Closed kcc closed 7 years ago
r312185: Enable on Linux for -fsanitize=fuzzer.
yep
I'm thinking we should be able to ignore all intrinsics. Even if the intrinsic isn't inlined, it seems unlikely that it would use recursion.
Yes, I think it's fine to scan for existing calls, where we could also ignore calls to (most?) intrinsics. This pass already does a linear scan over all instructions anyway.
I haven't been able to find any leaf function indicator available at the LLVM pass level. But we can do a linear scan to determine if a function has any calls in it.
Also: make sure the accesses to __sancov_lowest_stack are not sanitized. Probably just apply SetNoSanitizeMetadata to the load and store insns
r311490 switches to initialexec TLS type and eliminates calls to the TLS wrapper. Test has been re-enabled and bot is green.
(I disabled the test, so the bot is green now).
Exit Code: 1
/tmp/lit_tmp_tEpVa6/DeepRecursionTest-c0b77c.o: In function `Recursive(unsigned char const*, unsigned long, int)':
/mnt/b/sanitizer-buildbot5/sanitizer-x86_64-linux-fuzzer/build/llvm/projects/compiler-rt/test/fuzzer/DeepRecursionTest.cpp:13: undefined reference to `TLS wrapper function for __sancov_lowest_stack'
/tmp/lit_tmp_tEpVa6/DeepRecursionTest-c0b77c.o: In function `LLVMFuzzerTestOneInput':
/mnt/b/sanitizer-buildbot5/sanitizer-x86_64-linux-fuzzer/build/llvm/projects/compiler-rt/test/fuzzer/DeepRecursionTest.cpp:21: undefined reference to `TLS wrapper function for __sancov_lowest_stack'
clang-6.0: error: linker command failed with exit code 1 (use -v to see invocation)
This passes on my machine though.
Which bot fails?
r311427 disables the test as it fails on the bot
The basic code is there: http://llvm.org/viewvc/llvm-project?rev=311186&view=rev
However, it needs some more love:
assigned to @morehouse
Extended Description
r308577 adds logic to libFuzzer to use recursion depth as a signal (inspired by https://guidovranken.wordpress.com/2017/07/08/libfuzzer-gv-new-techniques-for-dramatically-faster-fuzzing/, "Stack-depth-guided fuzzing")
We need to extract the recursion depth with a dedicated inlined compiler instrumentation.
It should be something like -fsanitize-coverage=stack-depth that would insert this code at the beginning of every function:

  uintptr_t current_stack = (uintptr_t)__builtin_frame_address(0);
  if (__sanitizer_cov_lowest_stack > current_stack)
    __sanitizer_cov_lowest_stack = current_stack;

Users should declare the variable in their code (e.g. in libFuzzer):

  thread_local uintptr_t __sanitizer_cov_lowest_stack;
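The following is an added example, not code from LLVM or libFuzzer: it hand-writes the probe the proposed pass would emit, as a macro placed at the top of a recursive target, and shows how the owner of the thread-local reads the "lowest stack" back as a per-run depth signal. The target function, the MeasureStackDepth/StackDepthFeature helpers, the UINTPTR_MAX reset, and the log2 bucketing are this example's own assumptions; the probe itself matches the snippet above. The leaf helper IsMarker is left uninstrumented, as the thread suggests for functions with no calls. Note that in this model the loads and stores of the thread-local are ordinary C; in the real pass they would need the nosanitize metadata mentioned above so ASan/MSan do not instrument them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Thread-local sink the instrumentation writes to (name from the proposal).
 * Instrumented code only ever lowers it, so whoever owns it (libFuzzer in
 * the real design) must reset it before each run. Starting at UINTPTR_MAX
 * is this example's choice. */
_Thread_local uintptr_t __sanitizer_cov_lowest_stack = UINTPTR_MAX;

/* Hand-written stand-in for the prologue the pass would emit in every
 * non-leaf function. Assumes a downward-growing stack (x86-64, AArch64),
 * so a lower frame address means a deeper call chain. */
#define SANCOV_STACK_DEPTH_PROBE()                                        \
  do {                                                                    \
    uintptr_t current_stack = (uintptr_t)__builtin_frame_address(0);      \
    if (__sanitizer_cov_lowest_stack > current_stack)                     \
      __sanitizer_cov_lowest_stack = current_stack;                       \
  } while (0)

/* Leaf helper: it makes no calls, so per the discussion it gets no probe. */
static int IsMarker(uint8_t c) { return c == 'A'; }

/* Hypothetical target (not the DeepRecursionTest from the tree): recurses
 * once per leading 'A'. noinline plus the asm barrier keep every level a
 * real frame; otherwise tail-call or accumulator elimination could flatten
 * the recursion into a loop and the probe would never see new depth. */
__attribute__((noinline)) static int Recursive(const uint8_t *data,
                                               size_t size, int depth) {
  SANCOV_STACK_DEPTH_PROBE();
  if (size == 0 || !IsMarker(data[0])) return depth;
  int r = Recursive(data + 1, size - 1, depth + 1);
  __asm__ volatile("" : "+r"(r));
  return r;
}

/* Runs the target on one input and reports how far below this frame the
 * deepest probe fired, in bytes. Returns 0 if no probe ran below it. */
size_t MeasureStackDepth(const uint8_t *data, size_t size) {
  uintptr_t base = (uintptr_t)__builtin_frame_address(0);
  __sanitizer_cov_lowest_stack = UINTPTR_MAX;
  Recursive(data, size, 0);
  if (__sanitizer_cov_lowest_stack >= base) return 0;
  return (size_t)(base - __sanitizer_cov_lowest_stack);
}

/* Coarse feature: floor(log2(depth_bytes)), so roughly doubling the stack
 * use counts as a new signal rather than every extra byte. The bucketing
 * scheme is this example's choice, not a statement about libFuzzer's. */
unsigned StackDepthFeature(size_t depth_bytes) {
  unsigned f = 0;
  while (depth_bytes >>= 1) f++;
  return f;
}

int main(void) {
  const uint8_t shallow[] = "AA";
  const uint8_t deep[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
  size_t s = MeasureStackDepth(shallow, sizeof shallow - 1);
  size_t d = MeasureStackDepth(deep, sizeof deep - 1);
  printf("shallow: %zu bytes below base (feature %u)\n", s, StackDepthFeature(s));
  printf("deep:    %zu bytes below base (feature %u)\n", d, StackDepthFeature(d));
  return 0;
}
```

Two inputs that do not recurse (an empty buffer and one whose first byte is not 'A') report the same depth, because the only probe that fires is the first frame of Recursive at a fixed offset below the caller; each extra 'A' adds one frame, so the measured depth grows monotonically with the recursion the input drives. That monotonic growth, bucketed, is the signal libFuzzer can reward even when no new edges are covered.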