morehouse
commented
7 years ago r312185: Enable on Linux for -fsanitize=fuzzer.
Closed kcc closed 7 years ago
morehouse
commented
7 years ago r312185: Enable on Linux for -fsanitize=fuzzer.
kcc
commented
7 years ago I'm thinking we should be able to ignore all intrinsics. Even if the intrinsic isn't inlined, it seems unlikely that it would use recursion.
yep
morehouse
commented
7 years ago Yes, I think it's fine to scan for existing calls, where we could also ignore calls to (most?) intrinsics. This pass already does a linear scan over all instructions anyway.
I'm thinking we should be able to ignore all intrinsics. Even if the intrinsic isn't inlined, it seems unlikely that it would use recursion.
kcc
commented
7 years ago I haven't been able to find any leaf function indicator available at the LLVM pass level. But we can do a linear scan to determine if a function has any calls in it.
Yes, I think it's fine to scan for existing calls, where we could also ignore calls to (most?) intrinsics. This pass already does a linear scan over all instructions anyway.
morehouse
commented
7 years ago I haven't been able to find any leaf function indicator available at the LLVM pass level. But we can do a linear scan to determine if a function has any calls in it.
kcc
commented
7 years ago Also: make sure the accesses to __sancov_lowest_stack are not sanitized. Probably just apply SetNoSanitizeMetadata to the load and store insns
morehouse
commented
7 years ago r311490 switches to initialexec TLS type and eliminates calls to the TLS wrapper. Test has been re-enabled and bot is green.
kcc
commented
7 years ago Which bot fails?
(I disabled the test, so the bot is green now).
Exit Code: 1
/tmp/lit_tmp_tEpVa6/DeepRecursionTest-c0b77c.o: In function Recursive(unsigned char const*, unsigned long, int)': /mnt/b/sanitizer-buildbot5/sanitizer-x86_64-linux-fuzzer/build/llvm/projects/compiler-rt/test/fuzzer/DeepRecursionTest.cpp:13: undefined reference toTLS wrapper function for __sancov_lowest_stack'
/tmp/lit_tmp_tEpVa6/DeepRecursionTest-c0b77c.o: In function LLVMFuzzerTestOneInput': /mnt/b/sanitizer-buildbot5/sanitizer-x86_64-linux-fuzzer/build/llvm/projects/compiler-rt/test/fuzzer/DeepRecursionTest.cpp:21: undefined reference toTLS wrapper function for __sancov_lowest_stack'
clang-6.0: error: linker command failed with exit code 1 (use -v to see invocation)
This passes on my machine though.
morehouse
commented
7 years ago Which bot fails?
kcc
commented
7 years ago r311427 disable the test as it fails on the bot
kcc
commented
7 years ago The basic code is there: http://llvm.org/viewvc/llvm-project?rev=311186&view=rev
However, it needs some more love:
kcc
commented
7 years ago assigned to @morehouse
Extended Description
r308577 adds a libFuzzer logic to use recursion depth as a signal (inspired by https://guidovranken.wordpress.com/2017/07/08/libfuzzer-gv-new-techniques-for-dramatically-faster-fuzzing/, "Stack-depth-guided fuzzing")
We need to extract the recursion depth with a dedicated inlined compiler instrumentation.
it should be something like -fsanitize-coverage=stack-depth that would insert this code at the beginning of every function:
uintptr_t current_stack = builtin_frame_address(0); if (sanitizer_cov_lowest_stack > current_stack) __sanitizer_cov_lowest_stack = current_stack;
// Users should declare this in their code (e.g. in libFuzzer) thread_local uintptr __sanitizer_cov_lowest_stack;