Lines Matching full:run

133     /* No need to add files to the new coverage dir, if this is just the dry-run phase */  in fuzz_addFileToFileQ()
143 static void fuzz_setDynamicMainState(run_t* run) { in fuzz_setDynamicMainState() argument
151 if (fuzz_getState(run->global) == _HF_STATE_DYNAMIC_MAIN) { in fuzz_setDynamicMainState()
157 if (ATOMIC_GET(cnt) == run->global->threads.threadsMax) { in fuzz_setDynamicMainState()
167 snprintf(run->origFileName, sizeof(run->origFileName), "[DYNAMIC]"); in fuzz_setDynamicMainState()
168 ATOMIC_SET(run->global->feedback.state, _HF_STATE_DYNAMIC_MAIN); in fuzz_setDynamicMainState()
174 if (run->global->io.dynfileqCnt == 0) { in fuzz_setDynamicMainState()
175 const char* single_byte = run->global->cfg.only_printable ? " " : "\0"; in fuzz_setDynamicMainState()
176 fuzz_addFileToFileQ(run->global, (const uint8_t*)single_byte, 1U); in fuzz_setDynamicMainState()
180 static void fuzz_perfFeedback(run_t* run) { in fuzz_perfFeedback() argument
181 if (run->global->feedback.skipFeedbackOnTimeout && run->tmOutSignaled) { in fuzz_perfFeedback()
187 run->dynamicFileSz, run->linux.hwCnts.cpuInstrCnt, run->global->linux.hwCnts.cpuInstrCnt, in fuzz_perfFeedback()
188 run->linux.hwCnts.cpuBranchCnt, run->global->linux.hwCnts.cpuBranchCnt, in fuzz_perfFeedback()
189 run->linux.hwCnts.newBBCnt, run->global->linux.hwCnts.bbCnt); in fuzz_perfFeedback()
191 MX_SCOPED_LOCK(&run->global->feedback.feedback_mutex); in fuzz_perfFeedback()
196 if (run->global->feedback.bbFd != -1) { in fuzz_perfFeedback()
197 softCntPc = ATOMIC_GET(run->global->feedback.feedbackMap->pidFeedbackPc[run->fuzzNo]); in fuzz_perfFeedback()
198 ATOMIC_CLEAR(run->global->feedback.feedbackMap->pidFeedbackPc[run->fuzzNo]); in fuzz_perfFeedback()
199 softCntEdge = ATOMIC_GET(run->global->feedback.feedbackMap->pidFeedbackEdge[run->fuzzNo]); in fuzz_perfFeedback()
200 ATOMIC_CLEAR(run->global->feedback.feedbackMap->pidFeedbackEdge[run->fuzzNo]); in fuzz_perfFeedback()
201 softCntCmp = ATOMIC_GET(run->global->feedback.feedbackMap->pidFeedbackCmp[run->fuzzNo]); in fuzz_perfFeedback()
202 ATOMIC_CLEAR(run->global->feedback.feedbackMap->pidFeedbackCmp[run->fuzzNo]); in fuzz_perfFeedback()
205 int64_t diff0 = run->global->linux.hwCnts.cpuInstrCnt - run->linux.hwCnts.cpuInstrCnt; in fuzz_perfFeedback()
206 int64_t diff1 = run->global->linux.hwCnts.cpuBranchCnt - run->linux.hwCnts.cpuBranchCnt; in fuzz_perfFeedback()
209 if (run->linux.hwCnts.newBBCnt > 0 || softCntPc > 0 || softCntEdge > 0 || softCntCmp > 0 || in fuzz_perfFeedback()
212 run->global->linux.hwCnts.cpuInstrCnt = run->linux.hwCnts.cpuInstrCnt; in fuzz_perfFeedback()
215 run->global->linux.hwCnts.cpuBranchCnt = run->linux.hwCnts.cpuBranchCnt; in fuzz_perfFeedback()
217 run->global->linux.hwCnts.bbCnt += run->linux.hwCnts.newBBCnt; in fuzz_perfFeedback()
218 run->global->linux.hwCnts.softCntPc += softCntPc; in fuzz_perfFeedback()
219 run->global->linux.hwCnts.softCntEdge += softCntEdge; in fuzz_perfFeedback()
220 run->global->linux.hwCnts.softCntCmp += softCntCmp; in fuzz_perfFeedback()
225 run->dynamicFileSz, run->linux.hwCnts.cpuInstrCnt, run->linux.hwCnts.cpuBranchCnt, in fuzz_perfFeedback()
226 run->linux.hwCnts.newBBCnt, softCntEdge, softCntPc, softCntCmp, in fuzz_perfFeedback()
227 run->global->linux.hwCnts.cpuInstrCnt, run->global->linux.hwCnts.cpuBranchCnt, in fuzz_perfFeedback()
228 run->global->linux.hwCnts.bbCnt, run->global->linux.hwCnts.softCntEdge, in fuzz_perfFeedback()
229 run->global->linux.hwCnts.softCntPc, run->global->linux.hwCnts.softCntCmp); in fuzz_perfFeedback()
231 fuzz_addFileToFileQ(run->global, run->dynamicFile, run->dynamicFileSz); in fuzz_perfFeedback()
233 if (run->global->socketFuzzer.enabled) { in fuzz_perfFeedback()
235 fuzz_notifySocketFuzzerNewCov(run->global); in fuzz_perfFeedback()
241 static bool fuzz_runVerifier(run_t* run) { in fuzz_runVerifier() argument
242 if (!run->crashFileName[0] || !run->backtrace) { in fuzz_runVerifier()
246 uint64_t backtrace = run->backtrace; in fuzz_runVerifier()
249 snprintf(origCrashPath, sizeof(origCrashPath), "%s", run->crashFileName); in fuzz_runVerifier()
260 LOG_I("Launching verifier for HASH: %" PRIx64 " (iteration: %d out of %d)", run->backtrace, in fuzz_runVerifier()
262 run->timeStartedMillis = 0; in fuzz_runVerifier()
263 run->backtrace = 0; in fuzz_runVerifier()
264 run->access = 0; in fuzz_runVerifier()
265 run->exception = 0; in fuzz_runVerifier()
266 run->mainWorker = false; in fuzz_runVerifier()
268 if (!subproc_Run(run)) { in fuzz_runVerifier()
273 if (run->backtrace != backtrace) { in fuzz_runVerifier()
275 run->backtrace); in fuzz_runVerifier()
276 run->backtrace = backtrace; in fuzz_runVerifier()
280 LOG_I("Verifier for HASH: %" PRIx64 " (iteration: %d, left: %d). MATCH!", run->backtrace, in fuzz_runVerifier()
297 if (!files_writeToFd(fd, run->dynamicFile, run->dynamicFileSz)) { in fuzz_runVerifier()
304 ATOMIC_PRE_INC(run->global->cnts.verifiedCrashesCnt); in fuzz_runVerifier()
309 static bool fuzz_fetchInput(run_t* run) { in fuzz_fetchInput() argument
310 if (fuzz_getState(run->global) == _HF_STATE_DYNAMIC_DRY_RUN) { in fuzz_fetchInput()
311 run->mutationsPerRun = 0U; in fuzz_fetchInput()
312 if (input_prepareStaticFile(run, /* rewind= */ false)) { in fuzz_fetchInput()
315 fuzz_setDynamicMainState(run); in fuzz_fetchInput()
316 run->mutationsPerRun = run->global->mutate.mutationsPerRun; in fuzz_fetchInput()
319 if (fuzz_getState(run->global) == _HF_STATE_DYNAMIC_MAIN) { in fuzz_fetchInput()
320 if (run->global->exe.externalCommand) { in fuzz_fetchInput()
321 if (!input_prepareExternalFile(run)) { in fuzz_fetchInput()
325 } else if (!input_prepareDynamicInput(run)) { in fuzz_fetchInput()
331 if (fuzz_getState(run->global) == _HF_STATE_STATIC) { in fuzz_fetchInput()
332 if (run->global->exe.externalCommand) { in fuzz_fetchInput()
333 if (!input_prepareExternalFile(run)) { in fuzz_fetchInput()
337 } else if (!input_prepareStaticFile(run, true /* rewind */)) { in fuzz_fetchInput()
343 if (run->global->exe.postExternalCommand && !input_postProcessFile(run)) { in fuzz_fetchInput()
351 static void fuzz_fuzzLoop(run_t* run) { in fuzz_fuzzLoop() argument
352 run->timeStartedMillis = 0; in fuzz_fuzzLoop()
353 run->crashFileName[0] = '\0'; in fuzz_fuzzLoop()
354 run->pc = 0; in fuzz_fuzzLoop()
355 run->backtrace = 0; in fuzz_fuzzLoop()
356 run->access = 0; in fuzz_fuzzLoop()
357 run->exception = 0; in fuzz_fuzzLoop()
358 run->report[0] = '\0'; in fuzz_fuzzLoop()
359 run->mainWorker = true; in fuzz_fuzzLoop()
360 run->mutationsPerRun = run->global->mutate.mutationsPerRun; in fuzz_fuzzLoop()
361 run->dynamicFileSz = 0; in fuzz_fuzzLoop()
362 run->dynamicFileCopyFd = -1; in fuzz_fuzzLoop()
363 run->tmOutSignaled = false; in fuzz_fuzzLoop()
365 run->linux.hwCnts.cpuInstrCnt = 0; in fuzz_fuzzLoop()
366 run->linux.hwCnts.cpuBranchCnt = 0; in fuzz_fuzzLoop()
367 run->linux.hwCnts.bbCnt = 0; in fuzz_fuzzLoop()
368 run->linux.hwCnts.newBBCnt = 0; in fuzz_fuzzLoop()
370 if (!fuzz_fetchInput(run)) { in fuzz_fuzzLoop()
373 if (!subproc_Run(run)) { in fuzz_fuzzLoop()
374 LOG_F("Couldn't run fuzzed command"); in fuzz_fuzzLoop()
377 if (run->global->feedback.dynFileMethod != _HF_DYNFILE_NONE) { in fuzz_fuzzLoop()
378 fuzz_perfFeedback(run); in fuzz_fuzzLoop()
380 if (run->global->cfg.useVerifier && !fuzz_runVerifier(run)) { in fuzz_fuzzLoop()
383 report_Report(run); in fuzz_fuzzLoop()
386 static void fuzz_fuzzLoopSocket(run_t* run) { in fuzz_fuzzLoopSocket() argument
387 run->pid = 0; in fuzz_fuzzLoopSocket()
388 run->timeStartedMillis = 0; in fuzz_fuzzLoopSocket()
389 run->crashFileName[0] = '\0'; in fuzz_fuzzLoopSocket()
390 run->pc = 0; in fuzz_fuzzLoopSocket()
391 run->backtrace = 0; in fuzz_fuzzLoopSocket()
392 run->access = 0; in fuzz_fuzzLoopSocket()
393 run->exception = 0; in fuzz_fuzzLoopSocket()
394 run->report[0] = '\0'; in fuzz_fuzzLoopSocket()
395 run->mainWorker = true; in fuzz_fuzzLoopSocket()
396 run->mutationsPerRun = run->global->mutate.mutationsPerRun; in fuzz_fuzzLoopSocket()
397 run->dynamicFileSz = 0; in fuzz_fuzzLoopSocket()
398 run->dynamicFileCopyFd = -1; in fuzz_fuzzLoopSocket()
399 run->tmOutSignaled = false; in fuzz_fuzzLoopSocket()
401 run->linux.hwCnts.cpuInstrCnt = 0; in fuzz_fuzzLoopSocket()
402 run->linux.hwCnts.cpuBranchCnt = 0; in fuzz_fuzzLoopSocket()
403 run->linux.hwCnts.bbCnt = 0; in fuzz_fuzzLoopSocket()
404 run->linux.hwCnts.newBBCnt = 0; in fuzz_fuzzLoopSocket()
414 if (!subproc_Run(run)) { in fuzz_fuzzLoopSocket()
415 LOG_W("Couldn't run server"); in fuzz_fuzzLoopSocket()
422 if (!fuzz_waitForExternalInput(run)) { in fuzz_fuzzLoopSocket()
430 if (run->global->feedback.dynFileMethod != _HF_DYNFILE_NONE) { in fuzz_fuzzLoopSocket()
431 fuzz_perfFeedback(run); in fuzz_fuzzLoopSocket()
433 if (run->global->cfg.useVerifier && !fuzz_runVerifier(run)) { in fuzz_fuzzLoopSocket()
437 report_Report(run); in fuzz_fuzzLoopSocket()
445 run_t run = { in fuzz_threadNew() local
459 if (!(run.dynamicFile = files_mapSharedMem(hfuzz->mutate.maxFileSz, &run.dynamicFileFd, in fuzz_threadNew()
460 "hfuzz-input", run.global->io.workDir))) { in fuzz_threadNew()
465 if (run.dynamicFileFd != -1) { in fuzz_threadNew()
466 close(run.dynamicFileFd); in fuzz_threadNew()
470 if (!arch_archThreadInit(&run)) { in fuzz_threadNew()
475 /* Check if dry run mode with verifier enabled */ in fuzz_threadNew()
476 if (run.global->mutate.mutationsPerRun == 0U && run.global->cfg.useVerifier && in fuzz_threadNew()
478 if (ATOMIC_POST_INC(run.global->cnts.mutationsCnt) >= run.global->io.fileCnt) { in fuzz_threadNew()
483 else if ((ATOMIC_POST_INC(run.global->cnts.mutationsCnt) >= in fuzz_threadNew()
484 run.global->mutate.mutationsMax) && in fuzz_threadNew()
485 run.global->mutate.mutationsMax) { in fuzz_threadNew()
489 input_setSize(&run, run.global->mutate.maxFileSz); in fuzz_threadNew()
491 fuzz_fuzzLoopSocket(&run); in fuzz_threadNew()
493 fuzz_fuzzLoop(&run); in fuzz_threadNew()
500 if (run.global->cfg.exitUponCrash && ATOMIC_GET(run.global->cnts.crashesCnt) > 0) { in fuzz_threadNew()
507 if (run.pid) { in fuzz_threadNew()
508 kill(run.pid, SIGKILL); in fuzz_threadNew()
512 hfuzz->threads.threadsMax - ATOMIC_GET(run.global->threads.threadsFinished)); in fuzz_threadNew()
513 ATOMIC_POST_INC(run.global->threads.threadsFinished); in fuzz_threadNew()
526 /* Don't do dry run with socketFuzzer */ in fuzz_threadsStart()
530 LOG_I("Entering phase 1/2: Dry Run"); in fuzz_threadsStart()
539 PLOG_F("Couldn't run a thread #%zu", i); in fuzz_threadsStart()