
Commit f6e313e

committed
Update vendored LibFuzzer to LLVM 22.x release
This was last updated for the 20.x release. The changes in only the 21.x release are largely uninteresting for LibFuzzer. Just skip to the 22.x release. Specifically: * Tag: `llvmorg-22.1.0-rc2` * Commit: `a47b42eb9f9b302167b4fc413e6c92798d65dd0b` Major changes: * Fix out-of-sync Modules and ModulePCTable arrays when handling empty instrumented modules * Add `SIGTRAP` Handler to LibFuzzer's runtime, specifically for Swift's FatalError * Rework `StartRssThread` to fix deadlocks on Fuchsia * Address typos and various type castings to address static analysis warnings Full commit log: `git log --format=ref release/20.x..release/22.x -- 'compiler-rt/lib/fuzzer/'` ``` 9d18e92ee78c ([compiler-rt] Add CMake option to enable execute-only code generation on AArch64 (#140555), 2025-11-07) be6c5d066379 ([NFC] [compiler-rt] fix typos (#160803), 2025-09-27) b928695c2fb8 ([compiler-rt] fix typos (#160799), 2025-09-26) 3f52e97df77a (Fix libFuzzer array alignment with empty modules (#159661), 2025-09-18) 46fd8d0db2f7 (Reapply "[NFC] Fix CodeQL violations in compiler-rt. (#157793)" (#157913) (#159097), 2025-09-16) 8062b166762b (Revert "[NFC] Fix CodeQL violations in compiler-rt. (#157793)" (#157913), 2025-09-10) b44e6e01f7f7 ([NFC] Fix CodeQL violations in compiler-rt. (#157793), 2025-09-10) 316004764fe3 ([fuzzer][Fuchsia] Forward fix for undefined StartRssThread (#155514), 2025-08-26) 7153392a1089 (Reapply "[fuzzer][Fuchsia] Prevent deadlock from suspending threads" … (#155271), 2025-08-25) 781a4db6b50b (Revert "[fuzzer][Fuchsia] Prevent deadlock from suspending threads" (#155042), 2025-08-22) b9987503d2ed ([fuzzer][Fuchsia] Prevent deadlock from suspending threads (#154854), 2025-08-22) 03372c7782e6 (Revert "[libFuzzer] always install signal handler with SA_ONSTACK" (#153114), 2025-08-12) aee4f2baccdb ([libFuzzer] always install signal handler with SA_ONSTACK (#147422), 2025-08-09) 33cc58f46f0c ([compiler-rt][libFuzzer] Add support for capturing SIGTRAP exits. 
(#149120), 2025-07-28) f7cdff7bddcb ([compiler-rt] Include missing headers for libFuzzer (#146828), 2025-07-10) 7b6963ea672f ([compiler-rt] [Fuzzer] Fix tests linking buildbot failure (#144495), 2025-06-19) 6f4add34801e ([compiler-rt] [Fuzzer] Fix ARMv7 test link failure by linking unwinder (#144495), 2025-06-18) cd573e0a547d ([compiler-rt] Remove unused local variables (NFC) (#144010), 2025-06-12) ```
1 parent 72a4b1b commit f6e313e

18 files changed

Lines changed: 121 additions & 29 deletions

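--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,7 @@ Released YYYY-MM-DD.
 
 ### Changed
 
-* TODO (or remove section if none)
+* Updated to `libFuzzer` commit `a47b42eb9f9b` (`release/22.x`).
 
 ### Deprecated
 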
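--- a/libfuzzer/CMakeLists.txt
+++ b/libfuzzer/CMakeLists.txt
@@ -162,6 +162,7 @@ if(OS_NAME MATCHES "Android|Linux|Fuchsia" AND
 CFLAGS ${TARGET_CFLAGS}
 CMAKE_ARGS -DCMAKE_CXX_COMPILER_WORKS=ON
 -DCMAKE_POSITION_INDEPENDENT_CODE=ON
+-DRUNTIMES_EXECUTE_ONLY_CODE=${RUNTIMES_EXECUTE_ONLY_CODE}
 -DLIBCXXABI_ENABLE_EXCEPTIONS=OFF
 -DLIBCXX_ABI_NAMESPACE=__Fuzzer
 -DLIBCXX_ENABLE_EXCEPTIONS=OFF)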
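Review bot: The new `-DRUNTIMES_EXECUTE_ONLY_CODE=${RUNTIMES_EXECUTE_ONLY_CODE}` argument forwards a variable that nothing in this hunk defines; if it is not declared elsewhere in the project's CMake, the inner runtimes build receives an empty value and the option silently stays at its default, which is harmless but undiscoverable for users of this wrapper. Consider declaring it next to the project's other build options, e.g. `option(RUNTIMES_EXECUTE_ONLY_CODE "Build libFuzzer and its bundled libc++ with execute-only code generation (AArch64)" OFF)`, so the forwarded value is always well-defined and visible in the CMake cache. The enclosing `if(OS_NAME MATCHES ...)` block starts before this hunk, so the declaration may already exist there.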
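--- a/libfuzzer/FuzzerCorpus.h
+++ b/libfuzzer/FuzzerCorpus.h
@@ -35,7 +35,7 @@ struct InputInfo {
 size_t Tmp = 0; // Used by ValidateFeatureSet.
 // Stats.
 size_t NumExecutedMutations = 0;
-size_t NumSuccessfullMutations = 0;
+size_t NumSuccessfulMutations = 0;
 bool NeverReduce = false;
 bool MayDeleteFile = false;
 bool Reduced = false;
@@ -328,15 +328,16 @@ class InputCorpus {
 const auto &II = *Inputs[i];
 Printf(" [% 3zd %s] sz: % 5zd runs: % 5zd succ: % 5zd focus: %d\n", i,
 Sha1ToString(II.Sha1).c_str(), II.U.size(),
-II.NumExecutedMutations, II.NumSuccessfullMutations,
+II.NumExecutedMutations, II.NumSuccessfulMutations,
 II.HasFocusFunction);
 }
 }
 
 void PrintFeatureSet() {
 for (size_t i = 0; i < kFeatureSetSize; i++) {
 if(size_t Sz = GetFeature(i))
-Printf("[%zd: id %zd sz%zd] ", i, SmallestElementPerFeature[i], Sz);
+Printf("[%zd: id %zd sz%zd] ", i, (size_t)SmallestElementPerFeature[i],
+Sz);
 }
 Printf("\n\t");
 for (size_t i = 0; i < Inputs.size(); i++)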
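--- a/libfuzzer/FuzzerDataFlowTrace.cpp
+++ b/libfuzzer/FuzzerDataFlowTrace.cpp
@@ -265,8 +265,6 @@ int CollectDataFlow(const std::string &DFTBinary, const std::string &DirPath,
 // we then request tags in [0,Size/2) and [Size/2, Size), and so on.
 // Function number => DFT.
 auto OutPath = DirPlusFile(DirPath, Hash(FileToVector(F.File)));
-std::unordered_map<size_t, std::vector<uint8_t>> DFTMap;
-std::unordered_set<std::string> Cov;
 Command Cmd;
 Cmd.addArgument(DFTBinary);
 Cmd.addArgument(F.File);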
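--- a/libfuzzer/FuzzerDriver.cpp
+++ b/libfuzzer/FuzzerDriver.cpp
@@ -24,10 +24,11 @@
 #include <chrono>
 #include <cstdlib>
 #include <cstring>
+#include <fstream>
+#include <functional>
 #include <mutex>
 #include <string>
 #include <thread>
-#include <fstream>
 
 // This function should be present in the libFuzzer so that the client
 // binary can test for its existence.
@@ -162,13 +163,13 @@ static bool ParseOneFlag(const char *Param) {
 auto Val = MyStol(Str);
 *FlagDescriptions[F].IntFlag = static_cast<int>(Val);
 if (Flags.verbosity >= 2)
-Printf("Flag: %s %d\n", Name, Val);
+Printf("Flag: %s %d\n", Name, (int)Val);
 return true;
 } else if (FlagDescriptions[F].UIntFlag) {
 auto Val = std::stoul(Str);
 *FlagDescriptions[F].UIntFlag = static_cast<unsigned int>(Val);
 if (Flags.verbosity >= 2)
-Printf("Flag: %s %u\n", Name, Val);
+Printf("Flag: %s %u\n", Name, (uint32_t)Val);
 return true;
 } else if (FlagDescriptions[F].StrFlag) {
 *FlagDescriptions[F].StrFlag = Str;
@@ -305,6 +306,11 @@ static int RunInMultipleProcesses(const std::vector<std::string> &Args,
 return HasErrors ? 1 : 0;
 }
 
+void StartRssThread(Fuzzer *F, size_t RssLimitMb);
+
+// Fuchsia needs to do some book checking before starting the RssThread,
+// so it has its own implementation.
+#if !LIBFUZZER_FUCHSIA
 static void RssThread(Fuzzer *F, size_t RssLimitMb) {
 while (true) {
 SleepSeconds(1);
@@ -314,12 +320,13 @@ static void RssThread(Fuzzer *F, size_t RssLimitMb) {
 }
 }
 
-static void StartRssThread(Fuzzer *F, size_t RssLimitMb) {
+void StartRssThread(Fuzzer *F, size_t RssLimitMb) {
 if (!RssLimitMb)
 return;
 std::thread T(RssThread, F, RssLimitMb);
 T.detach();
 }
+#endif
 
 int RunOneTest(Fuzzer *F, const char *InputFilePath, size_t MaxLen) {
 Unit U = FileToVector(InputFilePath);
@@ -602,7 +609,7 @@ int AnalyzeDictionary(Fuzzer *F, const std::vector<Unit> &Dict,
 return 0;
 }
 
-std::vector<std::string> ParseSeedInuts(const char *seed_inputs) {
+std::vector<std::string> ParseSeedInputs(const char *seed_inputs) {
 // Parse -seed_inputs=file1,file2,... or -seed_inputs=@seed_inputs_file
 std::vector<std::string> Files;
 if (!seed_inputs) return Files;
@@ -833,6 +840,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
 Options.HandleInt = Flags.handle_int;
 Options.HandleSegv = Flags.handle_segv;
 Options.HandleTerm = Flags.handle_term;
+Options.HandleTrap = Flags.handle_trap;
 Options.HandleXfsz = Flags.handle_xfsz;
 Options.HandleUsr1 = Flags.handle_usr1;
 Options.HandleUsr2 = Flags.handle_usr2;
@@ -911,7 +919,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
 exit(0);
 }
 
-auto CorporaFiles = ReadCorpora(*Inputs, ParseSeedInuts(Flags.seed_inputs));
+auto CorporaFiles = ReadCorpora(*Inputs, ParseSeedInputs(Flags.seed_inputs));
 F->Loop(CorporaFiles);
 
 if (Flags.verbosity)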
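--- a/libfuzzer/FuzzerExtFunctionsWindows.cpp
+++ b/libfuzzer/FuzzerExtFunctionsWindows.cpp
@@ -35,7 +35,7 @@ using namespace fuzzer;
 #define WIN_SYM_PREFIX
 #endif
 
-// Declare external functions as having alternativenames, so that we can
+// Declare external functions as having alternative names, so that we can
 // determine if they are not defined.
 #define EXTERNAL_FUNC(Name, Default) \
 __pragma(comment(linker, "/alternatename:" WIN_SYM_PREFIX STRINGIFY( \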
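--- a/libfuzzer/FuzzerFlags.def
+++ b/libfuzzer/FuzzerFlags.def
@@ -152,6 +152,7 @@ FUZZER_FLAG_INT(handle_ill, 1, "If 1, try to intercept SIGILL.")
 FUZZER_FLAG_INT(handle_fpe, 1, "If 1, try to intercept SIGFPE.")
 FUZZER_FLAG_INT(handle_int, 1, "If 1, try to intercept SIGINT.")
 FUZZER_FLAG_INT(handle_term, 1, "If 1, try to intercept SIGTERM.")
+FUZZER_FLAG_INT(handle_trap, 1, "If 1, try to intercept SIGTRAP.")
 FUZZER_FLAG_INT(handle_xfsz, 1, "If 1, try to intercept SIGXFSZ.")
 FUZZER_FLAG_INT(handle_usr1, 1, "If 1, try to intercept SIGUSR1.")
 FUZZER_FLAG_INT(handle_usr2, 1, "If 1, try to intercept SIGUSR2.")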
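--- a/libfuzzer/FuzzerIOPosix.cpp
+++ b/libfuzzer/FuzzerIOPosix.cpp
@@ -12,6 +12,7 @@
 
 #include "FuzzerExtFunctions.h"
 #include "FuzzerIO.h"
+#include <cerrno>
 #include <cstdarg>
 #include <cstdio>
 #include <dirent.h>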
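--- a/libfuzzer/FuzzerLoop.cpp
+++ b/libfuzzer/FuzzerLoop.cpp
@@ -125,8 +125,8 @@ void FreeHook(const volatile void *ptr) {
 void Fuzzer::HandleMalloc(size_t Size) {
 if (!Options.MallocLimitMb || (Size >> 20) < (size_t)Options.MallocLimitMb)
 return;
-Printf("==%d== ERROR: libFuzzer: out-of-memory (malloc(%zd))\n", GetPid(),
-Size);
+Printf("==%d== ERROR: libFuzzer: out-of-memory (malloc(%zd))\n",
+(int)GetPid(), Size);
 Printf(" To change the out-of-memory limit use -rss_limit_mb=<N>\n\n");
 PrintStackTrace();
 DumpCurrentUnit("oom-");
@@ -448,9 +448,9 @@ void Fuzzer::PrintPulseAndReportSlowInput(const uint8_t *Data, size_t Size) {
 if (!(TotalNumberOfRuns & (TotalNumberOfRuns - 1)) &&
 secondsSinceProcessStartUp() >= 2)
 PrintStats("pulse ");
-auto Threshhold =
+auto Threshold =
 static_cast<long>(static_cast<double>(TimeOfLongestUnitInSeconds) * 1.1);
-if (TimeOfUnit > Threshhold && TimeOfUnit >= Options.ReportSlowUnits) {
+if (TimeOfUnit > Threshold && TimeOfUnit >= Options.ReportSlowUnits) {
 TimeOfLongestUnitInSeconds = TimeOfUnit;
 Printf("Slowest unit: %ld s:\n", TimeOfLongestUnitInSeconds);
 WriteUnitToFileWithPrefix({Data, Data + Size}, "slow-unit-");
@@ -568,7 +568,7 @@ size_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const {
 
 void Fuzzer::CrashOnOverwrittenData() {
 Printf("==%d== ERROR: libFuzzer: fuzz target overwrites its const input\n",
-GetPid());
+(int)GetPid());
 PrintStackTrace();
 Printf("SUMMARY: libFuzzer: overwrites-const-input\n");
 DumpCurrentUnit("crash-");
@@ -666,7 +666,7 @@ void Fuzzer::PrintStatusForNewUnit(const Unit &U, const char *Text) {
 }
 
 void Fuzzer::ReportNewCoverage(InputInfo *II, const Unit &U) {
-II->NumSuccessfullMutations++;
+II->NumSuccessfulMutations++;
 MD.RecordSuccessfulMutationSequence();
 PrintStatusForNewUnit(U, II->Reduced ? "REDUCE" : "NEW ");
 WriteToOutputCorpus(U);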
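--- a/libfuzzer/FuzzerMutate.cpp
+++ b/libfuzzer/FuzzerMutate.cpp
@@ -101,7 +101,7 @@ size_t MutationDispatcher::Mutate_CustomCrossOver(uint8_t *Data, size_t Size,
 
 if (!NewSize)
 return 0;
-assert(NewSize <= MaxSize && "CustomCrossOver returned overisized unit");
+assert(NewSize <= MaxSize && "CustomCrossOver returned oversized unit");
 memcpy(Data, U.data(), NewSize);
 return NewSize;
 }
@@ -413,9 +413,9 @@ size_t ChangeBinaryInteger(uint8_t *Data, size_t Size, Random &Rand) {
 T Add = static_cast<T>(Rand(21));
 Add -= 10;
 if (Rand.RandBool())
-Val = Bswap(T(Bswap(Val) + Add)); // Add assuming different endiannes.
+Val = Bswap(T(Bswap(Val) + Add)); // Add assuming different endianness.
 else
-Val = Val + Add; // Add assuming current endiannes.
+Val = Val + Add; // Add assuming current endianness.
 if (Add == 0 || Rand.RandBool()) // Maybe negate.
 Val = -Val;
 }
@@ -463,7 +463,7 @@ size_t MutationDispatcher::Mutate_CrossOver(uint8_t *Data, size_t Size,
 default: assert(0);
 }
 assert(NewSize > 0 && "CrossOver returned empty unit");
-assert(NewSize <= MaxSize && "CrossOver returned overisized unit");
+assert(NewSize <= MaxSize && "CrossOver returned oversized unit");
 return NewSize;
 }
 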