[llvm] r281568 - [libFuzzer] add 8-bit counters to trace-pc-guard handler
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Wed Sep 14 18:30:19 PDT 2016
Author: kcc
Date: Wed Sep 14 20:30:18 2016
New Revision: 281568
URL: http://llvm.org/viewvc/llvm-project?rev=281568&view=rev
Log:
[libFuzzer] add 8-bit counters to trace-pc-guard handler
Modified:
llvm/trunk/lib/Fuzzer/FuzzerInternal.h
llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
llvm/trunk/lib/Fuzzer/test/fuzzer.test
llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt
Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=281568&r1=281567&r2=281568&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Wed Sep 14 20:30:18 2016
@@ -360,9 +360,18 @@ class TracePC {
public:
void HandleTrace(uint8_t *guard, uintptr_t PC);
void HandleInit(uint8_t *start, uint8_t *stop);
- size_t GetTotalCoverage();
- private:
+ size_t GetTotalCoverage() { return TotalCoverage; }
+ void SetUseCounters(bool UC) { UseCounters = UC; }
+ size_t UpdateCounterMap(ValueBitMap *Map);
+ void FinalizeTrace();
+
+private:
+ bool UseCounters = false;
size_t TotalCoverage = 0;
+ size_t TotalCounterBits = 0;
+
+ uint8_t *Start, *Stop;
+ ValueBitMap CounterMap;
};
extern TracePC TPC;
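Review bot: `uint8_t *Start, *Stop;` are the only members added here without an initializer, and the class gives no hint of when they become valid. Elsewhere in this commit FinalizeTrace() walks `[Start, Stop)` and HandleInit() is the only writer, so the pointers are meaningful only after the guard-init callback has run; until then the global `TPC` presumably relies on static zero-initialisation. A comment on the declaration such as `// Guard range [Start, Stop); set by HandleInit(), not valid before it runs.` would record that. The class body starts before this hunk.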
@@ -380,6 +389,7 @@ public:
CounterBitmapBits = 0;
CounterBitmap.clear();
VPMap.Reset();
+ TPCMap.Reset();
VPMapBits = 0;
}
@@ -390,6 +400,7 @@ public:
// Precalculated number of bits in CounterBitmap.
size_t CounterBitmapBits;
std::vector<uint8_t> CounterBitmap;
+ ValueBitMap TPCMap;
ValueBitMap VPMap;
size_t VPMapBits;
};
Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=281568&r1=281567&r2=281568&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Wed Sep 14 20:30:18 2016
@@ -77,6 +77,8 @@ void Fuzzer::PrepareCounters(Fuzzer::Cov
bool Fuzzer::RecordMaxCoverage(Fuzzer::Coverage *C) {
bool Res = false;
+ TPC.FinalizeTrace();
+
uint64_t NewBlockCoverage =
EF->__sanitizer_get_total_unique_coverage() + TPC.GetTotalCoverage();
if (NewBlockCoverage > C->BlockCoverage) {
@@ -97,11 +99,13 @@ bool Fuzzer::RecordMaxCoverage(Fuzzer::C
if (Options.UseCounters) {
uint64_t CounterDelta =
EF->__sanitizer_update_counter_bitset_and_clear_counters(
- C->CounterBitmap.data());
+ C->CounterBitmap.data()) +
+ TPC.UpdateCounterMap(&C->TPCMap);
if (CounterDelta > 0) {
Res = true;
C->CounterBitmapBits += CounterDelta;
}
+
}
size_t NewVPMapBits = VPMapMergeFromCurrent(C->VPMap);
@@ -158,6 +162,7 @@ Fuzzer::Fuzzer(UserCallback CB, Mutation
IsMyThread = true;
if (Options.DetectLeaks && EF->__sanitizer_install_malloc_and_free_hooks)
EF->__sanitizer_install_malloc_and_free_hooks(MallocHook, FreeHook);
+ TPC.SetUseCounters(Options.UseCounters);
if (Options.PrintNewCovPcs) {
PcBufferLen = 1 << 24;
Modified: llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp?rev=281568&r1=281567&r2=281568&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp Wed Sep 14 20:30:18 2016
@@ -18,25 +18,60 @@ namespace fuzzer {
TracePC TPC;
-void TracePC::HandleTrace(uint8_t *guard, uintptr_t PC) {
- *guard = 0xff;
- TotalCoverage++;
+void TracePC::HandleTrace(uint8_t *Guard, uintptr_t PC) {
+ if (UseCounters) {
+ uintptr_t GV = *Guard;
+ if (GV == 0)
+ TotalCoverage++;
+ if (GV < 255)
+ GV++;
+ *Guard = GV;
+ } else {
+ *Guard = 0xff;
+ TotalCoverage++;
+ }
}
-void TracePC::HandleInit(uint8_t *start, uint8_t *stop) {
- Printf("INFO: guards: [%p,%p)\n", start, stop);
+
+void TracePC::HandleInit(uint8_t *Start, uint8_t *Stop) {
+ // TODO: this handles only one DSO/binary.
+ this->Start = Start;
+ this->Stop = Stop;
+}
+
+void TracePC::FinalizeTrace() {
+ if (UseCounters && TotalCoverage) {
+ for (uint8_t *X = Start; X < Stop; X++) {
+ uint8_t Value = *X;
+ size_t Idx = X - Start;
+ if (Value >= 2) {
+ unsigned Bit = 31 - __builtin_clz(Value);
+ assert(Bit < 8);
+ CounterMap.AddValue(Idx * 8 + Bit);
+ }
+ *X = 1;
+ }
+ }
+}
+
+size_t TracePC::UpdateCounterMap(ValueBitMap *Map) {
+ if (!TotalCoverage) return 0;
+ size_t NewTotalCounterBits = Map->MergeFrom(CounterMap);
+ size_t Delta = NewTotalCounterBits - TotalCounterBits;
+ TotalCounterBits = NewTotalCounterBits;
+ return Delta;
}
-size_t TracePC::GetTotalCoverage() { return TotalCoverage; }
} // namespace fuzzer
extern "C" {
__attribute__((visibility("default")))
-void __sanitizer_cov_trace_pc_guard(uint8_t *guard) {
+void __sanitizer_cov_trace_pc_guard(uint8_t *Guard) {
uintptr_t PC = (uintptr_t)__builtin_return_address(0);
- fuzzer::TPC.HandleTrace(guard, PC);
+ fuzzer::TPC.HandleTrace(Guard, PC);
}
__attribute__((visibility("default")))
-void __sanitizer_cov_trace_pc_guard_init(uint8_t *start, uint8_t *stop) {
+void __sanitizer_cov_trace_pc_guard_init(uint8_t *Start, uint8_t *Stop) {
+ fuzzer::TPC.HandleInit(Start, Stop);
}
}
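Review bot: In UpdateCounterMap() the subtraction `NewTotalCounterBits - TotalCounterBits` is unsigned and compares the bit count of the caller's `Map` against a total cached in the global `TPC`, so it wraps to a huge `Delta` whenever the map passed in holds fewer bits than the last one seen. That looks reachable, assuming MergeFrom() returns the merged map's total as the variable name suggests: Coverage::Reset() in FuzzerInternal.h clears `TPCMap` but nothing clears `TotalCounterBits`, and RecordMaxCoverage() adds the result straight into `CounterBitmapBits`. Keeping the previous total next to the map it describes would avoid this; at minimum guard the subtraction, e.g. `size_t Delta = NewTotalCounterBits > TotalCounterBits ? NewTotalCounterBits - TotalCounterBits : 0;`. Separately, the read-modify-write of `*Guard` in HandleTrace() is not atomic, so counts can be lost if the target runs instrumented code on several threads.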
Modified: llvm/trunk/lib/Fuzzer/test/fuzzer.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer.test?rev=281568&r1=281567&r2=281568&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer.test Wed Sep 14 20:30:18 2016
@@ -24,7 +24,13 @@ NULL_DEREF_ON_EMPTY: stat::number_of_exe
#not LLVMFuzzer-FullCoverageSetTest -timeout=15 -seed=1 -mutate_depth=2 -use_full_coverage_set=1 2>&1 | FileCheck %s
-RUN: not LLVMFuzzer-CounterTest -use_counters=1 -max_len=6 -seed=1 -timeout=15 2>&1 | FileCheck %s
+RUN: not LLVMFuzzer-CounterTest -use_counters=1 -max_len=6 -seed=1 -timeout=15 2>&1 | FileCheck %s --check-prefix=COUNTERS
+RUN: not LLVMFuzzer-CounterTest-TracePC -use_counters=1 -max_len=6 -seed=1 -timeout=15 2>&1 | FileCheck %s --check-prefix=COUNTERS
+
+COUNTERS: INITED {{.*}} bits:
+COUNTERS: NEW {{.*}} bits: {{[1-9]*}}
+COUNTERS: NEW {{.*}} bits: {{[1-9]*}}
+COUNTERS: BINGO
RUN: not LLVMFuzzer-CallerCalleeTest -cross_over=0 -max_len=6 -seed=1 -timeout=15 2>&1 | FileCheck %s
# This one is flaky, may actually find the goal even w/o use_indir_calls.
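Review bot: The pattern `{{[1-9]*}}` on the two `COUNTERS: NEW` lines also matches the empty string, so these checks pass even when no number follows `bits:`, and they do not show that the trace-pc-guard counters produced any bits. `COUNTERS: NEW {{.*}} bits: {{[1-9][0-9]*}}` would require a non-zero number. The same prefix is used by the existing CounterTest run, so tightening it covers both binaries.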
Modified: llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt?rev=281568&r1=281567&r2=281568&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt Wed Sep 14 20:30:18 2016
@@ -5,6 +5,7 @@ set(CMAKE_CXX_FLAGS
set(TracePCTests
SimpleTest
+ CounterTest
)
foreach(Test ${TracePCTests})