1#!/bin/bash -u 2# Copyright 2018 Google Inc. 3# 4# Licensed under the Apache License, Version 2.0 (the "License"); 5# you may not use this file except in compliance with the License. 6# You may obtain a copy of the License at 7# 8# http://www.apache.org/licenses/LICENSE-2.0 9# 10# Unless required by applicable law or agreed to in writing, software 11# distributed under the License is distributed on an "AS IS" BASIS, 12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13# See the License for the specific language governing permissions and 14# limitations under the License. 15# 16################################################################################ 17cd $OUT 18 19if (( $# > 0 )); then 20 FUZZ_TARGETS="$@" 21else 22 FUZZ_TARGETS="$(find . -maxdepth 1 -type f -executable -printf '%P\n')" 23fi 24 25DUMPS_DIR="$OUT/dumps" 26FUZZER_STATS_DIR="$OUT/fuzzer_stats" 27LOGS_DIR="$OUT/logs" 28REPORT_ROOT_DIR="$OUT/report" 29REPORT_PLATFORM_DIR="$OUT/report/linux" 30 31for directory in $DUMPS_DIR $FUZZER_STATS_DIR $LOGS_DIR $REPORT_ROOT_DIR \ 32 $REPORT_PLATFORM_DIR; do 33 rm -rf $directory 34 mkdir -p $directory 35done 36 37PROFILE_FILE="$DUMPS_DIR/merged.profdata" 38SUMMARY_FILE="$REPORT_PLATFORM_DIR/summary.json" 39 40# Use path mapping, as $SRC directory from the builder is copied into $OUT/$SRC. 41PATH_EQUIVALENCE_ARGS="-path-equivalence=/,$OUT" 42 43# It's important to use $COVERAGE_EXTRA_ARGS as the last argument, because it 44# can contain paths to source files / directories which are positional args. 45LLVM_COV_COMMON_ARGS="$PATH_EQUIVALENCE_ARGS \ 46 -ignore-filename-regex=.*src/libfuzzer/.* $COVERAGE_EXTRA_ARGS" 47 48# Timeout for running a single fuzz target. 49TIMEOUT=1h 50 51# This will be used by llvm-cov command to generate the actual report. 52objects="" 53 54# Number of CPUs available, this is needed for running tests in parallel. 55NPROC=$(nproc) 56 57function run_fuzz_target { 58 local target=$1 59 60 # '%1m' will produce separate dump files for every object. For example, if a 61 # fuzz target loads a shared library, we will have dumps for both of them. 62 local profraw_file="$DUMPS_DIR/$target.%1m.profraw" 63 local profraw_file_mask="$DUMPS_DIR/$target.*.profraw" 64 local profdata_file="$DUMPS_DIR/$target.profdata" 65 local corpus_real="/corpus/${target}" 66 67 # -merge=1 requires an output directory, create a dummy dir for that. 68 local corpus_dummy="$OUT/dummy_corpus_dir_for_${target}" 69 rm -rf $corpus_dummy && mkdir -p $corpus_dummy 70 71 # Use -merge=1 instead of -runs=0 because merge is crash resistant and would 72 # let to get coverage using all corpus files even if there are crash inputs. 73 # Merge should not introduce any significant overhead compared to -runs=0, 74 # because (A) corpuses are already minimized; (B) we do not use sancov, and so 75 # libFuzzer always finishes merge with an empty output dir. 76 # Use 100s timeout instead of 25s as code coverage builds can be very slow. 77 local args="-merge=1 -timeout=100 -close_fd_mask=3 $corpus_dummy $corpus_real" 78 79 export LLVM_PROFILE_FILE=$profraw_file 80 timeout $TIMEOUT $OUT/$target $args &> $LOGS_DIR/$target.log 81 if (( $? != 0 )); then 82 echo "Error occured while running $target:" 83 cat $LOGS_DIR/$target.log 84 fi 85 86 rm -rf $corpus_dummy 87 88 if (( $(du -c $profraw_file_mask | tail -n 1 | cut -f 1) == 0 )); then 89 # Skip fuzz targets that failed to produce profile dumps. 90 return 0 91 fi 92 93 llvm-profdata merge -j=1 -sparse $profraw_file_mask -o $profdata_file 94 95 # Delete unnecessary and (potentially) large .profraw files. 96 rm $profraw_file_mask 97 98 shared_libraries=$(coverage_helper shared_libs -build-dir=$OUT -object=$target) 99 llvm-cov export -summary-only -instr-profile=$profdata_file -object=$target \ 100 $shared_libraries $LLVM_COV_COMMON_ARGS > $FUZZER_STATS_DIR/$target.json 101} 102 103# Run each fuzz target, generate raw coverage dumps. 104for fuzz_target in $FUZZ_TARGETS; do 105 # Continue if not a fuzz target. 106 if [[ $FUZZING_ENGINE != "none" ]]; then 107 grep "LLVMFuzzerTestOneInput" $fuzz_target > /dev/null 2>&1 || continue 108 fi 109 110 echo "Running $fuzz_target" 111 run_fuzz_target $fuzz_target & 112 113 if [[ -z $objects ]]; then 114 # The first object needs to be passed without -object= flag. 115 objects="$fuzz_target" 116 else 117 objects="$objects -object=$fuzz_target" 118 fi 119 120 # Do not spawn more processes than the number of CPUs available. 121 n_child_proc=$(jobs -rp | wc -l) 122 while [ "$n_child_proc" -eq "$NPROC" ]; do 123 sleep 4 124 n_child_proc=$(jobs -rp | wc -l) 125 done 126done 127 128# Wait for background processes to finish. 129wait 130 131# From this point on the script does not tolerate any errors. 132set -e 133 134# Merge all dumps from the individual targets. 135rm -f $PROFILE_FILE 136llvm-profdata merge -sparse $DUMPS_DIR/*.profdata -o $PROFILE_FILE 137 138# TODO(mmoroz): add script from Chromium for rendering directory view reports. 139# The first path in $objects does not have -object= prefix (llvm-cov format). 140shared_libraries=$(coverage_helper shared_libs -build-dir=$OUT -object=$objects) 141objects="$objects $shared_libraries" 142 143# It's important to use $LLVM_COV_COMMON_ARGS as the last argument due to 144# positional arguments (SOURCES) that can be passed via $COVERAGE_EXTRA_ARGS. 145LLVM_COV_ARGS="-instr-profile=$PROFILE_FILE $objects $LLVM_COV_COMMON_ARGS" 146 147# Generate HTML report. 148llvm-cov show -format=html -output-dir=$REPORT_ROOT_DIR \ 149 -Xdemangler c++filt -Xdemangler -n $LLVM_COV_ARGS 150 151# Export coverage summary in JSON format. 152llvm-cov export -summary-only $LLVM_COV_ARGS > $SUMMARY_FILE 153 154# Post process HTML report. 155coverage_helper -v post_process -src-root-dir=/ -summary-file=$SUMMARY_FILE \ 156 -output-dir=$REPORT_ROOT_DIR $PATH_EQUIVALENCE_ARGS 157 158if [[ -n $HTTP_PORT ]]; then 159 # Serve the report locally. 160 echo "Serving the report on http://127.0.0.1:$HTTP_PORT/linux/index.html" 161 cd $REPORT_ROOT_DIR 162 python3 -m http.server $HTTP_PORT 163fi 164