[libFuzzer] support switch interception in dfsan mode

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@243760 91177308-0d34-0410-b5e6-96231b3b80d8
2025-01-09 05:31:19 +00:00 · 2015-07-31 17:05:05 +00:00 · 2015-07-31 17:05:05 +00:00 · 26e09e2da5
commit 26e09e2da5
parent 3973e4b71b
4 changed files with 41 additions and 4 deletions
--- a/lib/Fuzzer/FuzzerTraceState.cpp
+++ b/lib/Fuzzer/FuzzerTraceState.cpp
@ -214,6 +214,8 @@ class TraceState {
  void DFSanCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType,
                        uint64_t Arg1, uint64_t Arg2, dfsan_label L1,
                        dfsan_label L2);
+  void DFSanSwitchCallback(uint64_t PC, size_t ValSizeInBits, uint64_t Val,
+                           size_t NumCases, uint64_t *Cases, dfsan_label L);
  void TraceCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType, uint64_t Arg1,
                        uint64_t Arg2);

@ -297,6 +299,26 @@ void TraceState::DFSanCmpCallback(uintptr_t PC, size_t CmpSize, size_t CmpType,
           PC, CmpSize, CmpType, Arg1, Arg2, Res, L1, L2, Mutations.size());
 }

+void TraceState::DFSanSwitchCallback(uint64_t PC, size_t ValSizeInBits,
+                                     uint64_t Val, size_t NumCases,
+                                     uint64_t *Cases, dfsan_label L) {
+  assert(ReallyHaveDFSan());
+  if (!RecordingTraces) return;
+  if (!L) return;  // Not actionable.
+  LabelRange LR = GetLabelRange(L);
+  size_t ValSize = ValSizeInBits / 8;
+  for (size_t Pos = LR.Beg; Pos + ValSize <= LR.End; Pos++) {
+    for (size_t i = 0; i < NumCases; i++) {
+      Mutations.push_back({Pos, ValSize, Cases[i]});
+      Mutations.push_back({Pos, ValSize, Cases[i] + 1});
+      Mutations.push_back({Pos, ValSize, Cases[i] - 1});
+    }
+  }
+  if (Options.Verbosity >= 3)
+    Printf("DFSanSwitchCallback: PC %lx Val %zd # %zd L %d\n", PC, Val,
+           NumCases, L);
+}
+
 int TraceState::TryToAddDesiredData(uint64_t PresentData, uint64_t DesiredData,
                                    size_t DataSize) {
  int Res = 0;
@ -399,6 +421,13 @@ void __dfsw___sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
  TS->DFSanCmpCallback(PC, CmpSize, Type, Arg1, Arg2, L1, L2);
 }

+void __dfsw___sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases,
+                                         dfsan_label L1, dfsan_label L2) {
+  if (!TS) return;
+  uintptr_t PC = reinterpret_cast<uintptr_t>(__builtin_return_address(0));
+  TS->DFSanSwitchCallback(PC, Cases[1], Val, Cases[0], Cases+2, L1);
+}
+
 void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
                            size_t n, dfsan_label s1_label,
                            dfsan_label s2_label, dfsan_label n_label) {
@ -445,8 +474,11 @@ void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
  if (!TS) return;
  uintptr_t PC = reinterpret_cast<uintptr_t>(caller_pc);
  uint64_t S1 = 0, S2 = 0;
-  n = std::min(n, fuzzer::InternalStrnlen(s1, n));
-  n = std::min(n, fuzzer::InternalStrnlen(s2, n));
+  size_t Len1 = fuzzer::InternalStrnlen(s1, n);
+  size_t Len2 = fuzzer::InternalStrnlen(s2, n);
+  n = std::min(n, Len1);
+  n = std::min(n, Len2);
+  if (n <= 1) return;  // Not interesting.
  // Simplification: handle only first 8 bytes.
  memcpy(&S1, s1, std::min(n, sizeof(S1)));
  memcpy(&S2, s2, std::min(n, sizeof(S2)));
--- a/lib/Fuzzer/test/CMakeLists.txt
+++ b/lib/Fuzzer/test/CMakeLists.txt
@ -8,6 +8,7 @@ set(DFSanTests
  MemcmpTest
  SimpleCmpTest
  StrncmpTest
+  SwitchTest
  )

 set(Tests
--- a/lib/Fuzzer/test/SwitchTest.cpp
+++ b/lib/Fuzzer/test/SwitchTest.cpp
@ -1,9 +1,9 @@
 // Simple test for a fuzzer. The fuzzer must find the interesting switch value.
 #include <cstdint>
 #include <cstdlib>
+#include <cstdio>
 #include <cstring>
 #include <cstddef>
-#include <iostream>

 static volatile int Sink;

@ -28,7 +28,7 @@ bool Switch(const uint8_t *Data, size_t Size) {
 extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (Switch<int>(Data, Size) && Size >= 12 &&
      Switch<uint64_t>(Data + 4, Size - 4)) {
-    std::cout << "BINGO; Found the target, exiting\n";
+    fprintf(stderr, "BINGO; Found the target, exiting\n");
    exit(1);
  }
 }
--- a/lib/Fuzzer/test/fuzzer-dfsan.test
+++ b/lib/Fuzzer/test/fuzzer-dfsan.test
@ -1,5 +1,6 @@
 CHECK: BINGO
 CHECK_DFSanCmpCallback: DFSanCmpCallback: PC
+CHECK_DFSanSwitchCallback: DFSanSwitchCallback: PC

 RUN: not LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=1000000 -timeout=5 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
@ -9,3 +10,6 @@ RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbo

 RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
+
+RUN: not LLVMFuzzer-SwitchTest-DFSan -use_traces=1 -seed=1 -runs=10000 -timeout=5              2>&1 | FileCheck %s
+RUN:     LLVMFuzzer-SwitchTest-DFSan -use_traces=1 -seed=1 -runs=2     -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanSwitchCallback