honggfuzz  2.2
About: honggfuzz is a security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with powerful analysis options.

instrument.c File Reference
#include "instrument.h"
#include <ctype.h>
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include "honggfuzz.h"
#include "libhfcommon/common.h"
#include "libhfcommon/files.h"
#include "libhfcommon/log.h"
#include "libhfcommon/util.h"

Macros

#define HF_REQUIRE_SSE42_POPCNT
 

Functions

static int _memcmp (const void *m1, const void *m2, size_t n)
 
static void * getsym (const char *sym)
 
static void initializeLibcFunctions (void)
 
static void * initialzeTryMapHugeTLB (int fd, size_t sz)
 
static void initializeCmpFeedback (void)
 
static bool initializeLocalCovFeedback (void)
 
static bool initializeGlobalCovFeedback (void)
 
static void initializeInstrument (void)
 
void hfuzzInstrumentInit (void)
 
size_t instrumentReserveGuard (size_t cnt)
 
void instrumentResetLocalCovFeedback (void)
 
static bool instrumentLimitEvery (uint64_t step)
 
static void instrumentAddConstMemInternal (const void *mem, size_t len)
 
void __cyg_profile_func_enter (void *func, void *caller)
 
void __cyg_profile_func_exit (void *func, void *caller)
 
static void hfuzz_trace_pc_internal (uintptr_t pc)
 
void __sanitizer_cov_trace_pc (void)
 
void hfuzz_trace_pc (uintptr_t pc)
 
static void hfuzz_trace_cmp1_internal (uintptr_t pc, uint8_t Arg1, uint8_t Arg2)
 
static void hfuzz_trace_cmp2_internal (uintptr_t pc, uint16_t Arg1, uint16_t Arg2)
 
static void hfuzz_trace_cmp4_internal (uintptr_t pc, uint32_t Arg1, uint32_t Arg2)
 
static void hfuzz_trace_cmp8_internal (uintptr_t pc, uint64_t Arg1, uint64_t Arg2)
 
void __sanitizer_cov_trace_cmp1 (uint8_t Arg1, uint8_t Arg2)
 
void __sanitizer_cov_trace_cmp2 (uint16_t Arg1, uint16_t Arg2)
 
void __sanitizer_cov_trace_cmp4 (uint32_t Arg1, uint32_t Arg2)
 
void __sanitizer_cov_trace_cmp8 (uint64_t Arg1, uint64_t Arg2)
 
void __sanitizer_cov_trace_const_cmp1 (uint8_t Arg1, uint8_t Arg2)
 
void __sanitizer_cov_trace_const_cmp2 (uint16_t Arg1, uint16_t Arg2)
 
void __sanitizer_cov_trace_const_cmp4 (uint32_t Arg1, uint32_t Arg2)
 
void __sanitizer_cov_trace_const_cmp8 (uint64_t Arg1, uint64_t Arg2)
 
void hfuzz_trace_cmp1 (uintptr_t pc, uint8_t Arg1, uint8_t Arg2)
 
void hfuzz_trace_cmp2 (uintptr_t pc, uint16_t Arg1, uint16_t Arg2)
 
void hfuzz_trace_cmp4 (uintptr_t pc, uint32_t Arg1, uint32_t Arg2)
 
void hfuzz_trace_cmp8 (uintptr_t pc, uint64_t Arg1, uint64_t Arg2)
 
void __sanitizer_cov_trace_cmp (uint64_t SizeAndType, uint64_t Arg1, uint64_t Arg2)
 
void __sanitizer_cov_trace_switch (uint64_t Val, uint64_t *Cases)
 
void __sanitizer_cov_trace_cmpf (float Arg1, float Arg2)
 
void __sanitizer_cov_trace_cmpd (double Arg1, double Arg2)
 
void __sanitizer_cov_trace_div8 (uint64_t Val)
 
void __sanitizer_cov_trace_div4 (uint32_t Val)
 
void __sanitizer_cov_trace_pc_indir (uintptr_t callee)
 
void __sanitizer_cov_indir_call16 (void *callee, void *callee_cache16[])
 
void __sanitizer_cov_trace_pc_guard_init (uint32_t *start, uint32_t *stop)
 
void __sanitizer_cov_trace_pc_guard (uint32_t *guard_ptr)
 
void instrument8BitCountersCount (void)
 
void __sanitizer_cov_8bit_counters_init (char *start, char *end)
 
void __sanitizer_cov_pcs_init (const uintptr_t *pcs_beg, const uintptr_t *pcs_end)
 
unsigned instrumentThreadNo (void)
 
bool instrumentUpdateCmpMap (uintptr_t addr, uint32_t v)
 
void instrumentClearNewCov ()
 
void instrumentAddConstMem (const void *mem, size_t len, bool check_if_ro)
 
void instrumentAddConstStr (const char *s)
 
void instrumentAddConstStrN (const char *s, size_t n)
 
bool instrumentConstAvail (void)
 

Variables

const char *const LIBHFUZZ_module_instrument = "LIBHFUZZ_module_instrument"
 
static feedback_t bbMapFb
 
feedback_t * globalCovFeedback = &bbMapFb
 
feedback_t * localCovFeedback = &bbMapFb
 
cmpfeedback_t * globalCmpFeedback = NULL
 
uint32_t my_thread_no = 0
 
int(* libc_memcmp )(const void *s1, const void *s2, size_t n) = _memcmp
 
static __thread pthread_once_t localInitOnce = PTHREAD_ONCE_INIT
 
static bool guards_initialized = false
 
static uint8_t const instrumentCntMap [256]
 
struct {
   uint8_t *   start
 
   size_t   cnt
 
   size_t   guard
 
} hf8bitcounters [256] = {}
 
__thread uintptr_t __sancov_lowest_stack = 0
 

Macro Definition Documentation

◆ HF_REQUIRE_SSE42_POPCNT

#define HF_REQUIRE_SSE42_POPCNT

Definition at line 41 of file instrument.c.

Function Documentation

◆ __cyg_profile_func_enter()

void __cyg_profile_func_enter ( void *  func,
void *  caller 
)

◆ __cyg_profile_func_exit()

void __cyg_profile_func_exit ( void *  func,
void *  caller 
)

Definition at line 298 of file instrument.c.

◆ __sanitizer_cov_8bit_counters_init()

void __sanitizer_cov_8bit_counters_init ( char *  start,
char *  end 
)

◆ __sanitizer_cov_indir_call16()

void __sanitizer_cov_indir_call16 ( void *  callee,
void *  callee_cache16[] 
)

◆ __sanitizer_cov_pcs_init()

void __sanitizer_cov_pcs_init ( const uintptr_t *  pcs_beg,
const uintptr_t *  pcs_end 
)

Definition at line 762 of file instrument.c.

◆ __sanitizer_cov_trace_cmp()

void __sanitizer_cov_trace_cmp ( uint64_t  SizeAndType,
uint64_t  Arg1,
uint64_t  Arg2 
)

◆ __sanitizer_cov_trace_cmp1()

void __sanitizer_cov_trace_cmp1 ( uint8_t  Arg1,
uint8_t  Arg2 
)

Definition at line 376 of file instrument.c.

References hfuzz_trace_cmp1_internal().

◆ __sanitizer_cov_trace_cmp2()

void __sanitizer_cov_trace_cmp2 ( uint16_t  Arg1,
uint16_t  Arg2 
)

Definition at line 380 of file instrument.c.

References hfuzz_trace_cmp2_internal().

◆ __sanitizer_cov_trace_cmp4()

void __sanitizer_cov_trace_cmp4 ( uint32_t  Arg1,
uint32_t  Arg2 
)

◆ __sanitizer_cov_trace_cmp8()

void __sanitizer_cov_trace_cmp8 ( uint64_t  Arg1,
uint64_t  Arg2 
)

◆ __sanitizer_cov_trace_cmpd()

void __sanitizer_cov_trace_cmpd ( double  Arg1,
double  Arg2 
)

Definition at line 524 of file instrument.c.

◆ __sanitizer_cov_trace_cmpf()

void __sanitizer_cov_trace_cmpf ( float  Arg1,
float  Arg2 
)

Definition at line 521 of file instrument.c.

◆ __sanitizer_cov_trace_const_cmp1()

void __sanitizer_cov_trace_const_cmp1 ( uint8_t  Arg1,
uint8_t  Arg2 
)

Definition at line 429 of file instrument.c.

References hfuzz_trace_cmp1_internal(), and instrumentAddConstMem().

◆ __sanitizer_cov_trace_const_cmp2()

void __sanitizer_cov_trace_const_cmp2 ( uint16_t  Arg1,
uint16_t  Arg2 
)

Definition at line 434 of file instrument.c.

References hfuzz_trace_cmp2_internal(), and instrumentAddConstMem().

◆ __sanitizer_cov_trace_const_cmp4()

void __sanitizer_cov_trace_const_cmp4 ( uint32_t  Arg1,
uint32_t  Arg2 
)

Definition at line 443 of file instrument.c.

References hfuzz_trace_cmp4_internal(), and instrumentAddConstMem().

◆ __sanitizer_cov_trace_const_cmp8()

void __sanitizer_cov_trace_const_cmp8 ( uint64_t  Arg1,
uint64_t  Arg2 
)

Definition at line 452 of file instrument.c.

References hfuzz_trace_cmp8_internal(), and instrumentAddConstMem().

◆ __sanitizer_cov_trace_div4()

void __sanitizer_cov_trace_div4 ( uint32_t  Val)

◆ __sanitizer_cov_trace_div8()

void __sanitizer_cov_trace_div8 ( uint64_t  Val)

◆ __sanitizer_cov_trace_pc()

void __sanitizer_cov_trace_pc ( void  )

Definition at line 316 of file instrument.c.

References hfuzz_trace_pc_internal().

◆ __sanitizer_cov_trace_pc_guard()

◆ __sanitizer_cov_trace_pc_guard_init()

void __sanitizer_cov_trace_pc_guard_init ( uint32_t *  start,
uint32_t *  stop 
)

◆ __sanitizer_cov_trace_pc_indir()

void __sanitizer_cov_trace_pc_indir ( uintptr_t  callee)

◆ __sanitizer_cov_trace_switch()

void __sanitizer_cov_trace_switch ( uint64_t  Val,
uint64_t *  Cases 
)

◆ _memcmp()

static int _memcmp ( const void *  m1,
const void *  m2,
size_t  n 
)
static

Definition at line 55 of file instrument.c.

References m2, n, and s2.

Referenced by initializeLibcFunctions().

◆ getsym()

static void* getsym ( const char *  sym)
static

Definition at line 70 of file instrument.c.

Referenced by initializeLibcFunctions().

◆ hfuzz_trace_cmp1()

void hfuzz_trace_cmp1 ( uintptr_t  pc,
uint8_t  Arg1,
uint8_t  Arg2 
)

Definition at line 462 of file instrument.c.

References hfuzz_trace_cmp1_internal().

◆ hfuzz_trace_cmp1_internal()

static void hfuzz_trace_cmp1_internal ( uintptr_t  pc,
uint8_t  Arg1,
uint8_t  Arg2 
)
inlinestatic

◆ hfuzz_trace_cmp2()

void hfuzz_trace_cmp2 ( uintptr_t  pc,
uint16_t  Arg1,
uint16_t  Arg2 
)

Definition at line 466 of file instrument.c.

References hfuzz_trace_cmp2_internal().

◆ hfuzz_trace_cmp2_internal()

static void hfuzz_trace_cmp2_internal ( uintptr_t  pc,
uint16_t  Arg1,
uint16_t  Arg2 
)
inlinestatic

◆ hfuzz_trace_cmp4()

void hfuzz_trace_cmp4 ( uintptr_t  pc,
uint32_t  Arg1,
uint32_t  Arg2 
)

Definition at line 470 of file instrument.c.

References hfuzz_trace_cmp4_internal().

◆ hfuzz_trace_cmp4_internal()

static void hfuzz_trace_cmp4_internal ( uintptr_t  pc,
uint32_t  Arg1,
uint32_t  Arg2 
)
inlinestatic

◆ hfuzz_trace_cmp8()

void hfuzz_trace_cmp8 ( uintptr_t  pc,
uint64_t  Arg1,
uint64_t  Arg2 
)

Definition at line 474 of file instrument.c.

References hfuzz_trace_cmp8_internal().

◆ hfuzz_trace_cmp8_internal()

static void hfuzz_trace_cmp8_internal ( uintptr_t  pc,
uint64_t  Arg1,
uint64_t  Arg2 
)
inlinestatic

◆ hfuzz_trace_pc()

void hfuzz_trace_pc ( uintptr_t  pc)

Definition at line 320 of file instrument.c.

References hfuzz_trace_pc_internal().

◆ hfuzz_trace_pc_internal()

static void hfuzz_trace_pc_internal ( uintptr_t  pc)
inlinestatic

◆ hfuzzInstrumentInit()

void hfuzzInstrumentInit ( void  )

◆ initializeCmpFeedback()

static void initializeCmpFeedback ( void  )
static

◆ initializeGlobalCovFeedback()

static bool initializeGlobalCovFeedback ( void  )
static

Definition at line 157 of file instrument.c.

References _HF_COV_BITMAP_FD, globalCovFeedback, initialzeTryMapHugeTLB(), LOG_W, and PLOG_W.

Referenced by initializeInstrument().

◆ initializeInstrument()

◆ initializeLibcFunctions()

static void initializeLibcFunctions ( void  )
static

Definition at line 82 of file instrument.c.

References _memcmp(), getsym(), libc_memcmp, LOG_D, LOG_W, n, and s2.

Referenced by initializeInstrument().

◆ initializeLocalCovFeedback()

static bool initializeLocalCovFeedback ( void  )
static

◆ initialzeTryMapHugeTLB()

static void* initialzeTryMapHugeTLB ( int  fd,
size_t  sz 
)
static

◆ instrument8BitCountersCount()

◆ instrumentAddConstMem()

◆ instrumentAddConstMemInternal()

◆ instrumentAddConstStr()

void instrumentAddConstStr ( const char *  s)

◆ instrumentAddConstStrN()

void instrumentAddConstStrN ( const char *  s,
size_t  n 
)

◆ instrumentClearNewCov()

◆ instrumentConstAvail()

◆ instrumentLimitEvery()

static bool instrumentLimitEvery ( uint64_t  step)
inlinestatic

◆ instrumentReserveGuard()

◆ instrumentResetLocalCovFeedback()

void instrumentResetLocalCovFeedback ( void  )

◆ instrumentThreadNo()

unsigned instrumentThreadNo ( void  )

Definition at line 766 of file instrument.c.

References my_thread_no.

Referenced by performanceInit(), and performanceTooSlow().

◆ instrumentUpdateCmpMap()

bool instrumentUpdateCmpMap ( uintptr_t  addr,
uint32_t  v 
)

Variable Documentation

◆ __sancov_lowest_stack

__thread uintptr_t __sancov_lowest_stack = 0

Definition at line 774 of file instrument.c.

◆ bbMapFb

feedback_t bbMapFb
static

Definition at line 47 of file instrument.c.

Referenced by initializeInstrument().

◆ cnt

◆ globalCmpFeedback

◆ globalCovFeedback

◆ guard

◆ guards_initialized

bool guards_initialized = false
static

◆ hf8bitcounters

struct { ... } hf8bitcounters[256]

◆ instrumentCntMap

uint8_t const instrumentCntMap[256]
static
Initial value:
= {
[0] = 0,
[1] = 1U << 0,
[2] = 1U << 1,
[3] = 1U << 2,
[4 ... 5] = 1U << 3,
[6 ... 10] = 1U << 4,
[11 ... 32] = 1U << 5,
[33 ... 64] = 1U << 6,
[65 ... 255] = 1U << 7,
}

Definition at line 616 of file instrument.c.

Referenced by __sanitizer_cov_trace_pc_guard(), and instrument8BitCountersCount().

◆ libc_memcmp

int(* libc_memcmp) (const void *s1, const void *s2, size_t n) = _memcmp

Definition at line 68 of file instrument.c.

Referenced by initializeLibcFunctions(), and instrumentAddConstMemInternal().

◆ LIBHFUZZ_module_instrument

const char* const LIBHFUZZ_module_instrument = "LIBHFUZZ_module_instrument"

Definition at line 31 of file instrument.c.

Referenced by HonggfuzzRunOneInput().

◆ localCovFeedback

◆ localInitOnce

__thread pthread_once_t localInitOnce = PTHREAD_ONCE_INIT
static

Definition at line 218 of file instrument.c.

Referenced by hfuzzInstrumentInit().

◆ my_thread_no

◆ start