This is an archive of the discontinued LLVM Phabricator instance.

DFSan-based fuzzer (proof of concept).
ClosedPublic

Authored by kcc on Mar 27 2015, 12:04 PM.

Details

Summary

This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.

Diff Detail

Event Timeline

kcc updated this revision to Diff 22811.Mar 27 2015, 12:04 PM
kcc retitled this revision from to DFSan-based fuzzer (proof of concept)..
kcc updated this object.
kcc edited the test plan for this revision. (Show Details)
kcc added reviewers: pcc, samsonov.
kcc added a subscriber: Unknown Object (MLST).
samsonov accepted this revision.Mar 30 2015, 1:03 PM
samsonov edited edge metadata.

LGTM for CMake part (but note comment about explicit dependency on abilist you may require).

lib/Fuzzer/test/CMakeLists.txt
21

Did you remove this line on purpose?

lib/Fuzzer/test/dfsan/CMakeLists.txt
11

You probably need something like

set(DFSAN_FUZZER_ABI_LIST "${CMAKE_CURRENT_SOURCE_DIR}/../../dfsan_fuzzer_abi.list")
...

set_source_files_properties(${Test}.cpp PROPERTIES OBJECT_DEPENDS ${DFSAN_FUZZER_ABI_LIST})

to make sure the test is recompiled after changes to the ABI list.

This revision is now accepted and ready to land.Mar 30 2015, 1:03 PM
kcc updated this revision to Diff 22901.Mar 30 2015, 1:15 PM
kcc edited edge metadata.

Address Alexey's comment

lib/Fuzzer/test/CMakeLists.txt
21

Yes. It is not needed any more due to
if( LLVM_USE_SANITIZE_COVERAGE ) in lib/Fuzzer/CMakeLists.txt

lib/Fuzzer/test/dfsan/CMakeLists.txt
11

Done, thanks!

samsonov added inline comments.Mar 30 2015, 1:23 PM
lib/Fuzzer/test/dfsan/CMakeLists.txt
4

You can use DFSAN_FUZZER_ABI_LIST here as well.

kcc updated this revision to Diff 22902.Mar 30 2015, 1:27 PM

Addressed one more of Alexey's comments (reuse DFSAN_FUZZER_ABI_LIST)

pcc accepted this revision.Mar 30 2015, 3:03 PM
pcc edited edge metadata.

LGTM

We might also want to reset the DFSan state after each iteration, but that can probably come later.

lib/Fuzzer/FuzzerFlags.def
47

taint-guided

lib/Fuzzer/dfsan_fuzzer_abi.list
12

uninstrumented+discard maybe? Though this shouldn't matter if the function is only called from non-dfsan code.

lib/Fuzzer/test/dfsan/CMakeLists.txt
6

Doesn't this mean that the test will only use DFSan in release builds? Probably better to set the COMPILE_FLAGS property on the target.

kcc added a comment.Mar 30 2015, 3:10 PM

We might also want to reset the DFSan state after each iteration, but that can probably come later.

Yep.
So far everything works w/o resetting the dfsan state because I taint the global input vector which never gets reallocated.
I guess we may run out of dfsan labels in a long fuzzing session without resetting the DFSan state.

lib/Fuzzer/FuzzerFlags.def
47

done

lib/Fuzzer/dfsan_fuzzer_abi.list
12

Yes, this code is expected to be called *only* from non-instrumented code.

lib/Fuzzer/test/dfsan/CMakeLists.txt
6

Err. I think I tried and it did not work.
Let me try to wrestle with it separately if/when we need a Debug build.

kcc closed this revision.Mar 30 2015, 3:12 PM
pcc added inline comments.Mar 30 2015, 3:18 PM
lib/Fuzzer/test/dfsan/CMakeLists.txt
6

(FWIW, you might need to append to COMPILE_FLAGS as shown here: http://llvm.org/klaus/llvm/blob/master/cmake/modules/AddLLVM.cmake#L-57 )
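The three CMake points raised in this review (Alexey's OBJECT_DEPENDS on the ABI list, Peter's suggestion to put the DFSan flags on the target instead of a configuration-specific flags variable, and appending to COMPILE_FLAGS rather than overwriting it) fit together in one fragment. The following is an added example, not code from the review or from LLVM's tree; the target name dfsan-fuzzer-example, the source file example_test.cpp and the LLVMFuzzer library name are assumptions:

```cmake
# Added example (not from the review or LLVM's build files): wiring a
# DFSan-instrumented fuzzer test so that it is rebuilt whenever the ABI list
# changes and gets its instrumentation flags in every build configuration.
# dfsan-fuzzer-example, example_test.cpp and LLVMFuzzer are hypothetical names.

set(DFSAN_FUZZER_ABI_LIST "${CMAKE_CURRENT_SOURCE_DIR}/../../dfsan_fuzzer_abi.list")

# Clang's DFSan flag plus the ABI list; -fsanitize-blacklist= is the 2015-era
# spelling of the option (newer clang also accepts -fsanitize-ignorelist=).
set(DFSAN_FLAGS "-fsanitize=dataflow -fsanitize-blacklist=${DFSAN_FUZZER_ABI_LIST}")

add_executable(dfsan-fuzzer-example example_test.cpp)
target_link_libraries(dfsan-fuzzer-example LLVMFuzzer)

# The ABI list is read by the compiler, not by CMake, so without this
# dependency an edit to it leaves a stale object file behind.
set_source_files_properties(example_test.cpp PROPERTIES
  OBJECT_DEPENDS ${DFSAN_FUZZER_ABI_LIST})

# Set the flags on the target (not on CMAKE_CXX_FLAGS_<CONFIG>), so Debug builds
# are instrumented too. APPEND_STRING keeps whatever COMPILE_FLAGS the target
# already carries; DFSan must also be enabled at link time.
set_property(TARGET dfsan-fuzzer-example APPEND_STRING
  PROPERTY COMPILE_FLAGS " ${DFSAN_FLAGS}")
set_property(TARGET dfsan-fuzzer-example APPEND_STRING
  PROPERTY LINK_FLAGS " ${DFSAN_FLAGS}")
```

The leading space in the appended strings matters: APPEND_STRING concatenates without a separator, so omitting it would glue the new flag onto the previous one.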