forked from HexHive/FuzzGen
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlayout.h
275 lines (217 loc) · 8.93 KB
/
layout.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
// ------------------------------------------------------------------------------------------------
/*
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*
* ___ ___ ___ ___ ___ ___ ___
* /\__\ /\ \ /\__\ /\__\ /\__\ /\__\ /\ \
* /:/ _/_ \:\ \ /::| | /::| | /:/ _/_ /:/ _/_ \:\ \
* /:/ /\__\ \:\ \ /:/:| | /:/:| | /:/ /\ \ /:/ /\__\ \:\ \
* /:/ /:/ / ___ \:\ \ /:/|:| |__ /:/|:| |__ /:/ /::\ \ /:/ /:/ _/_ _____\:\ \
* /:/_/:/ / /\ \ \:\__\ /:/ |:| /\__\ /:/ |:| /\__\ /:/__\/\:\__\ /:/_/:/ /\__\ /::::::::\__\
* \:\/:/ / \:\ \ /:/ / \/__|:|/:/ / \/__|:|/:/ / \:\ \ /:/ / \:\/:/ /:/ / \:\~~\~~\/__/
* \::/__/ \:\ /:/ / |:/:/ / |:/:/ / \:\ /:/ / \::/_/:/ / \:\ \
* \:\ \ \:\/:/ / |::/ / |::/ / \:\/:/ / \:\/:/ / \:\ \
* \:\__\ \::/ / |:/ / |:/ / \::/ / \::/ / \:\__\
* \/__/ \/__/ |/__/ |/__/ \/__/ \/__/ \/__/
*
* FuzzGen - Automatic Fuzzer Generation
*
*
*
* layout.h
*
* Header file for layout.cpp.
*
*/
// ------------------------------------------------------------------------------------------------
#ifndef LIBRARY_LAYOUT_H
#define LIBRARY_LAYOUT_H
#include "common.h" // local includes
#include "interwork.h"
#include "root.h"
#include "dig.h"
#include "llvm/Pass.h" // llvm includes
#include "llvm/IR/Module.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/BasicBlock.h"
#include "llvm/IR/CFG.h"
#include "llvm/IR/User.h"
#include "llvm/IR/Constants.h"
#include "llvm/IR/Instruction.h"
#include "llvm/IR/CallSite.h"
#include "llvm/IR/InstIterator.h"
#include "llvm/IR/Dominators.h"
#include "llvm/IR/LegacyPassManager.h"
#include "llvm/Analysis/Passes.h"
#include "llvm/Analysis/CallGraph.h"
#include "llvm/Analysis/Interval.h"
#include "llvm/Analysis/PostDominators.h"
#include <typeinfo> // c++ includes
#include <iostream>
#include <iomanip>
#include <sstream>
#include <fstream>
#include <cstring>
#include <cstdlib>
#include <string>
#include <list>
#include <map>
#include <stack>
#include <deque>
#include <vector>
#include <algorithm>
#include <boost/graph/graph_traits.hpp> // boost libraries
#include <boost/graph/adjacency_list.hpp>
#include <boost/property_map/property_map.hpp>
#include <boost/graph/dominator_tree.hpp>
#include <boost/graph/copy.hpp>
#define UID_INVALID 0x0000ffff
using namespace std;
using namespace boost;
using namespace llvm;
// ------------------------------------------------------------------------------------------------
// * Abstract API Dependence Graph Node*
//
// Elements of an AADG node.
//
class AADGNode {
public:
/* node attributes */
enum nodeAttr {
ATTR_NONE=0x00,
ATTR_IS_ROOT=0x01,
ATTR_IS_LEAF=0x02,
ATTR_NEW=0x10,
ATTR_COMMON=0x20,
ATTR_IGNORE=0x80
};
unsigned uid; // a unique ID
unsigned funID; // function ID (embedded functions have the same value)
const CallInst *inst; // current instruction
const BasicBlock *bb; // current basic block
bool hasFailure; // true iff Failure Heuristic is satisfied
vector<uint64_t> val; // check return value against this value
vector<string> op; // using this operator
int attr; // node attributes
interwork::APICall *APICall; // interwork object for call instruction
/* class constructor */
AADGNode() : uid(0), funID(0), inst(nullptr), bb(nullptr), hasFailure(false) { }
/* clear all fields */
void clear() {
uid = 0;
funID = 0;
inst = nullptr;
bb = nullptr;
hasFailure = false;
attr = ATTR_NONE;
APICall = nullptr;
val.clear();
op.clear();
}
};
// ------------------------------------------------------------------------------------------------
// * AADG types *
//
// Boost type definitions for AADG
//
/* directed graph type */
// setS = no parallel edges, bidirectionalS = in_edges()
typedef adjacency_list<setS, vecS, bidirectionalS, AADGNode> Graph;
/* edge iterator types */
typedef graph_traits<Graph>::edge_iterator edge_iterator;
typedef graph_traits<Graph>::in_edge_iterator in_edge_iterator;
typedef graph_traits<Graph>::out_edge_iterator out_edge_iterator;
/* vertex iterator type */
typedef graph_traits<Graph>::vertex_iterator vertex_iterator;
/* vertex descriptor type */
typedef graph_traits<Graph>::vertex_descriptor vertex_t;
/* vertex descriptor type */
typedef graph_traits<Graph>::vertex_descriptor vertex_t;
typedef graph_traits<Graph>::edge_descriptor edge_t;
/* property to index and iterate over vertices */
typedef typename property_map<Graph, vertex_index_t>::type property_map_t;
typedef typename boost::iterator_property_map<vector<vertex_t>::iterator, property_map_t>
property_iterator;
/* adjacency list as a vector of lists */
typedef vector<list<int>> adjacency_list_t;
// ------------------------------------------------------------------------------------------------
// * Layout module *
//
// Build the fuzzer layout
//
class Layout {
public:
Graph AADG; // Abstract API Dependence Graph
// adjacency_list_t domTree; // dominator tree
adjacency_list_t pools; // function pools
map<vertex_t, int> iPools; // inverse index for function pools
/* class constructor */
Layout(const Module &, DominatorTree *, set<string> &, vector<interwork::APICall *> &);
/* check whether an AADG edge is a backward edge */
bool isBackwardEdge(vertex_t, vertex_t);
/* check whether there a path between 2 AADG vertices in CFG */
bool isCFGReachable(vertex_t, vertex_t);
/* visualize AADG */
bool visualizeAADG(const string filename);
// /* visualize Dominator Tree */
// bool visualizeDomTree(const string filename);
/* return the root node of AADG (is unique) */
vertex_t AADGroot();
/* return the size of the AADG */
unsigned AADGsize();
/* return the number of edges in the AADG */
unsigned AADGedges();
/* find backward edges in AADG */
void findBackEdges();
/* Delete a node from AADG */
bool deleteNode(vertex_t);
/* create the fuzzer layout */
bool makeAPICallLayout(const Function &);
/* update the fuzzer layout */
void updateAPICallLayout();
private:
const Module &module; // LLVM module
DominatorTree *CFG_domTree; // CFG dominator tree
set<string> &libAPI; // set of API functions
vector<interwork::APICall*> &APICalls; // APICall object from internal module
map<pair<int, int>, bool> backEdges; // AADG's backward edges
set<string> AADGCallStack; // call stack to catch recursions in AADG
/* create the AADG */
size_t makeAbstractAPIDependenceGraph(const Function &, Graph &, int);
// /* build the dominator tree */
// adjacency_list_t makeDominatorTree(Graph &);
//
// /* create the pools from dominator tree */
// adjacency_list_t makePools(adjacency_list_t &);
/* create the pools from dominator tree */
adjacency_list_t makePools(Graph &);
/* find the APICall object for a given API function */
interwork::APICall *findAPICall(string name);
/* find the AADG node for a given call instruction */
AADGNode *findAADGNode(const CallInst *);
/* search for nodes inside AADG (slow) */
vertex_t find(const BasicBlock *bb, Graph &G);
vertex_t find(unsigned uid, Graph &G);
/* generate a padding of n tabs */
inline string pad(int n) {
string indentation;
for (int i=0; i<n<<2; ++i, indentation+=" ")
{ }
return indentation;
}
};
// ------------------------------------------------------------------------------------------------
#endif