This is an archive of the discontinued LLVM Phabricator instance.

Differential D8669

DFSan-based fuzzer (proof of concept).
ClosedPublic

Authored by kcc on Mar 27 2015, 12:04 PM.

Details

Reviewers
samsonov
pcc
Commits
rG16d03bd05130: DFSan-based fuzzer (proof of concept).
rL233613: DFSan-based fuzzer (proof of concept).
Summary

This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.

Diff Detail

Event Timeline

kcc updated this revision to Diff 22811.Mar 27 2015, 12:04 PM
kcc retitled this revision from to DFSan-based fuzzer (proof of concept)..
kcc updated this object.
kcc edited the test plan for this revision. (Show Details)
kcc added reviewers: pcc, samsonov.
kcc added a subscriber: Unknown Object (MLST).
samsonov accepted this revision.Mar 30 2015, 1:03 PM
samsonov edited edge metadata.

LGTM for CMake part (but note comment about explicit dependency on abilist you may require).

lib/Fuzzer/test/CMakeLists.txt
21

Did you remove this line on purpose?

lib/Fuzzer/test/dfsan/CMakeLists.txt
11

You probably need smth. like

set(DFSAN_FUZZER_ABI_LIST "${CMAKE_CURRENT_SOURCE_DIR}/../../dfsan_fuzzer_abi.list")
...

set_source_files_properties(${Test}.cpp PROPERTIES OBJECT_DEPENDS ${DFSAN_FUZZER_ABI_LIST})

to make sure you will recompile the test after changes to ABI list.

This revision is now accepted and ready to land.Mar 30 2015, 1:03 PM
kcc updated this revision to Diff 22901.Mar 30 2015, 1:15 PM
kcc edited edge metadata.

Address Alexey's comment

lib/Fuzzer/test/CMakeLists.txt
21

Yes. It is not needed any more due to
if( LLVM_USE_SANITIZE_COVERAGE ) in lib/Fuzzer/CMakeLists.txt

lib/Fuzzer/test/dfsan/CMakeLists.txt
11

Done, thanks!

samsonov added inline comments.Mar 30 2015, 1:23 PM
lib/Fuzzer/test/dfsan/CMakeLists.txt
5

You can use DFSAN_FUZZER_ABI_LIST here as well.

kcc updated this revision to Diff 22902.Mar 30 2015, 1:27 PM

addressed one more Alexey's comment ( reuse DFSAN_FUZZER_ABI_LIST)

pcc accepted this revision.Mar 30 2015, 3:03 PM
pcc edited edge metadata.

LGTM

We might also want to reset the DFSan state after each iteration, but that can probably come later.

lib/Fuzzer/FuzzerFlags.def
47

taint-guided

lib/Fuzzer/dfsan_fuzzer_abi.list
13

uninstrumented+discard maybe? Though this shouldn't matter if the function is only called from non-dfsan code.

lib/Fuzzer/test/dfsan/CMakeLists.txt
5

Doesn't this mean that the test will only use DFSan in release builds? Probably better to set the COMPILE_FLAGS property on the target.

kcc added a comment.Mar 30 2015, 3:10 PM

We might also want to reset the DFSan state after each iteration, but that can probably come later.

Yep.
So far everything works w/o resetting the dfsan state because I taint the global input vector which never gets reallocated.
I guess we may run out of dfsan labels in long fuzzing session woth resetting the DFSan state.

lib/Fuzzer/FuzzerFlags.def
47

done

lib/Fuzzer/dfsan_fuzzer_abi.list
13

Yes, this code is expected to be called *only* from non-instrumented code.

lib/Fuzzer/test/dfsan/CMakeLists.txt
5

Err. I think I tried and it did not work.
Let me try to wrestle with it separately if/when we need a Debug build.

kcc closed this revision.Mar 30 2015, 3:12 PM
pcc added inline comments.Mar 30 2015, 3:18 PM
lib/Fuzzer/test/dfsan/CMakeLists.txt
5

(FWIW, you might need to append to COMPILE_FLAGS as show here: http://llvm.org/klaus/llvm/blob/master/cmake/modules/AddLLVM.cmake#L-57 )

Revision Contents

Diff 22902

lib/Fuzzer/CMakeLists.txt

# Disable the coverage instrumentation for the fuzzer itself. set(LIBFUZZER_FLAGS_BASE "${CMAKE_CXX_FLAGS_RELEASE}")
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -O2 -fsanitize-coverage=0") # Disable the coverage and sanitizer instrumentation for the fuzzer itself.
set(CMAKE_CXX_FLAGS_RELEASE "${LIBFUZZER_FLAGS_BASE} -O2 -fno-sanitize=all")
if( LLVM_USE_SANITIZE_COVERAGE ) if( LLVM_USE_SANITIZE_COVERAGE )
add_library(LLVMFuzzerNoMain OBJECT add_library(LLVMFuzzerNoMain OBJECT
FuzzerCrossOver.cpp FuzzerCrossOver.cpp
FuzzerDFSan.cpp
FuzzerDriver.cpp FuzzerDriver.cpp
FuzzerIO.cpp FuzzerIO.cpp
FuzzerLoop.cpp FuzzerLoop.cpp
FuzzerMutate.cpp FuzzerMutate.cpp
FuzzerSanitizerOptions.cpp FuzzerSanitizerOptions.cpp
FuzzerUtil.cpp FuzzerUtil.cpp
) )
add_library(LLVMFuzzer STATIC add_library(LLVMFuzzer STATIC
FuzzerMain.cpp FuzzerMain.cpp
$<TARGET_OBJECTS:LLVMFuzzerNoMain> $<TARGET_OBJECTS:LLVMFuzzerNoMain>
) )
if( LLVM_INCLUDE_TESTS ) if( LLVM_INCLUDE_TESTS )
add_subdirectory(test) add_subdirectory(test)
endif() endif()
endif() endif()

lib/Fuzzer/FuzzerDFSan.cpp

  • This file was added.
//===- FuzzerDFSan.cpp - DFSan-based fuzzer mutator -----------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
// DataFlowSanitizer (DFSan) is a tool for
// generalised dynamic data flow (taint) analysis:
// http://clang.llvm.org/docs/DataFlowSanitizer.html .
//
// This file implements a mutation algorithm based on taint
// analysis feedback from DFSan.
//
// The approach has some similarity to "Taint-based Directed Whitebox Fuzzing"
// by Vijay Ganesh & Tim Leek & Martin Rinard:
// http://dspace.mit.edu/openaccess-disseminate/1721.1/59320,
// but it uses a full blown LLVM IR taint analysis and separate instrumentation
// to analyze all of the "attack points" at once.
//
// Workflow:
// * lib/Fuzzer/Fuzzer*.cpp is compiled w/o any instrumentation.
// * The code under test is compiled with DFSan *and* with special extra hooks
// that are inserted before dfsan. Currently supported hooks:
// - __sanitizer_cov_trace_cmp: inserted before every ICMP instruction,
// receives the type, size and arguments of ICMP.
// * Every call to HOOK(a,b) is replaced by DFSan with
// __dfsw_HOOK(a, b, label(a), label(b)) so that __dfsw_HOOK
// gets all the taint labels for the arguments.
// * At the Fuzzer startup we assign a unique DFSan label
// to every byte of the input string (Fuzzer::CurrentUnit) so that for any
// chunk of data we know which input bytes it has derived from.
// * The __dfsw_* functions (implemented in this file) record the
// parameters (i.e. the application data and the corresponding taint labels)
// in a global state.
// * Fuzzer::MutateWithDFSan() tries to use the data recorded by __dfsw_*
// hooks to guide the fuzzing towards new application states.
// For example if 4 bytes of data that derive from input bytes {4,5,6,7}
// are compared with a constant 12345 and the comparison always yields
// the same result, we try to insert 12345, 12344, 12346 into bytes
// {4,5,6,7} of the next fuzzed inputs.
//
// This code does not function when DFSan is not linked in.
// Instead of using ifdefs and thus requiring a separate build of lib/Fuzzer
// we redeclare the dfsan_* interface functions as weak and check if they
// are nullptr before calling.
// If this approach proves to be useful we may add attribute(weak) to the
// dfsan declarations in dfsan_interface.h
//
// This module is in the "proof of concept" stage.
// It is capable of solving only the simplest puzzles
// like test/dfsan/DFSanSimpleCmpTest.cpp.
//===----------------------------------------------------------------------===//
/* Example of manual usage:
(
cd $LLVM/lib/Fuzzer/
clang -fPIC -c -g -O2 -std=c++11 Fuzzer*.cpp
clang++ -O0 -std=c++11 -fsanitize-coverage=3 \
-mllvm -sanitizer-coverage-experimental-trace-compares=1 \
-fsanitize=dataflow -fsanitize-blacklist=./dfsan_fuzzer_abi.list \
test/dfsan/DFSanSimpleCmpTest.cpp Fuzzer*.o
./a.out
)
*/
#include "FuzzerInternal.h"
#include <sanitizer/dfsan_interface.h>
#include <cstring>
#include <iostream>
#include <unordered_map>
extern "C" {
__attribute__((weak))
dfsan_label dfsan_create_label(const char *desc, void *userdata);
__attribute__((weak))
void dfsan_set_label(dfsan_label label, void *addr, size_t size);
__attribute__((weak))
void dfsan_add_label(dfsan_label label, void *addr, size_t size);
__attribute__((weak))
const struct dfsan_label_info *dfsan_get_label_info(dfsan_label label);
} // extern "C"
namespace {
// These values are copied from include/llvm/IR/InstrTypes.h.
// We do not include the LLVM headers here to remain independent.
// If these values ever change, an assertion in ComputeCmp will fail.
enum Predicate {
ICMP_EQ = 32, ///< equal
ICMP_NE = 33, ///< not equal
ICMP_UGT = 34, ///< unsigned greater than
ICMP_UGE = 35, ///< unsigned greater or equal
ICMP_ULT = 36, ///< unsigned less than
ICMP_ULE = 37, ///< unsigned less or equal
ICMP_SGT = 38, ///< signed greater than
ICMP_SGE = 39, ///< signed greater or equal
ICMP_SLT = 40, ///< signed less than
ICMP_SLE = 41, ///< signed less or equal
};
template <class U, class S>
bool ComputeCmp(size_t CmpType, U Arg1, U Arg2) {
switch(CmpType) {
case ICMP_EQ : return Arg1 == Arg2;
case ICMP_NE : return Arg1 != Arg2;
case ICMP_UGT: return Arg1 > Arg2;
case ICMP_UGE: return Arg1 >= Arg2;
case ICMP_ULT: return Arg1 < Arg2;
case ICMP_ULE: return Arg1 <= Arg2;
case ICMP_SGT: return (S)Arg1 > (S)Arg2;
case ICMP_SGE: return (S)Arg1 >= (S)Arg2;
case ICMP_SLT: return (S)Arg1 < (S)Arg2;
case ICMP_SLE: return (S)Arg1 <= (S)Arg2;
default: assert(0 && "unsupported CmpType");
}
return false;
}
static bool ComputeCmp(size_t CmpSize, size_t CmpType, uint64_t Arg1,
uint64_t Arg2) {
if (CmpSize == 8) return ComputeCmp<uint64_t, int64_t>(CmpType, Arg1, Arg2);
if (CmpSize == 4) return ComputeCmp<uint32_t, int32_t>(CmpType, Arg1, Arg2);
if (CmpSize == 2) return ComputeCmp<uint16_t, int16_t>(CmpType, Arg1, Arg2);
if (CmpSize == 1) return ComputeCmp<uint8_t, int8_t>(CmpType, Arg1, Arg2);
assert(0 && "unsupported type size");
return true;
}
// As a simplification we use the range of input bytes instead of a set of input
// bytes.
struct LabelRange {
uint16_t Beg, End; // Range is [Beg, End), thus Beg==End is an empty range.
LabelRange(uint16_t Beg = 0, uint16_t End = 0) : Beg(Beg), End(End) {}
static LabelRange Join(LabelRange LR1, LabelRange LR2) {
if (LR1.Beg == LR1.End) return LR2;
if (LR2.Beg == LR2.End) return LR1;
return {std::min(LR1.Beg, LR2.Beg), std::max(LR1.End, LR2.End)};
}
LabelRange &Join(LabelRange LR) {
return *this = Join(*this, LR);
}
static LabelRange Singleton(const dfsan_label_info *LI) {
uint16_t Idx = (uint16_t)(uintptr_t)LI->userdata;
assert(Idx > 0);
return {(uint16_t)(Idx - 1), Idx};
}
};
std::ostream &operator<<(std::ostream &os, const LabelRange &LR) {
return os << "[" << LR.Beg << "," << LR.End << ")";
}
class DFSanState {
public:
DFSanState(const fuzzer::Fuzzer::FuzzingOptions &Options)
: Options(Options) {}
struct CmpSiteInfo {
size_t ResCounters[2] = {0, 0};
size_t CmpSize = 0;
LabelRange LR;
std::unordered_map<uint64_t, size_t> CountedConstants;
};
LabelRange GetLabelRange(dfsan_label L);
void DFSanCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType,
uint64_t Arg1, uint64_t Arg2, dfsan_label L1,
dfsan_label L2);
bool Mutate(fuzzer::Unit *U);
private:
std::unordered_map<uintptr_t, CmpSiteInfo> PcToCmpSiteInfoMap;
LabelRange LabelRanges[1 << (sizeof(dfsan_label) * 8)] = {};
const fuzzer::Fuzzer::FuzzingOptions &Options;
};
LabelRange DFSanState::GetLabelRange(dfsan_label L) {
LabelRange &LR = LabelRanges[L];
if (LR.Beg < LR.End || L == 0)
return LR;
const dfsan_label_info *LI = dfsan_get_label_info(L);
if (LI->l1 || LI->l2)
return LR = LabelRange::Join(GetLabelRange(LI->l1), GetLabelRange(LI->l2));
return LR = LabelRange::Singleton(LI);
}
void DFSanState::DFSanCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType,
uint64_t Arg1, uint64_t Arg2, dfsan_label L1,
dfsan_label L2) {
if (L1 == 0 && L2 == 0)
return; // Not actionable.
if (L1 != 0 && L2 != 0)
return; // Probably still actionable.
bool Res = ComputeCmp(CmpSize, CmpType, Arg1, Arg2);
CmpSiteInfo &CSI = PcToCmpSiteInfoMap[PC];
CSI.CmpSize = CmpSize;
CSI.LR.Join(GetLabelRange(L1)).Join(GetLabelRange(L2));
if (!L1) CSI.CountedConstants[Arg1]++;
if (!L2) CSI.CountedConstants[Arg2]++;
size_t Counter = CSI.ResCounters[Res]++;
if (Options.Verbosity >= 2 &&
(Counter & (Counter - 1)) == 0 &&
CSI.ResCounters[!Res] == 0)
std::cerr << "DFSAN:"
<< " PC " << std::hex << PC << std::dec
<< " S " << CmpSize
<< " T " << CmpType
<< " A1 " << Arg1 << " A2 " << Arg2 << " R " << Res
<< " L" << L1 << GetLabelRange(L1)
<< " L" << L2 << GetLabelRange(L2)
<< " LR " << CSI.LR
<< "\n";
}
bool DFSanState::Mutate(fuzzer::Unit *U) {
for (auto &PCToCmp : PcToCmpSiteInfoMap) {
auto &CSI = PCToCmp.second;
if (CSI.ResCounters[0] * CSI.ResCounters[1] != 0) continue;
if (CSI.ResCounters[0] + CSI.ResCounters[1] < 1000) continue;
if (CSI.CountedConstants.size() != 1) continue;
uintptr_t C = CSI.CountedConstants.begin()->first;
if (U->size() >= CSI.CmpSize) {
size_t RangeSize = CSI.LR.End - CSI.LR.Beg;
size_t Idx = CSI.LR.Beg + rand() % RangeSize;
if (Idx + CSI.CmpSize > U->size()) continue;
C += rand() % 5 - 2;
memcpy(U->data() + Idx, &C, CSI.CmpSize);
return true;
}
}
return false;
}
static DFSanState *DFSan;
} // namespace
namespace fuzzer {
bool Fuzzer::MutateWithDFSan(Unit *U) {
if (!&dfsan_create_label || !DFSan) return false;
return DFSan->Mutate(U);
}
void Fuzzer::InitializeDFSan() {
if (!&dfsan_create_label || !Options.UseDFSan) return;
DFSan = new DFSanState(Options);
CurrentUnit.resize(Options.MaxLen);
for (size_t i = 0; i < static_cast<size_t>(Options.MaxLen); i++) {
dfsan_label L = dfsan_create_label("input", (void*)(i + 1));
// We assume that no one else has called dfsan_create_label before.
assert(L == i + 1);
dfsan_set_label(L, &CurrentUnit[i], 1);
}
}
} // namespace fuzzer
extern "C" {
void __dfsw___sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
uint64_t Arg2, dfsan_label L0,
dfsan_label L1, dfsan_label L2) {
assert(L0 == 0);
uintptr_t PC = reinterpret_cast<uintptr_t>(__builtin_return_address(0));
uint64_t CmpSize = (SizeAndType >> 32) / 8;
uint64_t Type = (SizeAndType << 32) >> 32;
DFSan->DFSanCmpCallback(PC, CmpSize, Type, Arg1, Arg2, L1, L2);
}
} // extern "C"

lib/Fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 155 Lines▼ Show 20 Linesint FuzzerDriver(int argc, char **argv, UserCallback Callback) {
Options.Verbosity = Flags.verbosity; Options.Verbosity = Flags.verbosity;
Options.MaxLen = Flags.max_len; Options.MaxLen = Flags.max_len;
Options.DoCrossOver = Flags.cross_over; Options.DoCrossOver = Flags.cross_over;
Options.MutateDepth = Flags.mutate_depth; Options.MutateDepth = Flags.mutate_depth;
Options.ExitOnFirst = Flags.exit_on_first; Options.ExitOnFirst = Flags.exit_on_first;
Options.UseCounters = Flags.use_counters; Options.UseCounters = Flags.use_counters;
Options.UseFullCoverageSet = Flags.use_full_coverage_set; Options.UseFullCoverageSet = Flags.use_full_coverage_set;
Options.UseCoveragePairs = Flags.use_coverage_pairs; Options.UseCoveragePairs = Flags.use_coverage_pairs;
Options.UseDFSan = Flags.dfsan;
Options.PreferSmallDuringInitialShuffle = Options.PreferSmallDuringInitialShuffle =
Flags.prefer_small_during_initial_shuffle; Flags.prefer_small_during_initial_shuffle;
if (Flags.runs >= 0) if (Flags.runs >= 0)
Options.MaxNumberOfRuns = Flags.runs; Options.MaxNumberOfRuns = Flags.runs;
if (!inputs.empty()) if (!inputs.empty())
Options.OutputCorpus = inputs[0]; Options.OutputCorpus = inputs[0];
Fuzzer F(Callback, Options); Fuzzer F(Callback, Options);
Show All 29 Lines

lib/Fuzzer/FuzzerFlags.def

Show All 38 LinesFUZZER_FLAG(int, use_full_coverage_set, 0,
" This is potentially MUCH slower, but may discover more paths.") " This is potentially MUCH slower, but may discover more paths.")
FUZZER_FLAG(int, use_coverage_pairs, 0, FUZZER_FLAG(int, use_coverage_pairs, 0,
"Experimental: Maximize the number of different coverage pairs.") "Experimental: Maximize the number of different coverage pairs.")
FUZZER_FLAG(int, jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn" FUZZER_FLAG(int, jobs, 0, "Number of jobs to run. If jobs >= 1 we spawn"
" this number of jobs in separate worker processes" " this number of jobs in separate worker processes"
" with stdout/stderr redirected to fuzz-JOB.log.") " with stdout/stderr redirected to fuzz-JOB.log.")
FUZZER_FLAG(int, workers, 0, FUZZER_FLAG(int, workers, 0,
"Number of simultaneous worker processes to run the jobs.") "Number of simultaneous worker processes to run the jobs.")
FUZZER_FLAG(int, dfsan, 1, "Use DFSan for taing-guided mutations. No-op unless "
pccUnsubmitted
Not Done
ReplyInline Actions

taint-guided

pcc: taint-guided
kccAuthorUnsubmitted
Not Done
ReplyInline Actions

done

kcc: done
"the DFSan instrumentation was compiled in.")

lib/Fuzzer/FuzzerInternal.h

Show First 20 LinesShow All 45 Lines▼ Show 20 Lines struct FuzzingOptions {
int Verbosity = 1; int Verbosity = 1;
int MaxLen = 0; int MaxLen = 0;
bool DoCrossOver = true; bool DoCrossOver = true;
int MutateDepth = 5; int MutateDepth = 5;
bool ExitOnFirst = false; bool ExitOnFirst = false;
bool UseCounters = false; bool UseCounters = false;
bool UseFullCoverageSet = false; bool UseFullCoverageSet = false;
bool UseCoveragePairs = false; bool UseCoveragePairs = false;
bool UseDFSan = false;
int PreferSmallDuringInitialShuffle = -1; int PreferSmallDuringInitialShuffle = -1;
size_t MaxNumberOfRuns = ULONG_MAX; size_t MaxNumberOfRuns = ULONG_MAX;
std::string OutputCorpus; std::string OutputCorpus;
}; };
Fuzzer(UserCallback Callback, FuzzingOptions Options) Fuzzer(UserCallback Callback, FuzzingOptions Options)
: Callback(Callback), Options(Options) { : Callback(Callback), Options(Options) {
SetDeathCallback(); SetDeathCallback();
InitializeDFSan();
} }
void AddToCorpus(const Unit &U) { Corpus.push_back(U); } void AddToCorpus(const Unit &U) { Corpus.push_back(U); }
size_t Loop(size_t NumIterations); size_t Loop(size_t NumIterations);
void ShuffleAndMinimize(); void ShuffleAndMinimize();
void InitializeDFSan();
size_t CorpusSize() const { return Corpus.size(); } size_t CorpusSize() const { return Corpus.size(); }
void ReadDir(const std::string &Path) { void ReadDir(const std::string &Path) {
ReadDirToVectorOfUnits(Path.c_str(), &Corpus); ReadDirToVectorOfUnits(Path.c_str(), &Corpus);
} }
// Save the current corpus to OutputCorpus. // Save the current corpus to OutputCorpus.
void SaveCorpus(); void SaveCorpus();
size_t secondsSinceProcessStartUp() { size_t secondsSinceProcessStartUp() {
return duration_cast<seconds>(system_clock::now() - ProcessStartTime) return duration_cast<seconds>(system_clock::now() - ProcessStartTime)
.count(); .count();
} }
size_t getTotalNumberOfRuns() { return TotalNumberOfRuns; } size_t getTotalNumberOfRuns() { return TotalNumberOfRuns; }
static void AlarmCallback(); static void AlarmCallback();
private: private:
size_t MutateAndTestOne(Unit *U); size_t MutateAndTestOne(Unit *U);
size_t RunOne(const Unit &U); size_t RunOne(const Unit &U);
size_t RunOneMaximizeTotalCoverage(const Unit &U); size_t RunOneMaximizeTotalCoverage(const Unit &U);
size_t RunOneMaximizeFullCoverageSet(const Unit &U); size_t RunOneMaximizeFullCoverageSet(const Unit &U);
size_t RunOneMaximizeCoveragePairs(const Unit &U); size_t RunOneMaximizeCoveragePairs(const Unit &U);
void WriteToOutputCorpus(const Unit &U); void WriteToOutputCorpus(const Unit &U);
static void WriteToCrash(const Unit &U, const char *Prefix); static void WriteToCrash(const Unit &U, const char *Prefix);
bool MutateWithDFSan(Unit *U);
void SetDeathCallback(); void SetDeathCallback();
static void DeathCallback(); static void DeathCallback();
static Unit CurrentUnit; static Unit CurrentUnit;
size_t TotalNumberOfRuns = 0; size_t TotalNumberOfRuns = 0;
std::vector<Unit> Corpus; std::vector<Unit> Corpus;
Show All 18 Lines

lib/Fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 186 Lines▼ Show 20 Lines std::cerr << "Written corpus of " << Corpus.size() << " files to "
<< Options.OutputCorpus << "\n"; << Options.OutputCorpus << "\n";
} }
size_t Fuzzer::MutateAndTestOne(Unit *U) { size_t Fuzzer::MutateAndTestOne(Unit *U) {
size_t NewUnits = 0; size_t NewUnits = 0;
for (int i = 0; i < Options.MutateDepth; i++) { for (int i = 0; i < Options.MutateDepth; i++) {
if (TotalNumberOfRuns >= Options.MaxNumberOfRuns) if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
return NewUnits; return NewUnits;
MutateWithDFSan(U);
Mutate(U, Options.MaxLen); Mutate(U, Options.MaxLen);
size_t NewCoverage = RunOne(*U); size_t NewCoverage = RunOne(*U);
if (NewCoverage) { if (NewCoverage) {
Corpus.push_back(*U); Corpus.push_back(*U);
NewUnits++; NewUnits++;
if (Options.Verbosity) { if (Options.Verbosity) {
std::cerr << "#" << TotalNumberOfRuns std::cerr << "#" << TotalNumberOfRuns
<< "\tNEW: " << NewCoverage << "\tNEW: " << NewCoverage
▲ Show 20 LinesShow All 43 LinesShow Last 20 Lines

lib/Fuzzer/dfsan_fuzzer_abi.list

  • This file was added.
# Replaces __sanitizer_cov_trace_cmp with __dfsw___sanitizer_cov_trace_cmp
fun:__sanitizer_cov_trace_cmp=custom
fun:__sanitizer_cov_trace_cmp=uninstrumented
# Ignores coverage callbacks.
fun:__sanitizer_cov=uninstrumented
fun:__sanitizer_cov=discard
fun:__sanitizer_cov_module_init=uninstrumented
fun:__sanitizer_cov_module_init=discard
# Don't add extra parameters to the Fuzzer callback.
fun:TestOneInput=uninstrumented
pccUnsubmitted
Not Done
ReplyInline Actions

uninstrumented+discard maybe? Though this shouldn't matter if the function is only called from non-dfsan code.

pcc: uninstrumented+discard maybe? Though this shouldn't matter if the function is only called from…
kccAuthorUnsubmitted
Not Done
ReplyInline Actions

Yes, this code is expected to be called *only* from non-instrumented code.

kcc: Yes, this code is expected to be called *only* from non-instrumented code.

lib/Fuzzer/test/CMakeLists.txt

# Build all these tests with -O0, otherwise optimizations may merge some # Build all these tests with -O0, otherwise optimizations may merge some
# basic blocks and we'll fail to discover the targets. # basic blocks and we'll fail to discover the targets.
# Also enable the coverage instrumentation back (it is disabled # Also enable the coverage instrumentation back (it is disabled
# for the Fuzzer lib) # for the Fuzzer lib)
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -O0 -fsanitize-coverage=4") set(CMAKE_CXX_FLAGS_RELEASE "${LIBFUZZER_FLAGS_BASE} -O0 -fsanitize-coverage=4")
set(Tests set(Tests
CounterTest CounterTest
FourIndependentBranchesTest FourIndependentBranchesTest
FullCoverageSetTest FullCoverageSetTest
InfiniteTest InfiniteTest
NullDerefTest NullDerefTest
SimpleTest SimpleTest
TimeoutTest TimeoutTest
) )
set(DFSanTests
DFSanSimpleCmpTest
)
set(TestBinaries) set(TestBinaries)
foreach(Test ${Tests}) foreach(Test ${Tests})
add_executable(LLVMFuzzer-${Test} add_executable(LLVMFuzzer-${Test}
EXCLUDE_FROM_ALL
samsonovUnsubmitted
Not Done
ReplyInline Actions

Did you remove this line on purpose?

samsonov: Did you remove this line on purpose?
kccAuthorUnsubmitted
Not Done
ReplyInline Actions

Yes. It is not needed any more due to
if( LLVM_USE_SANITIZE_COVERAGE ) in lib/Fuzzer/CMakeLists.txt

kcc: Yes. It is not needed any more due to if( LLVM_USE_SANITIZE_COVERAGE ) in…
${Test}.cpp ${Test}.cpp
) )
target_link_libraries(LLVMFuzzer-${Test} target_link_libraries(LLVMFuzzer-${Test}
LLVMFuzzer LLVMFuzzer
) )
set(TestBinaries ${TestBinaries} LLVMFuzzer-${Test}) set(TestBinaries ${TestBinaries} LLVMFuzzer-${Test})
endforeach() endforeach()
Show All 17 Lines
target_link_libraries(LLVMFuzzer-Unittest target_link_libraries(LLVMFuzzer-Unittest
gtest gtest
gtest_main gtest_main
) )
set(TestBinaries ${TestBinaries} LLVMFuzzer-Unittest) set(TestBinaries ${TestBinaries} LLVMFuzzer-Unittest)
add_subdirectory(dfsan)
foreach(Test ${DFSanTests})
set(TestBinaries ${TestBinaries} LLVMFuzzer-${Test})
endforeach()
set_target_properties(${TestBinaries} set_target_properties(${TestBinaries}
PROPERTIES RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} PROPERTIES RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
) )
add_lit_testsuite(check-fuzzer "Running Fuzzer tests" add_lit_testsuite(check-fuzzer "Running Fuzzer tests"
${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_BINARY_DIR}
DEPENDS ${TestBinaries} FileCheck not DEPENDS ${TestBinaries} FileCheck not
) )

lib/Fuzzer/test/dfsan/

  • This directory was added.

lib/Fuzzer/test/dfsan/CMakeLists.txt

  • This file was added.
# These tests depend on both coverage and dfsan instrumentation.
set(DFSAN_FUZZER_ABI_LIST "${CMAKE_CURRENT_SOURCE_DIR}/../../dfsan_fuzzer_abi.list")
set(CMAKE_CXX_FLAGS_RELEASE
samsonovUnsubmitted
Not Done
ReplyInline Actions

You can use DFSAN_FUZZER_ABI_LIST here as well.

samsonov: You can use DFSAN_FUZZER_ABI_LIST here as well.
pccUnsubmitted
Not Done
ReplyInline Actions

Doesn't this mean that the test will only use DFSan in release builds? Probably better to set the COMPILE_FLAGS property on the target.

pcc: Doesn't this mean that the test will only use DFSan in release builds? Probably better to set…
kccAuthorUnsubmitted
Not Done
ReplyInline Actions

Err. I think I tried and it did not work.
Let me try to wrestle with it separately if/when we need a Debug build.

kcc: Err. I think I tried and it did not work. Let me try to wrestle with it separately if/when we…
pccUnsubmitted
Not Done
ReplyInline Actions

(FWIW, you might need to append to COMPILE_FLAGS as show here: http://llvm.org/klaus/llvm/blob/master/cmake/modules/AddLLVM.cmake#L-57 )

pcc: (FWIW, you might need to append to COMPILE_FLAGS as show here: http://llvm.
"${LIBFUZZER_FLAGS_BASE} -O0 -fno-sanitize=all -fsanitize=dataflow -mllvm -sanitizer-coverage-experimental-trace-compares=1 -fsanitize-blacklist=${DFSAN_FUZZER_ABI_LIST}")
foreach(Test ${DFSanTests})
set_source_files_properties(${Test}.cpp PROPERTIES OBJECT_DEPENDS ${DFSAN_FUZZER_ABI_LIST})
add_executable(LLVMFuzzer-${Test}
${Test}.cpp
samsonovUnsubmitted
Not Done
ReplyInline Actions

You probably need smth. like

set(DFSAN_FUZZER_ABI_LIST "${CMAKE_CURRENT_SOURCE_DIR}/../../dfsan_fuzzer_abi.list")
...

set_source_files_properties(${Test}.cpp PROPERTIES OBJECT_DEPENDS ${DFSAN_FUZZER_ABI_LIST})

to make sure you will recompile the test after changes to ABI list.

samsonov: You probably need smth. like set(DFSAN_FUZZER_ABI_LIST "${CMAKE_CURRENT_SOURCE_DIR}/../..
kccAuthorUnsubmitted
Not Done
ReplyInline Actions

Done, thanks!

kcc: Done, thanks!
)
target_link_libraries(LLVMFuzzer-${Test}
LLVMFuzzer
)
endforeach()

lib/Fuzzer/test/dfsan/DFSanSimpleCmpTest.cpp

  • This file was added.
// Simple test for a fuzzer. The fuzzer must find several narrow ranges.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <cstdio>
extern "C" void TestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 14) return;
uint64_t x = 0;
int64_t y = 0;
int z = 0;
unsigned short a = 0;
memcpy(&x, Data, 8);
memcpy(&y, Data + Size - 8, 8);
memcpy(&z, Data + Size / 2, sizeof(z));
memcpy(&a, Data + Size / 2 + 4, sizeof(a));
if (x > 1234567890 &&
x < 1234567895 &&
y >= 987654321 &&
y <= 987654325 &&
z < -10000 &&
z >= -10005 &&
z != -10003 &&
a == 4242) {
fprintf(stderr, "Found the target: size %zd (%zd, %zd, %d, %d), exiting.\n",
Size, x, y, z, a);
exit(1);
}
}

lib/Fuzzer/test/fuzzer.test

Show All 14 Lines
RUN: not ./LLVMFuzzer-FullCoverageSetTest -timeout=15 -seed=1 -mutate_depth=2 -use_full_coverage_set=1 2>&1 | FileCheck %s --check-prefix=FullCoverageSetTest RUN: not ./LLVMFuzzer-FullCoverageSetTest -timeout=15 -seed=1 -mutate_depth=2 -use_full_coverage_set=1 2>&1 | FileCheck %s --check-prefix=FullCoverageSetTest
FullCoverageSetTest: BINGO FullCoverageSetTest: BINGO
RUN: not ./LLVMFuzzer-FourIndependentBranchesTest -timeout=15 -seed=1 -use_coverage_pairs=1 2>&1 | FileCheck %s --check-prefix=FourIndependentBranchesTest RUN: not ./LLVMFuzzer-FourIndependentBranchesTest -timeout=15 -seed=1 -use_coverage_pairs=1 2>&1 | FileCheck %s --check-prefix=FourIndependentBranchesTest
FourIndependentBranchesTest: BINGO FourIndependentBranchesTest: BINGO
RUN: not ./LLVMFuzzer-CounterTest -use_counters=1 -max_len=6 -seed=1 -timeout=15 2>&1 | FileCheck %s --check-prefix=CounterTest RUN: not ./LLVMFuzzer-CounterTest -use_counters=1 -max_len=6 -seed=1 -timeout=15 2>&1 | FileCheck %s --check-prefix=CounterTest
CounterTest: BINGO CounterTest: BINGO
RUN: not ./LLVMFuzzer-DFSanSimpleCmpTest -seed=1 -timeout=15 2>&1 | FileCheck %s --check-prefix=DFSanSimpleCmpTest
DFSanSimpleCmpTest: Found the target: