Introspection #58
Changes from all commits
12b9584
c017d72
23061ef
9469776
542738c
fedb5f8
7423cef
4ad9c10
b9a0c7c
2a96fe3
55703cb
042bfce
2b6b369
8219da3
33df973
b9e75c0
3fb4626
0ac407a
6cc1e96
1fa893e
5d1eb27
f56f340
1e61748
92116b9
@@ -0,0 +1,63 @@ | ||
PWD=`pwd` | ||
FUZZER_NAME="fuzzer_libpng" | ||
|
||
all: | ||
# Build the libpng libfuzzer library | ||
cargo build --release | ||
|
||
# Build the libpng harness | ||
$(PWD)/target/release/libafl_cxx \ | ||
$(PWD)/harness.cc \ | ||
$(PWD)/libpng-1.6.37/.libs/libpng16.a \ | ||
-I$(PWD)/libpng-1.6.37/ \ | ||
-o $(FUZZER_NAME) \ | ||
-lm -lz | ||
|
||
run: all | ||
./$(FUZZER_NAME) & | ||
sleep 0.2 | ||
./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
|
||
short_test: all | ||
timeout 11s ./$(FUZZER_NAME) & | ||
sleep 0.2 | ||
timeout 10s taskset -c 0 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
timeout 10s taskset -c 1 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
timeout 10s taskset -c 2 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
timeout 10s taskset -c 3 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
|
||
test: all | ||
timeout 60s ./$(FUZZER_NAME) & | ||
sleep 0.2 | ||
timeout 59s taskset 0x00000001 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
timeout 59s taskset 0x00000002 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
timeout 59s taskset 0x00000004 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
timeout 59s taskset 0x00000008 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00000010 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00000020 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00000040 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00000080 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00000100 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00000200 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00000400 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00000800 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00001000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00002000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00004000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00008000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00010000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00020000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00040000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00080000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00100000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00200000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00400000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x00800000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x01000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x02000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x04000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x08000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x10000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x20000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x40000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & | ||
# timeout 59s taskset 0x80000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null & |
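Review bot: None of `all`, `run`, `short_test` and `test` is declared `.PHONY`, and because every fuzzer in the `test` and `short_test` recipes is started in the background with `&`, `make test` returns success as soon as the last process is spawned, regardless of how any fuzzer exits, so the target cannot serve as a pass/fail check. The first line `PWD=\`pwd\`` also overrides Make's own `PWD` with a backtick expression that is only evaluated by the shell inside recipes; the built-in `$(CURDIR)` gives the same value at parse time, so `PWD := $(CURDIR)` would do. Suggest adding `.PHONY: all run short_test test` near the top, and joining each test recipe into one shell line (`cmd1 & cmd2 & ... ; wait`) so the recipe's exit status reflects the fuzzers — a `wait` on a separate recipe line would run in a fresh shell and see no jobs. The 28 commented-out `taskset` lines are dead recipe text; a `CORES` variable iterated with a shell `for` loop would express the same intent without them.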
@@ -1,6 +1,6 @@ | ||
[package] | ||
name = "libafl" | ||
version = "0.2.0" | ||
version = "0.2.1" | ||
authors = ["Andrea Fioraldi <[email protected]>", "Dominik Maier <[email protected]>"] | ||
description = "Slot your own fuzzers together and extend their features using Rust" | ||
documentation = "https://docs.rs/libafl" | ||
|
@@ -40,10 +40,11 @@ default = ["std", "anymap_debug", "derive", "llmp_compression"] | |
std = [] # print, sharedmap, ... support | ||
anymap_debug = ["serde_json"] # uses serde_json to Debug the anymap trait. Disable for smaller footprint. | ||
derive = ["libafl_derive"] # provide derive(SerdeAny) macro. | ||
llmp_small_maps = [] # reduces initial map size for llmp | ||
llmp_debug = ["backtrace"] # Enables debug output for LLMP | ||
llmp_compression = [] # llmp compression using GZip | ||
llmp_bind_public = [] # If set, llmp will bind to 0.0.0.0, allowing cross-device communication. Binds to localhost by default. | ||
llmp_compression = [] # llmp compression using GZip | ||
llmp_debug = ["backtrace"] # Enables debug output for LLMP | ||
llmp_small_maps = [] # reduces initial map size for llmp | ||
introspection = [] # Include performance statistics of the fuzzing pipeline | ||
|
||
[[example]] | ||
name = "llmp_test" | ||
|
@@ -60,7 +61,7 @@ erased-serde = "0.3.12" | |
postcard = { version = "0.5.1", features = ["alloc"] } # no_std compatible serde serialization fromat | ||
static_assertions = "1.1.0" | ||
ctor = "0.1.20" | ||
libafl_derive = { version = "0.1.0", optional = true, path = "../libafl_derive" } | ||
libafl_derive = { optional = true, path = "../libafl_derive", version = "0.2.1" } | ||
serde_json = { version = "1.0", optional = true, default-features = false, features = ["alloc"] } # an easy way to debug print SerdeAnyMap | ||
compression = { version = "0.1.5" } | ||
num_enum = "0.5.1" | ||
|
@@ -0,0 +1,31 @@ | ||
//! Architecture agnostic processor features | ||
|
||
#[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] | ||
use crate::utils::current_nanos; | ||
|
||
// TODO: Add more architectures, using C code, see | ||
// https://github.com/google/benchmark/blob/master/src/cycleclock.h | ||
// Or using llvm intrinsics (if they ever should become available in stable rust?) | ||
|
||
/// Read a timestamp for measurements. | ||
/// | ||
/// This function is a wrapper around different ways to get a timestamp, fast | ||
/// In this way, an experiment only has to | ||
/// change this implementation rather than every instead of [`cpu::read_time_counter`] | ||
/// It is using [`rdtsc`] on `x86_64` and `x86`. | ||
#[cfg(any(target_arch = "x86_64", target_arch = "x86"))] | ||
#[must_use] | ||
pub fn read_time_counter() -> u64 { | ||
unsafe { core::arch::x86_64::_rdtsc() } | ||
} | ||
|
||
/// Read a timestamp for measurements. | ||
/// | ||
/// This function is a wrapper around different ways to get a timestamp, fast | ||
/// In this way, an experiment only has to | ||
/// change this implementation rather than every instead of [`cpu::read_time_counter`] | ||
/// On unsupported architectures, it's falling back to normal system time, in millis. | ||
#[cfg(not(any(target_arch = "x86_64", target_arch = "x86")))] | ||
pub fn read_time_counter() -> u64 { | ||
current_nanos() | ||
} |
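Review bot: The first `read_time_counter` cannot compile for the `target_arch = "x86"` half of its cfg gate: the attribute admits 32-bit x86, but the body calls `core::arch::x86_64::_rdtsc()`, and the `x86_64` arch module is not available on a 32-bit x86 target, where the intrinsic is `core::arch::x86::_rdtsc()`; selecting the import per arch keeps a single body, as below. The fallback variant's doc says it returns system time "in millis" while the body calls `current_nanos()`; suggest `/// On unsupported architectures it falls back to the system clock, in nanoseconds.` and giving it the same `#[must_use]` as the x86 variant. Both doc comments also carry the garbled sentence `rather than every instead of [cpu::read_time_counter]`, which presumably should read `so an experiment only has to change this implementation rather than every call site`.
```rust
#[cfg(any(target_arch = "x86_64", target_arch = "x86"))]
#[must_use]
pub fn read_time_counter() -> u64 {
    #[cfg(target_arch = "x86_64")]
    use core::arch::x86_64::_rdtsc;
    #[cfg(target_arch = "x86")]
    use core::arch::x86::_rdtsc;

    // rdtsc takes no operands and only reads the time-stamp counter; it is
    // `unsafe` only because every arch intrinsic in `core::arch` is.
    unsafe { _rdtsc() }
}
```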
@@ -230,7 +230,7 @@ where | |
let client = stats.client_stats_mut_for(sender_id); | ||
client.update_corpus_size(*corpus_size as u64); | ||
client.update_executions(*executions as u64, *time); | ||
stats.display(event.name().to_string() + " #" + &sender_id.to_string()); | ||
// stats.display(event.name().to_string() + " #" + &sender_id.to_string()); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @domenukk porcodio, now we have to release again because this line was commented |
||
Ok(BrokerEventResult::Forward) | ||
} | ||
Event::UpdateStats { | ||
|
@@ -241,7 +241,35 @@ where | |
// TODO: The stats buffer should be added on client add. | ||
let client = stats.client_stats_mut_for(sender_id); | ||
client.update_executions(*executions as u64, *time); | ||
stats.display(event.name().to_string() + " #" + &sender_id.to_string()); | ||
if sender_id == 1 { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why this? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Shouldn't be needed, I agree |
||
stats.display(event.name().to_string() + " #" + &sender_id.to_string()); | ||
} | ||
Ok(BrokerEventResult::Handled) | ||
} | ||
#[cfg(feature = "introspection")] | ||
Event::UpdatePerfStats { | ||
time, | ||
executions, | ||
introspection_stats, | ||
phantom: _, | ||
} => { | ||
// TODO: The stats buffer should be added on client add. | ||
|
||
// Get the client for the sender ID | ||
let client = stats.client_stats_mut_for(sender_id); | ||
|
||
// Update the normal stats for this client | ||
client.update_executions(*executions as u64, *time); | ||
|
||
// Update the performance stats for this client | ||
client.update_introspection_stats(**introspection_stats); | ||
|
||
// Display the stats via `.display` only on core #1 | ||
if sender_id == 1 { | ||
stats.display(event.name().to_string() + " #" + &sender_id.to_string()); | ||
} | ||
|
||
// Correctly handled the event | ||
Ok(BrokerEventResult::Handled) | ||
} | ||
Event::Objective { objective_size } => { | ||
|
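Review bot: The comment `// Display the stats via .display only on core #1` in the new `Event::UpdatePerfStats` arm describes `sender_id` as a core, but the surrounding code uses it as the event sender's client id (`stats.client_stats_mut_for(sender_id)`), so the comment misstates what the condition checks; suggest `// Refresh the display only for events coming from the client with sender_id 1`. The arm also repeats the `// TODO: The stats buffer should be added on client add.` note from the `UpdateStats` arm just above it; one TODO at the point where clients are registered would be easier to track than two copies. The enclosing `match` and its function begin before this hunk.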
Might be worth using https://docs.rs/llvmint/0.0.3/llvmint/fn.readcyclecounter.html, as that will automatically do the right thing for each arch.
Sounds really useful for more obscure platforms!
We should only add the dependency for this feature flag though (and maybe even only for the platforms we can not reach otherwise?)
Oh sure! Didn't know about the LLVM intrinsic. If we're okay with the `llvmint`
dependency then I'm fine with using it.There was a problem hiding this comment.
The original thought was to add those specific instructions similar to Google's benchmark: https://github.com/google/benchmark/blob/master/src/cycleclock.h
I think that would mitigate the external dependency just for one instruction per arch.
But that would require asm... which is not stable.
Let's go with `libc`, if available for this arch, and the `llvmint` dependency otherwise?
Or since it's a feature flag anyway, just llvmint is fine too, if it's too much work otherwise
Just pushed a fix using `llvmint::readcyclecounter`. Looks like the feature needed requires `nightly`. I think you guys are wanting to stay on `stable` as far as I'm aware, which would mean neither this nor the `asm!` fix would work. I guess we could also require `nightly` for the `perf_stats`
feature as well.There was a problem hiding this comment.
Edit from the last comment: I had the wrong `cfg_attr`. I've ripped out only the needed extern from `llvmint`, so we don't need to add that dependency directly to `src/cpu.rs`, and it seems to work fine now.