[compiler-rt] 52f1df0 - Recommit "[libFuzzer] Fix value-profile-load test."

Thu Aug 27 12:12:44 PDT 2020

Author: Dokyung Song
Date: 2020-08-27T19:12:30Z
New Revision: 52f1df09237312eac044f84ca4c4f9e49aea0b9b

URL: https://github.com/llvm/llvm-project/commit/52f1df09237312eac044f84ca4c4f9e49aea0b9b
DIFF: https://github.com/llvm/llvm-project/commit/52f1df09237312eac044f84ca4c4f9e49aea0b9b.diff

LOG: Recommit "[libFuzzer] Fix value-profile-load test."

value-profile-load.test needs adjustment with a mutator change in
bb54bcf84970c04c9748004f3a4cf59b0c1832a7, which reverted as of now, but will be
recommitted after landing this patch.

This patch makes value-profile-load.test more friendly to (and aware of) the
current value profiling strategy, which is based on the hamming as well as the
absolute distance. To this end, this patch adjusts the set of input values that
trigger an expected crash. More specifically, this patch now uses a single value
0x01effffe as a crashing input, because this value is close to values like
{0x1ffffff, 0xffffff, ...}, which are very likely to be added to the corpus per
the current hamming- and absolute-distance-based value profiling strategy. Note
that previously the crashing input values were {1234567 * {1, 2, ...}, s.t. <
INT_MAX}.

Every byte in the chosen value 0x01effeef is intentionally different; this was
to make it harder to find the value without the intermediate inputs added to the
corpus by the value profiling strategy.

Also note that LoadTest.cpp now uses a narrower condition (Size != 8) for
initial pruning of inputs, effectively preventing libFuzzer from generating
inputs longer than necessary and spending time on mutating such long inputs in
the corpus - a functionality not meant to be tested by this specific test.

Differential Revision: https://reviews.llvm.org/D86247

Added: 
    

Modified: 
    compiler-rt/test/fuzzer/LoadTest.cpp
    compiler-rt/test/fuzzer/value-profile-load.test

Removed: 
    


################################################################################
diff  --git a/compiler-rt/test/fuzzer/LoadTest.cpp b/compiler-rt/test/fuzzer/LoadTest.cpp
index 9cf101542cb4..2b58c4efcf1b 100644

--- a/compiler-rt/test/fuzzer/LoadTest.cpp
+++ b/compiler-rt/test/fuzzer/LoadTest.cpp
@@ -9,15 +9,16 @@
 #include <cstring>
 #include <iostream>
 
-static volatile int Sink;
-const int kArraySize = 1234567;
-int array[kArraySize];
+static volatile uint8_t Sink;
+const int kArraySize = 32505854; // 0x01effffe
+uint8_t array[kArraySize];
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-  if (Size < 8) return 0;
+  if (Size != 8)
+    return 0;
   uint64_t a = 0;
-  memcpy(&a, Data, 8);
+  memcpy(&a, Data, sizeof(a));
+  a &= 0x1fffffff;
   Sink = array[a % (kArraySize + 1)];
   return 0;
 }
-

diff  --git a/compiler-rt/test/fuzzer/value-profile-load.test b/compiler-rt/test/fuzzer/value-profile-load.test
index 607b81cd527f..bf51e7f56c9e 100644
--- a/compiler-rt/test/fuzzer/value-profile-load.test
+++ b/compiler-rt/test/fuzzer/value-profile-load.test
@@ -1,3 +1,3 @@
 CHECK: AddressSanitizer: global-buffer-overflow
 RUN: %cpp_compiler %S/LoadTest.cpp -fsanitize-coverage=trace-gep -o %t-LoadTest
-RUN: not %run %t-LoadTest -seed=2 -use_cmp=0 -use_value_profile=1 -runs=20000000 2>&1 | FileCheck %s
+RUN: not %run %t-LoadTest -seed=1 -use_cmp=0 -use_value_profile=1 -runs=20000000 2>&1 | FileCheck %s


        
