<div dir="ltr">No.  :( <div>I want to avoid introducing new STL into this code since STL causes parasitic coverage in the process. </div><div>(libFuzzer's code is not instrumented for coverage, but the STL code it uses *is* instrumented). </div><div>In fact, I will probably be removing some of the STL... </div><div><br></div><div>--kcc</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 10, 2016 at 11:30 AM, David Blaikie <span dir="ltr"><<a href="mailto:dblaikie@gmail.com" target="_blank">dblaikie@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Any chance of using unique_ptr here?</div><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote"><div dir="ltr">On Sat, Oct 8, 2016 at 3:06 PM Kostya Serebryany via llvm-commits <<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: kcc<br class="m_7515235880740491864gmail_msg">
Date: Sat Oct  8 16:57:48 2016<br class="m_7515235880740491864gmail_msg">
New Revision: 283675<br class="m_7515235880740491864gmail_msg">
<br class="m_7515235880740491864gmail_msg">
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=283675&view=rev" rel="noreferrer" class="m_7515235880740491864gmail_msg" target="_blank">http://llvm.org/viewvc/llvm-<wbr>project?rev=283675&view=rev</a><br class="m_7515235880740491864gmail_msg">
Log:<br class="m_7515235880740491864gmail_msg">
[libFuzzer] fix use-after-free in libFuzzer found by ... fuzzing.<br class="m_7515235880740491864gmail_msg">
<br class="m_7515235880740491864gmail_msg">
Modified:<br class="m_7515235880740491864gmail_msg">
    llvm/trunk/lib/Fuzzer/<wbr>FuzzerCorpus.h<br class="m_7515235880740491864gmail_msg">
<br class="m_7515235880740491864gmail_msg">
Modified: llvm/trunk/lib/Fuzzer/<wbr>FuzzerCorpus.h<br class="m_7515235880740491864gmail_msg">
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerCorpus.h?rev=283675&r1=283674&r2=283675&view=diff" rel="noreferrer" class="m_7515235880740491864gmail_msg" target="_blank">http://llvm.org/viewvc/llvm-<wbr>project/llvm/trunk/lib/Fuzzer/<wbr>FuzzerCorpus.h?rev=283675&r1=<wbr>283674&r2=283675&view=diff</a><br class="m_7515235880740491864gmail_msg">
==============================<wbr>==============================<wbr>==================<br class="m_7515235880740491864gmail_msg">
--- llvm/trunk/lib/Fuzzer/<wbr>FuzzerCorpus.h (original)<br class="m_7515235880740491864gmail_msg">
+++ llvm/trunk/lib/Fuzzer/<wbr>FuzzerCorpus.h Sat Oct  8 16:57:48 2016<br class="m_7515235880740491864gmail_msg">
@@ -36,25 +36,28 @@ class InputCorpus {<br class="m_7515235880740491864gmail_msg">
  public:<br class="m_7515235880740491864gmail_msg">
   static const size_t kFeatureSetSize = 1 << 16;<br class="m_7515235880740491864gmail_msg">
   InputCorpus() {<br class="m_7515235880740491864gmail_msg">
-    Inputs.reserve(1 << 14);  // Avoid too many resizes.<br class="m_7515235880740491864gmail_msg">
     memset(InputSizesPerFeature, 0, sizeof(InputSizesPerFeature));<br class="m_7515235880740491864gmail_msg">
     memset(<wbr>SmallestElementPerFeature, 0, sizeof(<wbr>SmallestElementPerFeature));<br class="m_7515235880740491864gmail_msg">
   }<br class="m_7515235880740491864gmail_msg">
+  ~InputCorpus() {<br class="m_7515235880740491864gmail_msg">
+    for (auto II : Inputs)<br class="m_7515235880740491864gmail_msg">
+      delete II;<br class="m_7515235880740491864gmail_msg">
+  }<br class="m_7515235880740491864gmail_msg">
   size_t size() const { return Inputs.size(); }<br class="m_7515235880740491864gmail_msg">
   size_t SizeInBytes() const {<br class="m_7515235880740491864gmail_msg">
     size_t Res = 0;<br class="m_7515235880740491864gmail_msg">
-    for (auto &II : Inputs)<br class="m_7515235880740491864gmail_msg">
-      Res += II.U.size();<br class="m_7515235880740491864gmail_msg">
+    for (auto II : Inputs)<br class="m_7515235880740491864gmail_msg">
+      Res += II->U.size();<br class="m_7515235880740491864gmail_msg">
     return Res;<br class="m_7515235880740491864gmail_msg">
   }<br class="m_7515235880740491864gmail_msg">
   size_t NumActiveUnits() const {<br class="m_7515235880740491864gmail_msg">
     size_t Res = 0;<br class="m_7515235880740491864gmail_msg">
-    for (auto &II : Inputs)<br class="m_7515235880740491864gmail_msg">
-      Res += !II.U.empty();<br class="m_7515235880740491864gmail_msg">
+    for (auto II : Inputs)<br class="m_7515235880740491864gmail_msg">
+      Res += !II->U.empty();<br class="m_7515235880740491864gmail_msg">
     return Res;<br class="m_7515235880740491864gmail_msg">
   }<br class="m_7515235880740491864gmail_msg">
   bool empty() const { return Inputs.empty(); }<br class="m_7515235880740491864gmail_msg">
-  const Unit &operator[] (size_t Idx) const { return Inputs[Idx].U; }<br class="m_7515235880740491864gmail_msg">
+  const Unit &operator[] (size_t Idx) const { return Inputs[Idx]->U; }<br class="m_7515235880740491864gmail_msg">
   void AddToCorpus(const Unit &U, size_t NumFeatures) {<br class="m_7515235880740491864gmail_msg">
     assert(!U.empty());<br class="m_7515235880740491864gmail_msg">
     uint8_t Hash[kSHA1NumBytes];<br class="m_7515235880740491864gmail_msg">
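Review bot: With `~InputCorpus()` now deleting every element of `Inputs`, the class owns raw pointers, but the hunk leaves the implicitly generated copy constructor and copy assignment in place; copying an InputCorpus, even accidentally by value, would leave two objects deleting the same InputInfo and double-free on destruction. Unless those special members are already deleted in a part of the class outside this hunk, add `InputCorpus(const InputCorpus &) = delete;` and `InputCorpus &operator=(const InputCorpus &) = delete;` next to the new destructor. That keeps ownership explicit without pulling in unique_ptr, which the author wants to avoid for coverage reasons. The class body continues past the end of the hunk.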
@@ -62,8 +65,8 @@ class InputCorpus {<br class="m_7515235880740491864gmail_msg">
       Printf("ADD_TO_CORPUS %zd NF %zd\n", Inputs.size(), NumFeatures);<br class="m_7515235880740491864gmail_msg">
     ComputeSHA1(U.data(), U.size(), Hash);<br class="m_7515235880740491864gmail_msg">
     Hashes.insert(Sha1ToString(<wbr>Hash));<br class="m_7515235880740491864gmail_msg">
-    Inputs.push_back(InputInfo());<br class="m_7515235880740491864gmail_msg">
-    InputInfo &II = Inputs.back();<br class="m_7515235880740491864gmail_msg">
+    Inputs.push_back(new InputInfo());<br class="m_7515235880740491864gmail_msg">
+    InputInfo &II = *Inputs.back();<br class="m_7515235880740491864gmail_msg">
     II.U = U;<br class="m_7515235880740491864gmail_msg">
     II.NumFeatures = NumFeatures;<br class="m_7515235880740491864gmail_msg">
     memcpy(II.Sha1, Hash, kSHA1NumBytes);<br class="m_7515235880740491864gmail_msg">
@@ -71,14 +74,10 @@ class InputCorpus {<br class="m_7515235880740491864gmail_msg">
     ValidateFeatureSet();<br class="m_7515235880740491864gmail_msg">
   }<br class="m_7515235880740491864gmail_msg">
<br class="m_7515235880740491864gmail_msg">
-  typedef const std::vector<InputInfo>::const_<wbr>iterator ConstIter;<br class="m_7515235880740491864gmail_msg">
-  ConstIter begin() const { return Inputs.begin(); }<br class="m_7515235880740491864gmail_msg">
-  ConstIter end() const { return Inputs.end(); }<br class="m_7515235880740491864gmail_msg">
-<br class="m_7515235880740491864gmail_msg">
   bool HasUnit(const Unit &U) { return Hashes.count(Hash(U)); }<br class="m_7515235880740491864gmail_msg">
   bool HasUnit(const std::string &H) { return Hashes.count(H); }<br class="m_7515235880740491864gmail_msg">
   InputInfo &ChooseUnitToMutate(Random &Rand) {<br class="m_7515235880740491864gmail_msg">
-    InputInfo &II = Inputs[ChooseUnitIdxToMutate(<wbr>Rand)];<br class="m_7515235880740491864gmail_msg">
+    InputInfo &II = *Inputs[ChooseUnitIdxToMutate(<wbr>Rand)];<br class="m_7515235880740491864gmail_msg">
     assert(!II.U.empty());<br class="m_7515235880740491864gmail_msg">
     return II;<br class="m_7515235880740491864gmail_msg">
   };<br class="m_7515235880740491864gmail_msg">
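Review bot: `ChooseUnitToMutate` returns an `InputInfo &` whose lifetime is the whole point of this commit — the objects are now heap-allocated, so the reference presumably survives later `AddToCorpus` calls that grow `Inputs`, which is what the log's use-after-free suggests — but nothing in the code states that contract, and a later change back to by-value storage would silently reintroduce the bug. Add a comment above the function such as `// The returned reference stays valid until the corpus is destroyed: InputInfo objects live on the heap and are not moved when Inputs grows.` The `};` closing the function on the hunk's last line is a stray empty declaration and can be just `}`.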
@@ -94,7 +93,7 @@ class InputCorpus {<br class="m_7515235880740491864gmail_msg">
<br class="m_7515235880740491864gmail_msg">
   void PrintStats() {<br class="m_7515235880740491864gmail_msg">
     for (size_t i = 0; i < Inputs.size(); i++) {<br class="m_7515235880740491864gmail_msg">
-      const auto &II = Inputs[i];<br class="m_7515235880740491864gmail_msg">
+      const auto &II = *Inputs[i];<br class="m_7515235880740491864gmail_msg">
       Printf("  [%zd %s]\tsz: %zd\truns: %zd\tsucc: %zd\n", i,<br class="m_7515235880740491864gmail_msg">
              Sha1ToString(II.Sha1).c_str(), II.U.size(),<br class="m_7515235880740491864gmail_msg">
              II.NumExecutedMutations, II.NumSuccessfullMutations);<br class="m_7515235880740491864gmail_msg">
@@ -108,7 +107,7 @@ class InputCorpus {<br class="m_7515235880740491864gmail_msg">
     }<br class="m_7515235880740491864gmail_msg">
     Printf("\n\t");<br class="m_7515235880740491864gmail_msg">
     for (size_t i = 0; i < Inputs.size(); i++)<br class="m_7515235880740491864gmail_msg">
-      if (size_t N = Inputs[i].NumFeatures)<br class="m_7515235880740491864gmail_msg">
+      if (size_t N = Inputs[i]->NumFeatures)<br class="m_7515235880740491864gmail_msg">
         Printf(" %zd=>%zd ", i, N);<br class="m_7515235880740491864gmail_msg">
     Printf("\n");<br class="m_7515235880740491864gmail_msg">
   }<br class="m_7515235880740491864gmail_msg">
@@ -119,7 +118,7 @@ class InputCorpus {<br class="m_7515235880740491864gmail_msg">
     uint32_t OldSize = GetFeature(Idx);<br class="m_7515235880740491864gmail_msg">
     if (OldSize == 0 || (Shrink && OldSize > NewSize)) {<br class="m_7515235880740491864gmail_msg">
       if (OldSize > 0) {<br class="m_7515235880740491864gmail_msg">
-        InputInfo &II = Inputs[<wbr>SmallestElementPerFeature[Idx]<wbr>];<br class="m_7515235880740491864gmail_msg">
+        InputInfo &II = *Inputs[<wbr>SmallestElementPerFeature[Idx]<wbr>];<br class="m_7515235880740491864gmail_msg">
         assert(II.NumFeatures > 0);<br class="m_7515235880740491864gmail_msg">
         II.NumFeatures--;<br class="m_7515235880740491864gmail_msg">
         if (II.NumFeatures == 0) {<br class="m_7515235880740491864gmail_msg">
@@ -157,12 +156,12 @@ private:<br class="m_7515235880740491864gmail_msg">
       PrintFeatureSet();<br class="m_7515235880740491864gmail_msg">
     for (size_t Idx = 0; Idx < kFeatureSetSize; Idx++)<br class="m_7515235880740491864gmail_msg">
       if (GetFeature(Idx))<br class="m_7515235880740491864gmail_msg">
-        Inputs[<wbr>SmallestElementPerFeature[Idx]<wbr>].Tmp++;<br class="m_7515235880740491864gmail_msg">
-    for (auto &II: Inputs) {<br class="m_7515235880740491864gmail_msg">
-      if (II.Tmp != II.NumFeatures)<br class="m_7515235880740491864gmail_msg">
-        Printf("ZZZ %zd %zd\n", II.Tmp, II.NumFeatures);<br class="m_7515235880740491864gmail_msg">
-      assert(II.Tmp == II.NumFeatures);<br class="m_7515235880740491864gmail_msg">
-      II.Tmp = 0;<br class="m_7515235880740491864gmail_msg">
+        Inputs[<wbr>SmallestElementPerFeature[Idx]<wbr>]->Tmp++;<br class="m_7515235880740491864gmail_msg">
+    for (auto II: Inputs) {<br class="m_7515235880740491864gmail_msg">
+      if (II->Tmp != II->NumFeatures)<br class="m_7515235880740491864gmail_msg">
+        Printf("ZZZ %zd %zd\n", II->Tmp, II->NumFeatures);<br class="m_7515235880740491864gmail_msg">
+      assert(II->Tmp == II->NumFeatures);<br class="m_7515235880740491864gmail_msg">
+      II->Tmp = 0;<br class="m_7515235880740491864gmail_msg">
     }<br class="m_7515235880740491864gmail_msg">
   }<br class="m_7515235880740491864gmail_msg">
<br class="m_7515235880740491864gmail_msg">
@@ -175,7 +174,7 @@ private:<br class="m_7515235880740491864gmail_msg">
     std::iota(Intervals.begin(), Intervals.end(), 0);<br class="m_7515235880740491864gmail_msg">
     if (CountingFeatures)<br class="m_7515235880740491864gmail_msg">
       for (size_t i = 0; i < N; i++)<br class="m_7515235880740491864gmail_msg">
-        Weights[i] = Inputs[i].NumFeatures * (i + 1);<br class="m_7515235880740491864gmail_msg">
+        Weights[i] = Inputs[i]->NumFeatures * (i + 1);<br class="m_7515235880740491864gmail_msg">
     else<br class="m_7515235880740491864gmail_msg">
       std::iota(Weights.begin(), Weights.end(), 1);<br class="m_7515235880740491864gmail_msg">
     CorpusDistribution = std::piecewise_constant_<wbr>distribution<double>(<br class="m_7515235880740491864gmail_msg">
@@ -187,7 +186,7 @@ private:<br class="m_7515235880740491864gmail_msg">
   std::vector<double> Weights;<br class="m_7515235880740491864gmail_msg">
<br class="m_7515235880740491864gmail_msg">
   std::unordered_set<std::<wbr>string> Hashes;<br class="m_7515235880740491864gmail_msg">
-  std::vector<InputInfo> Inputs;<br class="m_7515235880740491864gmail_msg">
+  std::vector<InputInfo*> Inputs;<br class="m_7515235880740491864gmail_msg">
<br class="m_7515235880740491864gmail_msg">
   bool CountingFeatures = false;<br class="m_7515235880740491864gmail_msg">
   uint32_t InputSizesPerFeature[<wbr>kFeatureSetSize];<br class="m_7515235880740491864gmail_msg">
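Review bot: `Inputs` now holds owning raw pointers, but the declaration says neither who frees them nor why they became pointers; a reader of this header has to find the destructor to learn either. Add a comment on the declaration, e.g. `// Owning pointers, freed in ~InputCorpus. Elements are heap-allocated so that InputInfo references (e.g. from ChooseUnitToMutate) stay valid when this vector reallocates.` The private section continues outside the hunk.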
<br class="m_7515235880740491864gmail_msg">
<br class="m_7515235880740491864gmail_msg">
</blockquote></div>
</div></div></blockquote></div><br></div>