search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[ELF] Avoid make in elf::writeARMCmseImportLib
[llvm-project.git] / compiler-rt / lib / fuzzer / FuzzerTracePC.cpp
blob7f4e8ef91c447c2bdad588c3222ab958981a8bfc
1 //===- FuzzerTracePC.cpp - PC tracing--------------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 // Trace PCs.
9 // This module implements __sanitizer_cov_trace_pc_guard[_init],
10 // the callback required for -fsanitize-coverage=trace-pc-guard instrumentation.
11 //
12 //===----------------------------------------------------------------------===//
13
14 #include "FuzzerTracePC.h"
15 #include "FuzzerBuiltins.h"
16 #include "FuzzerBuiltinsMsvc.h"
17 #include "FuzzerCorpus.h"
18 #include "FuzzerDefs.h"
19 #include "FuzzerDictionary.h"
20 #include "FuzzerExtFunctions.h"
21 #include "FuzzerIO.h"
22 #include "FuzzerPlatform.h"
23 #include "FuzzerUtil.h"
24 #include "FuzzerValueBitMap.h"
25 #include <set>
26
27 // Used by -fsanitize-coverage=stack-depth to track stack depth
28 ATTRIBUTES_INTERFACE_TLS_INITIAL_EXEC uintptr_t __sancov_lowest_stack;
29
30 namespace fuzzer {
31
32 TracePC TPC;
33
34 size_t TracePC::GetTotalPCCoverage() {
35 return ObservedPCs.size();
36 }
37
38
39 void TracePC::HandleInline8bitCountersInit(uint8_t *Start, uint8_t *Stop) {
40 if (Start == Stop) return;
41 if (NumModules &&
42 Modules[NumModules - 1].Start() == Start)
43 return;
44 assert(NumModules <
45 sizeof(Modules) / sizeof(Modules[0]));
46 auto &M = Modules[NumModules++];
47 uint8_t *AlignedStart = RoundUpByPage(Start);
48 uint8_t *AlignedStop = RoundDownByPage(Stop);
49 size_t NumFullPages = AlignedStop > AlignedStart ?
50 (AlignedStop - AlignedStart) / PageSize() : 0;
51 bool NeedFirst = Start < AlignedStart || !NumFullPages;
52 bool NeedLast = Stop > AlignedStop && AlignedStop >= AlignedStart;
53 M.NumRegions = NumFullPages + NeedFirst + NeedLast;;
54 assert(M.NumRegions > 0);
55 M.Regions = new Module::Region[M.NumRegions];
56 assert(M.Regions);
57 size_t R = 0;
58 if (NeedFirst)
59 M.Regions[R++] = {Start, std::min(Stop, AlignedStart), true, false};
60 for (uint8_t *P = AlignedStart; P < AlignedStop; P += PageSize())
61 M.Regions[R++] = {P, P + PageSize(), true, true};
62 if (NeedLast)
63 M.Regions[R++] = {AlignedStop, Stop, true, false};
64 assert(R == M.NumRegions);
65 assert(M.Size() == (size_t)(Stop - Start));
66 assert(M.Stop() == Stop);
67 assert(M.Start() == Start);
68 NumInline8bitCounters += M.Size();
69 }
70
71 void TracePC::HandlePCsInit(const uintptr_t *Start, const uintptr_t *Stop) {
72 const PCTableEntry *B = reinterpret_cast<const PCTableEntry *>(Start);
73 const PCTableEntry *E = reinterpret_cast<const PCTableEntry *>(Stop);
74 if (NumPCTables && ModulePCTable[NumPCTables - 1].Start == B) return;
75 assert(NumPCTables < sizeof(ModulePCTable) / sizeof(ModulePCTable[0]));
76 ModulePCTable[NumPCTables++] = {B, E};
77 NumPCsInPCTables += E - B;
78 }
79
80 void TracePC::PrintModuleInfo() {
81 if (NumModules) {
82 Printf("INFO: Loaded %zd modules (%zd inline 8-bit counters): ",
83 NumModules, NumInline8bitCounters);
84 for (size_t i = 0; i < NumModules; i++)
85 Printf("%zd [%p, %p), ", Modules[i].Size(), Modules[i].Start(),
86 Modules[i].Stop());
87 Printf("\n");
88 }
89 if (NumPCTables) {
90 Printf("INFO: Loaded %zd PC tables (%zd PCs): ", NumPCTables,
91 NumPCsInPCTables);
92 for (size_t i = 0; i < NumPCTables; i++) {
93 Printf("%zd [%p,%p), ", ModulePCTable[i].Stop - ModulePCTable[i].Start,
94 ModulePCTable[i].Start, ModulePCTable[i].Stop);
95 }
96 Printf("\n");
97
98 if (NumInline8bitCounters && NumInline8bitCounters != NumPCsInPCTables) {
99 Printf("ERROR: The size of coverage PC tables does not match the\n"
100 "number of instrumented PCs. This might be a compiler bug,\n"
101 "please contact the libFuzzer developers.\n"
102 "Also check https://bugs.llvm.org/show_bug.cgi?id=34636\n"
103 "for possible workarounds (tl;dr: don't use the old GNU ld)\n");
104 _Exit(1);
105 }
106 }
107 if (size_t NumExtraCounters = ExtraCountersEnd() - ExtraCountersBegin())
108 Printf("INFO: %zd Extra Counters\n", NumExtraCounters);
109
110 size_t MaxFeatures = CollectFeatures([](uint32_t) {});
111 if (MaxFeatures > std::numeric_limits<uint32_t>::max())
112 Printf("WARNING: The coverage PC tables may produce up to %zu features.\n"
113 "This exceeds the maximum 32-bit value. Some features may be\n"
114 "ignored, and fuzzing may become less precise. If possible,\n"
115 "consider refactoring the fuzzer into several smaller fuzzers\n"
116 "linked against only a portion of the current target.\n",
117 MaxFeatures);
118 }
119
120 ATTRIBUTE_NO_SANITIZE_ALL
121 void TracePC::HandleCallerCallee(uintptr_t Caller, uintptr_t Callee) {
122 const uintptr_t kBits = 12;
123 const uintptr_t kMask = (1 << kBits) - 1;
124 uintptr_t Idx = (Caller & kMask) | ((Callee & kMask) << kBits);
125 ValueProfileMap.AddValueModPrime(Idx);
126 }
127
128 /// \return the address of the previous instruction.
129 /// Note: the logic is copied from `sanitizer_common/sanitizer_stacktrace.h`
130 inline ALWAYS_INLINE uintptr_t GetPreviousInstructionPc(uintptr_t PC) {
131 #if defined(__arm__)
132 // T32 (Thumb) branch instructions might be 16 or 32 bit long,
133 // so we return (pc-2) in that case in order to be safe.
134 // For A32 mode we return (pc-4) because all instructions are 32 bit long.
135 return (PC - 3) & (~1);
136 #elif defined(__sparc__) || defined(__mips__)
137 return PC - 8;
138 #elif defined(__riscv__)
139 return PC - 2;
140 #elif defined(__i386__) || defined(__x86_64__) || defined(_M_IX86) || defined(_M_X64)
141 return PC - 1;
142 #else
143 return PC - 4;
144 #endif
145 }
146
147 /// \return the address of the next instruction.
148 /// Note: the logic is copied from `sanitizer_common/sanitizer_stacktrace.cpp`
149 ALWAYS_INLINE uintptr_t TracePC::GetNextInstructionPc(uintptr_t PC) {
150 #if defined(__mips__)
151 return PC + 8;
152 #elif defined(__powerpc__) || defined(__sparc__) || defined(__arm__) || \
153 defined(__aarch64__) || defined(__loongarch__)
154 return PC + 4;
155 #else
156 return PC + 1;
157 #endif
158 }
159
160 void TracePC::UpdateObservedPCs() {
161 std::vector<uintptr_t> CoveredFuncs;
162 auto ObservePC = [&](const PCTableEntry *TE) {
163 if (ObservedPCs.insert(TE).second && DoPrintNewPCs) {
164 PrintPC("\tNEW_PC: %p %F %L", "\tNEW_PC: %p",
165 GetNextInstructionPc(TE->PC));
166 Printf("\n");
167 }
168 };
169
170 auto Observe = [&](const PCTableEntry *TE) {
171 if (PcIsFuncEntry(TE))
172 if (++ObservedFuncs[TE->PC] == 1 && NumPrintNewFuncs)
173 CoveredFuncs.push_back(TE->PC);
174 ObservePC(TE);
175 };
176
177 if (NumPCsInPCTables) {
178 if (NumInline8bitCounters == NumPCsInPCTables) {
179 for (size_t i = 0; i < NumModules; i++) {
180 auto &M = Modules[i];
181 assert(M.Size() ==
182 (size_t)(ModulePCTable[i].Stop - ModulePCTable[i].Start));
183 for (size_t r = 0; r < M.NumRegions; r++) {
184 auto &R = M.Regions[r];
185 if (!R.Enabled) continue;
186 for (uint8_t *P = R.Start; P < R.Stop; P++)
187 if (*P)
188 Observe(&ModulePCTable[i].Start[M.Idx(P)]);
189 }
190 }
191 }
192 }
193
194 for (size_t i = 0, N = Min(CoveredFuncs.size(), NumPrintNewFuncs); i < N;
195 i++) {
196 Printf("\tNEW_FUNC[%zd/%zd]: ", i + 1, CoveredFuncs.size());
197 PrintPC("%p %F %L", "%p", GetNextInstructionPc(CoveredFuncs[i]));
198 Printf("\n");
199 }
200 }
201
202 uintptr_t TracePC::PCTableEntryIdx(const PCTableEntry *TE) {
203 size_t TotalTEs = 0;
204 for (size_t i = 0; i < NumPCTables; i++) {
205 auto &M = ModulePCTable[i];
206 if (TE >= M.Start && TE < M.Stop)
207 return TotalTEs + TE - M.Start;
208 TotalTEs += M.Stop - M.Start;
209 }
210 assert(0);
211 return 0;
212 }
213
214 const TracePC::PCTableEntry *TracePC::PCTableEntryByIdx(uintptr_t Idx) {
215 for (size_t i = 0; i < NumPCTables; i++) {
216 auto &M = ModulePCTable[i];
217 size_t Size = M.Stop - M.Start;
218 if (Idx < Size) return &M.Start[Idx];
219 Idx -= Size;
220 }
221 return nullptr;
222 }
223
224 static std::string GetModuleName(uintptr_t PC) {
225 char ModulePathRaw[4096] = ""; // What's PATH_MAX in portable C++?
226 void *OffsetRaw = nullptr;
227 if (!EF->__sanitizer_get_module_and_offset_for_pc(
228 reinterpret_cast<void *>(PC), ModulePathRaw,
229 sizeof(ModulePathRaw), &OffsetRaw))
230 return "";
231 return ModulePathRaw;
232 }
233
234 template<class CallBack>
235 void TracePC::IterateCoveredFunctions(CallBack CB) {
236 for (size_t i = 0; i < NumPCTables; i++) {
237 auto &M = ModulePCTable[i];
238 assert(M.Start < M.Stop);
239 auto ModuleName = GetModuleName(M.Start->PC);
240 for (auto NextFE = M.Start; NextFE < M.Stop; ) {
241 auto FE = NextFE;
242 assert(PcIsFuncEntry(FE) && "Not a function entry point");
243 do {
244 NextFE++;
245 } while (NextFE < M.Stop && !(PcIsFuncEntry(NextFE)));
246 CB(FE, NextFE, ObservedFuncs[FE->PC]);
247 }
248 }
249 }
250
251 void TracePC::SetFocusFunction(const std::string &FuncName) {
252 // This function should be called once.
253 assert(!FocusFunctionCounterPtr);
254 // "auto" is not a valid function name. If this function is called with "auto"
255 // that means the auto focus functionality failed.
256 if (FuncName.empty() || FuncName == "auto")
257 return;
258 for (size_t M = 0; M < NumModules; M++) {
259 auto &PCTE = ModulePCTable[M];
260 size_t N = PCTE.Stop - PCTE.Start;
261 for (size_t I = 0; I < N; I++) {
262 if (!(PcIsFuncEntry(&PCTE.Start[I]))) continue; // not a function entry.
263 auto Name = DescribePC("%F", GetNextInstructionPc(PCTE.Start[I].PC));
264 if (Name[0] == 'i' && Name[1] == 'n' && Name[2] == ' ')
265 Name = Name.substr(3, std::string::npos);
266 if (FuncName != Name) continue;
267 Printf("INFO: Focus function is set to '%s'\n", Name.c_str());
268 FocusFunctionCounterPtr = Modules[M].Start() + I;
269 return;
270 }
271 }
272
273 Printf("ERROR: Failed to set focus function. Make sure the function name is "
274 "valid (%s) and symbolization is enabled.\n", FuncName.c_str());
275 exit(1);
276 }
277
278 bool TracePC::ObservedFocusFunction() {
279 return FocusFunctionCounterPtr && *FocusFunctionCounterPtr;
280 }
281
282 void TracePC::PrintCoverage(bool PrintAllCounters) {
283 if (!EF->__sanitizer_symbolize_pc ||
284 !EF->__sanitizer_get_module_and_offset_for_pc) {
285 Printf("INFO: __sanitizer_symbolize_pc or "
286 "__sanitizer_get_module_and_offset_for_pc is not available,"
287 " not printing coverage\n");
288 return;
289 }
290 Printf(PrintAllCounters ? "FULL COVERAGE:\n" : "COVERAGE:\n");
291 auto CoveredFunctionCallback = [&](const PCTableEntry *First,
292 const PCTableEntry *Last,
293 uintptr_t Counter) {
294 assert(First < Last);
295 auto VisualizePC = GetNextInstructionPc(First->PC);
296 std::string FileStr = DescribePC("%s", VisualizePC);
297 if (!IsInterestingCoverageFile(FileStr))
298 return;
299 std::string FunctionStr = DescribePC("%F", VisualizePC);
300 if (FunctionStr.find("in ") == 0)
301 FunctionStr = FunctionStr.substr(3);
302 std::string LineStr = DescribePC("%l", VisualizePC);
303 size_t NumEdges = Last - First;
304 std::vector<uintptr_t> UncoveredPCs;
305 std::vector<uintptr_t> CoveredPCs;
306 for (auto TE = First; TE < Last; TE++)
307 if (!ObservedPCs.count(TE))
308 UncoveredPCs.push_back(TE->PC);
309 else
310 CoveredPCs.push_back(TE->PC);
311
312 if (PrintAllCounters) {
313 Printf("U");
314 for (auto PC : UncoveredPCs)
315 Printf(DescribePC(" %l", GetNextInstructionPc(PC)).c_str());
316 Printf("\n");
317
318 Printf("C");
319 for (auto PC : CoveredPCs)
320 Printf(DescribePC(" %l", GetNextInstructionPc(PC)).c_str());
321 Printf("\n");
322 } else {
323 Printf("%sCOVERED_FUNC: hits: %zd", Counter ? "" : "UN", Counter);
324 Printf(" edges: %zd/%zd", NumEdges - UncoveredPCs.size(), NumEdges);
325 Printf(" %s %s:%s\n", FunctionStr.c_str(), FileStr.c_str(),
326 LineStr.c_str());
327 if (Counter)
328 for (auto PC : UncoveredPCs)
329 Printf(" UNCOVERED_PC: %s\n",
330 DescribePC("%s:%l", GetNextInstructionPc(PC)).c_str());
331 }
332 };
333
334 IterateCoveredFunctions(CoveredFunctionCallback);
335 }
336
337 // Value profile.
338 // We keep track of various values that affect control flow.
339 // These values are inserted into a bit-set-based hash map.
340 // Every new bit in the map is treated as a new coverage.
341 //
342 // For memcmp/strcmp/etc the interesting value is the length of the common
343 // prefix of the parameters.
344 // For cmp instructions the interesting value is a XOR of the parameters.
345 // The interesting value is mixed up with the PC and is then added to the map.
346
347 ATTRIBUTE_NO_SANITIZE_ALL
348 void TracePC::AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
349 size_t n, bool StopAtZero) {
350 if (!n) return;
351 size_t Len = std::min(n, Word::GetMaxSize());
352 const uint8_t *A1 = reinterpret_cast<const uint8_t *>(s1);
353 const uint8_t *A2 = reinterpret_cast<const uint8_t *>(s2);
354 uint8_t B1[Word::kMaxSize];
355 uint8_t B2[Word::kMaxSize];
356 // Copy the data into locals in this non-msan-instrumented function
357 // to avoid msan complaining further.
358 size_t Hash = 0; // Compute some simple hash of both strings.
359 for (size_t i = 0; i < Len; i++) {
360 B1[i] = A1[i];
361 B2[i] = A2[i];
362 size_t T = B1[i];
363 Hash ^= (T << 8) | B2[i];
364 }
365 size_t I = 0;
366 uint8_t HammingDistance = 0;
367 for (; I < Len; I++) {
368 if (B1[I] != B2[I] || (StopAtZero && B1[I] == 0)) {
369 HammingDistance = static_cast<uint8_t>(Popcountll(B1[I] ^ B2[I]));
370 break;
371 }
372 }
373 size_t PC = reinterpret_cast<size_t>(caller_pc);
374 size_t Idx = (PC & 4095) | (I << 12);
375 Idx += HammingDistance;
376 ValueProfileMap.AddValue(Idx);
377 TORCW.Insert(Idx ^ Hash, Word(B1, Len), Word(B2, Len));
378 }
379
380 template <class T>
381 ATTRIBUTE_TARGET_POPCNT ALWAYS_INLINE
382 ATTRIBUTE_NO_SANITIZE_ALL
383 void TracePC::HandleCmp(uintptr_t PC, T Arg1, T Arg2) {
384 uint64_t ArgXor = Arg1 ^ Arg2;
385 if (sizeof(T) == 4)
386 TORC4.Insert(ArgXor, Arg1, Arg2);
387 else if (sizeof(T) == 8)
388 TORC8.Insert(ArgXor, Arg1, Arg2);
389 uint64_t HammingDistance = Popcountll(ArgXor); // [0,64]
390 uint64_t AbsoluteDistance = (Arg1 == Arg2 ? 0 : Clzll(Arg1 - Arg2) + 1);
391 ValueProfileMap.AddValue(PC * 128 + HammingDistance);
392 ValueProfileMap.AddValue(PC * 128 + 64 + AbsoluteDistance);
393 }
394
395 ATTRIBUTE_NO_SANITIZE_MEMORY
396 static size_t InternalStrnlen(const char *S, size_t MaxLen) {
397 size_t Len = 0;
398 for (; Len < MaxLen && S[Len]; Len++) {}
399 return Len;
400 }
401
402 // Finds min of (strlen(S1), strlen(S2)).
403 // Needed because one of these strings may actually be non-zero terminated.
404 ATTRIBUTE_NO_SANITIZE_MEMORY
405 static size_t InternalStrnlen2(const char *S1, const char *S2) {
406 size_t Len = 0;
407 for (; S1[Len] && S2[Len]; Len++) {}
408 return Len;
409 }
410
411 void TracePC::ClearInlineCounters() {
412 IterateCounterRegions([](const Module::Region &R){
413 if (R.Enabled)
414 memset(R.Start, 0, R.Stop - R.Start);
415 });
416 }
417
418 ATTRIBUTE_NO_SANITIZE_ALL
419 void TracePC::RecordInitialStack() {
420 int stack;
421 __sancov_lowest_stack = InitialStack = reinterpret_cast<uintptr_t>(&stack);
422 }
423
424 uintptr_t TracePC::GetMaxStackOffset() const {
425 return InitialStack - __sancov_lowest_stack; // Stack grows down
426 }
427
428 void WarnAboutDeprecatedInstrumentation(const char *flag) {
429 // Use RawPrint because Printf cannot be used on Windows before OutputFile is
430 // initialized.
431 RawPrint(flag);
432 RawPrint(
433 " is no longer supported by libFuzzer.\n"
434 "Please either migrate to a compiler that supports -fsanitize=fuzzer\n"
435 "or use an older version of libFuzzer\n");
436 exit(1);
437 }
438
439 } // namespace fuzzer
440
441 extern "C" {
442 ATTRIBUTE_INTERFACE
443 ATTRIBUTE_NO_SANITIZE_ALL
444 void __sanitizer_cov_trace_pc_guard(uint32_t *Guard) {
445 fuzzer::WarnAboutDeprecatedInstrumentation(
446 "-fsanitize-coverage=trace-pc-guard");
447 }
448
449 // Best-effort support for -fsanitize-coverage=trace-pc, which is available
450 // in both Clang and GCC.
451 ATTRIBUTE_INTERFACE
452 ATTRIBUTE_NO_SANITIZE_ALL
453 void __sanitizer_cov_trace_pc() {
454 fuzzer::WarnAboutDeprecatedInstrumentation("-fsanitize-coverage=trace-pc");
455 }
456
457 ATTRIBUTE_INTERFACE
458 void __sanitizer_cov_trace_pc_guard_init(uint32_t *Start, uint32_t *Stop) {
459 fuzzer::WarnAboutDeprecatedInstrumentation(
460 "-fsanitize-coverage=trace-pc-guard");
461 }
462
463 ATTRIBUTE_INTERFACE
464 void __sanitizer_cov_8bit_counters_init(uint8_t *Start, uint8_t *Stop) {
465 fuzzer::TPC.HandleInline8bitCountersInit(Start, Stop);
466 }
467
468 ATTRIBUTE_INTERFACE
469 void __sanitizer_cov_pcs_init(const uintptr_t *pcs_beg,
470 const uintptr_t *pcs_end) {
471 fuzzer::TPC.HandlePCsInit(pcs_beg, pcs_end);
472 }
473
474 ATTRIBUTE_INTERFACE
475 ATTRIBUTE_NO_SANITIZE_ALL
476 void __sanitizer_cov_trace_pc_indir(uintptr_t Callee) {
477 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
478 fuzzer::TPC.HandleCallerCallee(PC, Callee);
479 }
480
481 ATTRIBUTE_INTERFACE
482 ATTRIBUTE_NO_SANITIZE_ALL
483 ATTRIBUTE_TARGET_POPCNT
484 void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2) {
485 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
486 fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
487 }
488
489 ATTRIBUTE_INTERFACE
490 ATTRIBUTE_NO_SANITIZE_ALL
491 ATTRIBUTE_TARGET_POPCNT
492 // Now the __sanitizer_cov_trace_const_cmp[1248] callbacks just mimic
493 // the behaviour of __sanitizer_cov_trace_cmp[1248] ones. This, however,
494 // should be changed later to make full use of instrumentation.
495 void __sanitizer_cov_trace_const_cmp8(uint64_t Arg1, uint64_t Arg2) {
496 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
497 fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
498 }
499
500 ATTRIBUTE_INTERFACE
501 ATTRIBUTE_NO_SANITIZE_ALL
502 ATTRIBUTE_TARGET_POPCNT
503 void __sanitizer_cov_trace_cmp4(uint32_t Arg1, uint32_t Arg2) {
504 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
505 fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
506 }
507
508 ATTRIBUTE_INTERFACE
509 ATTRIBUTE_NO_SANITIZE_ALL
510 ATTRIBUTE_TARGET_POPCNT
511 void __sanitizer_cov_trace_const_cmp4(uint32_t Arg1, uint32_t Arg2) {
512 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
513 fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
514 }
515
516 ATTRIBUTE_INTERFACE
517 ATTRIBUTE_NO_SANITIZE_ALL
518 ATTRIBUTE_TARGET_POPCNT
519 void __sanitizer_cov_trace_cmp2(uint16_t Arg1, uint16_t Arg2) {
520 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
521 fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
522 }
523
524 ATTRIBUTE_INTERFACE
525 ATTRIBUTE_NO_SANITIZE_ALL
526 ATTRIBUTE_TARGET_POPCNT
527 void __sanitizer_cov_trace_const_cmp2(uint16_t Arg1, uint16_t Arg2) {
528 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
529 fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
530 }
531
532 ATTRIBUTE_INTERFACE
533 ATTRIBUTE_NO_SANITIZE_ALL
534 ATTRIBUTE_TARGET_POPCNT
535 void __sanitizer_cov_trace_cmp1(uint8_t Arg1, uint8_t Arg2) {
536 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
537 fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
538 }
539
540 ATTRIBUTE_INTERFACE
541 ATTRIBUTE_NO_SANITIZE_ALL
542 ATTRIBUTE_TARGET_POPCNT
543 void __sanitizer_cov_trace_const_cmp1(uint8_t Arg1, uint8_t Arg2) {
544 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
545 fuzzer::TPC.HandleCmp(PC, Arg1, Arg2);
546 }
547
548 ATTRIBUTE_INTERFACE
549 ATTRIBUTE_NO_SANITIZE_ALL
550 ATTRIBUTE_TARGET_POPCNT
551 void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) {
552 uint64_t N = Cases[0];
553 uint64_t ValSizeInBits = Cases[1];
554 uint64_t *Vals = Cases + 2;
555 // Skip the most common and the most boring case: all switch values are small.
556 // We may want to skip this at compile-time, but it will make the
557 // instrumentation less general.
558 if (Vals[N - 1] < 256)
559 return;
560 // Also skip small inputs values, they won't give good signal.
561 if (Val < 256)
562 return;
563 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
564 size_t i;
565 uint64_t Smaller = 0;
566 uint64_t Larger = ~(uint64_t)0;
567 // Find two switch values such that Smaller < Val < Larger.
568 // Use 0 and 0xfff..f as the defaults.
569 for (i = 0; i < N; i++) {
570 if (Val < Vals[i]) {
571 Larger = Vals[i];
572 break;
573 }
574 if (Val > Vals[i]) Smaller = Vals[i];
575 }
576
577 // Apply HandleCmp to {Val,Smaller} and {Val, Larger},
578 // use i as the PC modifier for HandleCmp.
579 if (ValSizeInBits == 16) {
580 fuzzer::TPC.HandleCmp(PC + 2 * i, static_cast<uint16_t>(Val),
581 (uint16_t)(Smaller));
582 fuzzer::TPC.HandleCmp(PC + 2 * i + 1, static_cast<uint16_t>(Val),
583 (uint16_t)(Larger));
584 } else if (ValSizeInBits == 32) {
585 fuzzer::TPC.HandleCmp(PC + 2 * i, static_cast<uint32_t>(Val),
586 (uint32_t)(Smaller));
587 fuzzer::TPC.HandleCmp(PC + 2 * i + 1, static_cast<uint32_t>(Val),
588 (uint32_t)(Larger));
589 } else {
590 fuzzer::TPC.HandleCmp(PC + 2*i, Val, Smaller);
591 fuzzer::TPC.HandleCmp(PC + 2*i + 1, Val, Larger);
592 }
593 }
594
595 ATTRIBUTE_INTERFACE
596 ATTRIBUTE_NO_SANITIZE_ALL
597 ATTRIBUTE_TARGET_POPCNT
598 void __sanitizer_cov_trace_div4(uint32_t Val) {
599 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
600 fuzzer::TPC.HandleCmp(PC, Val, (uint32_t)0);
601 }
602
603 ATTRIBUTE_INTERFACE
604 ATTRIBUTE_NO_SANITIZE_ALL
605 ATTRIBUTE_TARGET_POPCNT
606 void __sanitizer_cov_trace_div8(uint64_t Val) {
607 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
608 fuzzer::TPC.HandleCmp(PC, Val, (uint64_t)0);
609 }
610
611 ATTRIBUTE_INTERFACE
612 ATTRIBUTE_NO_SANITIZE_ALL
613 ATTRIBUTE_TARGET_POPCNT
614 void __sanitizer_cov_trace_gep(uintptr_t Idx) {
615 uintptr_t PC = reinterpret_cast<uintptr_t>(GET_CALLER_PC());
616 fuzzer::TPC.HandleCmp(PC, Idx, (uintptr_t)0);
617 }
618
619 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
620 void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1,
621 const void *s2, size_t n, int result) {
622 if (!fuzzer::RunningUserCallback) return;
623 if (result == 0) return; // No reason to mutate.
624 if (n <= 1) return; // Not interesting.
625 fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n, /*StopAtZero*/false);
626 }
627
628 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
629 void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1,
630 const char *s2, size_t n, int result) {
631 if (!fuzzer::RunningUserCallback) return;
632 if (result == 0) return; // No reason to mutate.
633 size_t Len1 = fuzzer::InternalStrnlen(s1, n);
634 size_t Len2 = fuzzer::InternalStrnlen(s2, n);
635 n = std::min(n, Len1);
636 n = std::min(n, Len2);
637 if (n <= 1) return; // Not interesting.
638 fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, n, /*StopAtZero*/true);
639 }
640
641 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
642 void __sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1,
643 const char *s2, int result) {
644 if (!fuzzer::RunningUserCallback) return;
645 if (result == 0) return; // No reason to mutate.
646 size_t N = fuzzer::InternalStrnlen2(s1, s2);
647 if (N <= 1) return; // Not interesting.
648 fuzzer::TPC.AddValueForMemcmp(caller_pc, s1, s2, N, /*StopAtZero*/true);
649 }
650
651 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
652 void __sanitizer_weak_hook_strncasecmp(void *called_pc, const char *s1,
653 const char *s2, size_t n, int result) {
654 if (!fuzzer::RunningUserCallback) return;
655 return __sanitizer_weak_hook_strncmp(called_pc, s1, s2, n, result);
656 }
657
658 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
659 void __sanitizer_weak_hook_strcasecmp(void *called_pc, const char *s1,
660 const char *s2, int result) {
661 if (!fuzzer::RunningUserCallback) return;
662 return __sanitizer_weak_hook_strcmp(called_pc, s1, s2, result);
663 }
664
665 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
666 void __sanitizer_weak_hook_strstr(void *called_pc, const char *s1,
667 const char *s2, char *result) {
668 if (!fuzzer::RunningUserCallback) return;
669 fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
670 }
671
672 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
673 void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1,
674 const char *s2, char *result) {
675 if (!fuzzer::RunningUserCallback) return;
676 fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
677 }
678
679 ATTRIBUTE_INTERFACE ATTRIBUTE_NO_SANITIZE_MEMORY
680 void __sanitizer_weak_hook_memmem(void *called_pc, const void *s1, size_t len1,
681 const void *s2, size_t len2, void *result) {
682 if (!fuzzer::RunningUserCallback) return;
683 fuzzer::TPC.MMT.Add(reinterpret_cast<const uint8_t *>(s2), len2);
684 }
685 } // extern "C"
LLVM monorepo