[compiler-rt] r363443 - [libFuzzer] Disable len_control by default if LLVMFuzzerCustomMutator is used.
Max Moroz via llvm-commits
llvm-commits at lists.llvm.org
Fri Jun 14 12:34:11 PDT 2019
Author: dor1s
Date: Fri Jun 14 12:34:11 2019
New Revision: 363443
URL: http://llvm.org/viewvc/llvm-project?rev=363443&view=rev
Log:
[libFuzzer] Disable len_control by default if LLVMFuzzerCustomMutator is used.
Summary:
Some custom mutators may not perform well when a size restriction is
enforced by len_control. Because of that, it's safer to disable len_control
by default in such cases, but still allow users to enable it manually.
Bug example: https://bugs.chromium.org/p/chromium/issues/detail?id=919530.
Tested manually with LPM-based and regular fuzz targets.
Reviewers: kcc, vitalybuka, metzman
Reviewed By: kcc, metzman
Subscribers: delcypher, #sanitizers, llvm-commits
Tags: #llvm, #sanitizers
Differential Revision: https://reviews.llvm.org/D63334
Modified:
compiler-rt/trunk/lib/fuzzer/FuzzerDriver.cpp
compiler-rt/trunk/lib/fuzzer/FuzzerFlags.def
compiler-rt/trunk/test/fuzzer/fuzzer-custommutator.test
Modified: compiler-rt/trunk/lib/fuzzer/FuzzerDriver.cpp
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerDriver.cpp?rev=363443&r1=363442&r2=363443&view=diff
==============================================================================
--- compiler-rt/trunk/lib/fuzzer/FuzzerDriver.cpp (original)
+++ compiler-rt/trunk/lib/fuzzer/FuzzerDriver.cpp Fri Jun 14 12:34:11 2019
@@ -182,7 +182,8 @@ static bool ParseOneFlag(const char *Par
}
// We don't use any library to minimize dependencies.
-static void ParseFlags(const Vector<std::string> &Args) {
+static void ParseFlags(const Vector<std::string> &Args,
+ const ExternalFunctions *EF) {
for (size_t F = 0; F < kNumFlags; F++) {
if (FlagDescriptions[F].IntFlag)
*FlagDescriptions[F].IntFlag = FlagDescriptions[F].Default;
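Review bot: The new `EF` parameter is a raw pointer, and the next hunk dereferences it in `if (EF->LLVMFuzzerCustomMutator)` with no null check, so ParseFlags now relies on every caller passing a valid object. A null value is never meaningful here, so taking `const ExternalFunctions &EF` and calling `ParseFlags(Args, *EF)` would put that contract in the signature. If the pointer form is kept, a one-line comment such as `// EF must be non-null.` above the function would do. The function body continues outside this hunk.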
@@ -192,6 +193,11 @@ static void ParseFlags(const Vector<std:
if (FlagDescriptions[F].StrFlag)
*FlagDescriptions[F].StrFlag = nullptr;
}
+
+ // Disable len_control by default, if LLVMFuzzerCustomMutator is used.
+ if (EF->LLVMFuzzerCustomMutator)
+ Flags.len_control = 0;
+
Inputs = new Vector<std::string>;
for (size_t A = 1; A < Args.size(); A++) {
if (ParseOneFlag(Args[A].c_str())) {
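Review bot: The override `Flags.len_control = 0;` only behaves as the commit message promises because it sits after the loop that resets every flag to its table default and before the loop that parses `Args`, and the comment does not say so. A later reorder would either lose the override or make it clobber an explicit `-len_control=N` from the user. I would extend the comment to something like `// Must stay between the default reset above and argument parsing below, so that an explicit -len_control=N still wins.` ParseFlags starts and ends outside this hunk.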
@@ -616,7 +622,7 @@ int FuzzerDriver(int *argc, char ***argv
Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n");
exit(1);
}
- ParseFlags(Args);
+ ParseFlags(Args, EF);
if (Flags.help) {
PrintHelp();
return 0;
Modified: compiler-rt/trunk/lib/fuzzer/FuzzerFlags.def
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerFlags.def?rev=363443&r1=363442&r2=363443&view=diff
==============================================================================
--- compiler-rt/trunk/lib/fuzzer/FuzzerFlags.def (original)
+++ compiler-rt/trunk/lib/fuzzer/FuzzerFlags.def Fri Jun 14 12:34:11 2019
@@ -19,7 +19,7 @@ FUZZER_FLAG_INT(max_len, 0, "Maximum len
FUZZER_FLAG_INT(len_control, 100, "Try generating small inputs first, "
"then try larger inputs over time. Specifies the rate at which the length "
"limit is increased (smaller == faster). If 0, immediately try inputs with "
- "size up to max_len.")
+ "size up to max_len. Default value is 0, if LLVMFuzzerCustomMutator is used.")
FUZZER_FLAG_STRING(seed_inputs, "A comma-separated list of input files "
"to use as an additional seed corpus. Alternatively, an \"@\" followed by "
"the name of a file containing the comma-seperated list.")
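Review bot: The description now states a default of 0 for custom mutators, but the default argument on the `FUZZER_FLAG_INT(len_control, 100, ...` line is still 100, and the override is applied by assignment in ParseFlags rather than through the flag table. Anything that prints the table default (presumably the `-help` output) will keep showing 100 next to text that says 0. Wording that names the override explicitly would avoid the confusion, e.g. `"size up to max_len. The default is overridden to 0 when LLVMFuzzerCustomMutator is defined."`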
Modified: compiler-rt/trunk/test/fuzzer/fuzzer-custommutator.test
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/fuzzer/fuzzer-custommutator.test?rev=363443&r1=363442&r2=363443&view=diff
==============================================================================
--- compiler-rt/trunk/test/fuzzer/fuzzer-custommutator.test (original)
+++ compiler-rt/trunk/test/fuzzer/fuzzer-custommutator.test Fri Jun 14 12:34:11 2019
@@ -1,5 +1,11 @@
RUN: %cpp_compiler %S/CustomMutatorTest.cpp -o %t-CustomMutatorTest
RUN: not %run %t-CustomMutatorTest 2>&1 | FileCheck %s --check-prefix=LLVMFuzzerCustomMutator
LLVMFuzzerCustomMutator: In LLVMFuzzerCustomMutator
+LLVMFuzzerCustomMutator: {{.*}} lim: 4096 {{.*}}
LLVMFuzzerCustomMutator: BINGO
+# len_control is disabled for custom mutators by default, test that it can be enabled.
+RUN: not %run %t-CustomMutatorTest -len_control=100 2>&1 | FileCheck %s --check-prefix=LLVMFuzzerCustomMutatorWithLenControl
+LLVMFuzzerCustomMutatorWithLenControl: In LLVMFuzzerCustomMutator
+LLVMFuzzerCustomMutatorWithLenControl: {{.*}} lim: {{[1-9][0-9]?}} {{.*}}
+LLVMFuzzerCustomMutatorWithLenControl: BINGO