| blob | 9f3537491679827d9878882259b8b7f317a214d0 |
1 # Tests the data flow tracer.
2 REQUIRES: linux, x86_64
4 # Disable, like other dataflow tests.
5 RUN: false
6 XFAIL: *
8 # Build the tracer and the test.
9 RUN: %no_fuzzer_cpp_compiler -c -fno-sanitize=all -fsanitize=dataflow %S/../../lib/fuzzer/dataflow/DataFlow.cpp -o %t-DataFlow.o
10 RUN: %no_fuzzer_cpp_compiler -c -fno-sanitize=all -fPIC %S/../../lib/fuzzer/dataflow/DataFlowCallbacks.cpp -o %t-DataFlowCallbacks.o
11 RUN: %no_fuzzer_cpp_compiler -fno-sanitize=all -fsanitize=dataflow -fsanitize-coverage=trace-pc-guard,pc-table,bb,trace-cmp %S/ThreeFunctionsTest.cpp %t-DataFlow*.o -o %t-ThreeFunctionsTestDF
12 RUN: %no_fuzzer_cpp_compiler -fno-sanitize=all -fsanitize=dataflow -fsanitize-coverage=trace-pc-guard,pc-table,bb,trace-cmp %S/Labels20Test.cpp %t-DataFlow*.o -o %t-Labels20TestDF
13 RUN: %cpp_compiler %S/ThreeFunctionsTest.cpp -o %t-ThreeFunctionsTest
15 # Dump the function list.
16 RUN: %t-ThreeFunctionsTestDF 2>&1 | FileCheck %s --check-prefix=FUNC_LIST
17 FUNC_LIST-DAG: LLVMFuzzerTestOneInput
18 FUNC_LIST-DAG: Func1
19 FUNC_LIST-DAG: Func2
21 # Prepare the inputs.
22 RUN: rm -rf %t/IN %t/IN20
23 RUN: mkdir -p %t/IN %t/IN20
24 RUN: echo -n ABC > %t/IN/ABC
25 RUN: echo -n FUABC > %t/IN/FUABC
26 RUN: echo -n FUZZR > %t/IN/FUZZR
27 RUN: echo -n FUZZM > %t/IN/FUZZM
28 RUN: echo -n FUZZMU > %t/IN/FUZZMU
29 RUN: echo -n 1234567890123456 > %t/IN/1234567890123456
31 RUN: echo -n FUZZxxxxxxxxxxxxxxxx > %t/IN20/FUZZxxxxxxxxxxxxxxxx
32 RUN: echo -n FUZZxxxxxxxxxxxxMxxx > %t/IN20/FUZZxxxxxxxxxxxxMxxx
33 RUN: echo -n FUZxxxxxxxxxxxxxxxxx > %t/IN20/FUZxxxxxxxxxxxxxxxxx
34 RUN: echo -n FUxxxxxxxxxxxxxxxxxx > %t/IN20/FUxxxxxxxxxxxxxxxxxx
37 RUN: export DFSAN_OPTIONS=warn_unimplemented=0
39 # This test assumes that the functions in ThreeFunctionsTestDF are instrumented
40 # in a specific order:
41 # LLVMFuzzerTestOneInput: F0
42 # Func1: F1
43 # Func2: F2
45 # ABC: No data is used
46 RUN:%t-ThreeFunctionsTestDF %t/IN/ABC | FileCheck %s --check-prefix=IN_ABC
47 IN_ABC-NOT: F0
48 IN_ABC: C0
49 IN_ABC-NOT: C
51 # FUABC: First 3 bytes are checked, Func1/Func2 are not called.
52 RUN:%t-ThreeFunctionsTestDF %t/IN/FUABC | FileCheck %s --check-prefix=IN_FUABC
53 IN_FUABC: F0 11100{{$}}
54 IN_FUABC-NOT: F
55 IN_FUABC-NEXT: C0
56 IN_FUABC-NOT: C
58 # FUZZR: 5 bytes are used (4 in one function, 5-th in the other), Func2 is not called.
59 RUN:%t-ThreeFunctionsTestDF %t/IN/FUZZR | FileCheck %s --check-prefix=IN_FUZZR
60 IN_FUZZR: F0 11110
61 IN_FUZZR: F1 00001
62 IN_FUZZR-NOT: F
63 IN_FUZZR: C0
64 IN_FUZZR: C1
65 IN_FUZZR-NOT: C
67 # FUZZM: 5 bytes are used, both Func1 and Func2 are called, Func2 depends only on size.
68 RUN:%t-ThreeFunctionsTestDF %t/IN/FUZZM | FileCheck %s --check-prefix=IN_FUZZM
69 IN_FUZZM: F0 11110
70 IN_FUZZM: F1 00001
71 IN_FUZZM-NOT: F2
72 IN_FUZZM: C0
73 IN_FUZZM: C1
74 IN_FUZZM: C2
76 # FUZZMU: 6 bytes are used, both Func1 and Func2 are called, Func2 depends on byte 6 and size.
77 RUN:%t-ThreeFunctionsTestDF %t/IN/FUZZMU | FileCheck %s --check-prefix=IN_FUZZMU
80 # Test Labels20TestDF
81 RUN:%t-Labels20TestDF %t/IN20/FUxxxxxxxxxxxxxxxxxx | FileCheck %s --check-prefix=L20_FU
82 L20_FU: F0 11100000000000000000{{$}}
83 L20_FU-NOT: F
85 RUN:%t-Labels20TestDF %t/IN20/FUZxxxxxxxxxxxxxxxxx | FileCheck %s --check-prefix=L20_FUZ
86 L20_FUZ: F0 11110000000000000000{{$}}
87 L20_FUZ-NOT: F
89 RUN:%t-Labels20TestDF %t/IN20/FUZZxxxxxxxxxxxxxxxx | FileCheck %s --check-prefix=L20_FUZZ
90 L20_FUZZ: F0 11110000000000000000{{$}}
91 L20_FUZZ-NEXT: F1 00000000000000001000{{$}}
92 L20_FUZZ-NOT: F
94 RUN:%t-Labels20TestDF %t/IN20/FUZZxxxxxxxxxxxxMxxx | FileCheck %s --check-prefix=L20_FUZZM
95 L20_FUZZM: F0 11110000000000000000{{$}}
96 L20_FUZZM-NEXT: F1 00000000000000001000{{$}}
97 L20_FUZZM-NEXT: F2 00000000000000000001{{$}}
98 L20_FUZZM-NOT: F
100 # Don't crash with missing data_flow args.
101 RUN: rm -rf %t-DFT
102 RUN: %t-ThreeFunctionsTest -collect_data_flow=%t-ThreeFunctionsTestDF
103 RUN: %t-ThreeFunctionsTest -data_flow_trace=%t-DFT %t/IN/FUZZMU
105 # Test libFuzzer's built in DFT collection.
106 RUN: rm -rf %t-DFT
107 RUN: %t-ThreeFunctionsTest -collect_data_flow=%t-ThreeFunctionsTestDF -data_flow_trace=%t-DFT %t/IN/FUZZMU
108 RUN: cat %t-DFT/* | sort | FileCheck %s --check-prefix=IN_FUZZMU
110 IN_FUZZMU: F0 111100
111 IN_FUZZMU: F1 000010
112 IN_FUZZMU: F2 000001
114 # Test that we can run collect_data_flow on the entire corpus dir
115 RUN: rm -rf %t/OUT
116 RUN: %t-ThreeFunctionsTest -collect_data_flow=%t-ThreeFunctionsTestDF -data_flow_trace=%t/OUT %t/IN
117 RUN: %t-ThreeFunctionsTest -data_flow_trace=%t/OUT -runs=0 -focus_function=Func2 %t/IN 2>&1 | FileCheck %s --check-prefix=USE_DATA_FLOW_TRACE
119 USE_DATA_FLOW_TRACE: INFO: DataFlowTrace: reading from {{.*}}/OUT
120 USE_DATA_FLOW_TRACE: d28cb407e8e1a702c72d25473f0553d3ec172262 => |000001|
121 USE_DATA_FLOW_TRACE: INFO: DataFlowTrace: 6 trace files, 3 functions, 1 traces with focus function
122 USE_DATA_FLOW_TRACE: INFO: Focus function is set to 'Func2'
123 USE_DATA_FLOW_TRACE: INITED
124 USE_DATA_FLOW_TRACE: INFO: 2/6 inputs touch the focus function
125 USE_DATA_FLOW_TRACE: INFO: 1/2 inputs have the Data Flow Trace
127 # Test that we can run collect_data_flow on a long input (>2**16 bytes)
128 RUN: printf "%0.sA" {1..150001} > %t/IN/very_long_input
129 RUN: rm -rf %t/OUT
130 RUN: %t-ThreeFunctionsTest -collect_data_flow=%t-ThreeFunctionsTestDF -data_flow_trace=%t/OUT %t/IN/very_long_input
131 RUN: rm %t/IN/very_long_input
133 # Test that it fails explicitly when an empty corpus is provided.
134 RUN: rm -rf %t/IN && mkdir %t/IN
135 RUN: not %t-ThreeFunctionsTest -collect_data_flow=%t-ThreeFunctionsTestDF -data_flow_trace=%t/OUT %t/IN 2>&1 | FileCheck %s --check-prefix=EMPTY_CORPUS
137 EMPTY_CORPUS: ERROR: can't collect data flow without corpus provided