[PATCH] D41457: [libfuzzer] Fix UB when calculating Log(0) in StackDepthStepFunction().

Max Moroz via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Dec 20 11:06:48 PST 2017


Dor1s created this revision.
Dor1s added a reviewer: kcc.
Herald added subscribers: Sanitizers, llvm-commits.

__builtin_clz used for Log calculation returns an undefined result
when its argument is 0. I noticed that issue when I was testing some fuzzers:

/src/libfuzzer/FuzzerTracePC.h:283:33: runtime error: shift exponent 450349 is too large for 32-bit type 'uint32_t' (aka 'unsigned int')

    #0 0x43d83f in operator() /src/libfuzzer/FuzzerTracePC.h:283:33
    #1 0x43d83f in void fuzzer::TracePC::CollectFeatures<fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)::$_1>(fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)::$_1) const /src/libfuzzer/FuzzerTracePC.h:290
    #2 0x43cbd4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:445:7
    #3 0x43e5f1 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:706:5
    #4 0x43e9e1 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:739:3
    #5 0x432f8c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:754:6
    #6 0x42ee18 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #7 0x7f17ffeb182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x407838 in _start (/out/rotate_fuzzer+0x407838)


Repository:
  rCRT Compiler Runtime

https://reviews.llvm.org/D41457

Files:
  lib/fuzzer/FuzzerTracePC.h


Index: lib/fuzzer/FuzzerTracePC.h
===================================================================
--- lib/fuzzer/FuzzerTracePC.h
+++ lib/fuzzer/FuzzerTracePC.h
@@ -276,6 +276,7 @@
 
   // Step function, grows similar to 8 * Log_2(A).
   auto StackDepthStepFunction = [](uint32_t A) -> uint32_t {
+    if (!A) return A;
     uint32_t Log2 = Log(A);
     if (Log2 < 3) return A;
     Log2 -= 3;
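Review bot: the early return `if (!A) return A;` removes the undefined `Log(0)` call at this site, and returning A (that is, 0) is consistent with the existing `if (Log2 < 3) return A;` branch, but a one-line comment saying that `Log(0)` is undefined (via `__builtin_clz`, per the description) would make the special case self-explanatory. Since the undefined result originates inside `Log()` rather than in this lambda, consider also guarding zero inside `Log()` itself so that other callers of `Log()` are protected too, and adding a regression test that runs an input through this path with A == 0 under -fsanitize=undefined.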


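The following is an added, stand-alone C++ example (not libFuzzer's own code) that shows why a `__builtin_clz`-based `Log()` must not be called with 0, and how the guard from the patch fits into the step function. `SafeLog`, `UnguardedLog`, `ReferenceLog` and `StackDepthStep` are names chosen here, and the return statement after `Log2 -= 3;` is an assumed continuation of the lambda, since the hunk above shows only its head.

```cpp
// Added example, not libFuzzer's code. Demonstrates the Log(0) hazard from
// the review above and the zero guard that avoids it.
#include <cstdint>

// Floor(log2(X)) via __builtin_clz. Precondition: X != 0. For X == 0 the
// result of __builtin_clz is undefined, so the returned "logarithm" can be
// any value, which is how a shift exponent like 450349 ends up in a 32-bit
// shift (see the UBSan report quoted in the description).
static inline uint32_t UnguardedLog(uint32_t X) {
  return 31 - static_cast<uint32_t>(__builtin_clz(X));
}

// Guarded variant: defines Log(0) as 0 so callers never reach the UB.
static inline uint32_t SafeLog(uint32_t X) {
  if (X == 0) return 0;
  return UnguardedLog(X);
}

// Portable, loop-based floor(log2(X)) used to cross-check SafeLog.
// Returns 0 for X == 0 by construction.
static inline uint32_t ReferenceLog(uint32_t X) {
  uint32_t R = 0;
  while (X >>= 1) ++R;
  return R;
}

// Step function with the same head as the patched lambda: identity below 8,
// then growth "similar to 8 * Log_2(A)". The zero guard is the fix from the
// patch; the final return line is an assumed (hypothetical) tail.
static uint32_t StackDepthStep(uint32_t A) {
  if (!A) return A;                 // the fix: never evaluate Log(0)
  uint32_t Log2 = SafeLog(A);
  if (Log2 < 3) return A;           // A in [1, 7] maps to itself
  Log2 -= 3;
  // Assumed tail: 8 per octave above 8, plus the next three mantissa bits.
  // With Log2 undefined, the `A >> Log2` here is exactly the kind of
  // out-of-range shift UBSan flagged.
  return (Log2 + 1) * 8 + ((A >> Log2) & 7);
}

// Cross-check helper: true if SafeLog agrees with the reference on [0, N].
static bool LogsAgreeUpTo(uint32_t N) {
  for (uint32_t X = 0; X <= N; ++X)
    if (SafeLog(X) != ReferenceLog(X)) return false;
  return true;
}
```

Compiling the unguarded variant with `-fsanitize=undefined` and calling it with 0 reproduces the class of report quoted in the description; the guarded variant is well-defined for every 32-bit input, and `LogsAgreeUpTo` confirms it matches the portable reference.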
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D41457.127761.patch
Type: text/x-patch
Size: 397 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20171220/1ea4d478/attachment.bin>