commit 53bf7e77691d482ef31e25acb88b52a0f007136d
author Matt Morehouse <mascasa@google.com> Tue May 01 21:01:53 2018 +0000
committer Copybara-Service <copybara-worker@google.com> Thu Mar 25 23:16:51 2021 -0700
tree 4ccd5cf78112eb03be086913ffd3c996781ecd90
parent 96022c0b75735a03cebc58eda1d45d01fa8f30c6

[libFuzzer] Report at most one crash per input.

Summary:
Fixes https://github.com/google/sanitizers/issues/788/, a deadlock
caused by multiple crashes happening at the same time.  Before printing
a crash report, we now test and set an atomic flag.  If the flag was
already set, the crash handler returns immediately.

Reviewers: kcc

Reviewed By: kcc

Subscribers: llvm-commits, kubamracek

Differential Revision: https://reviews.llvm.org/D46277

llvm-svn: 331310
GitOrigin-RevId: 52fd16903569c0f8c3ca3dfe89d664969739f2f0

FuzzerExtFunctions.def

diff --git a/FuzzerExtFunctions.def b/FuzzerExtFunctions.def
index 25a655b..70f4b27 100644
--- a/FuzzerExtFunctions.def
+++ b/FuzzerExtFunctions.def
@@ -29,6 +29,7 @@
 EXT_FUNC(__lsan_enable, void, (), false);
 EXT_FUNC(__lsan_disable, void, (), false);
 EXT_FUNC(__lsan_do_recoverable_leak_check, int, (), false);
+EXT_FUNC(__sanitizer_acquire_crash_state, bool, (), true);
 EXT_FUNC(__sanitizer_install_malloc_and_free_hooks, int,
          (void (*malloc_hook)(const volatile void *, size_t),
           void (*free_hook)(const volatile void *)),

FuzzerLoop.cpp

diff --git a/FuzzerLoop.cpp b/FuzzerLoop.cpp
index cd835be..7a26370 100644
--- a/FuzzerLoop.cpp
+++ b/FuzzerLoop.cpp
@@ -228,6 +228,9 @@
 }
 
 void Fuzzer::CrashCallback() {
+  if (EF->__sanitizer_acquire_crash_state &&
+      !EF->__sanitizer_acquire_crash_state())
+    return;
   Printf("==%lu== ERROR: libFuzzer: deadly signal\n", GetPid());
   if (EF->__sanitizer_print_stack_trace)
     EF->__sanitizer_print_stack_trace();
@@ -243,6 +246,9 @@
 void Fuzzer::ExitCallback() {
   if (!RunningCB)
     return; // This exit did not come from the user callback
+  if (EF->__sanitizer_acquire_crash_state &&
+      !EF->__sanitizer_acquire_crash_state())
+    return;
   Printf("==%lu== ERROR: libFuzzer: fuzz target exited\n", GetPid());
   if (EF->__sanitizer_print_stack_trace)
     EF->__sanitizer_print_stack_trace();
@@ -282,6 +288,9 @@
   if (Options.Verbosity >= 2)
     Printf("AlarmCallback %zd\n", Seconds);
   if (Seconds >= (size_t)Options.UnitTimeoutSec) {
+    if (EF->__sanitizer_acquire_crash_state &&
+        !EF->__sanitizer_acquire_crash_state())
+      return;
     Printf("ALARM: working on the last Unit for %zd seconds\n", Seconds);
     Printf("       and the timeout value is %d (use -timeout=N to change)\n",
            Options.UnitTimeoutSec);
@@ -297,6 +306,9 @@
 }
 
 void Fuzzer::RssLimitCallback() {
+  if (EF->__sanitizer_acquire_crash_state &&
+      !EF->__sanitizer_acquire_crash_state())
+    return;
   Printf(
       "==%lu== ERROR: libFuzzer: out-of-memory (used: %zdMb; limit: %zdMb)\n",
       GetPid(), GetPeakRSSMb(), Options.RssLimitMb);