| // Copyright 2020 The Fuchsia Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef SRC_SYS_FUZZING_FRAMEWORK_ENGINE_PROCESS_PROXY_H_ |
| #define SRC_SYS_FUZZING_FRAMEWORK_ENGINE_PROCESS_PROXY_H_ |
| |
| #include <fuchsia/fuzzer/cpp/fidl.h> |
| #include <fuchsia/mem/cpp/fidl.h> |
| #include <lib/fidl/cpp/interface_request.h> |
| #include <lib/fit/function.h> |
| #include <lib/zx/channel.h> |
| #include <lib/zx/eventpair.h> |
| #include <lib/zx/process.h> |
| #include <stddef.h> |
| #include <zircon/compiler.h> |
| |
| #include <memory> |
| #include <unordered_map> |
| |
| #include "src/sys/fuzzing/common/async-eventpair.h" |
| #include "src/sys/fuzzing/common/async-types.h" |
| #include "src/sys/fuzzing/common/options.h" |
| #include "src/sys/fuzzing/common/result.h" |
| #include "src/sys/fuzzing/common/shared-memory.h" |
| #include "src/sys/fuzzing/framework/engine/module-pool.h" |
| #include "src/sys/fuzzing/framework/engine/module-proxy.h" |
| #include "src/sys/fuzzing/framework/target/process.h" |
| |
| namespace fuzzing { |
| |
| using ::fuchsia::fuzzer::InstrumentedProcess; |
| using ::fuchsia::fuzzer::LlvmModule; |
| using ::fuchsia::fuzzer::ProcessStats; |
| |
| // This class presents an interface to the engine for a instrumented target process. It tracks the |
| // LLVM modules associated with the process and synchronizes coverage collection with fuzzing runs. |
| // It also monitors the process for crashes and abnormal exits. |
| class ProcessProxy final { |
| public: |
| ProcessProxy(ExecutorPtr executor, uint64_t target_id, const ModulePoolPtr& pool); |
| ~ProcessProxy(); |
| |
| uint64_t target_id() const { return target_id_; } |
| |
| // Adds default values to unspecified options that are needed by objects of this class. |
| static void AddDefaults(Options* options); |
| |
| // Sets options for this object. |
| void Configure(const OptionsPtr& options); |
| |
| // Coverage methods. |
| __WARN_UNUSED_RESULT zx_status_t Connect(InstrumentedProcess instrumented); |
| __WARN_UNUSED_RESULT zx_status_t AddLlvmModule(LlvmModule llvm_module); |
| |
| // Signals the associated process that a fuzzing run is starting and if it should |detect_leaks|. |
| // Returns a promise that completes when the process acknowledges the signal. |
| ZxPromise<> Start(bool detect_leaks); |
| |
| // Signals the associated process that a fuzzing run is finishing. |
| __WARN_UNUSED_RESULT zx_status_t Finish(); |
| |
| // Returns a promise that completes either when the process acknowledges a (possibly subsequent) |
| // call to |Finish|, or when it encounters an error. The promise returns whether any memory leaks |
| // are suspected when successful, and the proxy's target ID on error. |
| Promise<bool, uint64_t> AwaitFinish(); |
| |
| // Adds the associated process' |ProcessStats| to |out|. |
| __WARN_UNUSED_RESULT zx_status_t GetStats(ProcessStats* out); |
| |
| // Promises to return the fuzzing result from a process that encountered a fatal error. Waits for |
| // the process to terminate. |
| ZxPromise<FuzzResult> GetResult(); |
| |
| // Dumps information about all threads in a process to the provided buffer. Returns the number of |
| // bytes written, not including the null-terminator. |
| size_t Dump(void* buffer, size_t size); |
| |
| private: |
| // Sets signals for the process. This can be used to inform the process when fuzzing is starting |
| // or stopping. |
| void SignalPeer(Signal signal); |
| |
| // Promises to return the next received signals from the process, or an error if the process |
| // encounters a fatal error. |
| Promise<zx_signals_t> AwaitSignals(); |
| |
| ExecutorPtr executor_; |
| uint64_t target_id_ = kInvalidTargetId; |
| OptionsPtr options_; |
| |
| AsyncEventPair eventpair_; |
| ModulePoolPtr pool_; |
| std::unordered_map<ModuleProxy*, SharedMemory> modules_; |
| zx::process process_; |
| |
| // This is accessed from both the |ExecutorPtr| and the |Runner|. |
| FuzzResult result_ = FuzzResult::NO_ERRORS; |
| |
| Scope scope_; |
| |
| FXL_DISALLOW_COPY_ASSIGN_AND_MOVE(ProcessProxy); |
| }; |
| |
| } // namespace fuzzing |
| |
| #endif // SRC_SYS_FUZZING_FRAMEWORK_ENGINE_PROCESS_PROXY_H_ |