This is an archive of the discontinued LLVM Phabricator instance.

Differential D63334

[libFuzzer] Disable len_control by default if LLVMFuzzerCustomMutator is used.
ClosedPublic

Authored by Dor1s on Jun 14 2019, 7:16 AM.

Details

Reviewers
kcc
vitalybuka
metzman
Commits
rG0784e01a98a0: [libFuzzer] Disable len_control by default if LLVMFuzzerCustomMutator is used.
rL363443: [libFuzzer] Disable len_control by default if LLVMFuzzerCustomMutator is used.
rCRT363443: [libFuzzer] Disable len_control by default if LLVMFuzzerCustomMutator is used.
Summary

Some custom mutators may not peform well when size restriction is
enforced by len_control. Because of that, it's safer to disable len_control
by default in such cases, but still allow users to enable it manually.
Bug example: https://bugs.chromium.org/p/chromium/issues/detail?id=919530.

Tested manually with LPM-based and regular fuzz targets.

Diff Detail

Event Timeline

Dor1s created this revision.Jun 14 2019, 7:16 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptJun 14 2019, 7:16 AM
Herald added subscribers: Restricted Project, delcypher. · View Herald Transcript
Harbormaster completed remote builds in B33393: Diff 204765.Jun 14 2019, 7:17 AM
vitalybuka added a comment.Jun 14 2019, 11:13 AM

maybe test?

Dor1s added a comment.Jun 14 2019, 11:24 AM
In D63334#1543977, @vitalybuka wrote:

maybe test?

@metzman also suggested it, will add soon!

kcc accepted this revision.Jun 14 2019, 11:41 AM

LGTM given a test
Thanks!

This revision is now accepted and ready to land.Jun 14 2019, 11:41 AM
Dor1s updated this revision to Diff 204830.Jun 14 2019, 12:22 PM

Added a test, thanks @metzman for the idea how to test it.

Harbormaster completed remote builds in B33419: Diff 204830.Jun 14 2019, 12:23 PM
metzman accepted this revision.Jun 14 2019, 12:27 PM

LGTM

test/fuzzer/fuzzer-custommutator.test
4 ↗(On Diff #204830)

nit: maybe comment why we care about this limit?

Closed by commit rL363443: [libFuzzer] Disable len_control by default if LLVMFuzzerCustomMutator is used. (authored by Dor1s). · Explain WhyJun 14 2019, 12:31 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
fuzzer/
10 lines
2 lines

Diff 204765

lib/fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 176 Lines▼ Show 20 Lines for (size_t F = 0; F < kNumFlags; F++) {
} }
} }
Printf("\n\nWARNING: unrecognized flag '%s'; " Printf("\n\nWARNING: unrecognized flag '%s'; "
"use -help=1 to list all flags\n\n", Param); "use -help=1 to list all flags\n\n", Param);
return true; return true;
} }
// We don't use any library to minimize dependencies. // We don't use any library to minimize dependencies.
static void ParseFlags(const Vector<std::string> &Args) { static void ParseFlags(const Vector<std::string> &Args,
const ExternalFunctions *EF) {
for (size_t F = 0; F < kNumFlags; F++) { for (size_t F = 0; F < kNumFlags; F++) {
if (FlagDescriptions[F].IntFlag) if (FlagDescriptions[F].IntFlag)
*FlagDescriptions[F].IntFlag = FlagDescriptions[F].Default; *FlagDescriptions[F].IntFlag = FlagDescriptions[F].Default;
if (FlagDescriptions[F].UIntFlag) if (FlagDescriptions[F].UIntFlag)
*FlagDescriptions[F].UIntFlag = *FlagDescriptions[F].UIntFlag =
static_cast<unsigned int>(FlagDescriptions[F].Default); static_cast<unsigned int>(FlagDescriptions[F].Default);
if (FlagDescriptions[F].StrFlag) if (FlagDescriptions[F].StrFlag)
*FlagDescriptions[F].StrFlag = nullptr; *FlagDescriptions[F].StrFlag = nullptr;
} }
// Disable len_control by default, if LLVMFuzzerCustomMutator is used.
if (EF->LLVMFuzzerCustomMutator)
Flags.len_control = 0;
Inputs = new Vector<std::string>; Inputs = new Vector<std::string>;
for (size_t A = 1; A < Args.size(); A++) { for (size_t A = 1; A < Args.size(); A++) {
if (ParseOneFlag(Args[A].c_str())) { if (ParseOneFlag(Args[A].c_str())) {
if (Flags.ignore_remaining_args) if (Flags.ignore_remaining_args)
break; break;
continue; continue;
} }
Inputs->push_back(Args[A]); Inputs->push_back(Args[A]);
▲ Show 20 LinesShow All 408 Lines▼ Show 20 Lines if (EF->__msan_scoped_disable_interceptor_checks)
EF->__msan_scoped_disable_interceptor_checks(); EF->__msan_scoped_disable_interceptor_checks();
const Vector<std::string> Args(*argv, *argv + *argc); const Vector<std::string> Args(*argv, *argv + *argc);
assert(!Args.empty()); assert(!Args.empty());
ProgName = new std::string(Args[0]); ProgName = new std::string(Args[0]);
if (Argv0 != *ProgName) { if (Argv0 != *ProgName) {
Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n"); Printf("ERROR: argv[0] has been modified in LLVMFuzzerInitialize\n");
exit(1); exit(1);
} }
ParseFlags(Args); ParseFlags(Args, EF);
if (Flags.help) { if (Flags.help) {
PrintHelp(); PrintHelp();
return 0; return 0;
} }
if (Flags.close_fd_mask & 2) if (Flags.close_fd_mask & 2)
DupAndCloseStderr(); DupAndCloseStderr();
if (Flags.close_fd_mask & 1) if (Flags.close_fd_mask & 1)
▲ Show 20 LinesShow All 203 LinesShow Last 20 Lines

lib/fuzzer/FuzzerFlags.def

Show All 13 Lines
FUZZER_FLAG_INT(runs, -1, FUZZER_FLAG_INT(runs, -1,
"Number of individual test runs (-1 for infinite runs).") "Number of individual test runs (-1 for infinite runs).")
FUZZER_FLAG_INT(max_len, 0, "Maximum length of the test input. " FUZZER_FLAG_INT(max_len, 0, "Maximum length of the test input. "
"If 0, libFuzzer tries to guess a good value based on the corpus " "If 0, libFuzzer tries to guess a good value based on the corpus "
"and reports it. ") "and reports it. ")
FUZZER_FLAG_INT(len_control, 100, "Try generating small inputs first, " FUZZER_FLAG_INT(len_control, 100, "Try generating small inputs first, "
"then try larger inputs over time. Specifies the rate at which the length " "then try larger inputs over time. Specifies the rate at which the length "
"limit is increased (smaller == faster). If 0, immediately try inputs with " "limit is increased (smaller == faster). If 0, immediately try inputs with "
"size up to max_len.") "size up to max_len. Default value is 0, if LLVMFuzzerCustomMutator is used.")
FUZZER_FLAG_STRING(seed_inputs, "A comma-separated list of input files " FUZZER_FLAG_STRING(seed_inputs, "A comma-separated list of input files "
"to use as an additional seed corpus. Alternatively, an \"@\" followed by " "to use as an additional seed corpus. Alternatively, an \"@\" followed by "
"the name of a file containing the comma-seperated list.") "the name of a file containing the comma-seperated list.")
FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.") FUZZER_FLAG_INT(cross_over, 1, "If 1, cross over inputs.")
FUZZER_FLAG_INT(mutate_depth, 5, FUZZER_FLAG_INT(mutate_depth, 5,
"Apply this number of consecutive mutations to each input.") "Apply this number of consecutive mutations to each input.")
FUZZER_FLAG_INT(reduce_depth, 0, "Experimental/internal. " FUZZER_FLAG_INT(reduce_depth, 0, "Experimental/internal. "
"Reduce depth if mutations lose unique features") "Reduce depth if mutations lose unique features")
▲ Show 20 LinesShow All 132 LinesShow Last 20 Lines