[libFuzzer] make sure we use the feedback from std::string operator ==

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@292835 91177308-0d34-0410-b5e6-96231b3b80d8
simoatze · Jan 23, 2017 · fc4ec25 · fc4ec25
1 parent af0e1c5
commit fc4ec25
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 1 deletion.
diff --git a/lib/Fuzzer/FuzzerTracePC.cpp b/lib/Fuzzer/FuzzerTracePC.cpp
@@ -214,9 +214,12 @@ void TracePC::AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
   uint8_t B2[Word::kMaxSize];
   // Copy the data into locals in this non-msan-instrumented function
   // to avoid msan complaining further.
+  size_t Hash = 0;  // Compute some simple hash of both strings.
   for (size_t i = 0; i < Len; i++) {
     B1[i] = A1[i];
     B2[i] = A2[i];
+    size_t T = B1[i];
+    Hash ^= (T << 8) | B2[i];
   }
   size_t I = 0;
   for (; I < Len; I++)
@@ -225,7 +228,7 @@ void TracePC::AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
   size_t PC = reinterpret_cast<size_t>(caller_pc);
   size_t Idx = (PC & 4095) | (I << 12);
   TPC.HandleValueProfile(Idx);
-  TORCW.Insert(Idx, Word(B1, Len), Word(B2, Len));
+  TORCW.Insert(Idx ^ Hash, Word(B1, Len), Word(B2, Len));
 }
 
 template <class T>

diff --git a/lib/Fuzzer/test/CMakeLists.txt b/lib/Fuzzer/test/CMakeLists.txt
@@ -83,6 +83,7 @@ set(Tests
   CounterTest
   CustomCrossOverTest
   CustomMutatorTest
+  CxxStringEqTest
   DivTest
   EmptyTest
   EquivalenceATest

diff --git a/lib/Fuzzer/test/CxxStringEqTest.cpp b/lib/Fuzzer/test/CxxStringEqTest.cpp
@@ -0,0 +1,24 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Simple test for a fuzzer. Must find a specific string
+// used in std::string operator ==.
+#include <cstdint>
+#include <cstdlib>
+#include <cstddef>
+#include <string>
+#include <iostream>
+
+static volatile int Sink;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  std::string Str((const char*)Data, Size);
+  bool Eq = Str == "FooBar";
+  Sink = Str == "123456";   // Try to confuse the fuzzer
+  if (Eq) {
+    std::cout << "BINGO; Found the target, exiting\n";
+    abort();
+  }
+  return 0;
+}
+
diff --git a/lib/Fuzzer/test/cxxstring.test b/lib/Fuzzer/test/cxxstring.test
@@ -0,0 +1,2 @@
+RUN: not LLVMFuzzer-CxxStringEqTest -seed=1 -runs=1000000 2>&1 | FileCheck %s
+CHECK: BINGO
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		RUN: not LLVMFuzzer-CxxStringEqTest -seed=1 -runs=1000000 2>&1 \| FileCheck %s
		CHECK: BINGO