[llvm] r243781 - [libFuzzer] make sure that 2-byte arguments of switch() are handled properly
Kostya Serebryany
kcc at google.com
Fri Jul 31 13:58:56 PDT 2015
Author: kcc
Date: Fri Jul 31 15:58:55 2015
New Revision: 243781
URL: http://llvm.org/viewvc/llvm-project?rev=243781&view=rev
Log:
[libFuzzer] make sure that 2-byte arguments of switch() are handled properly
Modified:
llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp
llvm/trunk/lib/Fuzzer/test/fuzzer.test
Modified: llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp?rev=243781&r1=243780&r2=243781&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTraceState.cpp Fri Jul 31 15:58:55 2015
@@ -233,7 +233,7 @@ class TraceState {
size_t StopTraceRecording(FuzzerRandomBase &Rand) {
RecordingTraces = false;
std::random_shuffle(Mutations.begin(), Mutations.end(), Rand);
- return Mutations.size();
+ return std::min(Mutations.size(), 128UL);
}
void ApplyTraceBasedMutation(size_t Idx, fuzzer::Unit *U);
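Review bot: The new `std::min(Mutations.size(), 128UL)` relies on `size_t` being `unsigned long`; `std::min` deduces a single `T` from both arguments, so on an LLP64 target where `size_t` is `unsigned long long` this line fails to compile. Pinning the template argument avoids that and also lets the cap be named rather than left as a bare literal: `static const size_t kMaxTraceMutations = 128;` then `return std::min<size_t>(Mutations.size(), kMaxTraceMutations);`. A one-line comment such as `// Cap the number of trace-based mutations tried per unit; the shuffle above picks which ones survive.` would explain why the size is truncated after the shuffle. StopTraceRecording is shown in full here, but the enclosing TraceState class starts and ends outside the hunk.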
@@ -307,16 +307,23 @@ void TraceState::DFSanSwitchCallback(uin
if (!L) return; // Not actionable.
LabelRange LR = GetLabelRange(L);
size_t ValSize = ValSizeInBits / 8;
- for (size_t Pos = LR.Beg; Pos + ValSize <= LR.End; Pos++) {
- for (size_t i = 0; i < NumCases; i++) {
+ bool TryShort = IsTwoByteData(Val);
+ for (size_t i = 0; i < NumCases; i++)
+ TryShort &= IsTwoByteData(Cases[i]);
+
+ for (size_t Pos = LR.Beg; Pos + ValSize <= LR.End; Pos++)
+ for (size_t i = 0; i < NumCases; i++)
Mutations.push_back({Pos, ValSize, Cases[i]});
- Mutations.push_back({Pos, ValSize, Cases[i] + 1});
- Mutations.push_back({Pos, ValSize, Cases[i] - 1});
- }
- }
+
+ if (TryShort)
+ for (size_t Pos = LR.Beg; Pos + 2 <= LR.End; Pos++)
+ for (size_t i = 0; i < NumCases; i++)
+ Mutations.push_back({Pos, 2, Cases[i]});
+
if (Options.Verbosity >= 3)
- Printf("DFSanSwitchCallback: PC %lx Val %zd # %zd L %d\n", PC, Val,
- NumCases, L);
+ Printf("DFSanSwitchCallback: PC %lx Val %zd SZ %zd # %zd L %d: {%d, %d} "
+ "TryShort %d\n",
+ PC, Val, ValSize, NumCases, L, LR.Beg, LR.End, TryShort);
}
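Review bot: When `ValSize` is already 2 (a 16-bit switch operand), the `if (TryShort)` loop pushes exactly the same `{Pos, 2, Cases[i]}` entries that the preceding loop just pushed, doubling the mutation list for that case and consuming part of the 128-entry budget with duplicates; guarding with `if (TryShort && ValSize != 2)` avoids it. The same duplication appears in the TraceSwitchCallback hunk below, where the second `TryToAddDesiredData(Val, Cases[i], 2)` call repeats the first one when `ValSize == 2` and could use the same `ValSize != 2` guard. In the new Printf, `LR.Beg` and `LR.End` are printed with `%d`; their type is not visible here, but since `Pos` (a `size_t`) is initialised from `LR.Beg`, `%zu` is likely the correct specifier — worth confirming against the LabelRange definition. DFSanSwitchCallback begins before the hunk.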
int TraceState::TryToAddDesiredData(uint64_t PresentData, uint64_t DesiredData,
@@ -365,8 +372,21 @@ void TraceState::TraceSwitchCallback(uin
uint64_t Val, size_t NumCases,
uint64_t *Cases) {
if (!RecordingTraces) return;
+ size_t ValSize = ValSizeInBits / 8;
+ bool TryShort = IsTwoByteData(Val);
for (size_t i = 0; i < NumCases; i++)
- TryToAddDesiredData(Val, Cases[i], ValSizeInBits / 8);
+ TryShort &= IsTwoByteData(Cases[i]);
+
+ if (Options.Verbosity >= 3)
+ Printf("TraceSwitch: %p %zd # %zd; TryShort %d\n", PC, Val, NumCases,
+ TryShort);
+
+ for (size_t i = 0; i < NumCases; i++) {
+ TryToAddDesiredData(Val, Cases[i], ValSize);
+ if (TryShort)
+ TryToAddDesiredData(Val, Cases[i], 2);
+ }
+
}
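Review bot: The new `Printf("TraceSwitch: %p %zd ...", PC, ...)` passes `PC` to `%p`, which requires a `void *` argument; if `PC` is the integer type the truncated signature suggests (`uin…`), this is a format mismatch that `-Wformat` flags, and it is inconsistent with the sibling DFSanSwitchCallback, which prints the same value with `%lx`. Either `Printf("TraceSwitch: %lx %zd # %zd; TryShort %d\n", PC, Val, NumCases, TryShort);` or casting with `(void *)PC` resolves it. The empty line before the closing brace at the end of the function is a leftover and clang-format would drop it. The function signature begins outside the hunk.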
static TraceState *TS;
Modified: llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp?rev=243781&r1=243780&r2=243781&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp (original)
+++ llvm/trunk/lib/Fuzzer/test/SwitchTest.cpp Fri Jul 31 15:58:55 2015
@@ -25,9 +25,28 @@ bool Switch(const uint8_t *Data, size_t
return false;
}
+bool ShortSwitch(const uint8_t *Data, size_t Size) {
+ short X;
+ if (Size < sizeof(short)) return false;
+ memcpy(&X, Data, sizeof(short));
+ switch(X) {
+ case 42: Sink = __LINE__; break;
+ case 402: Sink = __LINE__; break;
+ case 4002: Sink = __LINE__; break;
+ case 5002: Sink = __LINE__; break;
+ case 7002: Sink = __LINE__; break;
+ case 9002: Sink = __LINE__; break;
+ case 14002: Sink = __LINE__; break;
+ case 21402: return true;
+ }
+ return false;
+}
+
extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- if (Switch<int>(Data, Size) && Size >= 12 &&
- Switch<uint64_t>(Data + 4, Size - 4)) {
+ if (Size >= 4 && Switch<int>(Data, Size) &&
+ Size >= 12 && Switch<uint64_t>(Data + 4, Size - 4) &&
+ Size >= 14 && ShortSwitch(Data + 12, 2)
+ ) {
fprintf(stderr, "BINGO; Found the target, exiting\n");
exit(1);
}
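Review bot: `ShortSwitch` is added without a comment saying why a third, 16-bit variant exists next to the `Switch<T>` template, which is the point of this commit; a one-liner above it such as `// Switch on a 2-byte operand; exercises the TryShort path in TraceState.` would make the test's intent self-evident. The rewritten condition in LLVMFuzzerTestOneInput places the closing `)` on its own line, which LLVM style (and clang-format) would fold onto the previous line: `Size >= 14 && ShortSwitch(Data + 12, 2)) {`. The added `Size >= 4` guard before `Switch<int>(Data, Size)` suggests the template does not bound-check `Size` itself as `ShortSwitch` does; if it does, the guard is redundant and could go. The body of LLVMFuzzerTestOneInput continues past the end of the hunk.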
Modified: llvm/trunk/lib/Fuzzer/test/fuzzer.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer.test?rev=243781&r1=243780&r2=243781&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer.test Fri Jul 31 15:58:55 2015
@@ -32,5 +32,5 @@ Done1000000: Done 1000000 runs in
RUN: not LLVMFuzzer-StrncmpTest -use_traces=1 -seed=1 -runs=10000 2>&1 | FileCheck %s
RUN: LLVMFuzzer-StrncmpTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000
-RUN: not LLVMFuzzer-SwitchTest -use_traces=1 -seed=1 -runs=100000 2>&1 | FileCheck %s
+RUN: not LLVMFuzzer-SwitchTest -use_traces=1 -seed=1 -runs=1000000 2>&1 | FileCheck %s
RUN: LLVMFuzzer-SwitchTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000