[PATCH] D65672: [compiler-rt] Expose fuzzer coverage bitmaps to the target

Alexander Oleinik via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Aug 2 12:14:23 PDT 2019


a1xndr created this revision.
a1xndr added reviewers: kcc, morehouse.
a1xndr added a project: LLVM.
Herald added subscribers: Sanitizers, llvm-commits, dberris.
Herald added a project: Sanitizers.

This change enables a fuzz-target to locate the coverage bitmaps that are
checked at the end of each fuzz-run. The main use-case for this is
a fuzz-target which, similarly to AFL, forks to reset state. Unlike AFL,
libFuzzer doesn't place the coverage data in shared memory. To work around
this, the target can map some shared memory and copy the coverage data from the
child to the parent at the end of each fuzz run. There is an example of such a
fuzz target in test/fuzzer/DeferredForkTest.cpp.

Another use-case is state-resetting through memory-snapshotting. In this case,
the target would use the information to roll back changes to memory outside of
the fuzzer-related pages.

I am fuzzing virtual QEMU devices as part of Google Summer of Code 2019.
Previously, I used virtual machine snapshots and reboots to reset state, but the
fork-based approach often performs better.

The patch exposes a LLVMFuzzerIterateFeatureRegions() function to the guest,
which leaves the actual implementation of the forking/other type of resetting
logic up to the fuzz-target developer, offering some flexibility over an AFL-style
forkserver.


Repository:
  rCRT Compiler Runtime

https://reviews.llvm.org/D65672

Files:
  lib/fuzzer/FuzzerInterface.h
  lib/fuzzer/FuzzerLoop.cpp
  lib/fuzzer/FuzzerTracePC.cpp
  lib/fuzzer/FuzzerTracePC.h
  test/fuzzer/DeferredForkTest.cpp
  test/fuzzer/deferred-fork-test.test

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D65672.213108.patch
Type: text/x-patch
Size: 4326 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20190802/8b1f4288/attachment.bin>
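
The fork-and-copy-back scheme described in the message above, as an added example that is not code from the patch or from libFuzzer. The `counters` array, `device_state` and all function names are constructed stand-ins; a real target would get the coverage regions from the fuzzer runtime rather than from a local array.

```cpp
// Added example: one fork per input, coverage copied back via shared memory.
// `counters` is a constructed stand-in for the fuzzer's coverage bitmap.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

static const size_t kNumCounters = 8;
static uint8_t counters[kNumCounters];  // process-private coverage (stand-in)
static int device_state = 0;            // target state that fork() resets

// Constructed target: each branch bumps one counter and dirties the state.
static void target_one_input(const uint8_t *data, size_t size) {
  device_state++;
  if (size > 0 && data[0] == 'F') {
    counters[1]++;
    if (size > 1 && data[1] == 'U') counters[2]++;
  } else {
    counters[0]++;
  }
}

// Runs one input in a child process. Returns 0 when the child exited cleanly
// and its coverage was copied into the parent, -1 on crash or setup failure.
int run_forked(const uint8_t *data, size_t size) {
  void *m = mmap(nullptr, kNumCounters, PROT_READ | PROT_WRITE,
                 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
  if (m == MAP_FAILED) return -1;
  uint8_t *shared = static_cast<uint8_t *>(m);
  pid_t pid = fork();
  if (pid == 0) {                       // child: run, publish coverage, exit
    target_one_input(data, size);
    memcpy(shared, counters, kNumCounters);
    _exit(0);
  }
  int status = 0, rc = -1;
  if (pid > 0 && waitpid(pid, &status, 0) == pid &&
      WIFEXITED(status) && WEXITSTATUS(status) == 0) {
    memcpy(counters, shared, kNumCounters);  // parent sees child's coverage
    rc = 0;
  }
  munmap(shared, kNumCounters);
  return rc;
}

int parent_state() { return device_state; }
uint8_t counter(size_t i) { return counters[i]; }
```

The parent's `device_state` never changes because every mutation happens in the child, while the counters survive only because they are copied out through the shared mapping before `_exit`.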

