] SYSTEM ERROR : " cRST x); \ - SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n", __func__, \ + SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", __func__, \ __FILE__, __LINE__); \ SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \ exit(1); \ diff --git a/unicorn_mode/unicornafl b/unicorn_mode/unicornafl index 768e6bb2..8cca4801 160000 --- a/unicorn_mode/unicornafl +++ b/unicorn_mode/unicornafl @@ -1 +1 @@ -Subproject commit 768e6bb29b7cb98bb2b9c4526ae3d234db5c1615 +Subproject commit 8cca4801adb767dce7cf72202d7d25bdb420cf7d diff --git a/utils/defork/defork.c b/utils/defork/defork.c index f50b9a4b..f71d1124 100644 --- a/utils/defork/defork.c +++ b/utils/defork/defork.c @@ -1,4 +1,4 @@ -#define _GNU_SOURCE +#define __GNU_SOURCE #include #include #include diff --git a/utils/persistent_mode/Makefile b/utils/persistent_mode/Makefile index e348c46c..6fa1c30e 100644 --- a/utils/persistent_mode/Makefile +++ b/utils/persistent_mode/Makefile @@ -1,10 +1,10 @@ all: - ../../afl-clang-fast -o persistent_demo persistent_demo.c - ../../afl-clang-fast -o persistent_demo_new persistent_demo_new.c - AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -o test-instr test-instr.c + afl-clang-fast -o persistent_demo persistent_demo.c + afl-clang-fast -o persistent_demo_new persistent_demo_new.c + AFL_DONT_OPTIMIZE=1 afl-clang-fast -o test-instr test-instr.c document: - AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c + AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c clean: rm -f persistent_demo persistent_demo_new test-instr diff --git a/utils/qemu_persistent_hook/test.c b/utils/qemu_persistent_hook/test.c index a0e815dc..afeff202 100644 --- a/utils/qemu_persistent_hook/test.c +++ b/utils/qemu_persistent_hook/test.c @@ -2,7 +2,7 @@ int target_func(unsigned char *buf, int size) { - printf("buffer:%p, size:%d\n", buf, size); + printf("buffer:%p, size:%p\n", buf, size); switch (buf[0]) { case 1: -- cgit 1.4.1 From b7af98e94561ebe44ea37304a357b00499d1104d Mon Sep 17 00:00:00 2001 From: hexcoder- Date: Mon, 4 Jan 2021 15:32:22 +0100 Subject: code cleanups (from cppcheck mostly) --- custom_mutators/honggfuzz/mangle.c | 2 +- custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp | 10 +++++----- custom_mutators/libfuzzer/FuzzerDefs.h | 2 +- custom_mutators/libfuzzer/FuzzerDictionary.h | 4 ++-- custom_mutators/libfuzzer/FuzzerRandom.h | 2 +- custom_mutators/libfuzzer/FuzzerTracePC.h | 8 ++++---- include/debug.h | 6 +++--- utils/defork/defork.c | 2 +- utils/persistent_mode/Makefile | 8 ++++---- utils/qemu_persistent_hook/test.c | 2 +- 10 files changed, 23 insertions(+), 23 deletions(-) (limited to 'custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp') diff --git a/custom_mutators/honggfuzz/mangle.c b/custom_mutators/honggfuzz/mangle.c index c2988319..9c3d1ed4 100644 --- a/custom_mutators/honggfuzz/mangle.c +++ b/custom_mutators/honggfuzz/mangle.c @@ -995,7 +995,7 @@ void mangle_mangleContent(run_t *run, int speed_factor) { } - uint64_t changesCnt = run->global->mutate.mutationsPerRun; + uint64_t changesCnt; if (speed_factor < 5) { diff --git a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp index 797a52a7..489665f7 100644 --- a/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp +++ b/custom_mutators/libfuzzer/FuzzerDataFlowTrace.cpp @@ -246,7 +246,7 @@ bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction, } - if (!NumFunctions || FocusFuncIdx == SIZE_MAX || Files.size() <= 1) + if (FocusFuncIdx == SIZE_MAX || Files.size() <= 1) return false; // Read traces. @@ -259,8 +259,8 @@ bool DataFlowTrace::Init(const std::string &DirPath, std::string *FocusFunction, if (!CorporaHashes.count(Name)) continue; // not in the corpus. NumTraceFiles++; // Printf("=== %s\n", Name.c_str()); - std::ifstream IF(SF.File); - while (std::getline(IF, L, '\n')) { + std::ifstream IF2(SF.File); + while (std::getline(IF2, L, '\n')) { size_t FunctionNum = 0; std::string DFTString; @@ -314,8 +314,8 @@ int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath, // we then request tags in [0,Size/2) and [Size/2, Size), and so on. // Function number => DFT. auto OutPath = DirPlusFile(DirPath, Hash(FileToVector(F.File))); - std::unordered_map> DFTMap; - std::unordered_set Cov; +// std::unordered_map> DFTMap; +// std::unordered_set Cov; Command Cmd; Cmd.addArgument(DFTBinary); Cmd.addArgument(F.File); diff --git a/custom_mutators/libfuzzer/FuzzerDefs.h b/custom_mutators/libfuzzer/FuzzerDefs.h index 1a2752af..3952ac51 100644 --- a/custom_mutators/libfuzzer/FuzzerDefs.h +++ b/custom_mutators/libfuzzer/FuzzerDefs.h @@ -46,7 +46,7 @@ template fuzzer_allocator() = default; template - fuzzer_allocator(const fuzzer_allocator&) {} + explicit fuzzer_allocator(const fuzzer_allocator&) {} template struct rebind { typedef fuzzer_allocator other; }; diff --git a/custom_mutators/libfuzzer/FuzzerDictionary.h b/custom_mutators/libfuzzer/FuzzerDictionary.h index 301c5d9a..ddd2d2f1 100644 --- a/custom_mutators/libfuzzer/FuzzerDictionary.h +++ b/custom_mutators/libfuzzer/FuzzerDictionary.h @@ -49,7 +49,7 @@ typedef FixedWord<64> Word; class DictionaryEntry { public: DictionaryEntry() {} - DictionaryEntry(Word W) : W(W) {} + explicit DictionaryEntry(Word W) : W(W) {} DictionaryEntry(Word W, size_t PositionHint) : W(W), PositionHint(PositionHint) {} const Word &GetW() const { return W; } @@ -92,7 +92,7 @@ class Dictionary { assert(Idx < Size); return DE[Idx]; } - void push_back(DictionaryEntry DE) { + void push_back(const DictionaryEntry &DE) { if (Size < kMaxDictSize) this->DE[Size++] = DE; } diff --git a/custom_mutators/libfuzzer/FuzzerRandom.h b/custom_mutators/libfuzzer/FuzzerRandom.h index 659283ee..7b1e1b1d 100644 --- a/custom_mutators/libfuzzer/FuzzerRandom.h +++ b/custom_mutators/libfuzzer/FuzzerRandom.h @@ -16,7 +16,7 @@ namespace fuzzer { class Random : public std::minstd_rand { public: - Random(unsigned int seed) : std::minstd_rand(seed) {} + explicit Random(unsigned int seed) : std::minstd_rand(seed) {} result_type operator()() { return this->std::minstd_rand::operator()(); } size_t Rand() { return this->operator()(); } size_t RandBool() { return Rand() % 2; } diff --git a/custom_mutators/libfuzzer/FuzzerTracePC.h b/custom_mutators/libfuzzer/FuzzerTracePC.h index 4601300c..a58fdf8d 100644 --- a/custom_mutators/libfuzzer/FuzzerTracePC.h +++ b/custom_mutators/libfuzzer/FuzzerTracePC.h @@ -145,10 +145,10 @@ private: }; Region *Regions; size_t NumRegions; - uint8_t *Start() { return Regions[0].Start; } - uint8_t *Stop() { return Regions[NumRegions - 1].Stop; } - size_t Size() { return Stop() - Start(); } - size_t Idx(uint8_t *P) { + uint8_t *Start() const { return Regions[0].Start; } + uint8_t *Stop() const { return Regions[NumRegions - 1].Stop; } + size_t Size() const { return Stop() - Start(); } + size_t Idx(uint8_t *P) const { assert(P >= Start() && P < Stop()); return P - Start(); } diff --git a/include/debug.h b/include/debug.h index 7f4a6be1..ef5b195b 100644 --- a/include/debug.h +++ b/include/debug.h @@ -295,7 +295,7 @@ static inline const char *colorfilter(const char *x) { \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ "\n[-] PROGRAM ABORT : " cRST x); \ - SAYF(cLRD "\n Location : " cRST "%s(), %s:%u\n\n", __func__, \ + SAYF(cLRD "\n Location : " cRST "%s(), %s:%d\n\n", __func__, \ __FILE__, __LINE__); \ exit(1); \ \ @@ -308,7 +308,7 @@ static inline const char *colorfilter(const char *x) { \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ "\n[-] PROGRAM ABORT : " cRST x); \ - SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n\n", __func__, \ + SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n\n", __func__, \ __FILE__, __LINE__); \ abort(); \ \ @@ -322,7 +322,7 @@ static inline const char *colorfilter(const char *x) { fflush(stdout); \ SAYF(bSTOP RESET_G1 CURSOR_SHOW cRST cLRD \ "\n[-] SYSTEM ERROR : " cRST x); \ - SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%u\n", __func__, \ + SAYF(cLRD "\n Stop location : " cRST "%s(), %s:%d\n", __func__, \ __FILE__, __LINE__); \ SAYF(cLRD " OS message : " cRST "%s\n", strerror(errno)); \ exit(1); \ diff --git a/utils/defork/defork.c b/utils/defork/defork.c index f71d1124..f50b9a4b 100644 --- a/utils/defork/defork.c +++ b/utils/defork/defork.c @@ -1,4 +1,4 @@ -#define __GNU_SOURCE +#define _GNU_SOURCE #include #include #include diff --git a/utils/persistent_mode/Makefile b/utils/persistent_mode/Makefile index 6fa1c30e..e348c46c 100644 --- a/utils/persistent_mode/Makefile +++ b/utils/persistent_mode/Makefile @@ -1,10 +1,10 @@ all: - afl-clang-fast -o persistent_demo persistent_demo.c - afl-clang-fast -o persistent_demo_new persistent_demo_new.c - AFL_DONT_OPTIMIZE=1 afl-clang-fast -o test-instr test-instr.c + ../../afl-clang-fast -o persistent_demo persistent_demo.c + ../../afl-clang-fast -o persistent_demo_new persistent_demo_new.c + AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -o test-instr test-instr.c document: - AFL_DONT_OPTIMIZE=1 afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c + AFL_DONT_OPTIMIZE=1 ../../afl-clang-fast -D_AFL_DOCUMENT_MUTATIONS -o test-instr test-instr.c clean: rm -f persistent_demo persistent_demo_new test-instr diff --git a/utils/qemu_persistent_hook/test.c b/utils/qemu_persistent_hook/test.c index afeff202..a0e815dc 100644 --- a/utils/qemu_persistent_hook/test.c +++ b/utils/qemu_persistent_hook/test.c @@ -2,7 +2,7 @@ int target_func(unsigned char *buf, int size) { - printf("buffer:%p, size:%p\n", buf, size); + printf("buffer:%p, size:%d\n", buf, size); switch (buf[0]) { case 1: -- cgit 1.4.1