Optimize fuzzer

2026-01-20 12:13:57 +00:00 · 2025-05-28 21:09:56 +02:00
parent 28f704e408
commit 4199177aa0
4 changed files with 126 additions and 4 deletions
--- a/src/fuzzing-engine/fuzzer.cpp
+++ b/src/fuzzing-engine/fuzzer.cpp
@@ -3,6 +3,10 @@

 #include "input_generator.hpp"

+#include <utils/timer.hpp>
+#include <utils/string.hpp>
+#include <utils/finally.hpp>
+
 namespace fuzzer
 {
    namespace
@@ -45,6 +49,57 @@ namespace fuzzer
            std::atomic_bool stop_{false};
        };

+        std::string format_binary_data(const std::span<const uint8_t> input)
+        {
+            std::string data;
+            std::string bytes;
+            std::string text;
+
+            const auto wrap_line = [&] {
+                if (bytes.empty())
+                {
+                    return;
+                }
+
+                while (bytes.size() < 16 * 3)
+                {
+                    bytes.push_back(' ');
+                }
+
+                data += bytes;
+                data += "| ";
+                data += text;
+                data += "\n";
+
+                bytes.clear();
+                text.clear();
+            };
+
+            for (size_t i = 0; i < input.size(); ++i)
+            {
+                if (i % 16 == 0)
+                {
+                    wrap_line();
+                }
+
+                const auto in = input[i];
+                bytes += utils::string::va("%02X ", static_cast<uint32_t>(in));
+                text.push_back(isprint(in) ? static_cast<char>(in) : '.');
+            }
+
+            wrap_line();
+
+            return data;
+        }
+
+        void print_crash(const std::span<const uint8_t> input)
+        {
+            std::string text = utils::string::va("\nFound crash for input (length %zu):\n", input.size());
+            text += format_binary_data(input);
+
+            printf("%.*s\n", static_cast<int>(text.size()), text.c_str());
+        }
+
        void perform_fuzzing_iteration(fuzzing_context& context, executer& executer)
        {
            ++context.executions;
@@ -56,8 +111,7 @@ namespace fuzzer

                if (result == execution_result::error)
                {
-                    printf("Found error!\n");
-                    context.stop();
+                    print_crash(input);
                }

                return score;
@@ -111,6 +165,7 @@ namespace fuzzer

    void run(fuzzing_handler& handler, const size_t concurrency)
    {
+        const utils::timer<> t{};
        input_generator generator{};
        fuzzing_context context{generator, handler};
        worker_pool pool{context, concurrency};
@@ -125,5 +180,9 @@ namespace fuzzer
            printf("Executions/s: %" PRIu64 " - Score: %" PRIx64 " - Avg: %.3f\n", executions, highest_scorer.score,
                   avg_score);
        }
+
+        const auto duration = t.elapsed();
+        const int64_t seconds = std::chrono::duration_cast<std::chrono::seconds>(duration).count();
+        printf("Fuzzing stopped after %" PRIi64 "s\n", seconds);
    }
 }