[llvm] r260794 - [libFuzzer] provide a plain C interface for custom mutators (experimental)
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Fri Feb 12 18:29:38 PST 2016
Author: kcc
Date: Fri Feb 12 20:29:38 2016
New Revision: 260794
URL: http://llvm.org/viewvc/llvm-project?rev=260794&view=rev
Log:
[libFuzzer] provide a plain C interface for custom mutators (experimental)
Added:
llvm/trunk/lib/Fuzzer/test/CustomMutatorTest.cpp
Modified:
llvm/trunk/lib/Fuzzer/FuzzerInterface.cpp
llvm/trunk/lib/Fuzzer/FuzzerInterface.h
llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
llvm/trunk/lib/Fuzzer/test/fuzzer.test
Modified: llvm/trunk/lib/Fuzzer/FuzzerInterface.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInterface.cpp?rev=260794&r1=260793&r2=260794&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerInterface.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerInterface.cpp Fri Feb 12 20:29:38 2016
@@ -58,6 +58,10 @@ size_t Mutate(uint8_t *Data, size_t Size
return MD.Mutate(Data, Size, MaxSize);
}
-
+size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) {
+ FuzzerRandom_mt19937 R(Seed);
+ MutationDispatcher MD(R);
+ return MD.Mutate(Data, Size, MaxSize);
+}
} // namespace fuzzer.
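Review bot: The new seed-based `Mutate` overload forwards `Data`, `Size` and `MaxSize` straight to `MD.Mutate` without checking that `Size <= MaxSize`. The function is now reachable from user-written `LLVMFuzzerCustomMutator` implementations, so a caller mistake on these arguments arrives here directly. Whether `MutationDispatcher::Mutate` validates this itself is not visible in the hunk. Stating the precondition at the entry point, e.g. `assert(Size <= MaxSize && "Mutate: Size exceeds buffer capacity");`, would make misuse fail at the API boundary rather than inside a mutation routine. A short comment that each call builds a fresh generator and dispatcher from `Seed` would also explain why no state carries over between calls.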
Modified: llvm/trunk/lib/Fuzzer/FuzzerInterface.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInterface.h?rev=260794&r1=260793&r2=260794&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerInterface.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerInterface.h Fri Feb 12 20:29:38 2016
@@ -22,6 +22,22 @@
#include <vector>
#include <string>
+// Plain C interface. Should be sufficient for most uses.
+extern "C" {
+// The target function, mandatory.
+// Must return 0.
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+// The initialization function, optional.
+int LLVMFuzzerInitialize(int *argc, char ***argv);
+// Custom mutator, optional.
+// Mutates raw data in [Data, Data+Size] inplace.
+// Returns the new size, which is not greater than MaxSize.
+// Given the same Seed produces the same mutation.
+size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize,
+ unsigned int Seed);
+
+} // extern "C"
+
namespace fuzzer {
/// Returns an int 0. Values other than zero are reserved for future.
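Review bot: The contract comment on `LLVMFuzzerCustomMutator` gives the range as `[Data, Data+Size]`, a closed interval that includes one byte past the input, and it never says how many bytes the buffer actually holds. A mutator author needs both facts to stay in bounds, so I would reword it as `// Mutates the Size bytes at [Data, Data+Size) in place; the buffer has room for MaxSize bytes.` and keep the existing line about the returned size. The comment on `LLVMFuzzerInitialize` could also state what return value is expected, as the one on `LLVMFuzzerTestOneInput` does.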
@@ -93,6 +109,8 @@ class FuzzerRandom_mt19937 : public Fuzz
size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize,
FuzzerRandomBase &Rand);
+size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed);
+
class MutationDispatcher;
/** An abstract class that allows to use user-supplied mutators with libFuzzer.
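Review bot: The added `Mutate(..., unsigned int Seed)` declaration has no doc comment, although it is the function custom mutators are expected to call. Something like `/// Mutates [Data, Data+Size) in place using a generator seeded with Seed; returns the new size, at most MaxSize.` would document the determinism guarantee that the C-interface comment promises. It would also distinguish this overload from the `FuzzerRandomBase &` one declared just above.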
Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=260794&r1=260793&r2=260794&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Fri Feb 12 20:29:38 2016
@@ -35,6 +35,10 @@ __attribute__((weak)) uintptr_t
__sanitizer_update_counter_bitset_and_clear_counters(uint8_t *bitset);
__attribute__((weak)) uintptr_t
__sanitizer_get_coverage_pc_buffer(uintptr_t **data);
+
+__attribute__((weak)) size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
+ size_t MaxSize,
+ unsigned int Seed);
}
namespace fuzzer {
@@ -407,7 +411,12 @@ void Fuzzer::MutateAndTestOne() {
for (int i = 0; i < Options.MutateDepth; i++) {
size_t Size = U.size();
U.resize(Options.MaxLen);
- size_t NewSize = USF.Mutate(U.data(), Size, U.size());
+ size_t NewSize = 0;
+ if (LLVMFuzzerCustomMutator)
+ NewSize = LLVMFuzzerCustomMutator(U.data(), Size, U.size(),
+ USF.GetRand().Rand());
+ else
+ NewSize = USF.Mutate(U.data(), Size, U.size());
assert(NewSize > 0 && "Mutator returned empty unit");
assert(NewSize <= (size_t)Options.MaxLen &&
"Mutator return overisized unit");
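Review bot: The size returned by a user-supplied `LLVMFuzzerCustomMutator` is validated only by the two `assert`s that follow the call. In a build with `NDEBUG` they compile away, so a zero or oversized `NewSize` from a buggy mutator would be used unchecked by whatever follows (the rest of `MutateAndTestOne` is outside this hunk). Because the value now crosses an API boundary into external code, I would test it unconditionally on the custom-mutator path, e.g. `if (NewSize == 0 || NewSize > (size_t)Options.MaxLen)` followed by an error report and exit, and keep the asserts for the built-in mutator. Neither check can detect a mutator that wrote past `U.size()` bytes, so that limit should be spelled out in the interface comment.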
Modified: llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/CMakeLists.txt?rev=260794&r1=260793&r2=260794&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/CMakeLists.txt Fri Feb 12 20:29:38 2016
@@ -16,6 +16,7 @@ set(Tests
BufferOverflowOnInput
CallerCalleeTest
CounterTest
+ CustomMutatorTest
FourIndependentBranchesTest
FullCoverageSetTest
InitializeTest
Added: llvm/trunk/lib/Fuzzer/test/CustomMutatorTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/CustomMutatorTest.cpp?rev=260794&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/CustomMutatorTest.cpp (added)
+++ llvm/trunk/lib/Fuzzer/test/CustomMutatorTest.cpp Fri Feb 12 20:29:38 2016
@@ -0,0 +1,27 @@
+// Simple test for a cutom mutator.
+#include <assert.h>
+#include <cstdint>
+#include <cstdlib>
+#include <cstddef>
+#include <iostream>
+
+#include "FuzzerInterface.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ assert(Data);
+ if (Size > 0 && Data[0] == 'F') {
+ std::cout << "BINGO; Found the target, exiting\n";
+ exit(1);
+ }
+ return 0;
+}
+
+extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
+ size_t MaxSize, unsigned int Seed) {
+ static bool Printed;
+ if (!Printed) {
+ std::cerr << "In LLVMFuzzerCustomMutator\n";
+ Printed = true;
+ }
+ return fuzzer::Mutate(Data, Size, MaxSize, Seed);
+}
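Review bot: The header comment of the new test has a typo and does not say what the test demonstrates; `// Simple test for a custom mutator: checks that libFuzzer calls LLVMFuzzerCustomMutator when it is defined.` would cover both. A one-line comment on `static bool Printed` explaining that the message is printed once so the FileCheck output stays small would help the next reader. The test mutator simply delegates to `fuzzer::Mutate`, so it confirms the hook is invoked but not what happens when a mutator returns a bad size.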
Modified: llvm/trunk/lib/Fuzzer/test/fuzzer.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer.test?rev=260794&r1=260793&r2=260794&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer.test Fri Feb 12 20:29:38 2016
@@ -66,3 +66,7 @@ RUN: LLVMFuzzer-NthRunCrashTest %t/NthRu
RUN: LLVMFuzzer-NthRunCrashTest %t/NthRunCrashTest.in -runs=10
RUN: not LLVMFuzzer-NthRunCrashTest %t/NthRunCrashTest.in -runs=10000 2>&1 | FileCheck %s
RUN: rm %t/NthRunCrashTest.in
+
+RUN: not LLVMFuzzer-CustomMutatorTest 2>&1 | FileCheck %s --check-prefix=LLVMFuzzerCustomMutator
+LLVMFuzzerCustomMutator: In LLVMFuzzerCustomMutator
+LLVMFuzzerCustomMutator: BINGO