replica
/
hanchenye-llvm-project
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
287,388 Commits 2 Branches 0 Tags 1.8 GiB
Commit Graph

14 Commits

Author SHA1 Message Date
Max Moroz a40ce7bc36 [libfuzzer] Fix UB when calculating Log(0) in StackDepthStepFunction(). 
Summary:
__builtin_clz used for Log calculation returns an undefined result
when argument is 0. I noticed that issue when was testing some fuzzers:

```
/src/libfuzzer/FuzzerTracePC.h:282:33: runtime error: shift exponent 450349 is too large for 32-bit type 'uint32_t' (aka 'unsigned int')
  #0 0x43d83f in operator() /src/libfuzzer/FuzzerTracePC.h:283:33
  #1 0x43d83f in void fuzzer::TracePC::CollectFeatures<fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)::$_1>(fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)::$_1) const /src/libfuzzer/FuzzerTracePC.h:290
  #2 0x43cbd4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:445:7
  #3 0x43e5f1 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:706:5
  #4 0x43e9e1 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:739:3
  #5 0x432f8c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:754:6
  #6 0x42ee18 in main /src/libfuzzer/FuzzerMain.cpp:20:10
  #7 0x7f17ffeb182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
  #8 0x407838 in _start (/out/rotate_fuzzer+0x407838)

Reviewers: kcc

Reviewed By: kcc

Subscribers: llvm-commits, #sanitizers

Differential Revision: https://reviews.llvm.org/D41457

llvm-svn: 321211
 2017-12-20 19:31:51 +00:00
Kostya Serebryany e9ed2327b6 [libFuzzer] change the strategy for -experimental_len_control to grow max_len slower 
llvm-svn: 320531
 2017-12-12 23:11:28 +00:00
Kostya Serebryany de891a1946 [libFuzzer] even less aggressive step function for stack depth. Also don't use asan in one test to speed it up 
llvm-svn: 320259
 2017-12-09 19:18:10 +00:00
Kostya Serebryany f94d87aadf [libFuzzer] make the stack depth signal less agressive, otherwise we are sometimes exploding the corpus size. This still needs more analysis and tuning 
llvm-svn: 320237
 2017-12-09 02:45:23 +00:00
Kostya Serebryany 2659c63e2e [libFuzzer] honor -use_counters, sligntly change the meaning of -experimental_len_control, call UpdateFeatureFrequency only if instructed by the flag 
llvm-svn: 320205
 2017-12-08 22:21:42 +00:00
Dan Liew 37516b527b [LibFuzzer] Improve comments on `CounterToFeature()` function. 
This is based on discussion in https://reviews.llvm.org/D40376 .

The comments try to explain the reason for the current implementation
and note that it might change in the future, so clients should not
rely on this particular implementation.

Differential Revision: https://reviews.llvm.org/D40565

llvm-svn: 319190
 2017-11-28 17:41:58 +00:00
Max Moroz 330496c3fc [libFuzzer] Disable experimental clang coverage support by default. 
Summary:
It can be enabled via "-use_clang_coverage=1" flag. Reason for disabling:
libFuzzer resets Clang Counters and makes it impossible to generate coverage
report for a regular fuzz target (i.e. not standalone build).

Reviewers: kcc

Reviewed By: kcc

Subscribers: kcc

Differential Revision: https://reviews.llvm.org/D38604

llvm-svn: 315029
 2017-10-05 22:41:03 +00:00
Kostya Serebryany bcd78491ef [libFuzzer] minor refactoring, NFC 
llvm-svn: 313406
 2017-09-15 22:10:36 +00:00
Kostya Serebryany c07008653c [libFuzzer] allow -print_funcs=N: N is the max number of new covered function printed 
llvm-svn: 311945
 2017-08-28 22:52:22 +00:00
George Karpenkov bebcbfb46d [libFuzzer] Use custom allocators for STL containers in libFuzzer. 
Avoids ODR violations causing spurious ASAN warnings.

Differential Revision: https://reviews.llvm.org/D37086

llvm-svn: 311866
 2017-08-27 23:20:09 +00:00
Kostya Serebryany 2eef816e6e [libFuzzer] add -print_funcs=1 (on bey default): print newly discovered functions during fuzzing 
llvm-svn: 311797
 2017-08-25 20:09:25 +00:00
Kostya Serebryany d3e4b7e24a [sanitizer-coverage] extend fsanitize-coverage=pc-table with flags for every PC 
llvm-svn: 311794
 2017-08-25 19:29:47 +00:00
Kostya Serebryany f65cf64fa2 [libFuzzer] apply changes lost during the migration to compiler-rt 
llvm-svn: 311420
 2017-08-22 01:28:32 +00:00
George Karpenkov 10ab2ace13 Move libFuzzer to compiler_rt. 
Resulting library binaries will be named libclang_rt.fuzzer*, and will
be placed in Clang toolchain, allowing redistribution.

Differential Revision: https://reviews.llvm.org/D36908

llvm-svn: 311407
 2017-08-21 23:25:50 +00:00