2017-08-22 07:25:50 +08:00
|
|
|
//===- FuzzerTracePC.cpp - PC tracing--------------------------------------===//
|
|
|
|
//
|
2019-01-19 16:50:56 +08:00
|
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
2017-08-22 07:25:50 +08:00
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
// Trace PCs.
|
|
|
|
// This module implements __sanitizer_cov_trace_pc_guard[_init],
|
|
|
|
// the callback required for -fsanitize-coverage=trace-pc-guard instrumentation.
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
#include "FuzzerTracePC.h"
|
2019-01-10 05:46:09 +08:00
|
|
|
#include "FuzzerBuiltins.h"
|
|
|
|
#include "FuzzerBuiltinsMsvc.h"
|
2017-08-22 07:25:50 +08:00
|
|
|
#include "FuzzerCorpus.h"
|
|
|
|
#include "FuzzerDefs.h"
|
|
|
|
#include "FuzzerDictionary.h"
|
|
|
|
#include "FuzzerExtFunctions.h"
|
|
|
|
#include "FuzzerIO.h"
|
|
|
|
#include "FuzzerUtil.h"
|
|
|
|
#include "FuzzerValueBitMap.h"
|
|
|
|
#include <set>
|
|
|
|
|
2017-08-22 09:28:32 +08:00
|
|
|
// Used by -fsanitize-coverage=stack-depth to track stack depth
|
[libFuzzer] Port to Windows
Summary:
Port libFuzzer to windows-msvc.
This patch allows libFuzzer targets to be built and run on Windows, using -fsanitize=fuzzer and/or fsanitize=fuzzer-no-link. It allows these forms of coverage instrumentation to work on Windows as well.
It does not fix all issues, such as those with -fsanitize-coverage=stack-depth, which is not usable on Windows as of this patch.
It also does not fix any libFuzzer integration tests. Nearly all of them fail to compile, fixing them will come in a later patch, so libFuzzer tests are disabled on Windows until them.
Patch By: metzman
Reviewers: morehouse, rnk
Reviewed By: morehouse, rnk
Subscribers: #sanitizers, delcypher, morehouse, kcc, eraman
Differential Revision: https://reviews.llvm.org/D51022
llvm-svn: 341082
2018-08-30 23:54:44 +08:00
|
|
|
ATTRIBUTES_INTERFACE_TLS_INITIAL_EXEC uintptr_t __sancov_lowest_stack;
|
2017-08-22 09:28:32 +08:00
|
|
|
|
2017-08-22 07:25:50 +08:00
|
|
|
namespace fuzzer {
|
|
|
|
|
|
|
|
TracePC TPC;
|
|
|
|
|
|
|
|
size_t TracePC::GetTotalPCCoverage() {
|
2019-01-30 07:53:28 +08:00
|
|
|
return ObservedPCs.size();
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void TracePC::HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop) {
|
|
|
|
if (Start == Stop) return;
|
2019-01-30 14:15:52 +08:00
|
|
|
if (NumModules &&
|
|
|
|
Modules[NumModules - 1].Start() == Start)
|
|
|
|
return;
|
|
|
|
assert(NumModules <
|
|
|
|
sizeof(Modules) / sizeof(Modules[0]));
|
|
|
|
auto &M = Modules[NumModules++];
|
|
|
|
uint8_t *AlignedStart = RoundUpByPage(Start);
|
|
|
|
uint8_t *AlignedStop = RoundDownByPage(Stop);
|
|
|
|
size_t NumFullPages = AlignedStop > AlignedStart ?
|
|
|
|
(AlignedStop - AlignedStart) / PageSize() : 0;
|
|
|
|
bool NeedFirst = Start < AlignedStart || !NumFullPages;
|
|
|
|
bool NeedLast = Stop > AlignedStop && AlignedStop >= AlignedStart;
|
|
|
|
M.NumRegions = NumFullPages + NeedFirst + NeedLast;;
|
|
|
|
assert(M.NumRegions > 0);
|
|
|
|
M.Regions = new Module::Region[M.NumRegions];
|
|
|
|
assert(M.Regions);
|
|
|
|
size_t R = 0;
|
|
|
|
if (NeedFirst)
|
|
|
|
M.Regions[R++] = {Start, std::min(Stop, AlignedStart), true, false};
|
|
|
|
for (uint8_t *P = AlignedStart; P < AlignedStop; P += PageSize())
|
|
|
|
M.Regions[R++] = {P, P + PageSize(), true, true};
|
|
|
|
if (NeedLast)
|
|
|
|
M.Regions[R++] = {AlignedStop, Stop, true, false};
|
|
|
|
assert(R == M.NumRegions);
|
|
|
|
assert(M.Size() == (size_t)(Stop - Start));
|
|
|
|
assert(M.Stop() == Stop);
|
|
|
|
assert(M.Start() == Start);
|
|
|
|
NumInline8bitCounters += M.Size();
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
2019-01-31 08:09:43 +08:00
|
|
|
// Mark all full page counter regions as PROT_NONE and set Enabled=false.
|
|
|
|
// The first time the instrumented code hits such a protected/disabled
|
|
|
|
// counter region we should catch a SEGV and call UnprotectLazyCounters,
|
|
|
|
// which will mark the page as PROT_READ|PROT_WRITE and set Enabled=true.
|
|
|
|
//
|
|
|
|
// Whenever other functions iterate over the counters they should ignore
|
|
|
|
// regions with Enabled=false.
|
|
|
|
void TracePC::ProtectLazyCounters() {
|
|
|
|
size_t NumPagesProtected = 0;
|
|
|
|
IterateCounterRegions([&](Module::Region &R) {
|
|
|
|
if (!R.OneFullPage) return;
|
|
|
|
if (Mprotect(R.Start, R.Stop - R.Start, false)) {
|
|
|
|
R.Enabled = false;
|
|
|
|
NumPagesProtected++;
|
|
|
|
}
|
|
|
|
});
|
|
|
|
if (NumPagesProtected)
|
|
|
|
Printf("INFO: %zd pages of counters where protected;"
|
|
|
|
" libFuzzer's SEGV handler must be installed\n",
|
|
|
|
NumPagesProtected);
|
|
|
|
}
|
|
|
|
|
|
|
|
bool TracePC::UnprotectLazyCounters(void *CounterPtr) {
|
|
|
|
// Printf("UnprotectLazyCounters: %p\n", CounterPtr);
|
|
|
|
if (!CounterPtr)
|
|
|
|
return false;
|
|
|
|
bool Done = false;
|
|
|
|
uint8_t *Addr = reinterpret_cast<uint8_t *>(CounterPtr);
|
|
|
|
IterateCounterRegions([&](Module::Region &R) {
|
|
|
|
if (!R.OneFullPage || R.Enabled || Done) return;
|
|
|
|
if (Addr >= R.Start && Addr < R.Stop)
|
|
|
|
if (Mprotect(R.Start, R.Stop - R.Start, true)) {
|
|
|
|
R.Enabled = true;
|
|
|
|
Done = true;
|
|
|
|
}
|
|
|
|
});
|
|
|
|
return Done;
|
|
|
|
}
|
|
|
|
|
2017-08-26 03:29:47 +08:00
|
|
|
void TracePC::HandlePCsInit(const uintptr_t *Start, const uintptr_t *Stop) {
|
|
|
|
const PCTableEntry *B = reinterpret_cast<const PCTableEntry *>(Start);
|
|
|
|
const PCTableEntry *E = reinterpret_cast<const PCTableEntry *>(Stop);
|
2017-08-22 07:25:50 +08:00
|
|
|
if (NumPCTables && ModulePCTable[NumPCTables - 1].Start == B) return;
|
|
|
|
assert(NumPCTables < sizeof(ModulePCTable) / sizeof(ModulePCTable[0]));
|
|
|
|
ModulePCTable[NumPCTables++] = {B, E};
|
|
|
|
NumPCsInPCTables += E - B;
|
|
|
|
}
|
|
|
|
|
|
|
|
void TracePC::PrintModuleInfo() {
|
2019-01-30 14:15:52 +08:00
|
|
|
if (NumModules) {
|
2017-08-22 07:25:50 +08:00
|
|
|
Printf("INFO: Loaded %zd modules (%zd inline 8-bit counters): ",
|
2019-01-30 14:15:52 +08:00
|
|
|
NumModules, NumInline8bitCounters);
|
|
|
|
for (size_t i = 0; i < NumModules; i++)
|
|
|
|
Printf("%zd [%p, %p), ", Modules[i].Size(), Modules[i].Start(),
|
|
|
|
Modules[i].Stop());
|
2017-08-22 07:25:50 +08:00
|
|
|
Printf("\n");
|
|
|
|
}
|
|
|
|
if (NumPCTables) {
|
|
|
|
Printf("INFO: Loaded %zd PC tables (%zd PCs): ", NumPCTables,
|
|
|
|
NumPCsInPCTables);
|
|
|
|
for (size_t i = 0; i < NumPCTables; i++) {
|
|
|
|
Printf("%zd [%p,%p), ", ModulePCTable[i].Stop - ModulePCTable[i].Start,
|
|
|
|
ModulePCTable[i].Start, ModulePCTable[i].Stop);
|
|
|
|
}
|
|
|
|
Printf("\n");
|
|
|
|
|
2019-01-30 07:53:28 +08:00
|
|
|
if (NumInline8bitCounters && NumInline8bitCounters != NumPCsInPCTables) {
|
2017-10-14 08:07:11 +08:00
|
|
|
Printf("ERROR: The size of coverage PC tables does not match the\n"
|
|
|
|
"number of instrumented PCs. This might be a compiler bug,\n"
|
|
|
|
"please contact the libFuzzer developers.\n"
|
|
|
|
"Also check https://bugs.llvm.org/show_bug.cgi?id=34636\n"
|
|
|
|
"for possible workarounds (tl;dr: don't use the old GNU ld)\n");
|
2017-08-22 07:25:50 +08:00
|
|
|
_Exit(1);
|
|
|
|
}
|
|
|
|
}
|
2018-04-20 14:46:19 +08:00
|
|
|
if (size_t NumExtraCounters = ExtraCountersEnd() - ExtraCountersBegin())
|
|
|
|
Printf("INFO: %zd Extra Counters\n", NumExtraCounters);
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
void TracePC::HandleCallerCallee(uintptr_t Caller, uintptr_t Callee) {
|
|
|
|
const uintptr_t kBits = 12;
|
|
|
|
const uintptr_t kMask = (1 << kBits) - 1;
|
|
|
|
uintptr_t Idx = (Caller & kMask) | ((Callee & kMask) << kBits);
|
|
|
|
ValueProfileMap.AddValueModPrime(Idx);
|
|
|
|
}
|
|
|
|
|
2018-10-10 08:57:44 +08:00
|
|
|
/// \return the address of the previous instruction.
|
|
|
|
/// Note: the logic is copied from `sanitizer_common/sanitizer_stacktrace.h`
|
|
|
|
inline ALWAYS_INLINE uintptr_t GetPreviousInstructionPc(uintptr_t PC) {
|
|
|
|
#if defined(__arm__)
|
|
|
|
// T32 (Thumb) branch instructions might be 16 or 32 bit long,
|
|
|
|
// so we return (pc-2) in that case in order to be safe.
|
|
|
|
// For A32 mode we return (pc-4) because all instructions are 32 bit long.
|
|
|
|
return (PC - 3) & (~1);
|
|
|
|
#elif defined(__powerpc__) || defined(__powerpc64__) || defined(__aarch64__)
|
|
|
|
// PCs are always 4 byte aligned.
|
|
|
|
return PC - 4;
|
|
|
|
#elif defined(__sparc__) || defined(__mips__)
|
|
|
|
return PC - 8;
|
|
|
|
#else
|
|
|
|
return PC - 1;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
/// \return the address of the next instruction.
|
|
|
|
/// Note: the logic is copied from `sanitizer_common/sanitizer_stacktrace.cc`
|
|
|
|
inline ALWAYS_INLINE uintptr_t GetNextInstructionPc(uintptr_t PC) {
|
|
|
|
#if defined(__mips__)
|
|
|
|
return PC + 8;
|
|
|
|
#elif defined(__powerpc__) || defined(__sparc__) || defined(__arm__) || \
|
|
|
|
defined(__aarch64__)
|
|
|
|
return PC + 4;
|
|
|
|
#else
|
|
|
|
return PC + 1;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2017-08-22 07:25:50 +08:00
|
|
|
void TracePC::UpdateObservedPCs() {
|
2017-08-29 06:52:22 +08:00
|
|
|
Vector<uintptr_t> CoveredFuncs;
|
2017-08-26 04:09:25 +08:00
|
|
|
auto ObservePC = [&](uintptr_t PC) {
|
2018-07-07 03:47:00 +08:00
|
|
|
if (ObservedPCs.insert(PC).second && DoPrintNewPCs) {
|
2018-10-10 08:57:44 +08:00
|
|
|
PrintPC("\tNEW_PC: %p %F %L", "\tNEW_PC: %p", GetNextInstructionPc(PC));
|
2018-07-07 03:47:00 +08:00
|
|
|
Printf("\n");
|
|
|
|
}
|
2017-08-22 09:28:32 +08:00
|
|
|
};
|
2017-08-26 04:09:25 +08:00
|
|
|
|
|
|
|
auto Observe = [&](const PCTableEntry &TE) {
|
|
|
|
if (TE.PCFlags & 1)
|
2018-07-20 06:00:48 +08:00
|
|
|
if (++ObservedFuncs[TE.PC] == 1 && NumPrintNewFuncs)
|
2017-08-29 06:52:22 +08:00
|
|
|
CoveredFuncs.push_back(TE.PC);
|
2017-08-26 04:09:25 +08:00
|
|
|
ObservePC(TE.PC);
|
|
|
|
};
|
|
|
|
|
2017-08-22 07:25:50 +08:00
|
|
|
if (NumPCsInPCTables) {
|
|
|
|
if (NumInline8bitCounters == NumPCsInPCTables) {
|
2019-01-30 14:15:52 +08:00
|
|
|
for (size_t i = 0; i < NumModules; i++) {
|
|
|
|
auto &M = Modules[i];
|
|
|
|
assert(M.Size() ==
|
2019-01-16 06:12:51 +08:00
|
|
|
(size_t)(ModulePCTable[i].Stop - ModulePCTable[i].Start));
|
2019-01-30 14:15:52 +08:00
|
|
|
for (size_t r = 0; r < M.NumRegions; r++) {
|
|
|
|
auto &R = M.Regions[r];
|
|
|
|
if (!R.Enabled) continue;
|
|
|
|
for (uint8_t *P = R.Start; P < R.Stop; P++)
|
|
|
|
if (*P)
|
|
|
|
Observe(ModulePCTable[i].Start[M.Idx(P)]);
|
|
|
|
}
|
2019-01-16 06:12:51 +08:00
|
|
|
}
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
}
|
2017-08-29 06:52:22 +08:00
|
|
|
|
2018-07-20 06:00:48 +08:00
|
|
|
for (size_t i = 0, N = Min(CoveredFuncs.size(), NumPrintNewFuncs); i < N;
|
|
|
|
i++) {
|
2018-06-08 05:15:24 +08:00
|
|
|
Printf("\tNEW_FUNC[%zd/%zd]: ", i + 1, CoveredFuncs.size());
|
2018-10-10 08:57:44 +08:00
|
|
|
PrintPC("%p %F %L", "%p", GetNextInstructionPc(CoveredFuncs[i]));
|
2018-07-07 03:47:00 +08:00
|
|
|
Printf("\n");
|
2017-08-29 06:52:22 +08:00
|
|
|
}
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static std::string GetModuleName(uintptr_t PC) {
|
|
|
|
char ModulePathRaw[4096] = ""; // What's PATH_MAX in portable C++?
|
|
|
|
void *OffsetRaw = nullptr;
|
|
|
|
if (!EF->__sanitizer_get_module_and_offset_for_pc(
|
|
|
|
reinterpret_cast<void *>(PC), ModulePathRaw,
|
|
|
|
sizeof(ModulePathRaw), &OffsetRaw))
|
|
|
|
return "";
|
|
|
|
return ModulePathRaw;
|
|
|
|
}
|
|
|
|
|
2018-05-11 09:17:52 +08:00
|
|
|
template<class CallBack>
|
|
|
|
void TracePC::IterateCoveredFunctions(CallBack CB) {
|
|
|
|
for (size_t i = 0; i < NumPCTables; i++) {
|
|
|
|
auto &M = ModulePCTable[i];
|
|
|
|
assert(M.Start < M.Stop);
|
|
|
|
auto ModuleName = GetModuleName(M.Start->PC);
|
|
|
|
for (auto NextFE = M.Start; NextFE < M.Stop; ) {
|
|
|
|
auto FE = NextFE;
|
|
|
|
assert((FE->PCFlags & 1) && "Not a function entry point");
|
|
|
|
do {
|
|
|
|
NextFE++;
|
|
|
|
} while (NextFE < M.Stop && !(NextFE->PCFlags & 1));
|
2019-01-26 09:33:09 +08:00
|
|
|
CB(FE, NextFE, ObservedFuncs[FE->PC]);
|
2018-05-11 09:17:52 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-05-17 07:26:37 +08:00
|
|
|
void TracePC::SetFocusFunction(const std::string &FuncName) {
|
|
|
|
// This function should be called once.
|
2019-01-30 14:15:52 +08:00
|
|
|
assert(!FocusFunctionCounterPtr);
|
2018-05-17 07:26:37 +08:00
|
|
|
if (FuncName.empty())
|
|
|
|
return;
|
2019-01-30 14:15:52 +08:00
|
|
|
for (size_t M = 0; M < NumModules; M++) {
|
2018-05-17 07:26:37 +08:00
|
|
|
auto &PCTE = ModulePCTable[M];
|
|
|
|
size_t N = PCTE.Stop - PCTE.Start;
|
|
|
|
for (size_t I = 0; I < N; I++) {
|
|
|
|
if (!(PCTE.Start[I].PCFlags & 1)) continue; // not a function entry.
|
|
|
|
auto Name = DescribePC("%F", GetNextInstructionPc(PCTE.Start[I].PC));
|
|
|
|
if (Name[0] == 'i' && Name[1] == 'n' && Name[2] == ' ')
|
|
|
|
Name = Name.substr(3, std::string::npos);
|
|
|
|
if (FuncName != Name) continue;
|
|
|
|
Printf("INFO: Focus function is set to '%s'\n", Name.c_str());
|
2019-01-30 14:15:52 +08:00
|
|
|
FocusFunctionCounterPtr = Modules[M].Start() + I;
|
2018-05-17 07:26:37 +08:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
bool TracePC::ObservedFocusFunction() {
|
2019-01-30 14:15:52 +08:00
|
|
|
return FocusFunctionCounterPtr && *FocusFunctionCounterPtr;
|
2018-05-17 07:26:37 +08:00
|
|
|
}
|
|
|
|
|
2017-08-22 07:25:50 +08:00
|
|
|
void TracePC::PrintCoverage() {
|
|
|
|
if (!EF->__sanitizer_symbolize_pc ||
|
|
|
|
!EF->__sanitizer_get_module_and_offset_for_pc) {
|
|
|
|
Printf("INFO: __sanitizer_symbolize_pc or "
|
|
|
|
"__sanitizer_get_module_and_offset_for_pc is not available,"
|
|
|
|
" not printing coverage\n");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
Printf("COVERAGE:\n");
|
2018-07-20 06:00:48 +08:00
|
|
|
auto CoveredFunctionCallback = [&](const PCTableEntry *First,
|
|
|
|
const PCTableEntry *Last,
|
|
|
|
uintptr_t Counter) {
|
2018-05-11 09:17:52 +08:00
|
|
|
assert(First < Last);
|
|
|
|
auto VisualizePC = GetNextInstructionPc(First->PC);
|
|
|
|
std::string FileStr = DescribePC("%s", VisualizePC);
|
2018-07-20 06:00:48 +08:00
|
|
|
if (!IsInterestingCoverageFile(FileStr))
|
|
|
|
return;
|
2018-05-11 09:17:52 +08:00
|
|
|
std::string FunctionStr = DescribePC("%F", VisualizePC);
|
2018-07-20 06:00:48 +08:00
|
|
|
if (FunctionStr.find("in ") == 0)
|
|
|
|
FunctionStr = FunctionStr.substr(3);
|
2018-05-11 09:17:52 +08:00
|
|
|
std::string LineStr = DescribePC("%l", VisualizePC);
|
|
|
|
size_t Line = std::stoul(LineStr);
|
2018-07-20 06:00:48 +08:00
|
|
|
size_t NumEdges = Last - First;
|
2018-06-25 23:59:24 +08:00
|
|
|
Vector<uintptr_t> UncoveredPCs;
|
2018-05-11 09:17:52 +08:00
|
|
|
for (auto TE = First; TE < Last; TE++)
|
|
|
|
if (!ObservedPCs.count(TE->PC))
|
|
|
|
UncoveredPCs.push_back(TE->PC);
|
2019-01-26 09:33:09 +08:00
|
|
|
Printf("%sCOVERED_FUNC: hits: %zd", Counter ? "" : "UN", Counter);
|
2018-07-20 06:00:48 +08:00
|
|
|
Printf(" edges: %zd/%zd", NumEdges - UncoveredPCs.size(), NumEdges);
|
|
|
|
Printf(" %s %s:%zd\n", FunctionStr.c_str(), FileStr.c_str(), Line);
|
2019-01-26 09:33:09 +08:00
|
|
|
if (Counter)
|
|
|
|
for (auto PC : UncoveredPCs)
|
|
|
|
Printf(" UNCOVERED_PC: %s\n",
|
|
|
|
DescribePC("%s:%l", GetNextInstructionPc(PC)).c_str());
|
2017-08-22 07:25:50 +08:00
|
|
|
};
|
|
|
|
|
2018-05-11 09:17:52 +08:00
|
|
|
IterateCoveredFunctions(CoveredFunctionCallback);
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
// Value profile.
|
|
|
|
// We keep track of various values that affect control flow.
|
|
|
|
// These values are inserted into a bit-set-based hash map.
|
|
|
|
// Every new bit in the map is treated as a new coverage.
|
|
|
|
//
|
|
|
|
// For memcmp/strcmp/etc the interesting value is the length of the common
|
|
|
|
// prefix of the parameters.
|
|
|
|
// For cmp instructions the interesting value is a XOR of the parameters.
|
|
|
|
// The interesting value is mixed up with the PC and is then added to the map.
|
|
|
|
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
void TracePC::AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
|
|
|
|
size_t n, bool StopAtZero) {
|
|
|
|
if (!n) return;
|
|
|
|
size_t Len = std::min(n, Word::GetMaxSize());
|
|
|
|
const uint8_t *A1 = reinterpret_cast<const uint8_t *>(s1);
|
|
|
|
const uint8_t *A2 = reinterpret_cast<const uint8_t *>(s2);
|
|
|
|
uint8_t B1[Word::kMaxSize];
|
|
|
|
uint8_t B2[Word::kMaxSize];
|
|
|
|
// Copy the data into locals in this non-msan-instrumented function
|
|
|
|
// to avoid msan complaining further.
|
|
|
|
size_t Hash = 0; // Compute some simple hash of both strings.
|
|
|
|
for (size_t i = 0; i < Len; i++) {
|
|
|
|
B1[i] = A1[i];
|
|
|
|
B2[i] = A2[i];
|
|
|
|
size_t T = B1[i];
|
|
|
|
Hash ^= (T << 8) | B2[i];
|
|
|
|
}
|
|
|
|
size_t I = 0;
|
|
|
|
for (; I < Len; I++)
|
|
|
|
if (B1[I] != B2[I] || (StopAtZero && B1[I] == 0))
|
|
|
|
break;
|
|
|
|
size_t PC = reinterpret_cast<size_t>(caller_pc);
|
|
|
|
size_t Idx = (PC & 4095) | (I << 12);
|
|
|
|
ValueProfileMap.AddValue(Idx);
|
|
|
|
TORCW.Insert(Idx ^ Hash, Word(B1, Len), Word(B2, Len));
|
|
|
|
}
|
|
|
|
|
|
|
|
template <class T>
|
|
|
|
ATTRIBUTE_TARGET_POPCNT ALWAYS_INLINE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
void TracePC::HandleCmp(uintptr_t PC, T Arg1, T Arg2) {
|
|
|
|
uint64_t ArgXor = Arg1 ^ Arg2;
|
|
|
|
if (sizeof(T) == 4)
|
2018-07-16 23:15:34 +08:00
|
|
|
TORC4.Insert(ArgXor, Arg1, Arg2);
|
2017-08-22 07:25:50 +08:00
|
|
|
else if (sizeof(T) == 8)
|
2018-07-16 23:15:34 +08:00
|
|
|
TORC8.Insert(ArgXor, Arg1, Arg2);
|
2019-01-10 05:46:09 +08:00
|
|
|
uint64_t HammingDistance = Popcountll(ArgXor); // [0,64]
|
|
|
|
uint64_t AbsoluteDistance = (Arg1 == Arg2 ? 0 : Clzll(Arg1 - Arg2) + 1);
|
2018-08-02 08:24:49 +08:00
|
|
|
ValueProfileMap.AddValue(PC * 128 + HammingDistance);
|
|
|
|
ValueProfileMap.AddValue(PC * 128 + 64 + AbsoluteDistance);
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static size_t InternalStrnlen(const char *S, size_t MaxLen) {
|
|
|
|
size_t Len = 0;
|
|
|
|
for (; Len < MaxLen && S[Len]; Len++) {}
|
|
|
|
return Len;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Finds min of (strlen(S1), strlen(S2)).
|
|
|
|
// Needed bacause one of these strings may actually be non-zero terminated.
|
|
|
|
static size_t InternalStrnlen2(const char *S1, const char *S2) {
|
|
|
|
size_t Len = 0;
|
|
|
|
for (; S1[Len] && S2[Len]; Len++) {}
|
|
|
|
return Len;
|
|
|
|
}
|
|
|
|
|
|
|
|
void TracePC::ClearInlineCounters() {
|
2019-01-30 14:15:52 +08:00
|
|
|
IterateCounterRegions([](const Module::Region &R){
|
|
|
|
if (R.Enabled)
|
|
|
|
memset(R.Start, 0, R.Stop - R.Start);
|
|
|
|
});
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
2017-08-22 09:50:00 +08:00
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
2017-08-22 09:28:32 +08:00
|
|
|
void TracePC::RecordInitialStack() {
|
2017-08-22 09:50:00 +08:00
|
|
|
int stack;
|
|
|
|
__sancov_lowest_stack = InitialStack = reinterpret_cast<uintptr_t>(&stack);
|
2017-08-22 09:28:32 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
uintptr_t TracePC::GetMaxStackOffset() const {
|
|
|
|
return InitialStack - __sancov_lowest_stack; // Stack grows down
|
|
|
|
}
|
|
|
|
|
2019-01-30 07:37:20 +08:00
|
|
|
void WarnAboutDeprecatedInstrumentation(const char *flag) {
|
|
|
|
Printf("libFuzzer does not support %s any more.\n"
|
|
|
|
"Please either migrate to a compiler that supports -fsanitize=fuzzer\n"
|
|
|
|
"or use an older version of libFuzzer\n", flag);
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
2017-08-22 07:25:50 +08:00
|
|
|
} // namespace fuzzer
|
|
|
|
|
|
|
|
extern "C" {
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
void __sanitizer_cov_trace_pc_guard(uint32_t *Guard) {
|
2019-01-30 07:37:20 +08:00
|
|
|
fuzzer::WarnAboutDeprecatedInstrumentation("-fsanitize-coverage=trace-pc");
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
// Best-effort support for -fsanitize-coverage=trace-pc, which is available
|
|
|
|
// in both Clang and GCC.
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
void __sanitizer_cov_trace_pc() {
|
2019-01-30 07:37:20 +08:00
|
|
|
fuzzer::WarnAboutDeprecatedInstrumentation(
|
|
|
|
"-fsanitize-coverage=trace-pc-guard");
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
void __sanitizer_cov_trace_pc_guard_init(uint32_t *Start, uint32_t *Stop) {
|
2019-01-30 07:37:20 +08:00
|
|
|
fuzzer::WarnAboutDeprecatedInstrumentation(
|
|
|
|
"-fsanitize-coverage=trace-pc-guard");
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
void __sanitizer_cov_8bit_counters_init(uint8_t *Start, uint8_t *Stop) {
|
|
|
|
fuzzer::TPC.HandleInline8bitCountersInit(Start, Stop);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
2017-08-26 03:29:47 +08:00
|
|
|
void __sanitizer_cov_pcs_init(const uintptr_t *pcs_beg,
|
|
|
|
const uintptr_t *pcs_end) {
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandlePCsInit(pcs_beg, pcs_end);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
void __sanitizer_cov_trace_pc_indir(uintptr_t Callee) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCallerCallee(PC, Callee);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
// Now the __sanitizer_cov_trace_const_cmp[1248] callbacks just mimic
|
|
|
|
// the behaviour of __sanitizer_cov_trace_cmp[1248] ones. This, however,
|
|
|
|
// should be changed later to make full use of instrumentation.
|
|
|
|
void __sanitizer_cov_trace_const_cmp8(uint64_t Arg1, uint64_t Arg2) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
void __sanitizer_cov_trace_cmp4(uint32_t Arg1, uint32_t Arg2) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
void __sanitizer_cov_trace_const_cmp4(uint32_t Arg1, uint32_t Arg2) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
void __sanitizer_cov_trace_cmp2(uint16_t Arg1, uint16_t Arg2) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
void __sanitizer_cov_trace_const_cmp2(uint16_t Arg1, uint16_t Arg2) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
void __sanitizer_cov_trace_cmp1(uint8_t Arg1, uint8_t Arg2) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
void __sanitizer_cov_trace_const_cmp1(uint8_t Arg1, uint8_t Arg2) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
|
|
|
|
uint64_t N = Cases[0];
|
|
|
|
uint64_t ValSizeInBits = Cases[1];
|
|
|
|
uint64_t *Vals = Cases + 2;
|
2019-01-25 05:08:54 +08:00
|
|
|
// Skip the most common and the most boring case: all switch values are small.
|
|
|
|
// We may want to skip this at compile-time, but it will make the
|
|
|
|
// instrumentation less general.
|
|
|
|
if (Vals[N - 1] < 256)
|
|
|
|
return;
|
|
|
|
// Also skip small inputs values, they won't give good signal.
|
|
|
|
if (Val < 256)
|
2017-08-22 07:25:50 +08:00
|
|
|
return;
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
size_t i;
|
2019-01-25 05:08:54 +08:00
|
|
|
uint64_t Smaller = 0;
|
|
|
|
uint64_t Larger = ~(uint64_t)0;
|
|
|
|
// Find two switch values such that Smaller < Val < Larger.
|
|
|
|
// Use 0 and 0xfff..f as the defaults.
|
2017-08-22 07:25:50 +08:00
|
|
|
for (i = 0; i < N; i++) {
|
2019-01-25 05:08:54 +08:00
|
|
|
if (Val < Vals[i]) {
|
|
|
|
Larger = Vals[i];
|
2017-08-22 07:25:50 +08:00
|
|
|
break;
|
2019-01-25 05:08:54 +08:00
|
|
|
}
|
|
|
|
if (Val > Vals[i]) Smaller = Vals[i];
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
2019-01-25 05:08:54 +08:00
|
|
|
// Apply HandleCmp to {Val,Smaller} and {Val, Larger},
|
|
|
|
// use i as the PC modifier for HandleCmp.
|
|
|
|
if (ValSizeInBits == 16) {
|
|
|
|
fuzzer::TPC.HandleCmp(PC + 2 * i, static_cast<uint16_t>(Val),
|
|
|
|
(uint16_t)(Smaller));
|
|
|
|
fuzzer::TPC.HandleCmp(PC + 2 * i + 1, static_cast<uint16_t>(Val),
|
|
|
|
(uint16_t)(Larger));
|
|
|
|
} else if (ValSizeInBits == 32) {
|
|
|
|
fuzzer::TPC.HandleCmp(PC + 2 * i, static_cast<uint32_t>(Val),
|
|
|
|
(uint32_t)(Smaller));
|
|
|
|
fuzzer::TPC.HandleCmp(PC + 2 * i + 1, static_cast<uint32_t>(Val),
|
|
|
|
(uint32_t)(Larger));
|
|
|
|
} else {
|
|
|
|
fuzzer::TPC.HandleCmp(PC + 2*i, Val, Smaller);
|
|
|
|
fuzzer::TPC.HandleCmp(PC + 2*i + 1, Val, Larger);
|
|
|
|
}
|
2017-08-22 07:25:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
void __sanitizer_cov_trace_div4(uint32_t Val) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCmp(PC, Val, (uint32_t)0);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
void __sanitizer_cov_trace_div8(uint64_t Val) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCmp(PC, Val, (uint64_t)0);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE
|
|
|
|
ATTRIBUTE_NO_SANITIZE_ALL
|
|
|
|
ATTRIBUTE_TARGET_POPCNT
|
|
|
|
void __sanitizer_cov_trace_gep(uintptr_t Idx) {
|
2019-01-10 05:46:09 +08:00
|
|
|
uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.HandleCmp(PC, Idx, (uintptr_t)0);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
|
|
|
|
void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
|
|
|
|
const void *s2, size_t n, int result) {
|
2018-07-18 00:12:00 +08:00
|
|
|
if (!fuzzer::RunningUserCallback) return;
|
2017-08-22 07:25:50 +08:00
|
|
|
if (result == 0) return; // No reason to mutate.
|
|
|
|
if (n <= 1) return; // Not interesting.
|
|
|
|
fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n, /*StopAtZero*/false);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
|
|
|
|
void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
|
|
|
|
const char *s2, size_t n, int result) {
|
2018-07-18 00:12:00 +08:00
|
|
|
if (!fuzzer::RunningUserCallback) return;
|
2017-08-22 07:25:50 +08:00
|
|
|
if (result == 0) return; // No reason to mutate.
|
|
|
|
size_t Len1 = fuzzer::InternalStrnlen(s1, n);
|
|
|
|
size_t Len2 = fuzzer::InternalStrnlen(s2, n);
|
|
|
|
n = std::min(n, Len1);
|
|
|
|
n = std::min(n, Len2);
|
|
|
|
if (n <= 1) return; // Not interesting.
|
|
|
|
fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n, /*StopAtZero*/true);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
|
|
|
|
void __sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1,
|
2018-07-16 23:15:34 +08:00
|
|
|
const char *s2, int result) {
|
2018-07-18 00:12:00 +08:00
|
|
|
if (!fuzzer::RunningUserCallback) return;
|
2017-08-22 07:25:50 +08:00
|
|
|
if (result == 0) return; // No reason to mutate.
|
|
|
|
size_t N = fuzzer::InternalStrnlen2(s1, s2);
|
|
|
|
if (N <= 1) return; // Not interesting.
|
|
|
|
fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, N, /*StopAtZero*/true);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
|
|
|
|
void __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1,
|
|
|
|
const char *s2, size_t n, int result) {
|
2018-07-18 00:12:00 +08:00
|
|
|
if (!fuzzer::RunningUserCallback) return;
|
2017-08-22 07:25:50 +08:00
|
|
|
return __sanitizer_weak_hook_strncmp(called_pc, s1, s2, n, result);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
|
|
|
|
void __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1,
|
|
|
|
const char *s2, int result) {
|
2018-07-18 00:12:00 +08:00
|
|
|
if (!fuzzer::RunningUserCallback) return;
|
2017-08-22 07:25:50 +08:00
|
|
|
return __sanitizer_weak_hook_strcmp(called_pc, s1, s2, result);
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
|
|
|
|
void __sanitizer_weak_hook_strstr(void *called_pc, const char *s1,
|
|
|
|
const char *s2, char *result) {
|
2018-07-18 00:12:00 +08:00
|
|
|
if (!fuzzer::RunningUserCallback) return;
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
|
|
|
|
void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1,
|
|
|
|
const char *s2, char *result) {
|
2018-07-18 00:12:00 +08:00
|
|
|
if (!fuzzer::RunningUserCallback) return;
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
|
|
|
|
}
|
|
|
|
|
|
|
|
ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
|
|
|
|
void __sanitizer_weak_hook_memmem(void *called_pc, const void *s1, size_t len1,
|
|
|
|
const void *s2, size_t len2, void *result) {
|
2018-07-18 00:12:00 +08:00
|
|
|
if (!fuzzer::RunningUserCallback) return;
|
2017-08-22 07:25:50 +08:00
|
|
|
fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), len2);
|
|
|
|
}
|
|
|
|
} // extern "C"
|