From 4d22e4fcb92cf1f3af8fe0246694fa572971fd22 Mon Sep 17 00:00:00 2001
From: Kostya Serebryany
Date: Tue, 30 Aug 2016 01:30:14 +0000
Subject: [PATCH] [libFuzzer] use trace-div and trace-gep for guided fuzzing, add tests
llvm-svn: 280046
---
 llvm/lib/Fuzzer/FuzzerTraceState.cpp | 21 +++++++++++++++++++++
 llvm/lib/Fuzzer/test/CMakeLists.txt | 4 +++-
 llvm/lib/Fuzzer/test/DivTest.cpp | 20 ++++++++++++++++++++
 llvm/lib/Fuzzer/test/LoadTest.cpp | 22 ++++++++++++++++++++++
 4 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 llvm/lib/Fuzzer/test/DivTest.cpp
 create mode 100644 llvm/lib/Fuzzer/test/LoadTest.cpp
diff --git a/llvm/lib/Fuzzer/FuzzerTraceState.cpp b/llvm/lib/Fuzzer/FuzzerTraceState.cpp
index f1307d7d..7bbc759 100644
--- a/llvm/lib/Fuzzer/FuzzerTraceState.cpp
+++ b/llvm/lib/Fuzzer/FuzzerTraceState.cpp
@@ -584,6 +584,14 @@ static void AddValueForCmp(void *PCptr, uint64_t Arg1, uint64_t Arg2) {
 VP.AddValue(Idx);
 }
+static void AddValueForSingleVal(void *PCptr, uintptr_t Val) {
+ if (!Val) return;
+ uintptr_t PC = reinterpret_cast(PCptr);
+ uint64_t ArgDistance = __builtin_popcountl(Val) - 1; // [0,63]
+ uintptr_t Idx = (PC & 4095) | (ArgDistance << 12);
+ VP.AddValue(Idx);
+}
+
 } // namespace fuzzer
 using fuzzer::TS;
@@ -780,4 +788,17 @@ void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
 TS->TraceSwitchCallback(PC, Cases[1], Val, Cases[0], Cases + 2);
 }
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_div4(uint32_t Val) {
+ fuzzer::AddValueForSingleVal(__builtin_return_address(0), Val);
+}
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_div8(uint64_t Val) {
+ fuzzer::AddValueForSingleVal(__builtin_return_address(0), Val);
+}
+__attribute__((visibility("default")))
+void __sanitizer_cov_trace_gep(uintptr_t Idx) {
+ fuzzer::AddValueForSingleVal(__builtin_return_address(0), Idx);
+}
+
 } // extern "C"
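Review bot: `AddValueForSingleVal` takes `uintptr_t Val` and buckets it with `__builtin_popcountl`, so on a target where `uintptr_t` and `unsigned long` are 32 bits the `uint64_t` that `__sanitizer_cov_trace_div8` in the second hunk passes is truncated to its low half before the popcount, and the `// [0,63]` range is really [0,31] there. Taking the operand as a fixed-width type and using the 64-bit builtin keeps the whole divisor on every target: `static void AddValueForSingleVal(void *PCptr, uint64_t Val) {` and `uint64_t ArgDistance = __builtin_popcountll(Val) - 1; // [0,63]`. The `if (!Val) return;` guard is what keeps that `- 1` from wrapping on a zero operand, and the name `ArgDistance` is carried over from `AddValueForCmp` rather than describing a popcount bucket, so a short comment above the function stating that it maps (low 12 bits of the caller PC, popcount bucket) to a value-profile slot and that zero is skipped on purpose would help the next reader. `reinterpret_cast(PCptr)` shows no template argument on this page, which looks like an extraction artifact of the angle brackets; the `#include` lines of the new tests lost theirs the same way.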
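Review bot: The three new `__sanitizer_cov_trace_div4`/`div8`/`gep` entry points carry no comment saying what calls them or what the argument is; a reader has to already know that these are the hooks the compiler emits under `-fsanitize-coverage=trace-div` and `trace-gep` (the flags this commit enables for the tests) with the divisor or the GEP index as the argument. A comment above the first of them such as `// Emitted by -fsanitize-coverage=trace-div (divisor) and trace-gep (array index); the operand is bucketed by popcount into the value profile, keyed by the caller PC.` would cover all three. `__builtin_return_address(0)` identifies the instrumented call site only as long as these functions are not inlined into their callers, which their extern "C" default-visibility definition makes unlikely but is worth stating in that comment. The enclosing `extern "C"` block opens outside the hunk.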
diff --git a/llvm/lib/Fuzzer/test/CMakeLists.txt b/llvm/lib/Fuzzer/test/CMakeLists.txt
index 340c5b9..dcafb1a 100644
--- a/llvm/lib/Fuzzer/test/CMakeLists.txt
+++ b/llvm/lib/Fuzzer/test/CMakeLists.txt
@@ -25,7 +25,7 @@ foreach (VARNAME ${variables_to_filter})
 endforeach()
 # Enable the coverage instrumentation (it is disabled for the Fuzzer lib).
-set(CMAKE_CXX_FLAGS "${LIBFUZZER_FLAGS_BASE} -fsanitize-coverage=edge,indirect-calls -g")
+set(CMAKE_CXX_FLAGS "${LIBFUZZER_FLAGS_BASE} -fsanitize-coverage=edge,indirect-calls,trace-cmp,trace-div,trace-gep -g")
 # add_libfuzzer_test(
 # SOURCES source0.cpp [source1.cpp ...]
@@ -68,6 +68,7 @@ set(Tests
 CounterTest
 CustomCrossOverTest
 CustomMutatorTest
+ DivTest
 EmptyTest
 FourIndependentBranchesTest
 FullCoverageSetTest
@@ -75,6 +76,7 @@ set(Tests
 MemcmpTest
 LeakTest
 LeakTimeoutTest
+ LoadTest
 NullDerefTest
 NullDerefOnEmptyTest
 NthRunCrashTest
diff --git a/llvm/lib/Fuzzer/test/DivTest.cpp b/llvm/lib/Fuzzer/test/DivTest.cpp
new file mode 100644
index 0000000..63f6960
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/DivTest.cpp
@@ -0,0 +1,20 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Simple test for a fuzzer: find the interesting argument for div.
+#include
+#include
+#include
+#include
+#include
+
+static volatile int Sink;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Size < 4) return 0;
+ int a;
+ memcpy(&a, Data, 4);
+ Sink = 12345678 / (987654 - a);
+ return 0;
+}
+
diff --git a/llvm/lib/Fuzzer/test/LoadTest.cpp b/llvm/lib/Fuzzer/test/LoadTest.cpp
new file mode 100644
index 0000000..c1780d5
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/LoadTest.cpp
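Review bot: The new `set(CMAKE_CXX_FLAGS ...)` line adds `trace-cmp` alongside the `trace-div` and `trace-gep` that the commit subject names, and because this variable applies to every test in the directory, all of them are now built with compare tracing as well. If that is intended, saying so in the commit message or in the comment above the line, e.g. `# Enable the coverage instrumentation (it is disabled for the Fuzzer lib); trace-cmp/div/gep feed the value profile.`, makes the dependency explicit; if it is not, `trace-cmp` should be dropped from the list.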
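Review bot: `987654 - a` in `LLVMFuzzerTestOneInput` is evaluated in signed `int`, so any input whose first four bytes decode to a value below `INT_MIN + 987654` overflows before the division, and a build without UBSan then hits signed-overflow undefined behaviour instead of the division by zero at `a == 987654` that the test is meant to reach. Doing the arithmetic unsigned keeps the 4-byte division that the `trace-div` hook observes while leaving the divide-by-zero as the only undefined case: `unsigned a;` and `Sink = 12345678u / (987654u - a);`. A one-line comment above the division, `// The divisor is zero exactly when a == 987654; that crash is what the fuzzer must find.`, would also pin down what "interesting argument" in the file header means.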
@@ -0,0 +1,22 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Simple test for a fuzzer: find interesting value of array index.
+#include
+#include
+#include
+#include
+#include
+
+static volatile int Sink;
+const int kArraySize = 1234567;
+int array[kArraySize];
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Size < 8) return 0;
+ size_t a = 0;
+ memcpy(&a, Data, 8);
+ Sink = array[a % (kArraySize + 1)];
+ return 0;
+}
+
--
2.7.4
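Review bot: `size_t a = 0;` followed by `memcpy(&a, Data, 8);` writes eight bytes into a variable that is only four bytes wide on 32-bit targets, which is a stack overflow inside the test itself rather than the array read it is meant to exercise; declaring it `uint64_t a = 0;` matches the copy length, and the `Size < 8` check already guarantees the bytes exist. The index `a % (kArraySize + 1)` is deliberately one past the end of `array`, but that intent is not written down, so a maintainer could "fix" the modulus; a comment above the `Sink =` line such as `// Modulus is kArraySize + 1 on purpose: index kArraySize is one past the end, and that out-of-bounds read is the bug the fuzzer must find.` would protect it.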