Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / b74ba421fc9f8d8e1d5e52bb1566ecb705a3029b^! / . / llvm / lib / Fuzzer
commitb74ba421fc9f8d8e1d5e52bb1566ecb705a3029b[log] [tgz]
authorKostya Serebryany <kcc@google.com>Thu Jul 30 02:33:45 2015 +0000
committerKostya Serebryany <kcc@google.com>Thu Jul 30 02:33:45 2015 +0000
tree950d6c210a356cb0b5203439cc92e4c070a700ab
parent66a75c54bee1d5aae6e31ae747114144ef56b58a [diff]
[libFuzzer] implement strncmp hook for data-flow-guided fuzzing (w/ and w/o dfsan), add a test

llvm-svn: 243611

diff --git a/llvm/lib/Fuzzer/FuzzerTraceState.cpp b/llvm/lib/Fuzzer/FuzzerTraceState.cpp
index 9c7f996..d4ccd81 100644
--- a/llvm/lib/Fuzzer/FuzzerTraceState.cpp
+++ b/llvm/lib/Fuzzer/FuzzerTraceState.cpp

@@ -138,7 +138,9 @@
   if (CmpSize == 4) return ComputeCmp<uint32_t, int32_t>(CmpType, Arg1, Arg2);
   if (CmpSize == 2) return ComputeCmp<uint16_t, int16_t>(CmpType, Arg1, Arg2);
   if (CmpSize == 1) return ComputeCmp<uint8_t, int8_t>(CmpType, Arg1, Arg2);
-  assert(0 && "unsupported type size");
+  // Other size, ==
+  if (CmpType == ICMP_EQ) return Arg1 == Arg2;
+  assert(0 && "unsupported cmp and type size combination");
   return true;
 }
 
@@ -394,6 +396,12 @@
   TS->DFSanCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2, L1, L2);
 }
 
+void dfsan_weak_hook_strncmp(void *caller_pc, const char *s1, const char *s2,
+                             size_t n, dfsan_label s1_label,
+                             dfsan_label s2_label, dfsan_label n_label) {
+  dfsan_weak_hook_memcmp(caller_pc, s1, s2, n, s1_label, s2_label, n_label);
+}
+
 void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
                                   const void *s2, size_t n) {
   if (!TS) return;
@@ -403,7 +411,11 @@
   memcpy(&S1, s1, std::min(n, sizeof(S1)));
   memcpy(&S2, s2, std::min(n, sizeof(S2)));
   TS->TraceCmpCallback(PC, n, fuzzer::ICMP_EQ, S1, S2);
-  // fuzzer::Printf("ZZZ %p %p %zd\n", s1, s2, n);
+}
+
+void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
+                                   const char *s2, size_t n) {
+  __sanitizer_weak_hook_memcmp(caller_pc, s1, s2, n);
 }
 
 void __sanitizer_cov_trace_cmp(uint64_t SizeAndType, uint64_t Arg1,

diff --git a/llvm/lib/Fuzzer/test/CMakeLists.txt b/llvm/lib/Fuzzer/test/CMakeLists.txt
index 5247f00..4cff70c 100644
--- a/llvm/lib/Fuzzer/test/CMakeLists.txt
+++ b/llvm/lib/Fuzzer/test/CMakeLists.txt

@@ -7,6 +7,7 @@
 set(DFSanTests
   MemcmpTest
   SimpleCmpTest
+  StrncmpTest
   )
 
 set(Tests
@@ -19,6 +20,7 @@
   NullDerefTest
   SimpleCmpTest
   SimpleTest
+  StrncmpTest
   TimeoutTest
   )
 

diff --git a/llvm/lib/Fuzzer/test/MemcmpTest.cpp b/llvm/lib/Fuzzer/test/MemcmpTest.cpp
index cabdff8..2954b6c 100644
--- a/llvm/lib/Fuzzer/test/MemcmpTest.cpp
+++ b/llvm/lib/Fuzzer/test/MemcmpTest.cpp

@@ -9,8 +9,10 @@
   if (Size >= 8 && memcmp(Data, "01234567", 8) == 0) {
     if (Size >= 12 && memcmp(Data + 8, "ABCD", 4) == 0) {
       if (Size >= 14 && memcmp(Data + 12, "XY", 2) == 0) {
-        fprintf(stderr, "BINGO\n");
-        exit(1);
+        if (Size >= 16 && memcmp(Data + 14, "KLM", 3) == 0) {
+          fprintf(stderr, "BINGO\n");
+          exit(1);
+        }
       }
     }
   }

diff --git a/llvm/lib/Fuzzer/test/StrncmpTest.cpp b/llvm/lib/Fuzzer/test/StrncmpTest.cpp
new file mode 100644
index 0000000..86b02d0
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/StrncmpTest.cpp

@@ -0,0 +1,20 @@
+// Simple test for a fuzzer. The fuzzer must find a particular string.
+#include <cstring>
+#include <cstdint>
+#include <cstdio>
+#include <cstdlib>
+
+extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  // TODO: check other sizes.
+  char *S = (char*)Data;
+  if (Size >= 8 && strncmp(S, "01234567", 8) == 0) {
+    if (Size >= 12 && strncmp(S + 8, "ABCD", 4) == 0) {
+      if (Size >= 14 && strncmp(S + 12, "XY", 2) == 0) {
+        if (Size >= 16 && strncmp(S + 14, "KLM", 3) == 0) {
+          fprintf(stderr, "BINGO\n");
+          exit(1);
+        }
+      }
+    }
+  }
+}

diff --git a/llvm/lib/Fuzzer/test/fuzzer-dfsan.test b/llvm/lib/Fuzzer/test/fuzzer-dfsan.test
index 9a3c9e0..5e41a9e 100644
--- a/llvm/lib/Fuzzer/test/fuzzer-dfsan.test
+++ b/llvm/lib/Fuzzer/test/fuzzer-dfsan.test

@@ -7,3 +7,5 @@
 RUN: not LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-MemcmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback
 
+RUN: not LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=1000 -timeout=5 2>&1 | FileCheck %s
+RUN: LLVMFuzzer-StrncmpTest-DFSan -use_traces=1 -seed=1 -runs=2 -timeout=5 -verbosity=3 2>&1 | FileCheck %s  -check-prefix=CHECK_DFSanCmpCallback

diff --git a/llvm/lib/Fuzzer/test/fuzzer.test b/llvm/lib/Fuzzer/test/fuzzer.test
index fdabbb1..d6dd3ff 100644
--- a/llvm/lib/Fuzzer/test/fuzzer.test
+++ b/llvm/lib/Fuzzer/test/fuzzer.test

@@ -28,3 +28,6 @@
 RUN: not LLVMFuzzer-MemcmpTest -use_traces=1 -seed=1 -runs=10000    2>&1 | FileCheck %s
 RUN:     LLVMFuzzer-MemcmpTest               -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000
 Done1000000: Done 1000000 runs in
+
+RUN: not LLVMFuzzer-StrncmpTest -use_traces=1 -seed=1 -runs=10000    2>&1 | FileCheck %s
+RUN:     LLVMFuzzer-StrncmpTest               -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000