Diffstat (limited to 'llvm/lib/Fuzzer')
-rw-r--r-- | llvm/lib/Fuzzer/FuzzerDriver.cpp | 21 | ||||
-rw-r--r-- | llvm/lib/Fuzzer/FuzzerLoop.cpp | 2 | ||||
-rw-r--r-- | llvm/lib/Fuzzer/test/CMakeLists.txt | 1 | ||||
-rw-r--r-- | llvm/lib/Fuzzer/test/SingleByteInputTest.cpp | 17 | ||||
-rw-r--r-- | llvm/lib/Fuzzer/test/minimize_crash.test | 8 |
5 files changed, 37 insertions, 12 deletions
diff --git a/llvm/lib/Fuzzer/FuzzerDriver.cpp b/llvm/lib/Fuzzer/FuzzerDriver.cpp
index 7707f76cd37..97dbf00bc87 100644
--- a/llvm/lib/Fuzzer/FuzzerDriver.cpp
+++ b/llvm/lib/Fuzzer/FuzzerDriver.cpp
@@ -277,7 +277,8 @@ static bool AllInputsAreFiles() {
 return true;
 }
 
-int MinimizeCrashInput(const std::vector<std::string> &Args) {
+int MinimizeCrashInput(const std::vector<std::string> &Args,
+ const FuzzingOptions &Options) {
 if (Inputs->size() != 1) {
 Printf("ERROR: -minimize_crash should be given one input file\n");
 exit(1);
@@ -299,10 +300,6 @@ int MinimizeCrashInput(const std::vector<std::string> &Args) {
 std::string CurrentFilePath = InputFilePath;
 while (true) {
 Unit U = FileToVector(CurrentFilePath);
- if (U.size() < 2) {
- Printf("CRASH_MIN: '%s' is small enough\n", CurrentFilePath.c_str());
- return 0;
- }
 Printf("CRASH_MIN: minimizing crash input: '%s' (%zd bytes)\n",
 CurrentFilePath.c_str(), U.size());
 
@@ -318,7 +315,8 @@ int MinimizeCrashInput(const std::vector<std::string> &Args) {
 "it further\n",
 CurrentFilePath.c_str(), U.size());
 
- std::string ArtifactPath = "minimized-from-" + Hash(U);
+ std::string ArtifactPath =
+ Options.ArtifactPrefix + "minimized-from-" + Hash(U);
 Cmd += " -minimize_crash_internal_step=1 -exact_artifact_path=" +
 ArtifactPath;
 Printf("CRASH_MIN: executing: %s\n", Cmd.c_str());
@@ -342,8 +340,11 @@ int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) {
 assert(Inputs->size() == 1);
 std::string InputFilePath = Inputs->at(0);
 Unit U = FileToVector(InputFilePath);
- assert(U.size() > 2);
 Printf("INFO: Starting MinimizeCrashInputInternalStep: %zd\n", U.size());
+ if (U.size() < 2) {
+ Printf("INFO: The input is small enough, exiting\n");
+ exit(0);
+ }
 Corpus->AddToCorpus(U, 0);
 F->SetMaxInputLen(U.size());
 F->SetMaxMutationLen(U.size() - 1);
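Review bot: `Options.ArtifactPrefix` is spliced unquoted into `Cmd` in the `@@ -318` hunk of MinimizeCrashInput, so a prefix containing whitespace or shell metacharacters changes how the child command line is parsed. `Cmd` is printed as "executing" here and is presumably run outside the hunk; if it goes through a shell, the value of `-artifact_prefix` should be quoted or rejected when it contains such characters. At minimum a comment such as `// ArtifactPath is spliced into a command line; ArtifactPrefix must not contain whitespace or shell metacharacters.` would record the assumption. The loop body continues outside the hunk.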
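Review bot: The one-byte floor is now spelled two ways, `U.size() < 2` in MinimizeCrashInputInternalStep (the `@@ -342` hunk) and `U.size() <= 1` in Fuzzer::MinimizeCrashLoop (FuzzerLoop.cpp). Using one form in both places, and adding a comment such as `// Must precede SetMaxMutationLen(U.size() - 1): that is 0 for a 1-byte unit and wraps for an empty one.`, would make it clear that this guard now protects the subtraction a few lines below. The branch also reports an empty `U` as "small enough" and exits 0; if FileToVector() returns an empty unit for an unreadable file (not visible here), that case deserves its own error exit rather than a success status.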
@@ -368,9 +369,6 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
 return 0;
 }
 
- if (Flags.minimize_crash)
- return MinimizeCrashInput(Args);
-
 if (Flags.close_fd_mask & 2)
 DupAndCloseStderr();
 if (Flags.close_fd_mask & 1)
@@ -470,6 +468,9 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
 Options.HandleXfsz = Flags.handle_xfsz;
 SetSignalHandler(Options);
 
+ if (Flags.minimize_crash)
+ return MinimizeCrashInput(Args, Options);
+
 if (Flags.minimize_crash_internal_step)
 return MinimizeCrashInputInternalStep(F, Corpus);
 
diff --git a/llvm/lib/Fuzzer/FuzzerLoop.cpp b/llvm/lib/Fuzzer/FuzzerLoop.cpp
index 02cbcc76e13..f9822ce0724 100644
--- a/llvm/lib/Fuzzer/FuzzerLoop.cpp
+++ b/llvm/lib/Fuzzer/FuzzerLoop.cpp
@@ -792,7 +792,7 @@ void Fuzzer::Loop() {
 }
 
 void Fuzzer::MinimizeCrashLoop(const Unit &U) {
- if (U.size() <= 2) return;
+ if (U.size() <= 1) return;
 while (!TimedOut() && TotalNumberOfRuns < Options.MaxNumberOfRuns) {
 MD.StartMutationSequence();
 memcpy(CurrentUnitData, U.data(), U.size());
diff --git a/llvm/lib/Fuzzer/test/CMakeLists.txt b/llvm/lib/Fuzzer/test/CMakeLists.txt
index 2359c208ab0..5e7334f6b2a 100644
--- a/llvm/lib/Fuzzer/test/CMakeLists.txt
+++ b/llvm/lib/Fuzzer/test/CMakeLists.txt
@@ -94,6 +94,7 @@ set(Tests
 SimpleHashTest
 SimpleTest
 SimpleThreadedTest
+ SingleByteInputTest
 SingleMemcmpTest
 SingleStrcmpTest
 SingleStrncmpTest
diff --git a/llvm/lib/Fuzzer/test/SingleByteInputTest.cpp b/llvm/lib/Fuzzer/test/SingleByteInputTest.cpp
new file mode 100644
index 00000000000..4ce819d230c
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/SingleByteInputTest.cpp
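Review bot: The `-minimize_crash` dispatch in FuzzerDriver() (the `@@ -470` hunk of FuzzerDriver.cpp) now sits after the `close_fd_mask` handling and `SetSignalHandler(Options)`, so the parent minimizer process runs with those applied too, not only the children it launches. The move is needed because MinimizeCrashInput now reads `Options.ArtifactPrefix`, but nothing in the code says so; a comment like `// Must follow Options setup: MinimizeCrashInput reads Options.ArtifactPrefix.` would keep a later cleanup from moving the early return back up. The code between the old and new positions lies outside both hunks, so it is worth confirming that nothing there has side effects the parent should skip.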
@@ -0,0 +1,17 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Simple test for a fuzzer, need just one byte to crash.
+#include <cstdint>
+#include <cstdlib>
+#include <cstddef>
+#include <cstdio>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Size > 0 && Data[Size/2] == 42) {
+ fprintf(stderr, "BINGO\n");
+ abort();
+ }
+ return 0;
+}
+
diff --git a/llvm/lib/Fuzzer/test/minimize_crash.test b/llvm/lib/Fuzzer/test/minimize_crash.test
index 7e5406598e4..ec54ec59d6d 100644
--- a/llvm/lib/Fuzzer/test/minimize_crash.test
+++ b/llvm/lib/Fuzzer/test/minimize_crash.test
@@ -1,6 +1,12 @@
 RUN: echo 'Hi!rv349f34t3gg' > not_minimal_crash
 RUN: LLVMFuzzer-NullDerefTest -minimize_crash=1 not_minimal_crash -max_total_time=2 2>&1 | FileCheck %s
-CHECK: CRASH_MIN: failed to minimize beyond minimized-from-{{.*}} (3 bytes), exiting
+CHECK: CRASH_MIN: failed to minimize beyond ./minimized-from-{{.*}} (3 bytes), exiting
 RUN: LLVMFuzzer-NullDerefTest -minimize_crash=1 not_minimal_crash -max_total_time=2 -exact_artifact_path=exact_minimized_path 2>&1 | FileCheck %s --check-prefix=CHECK_EXACT
 CHECK_EXACT: CRASH_MIN: failed to minimize beyond exact_minimized_path (3 bytes), exiting
 RUN: rm not_minimal_crash minimized-from-* exact_minimized_path
+
+RUN: echo 'abcd*xyz' > not_minimal_crash
+RUN: LLVMFuzzer-SingleByteInputTest -minimize_crash=1 not_minimal_crash -artifact_prefix=./ZZZ- -exact_artifact_path=exact_minimized_path 2>&1 | FileCheck %s --check-prefix=MIN1
+MIN1: Test unit written to ./ZZZ-minimized-from-
+MIN1: INFO: The input is small enough, exiting
+MIN1: CRASH_MIN: failed to minimize beyond exact_minimized_path (1 bytes), exiting
|
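Review bot: The new MIN1 block in minimize_crash.test leaves its files behind, unlike the first block, which ends with `RUN: rm not_minimal_crash minimized-from-* exact_minimized_path`. A matching final line such as `RUN: rm not_minimal_crash ZZZ-minimized-from-* exact_minimized_path` would keep artifacts from one run out of the working directory of the next. The MIN1 run also omits `-max_total_time`, which both earlier runs pass, so the test depends on minimization terminating on its own.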