This is an archive of the discontinued LLVM Phabricator instance.

Differential D41193

[libFuzzer] Add dummy call of LLVMFuzzerTestOneInput to afl_driver.
ClosedPublic

Authored by metzman on Dec 13 2017, 12:19 PM.

Details

Reviewers
kcc
morehouse
Commits
rG6e294952b6c0: [libFuzzer] Add dummy call of LLVMFuzzerTestOneInput to afl_driver.
rL320643: [libFuzzer] Add dummy call of LLVMFuzzerTestOneInput to afl_driver.
rCRT320643: [libFuzzer] Add dummy call of LLVMFuzzerTestOneInput to afl_driver.
Summary

Add dummy call of LLVMFuzzerTestOneInput to afl_driver before it starts
executing on actual inputs. Do this so that first time initialization
performed by LLVMFuzzerTestOneInput is not considered code covered by
a particular input.

Diff Detail

Event Timeline

metzman created this revision.Dec 13 2017, 12:19 PM
Herald added subscribers: Restricted Project, llvm-commits. · View Herald TranscriptDec 13 2017, 12:19 PM
metzman added a reviewer: kcc.Dec 13 2017, 12:20 PM
metzman updated this revision to Diff 126812.Dec 13 2017, 12:46 PM
  • Don't do dummy execution when executing files one-by-one.
Harbormaster completed remote builds in B13077: Diff 126812.Dec 13 2017, 12:46 PM
kcc accepted this revision.Dec 13 2017, 1:44 PM
kcc added a reviewer: morehouse.

LGTM
Matt, please land

This revision is now accepted and ready to land.Dec 13 2017, 1:44 PM
Closed by commit rCRT320643: [libFuzzer] Add dummy call of LLVMFuzzerTestOneInput to afl_driver. (authored by morehouse). · Explain WhyDec 13 2017, 2:03 PM
This revision was automatically updated to reflect the committed changes.
Dor1s added a subscriber: Dor1s.Dec 14 2017, 12:28 PM
Dor1s added inline comments.
lib/fuzzer/afl/afl_driver.cpp
314

nit: I'd rather do:

uint8_t dummy_input[] = {0};
LLVMFuzzerTestOneInput(dummy_input, sizeof(dummy_input));

to avoid using "magic" numbers

Revision Contents

PathSize
lib/
fuzzer/
afl/
8 lines

Diff 126839

lib/fuzzer/afl/afl_driver.cpp

Show First 20 LinesShow All 82 Lines▼ Show 20 Lines
// Used to avoid repeating error checking boilerplate. If cond is false, a // Used to avoid repeating error checking boilerplate. If cond is false, a
// fatal error has occured in the program. In this event print error_message // fatal error has occured in the program. In this event print error_message
// to stderr and abort(). Otherwise do nothing. Note that setting // to stderr and abort(). Otherwise do nothing. Note that setting
// AFL_DRIVER_STDERR_DUPLICATE_FILENAME may cause error_message to be appended // AFL_DRIVER_STDERR_DUPLICATE_FILENAME may cause error_message to be appended
// to the file as well, if the error occurs after the duplication is performed. // to the file as well, if the error occurs after the duplication is performed.
#define CHECK_ERROR(cond, error_message) \ #define CHECK_ERROR(cond, error_message) \
if (!(cond)) { \ if (!(cond)) { \
fprintf(stderr, (error_message)); \ fprintf(stderr, "%s\n", (error_message)); \
abort(); \ abort(); \
} }
// libFuzzer interface is thin, so we don't include any libFuzzer headers. // libFuzzer interface is thin, so we don't include any libFuzzer headers.
extern "C" { extern "C" {
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
} }
▲ Show 20 LinesShow All 203 Lines▼ Show 20 Lines if (argc == 2 && argv[1][0] == '-')
N = atoi(argv[1] + 1); N = atoi(argv[1] + 1);
else if(argc == 2 && (N = atoi(argv[1])) > 0) else if(argc == 2 && (N = atoi(argv[1])) > 0)
fprintf(stderr, "WARNING: using the deprecated call style `%s %d`\n", fprintf(stderr, "WARNING: using the deprecated call style `%s %d`\n",
argv[0], N); argv[0], N);
else if (argc > 1) else if (argc > 1)
return ExecuteFilesOnyByOne(argc, argv); return ExecuteFilesOnyByOne(argc, argv);
assert(N > 0); assert(N > 0);
// Call LLVMFuzzerTestOneInput here so that coverage caused by initialization
// on the first execution of LLVMFuzzerTestOneInput is ignored.
uint8_t dummy_input[1] = {0};
Dor1sUnsubmitted
Not Done
ReplyInline Actions

nit: I'd rather do:

uint8_t dummy_input[] = {0};
LLVMFuzzerTestOneInput(dummy_input, sizeof(dummy_input));

to avoid using "magic" numbers

Dor1s: nit: I'd rather do: ``` uint8_t dummy_input[] = {0}; LLVMFuzzerTestOneInput(dummy_input…
LLVMFuzzerTestOneInput(dummy_input, 1);
time_t unit_time_secs; time_t unit_time_secs;
int num_runs = 0; int num_runs = 0;
while (__afl_persistent_loop(N)) { while (__afl_persistent_loop(N)) {
ssize_t n_read = read(0, AflInputBuf, kMaxAflInputSize); ssize_t n_read = read(0, AflInputBuf, kMaxAflInputSize);
if (n_read > 0) { if (n_read > 0) {
// Copy AflInputBuf into a separate buffer to let asan find buffer // Copy AflInputBuf into a separate buffer to let asan find buffer
// overflows. Don't use unique_ptr/etc to avoid extra dependencies. // overflows. Don't use unique_ptr/etc to avoid extra dependencies.
uint8_t *copy = new uint8_t[n_read]; uint8_t *copy = new uint8_t[n_read];
Show All 23 Lines