[libFuzzer] change the default max_len from 64 to 4096. This will affect cases where...

author Kostya Serebryany <kcc@google.com>

Thu, 15 Jun 2017 22:43:40 +0000 (22:43 +0000)

committer Dmitriy Nikiforov <d.nikiforov@partner.samsung.com>

Mon, 17 Jul 2017 04:47:38 +0000 (13:47 +0900)
author Kostya Serebryany <kcc@google.com>
Thu, 15 Jun 2017 22:43:40 +0000 (22:43 +0000)
committer Dmitriy Nikiforov <d.nikiforov@partner.samsung.com>
Mon, 17 Jul 2017 04:47:38 +0000 (13:47 +0900)
diff --git a/lib/Fuzzer/FuzzerDriver.cpp b/lib/Fuzzer/FuzzerDriver.cpp

index 9aad3771784deb1dd6fee8405fa01e525b78a117..0453a7f443b53cc0884e1215fcf5500e53822ff4 100644 (file)
--- a/lib/Fuzzer/FuzzerDriver.cpp
+++ b/lib/Fuzzer/FuzzerDriver.cpp
@@ -553,12 +553,12 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
      return RunInMultipleProcesses(Args, Flags.workers, Flags.jobs);
  
    const size_t kMaxSaneLen = 1 << 20;
-  const size_t kMinDefaultLen = 64;
+  const size_t kMinDefaultLen = 4096;
    FuzzingOptions Options;
    Options.Verbosity = Flags.verbosity;
    Options.MaxLen = Flags.max_len;
    Options.ExperimentalLenControl = Flags.experimental_len_control;
-  if (Flags.experimental_len_control && Flags.max_len == 64)
+  if (Flags.experimental_len_control && Flags.max_len == kMinDefaultLen)
      Options.MaxLen = 1 << 20;
    Options.UnitTimeoutSec = Flags.timeout;
    Options.ErrorExitCode = Flags.error_exitcode;
diff --git a/lib/Fuzzer/FuzzerLoop.cpp b/lib/Fuzzer/FuzzerLoop.cpp

index f6083282ab615a5ce65b4ed35abaf1ed5a2c05b0..fbf18357ede65de76c03dcdac077334d05b36c70 100644 (file)
--- a/lib/Fuzzer/FuzzerLoop.cpp
+++ b/lib/Fuzzer/FuzzerLoop.cpp
@@ -301,7 +301,9 @@ void Fuzzer::SetMaxInputLen(size_t MaxInputLen) {
    this->MaxInputLen = MaxInputLen;
    this->MaxMutationLen = MaxInputLen;
    AllocateCurrentUnitData();
-  Printf("INFO: -max_len is not provided, using %zd\n", MaxInputLen);
+  Printf("INFO: -max_len is not provided; "
+         "libFuzzer will not generate inputs larger than %zd bytes\n",
+         MaxInputLen);
  }
  
  void Fuzzer::SetMaxMutationLen(size_t MaxMutationLen) {
diff --git a/lib/Fuzzer/test/AbsNegAndConstant64Test.cpp b/lib/Fuzzer/test/AbsNegAndConstant64Test.cpp

index dfb6007b7970d9f8adf169d7b2635c642c39000c..b5a61ddca715400eeeaad87e8e945a6975544d3b 100644 (file)
--- a/lib/Fuzzer/test/AbsNegAndConstant64Test.cpp
+++ b/lib/Fuzzer/test/AbsNegAndConstant64Test.cpp
@@ -9,7 +9,7 @@
  #include <cstring>
  
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-  if (Size < 16) return 0;
+  if (Size < 16 || Size > 64) return 0;
    int64_t x;
    uint64_t y;
    memcpy(&x, Data, sizeof(x));
diff --git a/lib/Fuzzer/test/FourIndependentBranchesTest.cpp b/lib/Fuzzer/test/FourIndependentBranchesTest.cpp

index bbf5ea235c7af8595a57a7401e10a9eb8b1357d3..ba963d9b1de882fcb11e4c01ea691faeb84392b1 100644 (file)
--- a/lib/Fuzzer/test/FourIndependentBranchesTest.cpp
+++ b/lib/Fuzzer/test/FourIndependentBranchesTest.cpp
@@ -8,6 +8,7 @@
  #include <iostream>
  
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size > 64) return 0;
    int bits = 0;
    if (Size > 0 && Data[0] == 'F') bits |= 1;
    if (Size > 1 && Data[1] == 'U') bits |= 2;
diff --git a/lib/Fuzzer/test/ShrinkControlFlowTest.cpp b/lib/Fuzzer/test/ShrinkControlFlowTest.cpp

index d095429636266d7d41dd237ab1f109ab4135ca65..37eeede7cbffc5c4b675503123583333b86aa7b3 100644 (file)
--- a/lib/Fuzzer/test/ShrinkControlFlowTest.cpp
+++ b/lib/Fuzzer/test/ShrinkControlFlowTest.cpp
@@ -11,6 +11,7 @@
  static volatile int Sink;
  
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size > 64) return 0;
    int8_t Ids[256];
    memset(Ids, -1, sizeof(Ids));
    for (size_t i = 0; i < Size; i++)
diff --git a/lib/Fuzzer/test/SimpleHashTest.cpp b/lib/Fuzzer/test/SimpleHashTest.cpp

index 99e96cb25dcd55551b136c7d27834cf2eb835ec0..a3f4211ebeeffe4fb8ce9c7cb1af020bc4a41f26 100644 (file)
--- a/lib/Fuzzer/test/SimpleHashTest.cpp
+++ b/lib/Fuzzer/test/SimpleHashTest.cpp
@@ -26,7 +26,7 @@ static uint32_t simple_hash(const uint8_t *Data, size_t Size) {
  }
  
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-  if (Size < 14)
+  if (Size < 14 || Size > 64)
      return 0;
  
    uint32_t Hash = simple_hash(&Data[0], Size - 4);
diff --git a/lib/Fuzzer/test/SingleStrncmpTest.cpp b/lib/Fuzzer/test/SingleStrncmpTest.cpp

index b302670fb743e614b7723946bbac4bab6f7e7f64..b38c7995d8ff83ea491929e127bd69e9fa450c33 100644 (file)
--- a/lib/Fuzzer/test/SingleStrncmpTest.cpp
+++ b/lib/Fuzzer/test/SingleStrncmpTest.cpp
@@ -8,6 +8,7 @@
  #include <cstring>
  
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size > 64) return 0;
    char *S = (char*)Data;
    volatile auto Strncmp = &(strncmp);   // Make sure strncmp is not inlined.
    if (Size >= 6 && !Strncmp(S, "qwerty", 6)) {
diff --git a/lib/Fuzzer/test/fuzzer-dirs.test b/lib/Fuzzer/test/fuzzer-dirs.test

index 3de64f278f5dfda6d40b8ec89812dd77c7a9c062..622ff5da3a297e9c1455a5f2f2a04dffec86f8c1 100644 (file)
--- a/lib/Fuzzer/test/fuzzer-dirs.test
+++ b/lib/Fuzzer/test/fuzzer-dirs.test
@@ -5,9 +5,13 @@ RUN: echo b > %t/SUB1/SUB2/b
  RUN: echo c > %t/SUB1/SUB2/SUB3/c
  RUN: LLVMFuzzer-SimpleTest %t/SUB1 -runs=0 2>&1 | FileCheck %s --check-prefix=SUBDIRS
  SUBDIRS: READ   units: 3
-RUN: echo -n zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz > %t/SUB1/long
+RUN: echo -n zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz > %t/SUB1/f64
+RUN: cat %t/SUB1/f64 %t/SUB1/f64 %t/SUB1/f64 %t/SUB1/f64 > %t/SUB1/f256
+RUN: cat %t/SUB1/f256 %t/SUB1/f256 %t/SUB1/f256 %t/SUB1/f256 > %t/SUB1/f1024
+RUN: cat %t/SUB1/f1024 %t/SUB1/f1024 %t/SUB1/f1024 %t/SUB1/f1024 > %t/SUB1/f4096
+RUN: cat %t/SUB1/f4096 %t/SUB1/f4096 > %t/SUB1/f8192
  RUN: LLVMFuzzer-SimpleTest %t/SUB1 -runs=0 2>&1 | FileCheck %s --check-prefix=LONG
-LONG: INFO: -max_len is not provided, using 93
+LONG: INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 8192 bytes
  RUN: rm -rf %t/SUB1
  
  RUN: not LLVMFuzzer-SimpleTest NONEXISTENT_DIR 2>&1 | FileCheck %s --check-prefix=NONEXISTENT_DIR
diff --git a/lib/Fuzzer/test/inline-8bit-counters.test b/lib/Fuzzer/test/inline-8bit-counters.test

index 4b6ae83744499c34275d7f09c40871a009a87336..8747af81451f3647c580a177d19ad01867b34704 100644 (file)
--- a/lib/Fuzzer/test/inline-8bit-counters.test
+++ b/lib/Fuzzer/test/inline-8bit-counters.test
@@ -1,4 +1,4 @@
  REQUIRES: linux
  CHECK: INFO: Loaded 1 modules with {{.*}} inline 8-bit counters
  CHECK: BINGO
-RUN: LLVMFuzzer-SimpleTest-Inline8bitCounters -runs=100000 -seed=1 2>&1 | FileCheck %s
+RUN: LLVMFuzzer-SimpleTest-Inline8bitCounters -runs=1000000 -seed=1 2>&1 | FileCheck %s
author	Kostya Serebryany <kcc@google.com>
	Thu, 15 Jun 2017 22:43:40 +0000 (22:43 +0000)
committer	Dmitriy Nikiforov <d.nikiforov@partner.samsung.com>
	Mon, 17 Jul 2017 04:47:38 +0000 (13:47 +0900)
lib/Fuzzer/FuzzerDriver.cpp		patch \| blob \| history
lib/Fuzzer/FuzzerLoop.cpp		patch \| blob \| history
lib/Fuzzer/test/AbsNegAndConstant64Test.cpp		patch \| blob \| history
lib/Fuzzer/test/FourIndependentBranchesTest.cpp		patch \| blob \| history
lib/Fuzzer/test/ShrinkControlFlowTest.cpp		patch \| blob \| history
lib/Fuzzer/test/SimpleHashTest.cpp		patch \| blob \| history
lib/Fuzzer/test/SingleStrncmpTest.cpp		patch \| blob \| history
lib/Fuzzer/test/fuzzer-dirs.test		patch \| blob \| history
lib/Fuzzer/test/inline-8bit-counters.test		patch \| blob \| history