[llvm] r243603 - [libFuzzer] implement memcmp hook for data-flow-guided fuzzing (w/o dfsan), extend the memcmp fuzzer test

Kostya Serebryany kcc at google.com
Wed Jul 29 18:34:59 PDT 2015 

Author: kcc
Date: Wed Jul 29 20:34:58 2015
New Revision: 243603

URL: http://llvm.org/viewvc/llvm-project?rev=243603&view=rev
Log:
[libFuzzer] implement memcmp hook for data-flow-guided fuzzing (w/o dfsan), extend the memcmp fuzzer test

Modified:
    llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
    llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
    llvm/trunk/lib/Fuzzer/test/MemcmpTest.cpp
    llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test
    llvm/trunk/lib/Fuzzer/test/fuzzer.test

Modified: llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp?rev=243603&r1=243602&r2=243603&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp Wed Jul 29 20:34:58 2015
@@ -394,6 +394,18 @@ void dfsan_weak_hook_memcmp(void *caller
   TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2);
 }
 
+void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
+                                  const void *s2, size_t n) {
+  if (!TS) return;
+  uintptr_t PC = reinterpret_cast<uintptr_t>(caller_pc);
+  uint64_t S1 = 0, S2 = 0;
+  // Simplification: handle only first 8 bytes.
+  memcpy(&S1, s1, std::min(n, sizeof(S1)));
+  memcpy(&S2, s2, std::min(n, sizeof(S2)));
+  TS->TraceCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2);
+  // fuzzer::Printf("ZZZ %p %p %zd\n", s1, s2, n);
+}
+
 void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
                                uint64_t Arg2) {
   if (!TS) return;

Modified: llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/CMakeLists.txt?rev=243603&r1=243602&r2=243603&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/CMakeLists.txt Wed Jul 29 20:34:58 2015
@@ -15,6 +15,7 @@ set(Tests
   FourIndependentBranchesTest
   FullCoverageSetTest
   InfiniteTest
+  MemcmpTest
   NullDerefTest
   SimpleCmpTest
   SimpleTest

Modified: llvm/trunk/lib/Fuzzer/test/MemcmpTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/MemcmpTest.cpp?rev=243603&r1=243602&r2=243603&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/MemcmpTest.cpp (original)
+++ llvm/trunk/lib/Fuzzer/test/MemcmpTest.cpp Wed Jul 29 20:34:58 2015
@@ -5,8 +5,13 @@
 #include <cstdlib>
 
 extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  // TODO: check other sizes.
   if (Size >= 8 && memcmp(Data, "01234567", 8) == 0) {
-    fprintf(stderr, "BINGO\n");
-    exit(1);
+    if (Size >= 12 && memcmp(Data + 8, "ABCD", 4) == 0) {
+      if (Size >= 14 && memcmp(Data + 12, "XY", 2) == 0) {
+        fprintf(stderr, "BINGO\n");
+        exit(1);
+      }
+    }
   }
 }

Modified: llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test?rev=243603&r1=243602&r2=243603&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test Wed Jul 29 20:34:58 2015
@@ -4,6 +4,6 @@ CHECK_DFSanCmpCallback: DFSanCmpCallback
 RUN: not LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=1000000 -timeout=5 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
 
-RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 2>&1 | FileCheck %s
+RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
 

Modified: llvm/trunk/lib/Fuzzer/test/fuzzer.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer.test?rev=243603&r1=243602&r2=243603&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer.test Wed Jul 29 20:34:58 2015
@@ -25,3 +25,6 @@ RUN: not LLVMFuzzer-CxxTokensTest -seed=
 
 RUN: not LLVMFuzzer-UserSuppliedFuzzerTest -seed=1 -timeout=15 2>&1 | FileCheck %s
 
+RUN: not LLVMFuzzer-MemcmpTest -use_traces=1 -seed=1 -runs=10000    2>&1 | FileCheck %s
+RUN:     LLVMFuzzer-MemcmpTest               -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000
+Done1000000: Done 1000000 runs in

More information about the llvm-commits mailing list