-rw-r--r--docs/SanitizerCoverage.rst19
-rw-r--r--include/clang/Driver/CC1Options.td6
-rw-r--r--include/clang/Frontend/CodeGenOptions.def4
-rw-r--r--lib/CodeGen/BackendUtil.cpp2
-rw-r--r--lib/Driver/SanitizerArgs.cpp10
-rw-r--r--lib/Frontend/CompilerInvocation.cpp2
-rw-r--r--test/Driver/fsanitize-coverage.c4
7 files changed, 41 insertions, 6 deletions
diff --git a/docs/SanitizerCoverage.rst b/docs/SanitizerCoverage.rst
index 1e506fc89f..9673416420 100644
--- a/docs/SanitizerCoverage.rst
+++ b/docs/SanitizerCoverage.rst
@@ -324,11 +324,14 @@ and can be used with `AFL <http://lcamtuf.coredump.cx/afl>`__.
Tracing data flow
=================
-An *experimental* feature to support data-flow-guided fuzzing.
+Support for data-flow-guided fuzzing.
With ``-fsanitize-coverage=trace-cmp`` the compiler will insert extra instrumentation
around comparison instructions and switch statements.
-The fuzzer will need to define the following functions,
-they will be called by the instrumented code.
+Similarly, with ``-fsanitize-coverage=trace-div`` the compiler will instrument
+integer division instructions (to capture the right argument of division)
+and with ``-fsanitize-coverage=trace-gep`` --
+the `LLVM GEP instructions <http://llvm.org/docs/GetElementPtr.html>`_
+(to capture array indices).
.. code-block:: c++
@@ -346,6 +349,16 @@ they will be called by the instrumented code.
// Cases[2:] are the case constants.
void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases);
+ // Called before a division statement.
+ // Val is the second argument of division.
+ void __sanitizer_cov_trace_div4(uint32_t Val);
+ void __sanitizer_cov_trace_div8(uint64_t Val);
+
+ // Called before a GetElemementPtr (GEP) instruction
+ // for every non-constant array index.
+ void __sanitizer_cov_trace_gep(uintptr_t Idx);
+
+
This interface is a subject to change.
The current implementation is not thread-safe and thus can be safely used only for single-threaded targets.
diff --git a/include/clang/Driver/CC1Options.td b/include/clang/Driver/CC1Options.td
index e99d19e3fc..bfe56f9d4b 100644
--- a/include/clang/Driver/CC1Options.td
+++ b/include/clang/Driver/CC1Options.td
@@ -272,6 +272,12 @@ def fsanitize_coverage_trace_bb
def fsanitize_coverage_trace_cmp
: Flag<["-"], "fsanitize-coverage-trace-cmp">,
HelpText<"Enable cmp instruction tracing in sanitizer coverage">;
+def fsanitize_coverage_trace_div
+ : Flag<["-"], "fsanitize-coverage-trace-div">,
+ HelpText<"Enable div instruction tracing in sanitizer coverage">;
+def fsanitize_coverage_trace_gep
+ : Flag<["-"], "fsanitize-coverage-trace-gep">,
+ HelpText<"Enable gep instruction tracing in sanitizer coverage">;
def fsanitize_coverage_8bit_counters
: Flag<["-"], "fsanitize-coverage-8bit-counters">,
HelpText<"Enable frequency counters in sanitizer coverage">;
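Review bot: The help text of the new fsanitize_coverage_trace_gep flag spells the acronym in lowercase ("gep instruction tracing") while the matching CodeGenOptions.def comment in the same commit writes "GEP instruction tracing"; since this string is user-facing in the cc1 help output, it should use the established spelling: `HelpText<"Enable GEP instruction tracing in sanitizer coverage">;`. The trace-div help text is fine as "div" is not an acronym.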
diff --git a/include/clang/Frontend/CodeGenOptions.def b/include/clang/Frontend/CodeGenOptions.def
index 4dd634c72a..187faea25f 100644
--- a/include/clang/Frontend/CodeGenOptions.def
+++ b/include/clang/Frontend/CodeGenOptions.def
@@ -151,6 +151,10 @@ CODEGENOPT(SanitizeCoverageTraceBB, 1, 0) ///< Enable basic block tracing in
///< in sanitizer coverage.
CODEGENOPT(SanitizeCoverageTraceCmp, 1, 0) ///< Enable cmp instruction tracing
///< in sanitizer coverage.
+CODEGENOPT(SanitizeCoverageTraceDiv, 1, 0) ///< Enable div instruction tracing
+ ///< in sanitizer coverage.
+CODEGENOPT(SanitizeCoverageTraceGep, 1, 0) ///< Enable GEP instruction tracing
+ ///< in sanitizer coverage.
CODEGENOPT(SanitizeCoverage8bitCounters, 1, 0) ///< Use 8-bit frequency counters
///< in sanitizer coverage.
CODEGENOPT(SanitizeCoverageTracePC, 1, 0) ///< Enable PC tracing
diff --git a/lib/CodeGen/BackendUtil.cpp b/lib/CodeGen/BackendUtil.cpp
index 06f21367ad..91c8dedc6e 100644
--- a/lib/CodeGen/BackendUtil.cpp
+++ b/lib/CodeGen/BackendUtil.cpp
@@ -176,6 +176,8 @@ static void addSanitizerCoveragePass(const PassManagerBuilder &Builder,
Opts.IndirectCalls = CGOpts.SanitizeCoverageIndirectCalls;
Opts.TraceBB = CGOpts.SanitizeCoverageTraceBB;
Opts.TraceCmp = CGOpts.SanitizeCoverageTraceCmp;
+ Opts.TraceDiv = CGOpts.SanitizeCoverageTraceDiv;
+ Opts.TraceGep = CGOpts.SanitizeCoverageTraceGep;
Opts.Use8bitCounters = CGOpts.SanitizeCoverage8bitCounters;
Opts.TracePC = CGOpts.SanitizeCoverageTracePC;
PM.add(createSanitizerCoverageModulePass(Opts));
diff --git a/lib/Driver/SanitizerArgs.cpp b/lib/Driver/SanitizerArgs.cpp
index 30cc3f45c9..5c9abd1ddc 100644
--- a/lib/Driver/SanitizerArgs.cpp
+++ b/lib/Driver/SanitizerArgs.cpp
@@ -49,8 +49,10 @@ enum CoverageFeature {
CoverageIndirCall = 1 << 3,
CoverageTraceBB = 1 << 4,
CoverageTraceCmp = 1 << 5,
- Coverage8bitCounters = 1 << 6,
- CoverageTracePC = 1 << 7,
+ CoverageTraceDiv = 1 << 6,
+ CoverageTraceGep = 1 << 7,
+ Coverage8bitCounters = 1 << 8,
+ CoverageTracePC = 1 << 9,
};
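Review bot: Inserting CoverageTraceDiv and CoverageTraceGep at 1 << 6 and 1 << 7 renumbers the pre-existing Coverage8bitCounters and CoverageTracePC enumerators to 1 << 8 and 1 << 9 instead of appending the new bits after them. As far as the hunks of this file show, the values are only used as an in-process mask (the flag table in the addArgs hunk and the StringSwitch in parseCoverageFeatures), so this is harmless today, but any code that hard-codes or persists the numeric values would silently change meaning, and the renumbering inflates the diff for no functional gain. Keeping the original two lines untouched and adding `CoverageTraceDiv = 1 << 8,` and `CoverageTraceGep = 1 << 9,` after CoverageTracePC avoids that. The enum CoverageFeature starts outside the hunk.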
/// Parse a -fsanitize= or -fno-sanitize= argument's values, diagnosing any
@@ -615,6 +617,8 @@ void SanitizerArgs::addArgs(const ToolChain &TC, const llvm::opt::ArgList &Args,
std::make_pair(CoverageIndirCall, "-fsanitize-coverage-indirect-calls"),
std::make_pair(CoverageTraceBB, "-fsanitize-coverage-trace-bb"),
std::make_pair(CoverageTraceCmp, "-fsanitize-coverage-trace-cmp"),
+ std::make_pair(CoverageTraceDiv, "-fsanitize-coverage-trace-div"),
+ std::make_pair(CoverageTraceGep, "-fsanitize-coverage-trace-gep"),
std::make_pair(Coverage8bitCounters, "-fsanitize-coverage-8bit-counters"),
std::make_pair(CoverageTracePC, "-fsanitize-coverage-trace-pc")};
for (auto F : CoverageFlags) {
@@ -752,6 +756,8 @@ int parseCoverageFeatures(const Driver &D, const llvm::opt::Arg *A) {
.Case("indirect-calls", CoverageIndirCall)
.Case("trace-bb", CoverageTraceBB)
.Case("trace-cmp", CoverageTraceCmp)
+ .Case("trace-div", CoverageTraceDiv)
+ .Case("trace-gep", CoverageTraceGep)
.Case("8bit-counters", Coverage8bitCounters)
.Case("trace-pc", CoverageTracePC)
.Default(0);
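Review bot: The two new cases make trace-div and trace-gep parse, but nothing in this hunk or the addArgs hunk validates how they combine with the other features; if parseCoverageFeatures's caller (outside the hunk) diagnoses trace-bb or 8bit-counters being requested without a func/bb/edge coverage type, it should be decided explicitly whether the same applies to the new per-instruction callbacks, and the decision recorded next to the existing check, e.g. `// trace-cmp/trace-div/trace-gep need no coverage type: they only emit callbacks.` The function parseCoverageFeatures starts outside the hunk, so this is inferred from its shape rather than visible here.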
diff --git a/lib/Frontend/CompilerInvocation.cpp b/lib/Frontend/CompilerInvocation.cpp
index e6bff91ff1..e21f244b03 100644
--- a/lib/Frontend/CompilerInvocation.cpp
+++ b/lib/Frontend/CompilerInvocation.cpp
@@ -717,6 +717,8 @@ static bool ParseCodeGenArgs(CodeGenOptions &Opts, ArgList &Args, InputKind IK,
Args.hasArg(OPT_fsanitize_coverage_indirect_calls);
Opts.SanitizeCoverageTraceBB = Args.hasArg(OPT_fsanitize_coverage_trace_bb);
Opts.SanitizeCoverageTraceCmp = Args.hasArg(OPT_fsanitize_coverage_trace_cmp);
+ Opts.SanitizeCoverageTraceDiv = Args.hasArg(OPT_fsanitize_coverage_trace_div);
+ Opts.SanitizeCoverageTraceGep = Args.hasArg(OPT_fsanitize_coverage_trace_gep);
Opts.SanitizeCoverage8bitCounters =
Args.hasArg(OPT_fsanitize_coverage_8bit_counters);
Opts.SanitizeCoverageTracePC = Args.hasArg(OPT_fsanitize_coverage_trace_pc);
diff --git a/test/Driver/fsanitize-coverage.c b/test/Driver/fsanitize-coverage.c
index 16c5dfe099..1efb1e485d 100644
--- a/test/Driver/fsanitize-coverage.c
+++ b/test/Driver/fsanitize-coverage.c
@@ -40,11 +40,13 @@
// RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fsanitize-coverage=func -fno-sanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANITIZE-COVERAGE-SAN-DISABLED
// CHECK-SANITIZE-COVERAGE-SAN-DISABLED-NOT: argument unused
-// RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fsanitize-coverage=edge,indirect-calls,trace-bb,trace-pc,trace-cmp,8bit-counters %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANITIZE-COVERAGE-FEATURES
+// RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fsanitize-coverage=edge,indirect-calls,trace-bb,trace-pc,trace-cmp,8bit-counters,trace-div,trace-gep %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANITIZE-COVERAGE-FEATURES
// CHECK-SANITIZE-COVERAGE-FEATURES: -fsanitize-coverage-type=3
// CHECK-SANITIZE-COVERAGE-FEATURES: -fsanitize-coverage-indirect-calls
// CHECK-SANITIZE-COVERAGE-FEATURES: -fsanitize-coverage-trace-bb
// CHECK-SANITIZE-COVERAGE-FEATURES: -fsanitize-coverage-trace-cmp
+// CHECK-SANITIZE-COVERAGE-FEATURES: -fsanitize-coverage-trace-div
+// CHECK-SANITIZE-COVERAGE-FEATURES: -fsanitize-coverage-trace-gep
// CHECK-SANITIZE-COVERAGE-FEATURES: -fsanitize-coverage-8bit-counters
// CHECK-SANITIZE-COVERAGE-FEATURES: -fsanitize-coverage-trace-pc
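Review bot: The extended RUN line only covers the positive path, where every feature is requested together; there is no test that the two new names are accepted on their own or can be removed again via the negative form, so a regression in the new StringSwitch cases or in the flag table would only be caught indirectly. A second RUN line along the lines of `// RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fsanitize-coverage=trace-div,trace-gep -fno-sanitize-coverage=trace-div %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-TRACE-GEP-ONLY` with `// CHECK-TRACE-GEP-ONLY-NOT: -fsanitize-coverage-trace-div` and `// CHECK-TRACE-GEP-ONLY: -fsanitize-coverage-trace-gep` would pin both (prefix name constructed; adapt to the file's existing naming). This assumes the driver accepts -fno-sanitize-coverage= for these features the way it does for the others, which is not visible in the hunk.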