initial support for integrated fuzzing #20725
a2fdc16 to 25fc237
* Add the `-ffuzz` and `-fno-fuzz` CLI arguments.
* Detect fuzz testing flags from zig cc.
* Set the correct clang flags when fuzz testing is requested. It can be combined with TSAN and UBSAN.
* Compilation: build fuzzer library when needed which is currently an empty zig file.
* Add optforfuzzing to every function in the llvm backend for modules that have requested fuzzing.
* In ZigLLVMTargetMachineEmitToFile, add the optimization passes for sanitizer coverage.
* std.mem.eql uses a naive implementation optimized for fuzzing when builtin.fuzz is true.

Tracked by #20702
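The commit message above (and the PR description further down) says `std.mem.eql` switches to a naive implementation when `builtin.fuzz` is true. The reason is coverage feedback: an optimized, vectorized comparison collapses to one all-or-nothing branch, so a coverage-guided fuzzer gets no signal for partially matching a magic value, whereas a byte-at-a-time loop exposes one branch per byte. The block below is an added illustration written for this page, not the project's code from the PR: `eqlNaive`, `eqlForFuzz` and the toy `acceptsHeader` target are constructed for the example; only `builtin.fuzz` and the `-ffuzz` flag come from the PR.

```zig
const std = @import("std");
const builtin = @import("builtin");

/// Naive, non-vectorized slice comparison. Each loop iteration is its own
/// branch, so with sanitizer coverage instrumentation the fuzzer is rewarded
/// for every byte it gets right instead of seeing a single edge from memcmp.
pub fn eqlNaive(comptime T: type, a: []const T, b: []const T) bool {
    if (a.len != b.len) return false;
    for (a, b) |x, y| {
        if (x != y) return false;
    }
    return true;
}

/// Illustrative dispatch (an assumption for this example, not std's own
/// code): take the naive path only in builds where builtin.fuzz is set,
/// i.e. when compiled with -ffuzz; otherwise use the regular std.mem.eql.
pub fn eqlForFuzz(comptime T: type, a: []const T, b: []const T) bool {
    if (builtin.fuzz) return eqlNaive(T, a, b);
    return std.mem.eql(T, a, b);
}

/// Toy fuzz target (constructed for this example): a fixed-header check of
/// the kind that stalls a fuzzer when the comparison is a single branch.
/// With the naive path, matching "Z", then "ZI", then "ZIG" each unlocks
/// a new edge, so the fuzzer walks up to the full magic instead of
/// having to guess all four bytes at once.
pub fn acceptsHeader(input: []const u8) bool {
    const magic = "ZIGF";
    if (input.len < magic.len) return false;
    return eqlForFuzz(u8, input[0..magic.len], magic);
}

test "naive eql agrees with std.mem.eql" {
    const cases = [_]struct { a: []const u8, b: []const u8 }{
        .{ .a = "ZIGF", .b = "ZIGF" },
        .{ .a = "ZIGF", .b = "ZIGG" },
        .{ .a = "ZIG", .b = "ZIGF" },
        .{ .a = "", .b = "" },
    };
    for (cases) |c| {
        try std.testing.expectEqual(
            std.mem.eql(u8, c.a, c.b),
            eqlNaive(u8, c.a, c.b),
        );
    }
    try std.testing.expect(acceptsHeader("ZIGF\x00\x01"));
    try std.testing.expect(!acceptsHeader("ZIG"));
    try std.testing.expect(!acceptsHeader("zigf"));
}
```

Run it with `zig test` to confirm the two comparisons agree on every case; building with `-ffuzz` (the flag this PR adds) sets `builtin.fuzz` and selects the naive path, which is the only difference the fuzzer observes.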
This is needed to ensure that start code does not try to access thread local storage before it has set up thread local storage.
I have committed to implementing this next month as part of my term project. Is there a space for collaboration? I have to implement this either way and I would love to contribute my implementation upstream.
Sure. I'll have the system wired together shortly, so you can see how it is all supposed to work. Then it is a matter of improving the genetic algorithm. We can look at afl-fuzz.c for inspiration.
This prevents it from trying to access thread local storage before it has set up thread local storage, particularly when code coverage instrumentation is enabled.
`-fno-sanitize=function` must come after `-fsanitize=undefined` or it has no effect.
@@ -263,6 +264,14 @@ pub const list = list: { | |||
.illegal_outside_function = true, | |||
}, | |||
}, | |||
.{ | |||
"@disableInstrumentation", |
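Review bot: only the name `"@disableInstrumentation"` of the new entry is visible here, and the preceding entry ends with `.illegal_outside_function = true`; since disabling instrumentation only has meaning inside a function body, the new entry should carry that same flag unless the elided lines already set it. The thread below also asks where to document the builtin; whichever of the langref or the spec is chosen, the contract (that it applies to the enclosing function and covers code coverage instrumentation, which is the case this PR needs for start code) should be written down next to this table entry.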
Should we add this built-in to the langref?
I think it makes sense to leave out of the langref but include in the spec
> Should we add this built-in to the langref?

Yes of course

> I think it makes sense to leave out of the langref but include in the spec

This is not Meghan's Opinion Tracker. Provide technical arguments, or keep your opinion to yourself.
Initial implementation of #20702.

* Add the `-ffuzz` and `-fno-fuzz` CLI arguments.
* Detect fuzz testing flags from zig cc.
* Set the correct clang flags when fuzz testing is requested. It can be combined with TSAN and UBSAN.
* Compilation: build fuzzer library when needed which is currently an empty zig file.
* Add optforfuzzing to every function in the llvm backend for modules that have requested fuzzing.
* In ZigLLVMTargetMachineEmitToFile, add the optimization passes for sanitizer coverage.
* std.mem.eql uses a naive implementation optimized for fuzzing when builtin.fuzz is true.
* Add `@disableInstrumentation` builtin and use it in start code to prevent using threadlocal variables before threadlocal storage is initialized.

Current status:

I'm putting this up because I think it will already benefit zig-afl-kit mainly because of making `std.mem.eql` optimize for fuzzing when `-ffuzz` is selected. Probably also because of the `optforfuzzing` attribute on all the functions in the LLVM backend.

Closes #5484. See #20702 for follow-up issues.

Next steps: