| author | Khaled Yakdan <yakdan@code-intelligence.com> | 2022-05-20 22:09:58 +0000 |
|---|---|---|
| committer | Keith Randall <khr@golang.org> | 2022-05-20 22:30:37 +0000 |
| commit | 2b0e457b42a64455ca2d3eebb5c6d4e6acfc5db2 (patch) | |
| tree | 5d524a6994b395136cf1e6e5954266856091bd08 /src/runtime/libfuzzer_arm64.s | |
| parent | b58067013eaa2f2bf0dc24f4d848e10bb758b6bd (diff) | |
| download | go-2b0e457b42a64455ca2d3eebb5c6d4e6acfc5db2.tar.xz | |
cmd/compile: intercept string compares in libFuzzer mode
IR string compares as well as calls to string comparison functions such
as `strings.EqualFold` are intercepted and the corresponding libFuzzer
callbacks are invoked with the corresponding arguments. As a result, the
compared strings will be added to libFuzzer’s table of recent compares,
which feeds future mutations performed by the fuzzer and thus allows it
to reach into branches guarded by string comparisons.
The list of methods to intercept is maintained in
`cmd/compile/internal/walk/expr.go` and can easily be extended to cover
more standard library functions in the future.
Change-Id: I5c8b89499c4e19459406795dea923bf777779c51
GitHub-Last-Rev: 6b8529b55561faf57ea59cb7cff1caf8c9c94ecd
GitHub-Pull-Request: golang/go#51319
Reviewed-on: https://go-review.googlesource.com/c/go/+/387335
Reviewed-by: Keith Randall <khr@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Keith Randall <khr@google.com>
Run-TryBot: Keith Randall <khr@golang.org>
Diffstat (limited to 'src/runtime/libfuzzer_arm64.s')
| -rw-r--r-- | src/runtime/libfuzzer_arm64.s | 32 |
1 files changed, 30 insertions, 2 deletions
diff --git a/src/runtime/libfuzzer_arm64.s b/src/runtime/libfuzzer_arm64.s index b0146682a2..f9b67913e2 100644 --- a/src/runtime/libfuzzer_arm64.s +++ b/src/runtime/libfuzzer_arm64.s @@ -9,12 +9,40 @@ // Based on race_arm64.s; see commentary there. +#define RARG0 R0 +#define RARG1 R1 +#define RARG2 R2 +#define RARG3 R3 + +// void runtime·libfuzzerCall4(fn, hookId int, s1, s2 unsafe.Pointer, result uintptr) +// Calls C function fn from libFuzzer and passes 4 arguments to it. +TEXT runtime·libfuzzerCall4(SB), NOSPLIT, $0-40 + MOVD fn+0(FP), R9 + MOVD hookId+8(FP), RARG0 + MOVD s1+16(FP), RARG1 + MOVD s2+24(FP), RARG2 + MOVD result+32(FP), RARG3 + + MOVD g_m(g), R10 + + // Switch to g0 stack. + MOVD RSP, R19 // callee-saved, preserved across the CALL + MOVD m_g0(R10), R11 + CMP R11, g + BEQ call // already on g0 + MOVD (g_sched+gobuf_sp)(R11), R12 + MOVD R12, RSP +call: + BL R9 + MOVD R19, RSP + RET + // func runtime·libfuzzerCall(fn, arg0, arg1 uintptr) // Calls C function fn from libFuzzer and passes 2 arguments to it. TEXT runtime·libfuzzerCall(SB), NOSPLIT, $0-24 MOVD fn+0(FP), R9 - MOVD arg0+8(FP), R0 - MOVD arg1+16(FP), R1 + MOVD arg0+8(FP), RARG0 + MOVD arg1+16(FP), RARG1 MOVD g_m(g), R10 |
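Review bot: the header comment on the new function, `// void runtime·libfuzzerCall4(fn, hookId int, s1, s2 unsafe.Pointer, result uintptr)`, mixes a C return type with Go parameter syntax and does not match the `// func runtime·libfuzzerCall(fn, arg0, arg1 uintptr)` form used for the existing helper just below it; since the frame declaration `$0-40` and the `fn+0 ... result+32` offsets describe five 8-byte arguments, a comment in the same shape as the existing one (`// func runtime·libfuzzerCall4(fn, hookId uintptr, s1, s2 unsafe.Pointer, result uintptr)`) would keep the two consistent and let a reader check the argument layout against it. The stack-switch block would also benefit from one more line of commentary: R19 is chosen for the saved stack pointer because it is callee-saved under the C calling convention and so survives `BL R9`, whereas R9..R12 (holding fn, m, g0 and the g0 SP) are scratch registers the hook may clobber; the present `// callee-saved, preserved across the CALL` note states this only implicitly, and the `MOVD R19, RSP` before `RET` only works because the goroutine-stack frame that the assembler creates for this non-leaf function is left untouched while the hook runs on g0. The change to `libfuzzerCall` in the same hunk, replacing bare `R0`/`R1` with the new `RARG0`/`RARG1` macros, is a pure rename and is fine as is.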
