[compiler-rt] r321211 - [libfuzzer] Fix UB when calculating Log(0) in StackDepthStepFunction().
Vedant Kumar via llvm-commits
llvm-commits at lists.llvm.org
Wed Dec 20 16:16:29 PST 2017
It's a bit accidental that the original UB (passing 0 to clz) triggers a second (bad shift). You should be able to catch this bug more reliably with -fsanitize=builtin, now.
vedant
> On Dec 20, 2017, at 11:31 AM, Max Moroz via llvm-commits <llvm-commits at lists.llvm.org> wrote:
>
> Author: dor1s
> Date: Wed Dec 20 11:31:51 2017
> New Revision: 321211
>
> URL: http://llvm.org/viewvc/llvm-project?rev=321211&view=rev
> Log:
> [libfuzzer] Fix UB when calculating Log(0) in StackDepthStepFunction().
>
> Summary:
> __builtin_clz used for Log calculation returns an undefined result
> when its argument is 0. I noticed that issue when I was testing some fuzzers:
>
> ```
> /src/libfuzzer/FuzzerTracePC.h:282:33: runtime error: shift exponent 450349 is too large for 32-bit type 'uint32_t' (aka 'unsigned int')
> #0 0x43d83f in operator() /src/libfuzzer/FuzzerTracePC.h:283:33
> #1 0x43d83f in void fuzzer::TracePC::CollectFeatures<fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)::$_1>(fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)::$_1) const /src/libfuzzer/FuzzerTracePC.h:290
> #2 0x43cbd4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:445:7
> #3 0x43e5f1 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:706:5
> #4 0x43e9e1 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:739:3
> #5 0x432f8c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:754:6
> #6 0x42ee18 in main /src/libfuzzer/FuzzerMain.cpp:20:10
> #7 0x7f17ffeb182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
> #8 0x407838 in _start (/out/rotate_fuzzer+0x407838)
> ```
>
> Reviewers: kcc
>
> Reviewed By: kcc
>
> Subscribers: llvm-commits, #sanitizers
>
> Differential Revision: https://reviews.llvm.org/D41457
>
> Modified:
> compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.h
>
> Modified: compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.h
> URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.h?rev=321211&r1=321210&r2=321211&view=diff
> ==============================================================================
> --- compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.h (original)
> +++ compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.h Wed Dec 20 11:31:51 2017
> @@ -276,6 +276,7 @@ void TracePC::CollectFeatures(Callback H
>
> // Step function, grows similar to 8 * Log_2(A).
> auto StackDepthStepFunction = [](uint32_t A) -> uint32_t {
> + if (!A) return A;
> uint32_t Log2 = Log(A);
> if (Log2 < 3) return A;
> Log2 -= 3;
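Review bot: the new `if (!A) return A;` guard in StackDepthStepFunction removes this one call site's UB, but the precondition it is working around lives in Log(): the summary says Log() is built on __builtin_clz, which is undefined for 0, yet nothing in the hunk documents or checks that Log() must not receive 0, so any other caller can reproduce the same bad-shift report. Consider adding an assert (or a comment stating the A != 0 precondition) at Log() itself rather than only at this caller. The change list shows only FuzzerTracePC.h modified; a regression test that feeds a depth of 0 through this path under -fsanitize=undefined would keep this from silently regressing.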
>
>
> _______________________________________________
> llvm-commits mailing list
> llvm-commits at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits
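As an added illustration of the fix (my own code, not libFuzzer's), the step function below carries the r321211 zero guard, makes the non-zero precondition of the clz-based log helper explicit, and checks the property a maintainer would want from a feature bucket function: it never decreases. The tail of the function after `Log2 -= 3;` is an assumption modelled on the comment "grows similar to 8 * Log_2(A)", since the hunk's context stops there.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not libFuzzer's own code. Models the Log() helper that
 * libFuzzer builds on __builtin_clz, whose result is undefined for 0;
 * the precondition is stated here instead of being left to the caller. */
static uint32_t log2_floor_nonzero(uint32_t A) {
    /* Caller guarantees A != 0. __builtin_clz(0) is undefined behaviour;
     * clang -fsanitize=undefined,builtin reports a violation at the call. */
    return 31u - (uint32_t)__builtin_clz(A);
}

/* Step function, grows similar to 8 * Log_2(A), with the zero guard from
 * r321211. The final return line is an assumption: the hunk's context stops
 * at `Log2 -= 3;`, so the tail is modelled on the comment above. */
static uint32_t stack_depth_step(uint32_t A) {
    if (!A) return A;                       /* the r321211 fix: never clz(0) */
    uint32_t Log2 = log2_floor_nonzero(A);
    if (Log2 < 3) return A;                 /* 0..7 map to themselves */
    Log2 -= 3;
    /* Eight buckets per power of two; A >> Log2 is now a shift of < 32 bits,
     * unlike the garbage exponent (450349) seen in the report above. */
    return (Log2 + 1) * 8 + ((A >> Log2) & 7);
}

/* Property check: the step function never decreases, so a deeper stack
 * never yields a "smaller" feature value. Returns 1 on success, 0 on a
 * violation. Limit may be UINT32_MAX; the loop guards against wrap-around. */
static int step_is_monotone_upto(uint32_t Limit) {
    uint32_t Prev = 0;
    for (uint32_t A = 0; A <= Limit; A++) {
        uint32_t S = stack_depth_step(A);
        if (S < Prev) return 0;
        Prev = S;
        if (A == UINT32_MAX) break;
    }
    return 1;
}

int main(void) {
    uint32_t samples[] = {0, 1, 7, 8, 15, 16, 31, 32, 1024, UINT32_MAX};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("step(%u) = %u\n", (unsigned)samples[i],
               (unsigned)stack_depth_step(samples[i]));
    printf("monotone up to 2^20: %d\n", step_is_monotone_upto(1u << 20));
    return 0;
}
```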