This is an archive of the discontinued LLVM Phabricator instance.

Differential D60567

[libFuzzer] Fallback to default Mutate when MutateWithMask fails.
ClosedPublic

Authored by Dor1s on Apr 11 2019, 8:21 AM.

Details

Reviewers
kcc
morehouse
Commits
rG9d5e7ee29665: [libFuzzer] Fallback to default Mutate when MutateWithMask fails.
rL358190: [libFuzzer] Fallback to default Mutate when MutateWithMask fails.
rCRT358190: [libFuzzer] Fallback to default Mutate when MutateWithMask fails.
Summary

In case the current corpus input doesn't have bytes going into the
focus function, MutateWithMask is useless and may fail gently, allowing the
default mutation routine happen, rather than crashing on an assertion.

For more context and the initial fix suggestion, see:
https://github.com/google/oss-fuzz/issues/1632#issuecomment-481862879

Diff Detail

Event Timeline

Dor1s created this revision.Apr 11 2019, 8:21 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptApr 11 2019, 8:21 AM
Herald added subscribers: Restricted Project, delcypher. · View Herald Transcript
Harbormaster completed remote builds in B30376: Diff 194698.Apr 11 2019, 8:21 AM
kcc accepted this revision.Apr 11 2019, 9:14 AM
This revision is now accepted and ready to land.Apr 11 2019, 9:14 AM
Closed by commit rCRT358190: [libFuzzer] Fallback to default Mutate when MutateWithMask fails. (authored by Dor1s). · Explain WhyApr 11 2019, 9:24 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
fuzzer/
4 lines
1 line

Diff 194709

lib/fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 652 Lines▼ Show 20 Lines for (int i = 0; i < Options.MutateDepth; i++) {
if (TotalNumberOfRuns >= Options.MaxNumberOfRuns) if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
break; break;
MaybeExitGracefully(); MaybeExitGracefully();
size_t NewSize = 0; size_t NewSize = 0;
if (II.HasFocusFunction && !II.DataFlowTraceForFocusFunction.empty() && if (II.HasFocusFunction && !II.DataFlowTraceForFocusFunction.empty() &&
Size <= CurrentMaxMutationLen) Size <= CurrentMaxMutationLen)
NewSize = MD.MutateWithMask(CurrentUnitData, Size, Size, NewSize = MD.MutateWithMask(CurrentUnitData, Size, Size,
II.DataFlowTraceForFocusFunction); II.DataFlowTraceForFocusFunction);
else
// If MutateWithMask either failed or wasn't called, call default Mutate.
if (!NewSize)
NewSize = MD.Mutate(CurrentUnitData, Size, CurrentMaxMutationLen); NewSize = MD.Mutate(CurrentUnitData, Size, CurrentMaxMutationLen);
assert(NewSize > 0 && "Mutator returned empty unit"); assert(NewSize > 0 && "Mutator returned empty unit");
assert(NewSize <= CurrentMaxMutationLen && "Mutator return oversized unit"); assert(NewSize <= CurrentMaxMutationLen && "Mutator return oversized unit");
Size = NewSize; Size = NewSize;
II.NumExecutedMutations++; II.NumExecutedMutations++;
bool FoundUniqFeatures = false; bool FoundUniqFeatures = false;
bool NewCov = RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true, &II, bool NewCov = RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true, &II,
▲ Show 20 LinesShow All 181 LinesShow Last 20 Lines

lib/fuzzer/FuzzerMutate.cpp

Show First 20 LinesShow All 536 Lines▼ Show 20 Linessize_t MutationDispatcher::MutateWithMask(uint8_t *Data, size_t Size,
auto &T = MutateWithMaskTemp; auto &T = MutateWithMaskTemp;
if (T.size() < Size) if (T.size() < Size)
T.resize(Size); T.resize(Size);
size_t OneBits = 0; size_t OneBits = 0;
for (size_t I = 0; I < Size; I++) for (size_t I = 0; I < Size; I++)
if (Mask[I]) if (Mask[I])
T[OneBits++] = Data[I]; T[OneBits++] = Data[I];
if (!OneBits) return 0;
assert(!T.empty()); assert(!T.empty());
size_t NewSize = Mutate(T.data(), OneBits, OneBits); size_t NewSize = Mutate(T.data(), OneBits, OneBits);
assert(NewSize <= OneBits); assert(NewSize <= OneBits);
(void)NewSize; (void)NewSize;
// Even if NewSize < OneBits we still use all OneBits bytes. // Even if NewSize < OneBits we still use all OneBits bytes.
for (size_t I = 0, J = 0; I < Size; I++) for (size_t I = 0, J = 0; I < Size; I++)
if (Mask[I]) if (Mask[I])
Data[I] = T[J++]; Data[I] = T[J++];
Show All 9 Lines