From c48930b3380afed90c2114dd91d11e37fee656f1 Mon Sep 17 00:00:00 2001
From: Kostya Serebryany
Date: Mon, 9 May 2016 21:02:36 +0000
Subject: [PATCH] [libFuzzer] add a test for libFuzzer+ubsan, extend the docs on using libFuzzer+ubsan

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@268968 91177308-0d34-0410-b5e6-96231b3b80d8
---
 docs/LibFuzzer.rst                        | 13 ++++++++-----
 lib/Fuzzer/test/CMakeLists.txt            | 10 ++++++++++
 lib/Fuzzer/test/SignedIntOverflowTest.cpp | 28 ++++++++++++++++++++++++++++
 lib/Fuzzer/test/fuzzer-ubsan.test         |  4 ++++
 lib/Fuzzer/test/ubsan/CMakeLists.txt      | 14 ++++++++++++++
 5 files changed, 64 insertions(+), 5 deletions(-)
 create mode 100644 lib/Fuzzer/test/SignedIntOverflowTest.cpp
 create mode 100644 lib/Fuzzer/test/fuzzer-ubsan.test
 create mode 100644 lib/Fuzzer/test/ubsan/CMakeLists.txt

diff --git a/docs/LibFuzzer.rst b/docs/LibFuzzer.rst
index 5a3c335182b..ae0850e2a82 100644
--- a/docs/LibFuzzer.rst
+++ b/docs/LibFuzzer.rst
@@ -93,11 +93,14 @@ the libFuzzer code then gives an fuzzer executable.
 You should also enable one or more of the *sanitizers*, which help to expose latent bugs
 by making incorrect behavior generate errors at runtime:
 
-  - AddressSanitizer_ detects memory access errors.
-  - MemorySanitizer_ detects uninitialized reads: code whose behavior relies on memory
-    contents that have not been initialized to a specific value.
-  - UndefinedBehaviorSanitizer_ detects the use of various features of C/C++ that are explicitly
-    listed as resulting in undefined behavior.
+  - AddressSanitizer_ (ASAN) detects memory access errors. Use `-fsanitize=address`.
+  - UndefinedBehaviorSanitizer_ (UBSAN) detects the use of various features of C/C++ that are explicitly
+    listed as resulting in undefined behavior. Use `-fsanitize=undefined -fno-sanitize-recover=undefined`
+    or any individual UBSAN check, e.g. `-fsanitize=signed-integer-overflow -fno-sanitize-recover=undefined`.
+    You may combine ASAN and UBSAN in one build.
+  - MemorySanitizer_ (MSAN) detects uninitialized reads: code whose behavior relies on memory
+    contents that have not been initialized to a specific value. Use `-fsanitize=memory`.
+    MSAN can not be combined with other sanirizers and should be used as a seprate build.
 
 Finally, link with ``libFuzzer.a``::
 
diff --git a/lib/Fuzzer/test/CMakeLists.txt b/lib/Fuzzer/test/CMakeLists.txt
index 81a996930f4..52ed2f5bbb3 100644
--- a/lib/Fuzzer/test/CMakeLists.txt
+++ b/lib/Fuzzer/test/CMakeLists.txt
@@ -57,6 +57,10 @@ set(TracePCTests
   FullCoverageSetTest
   )
 
+set(UbsanTests
+  SignedIntOverflowTest
+  )
+
 set(TestBinaries)
 
 foreach(Test ${Tests})
@@ -118,6 +122,12 @@ foreach(Test ${UninstrumentedTests})
   set(TestBinaries ${TestBinaries} LLVMFuzzer-${Test}-Uninstrumented)
 endforeach()
 
+add_subdirectory(ubsan)
+
+foreach(Test ${UbsanTests})
+  set(TestBinaries ${TestBinaries} LLVMFuzzer-${Test}-Ubsan)
+endforeach()
+
 add_subdirectory(trace-bb)
 
 foreach(Test ${TraceBBTests})
diff --git a/lib/Fuzzer/test/SignedIntOverflowTest.cpp b/lib/Fuzzer/test/SignedIntOverflowTest.cpp
new file mode 100644
index 00000000000..7df32ad5793
--- /dev/null
+++ b/lib/Fuzzer/test/SignedIntOverflowTest.cpp
@@ -0,0 +1,28 @@
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+
+// Test for signed-integer-overflow.
+#include
+#include
+#include
+#include
+#include
+#include
+
+static volatile int Sink;
+static int Large = INT_MAX;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  assert(Data);
+  if (Size > 0 && Data[0] == 'H') {
+    Sink = 1;
+    if (Size > 1 && Data[1] == 'i') {
+      Sink = 2;
+      if (Size > 2 && Data[2] == '!') {
+        Large++;  // int overflow.
+      }
+    }
+  }
+  return 0;
+}
+
diff --git a/lib/Fuzzer/test/fuzzer-ubsan.test b/lib/Fuzzer/test/fuzzer-ubsan.test
new file mode 100644
index 00000000000..0e8ad6c94a1
--- /dev/null
+++ b/lib/Fuzzer/test/fuzzer-ubsan.test
@@ -0,0 +1,4 @@
+RUN: not LLVMFuzzer-SignedIntOverflowTest-Ubsan 2>&1 | FileCheck %s
+CHECK: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
+CHECK: Test unit written to ./crash-
+
diff --git a/lib/Fuzzer/test/ubsan/CMakeLists.txt b/lib/Fuzzer/test/ubsan/CMakeLists.txt
new file mode 100644
index 00000000000..5547704525e
--- /dev/null
+++ b/lib/Fuzzer/test/ubsan/CMakeLists.txt
@@ -0,0 +1,14 @@
+# These tests are instrumented with ubsan in non-recovery mode.
+
+set(CMAKE_CXX_FLAGS_RELEASE
+  "${LIBFUZZER_FLAGS_BASE} -O0 -fsanitize=undefined -fno-sanitize-recover=all")
+
+foreach(Test ${UbsanTests})
+  add_executable(LLVMFuzzer-${Test}-Ubsan
+    ../${Test}.cpp
+    )
+  target_link_libraries(LLVMFuzzer-${Test}-Ubsan
+    LLVMFuzzer
+    )
+endforeach()
+
-- 
2.11.0
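Review bot: `Large` in SignedIntOverflowTest.cpp is a plain `static int` that is written but never read, unlike `Sink`, which is declared `volatile`; the overflow is only guaranteed to be reached as written because ubsan/CMakeLists.txt compiles this target with `-O0`, so declaring it `static volatile int Large = INT_MAX;` would make the test self-contained instead of depending on a flag set in another file. The `Large++` line should also say what it is expected to produce, e.g. `// Reached on input "Hi!"; UBSan must report INT_MAX + 1 here (see fuzzer-ubsan.test).` Note that the six `#include` lines on this page have lost their header names (presumably the ones providing assert, INT_MAX, uint8_t and size_t), so whether those names are actually brought into scope cannot be checked from here and should be verified against the committed file.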
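Review bot: The header comment in ubsan/CMakeLists.txt states that the tests run in non-recovery mode but not why, and it says nothing about the `-O0`; the reason for non-recovery is visible in fuzzer-ubsan.test, which expects the UBSan report to be followed by `Test unit written to ./crash-`, i.e. the first report has to abort the process so libFuzzer records it as a crash. I would extend the comment to `# -fno-sanitize-recover=all makes the first UBSan report fatal, so libFuzzer sees a crash and writes the unit (see fuzzer-ubsan.test).` and add a second line giving the intent of `-O0` (I assume it is to keep the demo increment in SignedIntOverflowTest.cpp from being optimized; confirm and state it). Also note that the flags are appended only to `CMAKE_CXX_FLAGS_RELEASE`, so a non-Release configuration would build LLVMFuzzer-SignedIntOverflowTest-Ubsan without UBSan and the lit test would fail; presumably this mirrors the sibling subdirectories (trace-bb, uninstrumented) whose CMakeLists are not in this patch, but it is worth a one-line comment either way.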