This is an archive of the discontinued LLVM Phabricator instance.

Differential D36982

[libFuzzer] Add deep recursion test.
AbandonedPublic

Authored by morehouse on Aug 21 2017, 3:02 PM.

Download Raw Diff

Details

Reviewers

kcc

Summary

Test that libFuzzer uses -fsanitize-coverage=stack-depth instrumentation when present.
Fix a bug that caused InitialStack to change every time ExecuteCallback was called.
Make stack-depth-guided fuzzing work without compiling libFuzzer with -fsanitize-coverage=stack-depth.

Diff Detail

Build Status

Buildable 9489
Build 9489: arc lint + arc unit

Event Timeline

morehouse created this revision.Aug 21 2017, 3:02 PM

Herald added a subscriber: hiraditya. · View Herald TranscriptAug 21 2017, 3:02 PM

Please update the patch to reflect the new code location.

never mind, I've made a different change: r311421.

This one is not exactly correct: we should reset __sancov_lowest_stack on every run.

morehouse abandoned this revision.Aug 22 2017, 9:15 AM

Revision Contents

Path

Size

llvm/

lib/

Fuzzer/

FuzzerTracePC.h

2 lines

FuzzerTracePC.cpp

5 lines

test/

deep-recursion.test

4 lines

Diff 112066

llvm/lib/Fuzzer/FuzzerTracePC.h

Show First 20 Lines • Show All 150 Lines • ▼ Show 20 Lines	private:
size_t NumPCsInPCTables;		size_t NumPCsInPCTables;

uint8_t *Counters() const;		uint8_t *Counters() const;
uintptr_t *PCs() const;		uintptr_t *PCs() const;

std::set<uintptr_t> ObservedPCs;		std::set<uintptr_t> ObservedPCs;

ValueBitMap ValueProfileMap;		ValueBitMap ValueProfileMap;
uintptr_t InitialStack;		uintptr_t InitialStack = 0;
};		};

template <class Callback>		template <class Callback>
// void Callback(size_t FirstFeature, size_t Idx, uint8_t Value);		// void Callback(size_t FirstFeature, size_t Idx, uint8_t Value);
ATTRIBUTE_NO_SANITIZE_ALL		ATTRIBUTE_NO_SANITIZE_ALL
void ForEachNonZeroByte(const uint8_t Begin, const uint8_t End,		void ForEachNonZeroByte(const uint8_t Begin, const uint8_t End,
size_t FirstFeature, Callback Handle8bitCounter) {		size_t FirstFeature, Callback Handle8bitCounter) {
typedef uintptr_t LargeType;		typedef uintptr_t LargeType;
▲ Show 20 Lines • Show All 90 Lines • Show Last 20 Lines

llvm/lib/Fuzzer/FuzzerTracePC.cpp

Show All 26 Lines
// experiments with inlined instrumentation.		// experiments with inlined instrumentation.
alignas(64) ATTRIBUTE_INTERFACE		alignas(64) ATTRIBUTE_INTERFACE
uint8_t __sancov_trace_pc_guard_8bit_counters[fuzzer::TracePC::kNumPCs];		uint8_t __sancov_trace_pc_guard_8bit_counters[fuzzer::TracePC::kNumPCs];

ATTRIBUTE_INTERFACE		ATTRIBUTE_INTERFACE
uintptr_t __sancov_trace_pc_pcs[fuzzer::TracePC::kNumPCs];		uintptr_t __sancov_trace_pc_pcs[fuzzer::TracePC::kNumPCs];

// Used by -fsanitize-coverage=stack-depth to track stack depth		// Used by -fsanitize-coverage=stack-depth to track stack depth
ATTRIBUTE_INTERFACE thread_local uintptr_t __sancov_lowest_stack;		ATTRIBUTE_INTERFACE thread_local uintptr_t __sancov_lowest_stack = UINTPTR_MAX;

namespace fuzzer {		namespace fuzzer {

TracePC TPC;		TracePC TPC;

int ScopedDoingMyOwnMemOrStr::DoingMyOwnMemOrStr;		int ScopedDoingMyOwnMemOrStr::DoingMyOwnMemOrStr;

uint8_t *TracePC::Counters() const {		uint8_t *TracePC::Counters() const {
▲ Show 20 Lines • Show All 295 Lines • ▼ Show 20 Lines	void TracePC::ClearInlineCounters() {
for (size_t i = 0; i < NumModulesWithInline8bitCounters; i++) {		for (size_t i = 0; i < NumModulesWithInline8bitCounters; i++) {
uint8_t *Beg = ModuleCounters[i].Start;		uint8_t *Beg = ModuleCounters[i].Start;
size_t Size = ModuleCounters[i].Stop - Beg;		size_t Size = ModuleCounters[i].Stop - Beg;
memset(Beg, 0, Size);		memset(Beg, 0, Size);
}		}
}		}

void TracePC::RecordInitialStack() {		void TracePC::RecordInitialStack() {
		if (InitialStack == 0)
InitialStack = __sancov_lowest_stack;		InitialStack = __sancov_lowest_stack;
}		}

uintptr_t TracePC::GetMaxStackOffset() const {		uintptr_t TracePC::GetMaxStackOffset() const {
return InitialStack - __sancov_lowest_stack; // Stack grows down		return InitialStack - __sancov_lowest_stack; // Stack grows down
}		}

} // namespace fuzzer		} // namespace fuzzer

▲ Show 20 Lines • Show All 228 Lines • Show Last 20 Lines

llvm/lib/Fuzzer/test/deep-recursion.test

This file was added.

				RUN: %cpp_compiler -fsanitize-coverage=stack-depth %S/DeepRecursionTest.cpp \
				RUN: -o %t
				RUN: not %t -seed=1 -runs=100000000 2>&1 \| FileCheck %s
				CHECK: ERROR: libFuzzer: deadly signal