[compiler-rt] r337296 - libFuzzer: prevent irrelevant strings from leaking into auto-dictionary

Matt Morehouse via llvm-commits llvm-commits at lists.llvm.org
Tue Jul 17 09:12:00 PDT 2018


Author: morehouse
Date: Tue Jul 17 09:12:00 2018
New Revision: 337296

URL: http://llvm.org/viewvc/llvm-project?rev=337296&view=rev
Log:
libFuzzer: prevent irrelevant strings from leaking into auto-dictionary

This is a fix for bug 37047.

https://bugs.llvm.org/show_bug.cgi?id=37047

Implemented by essentially reversing the logic. Previously all strings
were considered, with some operations excluded. Now strings are excluded
by default, and only strings compared during the user callback (CB) are considered.

Patch By: pdknsk

Differential Revision: https://reviews.llvm.org/D48800

Modified:
    compiler-rt/trunk/lib/fuzzer/FuzzerDefs.h
    compiler-rt/trunk/lib/fuzzer/FuzzerDictionary.h
    compiler-rt/trunk/lib/fuzzer/FuzzerInternal.h
    compiler-rt/trunk/lib/fuzzer/FuzzerLoop.cpp
    compiler-rt/trunk/lib/fuzzer/FuzzerMutate.cpp
    compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.cpp
    compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.h
    compiler-rt/trunk/test/fuzzer/three-bytes.test

Modified: compiler-rt/trunk/lib/fuzzer/FuzzerDefs.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerDefs.h?rev=337296&r1=337295&r2=337296&view=diff
==============================================================================
--- compiler-rt/trunk/lib/fuzzer/FuzzerDefs.h (original)
+++ compiler-rt/trunk/lib/fuzzer/FuzzerDefs.h Tue Jul 17 09:12:00 2018
@@ -176,12 +176,6 @@ typedef int (*UserCallback)(const uint8_
 
 int FuzzerDriver(int *argc, char ***argv, UserCallback Callback);
 
-struct ScopedDoingMyOwnMemOrStr {
-  ScopedDoingMyOwnMemOrStr() { DoingMyOwnMemOrStr++; }
-  ~ScopedDoingMyOwnMemOrStr() { DoingMyOwnMemOrStr--; }
-  static int DoingMyOwnMemOrStr;
-};
-
 inline uint8_t  Bswap(uint8_t x)  { return x; }
 inline uint16_t Bswap(uint16_t x) { return __builtin_bswap16(x); }
 inline uint32_t Bswap(uint32_t x) { return __builtin_bswap32(x); }
@@ -191,6 +185,8 @@ uint8_t *ExtraCountersBegin();
 uint8_t *ExtraCountersEnd();
 void ClearExtraCounters();
 
+extern bool RunningUserCallback;
+
 }  // namespace fuzzer
 
 #endif  // LLVM_FUZZER_DEFS_H
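Review bot: `extern bool RunningUserCallback;` is a plain global that the weak memcmp/str* hooks in FuzzerTracePC.cpp read on whatever thread the target is comparing on, that `AlarmCallback` reads from a signal context, and that `Fuzzer::ExecuteCallback` toggles around `CB()`; if the target spawns threads that outlive or overlap the callback, those reads race with the write under the C++ memory model. The defined-behaviour form is `extern std::atomic<bool> RunningUserCallback;` with relaxed loads in the hooks, which should cost nothing on the hot path, and the definition `bool RunningUserCallback = false;` added in FuzzerLoop.cpp would change to match. The previous `RunningCB` member had the same race, so this is inherited rather than introduced, but the symbol is now a public namespace-level global and deserves a comment saying what it gates, e.g. `// True only while the user callback is executing. The weak memcmp/str* hooks drop comparisons made outside it so libFuzzer's own comparisons cannot pollute the auto-dictionary.`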

Modified: compiler-rt/trunk/lib/fuzzer/FuzzerDictionary.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerDictionary.h?rev=337296&r1=337295&r2=337296&view=diff
==============================================================================
--- compiler-rt/trunk/lib/fuzzer/FuzzerDictionary.h (original)
+++ compiler-rt/trunk/lib/fuzzer/FuzzerDictionary.h Tue Jul 17 09:12:00 2018
@@ -33,7 +33,6 @@ public:
   }
 
   bool operator==(const FixedWord<kMaxSize> &w) const {
-    ScopedDoingMyOwnMemOrStr scoped_doing_my_own_mem_os_str;
     return Size == w.Size && 0 == memcmp(Data, w.Data, Size);
   }
 

Modified: compiler-rt/trunk/lib/fuzzer/FuzzerInternal.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerInternal.h?rev=337296&r1=337295&r2=337296&view=diff
==============================================================================
--- compiler-rt/trunk/lib/fuzzer/FuzzerInternal.h (original)
+++ compiler-rt/trunk/lib/fuzzer/FuzzerInternal.h Tue Jul 17 09:12:00 2018
@@ -118,7 +118,6 @@ private:
   uint8_t *CurrentUnitData = nullptr;
   std::atomic<size_t> CurrentUnitSize;
   uint8_t BaseSha1[kSHA1NumBytes];  // Checksum of the base unit.
-  bool RunningCB = false;
 
   bool GracefulExitRequested = false;
 

Modified: compiler-rt/trunk/lib/fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerLoop.cpp?rev=337296&r1=337295&r2=337296&view=diff
==============================================================================
--- compiler-rt/trunk/lib/fuzzer/FuzzerLoop.cpp (original)
+++ compiler-rt/trunk/lib/fuzzer/FuzzerLoop.cpp Tue Jul 17 09:12:00 2018
@@ -43,6 +43,8 @@ thread_local bool Fuzzer::IsMyThread;
 
 SharedMemoryRegion SMR;
 
+bool RunningUserCallback = false;
+
 // Only one Fuzzer per process.
 static Fuzzer *F;
 
@@ -243,7 +245,7 @@ void Fuzzer::CrashCallback() {
 }
 
 void Fuzzer::ExitCallback() {
-  if (!RunningCB)
+  if (!RunningUserCallback)
     return; // This exit did not come from the user callback
   if (EF->__sanitizer_acquire_crash_state &&
       !EF->__sanitizer_acquire_crash_state())
@@ -277,7 +279,7 @@ void Fuzzer::AlarmCallback() {
   if (!InFuzzingThread())
     return;
 #endif
-  if (!RunningCB)
+  if (!RunningUserCallback)
     return; // We have not started running units yet.
   size_t Seconds =
       duration_cast<seconds>(system_clock::now() - UnitStartTime).count();
@@ -451,9 +453,9 @@ void Fuzzer::CheckForUnstableCounters(co
     ScopedEnableMsanInterceptorChecks S;
     UnitStartTime = system_clock::now();
     TPC.ResetMaps();
-    RunningCB = true;
+    RunningUserCallback = true;
     CB(Data, Size);
-    RunningCB = false;
+    RunningUserCallback = false;
     UnitStopTime = system_clock::now();
   };
 
@@ -558,9 +560,9 @@ void Fuzzer::ExecuteCallback(const uint8
     AllocTracer.Start(Options.TraceMalloc);
     UnitStartTime = system_clock::now();
     TPC.ResetMaps();
-    RunningCB = true;
+    RunningUserCallback = true;
     int Res = CB(DataCopy, Size);
-    RunningCB = false;
+    RunningUserCallback = false;
     UnitStopTime = system_clock::now();
     (void)Res;
     assert(Res == 0);
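Review bot: The `RunningUserCallback = true; ... = false;` pair is written out twice, here and in the `CheckForUnstableCounters` hunk above, which is exactly the kind of pairing the removed `ScopedDoingMyOwnMemOrStr` guard existed for. A small `ScopedRunningUserCallback` RAII struct whose constructor sets the flag and destructor clears it, used as one line next to `ScopedEnableMsanInterceptorChecks S;`, would keep the two sites in sync and make the reset impossible to forget when a statement is later added between the assignments. Behaviour on a crash or `exit()` inside `CB` is unchanged either way, since neither the destructor nor the explicit reset runs and `ExitCallback` still sees the flag set. The enclosing lambda and `ExecuteCallback` continue outside this hunk.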

Modified: compiler-rt/trunk/lib/fuzzer/FuzzerMutate.cpp
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerMutate.cpp?rev=337296&r1=337295&r2=337296&view=diff
==============================================================================
--- compiler-rt/trunk/lib/fuzzer/FuzzerMutate.cpp (original)
+++ compiler-rt/trunk/lib/fuzzer/FuzzerMutate.cpp Tue Jul 17 09:12:00 2018
@@ -195,7 +195,6 @@ DictionaryEntry MutationDispatcher::Make
     const void *Arg1Mutation, const void *Arg2Mutation,
     size_t ArgSize, const uint8_t *Data,
     size_t Size) {
-  ScopedDoingMyOwnMemOrStr scoped_doing_my_own_mem_os_str;
   bool HandleFirst = Rand.RandBool();
   const void *ExistingBytes, *DesiredBytes;
   Word W;

Modified: compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.cpp
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.cpp?rev=337296&r1=337295&r2=337296&view=diff
==============================================================================
--- compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.cpp (original)
+++ compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.cpp Tue Jul 17 09:12:00 2018
@@ -39,8 +39,6 @@ namespace fuzzer {
 
 TracePC TPC;
 
-int ScopedDoingMyOwnMemOrStr::DoingMyOwnMemOrStr;
-
 uint8_t *TracePC::Counters() const {
   return __sancov_trace_pc_guard_8bit_counters;
 }
@@ -608,7 +606,7 @@ void __sanitizer_cov_trace_gep(uintptr_t
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
 void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
                                   const void *s2, size_t n, int result) {
-  if (fuzzer::ScopedDoingMyOwnMemOrStr::DoingMyOwnMemOrStr) return;
+  if (!fuzzer::RunningUserCallback) return;
   if (result == 0) return;  // No reason to mutate.
   if (n <= 1) return;  // Not interesting.
   fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n, /*StopAtZero*/false);
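Review bot: With the guard object gone, the only thing keeping libFuzzer's own comparisons out of the auto-dictionary is that they happen while `RunningUserCallback` is false, so any memcmp/strncmp/strstr that libFuzzer itself performs on the callback path (inside these hooks, `TPC.AddValueForMemcmp`, `MMT.Add`, or the malloc/free hooks) is now recorded as if the target had made it; it is worth confirming none of those helpers call a hooked function, since the old scoped guard would have covered such a call and this check will not. The same `if (!fuzzer::RunningUserCallback) return;` line is repeated in all eight hooks in this file; that is fine, though the `strncasecmp`/`strcasecmp` forwarders check it once more inside `strncmp`/`strcmp`, which is harmless but redundant. A one-line comment on this first occurrence, `// Ignore comparisons libFuzzer makes outside the user callback (bug 37047).`, would record why the hook is gated.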
@@ -617,7 +615,7 @@ void __sanitizer_weak_hook_memcmp(void *
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
 void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
                                    const char *s2, size_t n, int result) {
-  if (fuzzer::ScopedDoingMyOwnMemOrStr::DoingMyOwnMemOrStr) return;
+  if (!fuzzer::RunningUserCallback) return;
   if (result == 0) return;  // No reason to mutate.
   size_t Len1 = fuzzer::InternalStrnlen(s1, n);
   size_t Len2 = fuzzer::InternalStrnlen(s2, n);
@@ -630,7 +628,7 @@ void __sanitizer_weak_hook_strncmp(void
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
 void __sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1,
                                    const char *s2, int result) {
-  if (fuzzer::ScopedDoingMyOwnMemOrStr::DoingMyOwnMemOrStr) return;
+  if (!fuzzer::RunningUserCallback) return;
   if (result == 0) return;  // No reason to mutate.
   size_t N = fuzzer::InternalStrnlen2(s1, s2);
   if (N <= 1) return;  // Not interesting.
@@ -640,35 +638,35 @@ void __sanitizer_weak_hook_strcmp(void *
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
 void __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1,
                                        const char *s2, size_t n, int result) {
-  if (fuzzer::ScopedDoingMyOwnMemOrStr::DoingMyOwnMemOrStr) return;
+  if (!fuzzer::RunningUserCallback) return;
   return __sanitizer_weak_hook_strncmp(called_pc, s1, s2, n, result);
 }
 
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
 void __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1,
                                       const char *s2, int result) {
-  if (fuzzer::ScopedDoingMyOwnMemOrStr::DoingMyOwnMemOrStr) return;
+  if (!fuzzer::RunningUserCallback) return;
   return __sanitizer_weak_hook_strcmp(called_pc, s1, s2, result);
 }
 
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
 void __sanitizer_weak_hook_strstr(void *called_pc, const char *s1,
                                   const char *s2, char *result) {
-  if (fuzzer::ScopedDoingMyOwnMemOrStr::DoingMyOwnMemOrStr) return;
+  if (!fuzzer::RunningUserCallback) return;
   fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
 }
 
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
 void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1,
                                       const char *s2, char *result) {
-  if (fuzzer::ScopedDoingMyOwnMemOrStr::DoingMyOwnMemOrStr) return;
+  if (!fuzzer::RunningUserCallback) return;
   fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
 }
 
 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
 void __sanitizer_weak_hook_memmem(void *called_pc, const void *s1, size_t len1,
                                   const void *s2, size_t len2, void *result) {
-  if (fuzzer::ScopedDoingMyOwnMemOrStr::DoingMyOwnMemOrStr) return;
+  if (!fuzzer::RunningUserCallback) return;
   fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), len2);
 }
 }  // extern "C"

Modified: compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.h?rev=337296&r1=337295&r2=337296&view=diff
==============================================================================
--- compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.h (original)
+++ compiler-rt/trunk/lib/fuzzer/FuzzerTracePC.h Tue Jul 17 09:12:00 2018
@@ -180,7 +180,6 @@ private:
 
   std::pair<size_t, size_t> FocusFunction = {-1, -1};  // Module and PC IDs.
 
-
   ValueBitMap ValueProfileMap;
   uintptr_t InitialStack;
 };

Modified: compiler-rt/trunk/test/fuzzer/three-bytes.test
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/fuzzer/three-bytes.test?rev=337296&r1=337295&r2=337296&view=diff
==============================================================================
--- compiler-rt/trunk/test/fuzzer/three-bytes.test (original)
+++ compiler-rt/trunk/test/fuzzer/three-bytes.test Tue Jul 17 09:12:00 2018
@@ -1,8 +1,8 @@
 Tests -use_value_profile=2 (alternative VP metric).
 RUN: %cpp_compiler %S/ThreeBytes.cpp -o %t
 
-RUN:     %run %t -seed=1 -runs=100000
-RUN:     %run %t -seed=1 -runs=100000 -use_value_profile=1
+RUN:     %run %t -seed=1 -runs=30000
+RUN:     %run %t -seed=1 -runs=30000 -use_value_profile=1
 RUN: not %run %t -seed=1 -runs=1000000 -use_value_profile=2 2>&1 | FileCheck %s
 
 CHECK: Test unit written
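Review bot: The two runs without `-use_value_profile=2` drop from 100000 to 30000 iterations with no explanation in the log or the file. These lines carry no `not`, so they presumably assert that the crash is not reached within the budget, and a cleaner auto-dictionary may now find it sooner; if that is the reason, a plain line in the test such as `Run budgets for the non-VP modes are kept low so they do not reach the crash first.` (constructed wording) would stop the next edit from raising them again. If the reduction is only to shorten the test, saying so would be just as useful.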



