authorKostya Serebryany <kcc@google.com>2018-05-10 19:59:01 +0000
committerKostya Serebryany <kcc@google.com>2018-05-10 19:59:01 +0000
commitf489e2bfef7fca1959ad7e5cb223edc13cc1bc18 (patch)
treec157ff8803119ede3ad8e83a08700fdf9b9e8a0c /compiler-rt/test/fuzzer/ThreeFunctionsTest.cpp
parent85ba3321c6253846dd597c8d8291c999f969ff45 (diff)
[libFuzzer] Experimental data flow tracer for fuzz targets.
Summary: Experimental data flow tracer for fuzz targets. It makes it possible to tell which bytes of the input affect which functions of the fuzz target. We previously attempted to use DFSan directly in the libFuzzer process, and that didn't work nicely. Now we will try to collect the data flow information for the seed corpus in a separate process (using this tracer), and then use it in the regular libFuzzer runs. Reviewers: morehouse, pcc, Dor1s Reviewed By: morehouse, Dor1s Subscribers: delcypher, #sanitizers, llvm-commits Differential Revision: https://reviews.llvm.org/D46666 llvm-svn: 332029
Diffstat (limited to 'compiler-rt/test/fuzzer/ThreeFunctionsTest.cpp')
-rw-r--r--compiler-rt/test/fuzzer/ThreeFunctionsTest.cpp34
1 files changed, 34 insertions, 0 deletions
diff --git a/compiler-rt/test/fuzzer/ThreeFunctionsTest.cpp b/compiler-rt/test/fuzzer/ThreeFunctionsTest.cpp
new file mode 100644
index 00000000000..0ff682abc95
--- /dev/null
+++ b/compiler-rt/test/fuzzer/ThreeFunctionsTest.cpp
@@ -0,0 +1,34 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Find "FUZZME", the target has 3 different functions.
+#include <assert.h>
+#include <cstddef>
+#include <cstdint>
+#include <cstdlib>
+#include <cstdio>
+
+__attribute__((noinline))
+static bool Func1(const uint8_t *Data, size_t Size) {
+ // assumes Size >= 5, doesn't check it.
+ return Data[4] == 'M';
+}
+
+__attribute__((noinline))
+bool Func2(const uint8_t *Data, size_t Size) {
+ return Size >= 6 && Data[5] == 'E';
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Size >= 5
+ && Data[0] == 'F'
+ && Data[1] == 'U'
+ && Data[2] == 'Z'
+ && Data[3] == 'Z'
+ && Func1(Data, Size)
+ && Func2(Data, Size)) {
+ fprintf(stderr, "BINGO\n");
+ abort();
+ }
+ return 0;
+}
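Review bot: Func1 indexes `Data[4]` with no length check of its own, so the read is in bounds only because `Size >= 5` is evaluated first in the `&&` chain of LLVMFuzzerTestOneInput. Reordering that chain, or calling Func1 from anywhere else, would turn it into an out-of-bounds read. The existing comment states the assumption but not where it is enforced or whether the omission is deliberate for the tracer; if it is, a comment such as `// Size >= 5 is checked by the caller before this runs; left unchecked here on purpose.` would make that explicit. Separately, `<assert.h>` is included but nothing in the file calls assert, and Func1 is `static` while Func2 is not, with no comment saying whether that linkage difference matters to the test.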