diff options
| author | Kostya Serebryany <kcc@google.com> | 2017-01-20 20:57:07 +0000 |
|---|---|---|
| committer | Kostya Serebryany <kcc@google.com> | 2017-01-20 20:57:07 +0000 |
| commit | 98d592cc91728694defd32ec30b90004fcaeacd1 (patch) | |
| tree | 293547cc65d11570a62c8b5fc6fc2031040837f8 /llvm/lib/Fuzzer/FuzzerLoop.cpp | |
| parent | a99b717f527fe7e37bf7a0b3fb612b7312d5c656 (diff) | |
| download | bcm5719-llvm-98d592cc91728694defd32ec30b90004fcaeacd1.tar.gz bcm5719-llvm-98d592cc91728694defd32ec30b90004fcaeacd1.zip | |
[libFuzzer] experimental support for 'equivalance fuzzing'
llvm-svn: 292646
Diffstat (limited to 'llvm/lib/Fuzzer/FuzzerLoop.cpp')
| -rw-r--r-- | llvm/lib/Fuzzer/FuzzerLoop.cpp | 33 |
1 files changed, 32 insertions, 1 deletions
diff --git a/llvm/lib/Fuzzer/FuzzerLoop.cpp b/llvm/lib/Fuzzer/FuzzerLoop.cpp index f9822ce0724..63dd7315572 100644 --- a/llvm/lib/Fuzzer/FuzzerLoop.cpp +++ b/llvm/lib/Fuzzer/FuzzerLoop.cpp @@ -14,6 +14,7 @@ #include "FuzzerIO.h" #include "FuzzerMutate.h" #include "FuzzerRandom.h" +#include "FuzzerShmem.h" #include "FuzzerTracePC.h" #include <algorithm> #include <cstring> @@ -42,6 +43,8 @@ static const size_t kMaxUnitSizeToPrint = 256; thread_local bool Fuzzer::IsMyThread; +SharedMemoryRegion SMR; + static void MissingExternalApiFunction(const char *FnName) { Printf("ERROR: %s is not defined. Exiting.\n" "Did you use -fsanitize-coverage=... to build your code?\n", @@ -531,6 +534,8 @@ size_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const { void Fuzzer::ExecuteCallback(const uint8_t *Data, size_t Size) { assert(InFuzzingThread()); + if (SMR.IsClient()) + SMR.WriteByteArray(Data, Size); // We copy the contents of Unit into a separate heap buffer // so that we reliably find buffer overflows in it. uint8_t *DataCopy = new uint8_t[Size]; @@ -806,6 +811,29 @@ void Fuzzer::MinimizeCrashLoop(const Unit &U) { } } +void Fuzzer::AnnounceOutput(const uint8_t *Data, size_t Size) { + if (SMR.IsServer()) { + SMR.WriteByteArray(Data, Size); + } else if (SMR.IsClient()) { + SMR.PostClient(); + SMR.WaitServer(); + size_t OtherSize = SMR.ReadByteArraySize(); + uint8_t *OtherData = SMR.GetByteArray(); + if (Size != OtherSize || memcmp(Data, OtherData, Size) != 0) { + size_t i = 0; + for (i = 0; i < Min(Size, OtherSize); i++) + if (Data[i] != OtherData[i]) + break; + Printf("==%lu== ERROR: libFuzzer: equivalence-mismatch. Sizes: %zd %zd; " + "offset %zd\n", GetPid(), Size, OtherSize, i); + DumpCurrentUnit("mismatch-"); + Printf("SUMMARY: libFuzzer: equivalence-mismatch\n"); + PrintFinalStats(); + _Exit(Options.ErrorExitCode); + } + } +} + } // namespace fuzzer extern "C" { @@ -816,5 +844,8 @@ size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) { } // Experimental -void LLVMFuzzerAnnounceOutput(const uint8_t *Data, size_t Size) {} +void LLVMFuzzerAnnounceOutput(const uint8_t *Data, size_t Size) { + assert(fuzzer::F); + fuzzer::F->AnnounceOutput(Data, Size); +} } // extern "C" |
