From 27cf743bff0c52614af5bfc4efdb835bb6af9bb4 Mon Sep 17 00:00:00 2001
From: Kostya Serebryany
Date: Thu, 20 Jun 2019 01:48:45 +0000
Subject: [PATCH] [libFuzzer] ensure that DFT and autofocus works for C++ (mangled) functions

llvm-svn: 363905
---
 compiler-rt/lib/fuzzer/dataflow/DataFlow.cpp | 4 +++-
 compiler-rt/test/fuzzer/OnlySomeBytesTest.cpp | 4 +---
 compiler-rt/test/fuzzer/only-some-bytes.test | 11 +++++++++--
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/compiler-rt/lib/fuzzer/dataflow/DataFlow.cpp b/compiler-rt/lib/fuzzer/dataflow/DataFlow.cpp
index 8a5d695094da..4f9c11708129 100644
--- a/compiler-rt/lib/fuzzer/dataflow/DataFlow.cpp
+++ b/compiler-rt/lib/fuzzer/dataflow/DataFlow.cpp
@@ -98,7 +98,9 @@ static int PrintFunctions() {
 FILE *Pipe = popen("sed 's/(+/ /g; s/).*//g' "
 "| llvm-symbolizer "
 "| grep 'dfs\\$' "
- "| sed 's/dfs\\$//g'", "w");
+ "| sed 's/dfs\\$//g' "
+ "| c++filt",
+ "w");
 for (size_t I = 0; I < NumGuards; I++) {
 uintptr_t PC = PCsBeg[I * 2];
 if (!BlockIsEntry(I)) continue;
diff --git a/compiler-rt/test/fuzzer/OnlySomeBytesTest.cpp b/compiler-rt/test/fuzzer/OnlySomeBytesTest.cpp
index d60cf3e5fa99..640e00a7550b 100644
--- a/compiler-rt/test/fuzzer/OnlySomeBytesTest.cpp
+++ b/compiler-rt/test/fuzzer/OnlySomeBytesTest.cpp
@@ -15,13 +15,13 @@ typedef const uint8_t *IN;
 static volatile int one = 1;
 
-extern "C" {
 __attribute__((noinline))
 void bad() {
 fprintf(stderr, "BINGO\n");
 if (one) abort();
 }
 
+extern "C"
 __attribute__((noinline))
 void f0(IN in) {
 uint32_t x = in[5] + 251 * in[7] + 251 * 251 * in[9];
 if (x == 'F' + 251 * 'U' + 251 * 251 * 'Z') {
@@ -41,8 +41,6 @@ __attribute__((noinline)) void fC(IN in) { if (in[2] == 'C') fD(in); }
 __attribute__((noinline)) void fB(IN in) { if (in[1] == 'B') fC(in); }
 __attribute__((noinline)) void fA(IN in) { if (in[0] == 'A') fB(in); }
 
-} // extern "C"
-
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 if (Size < N) return 0;
 fA((IN)Data);
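Review bot: The added `| c++filt` stage makes PrintFunctions depend on a demangler being on PATH when the dataflow binary runs, and popen() cannot report its absence: the shell still starts, so `Pipe` is non-NULL and the function list is silently emitted empty when the last pipeline stage fails. The failure only surfaces through the pclose() status, which is past the end of this hunk (PrintFunctions continues outside it); checking that status and warning on a non-zero exit would make a broken toolchain visible instead of turning into "0 inputs touch the focus function" later. The requirement is also worth stating next to the pipeline, e.g. `// Requires llvm-symbolizer and c++filt on PATH; output is demangled so -focus_function accepts the C++ spelling.`. Since llvm-cxxfilt ships with the same toolchain, falling back to it when c++filt is missing would keep the tool self-contained.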
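Review bot: The new layout keeps f0 with C linkage while bad and fA–fD now get C++ linkage, which is the point of the change but is stated nowhere in the file, so a later tidy-up could wrap everything back into `extern "C"` and silently stop exercising the mangled-name path. A short comment above the added `extern "C"` would pin the intent, e.g. `// f0 keeps C linkage so tests can name it unmangled; fA..fD deliberately` followed by `// use C++ linkage so DFT and autofocus must cope with mangled names.`. The same intent covers the second hunk of this file, which drops the closing `} // extern "C"`.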
diff --git a/compiler-rt/test/fuzzer/only-some-bytes.test b/compiler-rt/test/fuzzer/only-some-bytes.test
index 42685fc875c9..5dddf9e07e7b 100644
--- a/compiler-rt/test/fuzzer/only-some-bytes.test
+++ b/compiler-rt/test/fuzzer/only-some-bytes.test
@@ -15,7 +15,11 @@ RUN: cat %t/IN/8 %t/IN/8 %t/IN/8 %t/IN/8 > %t/IN/10
 RUN: cat %t/IN/10 %t/IN/10 %t/IN/10 %t/IN/10 > %t/IN/12
 # %t/IN/12 is 4096 bytes-long.
 
+RUN: %t-Fuzz -focus_function='fB(unsigned char const*)' -runs=0 %t/IN 2>&1 | FileCheck %s --check-prefix=FOCUS_fB
+FOCUS_fB: Focus function is set to 'fB(unsigned char const*)'
+
 RUN: %t-Fuzz -focus_function=f0 -runs=0 %t/IN 2>&1 | FileCheck %s --check-prefix=NO_FOCUSED_INPUT
+NO_FOCUSED_INPUT: Focus function is set to 'f0'
 NO_FOCUSED_INPUT: INFO: 0/2 inputs touch the focus function
 
 RUN: (echo -n ABC; cat %t/IN/12) > %t/IN/ABC
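Review bot: The new FOCUS_fB check only confirms that the flag value was echoed back in 'Focus function is set to ...', not that the demangled spelling `fB(unsigned char const*)` was actually matched against the function names the fuzzer knows, so a demangler that prints the signature differently would still pass this line. If the fuzzer prints the same `inputs touch the focus function` summary for fB that the NO_FOCUSED_INPUT run two lines below relies on for f0 (presumably it does; verify against the binary), adding `FOCUS_fB: inputs touch the focus function` would tie the check to a resolved name rather than to flag parsing. The spelling `unsigned char const*` is what c++filt and llvm-cxxfilt emit and is worth a one-line comment, since readers used to `const unsigned char*` will otherwise "fix" it.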
@@ -36,9 +40,12 @@ RUN: rm -rf %t/C_DFT && %t-Fuzz -collect_data_flow=%t-DFT %t/C -data_flow_trace=
 RUN: not %t-Fuzz -focus_function=f0 -data_flow_trace=%t/C_DFT -seed=1 -runs=1000000 -use_value_profile=1 %t/C1 %t/C 2> %t/log
 RUN: grep BINGO %t/log
 
-# Test -focus_function=auto: run 50 times and verify that 'f0' is the most frequent focus function.
-RUN: %t-Fuzz -focus_function=auto -data_flow_trace=%t/C_DFT -runs=0 %t/C -jobs=50 2>&1 | grep AUTOFOCUS | sort | uniq -c | sort -g -r | head -n 1 | FileCheck %s --check-prefix=AUTOFOCUS
+# Test -focus_function=auto: run 100 times and verify that
+# * 'f0' is the most frequent focus function.
+# * the second most frequent is one of fA/fB/fC in a de-mangled form.
+RUN: %t-Fuzz -focus_function=auto -data_flow_trace=%t/C_DFT -runs=0 %t/C -jobs=100 2>&1 | grep AUTOFOCUS | sort | uniq -c | sort -g -r | head -n 2 | FileCheck %s --check-prefix=AUTOFOCUS
 AUTOFOCUS: INFO: AUTOFOCUS: {{.*}} f0
+AUTOFOCUS: INFO: AUTOFOCUS: {{.*f[ABC]}}(unsigned char const*)
 
 # Actually execute 50 fuzzing processes with a small number of runs, to test -focus_function=auto for real.
 # We can not test data_flow_trace=auto in just a single run, because it may choose to focus on a wrong function.
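Review bot: The two AUTOFOCUS lines are order-sensitive but the order they assert is statistical: with 100 independent jobs a tie in count between f0 and one of fA/fB/fC leaves `sort -g -r | head -n 2` free to place the mangled function first, and FileCheck then fails even though exactly the expected pair was chosen. If the ranking is essential, the comment should say the check is probabilistic and may need a larger -jobs value; if only membership in the top two matters, `AUTOFOCUS-DAG: INFO: AUTOFOCUS: {{.*}} f0` and `AUTOFOCUS-DAG: INFO: AUTOFOCUS: {{.*f[ABC]}}(unsigned char const*)` remove the dependence on tie-breaking. Either way the intended guarantee belongs in the comment block above the RUN line rather than being inferred from `head -n 2`.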