projects / oota-llvm.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7c8bec3)
[libFuzzer] implement strncmp hook for data-flow-guided fuzzing (w/ and w/o dfsan...
authorKostya Serebryany <kcc@google.com>
Thu, 30 Jul 2015 02:33:45 +0000 (02:33 +0000)
committerKostya Serebryany <kcc@google.com>
Thu, 30 Jul 2015 02:33:45 +0000 (02:33 +0000)
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@243611 91177308-0d34-0410-b5e6-96231b3b80d8

lib/Fuzzer/FuzzerTraceState.cpp patch | blob | history
lib/Fuzzer/test/CMakeLists.txt patch | blob | history
lib/Fuzzer/test/MemcmpTest.cpp patch | blob | history
lib/Fuzzer/test/StrncmpTest.cpp [new file with mode: 0644] patch | blob
lib/Fuzzer/test/fuzzer-dfsan.test patch | blob | history
lib/Fuzzer/test/fuzzer.test patch | blob | history

diff --git a/lib/Fuzzer/FuzzerTraceState.cpp b/lib/Fuzzer/FuzzerTraceState.cpp
index 9c7f9966708fff4bccd5f5bbb8d05529d312fde2..d4ccd81d21ba8485243b70afeb4e274710ae2a3d 100644 (file)
--- a/lib/Fuzzer/FuzzerTraceState.cpp
+++ b/lib/Fuzzer/FuzzerTraceState.cpp
@@ -138,7 +138,9 @@ static bool ComputeCmp(size_t CmpSize, size_t CmpType, uint64_t Arg1,
   if (CmpSize == 4) return ComputeCmp<uint32_t, int32_t>(CmpType, Arg1, Arg2);
   if (CmpSize == 2) return ComputeCmp<uint16_t, int16_t>(CmpType, Arg1, Arg2);
   if (CmpSize == 1) return ComputeCmp<uint8_t, int8_t>(CmpType, Arg1, Arg2);
   if (CmpSize == 4) return ComputeCmp<uint32_t, int32_t>(CmpType, Arg1, Arg2);
   if (CmpSize == 2) return ComputeCmp<uint16_t, int16_t>(CmpType, Arg1, Arg2);
   if (CmpSize == 1) return ComputeCmp<uint8_t, int8_t>(CmpType, Arg1, Arg2);
-  assert(0 && "unsupported type size");
+  // Other size, ==
+  if (CmpType == ICMP_EQ) return Arg1 == Arg2;
+  assert(0 && "unsupported cmp and type size combination");
   return true;
 }
 
   return true;
 }
 
@@ -394,6 +396,12 @@ void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
   TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2);
 }
 
   TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2);
 }
 
+void dfsan_weak_hook_strncmp(void *caller_pc, const char *s1, const char *s2,
+                             size_t n, dfsan_label s1_label,
+                             dfsan_label s2_label, dfsan_label n_label) {
+  dfsan_weak_hook_memcmp(caller_pc, s1, s2, n, s1_label, s2_label, n_label);
+}
+
 void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
                                   const void *s2, size_t n) {
   if (!TS) return;
 void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
                                   const void *s2, size_t n) {
   if (!TS) return;
@@ -403,7 +411,11 @@ void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
   memcpy(&S1, s1, std::min(n, sizeof(S1)));
   memcpy(&S2, s2, std::min(n, sizeof(S2)));
   TS->TraceCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2);
   memcpy(&S1, s1, std::min(n, sizeof(S1)));
   memcpy(&S2, s2, std::min(n, sizeof(S2)));
   TS->TraceCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2);
-  // fuzzer::Printf("ZZZ %p %p %zd\n", s1, s2, n);
+}
+
+void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
+                                   const char *s2, size_t n) {
+  __sanitizer_weak_hook_memcmp(caller_pc, s1, s2, n);
 }
 
 void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
 }
 
 void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
diff --git a/lib/Fuzzer/test/CMakeLists.txt b/lib/Fuzzer/test/CMakeLists.txt
index 5247f001cb4da721be5b820f9c92898bd027c010..4cff70c111192e1383b0d867bd45c4f113bfd2dd 100644 (file)
--- a/lib/Fuzzer/test/CMakeLists.txt
+++ b/lib/Fuzzer/test/CMakeLists.txt
@@ -7,6 +7,7 @@ set(CMAKE_CXX_FLAGS_RELEASE "${LIBFUZZER_FLAGS_BASE} -O0 -fsanitize-coverage=edg
 set(DFSanTests
   MemcmpTest
   SimpleCmpTest
 set(DFSanTests
   MemcmpTest
   SimpleCmpTest
+  StrncmpTest
   )
 
 set(Tests
   )
 
 set(Tests
@@ -19,6 +20,7 @@ set(Tests
   NullDerefTest
   SimpleCmpTest
   SimpleTest
   NullDerefTest
   SimpleCmpTest
   SimpleTest
+  StrncmpTest
   TimeoutTest
   )
 
   TimeoutTest
   )
 
diff --git a/lib/Fuzzer/test/MemcmpTest.cpp b/lib/Fuzzer/test/MemcmpTest.cpp
index cabdff8f0753d5c6689d8126001d8829b86bf7b8..2954b6c7d486127e64aadb0787b0f8eb5ab3500d 100644 (file)
--- a/lib/Fuzzer/test/MemcmpTest.cpp
+++ b/lib/Fuzzer/test/MemcmpTest.cpp
@@ -9,8 +9,10 @@ extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
   if (Size >= 8 && memcmp(Data, "01234567", 8) == 0) {
     if (Size >= 12 && memcmp(Data + 8, "ABCD", 4) == 0) {
       if (Size >= 14 && memcmp(Data + 12, "XY", 2) == 0) {
   if (Size >= 8 && memcmp(Data, "01234567", 8) == 0) {
     if (Size >= 12 && memcmp(Data + 8, "ABCD", 4) == 0) {
       if (Size >= 14 && memcmp(Data + 12, "XY", 2) == 0) {
-        fprintf(stderr, "BINGO\n");
-        exit(1);
+        if (Size >= 16 && memcmp(Data + 14, "KLM", 3) == 0) {
+          fprintf(stderr, "BINGO\n");
+          exit(1);
+        }
       }
     }
   }
       }
     }
   }
diff --git a/lib/Fuzzer/test/StrncmpTest.cpp b/lib/Fuzzer/test/StrncmpTest.cpp
new file mode 100644 (file)
index 0000000..86b02d0
--- /dev/null
+++ b/lib/Fuzzer/test/StrncmpTest.cpp
@@ -0,0 +1,20 @@
+// Simple test for a fuzzer. The fuzzer must find a particular string.
+#include <cstring>
+#include <cstdint>
+#include <cstdio>
+#include <cstdlib>
+
+extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  // TODO: check other sizes.
+  char *S = (char*)Data;
+  if (Size >= 8 && strncmp(S, "01234567", 8) == 0) {
+    if (Size >= 12 && strncmp(S + 8, "ABCD", 4) == 0) {
+      if (Size >= 14 && strncmp(S + 12, "XY", 2) == 0) {
+        if (Size >= 16 && strncmp(S + 14, "KLM", 3) == 0) {
+          fprintf(stderr, "BINGO\n");
+          exit(1);
+        }
+      }
+    }
+  }
+}
diff --git a/lib/Fuzzer/test/fuzzer-dfsan.test b/lib/Fuzzer/test/fuzzer-dfsan.test
index 9a3c9e05d949bb3e6bb8a35e41fd72f7de36c02c..5e41a9e2ba7fdbf14fed6b7a713691af8898224f 100644 (file)
--- a/lib/Fuzzer/test/fuzzer-dfsan.test
+++ b/lib/Fuzzer/test/fuzzer-dfsan.test
@@ -7,3 +7,5 @@ RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -
 RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
 
 RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
 
+RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
+RUN: LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
diff --git a/lib/Fuzzer/test/fuzzer.test b/lib/Fuzzer/test/fuzzer.test
index fdabbb1c814b8d2ee2e250992c6baab851929d94..d6dd3ff7c95bee0e463a209d488e4e382ce6e6ec 100644 (file)
--- a/lib/Fuzzer/test/fuzzer.test
+++ b/lib/Fuzzer/test/fuzzer.test
@@ -28,3 +28,6 @@ RUN: not LLVMFuzzer-UserSuppliedFuzzerTest -seed=1 -timeout=15 2>&1 | FileCheck
 RUN: not LLVMFuzzer-MemcmpTest -use_traces=1 -seed=1 -runs=10000    2>&1 | FileCheck %s
 RUN:     LLVMFuzzer-MemcmpTest               -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000
 Done1000000: Done 1000000 runs in
 RUN: not LLVMFuzzer-MemcmpTest -use_traces=1 -seed=1 -runs=10000    2>&1 | FileCheck %s
 RUN:     LLVMFuzzer-MemcmpTest               -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000
 Done1000000: Done 1000000 runs in
+
+RUN: not LLVMFuzzer-StrncmpTest -use_traces=1 -seed=1 -runs=10000    2>&1 | FileCheck %s
+RUN:     LLVMFuzzer-StrncmpTest               -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000
C/C++ LLVM-based compilers that forbids OOTA behaviors