This is an archive of the discontinued LLVM Phabricator instance.

Differential D15098

Libfuzzer: do not pass null into user function
ClosedPublic

Authored by aizatsky on Nov 30 2015, 5:05 PM.

Details

Reviewers
kcc
krasin
Commits
rG71552ce64b16: Libfuzzer: do not pass null into user function
rL254558: Libfuzzer: do not pass null into user function

Diff Detail

Repository
rL LLVM

Event Timeline

aizatsky updated this revision to Diff 41455.Nov 30 2015, 5:05 PM
aizatsky retitled this revision from to Libfuzzer: do not pass null into user function.
aizatsky updated this object.
aizatsky added reviewers: kcc, krasin.Nov 30 2015, 5:06 PM
aizatsky added a subscriber: llvm-commits.
krasin edited edge metadata.Nov 30 2015, 5:14 PM

LGTM with a nit

lib/Fuzzer/test/SimpleTest.cpp
11 ↗(On Diff #41455)

Alternatively, you could #include "gtest/gtest.h" and use EXPECT_NE:

EXPECT_NE(NULL, Data) << "Pointer to the data must not be NULL"

EXPECT_NE will work even if LLVM is built without asserts, while assert will just pass.

kcc added inline comments.Nov 30 2015, 5:46 PM
lib/Fuzzer/FuzzerLoop.cpp
242 ↗(On Diff #41455)

Looks weird.
I would prefer to have assert(!U.empty()) and enforce it in callers.

lib/Fuzzer/test/SimpleTest.cpp
11 ↗(On Diff #41455)

Oh no, we don't want these simple tests to depend on gtest.

aizatsky marked 2 inline comments as done.Dec 1 2015, 12:28 PM
aizatsky added inline comments.
lib/Fuzzer/FuzzerLoop.cpp
242 ↗(On Diff #41455)

There are too many paths that lead here. Plus, didn't we agree that its ok to call it with empty unit?

kcc added inline comments.Dec 2 2015, 2:27 PM
lib/Fuzzer/FuzzerLoop.cpp
242 ↗(On Diff #41455)

Emm. I am probably not 100% convinced we want to call this with empty units. But ok, let's assume we can.
Now, remind me, why we can't call the target function as f(NULL, 0) ?

kcc accepted this revision.Dec 2 2015, 2:30 PM
kcc edited edge metadata.

LGTM with two nits.

lib/Fuzzer/FuzzerLoop.cpp
242 ↗(On Diff #41455)

no static?

243 ↗(On Diff #41455)

no {} ?

This revision is now accepted and ready to land.Dec 2 2015, 2:30 PM
aizatsky updated this revision to Diff 41679.Dec 2 2015, 2:32 PM
aizatsky marked 2 inline comments as done.
aizatsky edited edge metadata.

review

aizatsky added a comment.Dec 2 2015, 2:33 PM

thanks. running check-all and submitting.

Closed by commit rL254558: Libfuzzer: do not pass null into user function (authored by aizatsky). · Explain WhyDec 2 2015, 2:47 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
lib/
Fuzzer/
6 lines
test/
2 lines

Diff 41682

llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 232 Lines▼ Show 20 Lines if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
return; return;
if (Options.OnlyASCII) if (Options.OnlyASCII)
ToASCII(U); ToASCII(U);
if (RunOne(U)) if (RunOne(U))
ReportNewCoverage(U); ReportNewCoverage(U);
} }
void Fuzzer::ExecuteCallback(const Unit &U) { void Fuzzer::ExecuteCallback(const Unit &U) {
int Res = USF.TargetFunction(U.data(), U.size()); const uint8_t *Data = U.data();
uint8_t EmptyData;
if (!Data)
Data = &EmptyData;
int Res = USF.TargetFunction(Data, U.size());
(void)Res; (void)Res;
assert(Res == 0); assert(Res == 0);
} }
size_t Fuzzer::RecordBlockCoverage() { size_t Fuzzer::RecordBlockCoverage() {
CHECK_WEAK_API_FUNCTION(__sanitizer_get_total_unique_coverage); CHECK_WEAK_API_FUNCTION(__sanitizer_get_total_unique_coverage);
return LastRecordedBlockCoverage = __sanitizer_get_total_unique_coverage(); return LastRecordedBlockCoverage = __sanitizer_get_total_unique_coverage();
} }
▲ Show 20 LinesShow All 263 LinesShow Last 20 Lines

llvm/trunk/lib/Fuzzer/test/SimpleTest.cpp

// Simple test for a fuzzer. The fuzzer must find the string "Hi!". // Simple test for a fuzzer. The fuzzer must find the string "Hi!".
#include <assert.h>
#include <cstdint> #include <cstdint>
#include <cstdlib> #include <cstdlib>
#include <cstddef> #include <cstddef>
#include <iostream> #include <iostream>
static volatile int Sink; static volatile int Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
assert(Data);
if (Size > 0 && Data[0] == 'H') { if (Size > 0 && Data[0] == 'H') {
Sink = 1; Sink = 1;
if (Size > 1 && Data[1] == 'i') { if (Size > 1 && Data[1] == 'i') {
Sink = 2; Sink = 2;
if (Size > 2 && Data[2] == '!') { if (Size > 2 && Data[2] == '!') {
std::cout << "BINGO; Found the target, exiting\n"; std::cout << "BINGO; Found the target, exiting\n";
exit(0); exit(0);
} }
} }
} }
return 0; return 0;
} }