6502/llvm-6502
1
0
Fork 0
mirror of https://github.com/c64scene-ar/llvm-6502.git synced 2025-08-07 12:28:24 +00:00
Code Issues Projects Releases Wiki Activity

[libFuzzer] implement memcmp hook for data-flow-guided fuzzing (w/o dfsan), extend the memcmp fuzzer test

Browse Source 
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@243603 91177308-0d34-0410-b5e6-96231b3b80d8
This commit is contained in:
Kostya Serebryany
2015-07-30 01:34:58 +00:00
parent b1d5086803
commit c01d39e6b8
5 changed files with 24 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lib/Fuzzer/FuzzerTraceState.cpp
View File

@@ -394,6 +394,18 @@ void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2); TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2);
} }
void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
const void *s2, size_t n) {
if (!TS) return;
uintptr_t PC = reinterpret_cast<uintptr_t>(caller_pc);
uint64_t S1 = 0, S2 = 0;
// Simplification: handle only first 8 bytes.
memcpy(&S1, s1, std::min(n, sizeof(S1)));
memcpy(&S2, s2, std::min(n, sizeof(S2)));
TS->TraceCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2);
// fuzzer::Printf("ZZZ %p %p %zd\n", s1, s2, n);
}
void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1, void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,
uint64_t Arg2) { uint64_t Arg2) {
if (!TS) return; if (!TS) return;

1
lib/Fuzzer/test/CMakeLists.txt
View File

@@ -15,6 +15,7 @@ set(Tests
FourIndependentBranchesTest FourIndependentBranchesTest
FullCoverageSetTest FullCoverageSetTest
InfiniteTest InfiniteTest
MemcmpTest
NullDerefTest NullDerefTest
SimpleCmpTest SimpleCmpTest
SimpleTest SimpleTest

9
lib/Fuzzer/test/MemcmpTest.cpp
View File

@@ -5,8 +5,13 @@
#include <cstdlib> #include <cstdlib>
extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
// TODO: check other sizes.
if (Size >= 8 && memcmp(Data, "01234567", 8) == 0) { if (Size >= 8 && memcmp(Data, "01234567", 8) == 0) {
fprintf(stderr, "BINGO\n"); if (Size >= 12 && memcmp(Data + 8, "ABCD", 4) == 0) {
exit(1); if (Size >= 14 && memcmp(Data + 12, "XY", 2) == 0) {
fprintf(stderr, "BINGO\n");
exit(1);
}
}
} }
} }

2
lib/Fuzzer/test/fuzzer-dfsan.test
View File

@@ -4,6 +4,6 @@ CHECK_DFSanCmpCallback: DFSanCmpCallback: PC
RUN: not LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=1000000 -timeout=5 2>&1 | FileCheck %s RUN: not LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=1000000 -timeout=5 2>&1 | FileCheck %s
RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback RUN: LLVMFuzzer-SimpleCmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback
RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=100 -timeout=5 2>&1 | FileCheck %s RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s -check-prefix=CHECK_DFSanCmpCallback

3
lib/Fuzzer/test/fuzzer.test
View File

@@ -25,3 +25,6 @@ RUN: not LLVMFuzzer-CxxTokensTest -seed=1 -timeout=15 -tokens=%S/../cxx_fuzzer_t
RUN: not LLVMFuzzer-UserSuppliedFuzzerTest -seed=1 -timeout=15 2>&1 | FileCheck %s RUN: not LLVMFuzzer-UserSuppliedFuzzerTest -seed=1 -timeout=15 2>&1 | FileCheck %s
RUN: not LLVMFuzzer-MemcmpTest -use_traces=1 -seed=1 -runs=10000 2>&1 | FileCheck %s
RUN: LLVMFuzzer-MemcmpTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000
Done1000000: Done 1000000 runs in