This is an archive of the discontinued LLVM Phabricator instance.

Differential D48891

[libFuzzer] Make -fsanitize=memory,fuzzer work.
ClosedPublic

Authored by morehouse on Jul 3 2018, 12:27 PM.

Details

Reviewers
kcc
Commits
rGa34c65e845dc: [libFuzzer] Make -fsanitize=memory,fuzzer work.
rL336619: [libFuzzer] Make -fsanitize=memory,fuzzer work.
rCRT336619: [libFuzzer] Make -fsanitize=memory,fuzzer work.
Summary

This patch allows libFuzzer to fuzz applications instrumented with MSan
without recompiling libFuzzer with MSan instrumentation.

Fixes https://github.com/google/sanitizers/issues/958.

Diff Detail

Event Timeline

morehouse created this revision.Jul 3 2018, 12:27 PM
Harbormaster completed remote builds in B19991: Diff 153955.Jul 3 2018, 12:27 PM
morehouse added a parent revision: D48890: [MSan] Add functions to enable/disable interceptor checks..Jul 3 2018, 12:29 PM
kcc added inline comments.Jul 3 2018, 1:23 PM
compiler-rt/lib/fuzzer/FuzzerLoop.cpp
182 ↗(On Diff #153955)

why do you need this here?

compiler-rt/test/fuzzer/msan.test
17 ↗(On Diff #153955)

it would be nice to have a separate msan-ish test with a real msan-ish bug (not a buffer overflow)

morehouse added inline comments.Jul 3 2018, 2:43 PM
compiler-rt/lib/fuzzer/FuzzerLoop.cpp
182 ↗(On Diff #153955)

DumpCurrentUnit is called from most error callbacks. When that happens, interceptor checks are still active.

Since we eventually call fopen to write out the current unit, we need to disable interceptor checks again here.

kcc added inline comments.Jul 3 2018, 2:54 PM
compiler-rt/lib/fuzzer/FuzzerLoop.cpp
182 ↗(On Diff #153955)

ACK. please make it a scoped operator (a class with a CTOR calling disable and DTOR calling enable).

morehouse updated this revision to Diff 154011.Jul 3 2018, 4:08 PM
  • Merge branch 'memfuzz' into memfuzz2
  • Sync with parent patch.
  • Added use-after-dtor test.
  • Disable/enable MSan interceptors via scoped class.
Harbormaster completed remote builds in B20006: Diff 154011.Jul 3 2018, 4:08 PM
morehouse marked 2 inline comments as done.Jul 3 2018, 4:09 PM
kcc added inline comments.Jul 3 2018, 4:15 PM
compiler-rt/lib/fuzzer/FuzzerDriver.cpp
541 ↗(On Diff #154011)

errr. this sounds like an overkill.
If you never destruct this, then just call __msan_scoped_disable_interceptor_checks

compiler-rt/lib/fuzzer/FuzzerInternal.h
155 ↗(On Diff #154011)

you only ever need ScopedEnable, right?
never ScopedDisable

compiler-rt/lib/fuzzer/FuzzerLoop.cpp
182 ↗(On Diff #154011)

Do you need this extra scope here?

519 ↗(On Diff #154011)

why Data, not DataCopy?

compiler-rt/test/fuzzer/msan.test
18 ↗(On Diff #154011)

also add one test that would break if you accidentally disable and never enable back the interceptor checks

morehouse added inline comments.Jul 3 2018, 5:11 PM
compiler-rt/lib/fuzzer/FuzzerInternal.h
155 ↗(On Diff #154011)

Technically yes, we could avoid re-enabling after the write in DumpCurrentUnit, since DumpCurrentUnit is currently only ever called right before crashing. But I'm not sure we want to bank on that...

Since DumpCurrentUnit doesn't crash itself, a future change could end up calling it outside of a crash handler. If that happens, we would have a tricky bug where MSan's interceptor checks are permanently disabled.

morehouse updated this revision to Diff 154034.Jul 3 2018, 6:00 PM
morehouse marked 4 inline comments as done.
  • Remove global from FuzzerDriver.cpp.
  • Remove unnecessary scope.
  • Unpoison DataCopy.
  • Add strlen test.
kcc accepted this revision.Jul 9 2018, 3:29 PM

LGTM

Please also update the docs (http://llvm.org/docs/LibFuzzer.html) once we are confident that msan+libfuzzer works out of the box

compiler-rt/test/fuzzer/UninitializedStrlen.cpp
1 ↗(On Diff #154034)

here and below make sure the test has the proper header.

This revision is now accepted and ready to land.Jul 9 2018, 3:29 PM
kcc added a comment.Jul 9 2018, 3:30 PM
In D48891#1156587, @kcc wrote:

LGTM

Please also update the docs (http://llvm.org/docs/LibFuzzer.html) once we are confident that msan+libfuzzer works out of the box

I mean, in a separate patch.

morehouse updated this revision to Diff 154733.Jul 9 2018, 4:48 PM
  • Update test headers.
Harbormaster completed remote builds in B20186: Diff 154733.Jul 9 2018, 4:48 PM
morehouse updated this revision to Diff 154734.Jul 9 2018, 4:50 PM
  • Correct diffbase.
Harbormaster completed remote builds in B20187: Diff 154734.Jul 9 2018, 4:50 PM
Closed by commit rCRT336619: [libFuzzer] Make -fsanitize=memory,fuzzer work. (authored by morehouse). · Explain WhyJul 9 2018, 4:56 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: Restricted Project. · View Herald TranscriptJul 9 2018, 4:56 PM
Dor1s added a subscriber: Dor1s.Jul 16 2018, 7:05 AM

Hey Matt, this new test seems to be failing for me locally. I've run ninja check-msan, but it doesn't help. I assume that the problem is on my side, do you have any clue what I can be missing?

The failure is that it doesn't print BINGO, as it seems to be crashing before that:

#4523	REDUCE cov: 6 ft: 6 corp: 5/9b lim: 6 exec/s: 0 rss: 38Mb L: 3/3 MS: 3 CopyPart-EraseBytes-InsertByte-
==103360==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x53ca2b in std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::__put_character_sequence<char, std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, unsigned long) <...>llvm/build/bin/../include/c++/v1/ostream:722:13
    #1 0x53c4c1 in LLVMFuzzerTestOneInput <...>llvm/llvm/projects/compiler-rt/test/fuzzer/SimpleTest.cpp:21:19
    #2 0x4528ac in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) <...>llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:531
    #3 0x459cd6 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) <...>llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:452
    #4 0x459cd6 in fuzzer::Fuzzer::MutateAndTestOne() <...>llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:664
    #5 0x45d83f in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> >, fuzzer::fuzzer_allocator<std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char> > > > const&) <...>llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:794
    #6 0x44e233 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) <...>llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:760
    #7 0x421272 in main <...>llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20
    #8 0x7f9a300502b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #9 0x4212a9 in _start (<...>llvm/build/projects/compiler-rt/test/fuzzer/Output/msan.test.tmp+0x4212a9)

SUMMARY: MemorySanitizer: use-of-uninitialized-value <...>llvm/build/bin/../include/c++/v1/ostream:722:13 in std::__1::basic_ostream<char, std::__1::char_traits<char> >& std::__1::__put_character_sequence<char, std::__1::char_traits<char> >(std::__1::basic_ostream<char, std::__1::char_traits<char> >&, char const*, unsigned long)
Exiting
MS: 1 ChangeBit-; base unit: ba5baccb9bbf5a3e04d647914437de87a1fae521
0x48,0x69,0x21,
Hi!
artifact_prefix='./'; Test unit written to ./crash-c0a0ad26a634840c67a210fefdda76577b03a111
Base64: SGkh
morehouse added a comment.Jul 16 2018, 9:42 AM

Hmm... Seems to be crashing in std::cout <<, but nothing there should be uninitialized. Also the bots are all green.

What revision are you at? Is the libFuzzer revision in sync with the rest of LLVM / compiler-rt?

Dor1s added a comment.Jul 16 2018, 9:53 AM

I'm on r337187. Yeah, all the repos seem to be updated.

Looks like my local build isn't linking against a special libc++ mentioned here: https://github.com/google/oss-fuzz/issues/1556#issuecomment-399818430

I suspected that my cmake config could be wrong, so tried the following one copied from a buildbot:

cmake -G "Ninja" -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_ASSERTIONS=OFF \
    -DLLVM_PARALLEL_LINK_JOBS=8 -DLIBFUZZER_ENABLE_TESTS=ON

but the issue still persists.

morehouse added a comment.Jul 16 2018, 10:55 AM

Make sure you have the libcxx sources checked out (I think under llvm/projects). I think that should fix it.

Also, sync to ToT since I just added a test dependency for MSan.

But now that you bring this up, we might want to create a libcxx feature that the MSan test can require.

Dor1s added a comment.Jul 16 2018, 11:17 AM

Good call, but I have libcxx synced to ToT already :(

However, it's very likely to be the root cause:

$ ldd <...>/Projects/llvm/build/projects/compiler-rt/test/fuzzer/Output/msan.test.tmp
	linux-vdso.so.1 (0x00007ffe87f6f000)
	libc++.so.1 => /usr/lib/x86_64-linux-gnu/libc++.so.1 (0x00007f613884d000)
	libc++abi.so.1 => <...>/Projects/llvm/build/./lib/libc++abi.so.1 (0x00007f6138620000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f613831c000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f61380ff000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f6137ef7000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6137cf3000)
	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f6137adb000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f613773c000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f6138b53000)
Dor1s added a comment.Jul 16 2018, 11:22 AM

Let me build everything completely from scratch. I'm sure something is messed up with my cmake config / cmake files in the build dir. I'll post an update. Thanks for your help!

morehouse added a comment.Jul 16 2018, 11:26 AM

After more thinking, the private libc++ probably isn't the issue here since only libFuzzer itself gets linked with that. The fuzz target is linked with whatever C++ standard library your system is configured to use.

On my machine, that's libstdc++, but yours is libc++. Perhaps libc++ implements cout << ... differently, therefore causing the false positive... Let me know if the rebuild fixes it. Otherwise, I'll take a closer look.

kcc added a comment.Jul 16 2018, 12:20 PM

Maybe just change the msan-ish test to not use STL

Dor1s added a comment.Jul 16 2018, 1:02 PM

Let me know if the rebuild fixes it. Otherwise, I'll take a closer look.

Didn't help. Also, the stacktrace points to the libcxx source file, even though ldd shows the system libc++ being used:

mmoroz@mmoroz2:~/Projects/llvm/build$ sha1sum include/c++/v1/ostream
99ce0b9ca18a5c9e4c3d88b35fbae6416135ae9a  include/c++/v1/ostream
mmoroz@mmoroz2:~/Projects/llvm/build$ sha1sum ../llvm/projects/libcxx/include/ostream 
99ce0b9ca18a5c9e4c3d88b35fbae6416135ae9a  ../llvm/projects/libcxx/include/ostream
morehouse added a comment.Jul 16 2018, 4:30 PM

Try again after syncing past r337224. Hopefully that fixes your issue.

Dor1s added a comment.Jul 17 2018, 7:20 AM
In D48891#1164431, @morehouse wrote:

Try again after syncing past r337224. Hopefully that fixes your issue.

Yay, everything works now. Thank you, guys!

Revision Contents

PathSize
lib/
fuzzer/
2 lines
3 lines
22 lines
26 lines
test/
fuzzer/
14 lines
27 lines
11 lines
23 lines

Diff 154735

lib/fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 531 Lines▼ Show 20 Lines
int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) { int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
using namespace fuzzer; using namespace fuzzer;
assert(argc && argv && "Argument pointers cannot be nullptr"); assert(argc && argv && "Argument pointers cannot be nullptr");
std::string Argv0((*argv)[0]); std::string Argv0((*argv)[0]);
EF = new ExternalFunctions(); EF = new ExternalFunctions();
if (EF->LLVMFuzzerInitialize) if (EF->LLVMFuzzerInitialize)
EF->LLVMFuzzerInitialize(argc, argv); EF->LLVMFuzzerInitialize(argc, argv);
if (EF->__msan_scoped_disable_interceptor_checks)
EF->__msan_scoped_disable_interceptor_checks();
const Vector<std::string> Args(*argv, *argv + *argc); const Vector<std::string> Args(*argv, *argv + *argc);
assert(!Args.empty()); assert(!Args.empty());
ProgName = new std::string(Args[0]); ProgName = new std::string(Args[0]);
if (Argv0 != *ProgName) { if (Argv0 != *ProgName) {
Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n"); Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n");
exit(1); exit(1);
} }
ParseFlags(Args); ParseFlags(Args);
▲ Show 20 LinesShow All 224 LinesShow Last 20 Lines

lib/fuzzer/FuzzerExtFunctions.def

Show All 40 LinesEXT_FUNC(__sanitizer_symbolize_pc, void,
(void *, const char *fmt, char *out_buf, size_t out_buf_size), false); (void *, const char *fmt, char *out_buf, size_t out_buf_size), false);
EXT_FUNC(__sanitizer_get_module_and_offset_for_pc, int, EXT_FUNC(__sanitizer_get_module_and_offset_for_pc, int,
(void *pc, char *module_path, (void *pc, char *module_path,
size_t module_path_len,void **pc_offset), false); size_t module_path_len,void **pc_offset), false);
EXT_FUNC(__sanitizer_set_death_callback, void, (void (*)(void)), true); EXT_FUNC(__sanitizer_set_death_callback, void, (void (*)(void)), true);
EXT_FUNC(__sanitizer_set_report_fd, void, (void*), false); EXT_FUNC(__sanitizer_set_report_fd, void, (void*), false);
EXT_FUNC(__sanitizer_dump_coverage, void, (const uintptr_t *, uintptr_t), EXT_FUNC(__sanitizer_dump_coverage, void, (const uintptr_t *, uintptr_t),
false); false);
EXT_FUNC(__msan_scoped_disable_interceptor_checks, void, (), false);
EXT_FUNC(__msan_scoped_enable_interceptor_checks, void, (), false);
EXT_FUNC(__msan_unpoison, void, (const volatile void *, size_t size), false);

lib/fuzzer/FuzzerInternal.h

Show First 20 LinesShow All 146 Lines▼ Show 20 Linesprivate:
size_t TmpMaxMutationLen = 0; size_t TmpMaxMutationLen = 0;
Vector<uint32_t> UniqFeatureSetTmp; Vector<uint32_t> UniqFeatureSetTmp;
// Need to know our own thread. // Need to know our own thread.
static thread_local bool IsMyThread; static thread_local bool IsMyThread;
}; };
struct ScopedEnableMsanInterceptorChecks {
ScopedEnableMsanInterceptorChecks() {
if (EF->__msan_scoped_enable_interceptor_checks)
EF->__msan_scoped_enable_interceptor_checks();
}
~ScopedEnableMsanInterceptorChecks() {
if (EF->__msan_scoped_disable_interceptor_checks)
EF->__msan_scoped_disable_interceptor_checks();
}
};
struct ScopedDisableMsanInterceptorChecks {
ScopedDisableMsanInterceptorChecks() {
if (EF->__msan_scoped_disable_interceptor_checks)
EF->__msan_scoped_disable_interceptor_checks();
}
~ScopedDisableMsanInterceptorChecks() {
if (EF->__msan_scoped_enable_interceptor_checks)
EF->__msan_scoped_enable_interceptor_checks();
}
};
} // namespace fuzzer } // namespace fuzzer
#endif // LLVM_FUZZER_INTERNAL_H #endif // LLVM_FUZZER_INTERNAL_H

lib/fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 173 Lines▼ Show 20 Lines
void Fuzzer::StaticDeathCallback() { void Fuzzer::StaticDeathCallback() {
assert(F); assert(F);
F->DeathCallback(); F->DeathCallback();
} }
void Fuzzer::DumpCurrentUnit(const char *Prefix) { void Fuzzer::DumpCurrentUnit(const char *Prefix) {
if (!CurrentUnitData) if (!CurrentUnitData)
return; // Happens when running individual inputs. return; // Happens when running individual inputs.
ScopedDisableMsanInterceptorChecks S;
MD.PrintMutationSequence(); MD.PrintMutationSequence();
Printf("; base unit: %s\n", Sha1ToString(BaseSha1).c_str()); Printf("; base unit: %s\n", Sha1ToString(BaseSha1).c_str());
size_t UnitSize = CurrentUnitSize; size_t UnitSize = CurrentUnitSize;
if (UnitSize <= kMaxUnitSizeToPrint) { if (UnitSize <= kMaxUnitSizeToPrint) {
PrintHexArray(CurrentUnitData, UnitSize, "\n"); PrintHexArray(CurrentUnitData, UnitSize, "\n");
PrintASCII(CurrentUnitData, UnitSize, "\n"); PrintASCII(CurrentUnitData, UnitSize, "\n");
} }
WriteUnitToFileWithPrefix({CurrentUnitData, CurrentUnitData + UnitSize}, WriteUnitToFileWithPrefix({CurrentUnitData, CurrentUnitData + UnitSize},
▲ Show 20 LinesShow All 321 Lines▼ Show 20 Linesvoid Fuzzer::ExecuteCallback(const uint8_t *Data, size_t Size) {
TotalNumberOfRuns++; TotalNumberOfRuns++;
assert(InFuzzingThread()); assert(InFuzzingThread());
if (SMR.IsClient()) if (SMR.IsClient())
SMR.WriteByteArray(Data, Size); SMR.WriteByteArray(Data, Size);
// We copy the contents of Unit into a separate heap buffer // We copy the contents of Unit into a separate heap buffer
// so that we reliably find buffer overflows in it. // so that we reliably find buffer overflows in it.
uint8_t *DataCopy = new uint8_t[Size]; uint8_t *DataCopy = new uint8_t[Size];
memcpy(DataCopy, Data, Size); memcpy(DataCopy, Data, Size);
if (EF->__msan_unpoison)
EF->__msan_unpoison(DataCopy, Size);
if (CurrentUnitData && CurrentUnitData != Data) if (CurrentUnitData && CurrentUnitData != Data)
memcpy(CurrentUnitData, Data, Size); memcpy(CurrentUnitData, Data, Size);
CurrentUnitSize = Size; CurrentUnitSize = Size;
{
ScopedEnableMsanInterceptorChecks S;
AllocTracer.Start(Options.TraceMalloc); AllocTracer.Start(Options.TraceMalloc);
UnitStartTime = system_clock::now(); UnitStartTime = system_clock::now();
TPC.ResetMaps(); TPC.ResetMaps();
RunningCB = true; RunningCB = true;
int Res = CB(DataCopy, Size); int Res = CB(DataCopy, Size);
RunningCB = false; RunningCB = false;
UnitStopTime = system_clock::now(); UnitStopTime = system_clock::now();
(void)Res; (void)Res;
assert(Res == 0); assert(Res == 0);
HasMoreMallocsThanFrees = AllocTracer.Stop(); HasMoreMallocsThanFrees = AllocTracer.Stop();
}
if (!LooseMemeq(DataCopy, Data, Size)) if (!LooseMemeq(DataCopy, Data, Size))
CrashOnOverwrittenData(); CrashOnOverwrittenData();
CurrentUnitSize = 0; CurrentUnitSize = 0;
delete[] DataCopy; delete[] DataCopy;
} }
void Fuzzer::WriteToOutputCorpus(const Unit &U) { void Fuzzer::WriteToOutputCorpus(const Unit &U) {
if (Options.OnlyASCII) if (Options.OnlyASCII)
▲ Show 20 LinesShow All 315 LinesShow Last 20 Lines

test/fuzzer/UninitializedStrlen.cpp

#include <cstdint>
#include <cstring>
volatile size_t Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 4) return 0;
if (Data[0] == 'F' && Data[1] == 'U' && Data[2] == 'Z' && Data[3] == 'Z') {
char uninit[7];
Sink = strlen(uninit);
}
return 0;
}

test/fuzzer/UseAfterDtor.cpp

#include <cstdint>
#include <cstdio>
struct Simple {
int x_;
Simple() {
x_ = 5;
}
~Simple() {
x_ += 1;
}
};
Simple *volatile SimpleSink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 4) return 0;
if (Data[0] == 'F' && Data[1] == 'U' && Data[2] == 'Z' && Data[3] == 'Z') {
{
Simple S;
SimpleSink = &S;
}
if (SimpleSink->x_) fprintf(stderr, "Failed to catch use-after-dtor\n");
}
return 0;
}

test/fuzzer/lit.cfg

Show First 20 LinesShow All 43 Lines▼ Show 20 Linesif sys.platform.startswith('linux'):
config.available_features.add('linux') config.available_features.add('linux')
else: else:
lit_config.note('linux feature unavailable') lit_config.note('linux feature unavailable')
config.substitutions.append(('%build_dir', config.cmake_binary_dir)) config.substitutions.append(('%build_dir', config.cmake_binary_dir))
libfuzzer_src_root = os.path.join(config.compiler_rt_src_root, "lib", "fuzzer") libfuzzer_src_root = os.path.join(config.compiler_rt_src_root, "lib", "fuzzer")
config.substitutions.append(('%libfuzzer_src', libfuzzer_src_root)) config.substitutions.append(('%libfuzzer_src', libfuzzer_src_root))
def generate_compiler_cmd(is_cpp=True, fuzzer_enabled=True): def generate_compiler_cmd(is_cpp=True, fuzzer_enabled=True, msan_enabled=False):
compiler_cmd = config.clang compiler_cmd = config.clang
extra_cmd = config.target_flags extra_cmd = config.target_flags
if config.clang and config.stdlib == 'libc++': if config.clang and config.stdlib == 'libc++':
link_cmd = '-stdlib=libc++ -Wl,-rpath=%s' % config.runtime_library_dir link_cmd = '-stdlib=libc++ -Wl,-rpath=%s' % config.runtime_library_dir
elif config.clang and config.stdlib == 'static-libc++': elif config.clang and config.stdlib == 'static-libc++':
link_cmd = '-stdlib=libc++ -lc++abi -static-libstdc++ -Wl,-rpath=%s' % ( link_cmd = '-stdlib=libc++ -lc++abi -static-libstdc++ -Wl,-rpath=%s' % (
config.runtime_library_dir) config.runtime_library_dir)
elif any(x in config.target_triple for x in ('darwin', 'freebsd')): elif any(x in config.target_triple for x in ('darwin', 'freebsd')):
link_cmd = '-lc++' link_cmd = '-lc++'
else: else:
link_cmd = '-lstdc++' link_cmd = '-lstdc++'
std_cmd = '--driver-mode=g++ -std=c++11' if is_cpp else '' std_cmd = '--driver-mode=g++ -std=c++11' if is_cpp else ''
if msan_enabled:
sanitizers = ['memory']
else:
sanitizers = ['address'] sanitizers = ['address']
if fuzzer_enabled: if fuzzer_enabled:
sanitizers.append('fuzzer') sanitizers.append('fuzzer')
sanitizers_cmd = ('-fsanitize=%s' % ','.join(sanitizers)) sanitizers_cmd = ('-fsanitize=%s' % ','.join(sanitizers))
return " ".join([ return " ".join([
compiler_cmd, compiler_cmd,
std_cmd, std_cmd,
link_cmd, link_cmd,
"-O2 -gline-tables-only", "-O2 -gline-tables-only",
Show All 13 Lines
config.substitutions.append(('%no_fuzzer_cpp_compiler', config.substitutions.append(('%no_fuzzer_cpp_compiler',
generate_compiler_cmd(is_cpp=True, fuzzer_enabled=False) generate_compiler_cmd(is_cpp=True, fuzzer_enabled=False)
)) ))
config.substitutions.append(('%no_fuzzer_c_compiler', config.substitutions.append(('%no_fuzzer_c_compiler',
generate_compiler_cmd(is_cpp=False, fuzzer_enabled=False) generate_compiler_cmd(is_cpp=False, fuzzer_enabled=False)
)) ))
config.substitutions.append(('%msan_compiler',
generate_compiler_cmd(is_cpp=True, fuzzer_enabled=True, msan_enabled=True)
))
if config.host_os == 'Darwin': if config.host_os == 'Darwin':
if config.target_arch in ["x86_64", "x86_64h"]: if config.target_arch in ["x86_64", "x86_64h"]:
config.parallelism_group = "darwin-64bit-sanitizer" config.parallelism_group = "darwin-64bit-sanitizer"
elif config.apple_platform != "osx" and not config.apple_platform.endswith("sim"): elif config.apple_platform != "osx" and not config.apple_platform.endswith("sim"):
config.parallelism_group = "darwin-ios-device-sanitizer" config.parallelism_group = "darwin-ios-device-sanitizer"

test/fuzzer/msan.test

RUN: %msan_compiler %S/SimpleTest.cpp -o %t
RUN: not %run %t -seed=1 -runs=10000000 2>&1 | FileCheck %s --check-prefix=NO-REPORT
RUN: %msan_compiler %S/SimpleCmpTest.cpp -o %t
RUN: not %run %t -seed=1 -runs=10000000 2>&1 | FileCheck %s --check-prefix=NO-REPORT
RUN: %msan_compiler %S/MemcmpTest.cpp -o %t
RUN: not %run %t -seed=1 -runs=10000000 2>&1 | FileCheck %s --check-prefix=NO-REPORT
RUN: %msan_compiler %S/StrcmpTest.cpp -o %t
RUN: not %run %t -seed=1 -runs=10000000 2>&1 | FileCheck %s --check-prefix=NO-REPORT
NO-REPORT-NOT: MemorySanitizer
NO-REPORT: BINGO
RUN: %msan_compiler %S/UseAfterDtor.cpp -o %t
RUN: MSAN_OPTIONS=poison_in_dtor=1 not %run %t -seed=1 -runs=10000000 2>&1 | FileCheck %s --check-prefix=REPORT
RUN: %msan_compiler %S/UninitializedStrlen.cpp -o %t
RUN: not %run %t -seed=1 -runs=10000000 2>&1 | FileCheck %s --check-prefix=REPORT
REPORT: MemorySanitizer: use-of-uninitialized-value