From 5317f2e4c907fd1eca64772bdd2c23364adfaa77 Mon Sep 17 00:00:00 2001
From: Matt Morehouse
Date: Fri, 23 Mar 2018 23:35:28 +0000
Subject: [PATCH] [libFuzzer] Use OptForFuzzing attribute with -fsanitize=fuzzer.

Summary: Disables certain CMP optimizations to improve fuzzing signal under -O1 and -O2.

Switches all fuzzer tests to -O2 except for a few leak tests where the leak is optimized out under -O2.

Reviewers: kcc, vitalybuka

Reviewed By: vitalybuka

Subscribers: cfe-commits, llvm-commits

Differential Revision: https://reviews.llvm.org/D44798

llvm-svn: 328384
---
 clang/lib/CodeGen/CodeGenFunction.cpp | 4 ++++
 compiler-rt/test/fuzzer/SimpleCmpTest.cpp | 6 +++---
 compiler-rt/test/fuzzer/SwapCmpTest.cpp | 6 +++---
 compiler-rt/test/fuzzer/fuzzer-leak.test | 7 +++++--
 compiler-rt/test/fuzzer/lit.cfg | 2 +-
 compiler-rt/test/fuzzer/trace-malloc-threaded.test | 4 +++-
 6 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/clang/lib/CodeGen/CodeGenFunction.cpp b/clang/lib/CodeGen/CodeGenFunction.cpp
index c5de16bc..3d7b906 100644
--- a/clang/lib/CodeGen/CodeGenFunction.cpp
+++ b/clang/lib/CodeGen/CodeGenFunction.cpp
@@ -862,6 +862,10 @@ void CodeGenFunction::StartFunction(GlobalDecl GD,
   if (SanOpts.has(SanitizerKind::SafeStack))
     Fn->addFnAttr(llvm::Attribute::SafeStack);
 
+  // Apply fuzzing attribute to the function.
+  if (SanOpts.hasOneOf(SanitizerKind::Fuzzer | SanitizerKind::FuzzerNoLink))
+    Fn->addFnAttr(llvm::Attribute::OptForFuzzing);
+
   // Ignore TSan memory acesses from within ObjC/ObjC++ dealloc, initialize,
   // .cxx_destruct, __destroy_helper_block_ and all of their calees at run time.
   if (SanOpts.has(SanitizerKind::Thread)) {
diff --git a/compiler-rt/test/fuzzer/SimpleCmpTest.cpp b/compiler-rt/test/fuzzer/SimpleCmpTest.cpp
index 8acad4a..3bb28c1 100644
--- a/compiler-rt/test/fuzzer/SimpleCmpTest.cpp
+++ b/compiler-rt/test/fuzzer/SimpleCmpTest.cpp
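Review bot: The new comment `// Apply fuzzing attribute to the function.` restates the code rather than the reason, and the reason is what a reader of StartFunction needs when deciding whether this block belongs with the other sanitizer attributes. The commit message supplies it, so I would write `// OptForFuzzing tells the optimizer to keep the comparisons libFuzzer derives signal from (certain CMP simplifications are skipped at -O1/-O2); it applies to both -fsanitize=fuzzer and -fsanitize=fuzzer-no-link.` Which passes actually honor the attribute is defined on the LLVM side and is not visible in this patch, so the comment should promise no more than that. If the earlier no_sanitize handling in StartFunction clears SanitizerKind::Fuzzer from SanOpts, this check will respect it automatically, but that code is outside the hunk and worth confirming. StartFunction begins and ends outside the hunk.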
@@ -17,15 +17,15 @@ bool PrintOnce(int Line) {
 }
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-  if (Size != 22) return 0;
+  if (Size != 24) return 0;
   uint64_t x = 0;
   int64_t y = 0;
   int32_t z = 0;
-  uint16_t a = 0;
+  uint32_t a = 0;
   memcpy(&x, Data, 8); // 8
   memcpy(&y, Data + 8, 8); // 16
   memcpy(&z, Data + 16, sizeof(z)); // 20
-  memcpy(&a, Data + 20, sizeof(a)); // 22
+  memcpy(&a, Data + 20, sizeof(a)); // 24
   const bool k32bit = sizeof(void*) == 4;
 
   if ((k32bit || x > 1234567890) && PrintOnce(__LINE__) &&
diff --git a/compiler-rt/test/fuzzer/SwapCmpTest.cpp b/compiler-rt/test/fuzzer/SwapCmpTest.cpp
index bbfbefe..5aa47beb 100644
--- a/compiler-rt/test/fuzzer/SwapCmpTest.cpp
+++ b/compiler-rt/test/fuzzer/SwapCmpTest.cpp
@@ -11,14 +11,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
   if (Size < 14) return 0;
   uint64_t x = 0;
   uint32_t y = 0;
-  uint16_t z = 0;
+  uint32_t z = 0;
   memcpy(&x, Data, sizeof(x));
   memcpy(&y, Data + Size / 2, sizeof(y));
   memcpy(&z, Data + Size - sizeof(z), sizeof(z));
 
   x = __builtin_bswap64(x);
   y = __builtin_bswap32(y);
-  z = __builtin_bswap16(z);
+  z = __builtin_bswap32(z);
 
   const bool k32bit = sizeof(void*) == 4;
   if ((k32bit || x == 0x46555A5A5A5A5546ULL) &&
@@ -26,7 +26,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
       y == 0x66757A7A &&
       true
       ) {
-    if (Data[Size - 3] == 'z') {
+    if (Data[Size - 5] == 'z') {
       fprintf(stderr, "BINGO; Found the target\n");
       exit(1);
     }
diff --git a/compiler-rt/test/fuzzer/fuzzer-leak.test b/compiler-rt/test/fuzzer/fuzzer-leak.test
index 0652a88..0b1a09f 100644
--- a/compiler-rt/test/fuzzer/fuzzer-leak.test
+++ b/compiler-rt/test/fuzzer/fuzzer-leak.test
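Review bot: The input layout is held together by hand-maintained magic numbers: widening `a` to uint32_t forced `if (Size != 24) return 0;` and the trailing `// 24` comment to change in step with `memcpy(&a, Data + 20, sizeof(a));`, and nothing checks that the three still agree. Deriving the expected size from the field types keeps them in step, e.g. `constexpr size_t kInputSize = sizeof(uint64_t) + sizeof(int64_t) + sizeof(int32_t) + sizeof(uint32_t);` and `if (Size != kInputSize) return 0;`. The reason for the 16-to-32-bit widening is not recorded anywhere in the hunk; presumably the 16-bit compare stopped producing usable signal at -O2, and a one-line comment saying so would save the next reader from re-deriving it. The enclosing LLVMFuzzerTestOneInput continues past the hunk.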
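Review bot: Widening `z` to uint32_t is not matched by the minimum-size guard `if (Size < 14) return 0;` on the hunk's first line. With a 2-byte z the smallest accepted input kept x (bytes 0-7), y (Size/2..Size/2+3), the byte before z, and z itself in disjoint windows; with a 4-byte z at Size == 14, y covers bytes 7-10 and z covers bytes 10-13, so the two reads now overlap at byte 10, and the windows are only fully disjoint again from Size 17. The fuzzer can presumably still reach the target with a longer input, so this is about keeping the test's intent explicit rather than a failure I can demonstrate: `if (Size < 17) return 0;` restores the old property. The function starts outside the hunk.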
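Review bot: `Data[Size - 5]` encodes "the byte just before z" as a magic number that had to be edited in step with the widening in the earlier hunk, and will have to be edited again on the next width change; `if (Data[Size - sizeof(z) - 1] == 'z') {` says what it means and tracks z automatically. The comparison against `z` itself sits on the unchanged line between the two hunks and is not visible here; since z is now a 32-bit bswap, its expected constant must have been re-derived, which is worth confirming.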
@@ -1,6 +1,9 @@
 REQUIRES: lsan
-RUN: %cpp_compiler %S/LeakTest.cpp -o %t-LeakTest
-RUN: %cpp_compiler %S/ThreadedLeakTest.cpp -o %t-ThreadedLeakTest
+
+// Avoid optimizing since it causes these leaks to go away.
+RUN: %cpp_compiler -O0 %S/LeakTest.cpp -o %t-LeakTest
+RUN: %cpp_compiler -O0 %S/ThreadedLeakTest.cpp -o %t-ThreadedLeakTest
+
 RUN: %cpp_compiler %S/LeakTimeoutTest.cpp -o %t-LeakTimeoutTest
 
 RUN: rm -rf %t-corpus && mkdir -p %t-corpus
diff --git a/compiler-rt/test/fuzzer/lit.cfg b/compiler-rt/test/fuzzer/lit.cfg
index 0789cbc..6a41356 100644
--- a/compiler-rt/test/fuzzer/lit.cfg
+++ b/compiler-rt/test/fuzzer/lit.cfg
@@ -64,7 +64,7 @@ def generate_compiler_cmd(is_cpp=True, fuzzer_enabled=True):
   sanitizers_cmd = ('-fsanitize=%s' % ','.join(sanitizers))
   isysroot_cmd = config.osx_sysroot_flag if config.osx_sysroot_flag else ''
   include_cmd = '-I%s' % libfuzzer_src_root
-  return '%s %s %s -gline-tables-only %s %s %s' % (
+  return '%s %s %s -O2 -gline-tables-only %s %s %s' % (
           compiler_cmd, std_cmd, link_cmd, isysroot_cmd, sanitizers_cmd, include_cmd)
 
 config.substitutions.append(('%cpp_compiler',
diff --git a/compiler-rt/test/fuzzer/trace-malloc-threaded.test b/compiler-rt/test/fuzzer/trace-malloc-threaded.test
index 11f3f04..4d96a66 100644
--- a/compiler-rt/test/fuzzer/trace-malloc-threaded.test
+++ b/compiler-rt/test/fuzzer/trace-malloc-threaded.test
@@ -2,7 +2,9 @@
 // printing a stack trace repeatedly
 UNSUPPORTED: darwin
 
-RUN: %cpp_compiler %S/TraceMallocThreadedTest.cpp -o %t-TraceMallocThreadedTest
+// Avoid optimizing since it causes the malloc to go away.
+RUN: %cpp_compiler -O0 %S/TraceMallocThreadedTest.cpp -o \
+RUN:   %t-TraceMallocThreadedTest
 RUN: %t-TraceMallocThreadedTest -trace_malloc=2 -runs=1 2>&1 | FileCheck %s
 
 CHECK: {{MALLOC\[[0-9]+] +0x[0-9]+ 5639}}
-- 
2.7.4
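Review bot: The added `-O0` on the two RUN lines only takes effect because it appears after `%cpp_compiler`, which (per the lit.cfg change in this patch) now expands to a command that already carries `-O2`; the later -O flag overrides the earlier one. The new comment does not mention that ordering dependency, so someone tidying the flags could silently put the tests back at -O2 and lose the leaks. I would extend it to `// Avoid optimizing since it causes these leaks to go away. -O0 must come after %cpp_compiler, which now passes -O2; the later flag wins.` LeakTimeoutTest is left at the default level, which looks intentional but could be said in the same comment.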
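Review bot: `-O2` is now a literal buried in the format string of generate_compiler_cmd, with nothing in the file saying why, while two .test files in this same patch have to undo it by appending `-O0` after `%cpp_compiler`. A named, commented value gives those tests one place to look and documents the intent: `opt_cmd = '-O2'  # exercise OptForFuzzing under optimization; tests that need -O0 add it after %cpp_compiler` and `return '%s %s %s %s -gline-tables-only %s %s %s' % (compiler_cmd, std_cmd, link_cmd, opt_cmd, isysroot_cmd, sanitizers_cmd, include_cmd)`. generate_compiler_cmd starts outside the hunk.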
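Review bot: Pinning this test to `-O0` takes it off the optimization level every other fuzzer test now runs at, so the -trace_malloc path is no longer exercised on OptForFuzzing-attributed code built the way users build it. If the only problem is that the 5639-byte allocation the CHECK line expects is eliminated as dead, keeping it alive in TraceMallocThreadedTest.cpp (for instance by passing the pointer to an opaque call or a volatile sink) would let the test stay on the shared -O2; the test source is not in the diff, so I cannot confirm that is the only reason. If -O0 stays, the comment should also state that it relies on overriding the -O2 that %cpp_compiler now supplies, e.g. `// Avoid optimizing since it causes the malloc to go away; -O0 must follow %cpp_compiler to override its -O2.`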