[PATCH] D30682: [fuzzer] Don't crash if LLVMFuzzerMutate was called by CustomCrossOver

Vitaly Buka via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Tue Mar 7 12:43:02 PST 2017


vitalybuka updated this revision to Diff 90916.
vitalybuka added a comment.

Comment


https://reviews.llvm.org/D30682

Files:
  lib/Fuzzer/FuzzerCorpus.h
  lib/Fuzzer/FuzzerMutate.cpp
  lib/Fuzzer/FuzzerMutate.h


Index: lib/Fuzzer/FuzzerMutate.h
===================================================================
--- lib/Fuzzer/FuzzerMutate.h
+++ lib/Fuzzer/FuzzerMutate.h
@@ -143,6 +143,9 @@
 
   const InputCorpus *Corpus = nullptr;
   std::vector<uint8_t> MutateInPlaceHere;
+  // CustomCrossOver needs its own buffer as a custom implementation may call
+  // LLVMFuzzerMutate, which in turn may resize MutateInPlaceHere.
+  std::vector<uint8_t> CustomCrossOverInPlaceHere;
 
   std::vector<Mutator> Mutators;
   std::vector<Mutator> DefaultMutators;
Index: lib/Fuzzer/FuzzerMutate.cpp
===================================================================
--- lib/Fuzzer/FuzzerMutate.cpp
+++ lib/Fuzzer/FuzzerMutate.cpp
@@ -77,12 +77,12 @@
                                                   size_t MaxSize) {
   if (!Corpus || Corpus->size() < 2 || Size == 0)
     return 0;
-  size_t Idx = Rand(Corpus->size());
+  size_t Idx = Corpus->ChooseUnitIdxToMutate(Rand);
   const Unit &Other = (*Corpus)[Idx];
   if (Other.empty())
     return 0;
-  MutateInPlaceHere.resize(MaxSize);
-  auto &U = MutateInPlaceHere;
+  CustomCrossOverInPlaceHere.resize(MaxSize);
+  auto &U = CustomCrossOverInPlaceHere;
   size_t NewSize = EF->LLVMFuzzerCustomCrossOver(
       Data, Size, Other.data(), Other.size(), U.data(), U.size(), Rand.Rand());
   if (!NewSize)
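Review bot: The switch from `Rand(Corpus->size())` to `Corpus->ChooseUnitIdxToMutate(Rand)` on the fourth line changes which unit the custom cross-over is paired with — a uniform pick becomes the recency-weighted draw — which is a behaviour change the title ("Don't crash if LLVMFuzzerMutate was called by CustomCrossOver") does not mention and that deserves a sentence in the description or its own commit. The buffer swap carries no explanation at the call site, so a reader of this function alone cannot tell why `MutateInPlaceHere` is avoided; I would put `// Dedicated buffer: the custom callback may call LLVMFuzzerMutate, which resizes MutateInPlaceHere.` above the `resize`. The enclosing function starts and ends outside the hunk, so I cannot see whether `NewSize` is checked against `U.size()` before it is returned; if it is not, a custom implementation can report more bytes than the buffer holds, which is worth confirming since the callback is user-supplied code.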
Index: lib/Fuzzer/FuzzerCorpus.h
===================================================================
--- lib/Fuzzer/FuzzerCorpus.h
+++ lib/Fuzzer/FuzzerCorpus.h
@@ -96,7 +96,7 @@
   // Returns an index of random unit from the corpus to mutate.
   // Hypothesis: units added to the corpus last are more likely to be
   // interesting. This function gives more weight to the more recent units.
-  size_t ChooseUnitIdxToMutate(Random &Rand) {
+  size_t ChooseUnitIdxToMutate(Random &Rand) const {
     size_t Idx = static_cast<size_t>(CorpusDistribution(Rand));
     assert(Idx < Inputs.size());
     return Idx;
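Review bot: Making `ChooseUnitIdxToMutate` `const` while `CorpusDistribution` becomes `mutable` (the second hunk of this file, at the member declaration) leaves the method const only in the logical sense: it still advances the distribution's internal state and takes a non-const `Random&`, so `const` here must not be read as "safe to call concurrently", and nothing in the hunk says so. I would document that on the member rather than here: `// mutable: piecewise_constant_distribution::operator() is non-const, but drawing an index does not change the corpus's observable state; callers still need external synchronization if the corpus is shared.` The `assert` on the line above is the only bounds guard on the drawn index and is compiled out in release builds, so it relies on `Intervals`/`Weights` always being rebuilt together with `Inputs`, which happens outside this hunk. The method's closing brace is also outside the hunk.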
@@ -204,7 +204,7 @@
     CorpusDistribution = std::piecewise_constant_distribution<double>(
         Intervals.begin(), Intervals.end(), Weights.begin());
   }
-  std::piecewise_constant_distribution<double> CorpusDistribution;
+  mutable std::piecewise_constant_distribution<double> CorpusDistribution;
 
   std::vector<double> Intervals;
   std::vector<double> Weights;

