if (CmpSize == 4) return ComputeCmp<uint32_t, int32_t>(CmpType, Arg1, Arg2);
if (CmpSize == 2) return ComputeCmp<uint16_t, int16_t>(CmpType, Arg1, Arg2);
if (CmpSize == 1) return ComputeCmp<uint8_t, int8_t>(CmpType, Arg1, Arg2);
- assert(0 && "unsupported type size");
+ // Other size, ==
+ if (CmpType == ICMP_EQ) return Arg1 == Arg2;
+ assert(0 && "unsupported cmp and type size combination");
return true;
}
void DFSanCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType,
uint64_t Arg1, uint64_t Arg2, dfsan_label L1,
dfsan_label L2);
+ void DFSanSwitchCallback(uint64_t PC, size_t ValSizeInBits, uint64_t Val,
+ size_t NumCases, uint64_t *Cases, dfsan_label L);
void TraceCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType, uint64_t Arg1,
uint64_t Arg2);
+
+ void TraceSwitchCallback(uintptr_t PC, size_t ValSizeInBits, uint64_t Val,
+ size_t NumCases, uint64_t *Cases);
int TryToAddDesiredData(uint64_t PresentData, uint64_t DesiredData,
size_t DataSize);
size_t StopTraceRecording(FuzzerRandomBase &Rand) {
RecordingTraces = false;
std::random_shuffle(Mutations.begin(), Mutations.end(), Rand);
- return Mutations.size();
+ return std::min(Mutations.size(), 128UL);
}
void ApplyTraceBasedMutation(size_t Idx, fuzzer::Unit *U);
PC, CmpSize, CmpType, Arg1, Arg2, Res, L1, L2, Mutations.size());
}
+void TraceState::DFSanSwitchCallback(uint64_t PC, size_t ValSizeInBits,
+ uint64_t Val, size_t NumCases,
+ uint64_t *Cases, dfsan_label L) {
+ assert(ReallyHaveDFSan());
+ if (!RecordingTraces) return;
+ if (!L) return; // Not actionable.
+ LabelRange LR = GetLabelRange(L);
+ size_t ValSize = ValSizeInBits / 8;
+ bool TryShort = IsTwoByteData(Val);
+ for (size_t i = 0; i < NumCases; i++)
+ TryShort &= IsTwoByteData(Cases[i]);
+
+ for (size_t Pos = LR.Beg; Pos + ValSize <= LR.End; Pos++)
+ for (size_t i = 0; i < NumCases; i++)
+ Mutations.push_back({Pos, ValSize, Cases[i]});
+
+ if (TryShort)
+ for (size_t Pos = LR.Beg; Pos + 2 <= LR.End; Pos++)
+ for (size_t i = 0; i < NumCases; i++)
+ Mutations.push_back({Pos, 2, Cases[i]});
+
+ if (Options.Verbosity >= 3)
+ Printf("DFSanSwitchCallback: PC %lx Val %zd SZ %zd # %zd L %d: {%d, %d} "
+ "TryShort %d\n",
+ PC, Val, ValSize, NumCases, L, LR.Beg, LR.End, TryShort);
+}
+
int TraceState::TryToAddDesiredData(uint64_t PresentData, uint64_t DesiredData,
size_t DataSize) {
int Res = 0;
break;
size_t Pos = Cur - Beg;
assert(Pos < CurrentUnit.size());
+ if (Mutations.size() > 100000U) return Res; // Just in case.
Mutations.push_back({Pos, DataSize, DesiredData});
Mutations.push_back({Pos, DataSize, DesiredData + 1});
Mutations.push_back({Pos, DataSize, DesiredData - 1});
}
}
+void TraceState::TraceSwitchCallback(uintptr_t PC, size_t ValSizeInBits,
+ uint64_t Val, size_t NumCases,
+ uint64_t *Cases) {
+ if (!RecordingTraces) return;
+ size_t ValSize = ValSizeInBits / 8;
+ bool TryShort = IsTwoByteData(Val);
+ for (size_t i = 0; i < NumCases; i++)
+ TryShort &= IsTwoByteData(Cases[i]);
+
+ if (Options.Verbosity >= 3)
+ Printf("TraceSwitch: %p %zd # %zd; TryShort %d\n", PC, Val, NumCases,
+ TryShort);
+
+ for (size_t i = 0; i < NumCases; i++) {
+ TryToAddDesiredData(Val, Cases[i], ValSize);
+ if (TryShort)
+ TryToAddDesiredData(Val, Cases[i], 2);
+ }
+
+}
+
static TraceState *TS;
void Fuzzer::StartTraceRecording() {
}
}
+static size_t InternalStrnlen(const char *S, size_t MaxLen) {
+ size_t Len = 0;
+ for (; Len < MaxLen && S[Len]; Len++) {}
+ return Len;
+}
+
} // namespace fuzzer
using fuzzer::TS;
TS->DFSanCmpCallback(PC, CmpSize, Type, Arg1, Arg2, L1, L2);
}
+void __dfsw___sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases,
+ dfsan_label L1, dfsan_label L2) {
+ if (!TS) return;
+ uintptr_t PC = reinterpret_cast<uintptr_t>(__builtin_return_address(0));
+ TS->DFSanSwitchCallback(PC, Cases[1], Val, Cases[0], Cases+2, L1);
+}
+
void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
size_t n, dfsan_label s1_label,
dfsan_label s2_label, dfsan_label n_label) {
TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2);
}
+void dfsan_weak_hook_strncmp(void *caller_pc, const char *s1, const char *s2,
+ size_t n, dfsan_label s1_label,
+ dfsan_label s2_label, dfsan_label n_label) {
+ if (!TS) return;
+ uintptr_t PC = reinterpret_cast<uintptr_t>(caller_pc);
+ uint64_t S1 = 0, S2 = 0;
+ n = std::min(n, fuzzer::InternalStrnlen(s1, n));
+ n = std::min(n, fuzzer::InternalStrnlen(s2, n));
+ // Simplification: handle only first 8 bytes.
+ memcpy(&S1, s1, std::min(n, sizeof(S1)));
+ memcpy(&S2, s2, std::min(n, sizeof(S2)));
+ dfsan_label L1 = dfsan_read_label(s1, n);
+ dfsan_label L2 = dfsan_read_label(s2, n);
+ TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2);
+}
+
+void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
+ const void *s2, size_t n) {
+ if (!TS) return;
+ uintptr_t PC = reinterpret_cast<uintptr_t>(caller_pc);
+ uint64_t S1 = 0, S2 = 0;
+ // Simplification: handle only first 8 bytes.
+ memcpy(&S1, s1, std::min(n, sizeof(S1)));
+ memcpy(&S2, s2, std::min(n, sizeof(S2)));
+ TS->TraceCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2);
+}
+
+void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
+ const char *s2, size_t n) {
+ if (!TS) return;
+ uintptr_t PC = reinterpret_cast<uintptr_t>(caller_pc);
+ uint64_t S1 = 0, S2 = 0;
+ size_t Len1 = fuzzer::InternalStrnlen(s1, n);
+ size_t Len2 = fuzzer::InternalStrnlen(s2, n);
+ n = std::min(n, Len1);
+ n = std::min(n, Len2);
+ if (n <= 1) return; // Not interesting.
+ // Simplification: handle only first 8 bytes.
+ memcpy(&S1, s1, std::min(n, sizeof(S1)));
+ memcpy(&S2, s2, std::min(n, sizeof(S2)));
+ TS->TraceCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2);
+}
+
void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
uint64_t Arg2) {
if (!TS) return;
TS->TraceCmpCallback(PC, CmpSize, Type, Arg1, Arg2);
}
+void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
+ if (!TS) return;
+ uintptr_t PC = reinterpret_cast<uintptr_t>(__builtin_return_address(0));
+ TS->TraceSwitchCallback(PC, Cases[1], Val, Cases[0], Cases + 2);
+}
+
} // extern "C"
projects / oota-llvm.git / blobdiff