This is an archive of the discontinued LLVM Phabricator instance.

Differential D46277

[libFuzzer] Report at most one crash per input.
ClosedPublic

Authored by morehouse on Apr 30 2018, 11:15 AM.

Details

Reviewers
kcc
Commits
rG52fd16903569: [libFuzzer] Report at most one crash per input.
rCRT331310: [libFuzzer] Report at most one crash per input.
rL331310: [libFuzzer] Report at most one crash per input.
Summary

Fixes https://github.com/google/sanitizers/issues/788/, a deadlock
caused by multiple crashes happening at the same time. Before printing
a crash report, we now test and set an atomic flag. If the flag was
already set, the crash handler returns immediately.

Diff Detail

Event Timeline

morehouse created this revision.Apr 30 2018, 11:15 AM
Harbormaster completed remote builds in B17544: Diff 144595.Apr 30 2018, 11:15 AM
Herald added a subscriber: kubamracek. · View Herald TranscriptApr 30 2018, 11:15 AM
kcc added inline comments.May 1 2018, 12:19 PM
compiler-rt/lib/asan/asan_report.cc
137

Will check-asan pass with this?
__sanitizer_acquire_crash_state is weak, and is not defined w/o libFuzzer, so you should get a null deref here. No?

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
382

I was thinking about implementing this function in sanitizer_common, and not making it weak.

morehouse added inline comments.May 1 2018, 12:26 PM
compiler-rt/lib/asan/asan_report.cc
137

check-asan passes. This is defined weakly in sanitizer_common.cc, so it shouldn't be a nullptr.

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
382

I defined it weakly in sanitizer_common.cc so that recovery mode shouldn't be affected.

kcc added inline comments.May 1 2018, 12:51 PM
compiler-rt/lib/asan/asan_report.cc
137

I would rather define this function (non-weak) in sanitizer_common and check halt_on_error_ before calling it there.
This will make it work with the recovery mode. Right?

morehouse updated this revision to Diff 144770.May 1 2018, 1:16 PM
  • Define __sanitizer_acquire_crash_state() in sanitizer_common.
morehouse marked an inline comment as done.May 1 2018, 1:16 PM
kcc added inline comments.May 1 2018, 1:21 PM
compiler-rt/lib/sanitizer_common/sanitizer_common.cc
352

redundant empty line

compiler-rt/lib/sanitizer_common/sanitizer_interface_internal.h
65

Since this is used by libFuzzer, it's not an internal interface, but a public one, so move it to include/sanitizer/common_interface_defs.h
Also, make it return int, to make more C-friendly, update the comment accordingly.

compiler-rt/test/fuzzer/AcquireCrashStateTest.cpp
11

Instead of this, include sanitizer/common_interface_defs.h

morehouse updated this revision to Diff 144776.May 1 2018, 1:44 PM
  • Add __sanitizer_acquire_crash_state to public interface.
Harbormaster completed remote builds in B17586: Diff 144776.May 1 2018, 1:45 PM
morehouse marked 3 inline comments as done.May 1 2018, 1:46 PM
morehouse added inline comments.
compiler-rt/lib/sanitizer_common/sanitizer_interface_internal.h
65

Still kept this declaration also, following the pattern of other public interfaces that are defined internally.

kcc accepted this revision.May 1 2018, 1:49 PM

LGTM

This revision is now accepted and ready to land.May 1 2018, 1:49 PM
Closed by commit rL331310: [libFuzzer] Report at most one crash per input. (authored by morehouse). · Explain WhyMay 1 2018, 2:06 PM
This revision was automatically updated to reflect the committed changes.
morehouse marked an inline comment as done.
Herald added a subscriber: delcypher. · View Herald TranscriptMay 1 2018, 2:06 PM

Revision Contents

Diff 144595

compiler-rt/lib/asan/asan_report.cc

Show First 20 LinesShow All 128 Lines▼ Show 20 Lines explicit ScopedInErrorReport(bool fatal = false)
// We can lock them only here to avoid self-deadlock in case of // We can lock them only here to avoid self-deadlock in case of
// recursive reports. // recursive reports.
asanThreadRegistry().Lock(); asanThreadRegistry().Lock();
Printf( Printf(
"=================================================================\n"); "=================================================================\n");
} }
~ScopedInErrorReport() { ~ScopedInErrorReport() {
if (!__sanitizer_acquire_crash_state()) {
kccUnsubmitted
Not Done
ReplyInline Actions

Will check-asan pass with this?
__sanitizer_acquire_crash_state is weak, and is not defined w/o libFuzzer, so you should get a null deref here. No?

kcc: Will check-asan pass with this? __sanitizer_acquire_crash_state is weak, and is not defined…
morehouseAuthorUnsubmitted
Not Done
ReplyInline Actions

check-asan passes. This is defined weakly in sanitizer_common.cc, so it shouldn't be a nullptr.

morehouse: check-asan passes. This is defined weakly in sanitizer_common.cc, so it shouldn't be a nullptr.
kccUnsubmitted
Done
ReplyInline Actions

I would rather define this function (non-weak) in sanitizer_common and check halt_on_error_ before calling it there.
This will make it work with the recovery mode. Right?

kcc: I would rather define this function (non-weak) in sanitizer_common and check `halt_on_error_`…
asanThreadRegistry().Unlock();
return;
}
ASAN_ON_ERROR(); ASAN_ON_ERROR();
if (current_error_.IsValid()) current_error_.Print(); if (current_error_.IsValid()) current_error_.Print();
// Make sure the current thread is announced. // Make sure the current thread is announced.
DescribeThread(GetCurrentThread()); DescribeThread(GetCurrentThread());
// We may want to grab this lock again when printing stats. // We may want to grab this lock again when printing stats.
asanThreadRegistry().Unlock(); asanThreadRegistry().Unlock();
// Print memory stats. // Print memory stats.
▲ Show 20 LinesShow All 396 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerExtFunctions.def

Show All 23 LinesEXT_FUNC(LLVMFuzzerCustomCrossOver, size_t,
const uint8_t * Data2, size_t Size2, const uint8_t * Data2, size_t Size2,
uint8_t * Out, size_t MaxOutSize, unsigned int Seed), uint8_t * Out, size_t MaxOutSize, unsigned int Seed),
false); false);
// Sanitizer functions // Sanitizer functions
EXT_FUNC(__lsan_enable, void, (), false); EXT_FUNC(__lsan_enable, void, (), false);
EXT_FUNC(__lsan_disable, void, (), false); EXT_FUNC(__lsan_disable, void, (), false);
EXT_FUNC(__lsan_do_recoverable_leak_check, int, (), false); EXT_FUNC(__lsan_do_recoverable_leak_check, int, (), false);
EXT_FUNC(__sanitizer_acquire_crash_state, bool, (), true);
EXT_FUNC(__sanitizer_install_malloc_and_free_hooks, int, EXT_FUNC(__sanitizer_install_malloc_and_free_hooks, int,
(void (*malloc_hook)(const volatile void *, size_t), (void (*malloc_hook)(const volatile void *, size_t),
void (*free_hook)(const volatile void *)), void (*free_hook)(const volatile void *)),
false); false);
EXT_FUNC(__sanitizer_purge_allocator, void, (), false); EXT_FUNC(__sanitizer_purge_allocator, void, (), false);
EXT_FUNC(__sanitizer_print_memory_profile, int, (size_t, size_t), false); EXT_FUNC(__sanitizer_print_memory_profile, int, (size_t, size_t), false);
EXT_FUNC(__sanitizer_print_stack_trace, void, (), true); EXT_FUNC(__sanitizer_print_stack_trace, void, (), true);
EXT_FUNC(__sanitizer_symbolize_pc, void, EXT_FUNC(__sanitizer_symbolize_pc, void,
(void *, const char *fmt, char *out_buf, size_t out_buf_size), false); (void *, const char *fmt, char *out_buf, size_t out_buf_size), false);
EXT_FUNC(__sanitizer_get_module_and_offset_for_pc, int, EXT_FUNC(__sanitizer_get_module_and_offset_for_pc, int,
(void *pc, char *module_path, (void *pc, char *module_path,
size_t module_path_len,void **pc_offset), false); size_t module_path_len,void **pc_offset), false);
EXT_FUNC(__sanitizer_set_death_callback, void, (void (*)(void)), true); EXT_FUNC(__sanitizer_set_death_callback, void, (void (*)(void)), true);
EXT_FUNC(__sanitizer_set_report_fd, void, (void*), false); EXT_FUNC(__sanitizer_set_report_fd, void, (void*), false);
EXT_FUNC(__sanitizer_dump_coverage, void, (const uintptr_t *, uintptr_t), EXT_FUNC(__sanitizer_dump_coverage, void, (const uintptr_t *, uintptr_t),
false); false);

compiler-rt/lib/fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 222 Lines▼ Show 20 Lines
} }
void Fuzzer::StaticFileSizeExceedCallback() { void Fuzzer::StaticFileSizeExceedCallback() {
Printf("==%lu== ERROR: libFuzzer: file size exceeded\n", GetPid()); Printf("==%lu== ERROR: libFuzzer: file size exceeded\n", GetPid());
exit(1); exit(1);
} }
void Fuzzer::CrashCallback() { void Fuzzer::CrashCallback() {
if (EF->__sanitizer_acquire_crash_state &&
!EF->__sanitizer_acquire_crash_state())
return;
Printf("==%lu== ERROR: libFuzzer: deadly signal\n", GetPid()); Printf("==%lu== ERROR: libFuzzer: deadly signal\n", GetPid());
if (EF->__sanitizer_print_stack_trace) if (EF->__sanitizer_print_stack_trace)
EF->__sanitizer_print_stack_trace(); EF->__sanitizer_print_stack_trace();
Printf("NOTE: libFuzzer has rudimentary signal handlers.\n" Printf("NOTE: libFuzzer has rudimentary signal handlers.\n"
" Combine libFuzzer with AddressSanitizer or similar for better " " Combine libFuzzer with AddressSanitizer or similar for better "
"crash reports.\n"); "crash reports.\n");
Printf("SUMMARY: libFuzzer: deadly signal\n"); Printf("SUMMARY: libFuzzer: deadly signal\n");
DumpCurrentUnit("crash-"); DumpCurrentUnit("crash-");
PrintFinalStats(); PrintFinalStats();
_Exit(Options.ErrorExitCode); // Stop right now. _Exit(Options.ErrorExitCode); // Stop right now.
} }
void Fuzzer::ExitCallback() { void Fuzzer::ExitCallback() {
if (!RunningCB) if (!RunningCB)
return; // This exit did not come from the user callback return; // This exit did not come from the user callback
if (EF->__sanitizer_acquire_crash_state &&
!EF->__sanitizer_acquire_crash_state())
return;
Printf("==%lu== ERROR: libFuzzer: fuzz target exited\n", GetPid()); Printf("==%lu== ERROR: libFuzzer: fuzz target exited\n", GetPid());
if (EF->__sanitizer_print_stack_trace) if (EF->__sanitizer_print_stack_trace)
EF->__sanitizer_print_stack_trace(); EF->__sanitizer_print_stack_trace();
Printf("SUMMARY: libFuzzer: fuzz target exited\n"); Printf("SUMMARY: libFuzzer: fuzz target exited\n");
DumpCurrentUnit("crash-"); DumpCurrentUnit("crash-");
PrintFinalStats(); PrintFinalStats();
_Exit(Options.ErrorExitCode); _Exit(Options.ErrorExitCode);
} }
Show All 23 Lines if (!RunningCB)
return; // We have not started running units yet. return; // We have not started running units yet.
size_t Seconds = size_t Seconds =
duration_cast<seconds>(system_clock::now() - UnitStartTime).count(); duration_cast<seconds>(system_clock::now() - UnitStartTime).count();
if (Seconds == 0) if (Seconds == 0)
return; return;
if (Options.Verbosity >= 2) if (Options.Verbosity >= 2)
Printf("AlarmCallback %zd\n", Seconds); Printf("AlarmCallback %zd\n", Seconds);
if (Seconds >= (size_t)Options.UnitTimeoutSec) { if (Seconds >= (size_t)Options.UnitTimeoutSec) {
if (EF->__sanitizer_acquire_crash_state &&
!EF->__sanitizer_acquire_crash_state())
return;
Printf("ALARM: working on the last Unit for %zd seconds\n", Seconds); Printf("ALARM: working on the last Unit for %zd seconds\n", Seconds);
Printf(" and the timeout value is %d (use -timeout=N to change)\n", Printf(" and the timeout value is %d (use -timeout=N to change)\n",
Options.UnitTimeoutSec); Options.UnitTimeoutSec);
DumpCurrentUnit("timeout-"); DumpCurrentUnit("timeout-");
Printf("==%lu== ERROR: libFuzzer: timeout after %d seconds\n", GetPid(), Printf("==%lu== ERROR: libFuzzer: timeout after %d seconds\n", GetPid(),
Seconds); Seconds);
if (EF->__sanitizer_print_stack_trace) if (EF->__sanitizer_print_stack_trace)
EF->__sanitizer_print_stack_trace(); EF->__sanitizer_print_stack_trace();
Printf("SUMMARY: libFuzzer: timeout\n"); Printf("SUMMARY: libFuzzer: timeout\n");
PrintFinalStats(); PrintFinalStats();
_Exit(Options.TimeoutExitCode); // Stop right now. _Exit(Options.TimeoutExitCode); // Stop right now.
} }
} }
void Fuzzer::RssLimitCallback() { void Fuzzer::RssLimitCallback() {
if (EF->__sanitizer_acquire_crash_state &&
!EF->__sanitizer_acquire_crash_state())
return;
Printf( Printf(
"==%lu== ERROR: libFuzzer: out-of-memory (used: %zdMb; limit: %zdMb)\n", "==%lu== ERROR: libFuzzer: out-of-memory (used: %zdMb; limit: %zdMb)\n",
GetPid(), GetPeakRSSMb(), Options.RssLimitMb); GetPid(), GetPeakRSSMb(), Options.RssLimitMb);
Printf(" To change the out-of-memory limit use -rss_limit_mb=<N>\n\n"); Printf(" To change the out-of-memory limit use -rss_limit_mb=<N>\n\n");
if (EF->__sanitizer_print_memory_profile) if (EF->__sanitizer_print_memory_profile)
EF->__sanitizer_print_memory_profile(95, 8); EF->__sanitizer_print_memory_profile(95, 8);
DumpCurrentUnit("oom-"); DumpCurrentUnit("oom-");
Printf("SUMMARY: libFuzzer: out-of-memory\n"); Printf("SUMMARY: libFuzzer: out-of-memory\n");
▲ Show 20 LinesShow All 532 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp

Show All 14 Lines
#include "FuzzerTracePC.h" #include "FuzzerTracePC.h"
#include "FuzzerCorpus.h" #include "FuzzerCorpus.h"
#include "FuzzerDefs.h" #include "FuzzerDefs.h"
#include "FuzzerDictionary.h" #include "FuzzerDictionary.h"
#include "FuzzerExtFunctions.h" #include "FuzzerExtFunctions.h"
#include "FuzzerIO.h" #include "FuzzerIO.h"
#include "FuzzerUtil.h" #include "FuzzerUtil.h"
#include "FuzzerValueBitMap.h" #include "FuzzerValueBitMap.h"
#include <atomic>
#include <set> #include <set>
// The coverage counters and PCs. // The coverage counters and PCs.
// These are declared as global variables named "__sancov_*" to simplify // These are declared as global variables named "__sancov_*" to simplify
// experiments with inlined instrumentation. // experiments with inlined instrumentation.
alignas(64) ATTRIBUTE_INTERFACE alignas(64) ATTRIBUTE_INTERFACE
uint8_t __sancov_trace_pc_guard_8bit_counters[fuzzer::TracePC::kNumPCs]; uint8_t __sancov_trace_pc_guard_8bit_counters[fuzzer::TracePC::kNumPCs];
▲ Show 20 LinesShow All 339 Lines▼ Show 20 Lines
uintptr_t TracePC::GetMaxStackOffset() const { uintptr_t TracePC::GetMaxStackOffset() const {
return InitialStack - __sancov_lowest_stack; // Stack grows down return InitialStack - __sancov_lowest_stack; // Stack grows down
} }
} // namespace fuzzer } // namespace fuzzer
extern "C" { extern "C" {
// Ensures at most one crash report is printed per input execution.
ATTRIBUTE_INTERFACE
ATTRIBUTE_NO_SANITIZE_ALL
bool __sanitizer_acquire_crash_state() {
kccUnsubmitted
Not Done
ReplyInline Actions

I was thinking about implementing this function in sanitizer_common, and not making it weak.

kcc: I was thinking about implementing this function in sanitizer_common, and not making it weak.
morehouseAuthorUnsubmitted
Not Done
ReplyInline Actions

I defined it weakly in sanitizer_common.cc so that recovery mode shouldn't be affected.

morehouse: I defined it weakly in sanitizer_common.cc so that recovery mode shouldn't be affected.
static std::atomic<bool> InCrashState(false);
return !InCrashState.exchange(true, std::memory_order_relaxed);
}
ATTRIBUTE_INTERFACE ATTRIBUTE_INTERFACE
ATTRIBUTE_NO_SANITIZE_ALL ATTRIBUTE_NO_SANITIZE_ALL
void __sanitizer_cov_trace_pc_guard(uint32_t *Guard) { void __sanitizer_cov_trace_pc_guard(uint32_t *Guard) {
uintptr_t PC = reinterpret_cast<uintptr_t>(__builtin_return_address(0)); uintptr_t PC = reinterpret_cast<uintptr_t>(__builtin_return_address(0));
uint32_t Idx = *Guard; uint32_t Idx = *Guard;
__sancov_trace_pc_pcs[Idx] = PC; __sancov_trace_pc_pcs[Idx] = PC;
__sancov_trace_pc_guard_8bit_counters[Idx]++; __sancov_trace_pc_guard_8bit_counters[Idx]++;
} }
▲ Show 20 LinesShow All 220 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_common.cc

Show First 20 LinesShow All 337 Lines▼ Show 20 Lines
using namespace __sanitizer; // NOLINT using namespace __sanitizer; // NOLINT
extern "C" { extern "C" {
SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_report_error_summary, SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_report_error_summary,
const char *error_summary) { const char *error_summary) {
Printf("%s\n", error_summary); Printf("%s\n", error_summary);
} }
SANITIZER_INTERFACE_WEAK_DEF(bool, __sanitizer_acquire_crash_state, void) {
return true;
}
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
void __sanitizer_set_death_callback(void (*callback)(void)) { void __sanitizer_set_death_callback(void (*callback)(void)) {
SetUserDieCallback(callback); SetUserDieCallback(callback);
kccUnsubmitted
Done
ReplyInline Actions

redundant empty line

kcc: redundant empty line
} }
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
int __sanitizer_install_malloc_and_free_hooks(void (*malloc_hook)(const void *, int __sanitizer_install_malloc_and_free_hooks(void (*malloc_hook)(const void *,
uptr), uptr),
void (*free_hook)(const void *)) { void (*free_hook)(const void *)) {
return InstallMallocFreeHooks(malloc_hook, free_hook); return InstallMallocFreeHooks(malloc_hook, free_hook);
} }
} // extern "C" } // extern "C"

compiler-rt/lib/sanitizer_common/sanitizer_common_interface.inc

//===-- sanitizer_common_interface.inc ------------------------------------===// //===-- sanitizer_common_interface.inc ------------------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Sanitizer Common interface list. // Sanitizer Common interface list.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
INTERFACE_FUNCTION(__sanitizer_annotate_contiguous_container) INTERFACE_FUNCTION(__sanitizer_annotate_contiguous_container)
INTERFACE_FUNCTION(__sanitizer_contiguous_container_find_bad_address) INTERFACE_FUNCTION(__sanitizer_contiguous_container_find_bad_address)
INTERFACE_FUNCTION(__sanitizer_set_death_callback) INTERFACE_FUNCTION(__sanitizer_set_death_callback)
INTERFACE_FUNCTION(__sanitizer_set_report_path) INTERFACE_FUNCTION(__sanitizer_set_report_path)
INTERFACE_FUNCTION(__sanitizer_set_report_fd) INTERFACE_FUNCTION(__sanitizer_set_report_fd)
INTERFACE_FUNCTION(__sanitizer_verify_contiguous_container) INTERFACE_FUNCTION(__sanitizer_verify_contiguous_container)
INTERFACE_WEAK_FUNCTION(__sanitizer_acquire_crash_state)
INTERFACE_WEAK_FUNCTION(__sanitizer_report_error_summary) INTERFACE_WEAK_FUNCTION(__sanitizer_report_error_summary)
INTERFACE_WEAK_FUNCTION(__sanitizer_sandbox_on_notify) INTERFACE_WEAK_FUNCTION(__sanitizer_sandbox_on_notify)
// Sanitizer weak hooks // Sanitizer weak hooks
INTERFACE_WEAK_FUNCTION(__sanitizer_weak_hook_memcmp) INTERFACE_WEAK_FUNCTION(__sanitizer_weak_hook_memcmp)
INTERFACE_WEAK_FUNCTION(__sanitizer_weak_hook_strcmp) INTERFACE_WEAK_FUNCTION(__sanitizer_weak_hook_strcmp)
INTERFACE_WEAK_FUNCTION(__sanitizer_weak_hook_strncmp) INTERFACE_WEAK_FUNCTION(__sanitizer_weak_hook_strncmp)
INTERFACE_WEAK_FUNCTION(__sanitizer_weak_hook_strstr) INTERFACE_WEAK_FUNCTION(__sanitizer_weak_hook_strstr)
// Stacktrace interface. // Stacktrace interface.
Show All 16 Lines

compiler-rt/lib/sanitizer_common/sanitizer_interface_internal.h

Show All 40 Lines SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE void
__sanitizer_sandbox_on_notify(__sanitizer_sandbox_arguments *args); __sanitizer_sandbox_on_notify(__sanitizer_sandbox_arguments *args);
// This function is called by the tool when it has just finished reporting // This function is called by the tool when it has just finished reporting
// an error. 'error_summary' is a one-line string that summarizes // an error. 'error_summary' is a one-line string that summarizes
// the error message. This function can be overridden by the client. // the error message. This function can be overridden by the client.
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE
void __sanitizer_report_error_summary(const char *error_summary); void __sanitizer_report_error_summary(const char *error_summary);
// This function is called by the tool before printing a crash report. If
// this function returns true, the crash report is printed, otherwise it is
// not. This function can be overridden by the client.
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE bool
__sanitizer_acquire_crash_state();
SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_dump(); SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_dump();
SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_coverage( SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_coverage(
const __sanitizer::uptr *pcs, const __sanitizer::uptr len); const __sanitizer::uptr *pcs, const __sanitizer::uptr len);
SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_trace_pc_guard_coverage(); SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_trace_pc_guard_coverage();
SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov(__sanitizer::u32 *guard); SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov(__sanitizer::u32 *guard);
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
void __sanitizer_annotate_contiguous_container(const void *beg, void __sanitizer_annotate_contiguous_container(const void *beg,
const void *end, const void *end,
const void *old_mid, const void *old_mid,
const void *new_mid); const void *new_mid);
kccUnsubmitted
Done
ReplyInline Actions

Since this is used by libFuzzer, it's not an internal interface, but a public one, so move it to include/sanitizer/common_interface_defs.h
Also, make it return int, to make more C-friendly, update the comment accordingly.

kcc: Since this is used by libFuzzer, it's not an internal interface, but a public one, so move it…
morehouseAuthorUnsubmitted
Not Done
ReplyInline Actions

Still kept this declaration also, following the pattern of other public interfaces that are defined internally.

morehouse: Still kept this declaration also, following the pattern of other public interfaces that are…
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
int __sanitizer_verify_contiguous_container(const void *beg, const void *mid, int __sanitizer_verify_contiguous_container(const void *beg, const void *mid,
const void *end); const void *end);
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
const void *__sanitizer_contiguous_container_find_bad_address( const void *__sanitizer_contiguous_container_find_bad_address(
const void *beg, const void *mid, const void *end); const void *beg, const void *mid, const void *end);
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
▲ Show 20 LinesShow All 44 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/weak_symbols.txt

___sanitizer_acquire_crash_state
___sanitizer_free_hook ___sanitizer_free_hook
___sanitizer_malloc_hook ___sanitizer_malloc_hook
___sanitizer_report_error_summary ___sanitizer_report_error_summary
___sanitizer_sandbox_on_notify ___sanitizer_sandbox_on_notify
___sanitizer_symbolize_code ___sanitizer_symbolize_code
___sanitizer_symbolize_data ___sanitizer_symbolize_data
___sanitizer_symbolize_demangle ___sanitizer_symbolize_demangle
___sanitizer_symbolize_flush ___sanitizer_symbolize_flush

compiler-rt/test/fuzzer/AcquireCrashStateTest.cpp

  • This file was added.
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Ensures that error reports are suppressed after
// __sanitizer_acquire_crash_state() has been called the first time.
#include <cassert>
#include <cstdint>
#include <cstdlib>
extern "C" bool __sanitizer_acquire_crash_state();
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
kccUnsubmitted
Done
ReplyInline Actions

Instead of this, include sanitizer/common_interface_defs.h

kcc: Instead of this, include sanitizer/common_interface_defs.h
assert(Data);
if (Size == 0) return 0;
__sanitizer_acquire_crash_state();
exit(0); // No report should be generated here.
}

compiler-rt/test/fuzzer/acquire-crash-state.test

  • This file was added.
RUN: %cpp_compiler %S/AcquireCrashStateTest.cpp -o %t
RUN: %t 2>&1 | FileCheck %s
CHECK-NOT: fuzz target exited