From: George Dunlap <george.dunlap@citrix.com>
To: xen-devel@lists.xenproject.org
Cc: Ian Jackson <ian.jackson@citrix.com>,
Wei Liu <wei.liu2@citrix.com>,
George Dunlap <george.dunlap@citrix.com>,
Jan Beulich <jbeulich@suse.com>,
Andrew Cooper <andrew.cooper3@citrix.com>
Subject: [PATCH 09/14] fuzz/x86_emulate: Take multiple test files for inputs
Date: Fri, 25 Aug 2017 17:43:38 +0100
Message-ID: <20170825164343.29015-9-george.dunlap@citrix.com>
In-Reply-To: <20170825164343.29015-1-george.dunlap@citrix.com>

Finding aggregate coverage for a set of test files means running each
afl-generated test case through the harness. At the moment, this is
done by re-executing afl-harness-cov with each input file. When a
large number of test cases have been generated, this can take a
significant amount of time; a recent test with 30k total files
generated by 4 parallel fuzzers took over 7 minutes.

The vast majority of this time is taken up with 'exec', however.
Since the harness is already designed to loop over multiple inputs for
llvm "persistent mode", just allow it to take a large number of inputs
on the same when *not* running in llvm "persistent mode". Then the
command can be efficiently executed like this:

  ls */queue/id* | xargs $path/afl-harness-cov

For the above-mentioned test on 30k files, the time to generate
coverage data was reduced from 7 minutes to under 30 seconds.

Signed-off-by: George Dunlap <george.dunlap@citrix.com>
---
CC: Ian Jackson <ian.jackson@citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Jan Beulich <jbeulich@suse.com>
---
tools/fuzz/README.afl | 7 +++++++
tools/fuzz/x86_instruction_emulator/afl-harness.c | 23 ++++++++++++++++-------
2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
index 0d955b2687..e8c23d734c 100644
--- a/tools/fuzz/README.afl
+++ b/tools/fuzz/README.afl
@@ -49,6 +49,13 @@ generate coverage data. To do this, use the target `afl-cov`:
$ make afl-cov #produces afl-harness-cov
+In order to speed up the process of checking total coverage,
+`afl-harness-cov` can take several test inputs on its command-line;
+the speed-up effect should be similar to that of using afl-clang-fast.
+You can use xargs to do this most efficiently, like so:
+
+ $ ls queue/id* | xargs $path/afl-harness-cov
+
NOTE: Please also note that the coverage instrumentation hard-codes
the absolute path for the instrumentation read and write files in the
binary; so coverage data will always show up in the build directory no
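Review bot: The added README paragraph describes multi-file input as a general property of `afl-harness-cov`, but in afl-harness.c the `for` loop over `max` lives in the `#else` branch of `__AFL_HAVE_MANUAL_CONTROL`, so a binary built for persistent mode only ever opens `argv[optind]` and silently ignores the remaining files. One sentence stating that extra files are honoured only in non-persistent builds would prevent someone from collecting coverage for a single input while believing the whole queue was processed. The example here also uses `queue/id*` while the commit message uses `*/queue/id*`; it would help to say which directory the command is meant to be run from, or to show the parallel-fuzzer form.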
diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c b/tools/fuzz/x86_instruction_emulator/afl-harness.c
index 51e0183356..79f8aec653 100644
--- a/tools/fuzz/x86_instruction_emulator/afl-harness.c
+++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c
@@ -16,6 +16,8 @@ int main(int argc, char **argv)
{
size_t size;
FILE *fp = NULL;
+ int count = 0;
+ int max;
setbuf(stdin, NULL);
setbuf(stdout, NULL);
@@ -42,8 +44,7 @@ int main(int argc, char **argv)
break;
case '?':
- usage:
- printf("Usage: %s $FILE | [--min-input-size]\n", argv[0]);
+ printf("Usage: %s $FILE [$FILE...] | [--min-input-size]\n", argv[0]);
exit(-1);
break;
@@ -54,21 +55,27 @@ int main(int argc, char **argv)
}
}
- if ( optind == argc ) /* No positional parameters. Use stdin. */
+ max = argc - optind;
+
+ if ( !max ) /* No positional parameters. Use stdin. */
+ {
+ max = 1;
fp = stdin;
- else if ( optind != (argc - 1) )
- goto usage;
+ }
if ( LLVMFuzzerInitialize(&argc, &argv) )
exit(-1);
#ifdef __AFL_HAVE_MANUAL_CONTROL
while ( __AFL_LOOP(1000) )
+#else
+ for( count = 0; count < max; count++ )
#endif
{
if ( fp != stdin ) /* If not using stdin, open the provided file. */
{
- fp = fopen(argv[optind], "rb");
+ printf("Opening file %s\n", argv[optind]);
+ fp = fopen(argv[optind + count], "rb");
if ( fp == NULL )
{
perror("fopen");
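Review bot: The added `printf("Opening file %s\n", argv[optind]);` prints `argv[optind]` while the `fopen()` on the following line uses `argv[optind + count]`, so every iteration reports the first file name rather than the one actually being opened; the index should be `optind + count` in both places. With tens of thousands of inputs this line is also a lot of stdout noise, so consider dropping it or printing the name only on failure next to `perror("fopen")`. Separately, removing the `else if ( optind != (argc - 1) ) goto usage;` check means a persistent-mode build now accepts extra positional arguments without complaint even though `count` never advances there; keeping the check under `#ifdef __AFL_HAVE_MANUAL_CONTROL` would preserve the old diagnostic. Style nit: `for( count` should be `for ( count` to match the surrounding `while ( ` and `if ( `.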
@@ -87,7 +94,9 @@ int main(int argc, char **argv)
if ( !feof(fp) || size > INPUT_SIZE )
{
printf("Input too large\n");
- exit(-1);
+ if ( optind + 1 == argc )
+ exit(-1);
+ continue;
}
if ( fp != stdin )
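Review bot: The new `if ( optind + 1 == argc ) exit(-1); continue;` changes the stdin case as well as the multi-file case: with no positional parameters `optind == argc`, so the condition is false and an oversized input on stdin now hits `continue` instead of exiting with an error. Testing `max == 1` (which the earlier hunk sets for both stdin and a single file) would keep the previous behaviour and read more clearly. The `continue` also skips the `if ( fp != stdin )` block that follows; if that block is where the file is closed, each oversized input leaks an open `FILE`, which matters when xargs passes thousands of paths to one process. Finally, "Input too large" no longer says which file was skipped, so including `argv[optind + count]` in the message would make the skipped inputs identifiable.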
--
2.14.1