diff options
author | Max Moroz <mmoroz@chromium.org> | 2017-12-20 19:31:51 +0000 |
---|---|---|
committer | Max Moroz <mmoroz@chromium.org> | 2017-12-20 19:31:51 +0000 |
commit | 1d14da803d4e2743ba9f86d3859b6f6358406cf7 (patch) | |
tree | 8c2c5f1d845d97c802c533fb18e3688a49761ed2 | |
parent | f7d5f654410fbdd20a81ba879d5f96df709a8ef8 (diff) | |
download | compiler-rt-1d14da803d4e2743ba9f86d3859b6f6358406cf7.tar.gz |
[libfuzzer] Fix UB when calculating Log(0) in StackDepthStepFunction().
Summary:
__builtin_clz used for Log calculation returns an undefined result
when argument is 0. I noticed that issue when was testing some fuzzers:
```
/src/libfuzzer/FuzzerTracePC.h:282:33: runtime error: shift exponent 450349 is too large for 32-bit type 'uint32_t' (aka 'unsigned int')
#0 0x43d83f in operator() /src/libfuzzer/FuzzerTracePC.h:283:33
#1 0x43d83f in void fuzzer::TracePC::CollectFeatures<fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)::$_1>(fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*)::$_1) const /src/libfuzzer/FuzzerTracePC.h:290
#2 0x43cbd4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:445:7
#3 0x43e5f1 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:706:5
#4 0x43e9e1 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:739:3
#5 0x432f8c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:754:6
#6 0x42ee18 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#7 0x7f17ffeb182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x407838 in _start (/out/rotate_fuzzer+0x407838)
Reviewers: kcc
Reviewed By: kcc
Subscribers: llvm-commits, #sanitizers
Differential Revision: https://reviews.llvm.org/D41457
git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@321211 91177308-0d34-0410-b5e6-96231b3b80d8
-rw-r--r-- | lib/fuzzer/FuzzerTracePC.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/fuzzer/FuzzerTracePC.h b/lib/fuzzer/FuzzerTracePC.h index dc65cd720..c3f241b90 100644 --- a/lib/fuzzer/FuzzerTracePC.h +++ b/lib/fuzzer/FuzzerTracePC.h @@ -276,6 +276,7 @@ void TracePC::CollectFeatures(Callback HandleFeature) const { // Step function, grows similar to 8 * Log_2(A). auto StackDepthStepFunction = [](uint32_t A) -> uint32_t { + if (!A) return A; uint32_t Log2 = Log(A); if (Log2 < 3) return A; Log2 -= 3; |