[llvm] r292511 - [libFuzzer] improve -minimize_crash: honor -artifact_prefix= and don't special case 2-byte inputs

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Thu Jan 19 11:38:12 PST 2017


Author: kcc
Date: Thu Jan 19 13:38:12 2017
New Revision: 292511

URL: http://llvm.org/viewvc/llvm-project?rev=292511&view=rev
Log:
[libFuzzer] improve -minimize_crash: honor -artifact_prefix= and don't special case 2-byte inputs

Added:
    llvm/trunk/lib/Fuzzer/test/SingleByteInputTest.cpp
Modified:
    llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
    llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
    llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
    llvm/trunk/lib/Fuzzer/test/minimize_crash.test

Modified: llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp?rev=292511&r1=292510&r2=292511&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp Thu Jan 19 13:38:12 2017
@@ -277,7 +277,8 @@ static bool AllInputsAreFiles() {
   return true;
 }
 
-int MinimizeCrashInput(const std::vector<std::string> &Args) {
+int MinimizeCrashInput(const std::vector<std::string> &Args,
+                       const FuzzingOptions &Options) {
   if (Inputs->size() != 1) {
     Printf("ERROR: -minimize_crash should be given one input file\n");
     exit(1);
@@ -299,10 +300,6 @@ int MinimizeCrashInput(const std::vector
   std::string CurrentFilePath = InputFilePath;
   while (true) {
     Unit U = FileToVector(CurrentFilePath);
-    if (U.size() < 2) {
-      Printf("CRASH_MIN: '%s' is small enough\n", CurrentFilePath.c_str());
-      return 0;
-    }
     Printf("CRASH_MIN: minimizing crash input: '%s' (%zd bytes)\n",
            CurrentFilePath.c_str(), U.size());
 
@@ -318,7 +315,8 @@ int MinimizeCrashInput(const std::vector
            "it further\n",
            CurrentFilePath.c_str(), U.size());
 
-    std::string ArtifactPath = "minimized-from-" + Hash(U);
+    std::string ArtifactPath =
+        Options.ArtifactPrefix + "minimized-from-" + Hash(U);
     Cmd += " -minimize_crash_internal_step=1 -exact_artifact_path=" +
         ArtifactPath;
     Printf("CRASH_MIN: executing: %s\n", Cmd.c_str());
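Review bot: `Options.ArtifactPrefix` comes from the user's `-artifact_prefix=` flag and is appended unquoted to `Cmd` via the `-exact_artifact_path=` argument, so a prefix containing a space or a shell metacharacter changes how the child command line is parsed. How `Cmd` is run is outside the hunk; the `CRASH_MIN: executing: %s` log suggests it is a single command string, and if that string reaches a shell the path should be quoted or the prefix validated before it is appended. At minimum the assumption deserves a comment above the assignment, e.g. `// ArtifactPath is pasted into a command line: assumes ArtifactPrefix has no spaces or shell metacharacters.` The enclosing loop in MinimizeCrashInput starts and ends outside the hunk.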
@@ -342,8 +340,11 @@ int MinimizeCrashInputInternalStep(Fuzze
   assert(Inputs->size() == 1);
   std::string InputFilePath = Inputs->at(0);
   Unit U = FileToVector(InputFilePath);
-  assert(U.size() > 2);
   Printf("INFO: Starting MinimizeCrashInputInternalStep: %zd\n", U.size());
+  if (U.size() < 2) {
+    Printf("INFO: The input is small enough, exiting\n");
+    exit(0);
+  }
   Corpus->AddToCorpus(U, 0);
   F->SetMaxInputLen(U.size());
   F->SetMaxMutationLen(U.size() - 1);
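Review bot: The new small-input guard is undocumented and is spelled two ways in this commit, `U.size() < 2` here and `U.size() <= 1` in Fuzzer::MinimizeCrashLoop (the FuzzerLoop.cpp hunk). Unlike the removed `assert`, it holds in release builds, which matters because `F->SetMaxMutationLen(U.size() - 1)` two lines below would get 0 for a 1-byte unit and an underflowed value for an empty one. I would add a comment such as `// 0- or 1-byte units cannot shrink; U.size() - 1 below must stay >= 1. Exit code 0 tells the parent to stop.` and use the same comparison in both files. That exit code 0 is the parent's stop signal is inferred from the MIN1 expectations in minimize_crash.test, not from this hunk. The function body continues outside the hunk.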
@@ -368,9 +369,6 @@ int FuzzerDriver(int *argc, char ***argv
     return 0;
   }
 
-  if (Flags.minimize_crash)
-    return MinimizeCrashInput(Args);
-
   if (Flags.close_fd_mask & 2)
     DupAndCloseStderr();
   if (Flags.close_fd_mask & 1)
@@ -470,6 +468,9 @@ int FuzzerDriver(int *argc, char ***argv
   Options.HandleXfsz = Flags.handle_xfsz;
   SetSignalHandler(Options);
 
+  if (Flags.minimize_crash)
+    return MinimizeCrashInput(Args, Options);
+
   if (Flags.minimize_crash_internal_step)
     return MinimizeCrashInputInternalStep(F, Corpus);
 
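Review bot: The `-minimize_crash` dispatch now has to sit after the code that fills in `Options`, and nothing at the new call site records that ordering requirement. A comment such as `// Must run after Options is populated: MinimizeCrashInput reads Options.ArtifactPrefix.` would keep a later cleanup from moving it back up to its old early-return position. The parent minimizer also now runs after the `close_fd_mask` handling shown in the previous hunk and after `SetSignalHandler(Options)`; whether that setup is intended for the parent process cannot be seen here. FuzzerDriver starts and ends outside the hunk.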

Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=292511&r1=292510&r2=292511&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Thu Jan 19 13:38:12 2017
@@ -792,7 +792,7 @@ void Fuzzer::Loop() {
 }
 
 void Fuzzer::MinimizeCrashLoop(const Unit &U) {
-  if (U.size() <= 2) return;
+  if (U.size() <= 1) return;
   while (!TimedOut() && TotalNumberOfRuns < Options.MaxNumberOfRuns) {
     MD.StartMutationSequence();
     memcpy(CurrentUnitData, U.data(), U.size());

Modified: llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/CMakeLists.txt?rev=292511&r1=292510&r2=292511&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/CMakeLists.txt Thu Jan 19 13:38:12 2017
@@ -94,6 +94,7 @@ set(Tests
   SimpleHashTest
   SimpleTest
   SimpleThreadedTest
+  SingleByteInputTest
   SingleMemcmpTest
   SingleStrcmpTest
   SingleStrncmpTest

Added: llvm/trunk/lib/Fuzzer/test/SingleByteInputTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/SingleByteInputTest.cpp?rev=292511&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/SingleByteInputTest.cpp (added)
+++ llvm/trunk/lib/Fuzzer/test/SingleByteInputTest.cpp Thu Jan 19 13:38:12 2017
@@ -0,0 +1,17 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Simple test for a fuzzer, need just one byte to crash.
+#include <cstdint>
+#include <cstdlib>
+#include <cstddef>
+#include <cstdio>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size > 0 && Data[Size/2] == 42) {
+    fprintf(stderr, "BINGO\n");
+    abort();
+  }
+  return 0;
+}
+
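Review bot: The header comment does not explain why the target indexes `Data[Size/2]` or what 42 stands for, and both matter to the minimize_crash.test case that uses this binary. 42 is ASCII `*`, and the test input `abcd*xyz` plus echo's newline is 9 bytes, so `Size/2` lands on the `*`. I would replace the comment with `// Crashes when the middle byte (Data[Size/2]) is '*' (42), so any crashing input minimizes down to the single byte "*".`, which also makes the expected `(1 bytes)` result in the test self-explanatory.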

Modified: llvm/trunk/lib/Fuzzer/test/minimize_crash.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/minimize_crash.test?rev=292511&r1=292510&r2=292511&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/minimize_crash.test (original)
+++ llvm/trunk/lib/Fuzzer/test/minimize_crash.test Thu Jan 19 13:38:12 2017
@@ -1,6 +1,12 @@
 RUN: echo 'Hi!rv349f34t3gg' > not_minimal_crash
 RUN: LLVMFuzzer-NullDerefTest -minimize_crash=1 not_minimal_crash -max_total_time=2 2>&1 | FileCheck %s
-CHECK: CRASH_MIN: failed to minimize beyond minimized-from-{{.*}} (3 bytes), exiting
+CHECK: CRASH_MIN: failed to minimize beyond ./minimized-from-{{.*}} (3 bytes), exiting
 RUN: LLVMFuzzer-NullDerefTest -minimize_crash=1 not_minimal_crash -max_total_time=2 -exact_artifact_path=exact_minimized_path 2>&1 | FileCheck %s --check-prefix=CHECK_EXACT
 CHECK_EXACT: CRASH_MIN: failed to minimize beyond exact_minimized_path (3 bytes), exiting
 RUN: rm not_minimal_crash minimized-from-* exact_minimized_path
+
+RUN: echo 'abcd*xyz' > not_minimal_crash
+RUN: LLVMFuzzer-SingleByteInputTest -minimize_crash=1 not_minimal_crash -artifact_prefix=./ZZZ- -exact_artifact_path=exact_minimized_path 2>&1 | FileCheck %s --check-prefix=MIN1
+MIN1: Test unit written to ./ZZZ-minimized-from-
+MIN1: INFO: The input is small enough, exiting
+MIN1: CRASH_MIN: failed to minimize beyond exact_minimized_path (1 bytes), exiting
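Review bot: The new MIN1 case leaves its files behind, because the existing `RUN: rm ...` line runs before it and nothing follows the MIN1 checks. It re-creates `not_minimal_crash`, and the expected output shows a unit written under `./ZZZ-minimized-from-` and a final artifact at `exact_minimized_path`. A closing `RUN: rm not_minimal_crash ZZZ-minimized-from-* exact_minimized_path` would keep stale artifacts from leaking into later runs in the same directory. The new RUN line also omits the `-max_total_time=2` bound that the two earlier invocations pass; adding it would cap the run time if minimization ever fails to converge.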



