| -rw-r--r-- | compiler-rt/lib/fuzzer/FuzzerDriver.cpp | 3 | ||||
| -rw-r--r-- | compiler-rt/lib/fuzzer/FuzzerFlags.def | 3 | ||||
| -rw-r--r-- | compiler-rt/lib/fuzzer/FuzzerLoop.cpp | 2 | ||||
| -rw-r--r-- | compiler-rt/lib/fuzzer/FuzzerOptions.h | 1 | ||||
| -rw-r--r-- | compiler-rt/test/fuzzer/fuzzer-oom.test | 4 | ||||
| -rw-r--r-- | llvm/docs/LibFuzzer.rst | 4 |
6 files changed, 15 insertions, 2 deletions
diff --git a/compiler-rt/lib/fuzzer/FuzzerDriver.cpp b/compiler-rt/lib/fuzzer/FuzzerDriver.cpp
index e43f581fcd8..ccb9b0ca75d 100644
--- a/compiler-rt/lib/fuzzer/FuzzerDriver.cpp
+++ b/compiler-rt/lib/fuzzer/FuzzerDriver.cpp
@@ -581,6 +581,9 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
   Options.PurgeAllocatorIntervalSec = Flags.purge_allocator_interval;
   Options.TraceMalloc = Flags.trace_malloc;
   Options.RssLimitMb = Flags.rss_limit_mb;
+  Options.MallocLimitMb = Flags.malloc_limit_mb;
+  if (!Options.MallocLimitMb)
+    Options.MallocLimitMb = Options.RssLimitMb;
   if (Flags.runs >= 0)
     Options.MaxNumberOfRuns = Flags.runs;
   if (!Inputs->empty() && !Flags.minimize_crash_internal_step)
diff --git a/compiler-rt/lib/fuzzer/FuzzerFlags.def b/compiler-rt/lib/fuzzer/FuzzerFlags.def
index 7326c3dfc7a..a32102a7da0 100644
--- a/compiler-rt/lib/fuzzer/FuzzerFlags.def
+++ b/compiler-rt/lib/fuzzer/FuzzerFlags.def
@@ -130,6 +130,9 @@ FUZZER_FLAG_INT(trace_malloc, 0, "If >= 1 will print all mallocs/frees. "
   "If >= 2 will also print stack traces.")
 FUZZER_FLAG_INT(rss_limit_mb, 2048, "If non-zero, the fuzzer will exit upon"
   "reaching this limit of RSS memory usage.")
+FUZZER_FLAG_INT(malloc_limit_mb, 0, "If non-zero, the fuzzer will exit "
+  "if the target tries to allocate this number of Mb with one malloc call. "
+  "If zero (default) same limit as rss_limit_mb is applied.")
 FUZZER_FLAG_STRING(exit_on_src_pos, "Exit if a newly found PC originates"
   " from the given source location. Example: -exit_on_src_pos=foo.cc:123. "
   "Used primarily for testing libFuzzer itself.")
diff --git a/compiler-rt/lib/fuzzer/FuzzerLoop.cpp b/compiler-rt/lib/fuzzer/FuzzerLoop.cpp
index 3cfcfad93b1..f0de940e014 100644
--- a/compiler-rt/lib/fuzzer/FuzzerLoop.cpp
+++ b/compiler-rt/lib/fuzzer/FuzzerLoop.cpp
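Review bot: `Options.MallocLimitMb = Flags.malloc_limit_mb;` copies the int flag without any range check, so a negative value — if the flag parser admits one — reaches the `(size_t)Options.MallocLimitMb` cast in `HandleMalloc` in the FuzzerLoop.cpp hunk, where it becomes an enormous threshold and silently disables the single-malloc check; `RssLimitMb` has the same exposure, and the new fallback inherits it. Because 0 already means "inherit rss_limit_mb", there is also no explicit way to keep the RSS limit and turn off only the per-malloc check, which a target that legitimately makes one large allocation would want. Either reject negatives here with a message, e.g. `if (Options.MallocLimitMb < 0) { Printf("ERROR: -malloc_limit_mb must be >= 0\n"); exit(1); }`, or document in the flag text that a negative value disables the check. The body of `FuzzerDriver` starts and ends outside this hunk.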
@@ -124,7 +124,7 @@ void FreeHook(const volatile void *ptr) { // Crash on a single malloc that exceeds the rss limit. void Fuzzer::HandleMalloc(size_t Size) { - if (!Options.RssLimitMb || (Size >> 20) < (size_t)Options.RssLimitMb) + if (!Options.MallocLimitMb || (Size >> 20) < (size_t)Options.MallocLimitMb) return; Printf("==%d== ERROR: libFuzzer: out-of-memory (malloc(%zd))\n", GetPid(), Size); diff --git a/compiler-rt/lib/fuzzer/FuzzerOptions.h b/compiler-rt/lib/fuzzer/FuzzerOptions.h index e0baf69a749..31e1a4de7e4 100644 --- a/compiler-rt/lib/fuzzer/FuzzerOptions.h +++ b/compiler-rt/lib/fuzzer/FuzzerOptions.h @@ -24,6 +24,7 @@ struct FuzzingOptions { int ErrorExitCode = 77; int MaxTotalTimeSec = 0; int RssLimitMb = 0; + int MallocLimitMb = 0; bool DoCrossOver = true; int MutateDepth = 5; bool ReduceDepth = false; diff --git a/compiler-rt/test/fuzzer/fuzzer-oom.test b/compiler-rt/test/fuzzer/fuzzer-oom.test index 9ef7c485d4d..308c4c5cd39 100644 --- a/compiler-rt/test/fuzzer/fuzzer-oom.test +++ b/compiler-rt/test/fuzzer/fuzzer-oom.test @@ -8,7 +8,9 @@ CHECK: ERROR: libFuzzer: out-of-memory (used: {{.*}}; limit: 300Mb) CHECK: Test unit written to ./oom- SUMMARY: libFuzzer: out-of-memory -RUN: not %t-OutOfMemorySingleLargeMallocTest -rss_limit_mb=300 2>&1 | FileCheck %s --check-prefix=SINGLE_LARGE_MALLOC +RUN: not %t-OutOfMemorySingleLargeMallocTest -rss_limit_mb=300 2>&1 | FileCheck %s --check-prefix=SINGLE_LARGE_MALLOC +RUN: not %t-OutOfMemorySingleLargeMallocTest -malloc_limit_mb=300 2>&1 | FileCheck %s --check-prefix=SINGLE_LARGE_MALLOC +RUN: not %t-OutOfMemorySingleLargeMallocTest -rss_limit_mb=1000 -malloc_limit_mb=300 2>&1 | FileCheck %s --check-prefix=SINGLE_LARGE_MALLOC We used to check for "out-of-memory (malloc(53{{.*}}))", but that would fail sometimes, so now we accept any OOM message. diff --git a/llvm/docs/LibFuzzer.rst b/llvm/docs/LibFuzzer.rst index a2198f2b5a8..7a105e5ed12 100644 --- a/llvm/docs/LibFuzzer.rst +++ b/llvm/docs/LibFuzzer.rst 
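Review bot: The comment above `HandleMalloc`, `// Crash on a single malloc that exceeds the rss limit.`, is now stale because the rewritten condition tests `Options.MallocLimitMb`, which only defaults to the RSS limit; change it to `// Crash on a single malloc that exceeds -malloc_limit_mb (defaults to -rss_limit_mb).` The hint printed after the error message lies outside this hunk and presumably still points the user at `-rss_limit_mb`; it would want the same update so the remedy named matches the check that fired. Note also that the comparison works on `Size >> 20`, so a request up to one MiB short of the limit's boundary passes — fine, but worth a word in the comment since the error message reports the exact byte count.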
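Review bot: `int MallocLimitMb = 0;` in FuzzingOptions gets no comment, and the meaning of the zero default (fall back to RssLimitMb) is resolved only in FuzzerDriver, so a reader of the struct cannot tell the two fields are linked. Add `int MallocLimitMb = 0; // 0: use RssLimitMb (resolved in FuzzerDriver).` so the relationship is visible where the field is declared. The `FuzzingOptions` struct begins and ends outside this hunk.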
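Review bot: All three RUN lines expect the SINGLE_LARGE_MALLOC output with a 300Mb limit on the malloc side, so the hunk shows that `-malloc_limit_mb` trips the check independently of `-rss_limit_mb` but never that it can relax the per-malloc check relative to the RSS limit, which is the other direction in which the new logic differs from the old. A run where `-malloc_limit_mb` is set above the test's allocation size and `-rss_limit_mb` below it would cover that, expecting the RSS-thread report rather than the single-malloc one; I cannot tell from this hunk what SINGLE_LARGE_MALLOC matches, so that run would presumably need its own check prefix. Worth adding before the "accept any OOM message" comment makes the two reports indistinguishable in the existing prefix.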
@@ -246,6 +246,10 @@ The most important command line options are: the process is treated as a failure case. The limit is checked in a separate thread every second. If running w/o ASAN/MSAN, you may use 'ulimit -v' instead. +``-malloc_limit_mb`` + If non-zero, the fuzzer will exit if the target tries to allocate this + number of Mb with one malloc call. + If zero (default) same limit as rss_limit_mb is applied. ``-timeout_exitcode`` Exit code (default 77) used if libFuzzer reports a timeout. ``-error_exitcode`` |

