def test_multi_armed_bandit_strategy_pool(self):
"""Ensures a call to the multi armed bandit strategy selection function
doesn't yield an exception through any of the experimental paths."""
environment.set_value('STRATEGY_SELECTION_METHOD', 'default')
strategy_selection.generate_weighted_strategy_pool(
strategy_list=strategy.AFL_STRATEGY_LIST,
use_generator=True,
engine_name='afl')
environment.set_value('STRATEGY_SELECTION_METHOD', 'multi_armed_bandit')
strategy_selection.generate_weighted_strategy_pool(
strategy_list=strategy.AFL_STRATEGY_LIST,
use_generator=True,
engine_name='afl')
def test_strategy_pool_low_temperature(self):
"""Tests whether a proper strategy pool is returned by the multi armed
bandit selection implementation with low temperature.
Based on deterministic strategy selection. Mutator plugin is patched to
be included in our strategy pool."""
environment.set_value('STRATEGY_SELECTION_METHOD',
'multi_armed_bandit_low')
strategy_pool = strategy_selection.generate_weighted_strategy_pool(
strategy_list=strategy.LIBFUZZER_STRATEGY_LIST, use_generator=True)
self.assertTrue(
strategy_pool.do_strategy(
strategy.CORPUS_MUTATION_ML_RNN_STRATEGY))
self.assertTrue(
strategy_pool.do_strategy(strategy.RANDOM_MAX_LENGTH_STRATEGY))
self.assertTrue(
strategy_pool.do_strategy(strategy.VALUE_PROFILE_STRATEGY))
self.assertTrue(
strategy_pool.do_strategy(
strategy.RECOMMENDED_DICTIONARY_STRATEGY))
self.assertFalse(
strategy_pool.do_strategy(
strategy.CORPUS_MUTATION_RADAMSA_STRATEGY))
self.assertFalse(
strategy_pool.do_strategy(strategy.CORPUS_SUBSET_STRATEGY))
self.assertFalse(strategy_pool.do_strategy(strategy.FORK_STRATEGY))
self.assertTrue(
strategy_pool.do_strategy(strategy.MUTATOR_PLUGIN_STRATEGY))
def test_weighted_strategy_pool(self):
"""Tests whether a proper strategy pool is returned by the multi armed
bandit selection implementation with medium temperature.
Based on deterministic strategy selection. Mutator plugin is patched to
be included in our strategy pool."""
environment.set_value('STRATEGY_SELECTION_METHOD', 'multi_armed_bandit')
strategy_pool = strategy_selection.generate_weighted_strategy_pool(
strategy_list=strategy.AFL_STRATEGY_LIST,
use_generator=True,
engine_name='afl')
self.assertTrue(
strategy_pool.do_strategy(strategy.CORPUS_MUTATION_ML_RNN_STRATEGY))
self.assertFalse(
strategy_pool.do_strategy(strategy.CORPUS_MUTATION_RADAMSA_STRATEGY))
self.assertTrue(strategy_pool.do_strategy(strategy.CORPUS_SUBSET_STRATEGY))
def prepare(self, corpus_dir, target_path, _):
"""Prepare for a fuzzing session, by generating options. Returns a
FuzzOptions object.
Args:
corpus_dir: The main corpus directory.
target_path: Path to the target.
build_dir: Path to the build directory.
Returns:
A FuzzOptions object.
"""
arguments = fuzzer.get_arguments(target_path)
strategy_pool = strategy_selection.generate_weighted_strategy_pool(
strategy_list=strategy.LIBFUZZER_STRATEGY_LIST,
use_generator=True,
engine_name=self.name)
strategy_info = launcher.pick_strategies(strategy_pool, target_path,
corpus_dir, arguments)
arguments.extend(strategy_info.arguments)
# Check for seed corpus and add it into corpus directory.
engine_common.unpack_seed_corpus_if_needed(target_path, corpus_dir)
# Pick a few testcases from our corpus to use as the initial corpus.
subset_size = engine_common.random_choice(
engine_common.CORPUS_SUBSET_NUM_TESTCASES)
if (not strategy_info.use_dataflow_tracing
and strategy_pool.do_strategy(strategy.CORPUS_SUBSET_STRATEGY)
and shell.get_directory_file_count(corpus_dir) > subset_size):
# Copy |subset_size| testcases into 'subset' directory.
corpus_subset_dir = self._create_temp_corpus_dir('subset')
launcher.copy_from_corpus(corpus_subset_dir, corpus_dir,
subset_size)
strategy_info.fuzzing_strategies.append(
strategy.CORPUS_SUBSET_STRATEGY.name + '_' + str(subset_size))
strategy_info.additional_corpus_dirs.append(corpus_subset_dir)
else:
strategy_info.additional_corpus_dirs.append(corpus_dir)
# Check dict argument to make sure that it's valid.
dict_argument = fuzzer_utils.extract_argument(arguments,
constants.DICT_FLAG,
remove=False)
if dict_argument and not os.path.exists(dict_argument):
logs.log_error('Invalid dict %s for %s.' %
(dict_argument, target_path))
fuzzer_utils.extract_argument(arguments, constants.DICT_FLAG)
# If there's no dict argument, check for %target_binary_name%.dict file.
if (not fuzzer_utils.extract_argument(
arguments, constants.DICT_FLAG, remove=False)):
default_dict_path = dictionary_manager.get_default_dictionary_path(
target_path)
if os.path.exists(default_dict_path):
arguments.append(constants.DICT_FLAG + default_dict_path)
return LibFuzzerOptions(corpus_dir, arguments,
strategy_info.fuzzing_strategies,
strategy_info.additional_corpus_dirs,
strategy_info.extra_env,
strategy_info.use_dataflow_tracing,
strategy_info.is_mutations_run)
def main(argv):
"""Run libFuzzer as specified by argv."""
atexit.register(fuzzer_utils.cleanup)
# Initialize variables.
arguments = argv[1:]
testcase_file_path = arguments.pop(0)
target_name = environment.get_value('FUZZ_TARGET')
if arguments and arguments[0] == target_name:
# Pop legacy fuzz target argument.
arguments.pop(0)
fuzzer_name = data_types.fuzz_target_project_qualified_name(
utils.current_project(), target_name)
# Initialize log handler.
logs.configure(
'run_fuzzer', {
'fuzzer': fuzzer_name,
'engine': 'libFuzzer',
'job_name': environment.get_value('JOB_NAME')
})
profiler.start_if_needed('libfuzzer_launcher')
# Make sure that the fuzzer binary exists.
build_directory = environment.get_value('BUILD_DIR')
fuzzer_path = engine_common.find_fuzzer_path(build_directory, target_name)
if not fuzzer_path:
return
# Install signal handler.
signal.signal(signal.SIGTERM, engine_common.signal_term_handler)
# Set up temp dir.
engine_common.recreate_directory(fuzzer_utils.get_temp_dir())
# Setup minijail if needed.
use_minijail = environment.get_value('USE_MINIJAIL')
runner = libfuzzer.get_runner(
fuzzer_path, temp_dir=fuzzer_utils.get_temp_dir())
if use_minijail:
minijail_chroot = runner.chroot
else:
minijail_chroot = None
# Get corpus directory.
corpus_directory = environment.get_value('FUZZ_CORPUS_DIR')
# Add common arguments which are necessary to be used for every run.
arguments = expand_with_common_arguments(arguments)
# Add sanitizer options to environment that were specified in the .options
# file and options that this script requires.
set_sanitizer_options(fuzzer_path)
# If we don't have a corpus, then that means this is not a fuzzing run.
if not corpus_directory:
load_testcase_if_exists(runner, testcase_file_path, fuzzer_name,
use_minijail, arguments)
return
# We don't have a crash testcase, fuzz.
# Check dict argument to make sure that it's valid.
dict_argument = fuzzer_utils.extract_argument(
arguments, constants.DICT_FLAG, remove=False)
if dict_argument and not os.path.exists(dict_argument):
logs.log_error('Invalid dict %s for %s.' % (dict_argument, fuzzer_name))
fuzzer_utils.extract_argument(arguments, constants.DICT_FLAG)
# If there's no dict argument, check for %target_binary_name%.dict file.
if (not fuzzer_utils.extract_argument(
arguments, constants.DICT_FLAG, remove=False)):
default_dict_path = dictionary_manager.get_default_dictionary_path(
fuzzer_path)
if os.path.exists(default_dict_path):
arguments.append(constants.DICT_FLAG + default_dict_path)
# Set up scratch directory for writing new units.
new_testcases_directory = create_corpus_directory('new')
# Strategy pool is the list of strategies that we attempt to enable, whereas
# fuzzing strategies is the list of strategies that are enabled. (e.g. if
# mutator is selected in the pool, but not available for a given target, it
# would not be added to fuzzing strategies.)
strategy_pool = strategy_selection.generate_weighted_strategy_pool(
strategy_list=strategy.LIBFUZZER_STRATEGY_LIST,
use_generator=True,
engine_name='libFuzzer')
strategy_info = pick_strategies(
strategy_pool,
fuzzer_path,
corpus_directory,
arguments,
minijail_chroot=minijail_chroot)
arguments.extend(strategy_info.arguments)
# Timeout for fuzzer run.
fuzz_timeout = get_fuzz_timeout(strategy_info.is_mutations_run)
# Get list of corpus directories.
# TODO(flowerhack): Implement this to handle corpus sync'ing.
if environment.platform() == 'FUCHSIA':
corpus_directories = []
else:
corpus_directories = get_corpus_directories(
corpus_directory,
new_testcases_directory,
fuzzer_path,
strategy_info.fuzzing_strategies,
strategy_pool,
minijail_chroot=minijail_chroot,
allow_corpus_subset=not strategy_info.use_dataflow_tracing)
corpus_directories.extend(strategy_info.additional_corpus_dirs)
artifact_prefix = os.path.abspath(os.path.dirname(testcase_file_path))
# Execute the fuzzer binary with original arguments.
fuzz_result = runner.fuzz(
corpus_directories,
fuzz_timeout=fuzz_timeout,
artifact_prefix=artifact_prefix,
additional_args=arguments,
extra_env=strategy_info.extra_env)
if (not use_minijail and
fuzz_result.return_code == constants.LIBFUZZER_ERROR_EXITCODE):
# Minijail returns 1 if the exit code is nonzero.
# Otherwise: we can assume that a return code of 1 means that libFuzzer
# itself ran into an error.
logs.log_error(ENGINE_ERROR_MESSAGE, engine_output=fuzz_result.output)
log_lines = fuzz_result.output.splitlines()
# Output can be large, so save some memory by removing reference to the
# original output which is no longer needed.
fuzz_result.output = None
# Check if we crashed, and get the crash testcase path.
crash_testcase_file_path = runner.get_testcase_path(log_lines)
if crash_testcase_file_path:
# Copy crash testcase contents into the main testcase path.
shutil.move(crash_testcase_file_path, testcase_file_path)
# Print the command output.
bot_name = environment.get_value('BOT_NAME', '')
command = fuzz_result.command
if use_minijail:
# Remove minijail prefix.
command = engine_common.strip_minijail_command(command, fuzzer_path)
print(engine_common.get_log_header(command, bot_name,
fuzz_result.time_executed))
# Parse stats information based on libFuzzer output.
parsed_stats = parse_log_stats(log_lines)
# Extend parsed stats by additional performance features.
parsed_stats.update(
stats.parse_performance_features(
log_lines, strategy_info.fuzzing_strategies, arguments))
# Set some initial stat overrides.
timeout_limit = fuzzer_utils.extract_argument(
arguments, constants.TIMEOUT_FLAG, remove=False)
expected_duration = runner.get_max_total_time(fuzz_timeout)
actual_duration = int(fuzz_result.time_executed)
fuzzing_time_percent = 100 * actual_duration / float(expected_duration)
stat_overrides = {
'timeout_limit': int(timeout_limit),
'expected_duration': expected_duration,
'actual_duration': actual_duration,
'fuzzing_time_percent': fuzzing_time_percent,
}
# Remove fuzzing arguments before merge and dictionary analysis step.
remove_fuzzing_arguments(arguments)
# Make a decision on whether merge step is needed at all. If there are no
# new units added by libFuzzer run, then no need to do merge at all.
new_units_added = shell.get_directory_file_count(new_testcases_directory)
merge_error = None
if new_units_added:
# Merge the new units with the initial corpus.
if corpus_directory not in corpus_directories:
corpus_directories.append(corpus_directory)
# If this times out, it's possible that we will miss some units. However, if
# we're taking >10 minutes to load/merge the corpus something is going very
# wrong and we probably don't want to make things worse by adding units
# anyway.
merge_tmp_dir = None
if not use_minijail:
merge_tmp_dir = os.path.join(fuzzer_utils.get_temp_dir(), 'merge_workdir')
engine_common.recreate_directory(merge_tmp_dir)
old_corpus_len = shell.get_directory_file_count(corpus_directory)
merge_directory = create_merge_directory()
corpus_directories.insert(0, merge_directory)
if use_minijail:
bind_corpus_dirs(minijail_chroot, [merge_directory])
merge_result = runner.merge(
corpus_directories,
merge_timeout=engine_common.get_merge_timeout(DEFAULT_MERGE_TIMEOUT),
tmp_dir=merge_tmp_dir,
additional_args=arguments)
move_mergeable_units(merge_directory, corpus_directory)
new_corpus_len = shell.get_directory_file_count(corpus_directory)
new_units_added = 0
merge_error = None
if merge_result.timed_out:
merge_error = 'Merging new testcases timed out:'
elif merge_result.return_code != 0:
merge_error = 'Merging new testcases failed:'
else:
new_units_added = new_corpus_len - old_corpus_len
stat_overrides['new_units_added'] = new_units_added
if merge_result.output:
stat_overrides.update(
stats.parse_stats_from_merge_log(merge_result.output.splitlines()))
else:
stat_overrides['new_units_added'] = 0
logs.log('Skipped corpus merge since no new units added by fuzzing.')
# Get corpus size after merge. This removes the duplicate units that were
# created during this fuzzing session.
# TODO(flowerhack): Remove this workaround once we can handle corpus sync.
if environment.platform() != 'FUCHSIA':
stat_overrides['corpus_size'] = shell.get_directory_file_count(
corpus_directory)
# Delete all corpus directories except for the main one. These were temporary
# directories to store new testcase mutations and have already been merged to
# main corpus directory.
if corpus_directory in corpus_directories:
corpus_directories.remove(corpus_directory)
for directory in corpus_directories:
shutil.rmtree(directory, ignore_errors=True)
if use_minijail:
unbind_corpus_dirs(minijail_chroot, corpus_directories)
# Apply overridden stats to the parsed stats prior to dumping.
parsed_stats.update(stat_overrides)
# Dump stats data for further uploading to BigQuery.
engine_common.dump_big_query_data(parsed_stats, testcase_file_path, command)
# Add custom crash state based on fuzzer name (if needed).
add_custom_crash_state_if_needed(fuzzer_name, log_lines, parsed_stats)
for line in log_lines:
print(line)
# Add fuzzing strategies used.
print(engine_common.format_fuzzing_strategies(
strategy_info.fuzzing_strategies))
# Add merge error (if any).
if merge_error:
print(data_types.CRASH_STACKTRACE_END_MARKER)
print(merge_error)
print('Command:',
get_printable_command(merge_result.command, fuzzer_path,
use_minijail))
print(merge_result.output)
analyze_and_update_recommended_dictionary(runner, fuzzer_name, log_lines,
corpus_directory, arguments)
# Close minijail chroot.
if use_minijail:
minijail_chroot.close()
# Record the stats to make them easily searchable in stackdriver.
if new_units_added:
logs.log(
'New units added to corpus: %d.' % new_units_added, stats=parsed_stats)
else:
logs.log('No new units found.', stats=parsed_stats)
