func main() {
flag.Parse()
if flag.NArg() != 1 {
fmt.Fprintf(os.Stderr, "usage: mutate program\n")
os.Exit(1)
}
data, err := ioutil.ReadFile(flag.Arg(0))
if err != nil {
fmt.Fprintf(os.Stderr, "failed to read prog file: %v\n", err)
os.Exit(1)
}
p, err := prog.Deserialize(data)
if err != nil {
fmt.Fprintf(os.Stderr, "failed to deserialize the program: %v\n", err)
os.Exit(1)
}
prios := prog.CalculatePriorities(nil)
ct := prog.BuildChoiceTable(prios, nil)
seed := time.Now().UnixNano()
if *flagSeed != -1 {
seed = int64(*flagSeed)
}
rs := rand.NewSource(seed)
p.Mutate(rs, len(p.Calls)+10, ct)
fmt.Printf("%s\n", p.Serialize())
}
func (mgr *Manager) minimizeCorpus() {
if !mgr.cfg.Nocover && len(mgr.corpus) != 0 {
// First, sort corpus per call.
type Call struct {
inputs []RpcInput
cov []cover.Cover
}
calls := make(map[string]Call)
for _, inp := range mgr.corpus {
c := calls[inp.Call]
c.inputs = append(c.inputs, inp)
c.cov = append(c.cov, inp.Cover)
calls[inp.Call] = c
}
// Now minimize and build new corpus.
var newCorpus []RpcInput
for _, c := range calls {
for _, idx := range cover.Minimize(c.cov) {
newCorpus = append(newCorpus, c.inputs[idx])
}
}
logf(1, "minimized corpus: %v -> %v", len(mgr.corpus), len(newCorpus))
mgr.corpus = newCorpus
}
var corpus []*prog.Prog
for _, inp := range mgr.corpus {
p, err := prog.Deserialize(inp.Prog)
if err != nil {
panic(err)
}
corpus = append(corpus, p)
}
mgr.prios = prog.CalculatePriorities(corpus)
}
func main() {
flag.Parse()
corpus := readCorpus()
log.Printf("parsed %v programs", len(corpus))
calls := buildCallList()
prios := prog.CalculatePriorities(corpus)
ct := prog.BuildChoiceTable(prios, calls)
var flags uint64
if *flagThreaded {
flags |= ipc.FlagThreaded
}
if *flagCollide {
flags |= ipc.FlagCollide
}
if *flagNobody {
flags |= ipc.FlagDropPrivs
}
if *flagDebug {
flags |= ipc.FlagDebug
}
if *flagNoPgid {
flags |= ipc.FlagNoSetpgid
}
gate = ipc.NewGate(2 * *flagProcs)
for pid := 0; pid < *flagProcs; pid++ {
pid := pid
go func() {
env, err := ipc.MakeEnv(*flagExecutor, *flagTimeout, flags)
if err != nil {
failf("failed to create execution environment: %v", err)
}
rs := rand.NewSource(time.Now().UnixNano() + int64(pid)*1e12)
rnd := rand.New(rs)
for i := 0; ; i++ {
var p *prog.Prog
if len(corpus) == 0 || i%4 != 0 {
p = prog.Generate(rs, programLength, ct)
execute(pid, env, p)
p.Mutate(rs, programLength, ct)
execute(pid, env, p)
} else {
p = corpus[rnd.Intn(len(corpus))].Clone()
p.Mutate(rs, programLength, ct)
execute(pid, env, p)
p.Mutate(rs, programLength, ct)
execute(pid, env, p)
}
}
}()
}
for range time.NewTicker(5 * time.Second).C {
log.Printf("executed %v programs", atomic.LoadUint64(&statExec))
}
}
func (mgr *Manager) minimizeCorpus() {
if mgr.cfg.Cover && len(mgr.corpus) != 0 {
// First, sort corpus per call.
type Call struct {
inputs []RpcInput
cov []cover.Cover
}
calls := make(map[string]Call)
for _, inp := range mgr.corpus {
c := calls[inp.Call]
c.inputs = append(c.inputs, inp)
c.cov = append(c.cov, inp.Cover)
calls[inp.Call] = c
}
// Now minimize and build new corpus.
var newCorpus []RpcInput
for _, c := range calls {
for _, idx := range cover.Minimize(c.cov) {
newCorpus = append(newCorpus, c.inputs[idx])
}
}
Logf(1, "minimized corpus: %v -> %v", len(mgr.corpus), len(newCorpus))
mgr.corpus = newCorpus
}
var corpus []*prog.Prog
for _, inp := range mgr.corpus {
p, err := prog.Deserialize(inp.Prog)
if err != nil {
panic(err)
}
corpus = append(corpus, p)
}
mgr.prios = prog.CalculatePriorities(corpus)
// Don't minimize persistent corpus until fuzzers have triaged all inputs from it.
if len(mgr.candidates) == 0 {
hashes := make(map[string]bool)
for _, inp := range mgr.corpus {
h := hash(inp.Prog)
hashes[hex.EncodeToString(h[:])] = true
}
for _, h := range mgr.disabledHashes {
hashes[h] = true
}
mgr.persistentCorpus.minimize(hashes)
}
}
func main() {
flag.Parse()
corpus := readCorpus()
Logf(0, "parsed %v programs", len(corpus))
calls := buildCallList()
prios := prog.CalculatePriorities(corpus)
ct := prog.BuildChoiceTable(prios, calls)
flags, timeout, err := ipc.DefaultFlags()
if err != nil {
Fatalf("%v", err)
}
gate = ipc.NewGate(2**flagProcs, nil)
for pid := 0; pid < *flagProcs; pid++ {
pid := pid
go func() {
env, err := ipc.MakeEnv(*flagExecutor, timeout, flags, pid)
if err != nil {
Fatalf("failed to create execution environment: %v", err)
}
rs := rand.NewSource(time.Now().UnixNano() + int64(pid)*1e12)
rnd := rand.New(rs)
for i := 0; ; i++ {
var p *prog.Prog
if len(corpus) == 0 || i%4 != 0 {
p = prog.Generate(rs, programLength, ct)
execute(pid, env, p)
p.Mutate(rs, programLength, ct, corpus)
execute(pid, env, p)
} else {
p = corpus[rnd.Intn(len(corpus))].Clone()
p.Mutate(rs, programLength, ct, corpus)
execute(pid, env, p)
p.Mutate(rs, programLength, ct, corpus)
execute(pid, env, p)
}
}
}()
}
for range time.NewTicker(5 * time.Second).C {
Logf(0, "executed %v programs", atomic.LoadUint64(&statExec))
}
}