[llvm] r243760 - [libFuzzer] support switch interception in dfsan mode
Kostya Serebryany
kcc at google.com
Fri Jul 31 10:05:06 PDT 2015
Author: kcc
Date: Fri Jul 31 12:05:05 2015
New Revision: 243760
URL: http://llvm.org/viewvc/llvm-project?rev=243760&view=rev
Log:
[libFuzzer] support switch interception in dfsan mode
Modified:
llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp
llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test
Modified: llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp?rev=243760&r1=243759&r2=243760&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp Fri Jul 31 12:05:05 2015
@@ -214,6 +214,8 @@ class TraceState {
void DFSanCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType,
uint64_t Arg1, uint64_t Arg2, dfsan_label L1,
dfsan_label L2);
+ void DFSanSwitchCallback(uint64_t PC, size_t ValSizeInBits, uint64_t Val,
+ size_t NumCases, uint64_t *Cases, dfsan_label L);
void TraceCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType, uint64_t Arg1,
uint64_t Arg2);
@@ -297,6 +299,26 @@ void TraceState::DFSanCmpCallback(uintpt
PC, CmpSize, CmpType, Arg1, Arg2, Res, L1, L2, Mutations.size());
}
+void TraceState::DFSanSwitchCallback(uint64_t PC, size_t ValSizeInBits,
+ uint64_t Val, size_t NumCases,
+ uint64_t *Cases, dfsan_label L) {
+ assert(ReallyHaveDFSan());
+ if (!RecordingTraces) return;
+ if (!L) return; // Not actionable.
+ LabelRange LR = GetLabelRange(L);
+ size_t ValSize = ValSizeInBits / 8;
+ for (size_t Pos = LR.Beg; Pos + ValSize <= LR.End; Pos++) {
+ for (size_t i = 0; i < NumCases; i++) {
+ Mutations.push_back({Pos, ValSize, Cases[i]});
+ Mutations.push_back({Pos, ValSize, Cases[i] + 1});
+ Mutations.push_back({Pos, ValSize, Cases[i] - 1});
+ }
+ }
+ if (Options.Verbosity >= 3)
+ Printf("DFSanSwitchCallback: PC %lx Val %zd # %zd L %d\n", PC, Val,
+ NumCases, L);
+}
+
int TraceState::TryToAddDesiredData(uint64_t PresentData, uint64_t DesiredData,
size_t DataSize) {
int Res = 0;
@@ -399,6 +421,13 @@ void __dfsw___sanitizer_cov_trace_cmp(ui
TS->DFSanCmpCallback(PC, CmpSize, Type, Arg1, Arg2, L1, L2);
}
+void __dfsw___sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases,
+ dfsan_label L1, dfsan_label L2) {
+ if (!TS) return;
+ uintptr_t PC = reinterpret_cast<uintptr_t>(__builtin_return_address(0));
+ TS->DFSanSwitchCallback(PC, Cases[1], Val, Cases[0], Cases+2, L1);
+}
+
void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
size_t n, dfsan_label s1_label,
dfsan_label s2_label, dfsan_label n_label) {
@@ -445,8 +474,11 @@ void __sanitizer_weak_hook_strncmp(void
if (!TS) return;
uintptr_t PC = reinterpret_cast<uintptr_t>(caller_pc);
uint64_t S1 = 0, S2 = 0;
- n = std::min(n, fuzzer::InternalStrnlen(s1, n));
- n = std::min(n, fuzzer::InternalStrnlen(s2, n));
+ size_t Len1 = fuzzer::InternalStrnlen(s1, n);
+ size_t Len2 = fuzzer::InternalStrnlen(s2, n);
+ n = std::min(n, Len1);
+ n = std::min(n, Len2);
+ if (n <= 1) return; // Not interesting.
// Simplification: handle only first 8 bytes.
memcpy(&S1, s1, std::min(n, sizeof(S1)));
memcpy(&S2, s2, std::min(n, sizeof(S2)));
Modified: llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/CMakeLists.txt?rev=243760&r1=243759&r2=243760&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/CMakeLists.txt Fri Jul 31 12:05:05 2015
@@ -8,6 +8,7 @@ set(DFSanTests
MemcmpTest
SimpleCmpTest
StrncmpTest
+ SwitchTest
)
set(Tests
Modified: llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp?rev=243760&r1=243759&r2=243760&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp (original)
+++ llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp Fri Jul 31 12:05:05 2015
@@ -1,9 +1,9 @@
// Simple test for a fuzzer. The fuzzer must find the interesting switch value.
#include <cstdint>
#include <cstdlib>
+#include <cstdio>
#include <cstring>
#include <cstddef>
-#include <iostream>
static volatile int Sink;
@@ -28,7 +28,7 @@ bool Switch(const uint8_t *Data, size_t
extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Switch<int>(Data, Size) && Size >= 12 &&
Switch<uint64_t>(Data + 4, Size - 4)) {
- std::cout << "BINGO; Found the target, exiting\n";
+ fprintf(stderr, "BINGO; Found the target, exiting\n");
exit(1);
}
}
Modified: llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test?rev=243760&r1=243759&r2=243760&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer-dfsan.test Fri Jul 31 12:05:05 2015
@@ -1,5 +1,6 @@
CHECK: BINGO
CHECK_DFSanCmpCallback: DFSanCmpCallback: PC
+CHECK_DFSanSwitchCallback: DFSanSwitchCallback: PC
RUN: not LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=1000000 -timeout=5 2>&1 | FileCheck %s
RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback
@@ -9,3 +10,6 @@ RUN: LLVMFuzzer-MemcmpTest-DFSan -use_tr
RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5 2>&1 | FileCheck %s
RUN: LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback
+
+RUN: not LLVMFuzzer-SwitchTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5 2>&1 | FileCheck %s
+RUN: LLVMFuzzer-SwitchTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanSwitchCallback
More information about the llvm-commits
mailing list