This is an archive of the discontinued LLVM Phabricator instance.

Differential D49441

[libFuzzer] Update documentation regarding MSan.
ClosedPublic

Authored by morehouse on Jul 17 2018, 11:47 AM.

Details

Reviewers
kcc
Commits
rGd7df6279e111: [libFuzzer] Update documentation regarding MSan.
rL337476: [libFuzzer] Update documentation regarding MSan.
Summary

-fsanitize=fuzzer,memory now works out-of-the-box.

Diff Detail

Repository
rL LLVM

Event Timeline

morehouse created this revision.Jul 17 2018, 11:47 AM
Harbormaster completed remote builds in B20455: Diff 155937.Jul 17 2018, 11:47 AM
morehouse added a comment.Jul 17 2018, 11:51 AM

Ran fuzzer-test-suite's test-everything.sh with -fsanitize=memory,fuzzer and all MSan reports came from the fuzz target, not libFuzzer. I think it's time to document the new capability.

kcc added a comment.Jul 17 2018, 2:40 PM

all MSan reports came from the fuzz target, not libFuzzer

It may be more subtle than this. Did you investigate the msan reports?

morehouse added a comment.Jul 19 2018, 9:57 AM

Benchmarks easy to discern the crash cause:

  • boringssl - Finds same use-after-free as ASan.
  • c-ares - Finds same crash as vanilla libFuzzer.
  • freetype - Finds the target line.
  • guetzli - False positive (fuzz target uses std::map).
  • harfbuzz - Hits time limit without crashing.
  • lcms - No crashes after several days.
  • libjpeg-turbo - Finds the target line.
  • openssl-1.0.1f - Finds Heartbleed.
  • pcre2 - Finds same buffer overflow as ASan.

Benchmarks with new crash stack traces under MSan. Would take more effort to determine cause:

  • json
  • libarchive
  • libpng
  • libssh
  • libxml
  • openssl-1.0.2d
  • proj4
  • re2
  • woff2

I could investigate each of the new crashes, but that's more time than I'd like to spend on this. Maybe I will just change the documentation to say that MSan support is experimental.

morehouse updated this revision to Diff 156302.Jul 19 2018, 10:03 AM
  • Support MSan experimentally.
Harbormaster completed remote builds in B20517: Diff 156302.Jul 19 2018, 10:04 AM
kcc accepted this revision.Jul 19 2018, 10:55 AM

LGTM

This revision is now accepted and ready to land.Jul 19 2018, 10:55 AM
Closed by commit rL337476: [libFuzzer] Update documentation regarding MSan. (authored by morehouse). · Explain WhyJul 19 2018, 11:04 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
docs/
8 lines

Diff 156322

llvm/trunk/docs/LibFuzzer.rst

Show First 20 LinesShow All 69 Lines▼ Show 20 Lines
Fuzzer Usage Fuzzer Usage
------------ ------------
Recent versions of Clang (starting from 6.0) include libFuzzer, and no extra installation is necessary. Recent versions of Clang (starting from 6.0) include libFuzzer, and no extra installation is necessary.
In order to build your fuzzer binary, use the `-fsanitize=fuzzer` flag during the In order to build your fuzzer binary, use the `-fsanitize=fuzzer` flag during the
compilation and linking. In most cases you may want to combine libFuzzer with compilation and linking. In most cases you may want to combine libFuzzer with
AddressSanitizer_ (ASAN), UndefinedBehaviorSanitizer_ (UBSAN), or both:: AddressSanitizer_ (ASAN), UndefinedBehaviorSanitizer_ (UBSAN), or both. You can
also build with MemorySanitizer_ (MSAN), but support is experimental::
clang -g -O1 -fsanitize=fuzzer mytarget.c # Builds the fuzz target w/o sanitizers clang -g -O1 -fsanitize=fuzzer mytarget.c # Builds the fuzz target w/o sanitizers
clang -g -O1 -fsanitize=fuzzer,address mytarget.c # Builds the fuzz target with ASAN clang -g -O1 -fsanitize=fuzzer,address mytarget.c # Builds the fuzz target with ASAN
clang -g -O1 -fsanitize=fuzzer,signed-integer-overflow mytarget.c # Builds the fuzz target with a part of UBSAN clang -g -O1 -fsanitize=fuzzer,signed-integer-overflow mytarget.c # Builds the fuzz target with a part of UBSAN
clang -g -O1 -fsanitize=fuzzer,memory mytarget.c # Builds the fuzz target with MSAN
This will perform the necessary instrumentation, as well as linking with the libFuzzer library. This will perform the necessary instrumentation, as well as linking with the libFuzzer library.
Note that ``-fsanitize=fuzzer`` links in the libFuzzer's ``main()`` symbol. Note that ``-fsanitize=fuzzer`` links in the libFuzzer's ``main()`` symbol.
If modifying ``CFLAGS`` of a large project, which also compiles executables If modifying ``CFLAGS`` of a large project, which also compiles executables
requiring their own ``main`` symbol, it may be desirable to request just the requiring their own ``main`` symbol, it may be desirable to request just the
instrumentation without linking:: instrumentation without linking::
clang -fsanitize=fuzzer-no-link mytarget.c clang -fsanitize=fuzzer-no-link mytarget.c
Then libFuzzer can be linked to the desired driver by passing in Then libFuzzer can be linked to the desired driver by passing in
``-fsanitize=fuzzer`` during the linking stage. ``-fsanitize=fuzzer`` during the linking stage.
Using MemorySanitizer_ (MSAN) with libFuzzer is possible too, but tricky.
The exact details are out of scope, we expect to simplify this in future
versions.
.. _libfuzzer-corpus: .. _libfuzzer-corpus:
Corpus Corpus
------ ------
Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the Coverage-guided fuzzers like libFuzzer rely on a corpus of sample inputs for the
code under test. This corpus should ideally be seeded with a varied collection code under test. This corpus should ideally be seeded with a varied collection
of valid and invalid inputs for the code under test; for example, for a graphics of valid and invalid inputs for the code under test; for example, for a graphics
▲ Show 20 LinesShow All 648 LinesShow Last 20 Lines