| -rw-r--r-- | llvm/docs/LibFuzzer.rst | 13 | ||||
| -rw-r--r-- | llvm/lib/Fuzzer/test/CMakeLists.txt | 10 | ||||
| -rw-r--r-- | llvm/lib/Fuzzer/test/SignedIntOverflowTest.cpp | 28 | ||||
| -rw-r--r-- | llvm/lib/Fuzzer/test/fuzzer-ubsan.test | 4 | ||||
| -rw-r--r-- | llvm/lib/Fuzzer/test/ubsan/CMakeLists.txt | 14 |
5 files changed, 64 insertions, 5 deletions
diff --git a/llvm/docs/LibFuzzer.rst b/llvm/docs/LibFuzzer.rst
index 5a3c335182b..ae0850e2a82 100644
--- a/llvm/docs/LibFuzzer.rst
+++ b/llvm/docs/LibFuzzer.rst
@@ -93,11 +93,14 @@ the libFuzzer code then gives an fuzzer executable.
 You should also enable one or more of the *sanitizers*, which help to expose
 latent bugs by making incorrect behavior generate errors at runtime:
 
-  - AddressSanitizer_ detects memory access errors.
-  - MemorySanitizer_ detects uninitialized reads: code whose behavior relies on memory
-    contents that have not been initialized to a specific value.
-  - UndefinedBehaviorSanitizer_ detects the use of various features of C/C++ that are explicitly
-    listed as resulting in undefined behavior.
+  - AddressSanitizer_ (ASAN) detects memory access errors. Use `-fsanitize=address`.
+  - UndefinedBehaviorSanitizer_ (UBSAN) detects the use of various features of C/C++ that are explicitly
+    listed as resulting in undefined behavior. Use `-fsanitize=undefined -fno-sanitize-recover=undefined`
+    or any individual UBSAN check, e.g. `-fsanitize=signed-integer-overflow -fno-sanitize-recover=undefined`.
+    You may combine ASAN and UBSAN in one build.
+  - MemorySanitizer_ (MSAN) detects uninitialized reads: code whose behavior relies on memory
+    contents that have not been initialized to a specific value. Use `-fsanitize=memory`.
+    MSAN can not be combined with other sanirizers and should be used as a seprate build.
 
 Finally, link with ``libFuzzer.a``::
 
diff --git a/llvm/lib/Fuzzer/test/CMakeLists.txt b/llvm/lib/Fuzzer/test/CMakeLists.txt
index 81a996930f4..52ed2f5bbb3 100644
--- a/llvm/lib/Fuzzer/test/CMakeLists.txt
+++ b/llvm/lib/Fuzzer/test/CMakeLists.txt
@@ -57,6 +57,10 @@ set(TracePCTests
   FullCoverageSetTest
   )
 
+set(UbsanTests
+  SignedIntOverflowTest
+  )
+
 set(TestBinaries)
 
 foreach(Test ${Tests})
@@ -118,6 +122,12 @@ foreach(Test ${UninstrumentedTests})
   set(TestBinaries ${TestBinaries} LLVMFuzzer-${Test}-Uninstrumented)
 endforeach()
 
+add_subdirectory(ubsan)
+
+foreach(Test ${UbsanTests})
+  set(TestBinaries ${TestBinaries} LLVMFuzzer-${Test}-Ubsan)
+endforeach()
+
 add_subdirectory(trace-bb)
 
 foreach(Test ${TraceBBTests})
diff --git a/llvm/lib/Fuzzer/test/SignedIntOverflowTest.cpp b/llvm/lib/Fuzzer/test/SignedIntOverflowTest.cpp
new file mode 100644
index 00000000000..7df32ad5793
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/SignedIntOverflowTest.cpp
@@ -0,0 +1,28 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Test for signed-integer-overflow.
+#include <assert.h>
+#include <cstdint>
+#include <cstdlib>
+#include <cstddef>
+#include <iostream>
+#include <climits>
+
+static volatile int Sink;
+static int Large = INT_MAX;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  assert(Data);
+  if (Size > 0 && Data[0] == 'H') {
+    Sink = 1;
+    if (Size > 1 && Data[1] == 'i') {
+      Sink = 2;
+      if (Size > 2 && Data[2] == '!') {
+        Large++; // int overflow.
+      }
+    }
+  }
+  return 0;
+}
+
diff --git a/llvm/lib/Fuzzer/test/fuzzer-ubsan.test b/llvm/lib/Fuzzer/test/fuzzer-ubsan.test
new file mode 100644
index 00000000000..0e8ad6c94a1
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/fuzzer-ubsan.test
@@ -0,0 +1,4 @@
+RUN: not LLVMFuzzer-SignedIntOverflowTest-Ubsan 2>&1 | FileCheck %s
+CHECK: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
+CHECK: Test unit written to ./crash-
+
diff --git a/llvm/lib/Fuzzer/test/ubsan/CMakeLists.txt b/llvm/lib/Fuzzer/test/ubsan/CMakeLists.txt
new file mode 100644
index 00000000000..5547704525e
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/ubsan/CMakeLists.txt
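Review bot: `<iostream>` and `<cstdlib>` are included in SignedIntOverflowTest.cpp but nothing in the file uses them; `<iostream>` in particular drags a static initializer into what is meant to be a minimal reproducer, so drop both (`<assert.h>`, `<cstdint>`, `<cstddef>` and `<climits>` cover everything referenced). Separately, `Large` is written by the increment but never read, so the overflow stays observable only as long as the ubsan build is compiled at -O0 as ubsan/CMakeLists.txt does; that is presumably deliberate, but routing the result through the existing volatile sink, `Sink = ++Large; // int overflow.`, would keep the UBSan report independent of the optimization level and still match the `2147483647 + 1` message the lit test checks for.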
@@ -0,0 +1,14 @@
+# These tests are instrumented with ubsan in non-recovery mode.
+
+set(CMAKE_CXX_FLAGS_RELEASE
+  "${LIBFUZZER_FLAGS_BASE} -O0 -fsanitize=undefined -fno-sanitize-recover=all")
+
+foreach(Test ${UbsanTests})
+  add_executable(LLVMFuzzer-${Test}-Ubsan
+    ../${Test}.cpp
+    )
+  target_link_libraries(LLVMFuzzer-${Test}-Ubsan
+    LLVMFuzzer
+    )
+endforeach()
+
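Review bot: The UBSan flags are injected only through CMAKE_CXX_FLAGS_RELEASE, so under any other CMAKE_BUILD_TYPE these executables are built with no `-fsanitize=undefined` at all and fuzzer-ubsan.test fails on its first CHECK line rather than on a real regression. If the sibling test directories follow the same per-config convention this is at least consistent, but it deserves a comment above the `set()` so the next reader does not take the instrumentation as unconditional, e.g. `# Only effective for CMAKE_BUILD_TYPE=Release, which the lit tests assume.`; a per-target `target_compile_options(... PRIVATE -fsanitize=undefined -fno-sanitize-recover=all)` plus a matching LINK_FLAGS property would make it configuration-independent. Note also that the documentation hunk in this commit recommends `-fno-sanitize-recover=undefined` while this file uses `-fno-sanitize-recover=all`; both abort on the first report, but using one spelling in both places avoids the question of whether the difference is intentional.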

