From 7c9fc88e66588c81458ed032b33749d686fbf9f9 Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Mon, 1 Mar 2021 10:20:08 +0100
Subject: [PATCH] use hitcounts in libfuzzer rt
---
 fuzzers/libfuzzer_libpng/build.rs | 1 +
 fuzzers/libfuzzer_libpng/harness.cc | 7 +++----
 fuzzers/libfuzzer_libpng/src/fuzzer.rs | 1 -
 fuzzers/libfuzzer_runtime/rt.c | 6 +++---
 4 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/fuzzers/libfuzzer_libpng/build.rs b/fuzzers/libfuzzer_libpng/build.rs
index f19a4eed1d..d41462e8a8 100644
--- a/fuzzers/libfuzzer_libpng/build.rs
+++ b/fuzzers/libfuzzer_libpng/build.rs
@@ -95,6 +95,7 @@ fn main() {
 cc::Build::new()
 .include(&libpng_path)
 .flag("-fsanitize-coverage=trace-pc-guard")
+ // .define("HAS_DUMMY_CRASH", "1")
 .file("./harness.cc")
 .compile("libfuzzer-harness");
diff --git a/fuzzers/libfuzzer_libpng/harness.cc b/fuzzers/libfuzzer_libpng/harness.cc
index 8d276ed86a..ea6680018f 100644
--- a/fuzzers/libfuzzer_libpng/harness.cc
+++ b/fuzzers/libfuzzer_libpng/harness.cc
@@ -20,8 +20,6 @@
 #include 
-#define HAS_BUG 1
-
 #define PNG_INTERNAL
 #include "png.h"
@@ -159,8 +157,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 // This is going to be too slow.
 if (width && height > 100000000 / width) {
 PNG_CLEANUP
- if (HAS_BUG)
- asm("ud2");
+#ifdef HAS_DUMMY_CRASH
+ asm("ud2");
+#endif
 return 0;
 }
diff --git a/fuzzers/libfuzzer_libpng/src/fuzzer.rs b/fuzzers/libfuzzer_libpng/src/fuzzer.rs
index c18aa49c7f..8c37ef7cf5 100644
--- a/fuzzers/libfuzzer_libpng/src/fuzzer.rs
+++ b/fuzzers/libfuzzer_libpng/src/fuzzer.rs
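Review bot: The added `// .define("HAS_DUMMY_CRASH", "1")` line in the cc::Build chain is commented-out code with nothing saying what the macro does, and together with the harness.cc hunks of this commit (the `#define HAS_BUG 1` default is removed, the ud2 is now behind `#ifdef HAS_DUMMY_CRASH`) it turns the deliberate crash off by default without saying so. Replace the dead line with a comment that documents the switch, e.g. `// Define HAS_DUMMY_CRASH to make harness.cc execute ud2 on oversized images: a quick self-check that the fuzzer detects and reports crashes. Off by default.` The enclosing main() starts and ends outside the hunk.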
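Review bot: `asm("ud2")` under the new `#ifdef HAS_DUMMY_CRASH` is an x86-only instruction inside a compiler-specific asm statement, so the opt-in crash fails to assemble on any other target; `__builtin_trap();` is supported by both GCC and Clang and traps on every architecture (it lowers to ud2 on x86), so change `asm("ud2");` to `__builtin_trap();`. Since the macro is now only provided by build.rs, where the define is commented out, a one-line comment above the `#ifdef` stating that this is an opt-in self-check of crash reporting, disabled by default, would save the next reader a search. LLVMFuzzerTestOneInput continues outside the hunk.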
@@ -124,7 +124,6 @@ fn fuzz(corpus_dirs: Vec, objective_dir: PathBuf, broker_port: u16) ->
 // A fuzzer with just one stage and a minimization+queue policy to get testcasess from the corpus
 let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
- //let scheduler = QueueCorpusScheduler::new();
 let fuzzer = StdFuzzer::new(scheduler, tuple_list!(stage));
 // Create the executor for an in-process function with just one observer for edge coverage
diff --git a/fuzzers/libfuzzer_runtime/rt.c b/fuzzers/libfuzzer_runtime/rt.c
index 0022249d8f..90f4fea89a 100644
--- a/fuzzers/libfuzzer_runtime/rt.c
+++ b/fuzzers/libfuzzer_runtime/rt.c
@@ -17,9 +17,9 @@ uint32_t __lafl_max_edges_size = 0;
 void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
 uint32_t pos = *guard;
- //uint16_t val = __lafl_edges_map[pos] + 1;
- //__lafl_edges_map[pos] = ((uint8_t) val) + (uint8_t) (val >> 8);
- __lafl_edges_map[pos] = 1;
+ uint16_t val = __lafl_edges_map[pos] + 1;
+ __lafl_edges_map[pos] = ((uint8_t) val) + (uint8_t) (val >> 8);
+ //__lafl_edges_map[pos] = 1;
 }
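Review bot: The new counter in __sanitizer_cov_trace_pc_guard wraps 255 to 1 rather than saturating (val becomes 256, whose low byte 0 plus carry 1 gives 1), which is deliberate never-zero arithmetic but reads like an overflow bug without a comment; add `/* hitcount with carry: 255 + 1 -> 1, so an edge that was hit never reads back as 0 */` above the `uint16_t val` line. The `//__lafl_edges_map[pos] = 1;` that the hunk leaves behind is the third comment-toggled variant of this statement across the two revisions; delete it rather than keeping the alternative as a comment. The element type of __lafl_edges_map and the code that assigns guard indices are outside the hunk, so the `(uint8_t)` casts presumably match a byte map and `pos` is presumably kept below __lafl_max_edges_size by the guard-init routine — both worth confirming, since an out-of-range guard value would make this an unchecked write in the hot path.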