Several fixes and small enhancements. #23
5ff314d
8e1a839
cd9c79a
b3c6aa7
f68fefc
bccc6d8
@@ -255,13 +255,24 @@ extern "C" int InitCorpus(const char *init_corpus_dir) { | |
| g.CreateWithScope(def); | ||
|
|
||
| std::string fpath = base_dir + "/seed_" + to_string(i); | ||
| if (graphfuzz_debug) { | ||
| cerr << "\tattempting to write to " << fpath << endl; | ||
| } | ||
|
|
||
| bool err = false; | ||
| string out_str = g.Write(&err); | ||
| if (err) return -1; | ||
| if (err) { | ||
| if (graphfuzz_debug) { | ||
| cerr << "\tFailed to write graph - aborting" << endl; | ||
| } | ||
| return -1; | ||
| } | ||
|
|
||
| ofstream out(fpath); | ||
| out.write(out_str.data(), out_str.size()); | ||
| if (graphfuzz_debug) { | ||
| cerr << "\twrote graph to " << fpath << endl; | ||
| } | ||
| } | ||
|
|
||
| cerr << "[*] Done" << endl; | ||
|
|
@@ -426,12 +437,24 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { | |
|
|
||
| vector<Node> nodes = g.GetOrderedNodes(); | ||
| void *ref[nodes.size()][MAX_CONN]; | ||
| if (graphfuzz_debug) { | ||
| // catch uninitialized reads early on | ||
| memset(ref, 0xca, sizeof(ref)); | ||
| } | ||
|
|
||
| for (Node n : nodes) { | ||
| void *in_ref[n.in_ref_size()]; | ||
| void *out_ref[n.out_ref_size()]; | ||
| // allocate at least 1 even if we use only 0 to avoid zero-sized stack | ||
| // arrays that are UB. | ||
| void *in_ref[n.in_ref_size() + 1]; | ||
|
Owner
Could you explain this part?
Author
UBSan reports a zero-sized VLA on the stack as UB, so I made sure the array has at least one element, even if it is not used. |
||
| void *out_ref[n.out_ref_size() + 1]; | ||
| const char *context = n.context().data(); | ||
|
|
||
| if (graphfuzz_debug) { | ||
| // fail more obviously if we have an uninit read for some reason | ||
| memset(in_ref, 0xca, sizeof(in_ref)); | ||
| memset(out_ref, 0xca, sizeof(out_ref)); | ||
| } | ||
|
|
||
| // Load inputs. | ||
| for (int i = 0; i < n.in_ref_size(); ++i) { | ||
| in_ref[i] = ref[n.index()][i]; | ||
|
|
@@ -446,15 +469,20 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { | |
| // Unset bail flag. | ||
| will_bail = false; | ||
|
|
||
| if (graphfuzz_debug) { | ||
| cerr << "Invoking shim_" << n.type() << endl; | ||
| } | ||
| // Invoke shim. | ||
| void (*func)(void **, void **, const char *) = FUZZER_SHIMS[n.type()]; | ||
| func(in_ref, out_ref, context); | ||
|
|
||
| if (will_bail) { | ||
| // Target called graphfuzz_bail() | ||
| if (graphfuzz_debug) { | ||
| cerr << "Bailing..." << endl; | ||
| cerr << "Bailing... (invalid? " << mark_invalid << ")" << endl; | ||
| } | ||
|
|
||
| shim_finalize(); | ||
| return mark_invalid; | ||
| } | ||
|
|
||
|
|
||
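Review bot: The `+ 1` added to the `in_ref` and `out_ref` declarations in the second hunk sidesteps the zero-length case but keeps a non-standard C++ VLA whose length comes from the parsed graph, so a node with a large ref count still lands that buffer on the stack; a `vector<void *>` sized from `n.in_ref_size()` is well-defined at zero elements and moves the storage to the heap without the spare slot. The two `memset` calls in the debug branch and the `func(in_ref, out_ref, context)` call in the third hunk would then go through `.data()` and `.size()`; `.data()` of an empty vector may be null, so this presumes the shims do not touch an array whose ref count is zero — confirm against the generated shims. Separately, in the first hunk `ofstream out(fpath)` is never checked, so a seed that fails to open or write is still logged as written; `if (!out) return -1;` before the `write` (or a check of `out` after it) would match the `err` handling the hunk introduces for `g.Write`. The enclosing `for (Node n : nodes)` loop begins in the second hunk and continues past the end of the third.
```cpp
for (Node n : nodes) {
    // Heap-backed: well-defined at zero elements and the length is not on the stack.
    vector<void *> in_ref(n.in_ref_size());
    vector<void *> out_ref(n.out_ref_size());
    const char *context = n.context().data();
    if (graphfuzz_debug) {
        // fail more obviously if we have an uninit read for some reason
        memset(in_ref.data(), 0xca, in_ref.size() * sizeof(void *));
        memset(out_ref.data(), 0xca, out_ref.size() * sizeof(void *));
    }
    // … unchanged: load inputs, bail flag reset, debug print …
    func(in_ref.data(), out_ref.data(), context);
```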
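--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+set -e
+
+echo "[+] building core"
+rm -rf build
+mkdir build
+pushd build
+export CC=clang
+export CXX=clang++
+export CFLAGS="-flto=full -ggdb"
+export CXXFLAGS="-flto=full -ggdb"
+cmake -G Ninja ..
+ninja
+sudo ninja install
+popd
+
+echo "[+] building core with asan"
+rm -rf build.asan
+mkdir build.asan
+pushd build.asan
+export CC=clang
+export CXX=clang++
+export CFLAGS="-flto=full -ggdb -fsanitize=address,undefined"
+export CXXFLAGS="-flto=full -ggdb -fsanitize=address,undefined"
+cmake -G Ninja ..
+ninja
+popd
+
+echo "[+] building python tool"
+pushd cli
+poetry build
+poetry export > dist/requirements.txt
+pip install --user -r dist/requirements.txt
+pip install --user -e .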
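Review bot: `rm -rf build` and `rm -rf build.asan` run relative to whatever directory the script is invoked from, so calling it from outside the repository root removes an unrelated `build` directory and then builds the wrong tree; `cd "$(dirname "$0")"` right after `set -e` pins the working directory to the script's own location. `set -e` on its own does not stop on a failing member of a pipeline or on an unset variable, so `set -euo pipefail` is the stricter form for a script that also runs `sudo ninja install`. A one-line comment above `sudo ninja install`, such as `# installs the non-sanitized build system-wide; the ASan build below is left in build.asan`, would make the privileged step's scope clear to whoever runs it.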
I think there was a reason I used `reinterpret_cast` here over C-style casts, but I can't remember the specifics. Can you explain the rationale for this change?
I had trouble harnessing a C library unless I used this (because of casting a const pointer to a non-const pointer, or vice versa, or something similar; I think a const-to-non-const cast is forbidden with `reinterpret_cast`).