This is an archive of the discontinued LLVM Phabricator instance.

Differential D44798

[libFuzzer] Use OptForFuzzing attribute with -fsanitize=fuzzer.
ClosedPublic

Authored by morehouse on Mar 22 2018, 12:08 PM.

Details

Reviewers
kcc
vitalybuka
Commits
rG5317f2e4c907: [libFuzzer] Use OptForFuzzing attribute with -fsanitize=fuzzer.
rCRT328384: [libFuzzer] Use OptForFuzzing attribute with -fsanitize=fuzzer.
rL328384: [libFuzzer] Use OptForFuzzing attribute with -fsanitize=fuzzer.
rC328384: [libFuzzer] Use OptForFuzzing attribute with -fsanitize=fuzzer.
Summary

Disables certain CMP optimizations to improve fuzzing signal under -O1
and -O2.

Switches all fuzzer tests to -O2 except for a few leak tests where the
leak is optimized out under -O2.

Diff Detail

Repository
rC Clang

Event Timeline

morehouse created this revision.Mar 22 2018, 12:08 PM
morehouse added a comment.Mar 22 2018, 12:12 PM

16-bit variables are switched to 32-bit variables in SwapCmpTest.cpp and SimpleCmpTest.cpp. This is because those tests rely on libFuzzer's TraceCMP heuristic to pass, but 16-bit compares are not considered for the heuristic.

The only reason the test used to pass was because under -O0 16-bit compares are promoted to 32-bit compares.

vitalybuka accepted this revision.Mar 22 2018, 1:58 PM
vitalybuka added inline comments.
compiler-rt/test/fuzzer/lit.cfg
88 ↗(On Diff #139491)

Maybe instead of new substitutions, better just explicitly add -O0 into tests

This revision is now accepted and ready to land.Mar 22 2018, 1:58 PM
morehouse updated this revision to Diff 139673.Mar 23 2018, 4:36 PM
  • Remove new substitutions. Use -O0 to avoid optimization.
morehouse marked an inline comment as done.Mar 23 2018, 4:36 PM
Closed by commit rC328384: [libFuzzer] Use OptForFuzzing attribute with -fsanitize=fuzzer. (authored by morehouse). · Explain WhyMar 23 2018, 4:40 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
CodeGen/
4 lines

Diff 139675

lib/CodeGen/CodeGenFunction.cpp

Show First 20 LinesShow All 856 Lines▼ Show 20 Lines if (SanOpts.hasOneOf(SanitizerKind::HWAddress))
Fn->addFnAttr(llvm::Attribute::SanitizeHWAddress); Fn->addFnAttr(llvm::Attribute::SanitizeHWAddress);
if (SanOpts.has(SanitizerKind::Thread)) if (SanOpts.has(SanitizerKind::Thread))
Fn->addFnAttr(llvm::Attribute::SanitizeThread); Fn->addFnAttr(llvm::Attribute::SanitizeThread);
if (SanOpts.has(SanitizerKind::Memory)) if (SanOpts.has(SanitizerKind::Memory))
Fn->addFnAttr(llvm::Attribute::SanitizeMemory); Fn->addFnAttr(llvm::Attribute::SanitizeMemory);
if (SanOpts.has(SanitizerKind::SafeStack)) if (SanOpts.has(SanitizerKind::SafeStack))
Fn->addFnAttr(llvm::Attribute::SafeStack); Fn->addFnAttr(llvm::Attribute::SafeStack);
// Apply fuzzing attribute to the function.
if (SanOpts.hasOneOf(SanitizerKind::Fuzzer | SanitizerKind::FuzzerNoLink))
Fn->addFnAttr(llvm::Attribute::OptForFuzzing);
// Ignore TSan memory acesses from within ObjC/ObjC++ dealloc, initialize, // Ignore TSan memory acesses from within ObjC/ObjC++ dealloc, initialize,
// .cxx_destruct, __destroy_helper_block_ and all of their calees at run time. // .cxx_destruct, __destroy_helper_block_ and all of their calees at run time.
if (SanOpts.has(SanitizerKind::Thread)) { if (SanOpts.has(SanitizerKind::Thread)) {
if (const auto *OMD = dyn_cast_or_null<ObjCMethodDecl>(D)) { if (const auto *OMD = dyn_cast_or_null<ObjCMethodDecl>(D)) {
IdentifierInfo *II = OMD->getSelector().getIdentifierInfoForSlot(0); IdentifierInfo *II = OMD->getSelector().getIdentifierInfoForSlot(0);
if (OMD->getMethodFamily() == OMF_dealloc || if (OMD->getMethodFamily() == OMF_dealloc ||
OMD->getMethodFamily() == OMF_initialize || OMD->getMethodFamily() == OMF_initialize ||
(OMD->getSelector().isUnarySelector() && II->isStr(".cxx_destruct"))) { (OMD->getSelector().isUnarySelector() && II->isStr(".cxx_destruct"))) {
▲ Show 20 LinesShow All 1,514 LinesShow Last 20 Lines