def fuzz(self,
target_path,
options,
unused_reproducers_dir=None,
max_time=0) -> engine.FuzzResult:
"""Run a fuzz session.
Args:
target_path: Path to the target.
options: The FuzzOptions object returned by prepare().
reproducers_dir: The directory to put reproducers in when crashes
are found.
max_time: Maximum allowed time for the fuzzing to run.
Returns:
A FuzzResult object.
"""
profiler.start_if_needed('syzkaller_kasan')
syzkaller_runner = runner.get_runner(target_path)
# Directory to place new units.
self._create_temp_corpus_dir('new')
args = options.arguments
self.init_corpus(options.corpus_dir, runner.get_work_dir())
fuzz_result = syzkaller_runner.fuzz(max_time, additional_args=args)
self.save_corpus(runner.get_work_dir(), options.corpus_dir)
return fuzz_result
def test_profiler(self):
"""Test profiler."""
profiler.start_if_needed('python_profiler_unit_test_service')
# A dummy code to spend a few moments on.
counter = 12345
for _ in range(5):
time.sleep(0.01)
counter *= counter
self.assertLess(
0, len(self.mock._collect_and_upload_profile.call_args_list)) # pylint: disable=protected-access
self.assertEqual(
(self.fake_profile, ),
self.mock._collect_and_upload_profile.call_args[0][1:]) # pylint: disable=protected-access
def fuzz(self, target_path, options, reproducers_dir, max_time):
"""Run a fuzz session.
Args:
target_path: Path to the target.
options: The FuzzOptions object returned by prepare().
reproducers_dir: The directory to put reproducers in when crashes
are found.
max_time: Maximum allowed time for the fuzzing to run.
Returns:
A FuzzResult object.
"""
profiler.start_if_needed('libfuzzer_fuzz')
runner = libfuzzer.get_runner(target_path)
libfuzzer.set_sanitizer_options(target_path, fuzz_options=options)
# Directory to place new units.
if options.merge_back_new_testcases:
new_corpus_dir = self._create_temp_corpus_dir('new')
corpus_directories = [new_corpus_dir] + options.fuzz_corpus_dirs
else:
corpus_directories = options.fuzz_corpus_dirs
fuzz_result = runner.fuzz(corpus_directories,
fuzz_timeout=max_time,
additional_args=options.arguments,
artifact_prefix=reproducers_dir,
extra_env=options.extra_env)
project_qualified_fuzzer_name = (
engine_common.get_project_qualified_fuzzer_name(target_path))
dict_error_match = DICT_PARSING_FAILED_REGEX.search(fuzz_result.output)
if dict_error_match:
logs.log_error(
'Dictionary parsing failed '
f'(target={project_qualified_fuzzer_name}, '
f'line={dict_error_match.group(1)}).',
engine_output=fuzz_result.output)
elif (not environment.get_value('USE_MINIJAIL') and
fuzz_result.return_code == constants.LIBFUZZER_ERROR_EXITCODE):
# Minijail returns 1 if the exit code is nonzero.
# Otherwise: we can assume that a return code of 1 means that libFuzzer
# itself ran into an error.
logs.log_error(ENGINE_ERROR_MESSAGE +
f' (target={project_qualified_fuzzer_name}).',
engine_output=fuzz_result.output)
log_lines = fuzz_result.output.splitlines()
# Output can be large, so save some memory by removing reference to the
# original output which is no longer needed.
fuzz_result.output = None
# Check if we crashed, and get the crash testcase path.
crash_testcase_file_path = runner.get_testcase_path(log_lines)
# If we exited with a non-zero return code with no crash file in output from
# libFuzzer, this is most likely a startup crash. Use an empty testcase to
# to store it as a crash.
if (not crash_testcase_file_path and fuzz_result.return_code
not in constants.NONCRASH_RETURN_CODES):
crash_testcase_file_path = self._create_empty_testcase_file(
reproducers_dir)
# Parse stats information based on libFuzzer output.
parsed_stats = libfuzzer.parse_log_stats(log_lines)
# Extend parsed stats by additional performance features.
parsed_stats.update(
stats.parse_performance_features(log_lines, options.strategies,
options.arguments))
# Set some initial stat overrides.
timeout_limit = fuzzer_utils.extract_argument(options.arguments,
constants.TIMEOUT_FLAG,
remove=False)
actual_duration = int(fuzz_result.time_executed)
fuzzing_time_percent = 100 * actual_duration / float(max_time)
parsed_stats.update({
'timeout_limit': int(timeout_limit),
'expected_duration': int(max_time),
'actual_duration': actual_duration,
'fuzzing_time_percent': fuzzing_time_percent,
})
# Remove fuzzing arguments before merge and dictionary analysis step.
non_fuzz_arguments = options.arguments.copy()
libfuzzer.remove_fuzzing_arguments(non_fuzz_arguments, is_merge=True)
if options.merge_back_new_testcases:
self._merge_new_units(target_path, options.corpus_dir,
new_corpus_dir, options.fuzz_corpus_dirs,
non_fuzz_arguments, parsed_stats)
fuzz_logs = '\n'.join(log_lines)
crashes = []
if crash_testcase_file_path:
reproduce_arguments = options.arguments[:]
libfuzzer.remove_fuzzing_arguments(reproduce_arguments)
# Use higher timeout for reproduction.
libfuzzer.fix_timeout_argument_for_reproduction(
reproduce_arguments)
# Write the new testcase.
# Copy crash testcase contents into the main testcase path.
crashes.append(
engine.Crash(crash_testcase_file_path, fuzz_logs,
reproduce_arguments, actual_duration))
if options.analyze_dictionary:
libfuzzer.analyze_and_update_recommended_dictionary(
runner, project_qualified_fuzzer_name, log_lines,
options.corpus_dir, non_fuzz_arguments)
return engine.FuzzResult(fuzz_logs, fuzz_result.command, crashes,
parsed_stats, fuzz_result.time_executed)
def main():
"""Prepare the configuration options and start requesting tasks."""
logs.configure('run_bot')
root_directory = environment.get_value('ROOT_DIR')
if not root_directory:
print('Please set ROOT_DIR environment variable to the root of the source '
'checkout before running. Exiting.')
print('For an example, check init.bash in the local directory.')
return
dates.initialize_timezone_from_environment()
environment.set_bot_environment()
monitor.initialize()
if not profiler.start_if_needed('python_profiler_bot'):
sys.exit(-1)
fuzzers_init.run()
if environment.is_trusted_host(ensure_connected=False):
from clusterfuzz._internal.bot.untrusted_runner import host
host.init()
if environment.is_untrusted_worker():
# Track revision since we won't go into the task_loop.
update_task.track_revision()
from clusterfuzz._internal.bot.untrusted_runner import \
untrusted as untrusted_worker
untrusted_worker.start_server()
assert False, 'Unreachable code'
while True:
# task_loop should be an infinite loop,
# unless we run into an exception.
error_stacktrace, clean_exit, task_payload = task_loop()
# Print the error trace to the console.
if not clean_exit:
print('Exception occurred while running "%s".' % task_payload)
print('-' * 80)
print(error_stacktrace)
print('-' * 80)
should_terminate = (
clean_exit or errors.error_in_list(error_stacktrace,
errors.BOT_ERROR_TERMINATION_LIST))
if should_terminate:
return
logs.log_error(
'Task exited with exception (payload="%s").' % task_payload,
error_stacktrace=error_stacktrace)
should_hang = errors.error_in_list(error_stacktrace,
errors.BOT_ERROR_HANG_LIST)
if should_hang:
logs.log('Start hanging forever.')
while True:
# Sleep to avoid consuming 100% of CPU.
time.sleep(60)
# See if our run timed out, if yes bail out.
if data_handler.bot_run_timed_out():
return