[llvm] r297202 - [fuzzer] Don't crash if LLVMFuzzerMutate was called by CustomCrossOver
Vitaly Buka via llvm-commits
llvm-commits at lists.llvm.org
Tue Mar 7 12:37:38 PST 2017
Author: vitalybuka
Date: Tue Mar 7 14:37:38 2017
New Revision: 297202
URL: http://llvm.org/viewvc/llvm-project?rev=297202&view=rev
Log:
[fuzzer] Don't crash if LLVMFuzzerMutate was called by CustomCrossOver
Reviewers: kcc
Subscribers: llvm-commits, mgorny
Differential Revision: https://reviews.llvm.org/D30682
Added:
llvm/trunk/lib/Fuzzer/test/CustomCrossOverAndMutateTest.cpp
llvm/trunk/lib/Fuzzer/test/fuzzer-customcrossoverandmutate.test
Modified:
llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp
llvm/trunk/lib/Fuzzer/FuzzerMutate.h
llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
Modified: llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp?rev=297202&r1=297201&r2=297202&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerMutate.cpp Tue Mar 7 14:37:38 2017
@@ -81,8 +81,8 @@ size_t MutationDispatcher::Mutate_Custom
const Unit &Other = (*Corpus)[Idx];
if (Other.empty())
return 0;
- MutateInPlaceHere.resize(MaxSize);
- auto &U = MutateInPlaceHere;
+ CustomCrossOverInPlaceHere.resize(MaxSize);
+ auto &U = CustomCrossOverInPlaceHere;
size_t NewSize = EF->LLVMFuzzerCustomCrossOver(
Data, Size, Other.data(), Other.size(), U.data(), U.size(), Rand.Rand());
if (!NewSize)
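Review bot: The switched buffer at `CustomCrossOverInPlaceHere.resize(MaxSize);` carries no explanation at the call site, and the only rationale lives in the header; a one-line comment above it would spare the next reader the cross-file lookup: `// Not MutateInPlaceHere: a custom cross-over may re-enter LLVMFuzzerMutate, whose built-in mutators resize that buffer and would leave U dangling.` Separately, the hunk only rejects `NewSize == 0`; Mutate_CustomCrossOver continues past the hunk, and if that continuation does not already refuse `NewSize > MaxSize` (or `NewSize > U.size()`) before copying U back into `Data`, a misbehaving custom cross-over could still trigger an out-of-bounds copy, so that check is worth confirming. MutationDispatcher::Mutate_CustomCrossOver starts before and ends after this hunk.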
Modified: llvm/trunk/lib/Fuzzer/FuzzerMutate.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerMutate.h?rev=297202&r1=297201&r2=297202&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerMutate.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerMutate.h Tue Mar 7 14:37:38 2017
@@ -143,6 +143,9 @@ private:
const InputCorpus *Corpus = nullptr;
std::vector<uint8_t> MutateInPlaceHere;
+ // CustomCrossOver needs its own buffer as a custom implementation may call
+ // LLVMFuzzerMutate, which in turn may resize MutateInPlaceHere.
+ std::vector<uint8_t> CustomCrossOverInPlaceHere;
std::vector<Mutator> Mutators;
std::vector<Mutator> DefaultMutators;
Modified: llvm/trunk/lib/Fuzzer/test/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/CMakeLists.txt?rev=297202&r1=297201&r2=297202&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/CMakeLists.txt Tue Mar 7 14:37:38 2017
@@ -80,6 +80,7 @@ set(Tests
BufferOverflowOnInput
CallerCalleeTest
CounterTest
+ CustomCrossOverAndMutateTest
CustomCrossOverTest
CustomMutatorTest
CxxStringEqTest
Added: llvm/trunk/lib/Fuzzer/test/CustomCrossOverAndMutateTest.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/CustomCrossOverAndMutateTest.cpp?rev=297202&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/CustomCrossOverAndMutateTest.cpp (added)
+++ llvm/trunk/lib/Fuzzer/test/CustomCrossOverAndMutateTest.cpp Tue Mar 7 14:37:38 2017
@@ -0,0 +1,33 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Test that libFuzzer does not crash when LLVMFuzzerMutate called from
+// LLVMFuzzerCustomCrossOver.
+#include <cstddef>
+#include <cstdint>
+#include <cstdlib>
+#include <string>
+#include <string.h>
+#include <vector>
+
+#include "FuzzerInterface.h"
+
+static volatile int sink;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ std::string Str(reinterpret_cast<const char *>(Data), Size);
+ if (Size && Data[0] == '0')
+ sink++;
+ return 0;
+}
+
+extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1,
+ const uint8_t *Data2, size_t Size2,
+ uint8_t *Out, size_t MaxOutSize,
+ unsigned int Seed) {
+ std::vector<uint8_t> Buffer(MaxOutSize * 10);
+ LLVMFuzzerMutate(Buffer.data(), Buffer.size(), Buffer.size());
+ size_t Size = std::min<size_t>(Size1, MaxOutSize);
+ memcpy(Out, Data1, Size);
+ return Size;
+}
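Review bot: `std::min<size_t>` on the line computing `Size` is used without `#include <algorithm>`; it compiles today only through whatever `<string>`/`<vector>` happen to pull in, which is not guaranteed, so add `#include <algorithm>` (and prefer `<cstring>` over `<string.h>` for `memcpy`). The purpose of `MaxOutSize * 10` is also left unstated; presumably the oversized MaxSize handed to LLVMFuzzerMutate is what forces libFuzzer's shared scratch buffer to reallocate so that a stale `Out` surfaces under ASan, and a comment such as `// Deliberately larger than MaxOutSize: growing libFuzzer's scratch buffer is what made Out dangle before the fix.` would make that intent explicit. `<cstdlib>` does not appear to be used by anything in this file.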
Added: llvm/trunk/lib/Fuzzer/test/fuzzer-customcrossoverandmutate.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer-customcrossoverandmutate.test?rev=297202&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer-customcrossoverandmutate.test (added)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer-customcrossoverandmutate.test Tue Mar 7 14:37:38 2017
@@ -0,0 +1 @@
+RUN: LLVMFuzzer-CustomCrossOverAndMutateTest -seed=1 -use_memcmp=0 -runs=100000