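//===- FuzzerDataFlowTrace.h - Internal header for the Fuzzer ---*- C++ -* ===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// fuzzer::DataFlowTrace; reads and handles a data-flow trace.
//
// A data flow trace is generated by e.g. dataflow/DataFlow.cpp
// and is stored on disk in a separate directory.
//
// The trace dir contains a file 'functions.txt' which lists function names,
// one per line, e.g.
// ==> functions.txt <==
// Func2
// LLVMFuzzerTestOneInput
// Func1
//
// All other files in the dir are the traces, see dataflow/DataFlow.cpp.
// The name of the file is sha1 of the input used to generate the trace.
//
// Current status:
//   the data is parsed and the summary is printed, but the data is not yet
//   used in any other way.
//
// Everything in the trace dir is file content parsed at run time. The
// accessors in this header therefore bounds-check every function and block
// id they are given instead of trusting the caller.
//===----------------------------------------------------------------------===//

#ifndef LLVM_FUZZER_DATA_FLOW_TRACE
#define LLVM_FUZZER_DATA_FLOW_TRACE

#include "FuzzerDefs.h"
#include "FuzzerIO.h"

#include <cassert>
#include <cstddef>
#include <cstdint>
#include <istream>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <vector>

namespace fuzzer {

// Declared here, defined elsewhere.
// NOTE(review): the parameter names suggest that DFTBinary is a program that
// is run over CorporaFiles with its output stored under DirPath, and that the
// returned int is a status code -- confirm against the definition. If that is
// right, DFTBinary and DirPath must come from the operator, never from data
// the fuzz target or corpus can influence.
int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath,
                    const std::vector<SizedFile> &CorporaFiles);

// Per-function basic-block hit counters accumulated over a set of inputs.
class BlockCoverage {
public:
  // These functions guarantee no CoverageVector is longer than UINT32_MAX.
  // The accessors below rely on that guarantee when they narrow
  // Counters.size() to uint32_t.
  // NOTE(review): the bool result presumably reports whether the coverage
  // data was well formed -- confirm against the definitions, and make sure
  // callers do not ignore it.
  bool AppendCoverage(std::istream &IN);
  bool AppendCoverage(const std::string &S);

  // Number of functions that have a counter vector.
  size_t NumCoveredFunctions() const { return Functions.size(); }

  // Counter of basic block BasicBlockId in function FunctionId.
  // Returns 0 when either id is unknown or out of range; never indexes
  // outside the counter vector.
  uint32_t GetCounter(size_t FunctionId, size_t BasicBlockId) const {
    const auto It = Functions.find(FunctionId);
    if (It == Functions.end())
      return 0;
    const auto &Counters = It->second;
    return BasicBlockId < Counters.size() ? Counters[BasicBlockId] : 0;
  }

  // Number of basic blocks recorded for FunctionId, 0 if it is unknown.
  uint32_t GetNumberOfBlocks(size_t FunctionId) const {
    const auto It = Functions.find(FunctionId);
    if (It == Functions.end())
      return 0;
    // Cannot truncate: AppendCoverage caps every vector at UINT32_MAX entries.
    return static_cast<uint32_t>(It->second.size());
  }

  // Number of basic blocks of FunctionId with a non-zero counter, 0 if the
  // function is unknown.
  uint32_t GetNumberOfCoveredBlocks(size_t FunctionId) const {
    const auto It = Functions.find(FunctionId);
    if (It == Functions.end())
      return 0;
    return NumberOfCoveredBlocks(It->second);
  }

  std::vector<double> FunctionWeights(size_t NumFunctions) const;

  // Drops all per-function counters.
  void clear() { Functions.clear(); }

private:
  using CoverageVector = std::vector<uint32_t>;

  // Counts the non-zero entries of Counters.
  uint32_t NumberOfCoveredBlocks(const CoverageVector &Counters) const {
    uint32_t Res = 0;
    for (auto Cnt : Counters)
      if (Cnt)
        Res++;
    return Res;
  }

  // Counts the zero entries of Counters.
  uint32_t NumberOfUncoveredBlocks(const CoverageVector &Counters) const {
    return static_cast<uint32_t>(Counters.size()) -
           NumberOfCoveredBlocks(Counters);
  }

  // Smallest non-zero entry of Counters.
  // The search starts from "nothing found" rather than from Counters[0], so
  // a zero first counter no longer pins the result to 0 when later counters
  // are non-zero. Asserts that Counters is non-empty and holds at least one
  // non-zero entry; with assertions compiled out an all-zero vector yields
  // 0, which callers must not use as a divisor.
  uint32_t SmallestNonZeroCounter(const CoverageVector &Counters) const {
    assert(!Counters.empty());
    uint32_t Res = 0;
    for (auto Cnt : Counters)
      if (Cnt && (Res == 0 || Cnt < Res))
        Res = Cnt;
    assert(Res);
    return Res;
  }

  // Function ID => vector of counters.
  // Each counter represents how many input files trigger the given basic block.
  std::unordered_map<size_t, CoverageVector> Functions;
  // Functions that have DFT entry.
  std::unordered_set<size_t> FunctionsWithDFT;
};

// Data-flow traces keyed by the sha1 of the input that produced them.
class DataFlowTrace {
public:
  // Both declared here and defined elsewhere; each takes the trace directory
  // as DirPath.
  void ReadCoverage(const std::string &DirPath);
  bool Init(const std::string &DirPath, std::string *FocusFunction,
            std::vector<SizedFile> &CorporaFiles, Random &Rand);

  // Drops all stored traces. Pointers previously returned by Get() dangle
  // after this call.
  void Clear() { Traces.clear(); }

  // Returns the trace stored for InputSha1, or nullptr if there is none.
  // The pointer is non-owning and refers to an element of Traces; it stays
  // valid only until that element is erased, e.g. by Clear().
  const std::vector<uint8_t> *Get(const std::string &InputSha1) const {
    const auto It = Traces.find(InputSha1);
    return It != Traces.end() ? &It->second : nullptr;
  }

private:
  // Input's sha1 => DFT for the FocusFunction.
  std::unordered_map<std::string, std::vector<uint8_t>> Traces;
  BlockCoverage Coverage;
  std::unordered_set<std::string> CorporaHashes;
};
} // namespace fuzzer

#endif // LLVM_FUZZER_DATA_FLOW_TRACE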