forked from OSchip/llvm-project
parent
61d35249b1
commit
2891b257c2
|
@ -621,7 +621,6 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
|
||||||
Options.PrintFinalStats = Flags.print_final_stats;
|
Options.PrintFinalStats = Flags.print_final_stats;
|
||||||
Options.PrintCorpusStats = Flags.print_corpus_stats;
|
Options.PrintCorpusStats = Flags.print_corpus_stats;
|
||||||
Options.PrintCoverage = Flags.print_coverage;
|
Options.PrintCoverage = Flags.print_coverage;
|
||||||
Options.DumpCoverage = Flags.dump_coverage;
|
|
||||||
if (Flags.exit_on_src_pos)
|
if (Flags.exit_on_src_pos)
|
||||||
Options.ExitOnSrcPos = Flags.exit_on_src_pos;
|
Options.ExitOnSrcPos = Flags.exit_on_src_pos;
|
||||||
if (Flags.exit_on_item)
|
if (Flags.exit_on_item)
|
||||||
|
|
|
@ -43,8 +43,6 @@ EXT_FUNC(__sanitizer_get_module_and_offset_for_pc, int,
|
||||||
size_t module_path_len,void **pc_offset), false);
|
size_t module_path_len,void **pc_offset), false);
|
||||||
EXT_FUNC(__sanitizer_set_death_callback, void, (void (*)(void)), true);
|
EXT_FUNC(__sanitizer_set_death_callback, void, (void (*)(void)), true);
|
||||||
EXT_FUNC(__sanitizer_set_report_fd, void, (void*), false);
|
EXT_FUNC(__sanitizer_set_report_fd, void, (void*), false);
|
||||||
EXT_FUNC(__sanitizer_dump_coverage, void, (const uintptr_t *, uintptr_t),
|
|
||||||
false);
|
|
||||||
EXT_FUNC(__msan_scoped_disable_interceptor_checks, void, (), false);
|
EXT_FUNC(__msan_scoped_disable_interceptor_checks, void, (), false);
|
||||||
EXT_FUNC(__msan_scoped_enable_interceptor_checks, void, (), false);
|
EXT_FUNC(__msan_scoped_enable_interceptor_checks, void, (), false);
|
||||||
EXT_FUNC(__msan_unpoison, void, (const volatile void *, size_t size), false);
|
EXT_FUNC(__msan_unpoison, void, (const volatile void *, size_t size), false);
|
||||||
|
|
|
@ -106,9 +106,7 @@ FUZZER_FLAG_INT(print_corpus_stats, 0,
|
||||||
"If 1, print statistics on corpus elements at exit.")
|
"If 1, print statistics on corpus elements at exit.")
|
||||||
FUZZER_FLAG_INT(print_coverage, 0, "If 1, print coverage information as text"
|
FUZZER_FLAG_INT(print_coverage, 0, "If 1, print coverage information as text"
|
||||||
" at exit.")
|
" at exit.")
|
||||||
FUZZER_FLAG_INT(dump_coverage, 0, "Deprecated."
|
FUZZER_FLAG_INT(dump_coverage, 0, "Deprecated.")
|
||||||
" If 1, dump coverage information as a"
|
|
||||||
" .sancov file at exit.")
|
|
||||||
FUZZER_FLAG_INT(handle_segv, 1, "If 1, try to intercept SIGSEGV.")
|
FUZZER_FLAG_INT(handle_segv, 1, "If 1, try to intercept SIGSEGV.")
|
||||||
FUZZER_FLAG_INT(handle_bus, 1, "If 1, try to intercept SIGBUS.")
|
FUZZER_FLAG_INT(handle_bus, 1, "If 1, try to intercept SIGBUS.")
|
||||||
FUZZER_FLAG_INT(handle_abrt, 1, "If 1, try to intercept SIGABRT.")
|
FUZZER_FLAG_INT(handle_abrt, 1, "If 1, try to intercept SIGABRT.")
|
||||||
|
|
|
@ -354,8 +354,6 @@ void Fuzzer::PrintStats(const char *Where, const char *End, size_t Units) {
|
||||||
void Fuzzer::PrintFinalStats() {
|
void Fuzzer::PrintFinalStats() {
|
||||||
if (Options.PrintCoverage)
|
if (Options.PrintCoverage)
|
||||||
TPC.PrintCoverage();
|
TPC.PrintCoverage();
|
||||||
if (Options.DumpCoverage)
|
|
||||||
TPC.DumpCoverage();
|
|
||||||
if (Options.PrintCorpusStats)
|
if (Options.PrintCorpusStats)
|
||||||
Corpus.PrintStats();
|
Corpus.PrintStats();
|
||||||
if (!Options.PrintFinalStats)
|
if (!Options.PrintFinalStats)
|
||||||
|
|
|
@ -23,15 +23,6 @@
|
||||||
#include "FuzzerValueBitMap.h"
|
#include "FuzzerValueBitMap.h"
|
||||||
#include <set>
|
#include <set>
|
||||||
|
|
||||||
// The coverage counters and PCs.
|
|
||||||
// These are declared as global variables named "__sancov_*" to simplify
|
|
||||||
// experiments with inlined instrumentation.
|
|
||||||
alignas(64) ATTRIBUTE_INTERFACE
|
|
||||||
uint8_t __sancov_trace_pc_guard_8bit_counters[fuzzer::TracePC::kNumPCs];
|
|
||||||
|
|
||||||
ATTRIBUTE_INTERFACE
|
|
||||||
uintptr_t __sancov_trace_pc_pcs[fuzzer::TracePC::kNumPCs];
|
|
||||||
|
|
||||||
// Used by -fsanitize-coverage=stack-depth to track stack depth
|
// Used by -fsanitize-coverage=stack-depth to track stack depth
|
||||||
ATTRIBUTES_INTERFACE_TLS_INITIAL_EXEC uintptr_t __sancov_lowest_stack;
|
ATTRIBUTES_INTERFACE_TLS_INITIAL_EXEC uintptr_t __sancov_lowest_stack;
|
||||||
|
|
||||||
|
@ -39,22 +30,8 @@ namespace fuzzer {
|
||||||
|
|
||||||
TracePC TPC;
|
TracePC TPC;
|
||||||
|
|
||||||
uint8_t *TracePC::Counters() const {
|
|
||||||
return __sancov_trace_pc_guard_8bit_counters;
|
|
||||||
}
|
|
||||||
|
|
||||||
uintptr_t *TracePC::PCs() const {
|
|
||||||
return __sancov_trace_pc_pcs;
|
|
||||||
}
|
|
||||||
|
|
||||||
size_t TracePC::GetTotalPCCoverage() {
|
size_t TracePC::GetTotalPCCoverage() {
|
||||||
if (ObservedPCs.size())
|
|
||||||
return ObservedPCs.size();
|
return ObservedPCs.size();
|
||||||
size_t Res = 0;
|
|
||||||
for (size_t i = 1, N = GetNumPCs(); i < N; i++)
|
|
||||||
if (PCs()[i])
|
|
||||||
Res++;
|
|
||||||
return Res;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -77,32 +54,7 @@ void TracePC::HandlePCsInit(const uintptr_t *Start, const uintptr_t *Stop) {
|
||||||
NumPCsInPCTables += E - B;
|
NumPCsInPCTables += E - B;
|
||||||
}
|
}
|
||||||
|
|
||||||
void TracePC::HandleInit(uint32_t *Start, uint32_t *Stop) {
|
|
||||||
if (Start == Stop || *Start) return;
|
|
||||||
assert(NumModules < sizeof(Modules) / sizeof(Modules[0]));
|
|
||||||
for (uint32_t *P = Start; P < Stop; P++) {
|
|
||||||
NumGuards++;
|
|
||||||
if (NumGuards == kNumPCs) {
|
|
||||||
RawPrint(
|
|
||||||
"WARNING: The binary has too many instrumented PCs.\n"
|
|
||||||
" You may want to reduce the size of the binary\n"
|
|
||||||
" for more efficient fuzzing and precise coverage data\n");
|
|
||||||
}
|
|
||||||
*P = NumGuards % kNumPCs;
|
|
||||||
}
|
|
||||||
Modules[NumModules].Start = Start;
|
|
||||||
Modules[NumModules].Stop = Stop;
|
|
||||||
NumModules++;
|
|
||||||
}
|
|
||||||
|
|
||||||
void TracePC::PrintModuleInfo() {
|
void TracePC::PrintModuleInfo() {
|
||||||
if (NumGuards) {
|
|
||||||
Printf("INFO: Loaded %zd modules (%zd guards): ", NumModules, NumGuards);
|
|
||||||
for (size_t i = 0; i < NumModules; i++)
|
|
||||||
Printf("%zd [%p, %p), ", Modules[i].Stop - Modules[i].Start,
|
|
||||||
Modules[i].Start, Modules[i].Stop);
|
|
||||||
Printf("\n");
|
|
||||||
}
|
|
||||||
if (NumModulesWithInline8bitCounters) {
|
if (NumModulesWithInline8bitCounters) {
|
||||||
Printf("INFO: Loaded %zd modules (%zd inline 8-bit counters): ",
|
Printf("INFO: Loaded %zd modules (%zd inline 8-bit counters): ",
|
||||||
NumModulesWithInline8bitCounters, NumInline8bitCounters);
|
NumModulesWithInline8bitCounters, NumInline8bitCounters);
|
||||||
|
@ -120,8 +72,7 @@ void TracePC::PrintModuleInfo() {
|
||||||
}
|
}
|
||||||
Printf("\n");
|
Printf("\n");
|
||||||
|
|
||||||
if ((NumGuards && NumGuards != NumPCsInPCTables) ||
|
if (NumInline8bitCounters && NumInline8bitCounters != NumPCsInPCTables) {
|
||||||
(NumInline8bitCounters && NumInline8bitCounters != NumPCsInPCTables)) {
|
|
||||||
Printf("ERROR: The size of coverage PC tables does not match the\n"
|
Printf("ERROR: The size of coverage PC tables does not match the\n"
|
||||||
"number of instrumented PCs. This might be a compiler bug,\n"
|
"number of instrumented PCs. This might be a compiler bug,\n"
|
||||||
"please contact the libFuzzer developers.\n"
|
"please contact the libFuzzer developers.\n"
|
||||||
|
@ -200,17 +151,6 @@ void TracePC::UpdateObservedPCs() {
|
||||||
if (Beg[j])
|
if (Beg[j])
|
||||||
Observe(ModulePCTable[i].Start[j]);
|
Observe(ModulePCTable[i].Start[j]);
|
||||||
}
|
}
|
||||||
} else if (NumGuards == NumPCsInPCTables) {
|
|
||||||
size_t GuardIdx = 1;
|
|
||||||
for (size_t i = 0; i < NumModules; i++) {
|
|
||||||
uint32_t *Beg = Modules[i].Start;
|
|
||||||
size_t Size = Modules[i].Stop - Beg;
|
|
||||||
assert(Size ==
|
|
||||||
(size_t)(ModulePCTable[i].Stop - ModulePCTable[i].Start));
|
|
||||||
for (size_t j = 0; j < Size; j++, GuardIdx++)
|
|
||||||
if (Counters()[GuardIdx])
|
|
||||||
Observe(ModulePCTable[i].Start[j]);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -322,15 +262,6 @@ void TracePC::PrintCoverage() {
|
||||||
IterateCoveredFunctions(CoveredFunctionCallback);
|
IterateCoveredFunctions(CoveredFunctionCallback);
|
||||||
}
|
}
|
||||||
|
|
||||||
void TracePC::DumpCoverage() {
|
|
||||||
if (EF->__sanitizer_dump_coverage) {
|
|
||||||
Vector<uintptr_t> PCsCopy(GetNumPCs());
|
|
||||||
for (size_t i = 0; i < GetNumPCs(); i++)
|
|
||||||
PCsCopy[i] = PCs()[i] ? GetPreviousInstructionPc(PCs()[i]) : 0;
|
|
||||||
EF->__sanitizer_dump_coverage(PCsCopy.data(), PCsCopy.size());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Value profile.
|
// Value profile.
|
||||||
// We keep track of various values that affect control flow.
|
// We keep track of various values that affect control flow.
|
||||||
// These values are inserted into a bit-set-based hash map.
|
// These values are inserted into a bit-set-based hash map.
|
||||||
|
|
|
@ -69,11 +69,6 @@ struct MemMemTable {
|
||||||
|
|
||||||
class TracePC {
|
class TracePC {
|
||||||
public:
|
public:
|
||||||
static const size_t kNumPCs = 1 << 21;
|
|
||||||
// How many bits of PC are used from __sanitizer_cov_trace_pc.
|
|
||||||
static const size_t kTracePcBits = 18;
|
|
||||||
|
|
||||||
void HandleInit(uint32_t *Start, uint32_t *Stop);
|
|
||||||
void HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop);
|
void HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop);
|
||||||
void HandlePCsInit(const uintptr_t *Start, const uintptr_t *Stop);
|
void HandlePCsInit(const uintptr_t *Start, const uintptr_t *Stop);
|
||||||
void HandleCallerCallee(uintptr_t Caller, uintptr_t Callee);
|
void HandleCallerCallee(uintptr_t Caller, uintptr_t Callee);
|
||||||
|
@ -88,8 +83,6 @@ class TracePC {
|
||||||
|
|
||||||
void ResetMaps() {
|
void ResetMaps() {
|
||||||
ValueProfileMap.Reset();
|
ValueProfileMap.Reset();
|
||||||
if (NumModules)
|
|
||||||
memset(Counters(), 0, GetNumPCs());
|
|
||||||
ClearExtraCounters();
|
ClearExtraCounters();
|
||||||
ClearInlineCounters();
|
ClearInlineCounters();
|
||||||
}
|
}
|
||||||
|
@ -102,7 +95,6 @@ class TracePC {
|
||||||
void PrintModuleInfo();
|
void PrintModuleInfo();
|
||||||
|
|
||||||
void PrintCoverage();
|
void PrintCoverage();
|
||||||
void DumpCoverage();
|
|
||||||
|
|
||||||
template<class CallBack>
|
template<class CallBack>
|
||||||
void IterateCoveredFunctions(CallBack CB);
|
void IterateCoveredFunctions(CallBack CB);
|
||||||
|
@ -115,14 +107,6 @@ class TracePC {
|
||||||
TableOfRecentCompares<Word, 32> TORCW;
|
TableOfRecentCompares<Word, 32> TORCW;
|
||||||
MemMemTable<1024> MMT;
|
MemMemTable<1024> MMT;
|
||||||
|
|
||||||
size_t GetNumPCs() const {
|
|
||||||
return NumGuards == 0 ? (1 << kTracePcBits) : Min(kNumPCs, NumGuards + 1);
|
|
||||||
}
|
|
||||||
uintptr_t GetPC(size_t Idx) {
|
|
||||||
assert(Idx < GetNumPCs());
|
|
||||||
return PCs()[Idx];
|
|
||||||
}
|
|
||||||
|
|
||||||
void RecordInitialStack();
|
void RecordInitialStack();
|
||||||
uintptr_t GetMaxStackOffset() const;
|
uintptr_t GetMaxStackOffset() const;
|
||||||
|
|
||||||
|
@ -141,14 +125,6 @@ private:
|
||||||
bool DoPrintNewPCs = false;
|
bool DoPrintNewPCs = false;
|
||||||
size_t NumPrintNewFuncs = 0;
|
size_t NumPrintNewFuncs = 0;
|
||||||
|
|
||||||
struct Module {
|
|
||||||
uint32_t *Start, *Stop;
|
|
||||||
};
|
|
||||||
|
|
||||||
Module Modules[4096];
|
|
||||||
size_t NumModules; // linker-initialized.
|
|
||||||
size_t NumGuards; // linker-initialized.
|
|
||||||
|
|
||||||
struct { uint8_t *Start, *Stop; } ModuleCounters[4096];
|
struct { uint8_t *Start, *Stop; } ModuleCounters[4096];
|
||||||
size_t NumModulesWithInline8bitCounters; // linker-initialized.
|
size_t NumModulesWithInline8bitCounters; // linker-initialized.
|
||||||
size_t NumInline8bitCounters;
|
size_t NumInline8bitCounters;
|
||||||
|
@ -161,9 +137,6 @@ private:
|
||||||
size_t NumPCTables;
|
size_t NumPCTables;
|
||||||
size_t NumPCsInPCTables;
|
size_t NumPCsInPCTables;
|
||||||
|
|
||||||
uint8_t *Counters() const;
|
|
||||||
uintptr_t *PCs() const;
|
|
||||||
|
|
||||||
Set<uintptr_t> ObservedPCs;
|
Set<uintptr_t> ObservedPCs;
|
||||||
std::unordered_map<uintptr_t, uintptr_t> ObservedFuncs; // PC => Counter.
|
std::unordered_map<uintptr_t, uintptr_t> ObservedFuncs; // PC => Counter.
|
||||||
|
|
||||||
|
@ -230,8 +203,6 @@ template <class Callback> // void Callback(size_t Feature)
|
||||||
ATTRIBUTE_NO_SANITIZE_ADDRESS
|
ATTRIBUTE_NO_SANITIZE_ADDRESS
|
||||||
ATTRIBUTE_NOINLINE
|
ATTRIBUTE_NOINLINE
|
||||||
void TracePC::CollectFeatures(Callback HandleFeature) const {
|
void TracePC::CollectFeatures(Callback HandleFeature) const {
|
||||||
uint8_t *Counters = this->Counters();
|
|
||||||
size_t N = GetNumPCs();
|
|
||||||
auto Handle8bitCounter = [&](size_t FirstFeature,
|
auto Handle8bitCounter = [&](size_t FirstFeature,
|
||||||
size_t Idx, uint8_t Counter) {
|
size_t Idx, uint8_t Counter) {
|
||||||
if (UseCounters)
|
if (UseCounters)
|
||||||
|
@ -242,11 +213,6 @@ void TracePC::CollectFeatures(Callback HandleFeature) const {
|
||||||
|
|
||||||
size_t FirstFeature = 0;
|
size_t FirstFeature = 0;
|
||||||
|
|
||||||
if (!NumInline8bitCounters) {
|
|
||||||
ForEachNonZeroByte(Counters, Counters + N, FirstFeature, Handle8bitCounter);
|
|
||||||
FirstFeature += N * 8;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (NumInline8bitCounters) {
|
if (NumInline8bitCounters) {
|
||||||
for (size_t i = 0; i < NumModulesWithInline8bitCounters; i++) {
|
for (size_t i = 0; i < NumModulesWithInline8bitCounters; i++) {
|
||||||
ForEachNonZeroByte(ModuleCounters[i].Start, ModuleCounters[i].Stop,
|
ForEachNonZeroByte(ModuleCounters[i].Start, ModuleCounters[i].Stop,
|
||||||
|
|
Loading…
Reference in New Issue