RPCS3/llvm
1
0
Fork 0
mirror of https://github.com/RPCS3/llvm.git synced 2025-03-04 16:47:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

[libFuzzer] remove stale code

Browse Source 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@292325 91177308-0d34-0410-b5e6-96231b3b80d8
This commit is contained in:
Kostya Serebryany 2017-01-18 01:10:18 +00:00
parent 162faf4627
commit c4a7209e7b
4 changed files with 4 additions and 131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/Fuzzer/FuzzerDriver.cpp
View File

@ -401,7 +401,6 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
Options.MutateDepth = Flags.mutate_depth;
Options.UseCounters = Flags.use_counters;
Options.UseIndirCalls = Flags.use_indir_calls;
Options.UseMemcmp = Flags.use_memcmp;
Options.UseMemmem = Flags.use_memmem;
Options.UseCmp = Flags.use_cmp;
Options.UseValueProfile = Flags.use_value_profile;

2
lib/Fuzzer/FuzzerFlags.def
View File

@ -45,8 +45,6 @@ FUZZER_FLAG_INT(minimize_crash, 0, "If 1, minimizes the provided"
FUZZER_FLAG_INT(minimize_crash_internal_step, 0, "internal flag")
FUZZER_FLAG_INT(use_counters, 1, "Use coverage counters")
FUZZER_FLAG_INT(use_indir_calls, 1, "Use indirect caller-callee counters")
FUZZER_FLAG_INT(use_memcmp, 0,
"Use hints from intercepting memcmp, strcmp, etc")
FUZZER_FLAG_INT(use_memmem, 1,
"Use hints from intercepting memmem, strstr, etc")
FUZZER_FLAG_INT(use_value_profile, 0,

2
lib/Fuzzer/FuzzerOptions.h
View File

@ -1,4 +1,3 @@
//===- FuzzerOptions.h - Internal header for the Fuzzer ---------*- C++ -* ===//
//
// The LLVM Compiler Infrastructure
//
@ -29,7 +28,6 @@ struct FuzzingOptions {
int MutateDepth = 5;
bool UseCounters = false;
bool UseIndirCalls = true;
bool UseMemcmp = true;
bool UseMemmem = true;
bool UseCmp = false;
bool UseValueProfile = false;

130
lib/Fuzzer/FuzzerTraceState.cpp
View File

@ -13,7 +13,6 @@
#include "FuzzerInternal.h"
#include "FuzzerIO.h"
#include "FuzzerMutate.h"
#include "FuzzerRandom.h"
#include "FuzzerTracePC.h"
#include <algorithm>
#include <cstring>
@ -23,14 +22,7 @@
namespace fuzzer {
// For now, very simple: put Size bytes of Data at position Pos.
struct TraceBasedMutation {
uint32_t Pos;
Word W;
};
// Declared as static globals for faster checks inside the hooks.
static bool RecordingMemcmp = false;
static bool RecordingMemmem = false;
static bool DoingMyOwnMemmem = false;
@ -43,64 +35,21 @@ public:
const Fuzzer *F)
: MD(MD), Options(Options), F(F) {}
void TraceMemcmpCallback(size_t CmpSize, const uint8_t *Data1,
const uint8_t *Data2);
int TryToAddDesiredData(const uint8_t *PresentData,
const uint8_t *DesiredData, size_t DataSize);
void StartTraceRecording() {
if (!Options.UseMemcmp && !Options.UseMemmem)
if (!Options.UseMemmem)
return;
RecordingMemcmp = Options.UseMemcmp;
RecordingMemmem = Options.UseMemmem;
NumMutations = 0;
RecordingMemmem = true;
InterestingWords.clear();
MD.ClearAutoDictionary();
}
void StopTraceRecording() {
if (!RecordingMemcmp && !RecordingMemmem)
if (!RecordingMemmem)
return;
RecordingMemcmp = false;
for (size_t i = 0; i < NumMutations; i++) {
auto &M = Mutations[i];
if (Options.Verbosity >= 2) {
AutoDictUnitCounts[M.W]++;
AutoDictAdds++;
if ((AutoDictAdds & (AutoDictAdds - 1)) == 0) {
typedef std::pair<size_t, Word> CU;
std::vector<CU> CountedUnits;
for (auto &I : AutoDictUnitCounts)
CountedUnits.push_back(std::make_pair(I.second, I.first));
std::sort(CountedUnits.begin(), CountedUnits.end(),
[](const CU &a, const CU &b) { return a.first > b.first; });
Printf("AutoDict:\n");
for (auto &I : CountedUnits) {
Printf(" %zd ", I.first);
PrintASCII(I.second.data(), I.second.size());
Printf("\n");
}
}
}
MD.AddWordToAutoDictionary({M.W, M.Pos});
}
for (auto &W : InterestingWords)
MD.AddWordToAutoDictionary({W});
}
void AddMutation(uint32_t Pos, uint32_t Size, const uint8_t *Data) {
if (NumMutations >= kMaxMutations) return;
auto &M = Mutations[NumMutations++];
M.Pos = Pos;
M.W.Set(Data, Size);
}
void AddMutation(uint32_t Pos, uint32_t Size, uint64_t Data) {
assert(Size <= sizeof(Data));
AddMutation(Pos, Size, reinterpret_cast<uint8_t*>(&Data));
}
void AddInterestingWord(const uint8_t *Data, size_t Size) {
if (!RecordingMemmem || !F->InFuzzingThread()) return;
if (Size <= 1) return;
@ -110,75 +59,14 @@ public:
}
private:
bool IsTwoByteData(uint64_t Data) {
int64_t Signed = static_cast<int64_t>(Data);
Signed >>= 16;
return Signed == 0 || Signed == -1L;
}
// We don't want to create too many trace-based mutations as it is both
// expensive and useless. So after some number of mutations is collected,
// start rejecting some of them. The more there are mutations the more we
// reject.
bool WantToHandleOneMoreMutation() {
const size_t FirstN = 64;
// Gladly handle first N mutations.
if (NumMutations <= FirstN) return true;
size_t Diff = NumMutations - FirstN;
size_t DiffLog = sizeof(long) * 8 - __builtin_clzl((long)Diff);
assert(DiffLog > 0 && DiffLog < 64);
bool WantThisOne = MD.GetRand()(1 << DiffLog) == 0; // 1 out of DiffLog.
return WantThisOne;
}
static const size_t kMaxMutations = 1 << 16;
size_t NumMutations;
TraceBasedMutation Mutations[kMaxMutations];
// TODO: std::set is too inefficient, need to have a custom DS here.
std::set<Word> InterestingWords;
MutationDispatcher &MD;
const FuzzingOptions Options;
const Fuzzer *F;
std::map<Word, size_t> AutoDictUnitCounts;
size_t AutoDictAdds = 0;
};
int TraceState::TryToAddDesiredData(const uint8_t *PresentData,
const uint8_t *DesiredData,
size_t DataSize) {
if (NumMutations >= kMaxMutations || !WantToHandleOneMoreMutation()) return 0;
ScopedDoingMyOwnMemmem scoped_doing_my_own_memmem;
const uint8_t *UnitData;
auto UnitSize = F->GetCurrentUnitInFuzzingThead(&UnitData);
int Res = 0;
const uint8_t *Beg = UnitData;
const uint8_t *End = Beg + UnitSize;
for (const uint8_t *Cur = Beg; Cur < End; Cur++) {
Cur = (uint8_t *)SearchMemory(Cur, End - Cur, PresentData, DataSize);
if (!Cur)
break;
size_t Pos = Cur - Beg;
assert(Pos < UnitSize);
AddMutation(Pos, DataSize, DesiredData);
Res++;
}
return Res;
}
void TraceState::TraceMemcmpCallback(size_t CmpSize, const uint8_t *Data1,
const uint8_t *Data2) {
if (!RecordingMemcmp || !F->InFuzzingThread()) return;
CmpSize = std::min(CmpSize, Word::GetMaxSize());
int Added2 = TryToAddDesiredData(Data1, Data2, CmpSize);
int Added1 = TryToAddDesiredData(Data2, Data1, CmpSize);
if ((Added1 || Added2) && Options.Verbosity >= 3) {
Printf("MemCmp Added %d%d: ", Added1, Added2);
if (Added1) PrintASCII(Data1, CmpSize);
if (Added2) PrintASCII(Data2, CmpSize);
Printf("\n");
}
}
static TraceState *TS;
void Fuzzer::StartTraceRecording() {
@ -192,7 +80,7 @@ void Fuzzer::StopTraceRecording() {
}
void Fuzzer::InitializeTraceState() {
if (!Options.UseMemcmp && !Options.UseMemmem) return;
if (!Options.UseMemmem) return;
TS = new TraceState(MD, Options, this);
}
@ -205,7 +93,6 @@ static size_t InternalStrnlen(const char *S, size_t MaxLen) {
} // namespace fuzzer
using fuzzer::TS;
using fuzzer::RecordingMemcmp;
extern "C" {
@ -222,9 +109,6 @@ void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
if (result == 0) return; // No reason to mutate.
if (n <= 1) return; // Not interesting.
fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n, /*StopAtZero*/false);
if (!RecordingMemcmp) return;
TS->TraceMemcmpCallback(n, reinterpret_cast<const uint8_t *>(s1),
reinterpret_cast<const uint8_t *>(s2));
}
ATTRIBUTE_NO_SANITIZE_MEMORY
@ -237,9 +121,6 @@ void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
n = std::min(n, Len2);
if (n <= 1) return; // Not interesting.
fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n, /*StopAtZero*/true);
if (!RecordingMemcmp) return;
TS->TraceMemcmpCallback(n, reinterpret_cast<const uint8_t *>(s1),
reinterpret_cast<const uint8_t *>(s2));
}
@ -252,9 +133,6 @@ void __sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1,
size_t N = std::min(Len1, Len2);
if (N <= 1) return; // Not interesting.
fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, N, /*StopAtZero*/true);
if (!RecordingMemcmp) return;
TS->TraceMemcmpCallback(N, reinterpret_cast<const uint8_t *>(s1),
reinterpret_cast<const uint8_t *>(s2));
}
ATTRIBUTE_NO_SANITIZE_MEMORY