authorKhaled Yakdan <yakdan@code-intelligence.com>2022-05-20 22:09:58 +0000
committerKeith Randall <khr@golang.org>2022-05-20 22:30:37 +0000
commit2b0e457b42a64455ca2d3eebb5c6d4e6acfc5db2 (patch)
tree5d524a6994b395136cf1e6e5954266856091bd08 /src/runtime/libfuzzer_amd64.s
parentb58067013eaa2f2bf0dc24f4d848e10bb758b6bd (diff)
cmd/compile: intercept string compares in libFuzzer mode
IR string compares, as well as calls to string comparison functions such as `strings.EqualFold`, are intercepted and the corresponding libFuzzer callbacks are invoked with the compared arguments. As a result, the compared strings are added to libFuzzer’s table of recent compares, which feeds future mutations performed by the fuzzer and thus allows it to reach into branches guarded by string comparisons. The list of methods to intercept is maintained in `cmd/compile/internal/walk/expr.go` and can easily be extended to cover more standard library functions in the future. Change-Id: I5c8b89499c4e19459406795dea923bf777779c51 GitHub-Last-Rev: 6b8529b55561faf57ea59cb7cff1caf8c9c94ecd GitHub-Pull-Request: golang/go#51319 Reviewed-on: https://go-review.googlesource.com/c/go/+/387335 Reviewed-by: Keith Randall <khr@golang.org> Reviewed-by: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Keith Randall <khr@google.com> Run-TryBot: Keith Randall <khr@golang.org>
Diffstat (limited to 'src/runtime/libfuzzer_amd64.s')
-rw-r--r--src/runtime/libfuzzer_amd64.s31
1 files changed, 30 insertions, 1 deletions
diff --git a/src/runtime/libfuzzer_amd64.s b/src/runtime/libfuzzer_amd64.s
index 5ea77f59de..032821fbbc 100644
--- a/src/runtime/libfuzzer_amd64.s
+++ b/src/runtime/libfuzzer_amd64.s
@@ -13,12 +13,41 @@
#ifdef GOOS_windows
#define RARG0 CX
#define RARG1 DX
+#define RARG0 R8
+#define RARG1 R9
#else
#define RARG0 DI
#define RARG1 SI
+#define RARG2 DX
+#define RARG3 CX
#endif
-// void runtime·libfuzzerCall(fn, arg0, arg1 uintptr)
+// void runtime·libfuzzerCall4(fn, hookId int, s1, s2 unsafe.Pointer, result uintptr)
+// Calls C function fn from libFuzzer and passes 4 arguments to it.
+TEXT runtime·libfuzzerCall4(SB), NOSPLIT, $0-40
+ MOVQ fn+0(FP), AX
+ MOVQ hookId+8(FP), RARG0
+ MOVQ s1+16(FP), RARG1
+ MOVQ s2+24(FP), RARG2
+ MOVQ result+32(FP), RARG3
+
+ get_tls(R12)
+ MOVQ g(R12), R14
+ MOVQ g_m(R14), R13
+
+ // Switch to g0 stack.
+ MOVQ SP, R12 // callee-saved, preserved across the CALL
+ MOVQ m_g0(R13), R10
+ CMPQ R10, R14
+ JE call // already on g0
+ MOVQ (g_sched+gobuf_sp)(R10), SP
+call:
+ ANDQ $~15, SP // alignment for gcc ABI
+ CALL AX
+ MOVQ R12, SP
+ RET
+
+// void runtime·libfuzzerCallTraceInit(fn, start, end *byte)
// Calls C function fn from libFuzzer and passes 2 arguments to it.
TEXT runtime·libfuzzerCall(SB), NOSPLIT, $0-24
MOVQ fn+0(FP), AX