1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
//===- FuzzerMain.cpp - main() function and flags -------------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
// main() and flags.
//===----------------------------------------------------------------------===//
#include "FuzzerInternal.h"
#include <climits>
#include <cstring>
#include <unistd.h>
#include <iostream>
// ASAN options:
// * don't dump the coverage to disk.
// * enable coverage by default.
extern "C" const char *__asan_default_options() {
return "coverage_pcs=0:coverage=1";
}
// Program arguments.
struct FlagDescription {
const char *Name;
const char *Description;
int Default;
int *Flag;
};
struct {
#define FUZZER_FLAG(Type, Name, Default, Description) Type Name;
#include "FuzzerFlags.def"
#undef FUZZER_FLAG
} Flags;
static FlagDescription FlagDescriptions [] {
#define FUZZER_FLAG(Type, Name, Default, Description) {#Name, Description, Default, &Flags.Name},
#include "FuzzerFlags.def"
#undef FUZZER_FLAG
};
static const size_t kNumFlags =
sizeof(FlagDescriptions) / sizeof(FlagDescriptions[0]);
static std::vector<std::string> inputs;
static const char *ProgName;
static void PrintHelp() {
std::cerr << "Usage: " << ProgName
<< " [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]\n";
std::cerr << "\nFlags: (strictly in form -flag=value)\n";
size_t MaxFlagLen = 0;
for (size_t F = 0; F < kNumFlags; F++)
MaxFlagLen = std::max(strlen(FlagDescriptions[F].Name), MaxFlagLen);
for (size_t F = 0; F < kNumFlags; F++) {
const auto &D = FlagDescriptions[F];
std::cerr << " " << D.Name;
for (size_t i = 0, n = MaxFlagLen - strlen(D.Name); i < n; i++)
std::cerr << " ";
std::cerr << "\t";
std::cerr << D.Default << "\t" << D.Description << "\n";
}
}
static const char *FlagValue(const char *Param, const char *Name) {
size_t Len = strlen(Name);
if (Param[0] == '-' && strstr(Param + 1, Name) == Param + 1 &&
Param[Len + 1] == '=')
return &Param[Len + 2];
return nullptr;
}
static bool ParseOneFlag(const char *Param) {
if (Param[0] != '-') return false;
for (size_t F = 0; F < kNumFlags; F++) {
const char *Name = FlagDescriptions[F].Name;
const char *Str = FlagValue(Param, Name);
if (Str) {
int Val = std::stol(Str);
*FlagDescriptions[F].Flag = Val;
if (Flags.verbosity >= 2)
std::cerr << "Flag: " << Name << " " << Val << "\n";
return true;
}
}
PrintHelp();
exit(1);
}
// We don't use any library to minimize dependencies.
static void ParseFlags(int argc, char **argv) {
for (size_t F = 0; F < kNumFlags; F++)
*FlagDescriptions[F].Flag = FlagDescriptions[F].Default;
for (int A = 1; A < argc; A++) {
if (ParseOneFlag(argv[A])) continue;
inputs.push_back(argv[A]);
}
}
int main(int argc, char **argv) {
using namespace fuzzer;
ProgName = argv[0];
ParseFlags(argc, argv);
if (Flags.help) {
PrintHelp();
return 0;
}
Fuzzer::FuzzingOptions Options;
Options.Verbosity = Flags.verbosity;
Options.MaxLen = Flags.max_len;
Options.DoCrossOver = Flags.cross_over;
Options.MutateDepth = Flags.mutate_depth;
Options.ExitOnFirst = Flags.exit_on_first;
if (!inputs.empty())
Options.OutputCorpus = inputs[0];
Fuzzer F(Options);
unsigned seed = Flags.seed;
// Initialize seed.
if (seed == 0)
seed = time(0) * 10000 + getpid();
if (Flags.verbosity)
std::cerr << "Seed: " << seed << "\n";
srand(seed);
// Timer
if (Flags.timeout > 0)
SetTimer(Flags.timeout);
for (auto &inp : inputs)
F.ReadDir(inp);
if (F.CorpusSize() == 0)
F.AddToCorpus(Unit()); // Can't fuzz empty corpus, so add an empty input.
F.ShuffleAndMinimize();
if (Flags.save_minimized_corpus)
F.SaveCorpus();
F.Loop(Flags.iterations < 0 ? INT_MAX : Flags.iterations);
if (Flags.verbosity)
std::cerr << "Done\n";
return 1;
}
|
