[llvm] r282458 - [libFuzzer] add -exit_on_src_pos to test libFuzzer itself, add a test script for RE2 that uses this flag
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Mon Sep 26 17:10:21 PDT 2016
Author: kcc
Date: Mon Sep 26 19:10:20 2016
New Revision: 282458
URL: http://llvm.org/viewvc/llvm-project?rev=282458&view=rev
Log:
[libFuzzer] add -exit_on_src_pos to test libFuzzer itself, add a test script for RE2 that uses this flag
Added:
llvm/trunk/lib/Fuzzer/fuzzer-test-suite/re2-2014-12-09/test.sh (with props)
Modified:
llvm/trunk/lib/Fuzzer/FuzzerDefs.h
llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
llvm/trunk/lib/Fuzzer/FuzzerFlags.def
llvm/trunk/lib/Fuzzer/FuzzerInternal.h
llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
llvm/trunk/lib/Fuzzer/FuzzerOptions.h
llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
llvm/trunk/lib/Fuzzer/FuzzerTracePC.h
llvm/trunk/lib/Fuzzer/FuzzerUtil.cpp
llvm/trunk/lib/Fuzzer/test/MinimizeCorpusTest.cpp
llvm/trunk/lib/Fuzzer/test/fuzzer.test
Modified: llvm/trunk/lib/Fuzzer/FuzzerDefs.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDefs.h?rev=282458&r1=282457&r2=282458&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerDefs.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerDefs.h Mon Sep 26 19:10:20 2016
@@ -79,6 +79,7 @@ void PrintASCII(const uint8_t *Data, siz
void PrintASCII(const Unit &U, const char *PrintAfter = "");
void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC);
+std::string DescribePC(const char *SymbolizedFMT, uintptr_t PC);
std::string Hash(const Unit &U);
void SetTimer(int Seconds);
void SetSigSegvHandler();
Modified: llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp?rev=282458&r1=282457&r2=282458&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp Mon Sep 26 19:10:20 2016
@@ -428,6 +428,8 @@ int FuzzerDriver(int *argc, char ***argv
Options.PrintCorpusStats = Flags.print_corpus_stats;
Options.PrintCoverage = Flags.print_coverage;
Options.PruneCorpus = Flags.prune_corpus;
+ if (Flags.exit_on_src_pos)
+ Options.ExitOnSrcPos = Flags.exit_on_src_pos;
unsigned Seed = Flags.seed;
// Initialize Seed.
Modified: llvm/trunk/lib/Fuzzer/FuzzerFlags.def
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerFlags.def?rev=282458&r1=282457&r2=282458&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerFlags.def (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerFlags.def Mon Sep 26 19:10:20 2016
@@ -94,6 +94,9 @@ FUZZER_FLAG_INT(rss_limit_mb, 2048, "If
"reaching this limit of RSS memory usage.")
FUZZER_FLAG_INT(prune_corpus, 1, "Prune corpus items without new coverage when "
"loading corpus.")
+FUZZER_FLAG_STRING(exit_on_src_pos, "Exit if a newly found PC originates"
+ " from the given source location. Example: -exit_on_src_pos=foo.cc:123. "
+ "Used primarily for testing libFuzzer itself.")
FUZZER_DEPRECATED_FLAG(exit_on_first)
FUZZER_DEPRECATED_FLAG(save_minimized_corpus)
Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=282458&r1=282457&r2=282458&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Mon Sep 26 19:10:20 2016
@@ -116,6 +116,7 @@ private:
void TryDetectingAMemoryLeak(const uint8_t *Data, size_t Size,
bool DuringInitialCorpusExecution);
void AddToCorpusAndMaybeRerun(const Unit &U);
+ void CheckExitOnSrcPos();
bool UpdateMaxCoverage();
Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=282458&r1=282457&r2=282458&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Mon Sep 26 19:10:20 2016
@@ -374,7 +374,24 @@ void Fuzzer::SetMaxMutationLen(size_t Ma
this->MaxMutationLen = MaxMutationLen;
}
+void Fuzzer::CheckExitOnSrcPos() {
+ if (!Options.ExitOnSrcPos.empty()) {
+ uintptr_t *PCIDs;
+ if (size_t NumNewPCIDs = TPC.GetNewPCIDs(&PCIDs)) {
+ for (size_t i = 0; i < NumNewPCIDs; i++) {
+ std::string Descr = DescribePC("%L", TPC.GetPCbyPCID(PCIDs[i]));
+ if (Descr.find(Options.ExitOnSrcPos) != std::string::npos) {
+ Printf("INFO: found line matching '%s', exiting.\n",
+ Options.ExitOnSrcPos.c_str());
+ _Exit(0);
+ }
+ }
+ }
+ }
+}
+
void Fuzzer::AddToCorpusAndMaybeRerun(const Unit &U) {
+ CheckExitOnSrcPos();
Corpus.AddToCorpus(U);
if (TPC.GetTotalPCCoverage()) {
TPC.ResetMaps();
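Review bot: `Descr.find(Options.ExitOnSrcPos)` in CheckExitOnSrcPos is a plain substring test, so `-exit_on_src_pos=foo.cc:12` also fires on a PC described as `foo.cc:123`, or on any other path that ends in the same file name. A false match then ends the run through `_Exit(0)`, and a self-test built on this flag passes without the intended line having been reached. Consider accepting a match only when the character after it is not a digit, or state the substring semantics in the flag's help text. The check also runs before `Corpus.AddToCorpus(U)`, so the unit that reached the position is not added on this path; whether that matters depends on code outside the hunk, where AddToCorpusAndMaybeRerun continues.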
Modified: llvm/trunk/lib/Fuzzer/FuzzerOptions.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerOptions.h?rev=282458&r1=282457&r2=282458&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerOptions.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerOptions.h Mon Sep 26 19:10:20 2016
@@ -40,6 +40,7 @@ struct FuzzingOptions {
std::string OutputCorpus;
std::string ArtifactPrefix = "./";
std::string ExactArtifactPath;
+ std::string ExitOnSrcPos;
bool SaveArtifacts = true;
bool PrintNEW = true; // Print a status line when new units are found;
bool OutputCSV = false;
Modified: llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp?rev=282458&r1=282457&r2=282458&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp Mon Sep 26 19:10:20 2016
@@ -70,7 +70,7 @@ void TracePC::ResetGuards() {
void TracePC::FinalizeTrace() {
if (TotalPCCoverage) {
- for (size_t Idx = 1, N = Min(kNumCounters, NumGuards); Idx < N;
+ for (size_t Idx = 1, N = Min(kNumCounters, NumGuards + 1); Idx < N;
Idx++) {
uint8_t Counter = Counters[Idx];
if (!Counter) continue;
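Review bot: The new `NumGuards + 1` bound in FinalizeTrace carries no comment explaining the extra slot, and the same adjustment is repeated in PrintCoverage in the next hunk. Because this loop starts at `Idx = 1`, guard indices appear to be 1-based with NumGuards as the last valid index; if that is right, say so above both loops, e.g. `// Guard indices are 1-based: the valid range is [1, NumGuards].`. The two loops clamp against different constants (`kNumCounters` here, `kNumPCs` in PrintCoverage), so a shared helper for the bound would keep them from drifting apart if the arrays are meant to stay the same size. Both function bodies continue outside the hunks.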
@@ -96,7 +96,7 @@ void TracePC::HandleCallerCallee(uintptr
void TracePC::PrintCoverage() {
Printf("COVERAGE:\n");
- for (size_t i = 0; i < Min(NumGuards, kNumPCs); i++) {
+ for (size_t i = 0; i < Min(NumGuards + 1, kNumPCs); i++) {
if (PCs[i])
PrintPC("COVERED: %p %F %L\n", "COVERED: %p\n", PCs[i]);
}
Modified: llvm/trunk/lib/Fuzzer/FuzzerTracePC.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTracePC.h?rev=282458&r1=282457&r2=282458&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTracePC.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTracePC.h Mon Sep 26 19:10:20 2016
@@ -40,7 +40,6 @@ class TracePC {
return Min(kMaxNewPCIDs, NumNewPCIDs);
}
- void ResetNewPCIDs() { NumNewPCIDs = 0; }
uintptr_t GetPCbyPCID(uintptr_t PCID) { return PCs[PCID]; }
void ResetMaps() {
@@ -64,7 +63,7 @@ private:
bool UseValueProfile = false;
size_t TotalPCCoverage = 0;
- static const size_t kMaxNewPCIDs = 64;
+ static const size_t kMaxNewPCIDs = 1024;
uintptr_t NewPCIDs[kMaxNewPCIDs];
size_t NumNewPCIDs = 0;
void AddNewPCID(uintptr_t PCID) {
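Review bot: Raising `kMaxNewPCIDs` to 1024 only moves the point at which new PCs stop being reported, because `GetNewPCIDs` still returns `Min(kMaxNewPCIDs, NumNewPCIDs)`. A run that discovers more new PCs than the cap yields a truncated list, and -exit_on_src_pos now depends on that list, so a target line whose PC falls past the cap would be missed without any message. AddNewPCID's body is outside the hunk, so how it handles overflow cannot be confirmed from here. A comment on the constant would at least document the limit, e.g. `// New PCs beyond this count in a single run are not reported by GetNewPCIDs().`.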
Modified: llvm/trunk/lib/Fuzzer/FuzzerUtil.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerUtil.cpp?rev=282458&r1=282457&r2=282458&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerUtil.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerUtil.cpp Mon Sep 26 19:10:20 2016
@@ -290,16 +290,20 @@ size_t GetPeakRSSMb() {
return 0;
}
+std::string DescribePC(const char *SymbolizedFMT, uintptr_t PC) {
+ if (!EF->__sanitizer_symbolize_pc) return "<can not symbolize>";
+ char PcDescr[1024];
+ EF->__sanitizer_symbolize_pc(reinterpret_cast<void*>(PC),
+ SymbolizedFMT, PcDescr, sizeof(PcDescr));
+ PcDescr[sizeof(PcDescr) - 1] = 0; // Just in case.
+ return PcDescr;
+}
+
void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC) {
- if (EF->__sanitizer_symbolize_pc) {
- char PcDescr[1024];
- EF->__sanitizer_symbolize_pc(reinterpret_cast<void*>(PC),
- SymbolizedFMT, PcDescr, sizeof(PcDescr));
- PcDescr[sizeof(PcDescr) - 1] = 0; // Just in case.
- Printf("%s", PcDescr);
- } else {
+ if (EF->__sanitizer_symbolize_pc)
+ Printf("%s", DescribePC(SymbolizedFMT, PC).c_str());
+ else
Printf(FallbackFMT, PC);
- }
}
} // namespace fuzzer
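Review bot: In DescribePC, `PcDescr` is uninitialized and only its last byte is set after the call, so if `__sanitizer_symbolize_pc` ever returns without writing a terminated string, `return PcDescr;` builds a std::string from indeterminate stack bytes. Zero-initializing the buffer closes that gap at no real cost: `char PcDescr[1024] = {};`. PrintPC now tests `EF->__sanitizer_symbolize_pc` and DescribePC tests it again; that is harmless, but a short comment on DescribePC noting that it returns the literal `<can not symbolize>` when no symbolizer is present would help callers such as CheckExitOnSrcPos, which matches on the returned text.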
Added: llvm/trunk/lib/Fuzzer/fuzzer-test-suite/re2-2014-12-09/test.sh
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/fuzzer-test-suite/re2-2014-12-09/test.sh?rev=282458&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/fuzzer-test-suite/re2-2014-12-09/test.sh (added)
+++ llvm/trunk/lib/Fuzzer/fuzzer-test-suite/re2-2014-12-09/test.sh Mon Sep 26 19:10:20 2016
@@ -0,0 +1,10 @@
+#!/bin/bash
+set -x
+SCRIPT_DIR=$(dirname $0)
+EXECUTABLE_NAME_BASE=$(basename $SCRIPT_DIR)
+CORPUS=CORPUS-$EXECUTABLE_NAME_BASE
+JOBS=8
+rm -rf $CORPUS
+mkdir $CORPUS
+[ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -exit_on_src_pos=re2/dfa.cc:474 -exit_on_src_pos=re2/dfa.cc:474 -runs=1000000 -jobs=$JOBS $CORPUS
+grep "INFO: found line matching 're2/dfa.cc:474', exiting." fuzz-0.log
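Review bot: If the fuzzer binary is absent, the `[ -e ... ] &&` line is skipped and the final `grep` can still succeed against a `fuzz-0.log` left behind by an earlier run, so the script reports a pass without having run anything. Remove stale logs up front and fail early, e.g. `rm -rf "$CORPUS" fuzz-*.log` followed by `[ -e "$EXECUTABLE_NAME_BASE" ] || exit 1`. The expansions in `rm -rf $CORPUS`, `$(dirname $0)` and `$(basename $SCRIPT_DIR)` are unquoted, so a checkout path containing spaces makes `rm -rf` operate on unintended words; quote them. `-exit_on_src_pos=re2/dfa.cc:474` is also passed twice on the command line, which looks like a paste slip.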
Propchange: llvm/trunk/lib/Fuzzer/fuzzer-test-suite/re2-2014-12-09/test.sh
------------------------------------------------------------------------------
svn:executable = *
Modified: llvm/trunk/lib/Fuzzer/test/MinimizeCorpusTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/MinimizeCorpusTest.cpp?rev=282458&r1=282457&r2=282458&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/MinimizeCorpusTest.cpp (original)
+++ llvm/trunk/lib/Fuzzer/test/MinimizeCorpusTest.cpp Mon Sep 26 19:10:20 2016
@@ -21,7 +21,7 @@ extern "C" int LLVMFuzzerTestOneInput(co
int Z = Ids[(unsigned char)'Z'];
if (F >= 0 && U > F && Z > U) {
Sink++;
- // printf("IDS: %d %d %d\n", F, U, Z);
+ // fprintf(stderr, "IDS: %d %d %d\n", F, U, Z);
}
return 0;
}
Modified: llvm/trunk/lib/Fuzzer/test/fuzzer.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer.test?rev=282458&r1=282457&r2=282458&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer.test Mon Sep 26 19:10:20 2016
@@ -53,3 +53,7 @@ RUN: not LLVMFuzzer-DSOTest 2>&1 | FileC
DSO: INFO: Loaded 3 modules
DSO: BINGO
+RUN: LLVMFuzzer-SimpleTest-TracePC -exit_on_src_pos=SimpleTest.cpp:17 2>&1 | FileCheck %s --check-prefix=EXIT_ON_SRC_POS
+RUN: LLVMFuzzer-MinimizeCorpusTest-TracePC -exit_on_src_pos=MinimizeCorpusTest.cpp:23 2>&1 | FileCheck %s --check-prefix=EXIT_ON_SRC_POS
+EXIT_ON_SRC_POS: INFO: found line matching '{{.*}}', exiting.
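Review bot: The `EXIT_ON_SRC_POS` check accepts any text between the quotes (`'{{.*}}'`), so both RUN lines only prove that some match fired, not that the requested position was the one reported. Separate prefixes that spell out the expected location, e.g. `INFO: found line matching 'SimpleTest.cpp:17', exiting.`, would make the two tests independent of each other. The hard-coded line numbers will also go stale whenever SimpleTest.cpp or MinimizeCorpusTest.cpp is edited; a comment in those sources marking the line the test depends on would make that visible.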
+