Path: blob/main/contrib/llvm-project/compiler-rt/lib/fuzzer/FuzzerMerge.h
35262 views
//===- FuzzerMerge.h - merging corpa ----------------------------*- C++ -* ===//1//2// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.3// See https://llvm.org/LICENSE.txt for license information.4// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception5//6//===----------------------------------------------------------------------===//7// Merging Corpora.8//9// The task:10// Take the existing corpus (possibly empty) and merge new inputs into11// it so that only inputs with new coverage ('features') are added.12// The process should tolerate the crashes, OOMs, leaks, etc.13//14// Algorithm:15// The outer process collects the set of files and writes their names16// into a temporary "control" file, then repeatedly launches the inner17// process until all inputs are processed.18// The outer process does not actually execute the target code.19//20// The inner process reads the control file and sees a) list of all the inputs21// and b) the last processed input. Then it starts processing the inputs one22// by one. Before processing every input it writes one line to control file:23// STARTED INPUT_ID INPUT_SIZE24// After processing an input it writes the following lines:25// FT INPUT_ID Feature1 Feature2 Feature3 ...26// COV INPUT_ID Coverage1 Coverage2 Coverage3 ...27// If a crash happens while processing an input the last line in the control28// file will be "STARTED INPUT_ID" and so the next process will know29// where to resume.30//31// Once all inputs are processed by the inner process(es) the outer process32// reads the control files and does the merge based entirely on the contents33// of control file.34// It uses a single pass greedy algorithm choosing first the smallest inputs35// within the same size the inputs that have more new features.36//37//===----------------------------------------------------------------------===//3839#ifndef LLVM_FUZZER_MERGE_H40#define LLVM_FUZZER_MERGE_H4142#include "FuzzerDefs.h"43#include "FuzzerIO.h"4445#include <istream>46#include <ostream>47#include <set>48#include <vector>4950namespace fuzzer {5152struct MergeFileInfo {53std::string Name;54size_t Size = 0;55std::vector<uint32_t> Features, Cov;56};5758struct Merger {59std::vector<MergeFileInfo> Files;60size_t NumFilesInFirstCorpus = 0;61size_t FirstNotProcessedFile = 0;62std::string LastFailure;6364bool Parse(std::istream &IS, bool ParseCoverage);65bool Parse(const std::string &Str, bool ParseCoverage);66void ParseOrExit(std::istream &IS, bool ParseCoverage);67size_t Merge(const std::set<uint32_t> &InitialFeatures,68std::set<uint32_t> *NewFeatures,69const std::set<uint32_t> &InitialCov, std::set<uint32_t> *NewCov,70std::vector<std::string> *NewFiles);71size_t SetCoverMerge(const std::set<uint32_t> &InitialFeatures,72std::set<uint32_t> *NewFeatures,73const std::set<uint32_t> &InitialCov,74std::set<uint32_t> *NewCov,75std::vector<std::string> *NewFiles);76size_t ApproximateMemoryConsumption() const;77std::set<uint32_t> AllFeatures() const;78};7980void CrashResistantMerge(const std::vector<std::string> &Args,81const std::vector<SizedFile> &OldCorpus,82const std::vector<SizedFile> &NewCorpus,83std::vector<std::string> *NewFiles,84const std::set<uint32_t> &InitialFeatures,85std::set<uint32_t> *NewFeatures,86const std::set<uint32_t> &InitialCov,87std::set<uint32_t> *NewCov, const std::string &CFPath,88bool Verbose, bool IsSetCoverMerge);8990} // namespace fuzzer9192#endif // LLVM_FUZZER_MERGE_H939495