[libFuzzer] Use OptForFuzzing attribute with -fsanitize=fuzzer.

morehouse · morehouse · commit 5317f2e4c907 · 2018-03-23T23:35:28.000Z
Summary: Disables certain CMP optimizations to improve fuzzing signal under -O1 and -O2. Switches all fuzzer tests to -O2 except for a few leak tests where the leak is optimized out under -O2. Reviewers: kcc, vitalybuka Reviewed By: vitalybuka Subscribers: cfe-commits, llvm-commits Differential Revision: https://reviews.llvm.org/D44798 llvm-svn: 328384
diff --git a/clang/lib/CodeGen/CodeGenFunction.cpp b/clang/lib/CodeGen/CodeGenFunction.cpp
@@ -862,6 +862,10 @@ void CodeGenFunction::StartFunction(GlobalDecl GD,
   if (SanOpts.has(SanitizerKind::SafeStack))
     Fn->addFnAttr(llvm::Attribute::SafeStack);
 
+  // Apply fuzzing attribute to the function.
+  if (SanOpts.hasOneOf(SanitizerKind::Fuzzer | SanitizerKind::FuzzerNoLink))
+    Fn->addFnAttr(llvm::Attribute::OptForFuzzing);
+
   // Ignore TSan memory acesses from within ObjC/ObjC++ dealloc, initialize,
   // .cxx_destruct, __destroy_helper_block_ and all of their calees at run time.
   if (SanOpts.has(SanitizerKind::Thread)) {
diff --git a/compiler-rt/test/fuzzer/SimpleCmpTest.cpp b/compiler-rt/test/fuzzer/SimpleCmpTest.cpp
@@ -17,15 +17,15 @@ bool PrintOnce(int Line) {
 }
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-  if (Size != 22) return 0;
+  if (Size != 24) return 0;
   uint64_t x = 0;
   int64_t  y = 0;
   int32_t z = 0;
-  uint16_t a = 0;
+  uint32_t a = 0;
   memcpy(&x, Data, 8);  // 8
   memcpy(&y, Data + 8, 8);  // 16
   memcpy(&z, Data + 16, sizeof(z));  // 20
-  memcpy(&a, Data + 20, sizeof(a));  // 22
+  memcpy(&a, Data + 20, sizeof(a));  // 24
   const bool k32bit = sizeof(void*) == 4;
 
   if ((k32bit || x > 1234567890) && PrintOnce(__LINE__) &&
diff --git a/compiler-rt/test/fuzzer/SwapCmpTest.cpp b/compiler-rt/test/fuzzer/SwapCmpTest.cpp
@@ -11,22 +11,22 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
   if (Size < 14) return 0;
   uint64_t x = 0;
   uint32_t y = 0;
-  uint16_t z = 0;
+  uint32_t z = 0;
   memcpy(&x, Data, sizeof(x));
   memcpy(&y, Data + Size / 2, sizeof(y));
   memcpy(&z, Data + Size - sizeof(z), sizeof(z));
 
   x = __builtin_bswap64(x);
   y = __builtin_bswap32(y);
-  z = __builtin_bswap16(z);
+  z = __builtin_bswap32(z);
   const bool k32bit = sizeof(void*) == 4;
 
   if ((k32bit || x == 0x46555A5A5A5A5546ULL) &&
       z == 0x4F4B &&
       y == 0x66757A7A &&
       true
       ) {
-    if (Data[Size - 3] == 'z') {
+    if (Data[Size - 5] == 'z') {
       fprintf(stderr, "BINGO; Found the target\n");
       exit(1);
     }
diff --git a/compiler-rt/test/fuzzer/fuzzer-leak.test b/compiler-rt/test/fuzzer/fuzzer-leak.test
@@ -1,6 +1,9 @@
 REQUIRES: lsan
-RUN: %cpp_compiler %S/LeakTest.cpp -o %t-LeakTest
-RUN: %cpp_compiler %S/ThreadedLeakTest.cpp -o %t-ThreadedLeakTest
+
+// Avoid optimizing since it causes these leaks to go away.
+RUN: %cpp_compiler -O0 %S/LeakTest.cpp -o %t-LeakTest
+RUN: %cpp_compiler -O0 %S/ThreadedLeakTest.cpp -o %t-ThreadedLeakTest
+
 RUN: %cpp_compiler %S/LeakTimeoutTest.cpp -o %t-LeakTimeoutTest
 
 RUN: rm -rf %t-corpus && mkdir -p %t-corpus
diff --git a/compiler-rt/test/fuzzer/lit.cfg b/compiler-rt/test/fuzzer/lit.cfg
@@ -64,7 +64,7 @@ def generate_compiler_cmd(is_cpp=True, fuzzer_enabled=True):
   sanitizers_cmd = ('-fsanitize=%s' % ','.join(sanitizers))
   isysroot_cmd = config.osx_sysroot_flag if config.osx_sysroot_flag else ''
   include_cmd = '-I%s' % libfuzzer_src_root
-  return '%s %s %s -gline-tables-only %s %s %s' % (
+  return '%s %s %s -O2 -gline-tables-only %s %s %s' % (
       compiler_cmd, std_cmd, link_cmd, isysroot_cmd, sanitizers_cmd, include_cmd)
 
 config.substitutions.append(('%cpp_compiler',
diff --git a/compiler-rt/test/fuzzer/trace-malloc-threaded.test b/compiler-rt/test/fuzzer/trace-malloc-threaded.test
@@ -2,7 +2,9 @@
 // printing a stack trace repeatedly
 UNSUPPORTED: darwin
 
-RUN: %cpp_compiler %S/TraceMallocThreadedTest.cpp -o %t-TraceMallocThreadedTest
+// Avoid optimizing since it causes the malloc to go away.
+RUN: %cpp_compiler -O0 %S/TraceMallocThreadedTest.cpp -o \
+RUN:   %t-TraceMallocThreadedTest
 
 RUN: %t-TraceMallocThreadedTest -trace_malloc=2 -runs=1 2>&1 | FileCheck %s
 CHECK: {{MALLOC\[[0-9]+] +0x[0-9]+ 5639}}
