diff options
Diffstat (limited to 'test/fuzzer/dataflow.test')
| -rw-r--r-- | test/fuzzer/dataflow.test | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/test/fuzzer/dataflow.test b/test/fuzzer/dataflow.test new file mode 100644 index 0000000000000..64f083735cb9e --- /dev/null +++ b/test/fuzzer/dataflow.test @@ -0,0 +1,84 @@ +# Tests the data flow tracer. +REQUIRES: linux +UNSUPPORTED: aarch64 + +# Build the tracer and the test. +RUN: %no_fuzzer_cpp_compiler -c -fno-sanitize=all -fsanitize=dataflow %S/../../lib/fuzzer/dataflow/DataFlow.cpp -o %t-DataFlow.o +RUN: %no_fuzzer_cpp_compiler -fno-sanitize=all -fsanitize=dataflow -fsanitize-coverage=trace-pc-guard,pc-table,func,trace-cmp %S/ThreeFunctionsTest.cpp %t-DataFlow.o -o %t-ThreeFunctionsTestDF +RUN: %no_fuzzer_cpp_compiler -fno-sanitize=all -fsanitize=dataflow -fsanitize-coverage=trace-pc-guard,pc-table,func,trace-cmp %S/ExplodeDFSanLabelsTest.cpp %t-DataFlow.o -o %t-ExplodeDFSanLabelsTestDF +RUN: %cpp_compiler %S/ThreeFunctionsTest.cpp -o %t-ThreeFunctionsTest + +# Dump the function list. +RUN: %t-ThreeFunctionsTestDF 2>&1 | FileCheck %s --check-prefix=FUNC_LIST +FUNC_LIST-DAG: LLVMFuzzerTestOneInput +FUNC_LIST-DAG: Func1 +FUNC_LIST-DAG: Func2 + +# Prepare the inputs. +RUN: rm -rf %t/IN +RUN: mkdir -p %t/IN +RUN: echo -n ABC > %t/IN/ABC +RUN: echo -n FUABC > %t/IN/FUABC +RUN: echo -n FUZZR > %t/IN/FUZZR +RUN: echo -n FUZZM > %t/IN/FUZZM +RUN: echo -n FUZZMU > %t/IN/FUZZMU +RUN: echo -n 1234567890123456 > %t/IN/1234567890123456 + +# ABC: No data is used, the only used label is 4 (corresponds to the size) +RUN:%t-ThreeFunctionsTestDF 0 3 %t/IN/ABC | FileCheck %s --check-prefix=IN_ABC +IN_ABC: F{{[012]}} 0001 +IN_ABC-NOT: F + +# FUABC: First 3 bytes are checked, Func1/Func2 are not called. +RUN:%t-ThreeFunctionsTestDF 0 5 %t/IN/FUABC | FileCheck %s --check-prefix=IN_FUABC +IN_FUABC: F{{[012]}} 111001 +IN_FUABC-NOT: F + +# FUZZR: 5 bytes are used (4 in one function, 5-th in the other), Func2 is not called. +RUN:%t-ThreeFunctionsTestDF 0 5 %t/IN/FUZZR | FileCheck %s --check-prefix=IN_FUZZR +IN_FUZZR-DAG: F{{[012]}} 111101 +IN_FUZZR-DAG: F{{[012]}} 000010 +IN_FUZZR-NOT: F + +# FUZZM: 5 bytes are used, both Func1 and Func2 are called, Func2 depends only on size (label 6). +RUN:%t-ThreeFunctionsTestDF 0 5 %t/IN/FUZZM | FileCheck %s --check-prefix=IN_FUZZM +IN_FUZZM-DAG: F{{[012]}} 000010 +IN_FUZZM-DAG: F{{[012]}} 111101 +IN_FUZZM-DAG: F{{[012]}} 000001 + +# FUZZMU: 6 bytes are used, both Func1 and Func2 are called, Func2 depends on byte 6 and size (label 7) +RUN:%t-ThreeFunctionsTestDF 0 6 %t/IN/FUZZMU | FileCheck %s --check-prefix=IN_FUZZMU + +# Test merge_data_flow +RUN:rm -f %t-merge-* +RUN:%t-ThreeFunctionsTestDF 0 2 %t/IN/FUZZMU > %t-merge-1 +RUN:%t-ThreeFunctionsTestDF 2 4 %t/IN/FUZZMU > %t-merge-2 +RUN:%t-ThreeFunctionsTestDF 4 6 %t/IN/FUZZMU > %t-merge-3 +RUN:%libfuzzer_src/scripts/merge_data_flow.py %t-merge-* | FileCheck %s --check-prefix=IN_FUZZMU + +# Test collect_data_flow +RUN: %libfuzzer_src/scripts/collect_data_flow.py %t-ThreeFunctionsTestDF %t/IN/FUZZMU | FileCheck %s --check-prefix=IN_FUZZMU + +IN_FUZZMU-DAG: F{{[012]}} 0000100 +IN_FUZZMU-DAG: F{{[012]}} 1111001 +IN_FUZZMU-DAG: F{{[012]}} 0000011 + +# A very simple test will cause DFSan to die with "out of labels" +RUN: not %t-ExplodeDFSanLabelsTestDF 0 16 %t/IN/1234567890123456 2>&1 | FileCheck %s --check-prefix=OUT_OF_LABELS +OUT_OF_LABELS: ==FATAL: DataFlowSanitizer: out of labels +# However we can run the same test piece by piece. +RUN: %t-ExplodeDFSanLabelsTestDF 0 2 %t/IN/1234567890123456 +RUN: %t-ExplodeDFSanLabelsTestDF 2 4 %t/IN/1234567890123456 +RUN: %t-ExplodeDFSanLabelsTestDF 4 6 %t/IN/1234567890123456 +# Or we can use collect_data_flow +RUN: %libfuzzer_src/scripts/collect_data_flow.py %t-ExplodeDFSanLabelsTestDF %t/IN/1234567890123456 + +# Test that we can run collect_data_flow on the entire corpus dir +RUN: rm -rf %t/OUT +RUN: %libfuzzer_src/scripts/collect_data_flow.py %t-ThreeFunctionsTestDF %t/IN %t/OUT +RUN: %t-ThreeFunctionsTest -data_flow_trace=%t/OUT -runs=0 -focus_function=Func2 2>&1 | FileCheck %s --check-prefix=USE_DATA_FLOW_TRACE +USE_DATA_FLOW_TRACE: INFO: Focus function is set to 'Func2' +USE_DATA_FLOW_TRACE: INFO: DataFlowTrace: reading from {{.*}}/OUT +USE_DATA_FLOW_TRACE-DAG: a8eefe2fd5d6b32028f355fafa3e739a6bf5edc => |000001| +USE_DATA_FLOW_TRACE-DGA: d28cb407e8e1a702c72d25473f0553d3ec172262 => |0000011| +USE_DATA_FLOW_TRACE: INFO: DataFlowTrace: 6 trace files, 3 functions, 2 traces with focus function |