From 26e09e2da5a3eb297fae551019af449d13e4973d Mon Sep 17 00:00:00 2001 From: Kostya Serebryany Date: Fri, 31 Jul 2015 17:05:05 +0000 Subject: [PATCH] [libFuzzer] support switch interception in dfsan mode git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@243760 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/Fuzzer/FuzzerTraceState.cpp | 36 +++++++++++++++++++++++++++++-- lib/Fuzzer/test/CMakeLists.txt | 1 + lib/Fuzzer/test/SwitchTest.cpp | 4 ++-- lib/Fuzzer/test/fuzzer-dfsan.test | 4 ++++ 4 files changed, 41 insertions(+), 4 deletions(-) diff --git a/lib/Fuzzer/FuzzerTraceState.cpp b/lib/Fuzzer/FuzzerTraceState.cpp index e87fe6a5cd7..7af5f74d2a9 100644 --- a/lib/Fuzzer/FuzzerTraceState.cpp +++ b/lib/Fuzzer/FuzzerTraceState.cpp @@ -214,6 +214,8 @@ class TraceState { void DFSanCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType, uint64_t Arg1, uint64_t Arg2, dfsan_label L1, dfsan_label L2); + void DFSanSwitchCallback(uint64_t PC, size_t ValSizeInBits, uint64_t Val, + size_t NumCases, uint64_t *Cases, dfsan_label L); void TraceCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType, uint64_t Arg1, uint64_t Arg2); @@ -297,6 +299,26 @@ void TraceState::DFSanCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType, PC, CmpSize, CmpType, Arg1, Arg2, Res, L1, L2, Mutations.size()); } +void TraceState::DFSanSwitchCallback(uint64_t PC, size_t ValSizeInBits, + uint64_t Val, size_t NumCases, + uint64_t *Cases, dfsan_label L) { + assert(ReallyHaveDFSan()); + if (!RecordingTraces) return; + if (!L) return; // Not actionable. + LabelRange LR = GetLabelRange(L); + size_t ValSize = ValSizeInBits / 8; + for (size_t Pos = LR.Beg; Pos + ValSize <= LR.End; Pos++) { + for (size_t i = 0; i < NumCases; i++) { + Mutations.push_back({Pos, ValSize, Cases[i]}); + Mutations.push_back({Pos, ValSize, Cases[i] + 1}); + Mutations.push_back({Pos, ValSize, Cases[i] - 1}); + } + } + if (Options.Verbosity >= 3) + Printf("DFSanSwitchCallback: PC %lx Val %zd # %zd L %d\n", PC, Val, + NumCases, L); +} + int TraceState::TryToAddDesiredData(uint64_t PresentData, uint64_t DesiredData, size_t DataSize) { int Res = 0; @@ -399,6 +421,13 @@ void __dfsw___sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1, TS->DFSanCmpCallback(PC, CmpSize, Type, Arg1, Arg2, L1, L2); } +void __dfsw___sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases, + dfsan_label L1, dfsan_label L2) { + if (!TS) return; + uintptr_t PC = reinterpret_cast(__builtin_return_address(0)); + TS->DFSanSwitchCallback(PC, Cases[1], Val, Cases[0], Cases+2, L1); +} + void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2, size_t n, dfsan_label s1_label, dfsan_label s2_label, dfsan_label n_label) { @@ -445,8 +474,11 @@ void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1, if (!TS) return; uintptr_t PC = reinterpret_cast(caller_pc); uint64_t S1 = 0, S2 = 0; - n = std::min(n, fuzzer::InternalStrnlen(s1, n)); - n = std::min(n, fuzzer::InternalStrnlen(s2, n)); + size_t Len1 = fuzzer::InternalStrnlen(s1, n); + size_t Len2 = fuzzer::InternalStrnlen(s2, n); + n = std::min(n, Len1); + n = std::min(n, Len2); + if (n <= 1) return; // Not interesting. // Simplification: handle only first 8 bytes. memcpy(&S1, s1, std::min(n, sizeof(S1))); memcpy(&S2, s2, std::min(n, sizeof(S2))); diff --git a/lib/Fuzzer/test/CMakeLists.txt b/lib/Fuzzer/test/CMakeLists.txt index ac21b460944..b8c1f3228df 100644 --- a/lib/Fuzzer/test/CMakeLists.txt +++ b/lib/Fuzzer/test/CMakeLists.txt @@ -8,6 +8,7 @@ set(DFSanTests MemcmpTest SimpleCmpTest StrncmpTest + SwitchTest ) set(Tests diff --git a/lib/Fuzzer/test/SwitchTest.cpp b/lib/Fuzzer/test/SwitchTest.cpp index 6e300aa44e1..0f2319b2cc9 100644 --- a/lib/Fuzzer/test/SwitchTest.cpp +++ b/lib/Fuzzer/test/SwitchTest.cpp @@ -1,9 +1,9 @@ // Simple test for a fuzzer. The fuzzer must find the interesting switch value. #include #include +#include #include #include -#include static volatile int Sink; @@ -28,7 +28,7 @@ bool Switch(const uint8_t *Data, size_t Size) { extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if (Switch(Data, Size) && Size >= 12 && Switch(Data + 4, Size - 4)) { - std::cout << "BINGO; Found the target, exiting\n"; + fprintf(stderr, "BINGO; Found the target, exiting\n"); exit(1); } } diff --git a/lib/Fuzzer/test/fuzzer-dfsan.test b/lib/Fuzzer/test/fuzzer-dfsan.test index 37015ef5b78..c9d00f1d950 100644 --- a/lib/Fuzzer/test/fuzzer-dfsan.test +++ b/lib/Fuzzer/test/fuzzer-dfsan.test @@ -1,5 +1,6 @@ CHECK: BINGO CHECK_DFSanCmpCallback: DFSanCmpCallback: PC +CHECK_DFSanSwitchCallback: DFSanSwitchCallback: PC RUN: not LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=1000000 -timeout=5 2>&1 | FileCheck %s RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback @@ -9,3 +10,6 @@ RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbo RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5 2>&1 | FileCheck %s RUN: LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback + +RUN: not LLVMFuzzer-SwitchTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5 2>&1 | FileCheck %s +RUN: LLVMFuzzer-SwitchTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanSwitchCallback -- 2.34.1