Global Metrics
path: .metrics.cyclomatic.average
old: 2.6140350877192984
new: 3.5
path: .metrics.cyclomatic.sum
old: 149.0
new: 63.0
path: .metrics.nexits.sum
old: 52.0
new: 9.0
path: .metrics.nexits.average
old: 1.0833333333333333
new: 0.6923076923076923
path: .metrics.mi.mi_original
old: -27.68739003629574
new: 8.641931135536353
path: .metrics.mi.mi_sei
old: -74.97880305628635
new: -35.22045349917997
path: .metrics.mi.mi_visual_studio
old: 0.0
new: 5.053760897974476
path: .metrics.loc.lloc
old: 306.0
new: 157.0
path: .metrics.loc.blank
old: 150.0
new: 46.0
path: .metrics.loc.cloc
old: 115.0
new: 34.0
path: .metrics.loc.sloc
old: 964.0
new: 409.0
path: .metrics.loc.ploc
old: 699.0
new: 329.0
path: .metrics.nom.closures
old: 0.0
new: 2.0
path: .metrics.nom.functions
old: 48.0
new: 11.0
path: .metrics.nom.total
old: 48.0
new: 13.0
path: .metrics.cognitive.sum
old: 114.0
new: 56.0
path: .metrics.cognitive.average
old: 2.375
new: 4.3076923076923075
path: .metrics.nargs.sum
old: 56.0
new: 11.0
path: .metrics.nargs.average
old: 1.1666666666666667
new: 0.8461538461538461
path: .metrics.halstead.volume
old: 27245.311847611734
new: 16336.07956426438
path: .metrics.halstead.vocabulary
old: 383.0
new: 282.0
path: .metrics.halstead.length
old: 3175.0
new: 2007.0
path: .metrics.halstead.purity_ratio
old: 0.9873482902781048
new: 1.0622123193382325
path: .metrics.halstead.N1
old: 1831.0
new: 1164.0
path: .metrics.halstead.bugs
old: 4.475935459836841
new: 3.562989809119565
path: .metrics.halstead.difficulty
old: 57.110481586402265
new: 67.64814814814815
path: .metrics.halstead.n1
old: 30.0
new: 39.0
path: .metrics.halstead.n2
old: 353.0
new: 243.0
path: .metrics.halstead.N2
old: 1344.0
new: 843.0
path: .metrics.halstead.estimated_program_length
old: 3134.8308216329824
new: 2131.8601249118324
path: .metrics.halstead.level
old: 0.017509920634920635
new: 0.014782370654256777
path: .metrics.halstead.effort
old: 1555992.8805888176
new: 1105105.5305232925
path: .metrics.halstead.time
old: 86444.04892160097
new: 61394.75169573846
Spaces Data
Minimal test - lines (32, 36)
path: .spaces[0].spaces[0].metrics.nargs.average
old: 1.1666666666666667
new: null
path: .spaces[0].spaces[0].metrics.nargs.sum
old: 56.0
new: 0.0
path: .spaces[0].spaces[0].metrics.halstead.length
old: 3156.0
new: 17.0
path: .spaces[0].spaces[0].metrics.halstead.N1
old: 1830.0
new: 10.0
path: .spaces[0].spaces[0].metrics.halstead.effort
old: 1594945.9327000452
new: 150.88843006865403
path: .spaces[0].spaces[0].metrics.halstead.volume
old: 26863.09137528985
new: 53.8887250245193
path: .spaces[0].spaces[0].metrics.halstead.level
old: 0.016842634489693312
new: 0.35714285714285715
path: .spaces[0].spaces[0].metrics.halstead.purity_ratio
old: 0.9370064982442572
new: 1.1535082632021652
path: .spaces[0].spaces[0].metrics.halstead.vocabulary
old: 365.0
new: 9.0
path: .spaces[0].spaces[0].metrics.halstead.difficulty
old: 59.37313432835821
new: 2.8
path: .spaces[0].spaces[0].metrics.halstead.n2
old: 335.0
new: 5.0
path: .spaces[0].spaces[0].metrics.halstead.N2
old: 1326.0
new: 7.0
path: .spaces[0].spaces[0].metrics.halstead.estimated_program_length
old: 2957.192508458876
new: 19.60964047443681
path: .spaces[0].spaces[0].metrics.halstead.time
old: 88608.10737222474
new: 8.382690559369669
path: .spaces[0].spaces[0].metrics.halstead.n1
old: 30.0
new: 4.0
path: .spaces[0].spaces[0].metrics.halstead.bugs
old: 4.550328202466399
new: 0.009447481247557812
path: .spaces[0].spaces[0].metrics.mi.mi_original
old: -26.659098263648104
new: 123.96511519993206
path: .spaces[0].spaces[0].metrics.mi.mi_sei
old: -74.17375406238229
new: 103.24482480956276
path: .spaces[0].spaces[0].metrics.mi.mi_visual_studio
old: 0.0
new: 72.49421941516495
path: .spaces[0].spaces[0].metrics.nexits.average
old: 1.0833333333333333
new: null
path: .spaces[0].spaces[0].metrics.nexits.sum
old: 52.0
new: 0.0
path: .spaces[0].spaces[0].metrics.nom.total
old: 48.0
new: 0.0
path: .spaces[0].spaces[0].metrics.nom.functions
old: 48.0
new: 0.0
path: .spaces[0].spaces[0].metrics.cyclomatic.average
old: 2.672727272727273
new: 1.0
path: .spaces[0].spaces[0].metrics.cyclomatic.sum
old: 147.0
new: 1.0
path: .spaces[0].spaces[0].metrics.loc.blank
old: 148.0
new: 0.0
path: .spaces[0].spaces[0].metrics.loc.sloc
old: 935.0
new: 5.0
path: .spaces[0].spaces[0].metrics.loc.lloc
old: 306.0
new: 0.0
path: .spaces[0].spaces[0].metrics.loc.ploc
old: 680.0
new: 5.0
path: .spaces[0].spaces[0].metrics.loc.cloc
old: 107.0
new: 0.0
path: .spaces[0].spaces[0].metrics.cognitive.average
old: 2.375
new: null
path: .spaces[0].spaces[0].metrics.cognitive.sum
old: 114.0
new: 0.0
Code
struct Stats {
size_t number_of_executed_units = 0;
size_t peak_rss_mb = 0;
size_t average_exec_per_sec = 0;
};
Minimal test - lines (30, 409)
path: .spaces[0].metrics.loc.blank
old: 147.0
new: 44.0
path: .spaces[0].metrics.loc.ploc
old: 682.0
new: 312.0
path: .spaces[0].metrics.loc.lloc
old: 306.0
new: 157.0
path: .spaces[0].metrics.loc.sloc
old: 937.0
new: 380.0
path: .spaces[0].metrics.loc.cloc
old: 108.0
new: 24.0
path: .spaces[0].metrics.nargs.average
old: 1.1666666666666667
new: 0.8461538461538461
path: .spaces[0].metrics.nargs.sum
old: 56.0
new: 11.0
path: .spaces[0].metrics.nexits.average
old: 1.0833333333333333
new: 0.6923076923076923
path: .spaces[0].metrics.nexits.sum
old: 52.0
new: 9.0
path: .spaces[0].metrics.mi.mi_sei
old: -74.38054005828182
new: -35.822860960070365
path: .spaces[0].metrics.mi.mi_original
old: -26.9294187832958
new: 10.110703953440606
path: .spaces[0].metrics.mi.mi_visual_studio
old: 0.0
new: 5.912692370433103
path: .spaces[0].metrics.nom.functions
old: 48.0
new: 11.0
path: .spaces[0].metrics.nom.total
old: 48.0
new: 13.0
path: .spaces[0].metrics.nom.closures
old: 0.0
new: 2.0
path: .spaces[0].metrics.cognitive.sum
old: 114.0
new: 56.0
path: .spaces[0].metrics.cognitive.average
old: 2.375
new: 4.3076923076923075
path: .spaces[0].metrics.halstead.n1
old: 30.0
new: 39.0
path: .spaces[0].metrics.halstead.volume
old: 26892.58008930101
new: 16187.966133838094
path: .spaces[0].metrics.halstead.estimated_program_length
old: 2967.025371921919
new: 2057.1121689784027
path: .spaces[0].metrics.halstead.bugs
old: 4.546902713916889
new: 3.598397086272904
path: .spaces[0].metrics.halstead.effort
old: 1593145.2579688588
new: 1121619.398188165
path: .spaces[0].metrics.halstead.n2
old: 336.0
new: 235.0
path: .spaces[0].metrics.halstead.difficulty
old: 59.24107142857143
new: 69.2872340425532
path: .spaces[0].metrics.halstead.N2
old: 1327.0
new: 835.0
path: .spaces[0].metrics.halstead.N1
old: 1831.0
new: 1164.0
path: .spaces[0].metrics.halstead.length
old: 3158.0
new: 1999.0
path: .spaces[0].metrics.halstead.time
old: 88508.06988715882
new: 62312.18878823138
path: .spaces[0].metrics.halstead.level
old: 0.01688018085908063
new: 0.014432673115307843
path: .spaces[0].metrics.halstead.vocabulary
old: 366.0
new: 274.0
path: .spaces[0].metrics.halstead.purity_ratio
old: 0.9395267168847116
new: 1.0290706197991009
path: .spaces[0].metrics.cyclomatic.sum
old: 148.0
new: 62.0
path: .spaces[0].metrics.cyclomatic.average
old: 2.642857142857143
new: 3.647058823529412
Code
namespace fuzzer {
struct Stats {
size_t number_of_executed_units = 0;
size_t peak_rss_mb = 0;
size_t average_exec_per_sec = 0;
};
static Stats ParseFinalStatsFromLog(const std::string &LogPath) {
std::ifstream In(LogPath);
std::string Line;
Stats Res;
struct {
const char *Name;
size_t *Var;
} NameVarPairs[] = {
{"stat::number_of_executed_units:", &Res.number_of_executed_units},
{"stat::peak_rss_mb:", &Res.peak_rss_mb},
{"stat::average_exec_per_sec:", &Res.average_exec_per_sec},
{nullptr, nullptr},
};
while (std::getline(In, Line, '\n')) {
if (Line.find("stat::") != 0) continue;
std::istringstream ISS(Line);
std::string Name;
size_t Val;
ISS >> Name >> Val;
for (size_t i = 0; NameVarPairs[i].Name; i++)
if (Name == NameVarPairs[i].Name)
*NameVarPairs[i].Var = Val;
}
return Res;
}
struct FuzzJob {
// Inputs.
Command Cmd;
std::string CorpusDir;
std::string FeaturesDir;
std::string LogPath;
std::string SeedListPath;
std::string CFPath;
size_t JobId;
int DftTimeInSeconds = 0;
// Fuzzing Outputs.
int ExitCode;
~FuzzJob() {
RemoveFile(CFPath);
RemoveFile(LogPath);
RemoveFile(SeedListPath);
RmDirRecursive(CorpusDir);
RmDirRecursive(FeaturesDir);
}
};
struct GlobalEnv {
Vector Args;
Vector CorpusDirs;
std::string MainCorpusDir;
std::string TempDir;
std::string DFTDir;
std::string DataFlowBinary;
Set Features, Cov;
Set FilesWithDFT;
Vector Files;
Random *Rand;
std::chrono::system_clock::time_point ProcessStartTime;
int Verbosity = 0;
size_t NumTimeouts = 0;
size_t NumOOMs = 0;
size_t NumCrashes = 0;
size_t NumRuns = 0;
std::string StopFile() { return DirPlusFile(TempDir, "STOP"); }
size_t secondsSinceProcessStartUp() const {
return std::chrono::duration_cast(
std::chrono::system_clock::now() - ProcessStartTime)
.count();
}
FuzzJob *CreateNewJob(size_t JobId) {
Command Cmd(Args);
Cmd.removeFlag("fork");
Cmd.removeFlag("runs");
Cmd.removeFlag("collect_data_flow");
for (auto &C : CorpusDirs) // Remove all corpora from the args.
Cmd.removeArgument(C);
Cmd.addFlag("reload", "0"); // working in an isolated dir, no reload.
Cmd.addFlag("print_final_stats", "1");
Cmd.addFlag("print_funcs", "0"); // no need to spend time symbolizing.
Cmd.addFlag("max_total_time", std::to_string(std::min((size_t)300, JobId)));
Cmd.addFlag("stop_file", StopFile());
if (!DataFlowBinary.empty()) {
Cmd.addFlag("data_flow_trace", DFTDir);
if (!Cmd.hasFlag("focus_function"))
Cmd.addFlag("focus_function", "auto");
}
auto Job = new FuzzJob;
std::string Seeds;
if (size_t CorpusSubsetSize =
std::min(Files.size(), (size_t)sqrt(Files.size() + 2))) {
auto Time1 = std::chrono::system_clock::now();
for (size_t i = 0; i < CorpusSubsetSize; i++) {
auto &SF = Files[Rand->SkewTowardsLast(Files.size())];
Seeds += (Seeds.empty() ? "" : ",") + SF;
CollectDFT(SF);
}
auto Time2 = std::chrono::system_clock::now();
Job->DftTimeInSeconds = duration_cast(Time2 - Time1).count();
}
if (!Seeds.empty()) {
Job->SeedListPath =
DirPlusFile(TempDir, std::to_string(JobId) + ".seeds");
WriteToFile(Seeds, Job->SeedListPath);
Cmd.addFlag("seed_inputs", "@" + Job->SeedListPath);
}
Job->LogPath = DirPlusFile(TempDir, std::to_string(JobId) + ".log");
Job->CorpusDir = DirPlusFile(TempDir, "C" + std::to_string(JobId));
Job->FeaturesDir = DirPlusFile(TempDir, "F" + std::to_string(JobId));
Job->CFPath = DirPlusFile(TempDir, std::to_string(JobId) + ".merge");
Job->JobId = JobId;
Cmd.addArgument(Job->CorpusDir);
Cmd.addFlag("features_dir", Job->FeaturesDir);
for (auto &D : {Job->CorpusDir, Job->FeaturesDir}) {
RmDirRecursive(D);
MkDir(D);
}
Cmd.setOutputFile(Job->LogPath);
Cmd.combineOutAndErr();
Job->Cmd = Cmd;
if (Verbosity >= 2)
Printf("Job %zd/%p Created: %s\n", JobId, Job,
Job->Cmd.toString().c_str());
// Start from very short runs and gradually increase them.
return Job;
}
void RunOneMergeJob(FuzzJob *Job) {
auto Stats = ParseFinalStatsFromLog(Job->LogPath);
NumRuns += Stats.number_of_executed_units;
Vector TempFiles, MergeCandidates;
// Read all newly created inputs and their feature sets.
// Choose only those inputs that have new features.
GetSizedFilesFromDir(Job->CorpusDir, &TempFiles);
std::sort(TempFiles.begin(), TempFiles.end());
for (auto &F : TempFiles) {
auto FeatureFile = F.File;
FeatureFile.replace(0, Job->CorpusDir.size(), Job->FeaturesDir);
auto FeatureBytes = FileToVector(FeatureFile, 0, false);
assert((FeatureBytes.size() % sizeof(uint32_t)) == 0);
Vector NewFeatures(FeatureBytes.size() / sizeof(uint32_t));
memcpy(NewFeatures.data(), FeatureBytes.data(), FeatureBytes.size());
for (auto Ft : NewFeatures) {
if (!Features.count(Ft)) {
MergeCandidates.push_back(F);
break;
}
}
}
// if (!FilesToAdd.empty() || Job->ExitCode != 0)
Printf("#%zd: cov: %zd ft: %zd corp: %zd exec/s %zd "
"oom/timeout/crash: %zd/%zd/%zd time: %zds job: %zd dft_time: %d\n",
NumRuns, Cov.size(), Features.size(), Files.size(),
Stats.average_exec_per_sec, NumOOMs, NumTimeouts, NumCrashes,
secondsSinceProcessStartUp(), Job->JobId, Job->DftTimeInSeconds);
if (MergeCandidates.empty()) return;
Vector FilesToAdd;
Set NewFeatures, NewCov;
CrashResistantMerge(Args, {}, MergeCandidates, &FilesToAdd, Features,
&NewFeatures, Cov, &NewCov, Job->CFPath, false);
for (auto &Path : FilesToAdd) {
auto U = FileToVector(Path);
auto NewPath = DirPlusFile(MainCorpusDir, Hash(U));
WriteToFile(U, NewPath);
Files.push_back(NewPath);
}
Features.insert(NewFeatures.begin(), NewFeatures.end());
Cov.insert(NewCov.begin(), NewCov.end());
for (auto Idx : NewCov)
if (auto *TE = TPC.PCTableEntryByIdx(Idx))
if (TPC.PcIsFuncEntry(TE))
PrintPC(" NEW_FUNC: %p %F %L\n", "",
TPC.GetNextInstructionPc(TE->PC));
}
void CollectDFT(const std::string &InputPath) {
if (DataFlowBinary.empty()) return;
if (!FilesWithDFT.insert(InputPath).second) return;
Command Cmd(Args);
Cmd.removeFlag("fork");
Cmd.removeFlag("runs");
Cmd.addFlag("data_flow_trace", DFTDir);
Cmd.addArgument(InputPath);
for (auto &C : CorpusDirs) // Remove all corpora from the args.
Cmd.removeArgument(C);
Cmd.setOutputFile(DirPlusFile(TempDir, "dft.log"));
Cmd.combineOutAndErr();
// Printf("CollectDFT: %s\n", Cmd.toString().c_str());
ExecuteCommand(Cmd);
}
};
struct JobQueue {
std::queue Qu;
std::mutex Mu;
std::condition_variable Cv;
void Push(FuzzJob *Job) {
{
std::lock_guard Lock(Mu);
Qu.push(Job);
}
Cv.notify_one();
}
FuzzJob *Pop() {
std::unique_lock Lk(Mu);
// std::lock_guard Lock(Mu);
Cv.wait(Lk, [&]{return !Qu.empty();});
assert(!Qu.empty());
auto Job = Qu.front();
Qu.pop();
return Job;
}
};
void WorkerThread(JobQueue *FuzzQ, JobQueue *MergeQ) {
while (auto Job = FuzzQ->Pop()) {
// Printf("WorkerThread: job %p\n", Job);
Job->ExitCode = ExecuteCommand(Job->Cmd);
MergeQ->Push(Job);
}
}
// This is just a skeleton of an experimental -fork=1 feature.
void FuzzWithFork(Random &Rand, const FuzzingOptions &Options,
const Vector &Args,
const Vector &CorpusDirs, int NumJobs) {
Printf("INFO: -fork=%d: fuzzing in separate process(s)\n", NumJobs);
GlobalEnv Env;
Env.Args = Args;
Env.CorpusDirs = CorpusDirs;
Env.Rand = &Rand;
Env.Verbosity = Options.Verbosity;
Env.ProcessStartTime = std::chrono::system_clock::now();
Env.DataFlowBinary = Options.CollectDataFlow;
Vector SeedFiles;
for (auto &Dir : CorpusDirs)
GetSizedFilesFromDir(Dir, &SeedFiles);
std::sort(SeedFiles.begin(), SeedFiles.end());
Env.TempDir = TempPath("FuzzWithFork", ".dir");
Env.DFTDir = DirPlusFile(Env.TempDir, "DFT");
RmDirRecursive(Env.TempDir); // in case there is a leftover from old runs.
MkDir(Env.TempDir);
MkDir(Env.DFTDir);
if (CorpusDirs.empty())
MkDir(Env.MainCorpusDir = DirPlusFile(Env.TempDir, "C"));
else
Env.MainCorpusDir = CorpusDirs[0];
auto CFPath = DirPlusFile(Env.TempDir, "merge.txt");
CrashResistantMerge(Env.Args, {}, SeedFiles, &Env.Files, {}, &Env.Features,
{}, &Env.Cov,
CFPath, false);
RemoveFile(CFPath);
Printf("INFO: -fork=%d: %zd seed inputs, starting to fuzz in %s\n", NumJobs,
Env.Files.size(), Env.TempDir.c_str());
int ExitCode = 0;
JobQueue FuzzQ, MergeQ;
auto StopJobs = [&]() {
for (int i = 0; i < NumJobs; i++)
FuzzQ.Push(nullptr);
MergeQ.Push(nullptr);
WriteToFile(Unit({1}), Env.StopFile());
};
size_t JobId = 1;
Vector Threads;
for (int t = 0; t < NumJobs; t++) {
Threads.push_back(std::thread(WorkerThread, &FuzzQ, &MergeQ));
FuzzQ.Push(Env.CreateNewJob(JobId++));
}
while (true) {
std::unique_ptr Job(MergeQ.Pop());
if (!Job)
break;
ExitCode = Job->ExitCode;
if (ExitCode == Options.InterruptExitCode) {
Printf("==%lu== libFuzzer: a child was interrupted; exiting\n", GetPid());
StopJobs();
break;
}
Fuzzer::MaybeExitGracefully();
Env.RunOneMergeJob(Job.get());
// Continue if our crash is one of the ignorred ones.
if (Options.IgnoreTimeouts && ExitCode == Options.TimeoutExitCode)
Env.NumTimeouts++;
else if (Options.IgnoreOOMs && ExitCode == Options.OOMExitCode)
Env.NumOOMs++;
else if (ExitCode != 0) {
Env.NumCrashes++;
if (Options.IgnoreCrashes) {
std::ifstream In(Job->LogPath);
std::string Line;
while (std::getline(In, Line, '\n'))
if (Line.find("ERROR:") != Line.npos ||
Line.find("runtime error:") != Line.npos)
Printf("%s\n", Line.c_str());
} else {
// And exit if we don't ignore this crash.
Printf("INFO: log from the inner process:\n%s",
FileToString(Job->LogPath).c_str());
StopJobs();
break;
}
}
// Stop if we are over the time budget.
// This is not precise, since other threads are still running
// and we will wait while joining them.
// We also don't stop instantly: other jobs need to finish.
if (Options.MaxTotalTimeSec > 0 &&
Env.secondsSinceProcessStartUp() >= (size_t)Options.MaxTotalTimeSec) {
Printf("INFO: fuzzed for %zd seconds, wrapping up soon\n",
Env.secondsSinceProcessStartUp());
StopJobs();
break;
}
if (Env.NumRuns >= Options.MaxNumberOfRuns) {
Printf("INFO: fuzzed for %zd iterations, wrapping up soon\n",
Env.NumRuns);
StopJobs();
break;
}
FuzzQ.Push(Env.CreateNewJob(JobId++));
}
for (auto &T : Threads)
T.join();
// The workers have terminated. Don't try to remove the directory before they
// terminate to avoid a race condition preventing cleanup on Windows.
RmDirRecursive(Env.TempDir);
// Use the exit code from the last child process.
Printf("INFO: exiting: %d time: %zds\n", ExitCode,
Env.secondsSinceProcessStartUp());
exit(ExitCode);
}
} // namespace fuzzer