[libFuzzer] improve -minimize_crash: honor -artifact_prefix= and don't special case 2-byte inputs

llvm-svn: 292511
2024-10-19 02:52:53 +02:00 · 2017-01-19 19:38:12 +00:00 · 2017-01-19 19:38:12 +00:00 · 51f50e3dd0
commit 51f50e3dd0
parent 8cb15cfc13
5 changed files with 37 additions and 12 deletions
--- a/lib/Fuzzer/FuzzerDriver.cpp
+++ b/lib/Fuzzer/FuzzerDriver.cpp
@ -277,7 +277,8 @@ static bool AllInputsAreFiles() {
  return true;
 }

-int MinimizeCrashInput(const std::vector<std::string> &Args) {
+int MinimizeCrashInput(const std::vector<std::string> &Args,
+                       const FuzzingOptions &Options) {
  if (Inputs->size() != 1) {
    Printf("ERROR: -minimize_crash should be given one input file\n");
    exit(1);
@ -299,10 +300,6 @@ int MinimizeCrashInput(const std::vector<std::string> &Args) {
  std::string CurrentFilePath = InputFilePath;
  while (true) {
    Unit U = FileToVector(CurrentFilePath);
-    if (U.size() < 2) {
-      Printf("CRASH_MIN: '%s' is small enough\n", CurrentFilePath.c_str());
-      return 0;
-    }
    Printf("CRASH_MIN: minimizing crash input: '%s' (%zd bytes)\n",
           CurrentFilePath.c_str(), U.size());

@ -318,7 +315,8 @@ int MinimizeCrashInput(const std::vector<std::string> &Args) {
           "it further\n",
           CurrentFilePath.c_str(), U.size());

-    std::string ArtifactPath = "minimized-from-" + Hash(U);
+    std::string ArtifactPath =
+        Options.ArtifactPrefix + "minimized-from-" + Hash(U);
    Cmd += " -minimize_crash_internal_step=1 -exact_artifact_path=" +
        ArtifactPath;
    Printf("CRASH_MIN: executing: %s\n", Cmd.c_str());
@ -342,8 +340,11 @@ int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) {
  assert(Inputs->size() == 1);
  std::string InputFilePath = Inputs->at(0);
  Unit U = FileToVector(InputFilePath);
-  assert(U.size() > 2);
  Printf("INFO: Starting MinimizeCrashInputInternalStep: %zd\n", U.size());
+  if (U.size() < 2) {
+    Printf("INFO: The input is small enough, exiting\n");
+    exit(0);
+  }
  Corpus->AddToCorpus(U, 0);
  F->SetMaxInputLen(U.size());
  F->SetMaxMutationLen(U.size() - 1);
@ -368,9 +369,6 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
    return 0;
  }

-  if (Flags.minimize_crash)
-    return MinimizeCrashInput(Args);
-
  if (Flags.close_fd_mask & 2)
    DupAndCloseStderr();
  if (Flags.close_fd_mask & 1)
@ -470,6 +468,9 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
  Options.HandleXfsz = Flags.handle_xfsz;
  SetSignalHandler(Options);

+  if (Flags.minimize_crash)
+    return MinimizeCrashInput(Args, Options);
+
  if (Flags.minimize_crash_internal_step)
    return MinimizeCrashInputInternalStep(F, Corpus);

--- a/lib/Fuzzer/FuzzerLoop.cpp
+++ b/lib/Fuzzer/FuzzerLoop.cpp
@ -792,7 +792,7 @@ void Fuzzer::Loop() {
 }

 void Fuzzer::MinimizeCrashLoop(const Unit &U) {
-  if (U.size() <= 2) return;
+  if (U.size() <= 1) return;
  while (!TimedOut() && TotalNumberOfRuns < Options.MaxNumberOfRuns) {
    MD.StartMutationSequence();
    memcpy(CurrentUnitData, U.data(), U.size());
--- a/lib/Fuzzer/test/CMakeLists.txt
+++ b/lib/Fuzzer/test/CMakeLists.txt
@ -94,6 +94,7 @@ set(Tests
  SimpleHashTest
  SimpleTest
  SimpleThreadedTest
+  SingleByteInputTest
  SingleMemcmpTest
  SingleStrcmpTest
  SingleStrncmpTest
--- a/lib/Fuzzer/test/SingleByteInputTest.cpp
+++ b/lib/Fuzzer/test/SingleByteInputTest.cpp
@ -0,0 +1,17 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Simple test for a fuzzer, need just one byte to crash.
+#include <cstdint>
+#include <cstdlib>
+#include <cstddef>
+#include <cstdio>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size > 0 && Data[Size/2] == 42) {
+    fprintf(stderr, "BINGO\n");
+    abort();
+  }
+  return 0;
+}
+
--- a/lib/Fuzzer/test/minimize_crash.test
+++ b/lib/Fuzzer/test/minimize_crash.test
@ -1,6 +1,12 @@
 RUN: echo 'Hi!rv349f34t3gg' > not_minimal_crash
 RUN: LLVMFuzzer-NullDerefTest -minimize_crash=1 not_minimal_crash -max_total_time=2 2>&1 | FileCheck %s
-CHECK: CRASH_MIN: failed to minimize beyond minimized-from-{{.*}} (3 bytes), exiting
+CHECK: CRASH_MIN: failed to minimize beyond ./minimized-from-{{.*}} (3 bytes), exiting
 RUN: LLVMFuzzer-NullDerefTest -minimize_crash=1 not_minimal_crash -max_total_time=2 -exact_artifact_path=exact_minimized_path 2>&1 | FileCheck %s --check-prefix=CHECK_EXACT
 CHECK_EXACT: CRASH_MIN: failed to minimize beyond exact_minimized_path (3 bytes), exiting
 RUN: rm not_minimal_crash minimized-from-* exact_minimized_path
+
+RUN: echo 'abcd*xyz' > not_minimal_crash
+RUN: LLVMFuzzer-SingleByteInputTest -minimize_crash=1 not_minimal_crash -artifact_prefix=./ZZZ- -exact_artifact_path=exact_minimized_path 2>&1 | FileCheck %s --check-prefix=MIN1
+MIN1: Test unit written to ./ZZZ-minimized-from-
+MIN1: INFO: The input is small enough, exiting
+MIN1: CRASH_MIN: failed to minimize beyond exact_minimized_path (1 bytes), exiting