[llvm] r270905 - [libFuzzer] when there is a leak in the existing corpus report the reproducer properly
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Thu May 26 13:25:49 PDT 2016
Author: kcc
Date: Thu May 26 15:25:49 2016
New Revision: 270905
URL: http://llvm.org/viewvc/llvm-project?rev=270905&view=rev
Log:
[libFuzzer] when there is a leak in the existing corpus report the reproducer properly
Modified:
llvm/trunk/lib/Fuzzer/FuzzerInternal.h
llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
llvm/trunk/lib/Fuzzer/test/fuzzer-leak.test
Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=270905&r1=270904&r2=270905&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Thu May 26 15:25:49 2016
@@ -415,8 +415,8 @@ private:
void PrintStats(const char *Where, const char *End = "\n");
void PrintStatusForNewUnit(const Unit &U);
void ShuffleCorpus(UnitVector *V);
- void TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size);
- void CheckForMemoryLeaks();
+ void TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size,
+ bool DuringInitialCorpusExecution);
// Updates the probability distribution for the units in the corpus.
// Must be called whenever the corpus or unit weights are changed.
Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=270905&r1=270904&r2=270905&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Thu May 26 15:25:49 2016
@@ -409,13 +409,14 @@ void Fuzzer::ShuffleAndMinimize() {
if (Options.Verbosity >= 2)
Printf("NEW0: %zd L %zd\n", MaxCoverage.BlockCoverage, U.size());
}
+ TryDetectingAMemoryLeak(U.data(), U.size(),
+ /*DuringInitialCorpusExecution*/ true);
}
Corpus = NewCorpus;
UpdateCorpusDistribution();
for (auto &X : Corpus)
UnitHashesAddedToCorpus.insert(Hash(X));
PrintStats("INITED");
- CheckForMemoryLeaks();
}
bool Fuzzer::UpdateMaxCoverage() {
@@ -639,26 +640,10 @@ void Fuzzer::Merge(const std::vector<std
Printf("=== Merge: written %zd units\n", Res.size());
}
-// Tries to call lsan, and if there are leaks exits. We call this right after
-// the initial corpus was read because if there are leaky inputs in the corpus
-// further fuzzing will likely hit OOMs.
-void Fuzzer::CheckForMemoryLeaks() {
- if (!Options.DetectLeaks) return;
- if (!__lsan_do_recoverable_leak_check)
- return;
- if (__lsan_do_recoverable_leak_check()) {
- Printf("==%d== ERROR: libFuzzer: initial corpus triggers memory leaks.\n"
- "Exiting now. Use -detect_leaks=0 to disable leak detection here.\n"
- "LeakSanitizer will still check for leaks at the process exit.\n",
- GetPid());
- PrintFinalStats();
- _Exit(Options.ErrorExitCode);
- }
-}
-
// Tries detecting a memory leak on the particular input that we have just
// executed before calling this function.
-void Fuzzer::TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size) {
+void Fuzzer::TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size,
+ bool DuringInitialCorpusExecution) {
if (!HasMoreMallocsThanFrees) return; // mallocs==frees, a leak is unlikely.
if (!Options.DetectLeaks) return;
if (!&__lsan_enable || !&__lsan_disable || !__lsan_do_recoverable_leak_check)
@@ -681,6 +666,9 @@ void Fuzzer::TryDetectingAMemoryLeak(con
// Now perform the actual lsan pass. This is expensive and we must ensure
// we don't call it too often.
if (__lsan_do_recoverable_leak_check()) { // Leak is found, report it.
+ if (DuringInitialCorpusExecution)
+ Printf("\nINFO: a leak has been found in the initial corpus.\n\n");
+ Printf("INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.\n\n");
CurrentUnitData = Data;
CurrentUnitSize = Size;
DumpCurrentUnit("leak-");
@@ -715,7 +703,8 @@ void Fuzzer::MutateAndTestOne() {
StartTraceRecording();
RunOneAndUpdateCorpus(MutateInPlaceHere.data(), Size);
StopTraceRecording();
- TryDetectingAMemoryLeak(MutateInPlaceHere.data(), Size);
+ TryDetectingAMemoryLeak(MutateInPlaceHere.data(), Size,
+ /*DuringInitialCorpusExecution*/ false);
}
}
Modified: llvm/trunk/lib/Fuzzer/test/fuzzer-leak.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer-leak.test?rev=270905&r1=270904&r2=270905&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer-leak.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer-leak.test Thu May 26 15:25:49 2016
@@ -7,7 +7,7 @@ LEAK_DURING-NOT: DEATH:
RUN: not LLVMFuzzer-LeakTest -runs=0 -detect_leaks=1 %S 2>&1 | FileCheck %s --check-prefix=LEAK_IN_CORPUS
LEAK_IN_CORPUS: ERROR: LeakSanitizer: detected memory leaks
-LEAK_IN_CORPUS: ERROR: libFuzzer: initial corpus triggers memory leaks.
+LEAK_IN_CORPUS: INFO: a leak has been found in the initial corpus.
RUN: not LLVMFuzzer-LeakTest -runs=100000 -detect_leaks=0 2>&1 | FileCheck %s --check-prefix=LEAK_AFTER
More information about the llvm-commits
mailing list