[llvm] r280046 - [libFuzzer] use trace-div and trace-gep for guided fuzzing, add tests

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Mon Aug 29 18:30:14 PDT 2016


Author: kcc
Date: Mon Aug 29 20:30:14 2016
New Revision: 280046

URL: http://llvm.org/viewvc/llvm-project?rev=280046&view=rev
Log:
[libFuzzer] use trace-div and trace-gep for guided fuzzing, add tests

Added:
    llvm/trunk/lib/Fuzzer/test/DivTest.cpp
    llvm/trunk/lib/Fuzzer/test/LoadTest.cpp
Modified:
    llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
    llvm/trunk/lib/Fuzzer/test/CMakeLists.txt

Modified: llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp?rev=280046&r1=280045&r2=280046&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp Mon Aug 29 20:30:14 2016
@@ -584,6 +584,14 @@ static void AddValueForCmp(void *PCptr,
   VP.AddValue(Idx);
 }
 
+static void AddValueForSingleVal(void *PCptr, uintptr_t Val) {
+  if (!Val) return;
+  uintptr_t PC = reinterpret_cast<uintptr_t>(PCptr);
+  uint64_t ArgDistance = __builtin_popcountl(Val) - 1; // [0,63]
+  uintptr_t Idx = (PC & 4095) | (ArgDistance << 12);
+  VP.AddValue(Idx);
+}
+
 }  // namespace fuzzer
 
 using fuzzer::TS;
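Review bot: AddValueForSingleVal carries no comment saying what its bucket encodes, and the trailing `// [0,63]` is only true because the zero case has already returned on the line above and only where uintptr_t is 64 bits wide; on a 32-bit target __builtin_popcountl of a uintptr_t is at most 32, so the range there is [0,31], and if any supported target has `unsigned long` narrower than uintptr_t the high bits of Val would be dropped before counting (I have not checked whether such a target is in scope). I would add a header comment above the function along the lines of `// Coverage feedback for a single operand (the div divisor or the gep index): key on the low 12 bits of the call-site PC and on popcount(Val)-1, so an input that changes how many bits are set in the operand counts as new coverage; Val == 0 yields no feedback.` and replace the trailing comment with `// popcount(Val) >= 1 after the zero check, so [0, bits(uintptr_t)-1]`. The same encoding scheme as AddValueForCmp appears to be reused here (its body is outside this hunk), which is worth saying in the comment so the two stay in step.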
@@ -780,4 +788,17 @@ void __sanitizer_cov_trace_switch(uint64
   TS->TraceSwitchCallback(PC, Cases[1], Val, Cases[0], Cases + 2);
 }
 
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_div4(uint32_t Val) {
+  fuzzer::AddValueForSingleVal(__builtin_return_address(0), Val);
+}
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_div8(uint64_t Val) {
+  fuzzer::AddValueForSingleVal(__builtin_return_address(0), Val);
+}
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_gep(uintptr_t Idx) {
+  fuzzer::AddValueForSingleVal(__builtin_return_address(0), Idx);
+}
+
 }  // extern "C"
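Review bot: The three exported hooks document neither what their argument is nor why a zero operand is dropped, and as externally visible C ABI entry points called by compiler-emitted code that contract is the thing a maintainer needs. As I understand the trace-div and trace-gep instrumentation, the compiler passes the divisor (second operand of the division) to __sanitizer_cov_trace_div4/div8 and the index operand to __sanitizer_cov_trace_gep; I would put one comment above the group: `// Called by -fsanitize-coverage=trace-div/trace-gep code: Val is the divisor of an integer division, Idx the index of a GEP. The callee ignores zero, so a zero divisor produces no feedback here and is left to the crash detector.` The uint32_t divisor in div4 is widened to uintptr_t before bucketing, which is fine, but it means div4 and div8 share buckets per call site, which the comment could also state.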

Modified: llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/CMakeLists.txt?rev=280046&r1=280045&r2=280046&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/CMakeLists.txt Mon Aug 29 20:30:14 2016
@@ -25,7 +25,7 @@ foreach (VARNAME ${variables_to_filter})
 endforeach()
 
 # Enable the coverage instrumentation (it is disabled for the Fuzzer lib).
-set(CMAKE_CXX_FLAGS "${LIBFUZZER_FLAGS_BASE} -fsanitize-coverage=edge,indirect-calls -g")
+set(CMAKE_CXX_FLAGS "${LIBFUZZER_FLAGS_BASE} -fsanitize-coverage=edge,indirect-calls,trace-cmp,trace-div,trace-gep -g")
 
 # add_libfuzzer_test(<name>
 #   SOURCES source0.cpp [source1.cpp ...]
@@ -68,6 +68,7 @@ set(Tests
   CounterTest
   CustomCrossOverTest
   CustomMutatorTest
+  DivTest
   EmptyTest
   FourIndependentBranchesTest
   FullCoverageSetTest
@@ -75,6 +76,7 @@ set(Tests
   MemcmpTest
   LeakTest
   LeakTimeoutTest
+  LoadTest
   NullDerefTest
   NullDerefOnEmptyTest
   NthRunCrashTest

Added: llvm/trunk/lib/Fuzzer/test/DivTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/DivTest.cpp?rev=280046&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/DivTest.cpp (added)
+++ llvm/trunk/lib/Fuzzer/test/DivTest.cpp Mon Aug 29 20:30:14 2016
@@ -0,0 +1,20 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Simple test for a fuzzer: find the interesting argument for div.
+#include <assert.h>
+#include <cstdint>
+#include <cstring>
+#include <cstddef>
+#include <iostream>
+
+static volatile int Sink;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size < 4) return 0;
+  int a;
+  memcpy(&a, Data, 4);
+  Sink = 12345678 / (987654 - a);
+  return 0;
+}
+
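Review bot: `987654 - a` in the Sink assignment is signed int arithmetic, so an input with a near INT_MIN overflows, which is undefined behaviour rather than the divide-by-zero this test exists to find; with ASan alone that overflow is silent, but under a UBSan build the test can report a different bug than the one intended. Unsigned 32-bit arithmetic keeps the same trace-div4 instrumentation and the same trap when the divisor is zero: `uint32_t a;`, `memcpy(&a, Data, sizeof(a));`, `Sink = 12345678u / (987654u - a);`. The intended crash also deserves a comment so the test's expectation is explicit, e.g. `// a == 987654 makes the divisor zero; that is the crash the fuzzer should find.` The `<assert.h>` and `<iostream>` includes are unused and could be dropped.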

Added: llvm/trunk/lib/Fuzzer/test/LoadTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/LoadTest.cpp?rev=280046&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/LoadTest.cpp (added)
+++ llvm/trunk/lib/Fuzzer/test/LoadTest.cpp Mon Aug 29 20:30:14 2016
@@ -0,0 +1,22 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Simple test for a fuzzer: find interesting value of array index.
+#include <assert.h>
+#include <cstdint>
+#include <cstring>
+#include <cstddef>
+#include <iostream>
+
+static volatile int Sink;
+const int kArraySize = 1234567;
+int array[kArraySize];
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size < 8) return 0;
+  size_t a = 0;
+  memcpy(&a, Data, 8);
+  Sink = array[a % (kArraySize + 1)];
+  return 0;
+}
+
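Review bot: `memcpy(&a, Data, 8)` copies 8 bytes into `size_t a`, which is 4 bytes on a 32-bit target, so on such a target the harness overflows its own stack variable before it reaches the bug it is meant to find; tie the copy to the type with `if (Size < sizeof(a)) return 0;` and `memcpy(&a, Data, sizeof(a));`, or declare `a` as `uint64_t` if an 8-byte read is wanted everywhere. The expected bug is worth stating, since `a % (kArraySize + 1)` yields kArraySize for one residue and that index is one past the end of `array`: `// Index kArraySize is one past the end: the out-of-bounds read the fuzzer should find.` The unused `<assert.h>` and `<iostream>` includes could be removed as in DivTest.cpp.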



