This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.
LGTM for CMake part (but note comment about explicit dependency on abilist you may require).
lib/Fuzzer/test/CMakeLists.txt, line 21: Did you remove this line on purpose?
lib/Fuzzer/test/dfsan/CMakeLists.txt, line 10: You probably need smth. like set(DFSAN_FUZZER_ABI_LIST "${CMAKE_CURRENT_SOURCE_DIR}/../../dfsan_fuzzer_abi.list") ... set_source_files_properties(${Test}.cpp PROPERTIES OBJECT_DEPENDS ${DFSAN_FUZZER_ABI_LIST}) to make sure you will recompile the test after changes to the ABI list.
lib/Fuzzer/test/dfsan/CMakeLists.txt, line 5: You can use DFSAN_FUZZER_ABI_LIST here as well.
LGTM
We might also want to reset the DFSan state after each iteration, but that can probably come later.
lib/Fuzzer/FuzzerFlags.def, line 47: taint-guided
lib/Fuzzer/dfsan_fuzzer_abi.list, line 13: uninstrumented+discard maybe? Though this shouldn't matter if the function is only called from non-dfsan code.
lib/Fuzzer/test/dfsan/CMakeLists.txt, line 6: Doesn't this mean that the test will only use DFSan in release builds? Probably better to set the COMPILE_FLAGS property on the target.
> We might also want to reset the DFSan state after each iteration, but that can probably come later.
Yep.
So far everything works w/o resetting the dfsan state because I taint the global input vector which never gets reallocated.
I guess we may run out of dfsan labels in a long fuzzing session without resetting the DFSan state.
lib/Fuzzer/FuzzerFlags.def, line 47: done
lib/Fuzzer/dfsan_fuzzer_abi.list, line 13: Yes, this code is expected to be called *only* from non-instrumented code.
lib/Fuzzer/test/dfsan/CMakeLists.txt, line 6: Err. I think I tried and it did not work.
lib/Fuzzer/test/dfsan/CMakeLists.txt, line 6: (FWIW, you might need to append to COMPILE_FLAGS as shown here: http://llvm.org/klaus/llvm/blob/master/cmake/modules/AddLLVM.cmake#L-57 )