diff options
| author | Kostya Serebryany <kcc@google.com> | 2015-03-30 22:09:51 +0000 |
|---|---|---|
| committer | Kostya Serebryany <kcc@google.com> | 2015-03-30 22:09:51 +0000 |
| commit | 16d03bd05130593fd9c295bc02ec8ad211088f5d (patch) | |
| tree | 1ee0a1c7d1fcc3183f3e20e883f55f0c61eae340 /llvm/lib/Fuzzer/test | |
| parent | d639cdf427bd79d6b14d1000523bcba397240ce5 (diff) | |
| download | bcm5719-llvm-16d03bd05130593fd9c295bc02ec8ad211088f5d.tar.gz bcm5719-llvm-16d03bd05130593fd9c295bc02ec8ad211088f5d.zip | |
DFSan-based fuzzer (proof of concept).
Summary:
This adds a simple DFSan-based (i.e. taint-guided) fuzzer mutator,
see the comments for details.
Test Plan: a test added
Reviewers: samsonov, pcc
Reviewed By: samsonov, pcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D8669
llvm-svn: 233613
Diffstat (limited to 'llvm/lib/Fuzzer/test')
| -rw-r--r-- | llvm/lib/Fuzzer/test/CMakeLists.txt | 14 | ||||
| -rw-r--r-- | llvm/lib/Fuzzer/test/dfsan/CMakeLists.txt | 17 | ||||
| -rw-r--r-- | llvm/lib/Fuzzer/test/dfsan/DFSanSimpleCmpTest.cpp | 30 | ||||
| -rw-r--r-- | llvm/lib/Fuzzer/test/fuzzer.test | 3 |
4 files changed, 62 insertions, 2 deletions
diff --git a/llvm/lib/Fuzzer/test/CMakeLists.txt b/llvm/lib/Fuzzer/test/CMakeLists.txt index 08130c6f7da..8b886a04ff9 100644 --- a/llvm/lib/Fuzzer/test/CMakeLists.txt +++ b/llvm/lib/Fuzzer/test/CMakeLists.txt @@ -2,7 +2,7 @@ # basic blocks and we'll fail to discover the targets. # Also enable the coverage instrumentation back (it is disabled # for the Fuzzer lib) -set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -O0 -fsanitize-coverage=4") +set(CMAKE_CXX_FLAGS_RELEASE "${LIBFUZZER_FLAGS_BASE} -O0 -fsanitize-coverage=4") set(Tests CounterTest @@ -14,11 +14,14 @@ set(Tests TimeoutTest ) +set(DFSanTests + DFSanSimpleCmpTest + ) + set(TestBinaries) foreach(Test ${Tests}) add_executable(LLVMFuzzer-${Test} - EXCLUDE_FROM_ALL ${Test}.cpp ) target_link_libraries(LLVMFuzzer-${Test} @@ -52,6 +55,13 @@ target_link_libraries(LLVMFuzzer-Unittest set(TestBinaries ${TestBinaries} LLVMFuzzer-Unittest) +add_subdirectory(dfsan) + +foreach(Test ${DFSanTests}) + set(TestBinaries ${TestBinaries} LLVMFuzzer-${Test}) +endforeach() + + set_target_properties(${TestBinaries} PROPERTIES RUNTIME_OUTPUT_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} ) diff --git a/llvm/lib/Fuzzer/test/dfsan/CMakeLists.txt b/llvm/lib/Fuzzer/test/dfsan/CMakeLists.txt new file mode 100644 index 00000000000..b5b874fb1ce --- /dev/null +++ b/llvm/lib/Fuzzer/test/dfsan/CMakeLists.txt @@ -0,0 +1,17 @@ +# These tests depend on both coverage and dfsan instrumentation. + +set(DFSAN_FUZZER_ABI_LIST "${CMAKE_CURRENT_SOURCE_DIR}/../../dfsan_fuzzer_abi.list") + +set(CMAKE_CXX_FLAGS_RELEASE + "${LIBFUZZER_FLAGS_BASE} -O0 -fno-sanitize=all -fsanitize=dataflow -mllvm -sanitizer-coverage-experimental-trace-compares=1 -fsanitize-blacklist=${DFSAN_FUZZER_ABI_LIST}") + +foreach(Test ${DFSanTests}) + set_source_files_properties(${Test}.cpp PROPERTIES OBJECT_DEPENDS ${DFSAN_FUZZER_ABI_LIST}) + add_executable(LLVMFuzzer-${Test} + ${Test}.cpp + ) + target_link_libraries(LLVMFuzzer-${Test} + LLVMFuzzer + ) +endforeach() + diff --git a/llvm/lib/Fuzzer/test/dfsan/DFSanSimpleCmpTest.cpp b/llvm/lib/Fuzzer/test/dfsan/DFSanSimpleCmpTest.cpp new file mode 100644 index 00000000000..11620929a42 --- /dev/null +++ b/llvm/lib/Fuzzer/test/dfsan/DFSanSimpleCmpTest.cpp @@ -0,0 +1,30 @@ +// Simple test for a fuzzer. The fuzzer must find several narrow ranges. +#include <cstdint> +#include <cstdlib> +#include <cstring> +#include <cstdio> + +extern "C" void TestOneInput(const uint8_t *Data, size_t Size) { + if (Size < 14) return; + uint64_t x = 0; + int64_t y = 0; + int z = 0; + unsigned short a = 0; + memcpy(&x, Data, 8); + memcpy(&y, Data + Size - 8, 8); + memcpy(&z, Data + Size / 2, sizeof(z)); + memcpy(&a, Data + Size / 2 + 4, sizeof(a)); + + if (x > 1234567890 && + x < 1234567895 && + y >= 987654321 && + y <= 987654325 && + z < -10000 && + z >= -10005 && + z != -10003 && + a == 4242) { + fprintf(stderr, "Found the target: size %zd (%zd, %zd, %d, %d), exiting.\n", + Size, x, y, z, a); + exit(1); + } +} diff --git a/llvm/lib/Fuzzer/test/fuzzer.test b/llvm/lib/Fuzzer/test/fuzzer.test index 45691f5651d..19fafe37935 100644 --- a/llvm/lib/Fuzzer/test/fuzzer.test +++ b/llvm/lib/Fuzzer/test/fuzzer.test @@ -20,3 +20,6 @@ FourIndependentBranchesTest: BINGO RUN: not ./LLVMFuzzer-CounterTest -use_counters=1 -max_len=6 -seed=1 -timeout=15 2>&1 | FileCheck %s --check-prefix=CounterTest CounterTest: BINGO + +RUN: not ./LLVMFuzzer-DFSanSimpleCmpTest -seed=1 -timeout=15 2>&1 | FileCheck %s --check-prefix=DFSanSimpleCmpTest +DFSanSimpleCmpTest: Found the target: |
