| 1 | //===- FuzzerDataFlowTrace.h - Internal header for the Fuzzer ---*- C++ -* ===// |
|---|---|
| 2 | // |
| 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
| 4 | // See https://llvm.org/LICENSE.txt for license information. |
| 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
| 6 | // |
| 7 | //===----------------------------------------------------------------------===// |
| 8 | // fuzzer::DataFlowTrace; reads and handles a data-flow trace. |
| 9 | // |
| 10 | // A data flow trace is generated by e.g. dataflow/DataFlow.cpp |
| 11 | // and is stored on disk in a separate directory. |
| 12 | // |
| 13 | // The trace dir contains a file 'functions.txt' which lists function names, |
| 14 | // oner per line, e.g. |
| 15 | // ==> functions.txt <== |
| 16 | // Func2 |
| 17 | // LLVMFuzzerTestOneInput |
| 18 | // Func1 |
| 19 | // |
| 20 | // All other files in the dir are the traces, see dataflow/DataFlow.cpp. |
| 21 | // The name of the file is sha1 of the input used to generate the trace. |
| 22 | // |
| 23 | // Current status: |
| 24 | // the data is parsed and the summary is printed, but the data is not yet |
| 25 | // used in any other way. |
| 26 | //===----------------------------------------------------------------------===// |
| 27 | |
| 28 | #ifndef LLVM_FUZZER_DATA_FLOW_TRACE |
| 29 | #define LLVM_FUZZER_DATA_FLOW_TRACE |
| 30 | |
| 31 | #include "FuzzerDefs.h" |
| 32 | #include "FuzzerIO.h" |
| 33 | |
| 34 | #include <unordered_map> |
| 35 | #include <unordered_set> |
| 36 | #include <vector> |
| 37 | #include <string> |
| 38 | |
| 39 | namespace fuzzer { |
| 40 | |
| 41 | int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath, |
| 42 | const std::vector<SizedFile> &CorporaFiles); |
| 43 | |
| 44 | class BlockCoverage { |
| 45 | public: |
| 46 | // These functions guarantee no CoverageVector is longer than UINT32_MAX. |
| 47 | bool AppendCoverage(std::istream &IN); |
| 48 | bool AppendCoverage(const std::string &S); |
| 49 | |
| 50 | size_t NumCoveredFunctions() const { return Functions.size(); } |
| 51 | |
| 52 | uint32_t GetCounter(size_t FunctionId, size_t BasicBlockId) { |
| 53 | auto It = Functions.find(k: FunctionId); |
| 54 | if (It == Functions.end()) |
| 55 | return 0; |
| 56 | const auto &Counters = It->second; |
| 57 | if (BasicBlockId < Counters.size()) |
| 58 | return Counters[BasicBlockId]; |
| 59 | return 0; |
| 60 | } |
| 61 | |
| 62 | uint32_t GetNumberOfBlocks(size_t FunctionId) { |
| 63 | auto It = Functions.find(k: FunctionId); |
| 64 | if (It == Functions.end()) return 0; |
| 65 | const auto &Counters = It->second; |
| 66 | return static_cast<uint32_t>(Counters.size()); |
| 67 | } |
| 68 | |
| 69 | uint32_t GetNumberOfCoveredBlocks(size_t FunctionId) { |
| 70 | auto It = Functions.find(k: FunctionId); |
| 71 | if (It == Functions.end()) return 0; |
| 72 | const auto &Counters = It->second; |
| 73 | uint32_t Result = 0; |
| 74 | for (auto Cnt: Counters) |
| 75 | if (Cnt) |
| 76 | Result++; |
| 77 | return Result; |
| 78 | } |
| 79 | |
| 80 | std::vector<double> FunctionWeights(size_t NumFunctions) const; |
| 81 | void clear() { Functions.clear(); } |
| 82 | |
| 83 | private: |
| 84 | typedef std::vector<uint32_t> CoverageVector; |
| 85 | |
| 86 | uint32_t NumberOfCoveredBlocks(const CoverageVector &Counters) const { |
| 87 | uint32_t Res = 0; |
| 88 | for (auto Cnt : Counters) |
| 89 | if (Cnt) |
| 90 | Res++; |
| 91 | return Res; |
| 92 | } |
| 93 | |
| 94 | uint32_t NumberOfUncoveredBlocks(const CoverageVector &Counters) const { |
| 95 | return static_cast<uint32_t>(Counters.size()) - |
| 96 | NumberOfCoveredBlocks(Counters); |
| 97 | } |
| 98 | |
| 99 | uint32_t SmallestNonZeroCounter(const CoverageVector &Counters) const { |
| 100 | assert(!Counters.empty()); |
| 101 | uint32_t Res = Counters[0]; |
| 102 | for (auto Cnt : Counters) |
| 103 | if (Cnt) |
| 104 | Res = Min(a: Res, b: Cnt); |
| 105 | assert(Res); |
| 106 | return Res; |
| 107 | } |
| 108 | |
| 109 | // Function ID => vector of counters. |
| 110 | // Each counter represents how many input files trigger the given basic block. |
| 111 | std::unordered_map<size_t, CoverageVector> Functions; |
| 112 | // Functions that have DFT entry. |
| 113 | std::unordered_set<size_t> FunctionsWithDFT; |
| 114 | }; |
| 115 | |
| 116 | class DataFlowTrace { |
| 117 | public: |
| 118 | void ReadCoverage(const std::string &DirPath); |
| 119 | bool Init(const std::string &DirPath, std::string *FocusFunction, |
| 120 | std::vector<SizedFile> &CorporaFiles, Random &Rand); |
| 121 | void Clear() { Traces.clear(); } |
| 122 | const std::vector<uint8_t> *Get(const std::string &InputSha1) const { |
| 123 | auto It = Traces.find(k: InputSha1); |
| 124 | if (It != Traces.end()) |
| 125 | return &It->second; |
| 126 | return nullptr; |
| 127 | } |
| 128 | |
| 129 | private: |
| 130 | // Input's sha1 => DFT for the FocusFunction. |
| 131 | std::unordered_map<std::string, std::vector<uint8_t>> Traces; |
| 132 | BlockCoverage Coverage; |
| 133 | std::unordered_set<std::string> CorporaHashes; |
| 134 | }; |
| 135 | } // namespace fuzzer |
| 136 | |
| 137 | #endif // LLVM_FUZZER_DATA_FLOW_TRACE |
| 138 |
Generated while processing llvm_runtimes/compiler-rt/lib/fuzzer/FuzzerDataFlowTrace.cpp
Generated on 2025-Jul-04 from project llvm_runtimes revision main-0ba59587f
Powered by 
Code Browser 2.1
Generator usage only permitted with license.