FuzzerUtilFuchsia.cpp source code [compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp]

1	//===- FuzzerUtilFuchsia.cpp - Misc utils for Fuchsia. --------------------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	// Misc utils implementation using Fuchsia/Zircon APIs.
9	//===----------------------------------------------------------------------===//
10	#include "FuzzerPlatform.h"
11
12	#if LIBFUZZER_FUCHSIA
13
14	#include "FuzzerInternal.h"
15	#include "FuzzerUtil.h"
16	#include <cassert>
17	#include <cerrno>
18	#include <cinttypes>
19	#include <cstdint>
20	#include <fcntl.h>
21	#include <lib/fdio/fdio.h>
22	#include <lib/fdio/spawn.h>
23	#include <string>
24	#include <sys/select.h>
25	#include <thread>
26	#include <unistd.h>
27	#include <zircon/errors.h>
28	#include <zircon/process.h>
29	#include <zircon/sanitizer.h>
30	#include <zircon/status.h>
31	#include <zircon/syscalls.h>
32	#include <zircon/syscalls/debug.h>
33	#include <zircon/syscalls/exception.h>
34	#include <zircon/syscalls/object.h>
35	#include <zircon/types.h>
36
37	#include <vector>
38
39	namespace fuzzer {
40
41	// Given that Fuchsia doesn't have the POSIX signals that libFuzzer was written
42	// around, the general approach is to spin up dedicated threads to watch for
43	// each requested condition (alarm, interrupt, crash). Of these, the crash
44	// handler is the most involved, as it requires resuming the crashed thread in
45	// order to invoke the sanitizers to get the needed state.
46
47	// Forward declaration of assembly trampoline needed to resume crashed threads.
48	// This appears to have external linkage to C++, which is why it's not in the
49	// anonymous namespace. The assembly definition inside MakeTrampoline()
50	// actually defines the symbol with internal linkage only.
51	void CrashTrampolineAsm() __asm__("CrashTrampolineAsm");
52
53	namespace {
54
55	// The signal handler thread uses Zircon exceptions to resume crashed threads
56	// into libFuzzer's POSIX signal handlers. The associated event is used to
57	// signal when the thread is running, and when it should stop.
58	std::thread SignalHandler;
59	zx_handle_t SignalHandlerEvent = ZX_HANDLE_INVALID;
60
61	// Helper function to handle Zircon syscall failures.
62	void ExitOnErr(zx_status_t Status, const char *Syscall) {
63	if (Status != ZX_OK) {
64	Printf("libFuzzer: %s failed: %s\n", Syscall,
65	_zx_status_get_string(Status));
66	exit(`1`);
67	}
68	}
69
70	void AlarmHandler(int Seconds) {
71	while (true) {
72	SleepSeconds(Seconds);
73	Fuzzer::StaticAlarmCallback();
74	}
75	}
76
77	// For the crash handler, we need to call Fuzzer::StaticCrashSignalCallback
78	// without POSIX signal handlers. To achieve this, we use an assembly function
79	// to add the necessary CFI unwinding information and a C function to bridge
80	// from that back into C++.
81
82	// FIXME: This works as a short-term solution, but this code really shouldn't be
83	// architecture dependent. A better long term solution is to implement remote
84	// unwinding and expose the necessary APIs through sanitizer_common and/or ASAN
85	// to allow the exception handling thread to gather the crash state directly.
86	//
87	// Alternatively, Fuchsia may in future actually implement basic signal
88	// handling for the machine trap signals.
89	#if defined(__x86_64__)
90
91	#define FOREACH_REGISTER(OP_REG, OP_NUM) \
92	OP_REG(rax) \
93	OP_REG(rbx) \
94	OP_REG(rcx) \
95	OP_REG(rdx) \
96	OP_REG(rsi) \
97	OP_REG(rdi) \
98	OP_REG(rbp) \
99	OP_REG(rsp) \
100	OP_REG(r8) \
101	OP_REG(r9) \
102	OP_REG(r10) \
103	OP_REG(r11) \
104	OP_REG(r12) \
105	OP_REG(r13) \
106	OP_REG(r14) \
107	OP_REG(r15) \
108	OP_REG(rip)
109
110	#elif defined(__aarch64__)
111
112	#define FOREACH_REGISTER(OP_REG, OP_NUM) \
113	OP_NUM(0) \
114	OP_NUM(1) \
115	OP_NUM(2) \
116	OP_NUM(3) \
117	OP_NUM(4) \
118	OP_NUM(5) \
119	OP_NUM(6) \
120	OP_NUM(7) \
121	OP_NUM(8) \
122	OP_NUM(9) \
123	OP_NUM(10) \
124	OP_NUM(11) \
125	OP_NUM(12) \
126	OP_NUM(13) \
127	OP_NUM(14) \
128	OP_NUM(15) \
129	OP_NUM(16) \
130	OP_NUM(17) \
131	OP_NUM(18) \
132	OP_NUM(19) \
133	OP_NUM(20) \
134	OP_NUM(21) \
135	OP_NUM(22) \
136	OP_NUM(23) \
137	OP_NUM(24) \
138	OP_NUM(25) \
139	OP_NUM(26) \
140	OP_NUM(27) \
141	OP_NUM(28) \
142	OP_NUM(29) \
143	OP_REG(sp)
144
145	#elif defined(__riscv)
146
147	#define FOREACH_REGISTER(OP_REG, OP_NUM) \
148	OP_REG(ra) \
149	OP_REG(sp) \
150	OP_REG(gp) \
151	OP_REG(tp) \
152	OP_REG(t0) \
153	OP_REG(t1) \
154	OP_REG(t2) \
155	OP_REG(s0) \
156	OP_REG(s1) \
157	OP_REG(a0) \
158	OP_REG(a1) \
159	OP_REG(a2) \
160	OP_REG(a3) \
161	OP_REG(a4) \
162	OP_REG(a5) \
163	OP_REG(a6) \
164	OP_REG(a7) \
165	OP_REG(s2) \
166	OP_REG(s3) \
167	OP_REG(s4) \
168	OP_REG(s5) \
169	OP_REG(s6) \
170	OP_REG(s7) \
171	OP_REG(s8) \
172	OP_REG(s9) \
173	OP_REG(s10) \
174	OP_REG(s11) \
175	OP_REG(t3) \
176	OP_REG(t4) \
177	OP_REG(t5) \
178	OP_REG(t6) \
179
180	#else
181	#error "Unsupported architecture for fuzzing on Fuchsia"
182	#endif
183
184	// Produces a CFI directive for the named or numbered register.
185	// The value used refers to an assembler immediate operand with the same name
186	// as the register (see ASM_OPERAND_REG).
187	#define CFI_OFFSET_REG(reg) ".cfi_offset " #reg ", %c[" #reg "]\n"
188	#define CFI_OFFSET_NUM(num) CFI_OFFSET_REG(x##num)
189
190	// Produces an assembler immediate operand for the named or numbered register.
191	// This operand contains the offset of the register relative to the CFA.
192	#define ASM_OPERAND_REG(reg) \
193	[reg] "i"(offsetof(zx_thread_state_general_regs_t, reg)),
194	#define ASM_OPERAND_NUM(num) \
195	[x##num] "i"(offsetof(zx_thread_state_general_regs_t, r[num])),
196
197	// Trampoline to bridge from the assembly below to the static C++ crash
198	// callback.
199	__attribute__((noreturn))
200	static void StaticCrashHandler() {
201	Fuzzer::StaticCrashSignalCallback();
202	for (;;) {
203	_Exit(`1`);
204	}
205	}
206
207	// This trampoline function has the necessary CFI information to unwind
208	// and get a backtrace:
209	// The stack contains a copy of all the registers at the point of crash,*
210	// the code has CFI directives specifying how to restore them.
211	// A call to StaticCrashHandler, which will print the stacktrace and exit*
212	// the fuzzer, generating a crash artifact.
213	//
214	// The __attribute__((used)) is necessary because the function
215	// is never called; it's just a container around the assembly to allow it to
216	// use operands for compile-time computed constants.
217	__attribute__((used))
218	void MakeTrampoline() {
219	__asm__(
220	".cfi_endproc\n"
221	".pushsection .text.CrashTrampolineAsm\n"
222	".type CrashTrampolineAsm,STT_FUNC\n"
223	"CrashTrampolineAsm:\n"
224	".cfi_startproc simple\n"
225	".cfi_signal_frame\n"
226	#if defined(__x86_64__)
227	".cfi_return_column rip\n"
228	".cfi_def_cfa rsp, 0\n"
229	FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
230	"call %c[StaticCrashHandler]\n"
231	"ud2\n"
232	#elif defined(__aarch64__)
233	".cfi_return_column 33\n"
234	".cfi_def_cfa sp, 0\n"
235	FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
236	".cfi_offset 33, %c[pc]\n"
237	".cfi_offset 30, %c[lr]\n"
238	"bl %c[StaticCrashHandler]\n"
239	"brk 1\n"
240	#elif defined(__riscv)
241	".cfi_return_column 64\n"
242	".cfi_def_cfa sp, 0\n"
243	".cfi_offset 64, %[pc]\n"
244	FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
245	"call %c[StaticCrashHandler]\n"
246	"unimp\n"
247	#else
248	#error "Unsupported architecture for fuzzing on Fuchsia"
249	#endif
250	".cfi_endproc\n"
251	".size CrashTrampolineAsm, . - CrashTrampolineAsm\n"
252	".popsection\n"
253	".cfi_startproc\n"
254	: // No outputs
255	: FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM)
256	#if defined(__aarch64__) \|\| defined(__riscv)
257	ASM_OPERAND_REG(pc)
258	#endif
259	#if defined(__aarch64__)
260	ASM_OPERAND_REG(lr)
261	#endif
262	[StaticCrashHandler] "i"(StaticCrashHandler));
263	}
264
265	void CrashHandler() {
266	assert(SignalHandlerEvent != ZX_HANDLE_INVALID);
267
268	// This structure is used to ensure we close handles to objects we create in
269	// this handler.
270	struct ScopedHandle {
271	~ScopedHandle() { _zx_handle_close(Handle); }
272	zx_handle_t Handle = ZX_HANDLE_INVALID;
273	};
274
275	// Create the exception channel. We need to claim to be a "debugger" so the
276	// kernel will allow us to modify and resume dying threads (see below). Once
277	// the channel is set, we can signal the main thread to continue and wait
278	// for the exception to arrive.
279	ScopedHandle Channel;
280	zx_handle_t Self = _zx_process_self();
281	ExitOnErr(_zx_task_create_exception_channel(
282	Self, ZX_EXCEPTION_CHANNEL_DEBUGGER, &Channel.Handle),
283	"_zx_task_create_exception_channel");
284
285	ExitOnErr(_zx_object_signal(SignalHandlerEvent, `0`, ZX_USER_SIGNAL_0),
286	"_zx_object_signal");
287
288	// This thread lives as long as the process in order to keep handling
289	// crashes. In practice, the first crashed thread to reach the end of the
290	// StaticCrashHandler will end the process.
291	while (true) {
292	zx_wait_item_t WaitItems[] = {
293	{
294	.handle = SignalHandlerEvent,
295	.waitfor = ZX_USER_SIGNAL_1,
296	.pending = `0`,
297	},
298	{
299	.handle = Channel.Handle,
300	.waitfor = ZX_CHANNEL_READABLE \| ZX_CHANNEL_PEER_CLOSED,
301	.pending = `0`,
302	},
303	};
304	auto Status = _zx_object_wait_many(
305	WaitItems, sizeof(WaitItems) / sizeof(WaitItems[`0`]), ZX_TIME_INFINITE);
306	if (Status != ZX_OK \|\| (WaitItems[`1`].pending & ZX_CHANNEL_READABLE) == `0`) {
307	break;
308	}
309
310	zx_exception_info_t ExceptionInfo;
311	ScopedHandle Exception;
312	ExitOnErr(_zx_channel_read(Channel.Handle, `0`, &ExceptionInfo,
313	&Exception.Handle, sizeof(ExceptionInfo), `1`,
314	nullptr, nullptr),
315	"_zx_channel_read");
316
317	// Ignore informational synthetic exceptions.
318	if (ZX_EXCP_THREAD_STARTING == ExceptionInfo.type \|\|
319	ZX_EXCP_THREAD_EXITING == ExceptionInfo.type \|\|
320	ZX_EXCP_PROCESS_STARTING == ExceptionInfo.type) {
321	continue;
322	}
323
324	// At this point, we want to get the state of the crashing thread, but
325	// libFuzzer and the sanitizers assume this will happen from that same
326	// thread via a POSIX signal handler. "Resurrecting" the thread in the
327	// middle of the appropriate callback is as simple as forcibly setting the
328	// instruction pointer/program counter, provided we NEVER EVER return from
329	// that function (since otherwise our stack will not be valid).
330	ScopedHandle Thread;
331	ExitOnErr(_zx_exception_get_thread(Exception.Handle, &Thread.Handle),
332	"_zx_exception_get_thread");
333
334	zx_thread_state_general_regs_t GeneralRegisters;
335	ExitOnErr(_zx_thread_read_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
336	&GeneralRegisters,
337	sizeof(GeneralRegisters)),
338	"_zx_thread_read_state");
339
340	// To unwind properly, we need to push the crashing thread's register state
341	// onto the stack and jump into a trampoline with CFI instructions on how
342	// to restore it.
343	#if defined(__x86_64__)
344
345	uintptr_t StackPtr =
346	(GeneralRegisters.rsp - (`128` + sizeof(GeneralRegisters))) &
347	-(uintptr_t)`16`;
348	__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
349	sizeof(GeneralRegisters));
350	GeneralRegisters.rsp = StackPtr;
351	GeneralRegisters.rip = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
352
353	#elif defined(__aarch64__) \|\| defined(__riscv)
354
355	uintptr_t StackPtr =
356	(GeneralRegisters.sp - sizeof(GeneralRegisters)) & -(uintptr_t)`16`;
357	__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
358	sizeof(GeneralRegisters));
359	GeneralRegisters.sp = StackPtr;
360	GeneralRegisters.pc = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
361
362	#else
363	#error "Unsupported architecture for fuzzing on Fuchsia"
364	#endif
365
366	// Now force the crashing thread's state.
367	ExitOnErr(
368	_zx_thread_write_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
369	&GeneralRegisters, sizeof(GeneralRegisters)),
370	"_zx_thread_write_state");
371
372	// Set the exception to HANDLED so it resumes the thread on close.
373	uint32_t ExceptionState = ZX_EXCEPTION_STATE_HANDLED;
374	ExitOnErr(_zx_object_set_property(Exception.Handle, ZX_PROP_EXCEPTION_STATE,
375	&ExceptionState, sizeof(ExceptionState)),
376	"zx_object_set_property");
377	}
378	}
379
380	void StopSignalHandler() {
381	_zx_object_signal(SignalHandlerEvent, `0`, ZX_USER_SIGNAL_1);
382	if (SignalHandler.joinable()) {
383	SignalHandler.join();
384	}
385	_zx_handle_close(SignalHandlerEvent);
386	}
387
388	} // namespace
389
390	// Platform specific functions.
391	void SetSignalHandler(const FuzzingOptions &Options) {
392	// Make sure information from libFuzzer and the sanitizers are easy to
393	// reassemble. `__sanitizer_log_write` has the added benefit of ensuring the
394	// DSO map is always available for the symbolizer.
395	// A uint64_t fits in 20 chars, so 64 is plenty.
396	char Buf[`64`];
397	memset(Buf, `0`, sizeof(Buf));
398	snprintf(Buf, sizeof(Buf), "==%lu== INFO: libFuzzer starting.\n", GetPid());
399	if (EF->__sanitizer_log_write)
400	__sanitizer_log_write(Buf, sizeof(Buf));
401	Printf("%s", Buf);
402
403	// Set up alarm handler if needed.
404	if (Options.HandleAlrm && Options.UnitTimeoutSec > `0`) {
405	std::thread T(AlarmHandler, Options.UnitTimeoutSec / `2` + `1`);
406	T.detach();
407	}
408
409	// Options.HandleInt and Options.HandleTerm are not supported on Fuchsia
410
411	// Early exit if no crash handler needed.
412	if (!Options.HandleSegv && !Options.HandleBus && !Options.HandleIll &&
413	!Options.HandleFpe && !Options.HandleAbrt)
414	return;
415
416	// Set up the crash handler and wait until it is ready before proceeding.
417	ExitOnErr(_zx_event_create(`0`, &SignalHandlerEvent), "_zx_event_create");
418
419	SignalHandler = std::thread(CrashHandler);
420	zx_status_t Status = _zx_object_wait_one(SignalHandlerEvent, ZX_USER_SIGNAL_0,
421	ZX_TIME_INFINITE, nullptr);
422	ExitOnErr(Status, "_zx_object_wait_one");
423
424	std::atexit(StopSignalHandler);
425	}
426
427	void SleepSeconds(int Seconds) {
428	_zx_nanosleep(_zx_deadline_after(ZX_SEC(Seconds)));
429	}
430
431	unsigned long GetPid() {
432	zx_status_t rc;
433	zx_info_handle_basic_t Info;
434	if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_HANDLE_BASIC, &Info,
435	sizeof(Info), NULL, NULL)) != ZX_OK) {
436	Printf("libFuzzer: unable to get info about self: %s\n",
437	_zx_status_get_string(rc));
438	exit(`1`);
439	}
440	return Info.koid;
441	}
442
443	size_t GetPeakRSSMb() {
444	zx_status_t rc;
445	zx_info_task_stats_t Info;
446	if ((rc = _zx_object_get_info(_zx_process_self(), ZX_INFO_TASK_STATS, &Info,
447	sizeof(Info), NULL, NULL)) != ZX_OK) {
448	Printf("libFuzzer: unable to get info about self: %s\n",
449	_zx_status_get_string(rc));
450	exit(`1`);
451	}
452	return (Info.mem_private_bytes + Info.mem_shared_bytes) >> `20`;
453	}
454
455	template <typename Fn>
456	class RunOnDestruction {
457	public:
458	explicit RunOnDestruction(Fn fn) : fn_(fn) {}
459	~RunOnDestruction() { fn_(); }
460
461	private:
462	Fn fn_;
463	};
464
465	template <typename Fn>
466	RunOnDestruction<Fn> at_scope_exit(Fn fn) {
467	return RunOnDestruction<Fn>(fn);
468	}
469
470	static fdio_spawn_action_t clone_fd_action(int localFd, int targetFd) {
471	return {
472	.action = FDIO_SPAWN_ACTION_CLONE_FD,
473	.fd =
474	{
475	.local_fd = localFd,
476	.target_fd = targetFd,
477	},
478	};
479	}
480
481	int ExecuteCommand(const Command &Cmd) {
482	zx_status_t rc;
483
484	// Convert arguments to C array
485	auto Args = Cmd.getArguments();
486	size_t Argc = Args.size();
487	assert(Argc != `0`);
488	std::unique_ptr<const char []> Argv(new* const char *[Argc + `1`]);
489	for (size_t i = `0`; i < Argc; ++i)
490	Argv[i] = Args[i].c_str();
491	Argv[Argc] = nullptr;
492
493	// Determine output. On Fuchsia, the fuzzer is typically run as a component
494	// that lacks a mutable working directory. Fortunately, when this is the case
495	// a mutable output directory must be specified using "-artifact_prefix=...",
496	// so write the log file(s) there.
497	// However, we don't want to apply this logic for absolute paths.
498	int FdOut = STDOUT_FILENO;
499	bool discardStdout = false;
500	bool discardStderr = false;
501
502	if (Cmd.hasOutputFile()) {
503	std::string Path = Cmd.getOutputFile();
504	if (Path == getDevNull()) {
505	// On Fuchsia, there's no "/dev/null" like-file, so we
506	// just don't copy the FDs into the spawned process.
507	discardStdout = true;
508	} else {
509	bool IsAbsolutePath = Path.length() > `1` && Path[`0`] == `'/'`;
510	if (!IsAbsolutePath && Cmd.hasFlag("artifact_prefix"))
511	Path = Cmd.getFlagValue("artifact_prefix") + "/" + Path;
512
513	FdOut = open(Path.c_str(), O_WRONLY \| O_CREAT \| O_TRUNC, `0`);
514	if (FdOut == -`1`) {
515	Printf("libFuzzer: failed to open %s: %s\n", Path.c_str(),
516	strerror(errno));
517	return ZX_ERR_IO;
518	}
519	}
520	}
521	auto CloseFdOut = at_scope_exit([FdOut]() {
522	if (FdOut != STDOUT_FILENO)
523	close(FdOut);
524	});
525
526	// Determine stderr
527	int FdErr = STDERR_FILENO;
528	if (Cmd.isOutAndErrCombined()) {
529	FdErr = FdOut;
530	if (discardStdout)
531	discardStderr = true;
532	}
533
534	// Clone the file descriptors into the new process
535	std::vector<fdio_spawn_action_t> SpawnActions;
536	SpawnActions.push_back(clone_fd_action(STDIN_FILENO, STDIN_FILENO));
537
538	if (!discardStdout)
539	SpawnActions.push_back(clone_fd_action(FdOut, STDOUT_FILENO));
540	if (!discardStderr)
541	SpawnActions.push_back(clone_fd_action(FdErr, STDERR_FILENO));
542
543	// Start the process.
544	char ErrorMsg[FDIO_SPAWN_ERR_MSG_MAX_LENGTH];
545	zx_handle_t ProcessHandle = ZX_HANDLE_INVALID;
546	rc = fdio_spawn_etc(ZX_HANDLE_INVALID,
547	FDIO_SPAWN_CLONE_ALL & (~FDIO_SPAWN_CLONE_STDIO), Argv[`0`],
548	Argv.get(), nullptr, SpawnActions.size(),
549	SpawnActions.data(), &ProcessHandle, ErrorMsg);
550
551	if (rc != ZX_OK) {
552	Printf("libFuzzer: failed to launch '%s': %s, %s\n", Argv[`0`], ErrorMsg,
553	_zx_status_get_string(rc));
554	return rc;
555	}
556	auto CloseHandle = at_scope_exit([&]() { _zx_handle_close(ProcessHandle); });
557
558	// Now join the process and return the exit status.
559	if ((rc = _zx_object_wait_one(ProcessHandle, ZX_PROCESS_TERMINATED,
560	ZX_TIME_INFINITE, nullptr)) != ZX_OK) {
561	Printf("libFuzzer: failed to join '%s': %s\n", Argv[`0`],
562	_zx_status_get_string(rc));
563	return rc;
564	}
565
566	zx_info_process_t Info;
567	if ((rc = _zx_object_get_info(ProcessHandle, ZX_INFO_PROCESS, &Info,
568	sizeof(Info), nullptr, nullptr)) != ZX_OK) {
569	Printf("libFuzzer: unable to get return code from '%s': %s\n", Argv[`0`],
570	_zx_status_get_string(rc));
571	return rc;
572	}
573
574	return static_cast<int>(Info.return_code);
575	}
576
577	bool ExecuteCommand(const Command &BaseCmd, std::string *CmdOutput) {
578	auto LogFilePath = TempPath("SimPopenOut", ".txt");
579	Command Cmd(BaseCmd);
580	Cmd.setOutputFile(LogFilePath);
581	int Ret = ExecuteCommand(Cmd);
582	*CmdOutput = FileToString(LogFilePath);
583	RemoveFile(LogFilePath);
584	return Ret == `0`;
585	}
586
587	const void SearchMemory(const* void Data, size_t DataLen, const* void *Patt,
588	size_t PattLen) {
589	return memmem(Data, DataLen, Patt, PattLen);
590	}
591
592	// In fuchsia, accessing /dev/null is not supported. There's nothing
593	// similar to a file that discards everything that is written to it.
594	// The way of doing something similar in fuchsia is by using
595	// fdio_null_create and binding that to a file descriptor.
596	void DiscardOutput(int Fd) {
597	fdio_t *fdio_null = fdio_null_create();
598	if (fdio_null == nullptr) return;
599	int nullfd = fdio_bind_to_fd(fdio_null, -`1`, `0`);
600	if (nullfd < `0`) return;
601	dup2(nullfd, Fd);
602	}
603
604	size_t PageSize() {
605	static size_t PageSizeCached = _zx_system_get_page_size();
606	return PageSizeCached;
607	}
608
609	void SetThreadName(std::thread &thread, const std::string &name) {
610	// TODO ?
611	}
612
613	} // namespace fuzzer
614
615	#endif // LIBFUZZER_FUCHSIA
616

source code of compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp