[go] cmd/compile: support libFuzzer value profiling mode for integer compares


Gerrit Bot (Gerrit)

Feb 22, 2022, 12:33:54 PM2/22/22
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Gerrit Bot has uploaded this change for review.


cmd/compile: support libFuzzer value profiling mode for integer compares

libFuzzer provides a special mode known as “value profiling” in which it
tracks the bit-wise progress made by the fuzzer in satisfying tracked
comparisons. Furthermore, libFuzzer uses the value of the return address
in its hooks to distinguish the progress for different comparisons.

The original implementation of the interception for integer comparisons
in Go simply called the libFuzzer hooks from a function written in Go
assembly. The libFuzzer hooks thus always see the same return address
(i.e., the address of the call instruction in the assembly snippet) and
thus can’t distinguish individual comparisons anymore. This drastically
reduces the usefulness of value profiling.

This is fixed by using an assembly trampoline that injects synthetic but
valid return addresses on the stack before calling the libFuzzer hook,
otherwise preserving the calling convention of the respective platform
(for starters, x86_64 Windows or Unix). These fake PCs are generated
deterministically based on the location of the compare instruction in
the IR representation.

Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
GitHub-Last-Rev: 7863abdfa3ce04ca8cfef8bed8f97c39d9dcdeb1
GitHub-Pull-Request: golang/go#51321
---
M src/cmd/compile/internal/typecheck/builtin.go
M src/cmd/compile/internal/typecheck/builtin/runtime.go
M src/cmd/compile/internal/walk/compare.go
M src/internal/fuzz/trace.go
M src/runtime/libfuzzer.go
M src/runtime/libfuzzer_amd64.s
6 files changed, 169 insertions(+), 42 deletions(-)

diff --git a/src/cmd/compile/internal/typecheck/builtin.go b/src/cmd/compile/internal/typecheck/builtin.go
index 67597ce..08f8e39 100644
--- a/src/cmd/compile/internal/typecheck/builtin.go
+++ b/src/cmd/compile/internal/typecheck/builtin.go
@@ -372,9 +372,9 @@
typs[142] = newSig(params(typs[7], typs[1], typs[5]), nil)
typs[143] = types.NewSlice(typs[7])
typs[144] = newSig(params(typs[7], typs[143]), nil)
- typs[145] = newSig(params(typs[66], typs[66]), nil)
- typs[146] = newSig(params(typs[60], typs[60]), nil)
- typs[147] = newSig(params(typs[62], typs[62]), nil)
- typs[148] = newSig(params(typs[24], typs[24]), nil)
+ typs[145] = newSig(params(typs[66], typs[66], typs[15]), nil)
+ typs[146] = newSig(params(typs[60], typs[60], typs[15]), nil)
+ typs[147] = newSig(params(typs[62], typs[62], typs[15]), nil)
+ typs[148] = newSig(params(typs[24], typs[24], typs[15]), nil)
return typs[:]
}
diff --git a/src/cmd/compile/internal/typecheck/builtin/runtime.go b/src/cmd/compile/internal/typecheck/builtin/runtime.go
index 04ae4f2..fe861c5 100644
--- a/src/cmd/compile/internal/typecheck/builtin/runtime.go
+++ b/src/cmd/compile/internal/typecheck/builtin/runtime.go
@@ -257,14 +257,14 @@
func checkptrAlignment(unsafe.Pointer, *byte, uintptr)
func checkptrArithmetic(unsafe.Pointer, []unsafe.Pointer)

-func libfuzzerTraceCmp1(uint8, uint8)
-func libfuzzerTraceCmp2(uint16, uint16)
-func libfuzzerTraceCmp4(uint32, uint32)
-func libfuzzerTraceCmp8(uint64, uint64)
-func libfuzzerTraceConstCmp1(uint8, uint8)
-func libfuzzerTraceConstCmp2(uint16, uint16)
-func libfuzzerTraceConstCmp4(uint32, uint32)
-func libfuzzerTraceConstCmp8(uint64, uint64)
+func libfuzzerTraceCmp1(uint8, uint8, int)
+func libfuzzerTraceCmp2(uint16, uint16, int)
+func libfuzzerTraceCmp4(uint32, uint32, int)
+func libfuzzerTraceCmp8(uint64, uint64, int)
+func libfuzzerTraceConstCmp1(uint8, uint8, int)
+func libfuzzerTraceConstCmp2(uint16, uint16, int)
+func libfuzzerTraceConstCmp4(uint32, uint32, int)
+func libfuzzerTraceConstCmp8(uint64, uint64, int)

// architecture variants
var x86HasPOPCNT bool
diff --git a/src/cmd/compile/internal/walk/compare.go b/src/cmd/compile/internal/walk/compare.go
index 625e216..2ecbf06 100644
--- a/src/cmd/compile/internal/walk/compare.go
+++ b/src/cmd/compile/internal/walk/compare.go
@@ -5,7 +5,11 @@
package walk

import (
+ "encoding/binary"
+ "fmt"
"go/constant"
+ "hash/fnv"
+ "io"

"cmd/compile/internal/base"
"cmd/compile/internal/ir"
@@ -15,6 +19,22 @@
"cmd/compile/internal/types"
)

+func fakePC(n ir.Node) ir.Node {
+ // In order to get deterministic IDs, we include the package path, file index, line number, column number
+ // in the calculation of the fakePC for the IR node.
+ hash := fnv.New32()
+ // We ignore the errors here because the `io.Writer` in the `hash.Hash` interface never returns an error.
+ _, _ = io.WriteString(hash, base.Ctxt.Pkgpath)
+ _ = binary.Write(hash, binary.LittleEndian, n.Pos().FileIndex())
+ _ = binary.Write(hash, binary.LittleEndian, int64(n.Pos().Line()))
+ _ = binary.Write(hash, binary.LittleEndian, int64(n.Pos().Col()))
+ // We also include the string representation of the node to distinguish autogenerated expression since
+ // those get the same `src.XPos`
+ _, _ = io.WriteString(hash, fmt.Sprintf("%v", n))
+
+ return ir.NewInt(int64(hash.Sum32()))
+}
+
// The result of walkCompare MUST be assigned back to n, e.g.
// n.Left = walkCompare(n.Left, init)
func walkCompare(n *ir.BinaryExpr, init *ir.Nodes) ir.Node {
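Review bot: fakePC has no doc comment stating its contract, even though the instrumentation emitted by walkCompare now depends on the value being stable across builds; suggest `// fakePC returns a deterministic pseudo-PC for the compare node n, derived from its source position and printed form, so libFuzzer's value-profiling hooks can tell individual comparisons apart.` above the signature. Style: `_, _ = io.WriteString(hash, fmt.Sprintf("%v", n))` can be written as `_, _ = fmt.Fprintf(hash, "%v", n)`, which drops the intermediate string. The 32-bit hash is reduced to the sled size on the runtime side in this same change, so distinct comparisons can still collide; a sentence in the comment saying the ID is best-effort rather than unique would save the next reader from assuming otherwise.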
@@ -131,7 +151,7 @@
default:
base.Fatalf("unexpected integer size %d for %v", t.Size(), t)
}
- init.Append(mkcall(fn, nil, init, tracecmpArg(l, paramType, init), tracecmpArg(r, paramType, init)))
+ init.Append(mkcall(fn, nil, init, tracecmpArg(l, paramType, init), tracecmpArg(r, paramType, init), fakePC(n)))
}
return n
case types.TARRAY:
diff --git a/src/internal/fuzz/trace.go b/src/internal/fuzz/trace.go
index cab0838..8384b23 100644
--- a/src/internal/fuzz/trace.go
+++ b/src/internal/fuzz/trace.go
@@ -18,12 +18,12 @@
//go:linkname libfuzzerTraceConstCmp4 runtime.libfuzzerTraceConstCmp4
//go:linkname libfuzzerTraceConstCmp8 runtime.libfuzzerTraceConstCmp8

-func libfuzzerTraceCmp1(arg0, arg1 uint8) {}
-func libfuzzerTraceCmp2(arg0, arg1 uint16) {}
-func libfuzzerTraceCmp4(arg0, arg1 uint32) {}
-func libfuzzerTraceCmp8(arg0, arg1 uint64) {}
+func libfuzzerTraceCmp1(arg0, arg1 uint8, fakePC int) {}
+func libfuzzerTraceCmp2(arg0, arg1 uint16, fakePC int) {}
+func libfuzzerTraceCmp4(arg0, arg1 uint32, fakePC int) {}
+func libfuzzerTraceCmp8(arg0, arg1 uint64, fakePC int) {}

-func libfuzzerTraceConstCmp1(arg0, arg1 uint8) {}
-func libfuzzerTraceConstCmp2(arg0, arg1 uint16) {}
-func libfuzzerTraceConstCmp4(arg0, arg1 uint32) {}
-func libfuzzerTraceConstCmp8(arg0, arg1 uint64) {}
+func libfuzzerTraceConstCmp1(arg0, arg1 uint8, fakePC int) {}
+func libfuzzerTraceConstCmp2(arg0, arg1 uint16, fakePC int) {}
+func libfuzzerTraceConstCmp4(arg0, arg1 uint32, fakePC int) {}
+func libfuzzerTraceConstCmp8(arg0, arg1 uint64, fakePC int) {}
diff --git a/src/runtime/libfuzzer.go b/src/runtime/libfuzzer.go
index e7b3cdc..0ea3632 100644
--- a/src/runtime/libfuzzer.go
+++ b/src/runtime/libfuzzer.go
@@ -8,38 +8,49 @@

import _ "unsafe" // for go:linkname

-func libfuzzerCall(fn *byte, arg0, arg1 uintptr)
+// Keep in sync with the definition of ret_sled in src/runtime/libfuzzer_amd64.s
+const retSledSize = 512

-func libfuzzerTraceCmp1(arg0, arg1 uint8) {
- libfuzzerCall(&__sanitizer_cov_trace_cmp1, uintptr(arg0), uintptr(arg1))
+func libfuzzerCallTraceIntCmp(fn *byte, arg0, arg1, fakePC uintptr)
+
+func libfuzzerTraceCmp1(arg0, arg1 uint8, fakePC int) {
+ fakePC = fakePC % retSledSize
+ libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_cmp1, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
}

-func libfuzzerTraceCmp2(arg0, arg1 uint16) {
- libfuzzerCall(&__sanitizer_cov_trace_cmp2, uintptr(arg0), uintptr(arg1))
+func libfuzzerTraceCmp2(arg0, arg1 uint16, fakePC int) {
+ fakePC = fakePC % retSledSize
+ libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_cmp2, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
}

-func libfuzzerTraceCmp4(arg0, arg1 uint32) {
- libfuzzerCall(&__sanitizer_cov_trace_cmp4, uintptr(arg0), uintptr(arg1))
+func libfuzzerTraceCmp4(arg0, arg1 uint32, fakePC int) {
+ fakePC = fakePC % retSledSize
+ libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_cmp4, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
}

-func libfuzzerTraceCmp8(arg0, arg1 uint64) {
- libfuzzerCall(&__sanitizer_cov_trace_cmp8, uintptr(arg0), uintptr(arg1))
+func libfuzzerTraceCmp8(arg0, arg1 uint64, fakePC int) {
+ fakePC = fakePC % retSledSize
+ libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_cmp8, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
}

-func libfuzzerTraceConstCmp1(arg0, arg1 uint8) {
- libfuzzerCall(&__sanitizer_cov_trace_const_cmp1, uintptr(arg0), uintptr(arg1))
+func libfuzzerTraceConstCmp1(arg0, arg1 uint8, fakePC int) {
+ fakePC = fakePC % retSledSize
+ libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_const_cmp1, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
}

-func libfuzzerTraceConstCmp2(arg0, arg1 uint16) {
- libfuzzerCall(&__sanitizer_cov_trace_const_cmp2, uintptr(arg0), uintptr(arg1))
+func libfuzzerTraceConstCmp2(arg0, arg1 uint16, fakePC int) {
+ fakePC = fakePC % retSledSize
+ libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_const_cmp2, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
}

-func libfuzzerTraceConstCmp4(arg0, arg1 uint32) {
- libfuzzerCall(&__sanitizer_cov_trace_const_cmp4, uintptr(arg0), uintptr(arg1))
+func libfuzzerTraceConstCmp4(arg0, arg1 uint32, fakePC int) {
+ fakePC = fakePC % retSledSize
+ libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_const_cmp4, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
}

-func libfuzzerTraceConstCmp8(arg0, arg1 uint64) {
- libfuzzerCall(&__sanitizer_cov_trace_const_cmp8, uintptr(arg0), uintptr(arg1))
+func libfuzzerTraceConstCmp8(arg0, arg1 uint64, fakePC int) {
+ fakePC = fakePC % retSledSize
+ libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_const_cmp8, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
}

//go:linkname __sanitizer_cov_trace_cmp1 __sanitizer_cov_trace_cmp1
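Review bot: `fakePC = fakePC % retSledSize` keeps the sign of a negative fakePC, so a negative argument reaches the assembly trampoline as a negative sled offset and the synthetic return address lands outside ret_sled; the compiler currently passes a uint32 hash widened to int, but nothing on this side enforces that invariant. Since retSledSize is a power of two, `fakePC &= retSledSize - 1` bounds any int value and avoids the division; the same line appears in all eight libfuzzerTrace*Cmp* functions in this hunk. It would also help to extend the retSledSize comment with `// Must be a power of two.` so the mask stays valid if the sled is ever resized.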
diff --git a/src/runtime/libfuzzer_amd64.s b/src/runtime/libfuzzer_amd64.s
index 253fe15..1f21774 100644
--- a/src/runtime/libfuzzer_amd64.s
+++ b/src/runtime/libfuzzer_amd64.s
@@ -13,17 +13,47 @@
#ifdef GOOS_windows
#define RARG0 CX
#define RARG1 DX
+#define RARG0 R8
+#define RARG1 R9
#else
#define RARG0 DI
#define RARG1 SI
+#define RARG2 DX
+#define RARG3 CX
#endif

-// void runtime·libfuzzerCall(fn, arg0, arg1 uintptr)
-// Calls C function fn from libFuzzer and passes 2 arguments to it.
-TEXT runtime·libfuzzerCall(SB), NOSPLIT, $0-24
+// void runtime·libfuzzerCallTraceIntCmp(fn, arg0, arg1, fakePC uintptr)
+// Calls C function fn from libFuzzer and passes 2 arguments to it after
+// manipulating the return address so that libfuzzer's interger compare hooks
+// work
+// libFuzzer's compare hooks obtain the caller's address from the compiler
+// builtin __builtin_return_adress. Since we invoke the hooks always
+// from the same native function, this builtin would always return the same
+// value. Internally, the libFuzzer hooks call through to the always inlined
+// HandleCmp and thus can't be mimicked without patching libFuzzer.
+//
+// We solve this problem via an inline assembly trampoline construction that
+// translates a runtime argument `fake_pc` in the range [0, 512) into a call to
+// a hook with a fake return address whose lower 9 bits are `fake_pc` up to a
+// constant shift. This is achieved by pushing a return address pointing into
+// 512 ret instructions at offset `fake_pc` onto the stack and then jumping
+// directly to the address of the hook.
+//
+// Note: We only set the lowest 9 bits of the return address since only these
+// bits are used by the libFuzzer value profiling mode for integer compares, see
+// https://github.com/llvm/llvm-project/blob/704d92607d26e696daba596b72cb70effe79a872/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp#L390
+// as well as
+// https://github.com/llvm/llvm-project/blob/704d92607d26e696daba596b72cb70effe79a872/compiler-rt/lib/fuzzer/FuzzerValueBitMap.h#L34
+// ValueProfileMap.AddValue() truncates its argument to 16 bits and shifts the
+// PC to the left by log_2(128)=7, which means that only the lowest 16 - 7 bits
+// of the return address matter. String compare hooks use the lowest 12 bits,
+// but take the return address as an argument and thus don't require the
+// indirection through a trampoline.
+TEXT runtime·libfuzzerCallTraceIntCmp(SB), NOSPLIT, $0-32
MOVQ fn+0(FP), AX
MOVQ arg0+8(FP), RARG0
MOVQ arg1+16(FP), RARG1
+ MOVQ fakePC+24(FP), RARG2

get_tls(R12)
MOVQ g(R12), R14
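Review bot: The GOOS_windows branch redefines RARG0 and RARG1 as R8 and R9 instead of defining RARG2 and RARG3, so on Windows arg0/arg1 would no longer be loaded into CX/DX and `MOVQ fakePC+24(FP), RARG2` has no definition to expand to. The two added lines should read `#define RARG2 R8` and `#define RARG3 R9`, matching the Win64 argument order CX, DX, R8, R9 and mirroring the Unix block below. Minor: the new header comment has the typos `interger` and `adress`. The function body continues past the end of this hunk.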
@@ -37,6 +67,42 @@
MOVQ (g_sched+gobuf_sp)(R10), SP
call:
ANDQ $~15, SP // alignment for gcc ABI
- CALL AX
+ // Load the address of the end of the function and push it into the stack.
+ // This address will be jumped to after executing the return instruction
+ // from the return sled. There we reset the stack pointer and return.
+ MOVQ $end_of_function(SB), BX
+ PUSHQ BX
+ // Load the starting address of the return sled into BX.
+ MOVQ $ret_sled(SB), BX
+ // Load the address of the i'th return instruction fron the return sled.
+ // The index is given in the fakePC argument.
+ ADDQ RARG2, BX
+ PUSHQ BX
+ // Call the original function with the fakePC return address on the stack.
+ // Function arguments arg0 and arg1 are passed unchanged in the registers
+ // RDI and RSI as specified by the x64 calling convention.
+ JMP AX
+// This code will not be executed and is only there to statisfy assembler
+// check of a balanced stack.
+not_reachable:
+ POPQ BX
+ POPQ BX
+ RET
+
+TEXT end_of_function(SB), NOSPLIT, $0-0
MOVQ R12, SP
RET
+
+#define REPEAT_8(a) a \
+ a \
+ a \
+ a \
+ a \
+ a \
+ a \
+ a
+
+#define REPEAT_512(a) REPEAT_8(REPEAT_8(REPEAT_8(a)))
+
+TEXT ret_sled(SB), NOSPLIT, $0-0
+ REPEAT_512(RET)
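Review bot: After `ANDQ $~15, SP` the two PUSHQ instructions leave SP 16-byte aligned at the moment `JMP AX` enters the hook, whereas the C ABI expects the callee to see SP at 8 mod 16 (what a CALL would leave behind), so a hook that uses aligned SSE stores to its own frame can fault. Adding `SUBQ $8, SP` between the ANDQ and the first PUSHQ restores the expected alignment, and end_of_function already resets SP from R12 so nothing else changes; the not_reachable stub may then need a matching `ADDQ $8, SP` to keep the assembler's stack-balance check satisfied. Style: `end_of_function` and `ret_sled` are plain TEXT symbols and so become package-visible; `end_of_function<>(SB)` and `ret_sled<>(SB)` (with matching `<>` in the MOVQ references) keep them file-local. Comment typos: `fron` and `statisfy`. The enclosing function begins before this hunk.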


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 1
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-MessageType: newchange

Keith Randall (Gerrit)

Mar 1, 2022, 6:50:49 PM3/1/22
to Gerrit Bot, goph...@pubsubhelper.golang.org, Robert Griesemer, Katie Hockman, Roland Shoemaker, Austin Clements, Keith Randall, Michael Knyszek, Michael Pratt, Ian Lance Taylor, Dmitry Vyukov, Martin Möhrmann, Josh Bleecher Snyder, Matthew Dempsky, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Austin Clements, Michael Knyszek, Michael Pratt, Robert Griesemer, Katie Hockman, Roland Shoemaker.


6 comments:

  • File src/cmd/compile/internal/walk/compare.go:

    • Patch Set #1, Line 27: Pkgpath

      Do you need Pkgpath here? It is not always available in the compiler.
      Maybe you could get away with package name instead.

    • Patch Set #1, Line 28: _ = binary.Write(hash, binary.LittleEndian, n.Pos().FileIndex())

      File index seems problematic - two different compilations won't agree on the file index (say an exported function is used in two other packages, and that exported function is inlined into both; the hashes then won't agree).
      I think file name would be ok.

  • File src/runtime/libfuzzer_amd64.s:

    • 	// Call the original function with the fakePC return address on the stack.

    • 	// Function arguments arg0 and arg1 are passed unchanged in the registers

    • 	// RDI and RSI as specified by the x64 calling convention.

    • "Passed unchanged" here doesn't make a lot of sense. The values are loaded into the correct registers in lines 54-55.

    • Patch Set #1, Line 107: TEXT ret_sled(SB), NOSPLIT, $0-0

      This scheme is going to completely break the CPU ret branch predictor. Any idea what kind of slowdown that causes?


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 1
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Austin Clements <aus...@google.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Robert Griesemer <g...@golang.org>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Dmitry Vyukov <dvy...@google.com>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Josh Bleecher Snyder <josh...@gmail.com>
Gerrit-CC: Martin Möhrmann <moeh...@google.com>
Gerrit-CC: Matthew Dempsky <mdem...@google.com>
Gerrit-Attention: Austin Clements <aus...@google.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Robert Griesemer <g...@golang.org>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Tue, 01 Mar 2022 23:50:45 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment

Gerrit Bot (Gerrit)

Mar 6, 2022, 11:32:06 AM3/6/22
to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Katie Hockman, Keith Randall, Roland Shoemaker.

Gerrit Bot uploaded patch set #2 to this change.


cmd/compile: support libFuzzer value profiling mode for integer compares

libFuzzer provides a special mode known as “value profiling” in which it
tracks the bit-wise progress made by the fuzzer in satisfying tracked
comparisons. Furthermore, libFuzzer uses the value of the return address
in its hooks to distinguish the progress for different comparisons.

The original implementation of the interception for integer comparisons
in Go simply called the libFuzzer hooks from a function written in Go
assembly. The libFuzzer hooks thus always see the same return address
(i.e., the address of the call instruction in the assembly snippet) and
thus can’t distinguish individual comparisons anymore. This drastically
reduces the usefulness of value profiling.

This is fixed by using an assembly trampoline that injects synthetic but
valid return addresses on the stack before calling the libFuzzer hook,
otherwise preserving the calling convention of the respective platform
(for starters, x86_64 Windows or Unix). These fake PCs are generated
deterministically based on the location of the compare instruction in
the IR representation.

Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
GitHub-Last-Rev: b2ecd6953361f798191243d44e07df4d497cccfe

GitHub-Pull-Request: golang/go#51321
---
M src/cmd/compile/internal/typecheck/builtin.go
M src/cmd/compile/internal/typecheck/builtin/runtime.go
M src/cmd/compile/internal/walk/compare.go
M src/internal/fuzz/trace.go
M src/runtime/libfuzzer.go
M src/runtime/libfuzzer_amd64.s
6 files changed, 169 insertions(+), 42 deletions(-)


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 2
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Keith Randall <k...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-MessageType: newpatchset

Khaled Yakdan (Gerrit)

Mar 7, 2022, 12:53:16 AM3/7/22
to Gerrit Bot, goph...@pubsubhelper.golang.org, Katie Hockman, Roland Shoemaker, Keith Randall, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Katie Hockman, Keith Randall, Roland Shoemaker.


6 comments:

  • File src/cmd/compile/internal/walk/compare.go:

    • Do you need Pkgpath here? It is not always available in the compiler. […]

      How can I get the package name of an IR node?

    • File index seems problematic - two different compilations won't agree on the file index (say a expor […]

      How about adding fmt.Sprintf("%+v", n) to the hash? This debug syntax adds the file name, line number, and column number.

  • File src/runtime/libfuzzer_amd64.s:

    • fixed

    • This doesn't need to be RARG2, because it is not actually being passed to the C function. […]

      Changed to use R8

    • Patch Set #1, Line 81:

      	// Call the original function with the fakePC return address on the stack.
      // Function arguments arg0 and arg1 are passed unchanged in the registers
      // RDI and RSI as specified by the x64 calling convention.

    • "Passed unchanged" here doesn't make a lot of sense. […]

      Updated the comment

    • This scheme is going to completely break the CPU ret branch predictor. […]

      We haven't performed any profiling to measure the slowdown. We've used the same trick for jazzer to make value profiling work for Java. The gain in fuzzing effectiveness justifies the slowdown here. The root cause is that libfuzzer callbacks do not accept a PC argument for the functions that handle integer comparisons. We will try to get this patch into upstream libfuzzer since it is needed for many fuzzers using libfuzzer as a backend (jazzer, atheris, and Go).


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 1
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Keith Randall <k...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Sun, 06 Mar 2022 16:30:37 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Keith Randall <k...@golang.org>
Gerrit-MessageType: comment

Keith Randall (Gerrit)

Mar 15, 2022, 5:30:17 PM3/15/22
to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Katie Hockman, Roland Shoemaker, Keith Randall, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Khaled Yakdan, Katie Hockman, Keith Randall, Roland Shoemaker.


6 comments:

  • File src/cmd/compile/internal/walk/compare.go:

    • How about adding fmt. […]

      That seems fine. A bit slower, but that's ok in the compiler.
      Maybe better is to use cmd/compile/internal/base.Ctxt.PosTable.Pos(n.Pos()).Filename (or RelFilename or AbsFilename? Might not matter much which you use).

  • File src/runtime/libfuzzer_amd64.s:

    • fixed

      Done

    • Changed to use R8

      Done

    • Patch Set #1, Line 81:

      	// Call the original function with the fakePC return address on the stack.
      // Function arguments arg0 and arg1 are passed unchanged in the registers
      // RDI and RSI as specified by the x64 calling convention.

    • Updated the comment

      Done

    • We haven't performed any profiling to measure the slowdown. […]

      Ack


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 2
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Keith Randall <k...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Tue, 15 Mar 2022 21:30:11 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Khaled Yakdan <yak...@code-intelligence.com>

Khaled Yakdan (Gerrit)

Mar 18, 2022, 8:56:39 AM3/18/22
to Gerrit Bot, goph...@pubsubhelper.golang.org, Keith Randall, Katie Hockman, Roland Shoemaker, Keith Randall, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Keith Randall, Katie Hockman, Roland Shoemaker.


1 comment:

  • File src/cmd/compile/internal/walk/compare.go:

    • Patch Set #1, Line 28: _ = binary.Write(hash, binary.LittleEndian, n.Pos().FileIndex())

      That seems fine. A bit slower, but that's ok in the compiler. […]

      Thanks for the tip. Done!


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 2
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Keith Randall <k...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Fri, 18 Mar 2022 12:56:33 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Keith Randall <k...@google.com>

Gerrit Bot (Gerrit)

Mar 18, 2022, 8:58:43 AM3/18/22
to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Keith Randall, Katie Hockman, Roland Shoemaker.

Gerrit Bot uploaded patch set #3 to this change.


cmd/compile: support libFuzzer value profiling mode for integer compares

libFuzzer provides a special mode known as “value profiling” in which it
tracks the bit-wise progress made by the fuzzer in satisfying tracked
comparisons. Furthermore, libFuzzer uses the value of the return address
in its hooks to distinguish the progress for different comparisons.

The original implementation of the interception for integer comparisons
in Go simply called the libFuzzer hooks from a function written in Go
assembly. The libFuzzer hooks thus always see the same return address
(i.e., the address of the call instruction in the assembly snippet) and
thus can’t distinguish individual comparisons anymore. This drastically
reduces the usefulness of value profiling.

This is fixed by using an assembly trampoline that injects synthetic but
valid return addresses on the stack before calling the libFuzzer hook,
otherwise preserving the calling convention of the respective platform
(for starters, x86_64 Windows or Unix). These fake PCs are generated
deterministically based on the location of the compare instruction in
the IR representation.

Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
GitHub-Last-Rev: b08fea0842cc0e0ca0adcea59697f9b01416cf61

GitHub-Pull-Request: golang/go#51321
---
M src/cmd/compile/internal/typecheck/builtin.go
M src/cmd/compile/internal/typecheck/builtin/runtime.go
M src/cmd/compile/internal/walk/compare.go
M src/internal/fuzz/trace.go
M src/runtime/libfuzzer.go
M src/runtime/libfuzzer_amd64.s
6 files changed, 169 insertions(+), 42 deletions(-)


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 3
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Keith Randall <k...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-MessageType: newpatchset

Keith Randall (Gerrit)

Mar 18, 2022, 12:09:47 PM3/18/22
to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Keith Randall, Keith Randall, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Keith Randall, Katie Hockman, Roland Shoemaker.

Patch set 3:Code-Review +2


1 comment:

  • File src/runtime/libfuzzer_amd64.s:

    • Patch Set #3, Line 25: // void runtime·libfuzzerCallTraceIntCmp(fn, arg0, arg1, fakePC uintptr)

      Is there a plan to add a PC argument to libfuzzer's int compare hooks? If so, maybe add a TODO and a link to that plan/issue/whatever here.


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 3
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Fri, 18 Mar 2022 16:09:42 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment

Khaled Yakdan (Gerrit)

Mar 18, 2022, 12:22:06 PM3/18/22
to Gerrit Bot, goph...@pubsubhelper.golang.org, Keith Randall, Keith Randall, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Keith Randall, Katie Hockman, Roland Shoemaker.


1 comment:

  • File src/runtime/libfuzzer_amd64.s:

    • Is there a plan to add a PC argument to libfuzzer's int compare hooks? If so, maybe add a TODO and a […]

      We will try to get a patch to libFuzzer that does exactly that. Should I add a TODO here to simplify the hooks once (and if) it is accepted?


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 3
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Keith Randall <k...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Fri, 18 Mar 2022 16:22:00 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Keith Randall <k...@golang.org>
Gerrit-MessageType: comment

Keith Randall (Gerrit)

Mar 18, 2022, 12:32:35 PM3/18/22
to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Keith Randall, Keith Randall, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Khaled Yakdan, Keith Randall, Katie Hockman, Roland Shoemaker.


1 comment:

  • File src/runtime/libfuzzer_amd64.s:

    • We will try to get a patch to libFuzzer that does exactly that. […]

      Yes, thanks.


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 3
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Fri, 18 Mar 2022 16:32:30 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Khaled Yakdan <yak...@code-intelligence.com>

Ian Lance Taylor (Gerrit)

Mar 31, 2022, 1:30:58 AM3/31/22
to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Ian Lance Taylor, Keith Randall, Keith Randall, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Khaled Yakdan, Keith Randall, Katie Hockman, Roland Shoemaker.


1 comment:

  • File src/cmd/compile/internal/walk/compare.go:

    • Patch Set #3, Line 27: _, _ = io.WriteString(hash, base.Ctxt.Pkgpath)

      This `_, _` is not the usual Go style. Is there other code in the compiler that works this way? I would expect simply

          io.WriteString(hash, base.Ctxt.Pkgpath)
      io.WriteString(hash, ...)
      ...


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 3
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Thu, 31 Mar 2022 05:30:53 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment

Gerrit Bot (Gerrit)

Apr 4, 2022, 2:43:19 AM4/4/22
to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Khaled Yakdan, Keith Randall, Katie Hockman, Roland Shoemaker.

Gerrit Bot uploaded patch set #4 to this change.


cmd/compile: support libFuzzer value profiling mode for integer compares

libFuzzer provides a special mode known as “value profiling” in which it
tracks the bit-wise progress made by the fuzzer in satisfying tracked
comparisons. Furthermore, libFuzzer uses the value of the return address
in its hooks to distinguish the progress for different comparisons.

The original implementation of the interception for integer comparisons
in Go simply called the libFuzzer hooks from a function written in Go
assembly. The libFuzzer hooks thus always see the same return address
(i.e., the address of the call instruction in the assembly snippet) and
thus can’t distinguish individual comparisons anymore. This drastically
reduces the usefulness of value profiling.

This is fixed by using an assembly trampoline that injects synthetic but
valid return addresses on the stack before calling the libFuzzer hook,
otherwise preserving the calling convention of the respective platform
(for starters, x86_64 Windows or Unix). These fake PCs are generated
deterministically based on the location of the compare instruction in
the IR representation.

Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
GitHub-Last-Rev: 882f92d5dd0dc921081da8a9ca99aa930975827a

GitHub-Pull-Request: golang/go#51321
---
M src/cmd/compile/internal/typecheck/builtin.go
M src/cmd/compile/internal/typecheck/builtin/runtime.go
M src/cmd/compile/internal/walk/compare.go
M src/internal/fuzz/trace.go
M src/runtime/libfuzzer.go
M src/runtime/libfuzzer_amd64.s
6 files changed, 169 insertions(+), 42 deletions(-)


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 4
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-MessageType: newpatchset

Cherry Mui (Gerrit)

Apr 4, 2022, 12:20:27 PM4/4/22
to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Ian Lance Taylor, Keith Randall, Keith Randall, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Khaled Yakdan, Keith Randall, Katie Hockman, Roland Shoemaker.

Patch set 4:Trust +1


1 comment:

  • File src/runtime/libfuzzer_amd64.s:

    • Patch Set #4, Line 92: TEXT end_of_function(SB), NOSPLIT, $0-0

      Maybe define this symbol locally (i.e. end_of_function<>(SB)) to avoid a potential name clash in the global namespace. Same for the next one.


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 4
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Cherry Mui <cher...@google.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Mon, 04 Apr 2022 16:20:21 +0000

Khaled Yakdan (Gerrit)

Apr 5, 2022, 10:20:41 AM4/5/22
to Gerrit Bot, goph...@pubsubhelper.golang.org, Cherry Mui, Ian Lance Taylor, Keith Randall, Keith Randall, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker.


1 comment:

  • File src/cmd/compile/internal/walk/compare.go:

    • This _, _ is not the usual Go style. […]

      I wanted to make it clear that we are ignoring the errors here. Updated as you suggested.


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 4
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Cherry Mui <cher...@google.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Comment-Date: Tue, 05 Apr 2022 14:20:34 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Ian Lance Taylor <ia...@golang.org>
Gerrit-MessageType: comment

Khaled Yakdan (Gerrit)

Apr 5, 2022, 10:51:02 AM4/5/22
to Gerrit Bot, goph...@pubsubhelper.golang.org, Cherry Mui, Ian Lance Taylor, Keith Randall, Keith Randall, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Cherry Mui.


1 comment:

  • File src/runtime/libfuzzer_amd64.s:

    • Maybe define this symbol locally (i.e. […]

      Done


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 4
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Cherry Mui <cher...@google.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Cherry Mui <cher...@google.com>
Gerrit-Comment-Date: Tue, 05 Apr 2022 14:50:56 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Cherry Mui <cher...@google.com>
Gerrit-MessageType: comment

Gerrit Bot (Gerrit)

Apr 5, 2022, 10:52:51 AM4/5/22
to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Cherry Mui.

Gerrit Bot uploaded patch set #5 to this change.


cmd/compile: support libFuzzer value profiling mode for integer compares

libFuzzer provides a special mode known as “value profiling” in which it
tracks the bit-wise progress made by the fuzzer in satisfying tracked
comparisons. Furthermore, libFuzzer uses the value of the return address
in its hooks to distinguish the progress for different comparisons.

The original implementation of the interception for integer comparisons
in Go simply called the libFuzzer hooks from a function written in Go
assembly. The libFuzzer hooks thus always see the same return address
(i.e., the address of the call instruction in the assembly snippet) and
thus can’t distinguish individual comparisons anymore. This drastically
reduces the usefulness of value profiling.

This is fixed by using an assembly trampoline that injects synthetic but
valid return addresses on the stack before calling the libFuzzer hook,
otherwise preserving the calling convention of the respective platform
(for starters, x86_64 Windows or Unix). These fake PCs are generated
deterministically based on the location of the compare instruction in
the IR representation.

Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
GitHub-Last-Rev: d70343d3f40de42952f5a814762f047b92ac6ccb

GitHub-Pull-Request: golang/go#51321
---
M src/cmd/compile/internal/typecheck/builtin.go
M src/cmd/compile/internal/typecheck/builtin/runtime.go
M src/cmd/compile/internal/walk/compare.go
M src/internal/fuzz/trace.go
M src/runtime/libfuzzer.go
M src/runtime/libfuzzer_amd64.s
6 files changed, 169 insertions(+), 42 deletions(-)


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 5
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Cherry Mui <cher...@google.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Cherry Mui <cher...@google.com>
Gerrit-MessageType: newpatchset

Gerrit Bot (Gerrit)

Apr 5, 2022, 10:56:46 AM4/5/22
to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Cherry Mui.

Gerrit Bot uploaded patch set #6 to this change.


cmd/compile: support libFuzzer value profiling mode for integer compares

libFuzzer provides a special mode known as “value profiling” in which it
tracks the bit-wise progress made by the fuzzer in satisfying tracked
comparisons. Furthermore, libFuzzer uses the value of the return address
in its hooks to distinguish the progress for different comparisons.

The original implementation of the interception for integer comparisons
in Go simply called the libFuzzer hooks from a function written in Go
assembly. The libFuzzer hooks thus always see the same return address
(i.e., the address of the call instruction in the assembly snippet) and
thus can’t distinguish individual comparisons anymore. This drastically
reduces the usefulness of value profiling.

This is fixed by using an assembly trampoline that injects synthetic but
valid return addresses on the stack before calling the libFuzzer hook,
otherwise preserving the calling convention of the respective platform
(for starters, x86_64 Windows or Unix). These fake PCs are generated
deterministically based on the location of the compare instruction in
the IR representation.

Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
GitHub-Last-Rev: 365003629283126256b530685e8ecb8299beeb79

GitHub-Pull-Request: golang/go#51321
---
M src/cmd/compile/internal/typecheck/builtin.go
M src/cmd/compile/internal/typecheck/builtin/runtime.go
M src/cmd/compile/internal/walk/compare.go
M src/internal/fuzz/trace.go
M src/runtime/libfuzzer.go
M src/runtime/libfuzzer_amd64.s
6 files changed, 169 insertions(+), 42 deletions(-)


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 6

Keith Randall (Gerrit)

Apr 10, 2022, 7:17:56 PM4/10/22
to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Cherry Mui, Ian Lance Taylor, Keith Randall, Keith Randall, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Khaled Yakdan, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Cherry Mui.

Patch set 6:Code-Review +2


2 comments:

  • File src/runtime/libfuzzer_amd64.s:

    • Yes, thanks.

      Still need a TODO here somewhere.

  • File src/runtime/libfuzzer_amd64.s:

    • Done

      ret_sled also needs this treatment.


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 6
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Cherry Mui <cher...@google.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Cherry Mui <cher...@google.com>
Gerrit-Comment-Date: Sun, 10 Apr 2022 23:17:53 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: Khaled Yakdan <yak...@code-intelligence.com>
Comment-In-Reply-To: Keith Randall <k...@golang.org>

Keith Randall (Gerrit)

Apr 10, 2022, 7:22:17 PM4/10/22
to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Cherry Mui, Ian Lance Taylor, Keith Randall, Keith Randall, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Khaled Yakdan, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Cherry Mui.


1 comment:

  • Patchset:

    • Patch Set #6:

      Let me know when you've fixed this up and we can get your CLs in.
      Is there an order that they need to be submitted?

Gerrit-Comment-Date: Sun, 10 Apr 2022 23:22:12 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment

Khaled Yakdan (Gerrit)

Apr 13, 2022, 2:32:19 PM4/13/22
to Gerrit Bot, goph...@pubsubhelper.golang.org, Cherry Mui, Ian Lance Taylor, Keith Randall, Keith Randall, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Cherry Mui.


3 comments:

  • Patchset:

    • Patch Set #6:

      Let me know when you've fixed this up and we can get your CLs in. […]

      I've addressed the remaining two comments. There is no preferred order to merge the CLs. I might need to rebase after merging.

  • File src/runtime/libfuzzer_amd64.s:

    • Still need a TODO here somewhere.

      Done

  • File src/runtime/libfuzzer_amd64.s:

    • ret_sled also needs this treatment.

      Done


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 6
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Cherry Mui <cher...@google.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Cherry Mui <cher...@google.com>
Gerrit-Comment-Date: Wed, 13 Apr 2022 18:32:14 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No

Gerrit Bot (Gerrit)

Apr 13, 2022, 2:32:25 PM4/13/22
to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Cherry Mui.

Gerrit Bot uploaded patch set #7 to this change.


cmd/compile: support libFuzzer value profiling mode for integer compares

libFuzzer provides a special mode known as “value profiling” in which it
tracks the bit-wise progress made by the fuzzer in satisfying tracked
comparisons. Furthermore, libFuzzer uses the value of the return address
in its hooks to distinguish the progress for different comparisons.

The original implementation of the interception for integer comparisons
in Go simply called the libFuzzer hooks from a function written in Go
assembly. The libFuzzer hooks thus always see the same return address
(i.e., the address of the call instruction in the assembly snippet) and
thus can’t distinguish individual comparisons anymore. This drastically
reduces the usefulness of value profiling.

This is fixed by using an assembly trampoline that injects synthetic but
valid return addresses on the stack before calling the libFuzzer hook,
otherwise preserving the calling convention of the respective platform
(for starters, x86_64 Windows or Unix). These fake PCs are generated
deterministically based on the location of the compare instruction in
the IR representation.

Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
GitHub-Last-Rev: 86500697e9cd1491124c6f7a69b2e317a17971d0

GitHub-Pull-Request: golang/go#51321
---
M src/cmd/compile/internal/typecheck/builtin.go
M src/cmd/compile/internal/typecheck/builtin/runtime.go
M src/cmd/compile/internal/walk/compare.go
M src/internal/fuzz/trace.go
M src/runtime/libfuzzer.go
M src/runtime/libfuzzer_amd64.s
6 files changed, 170 insertions(+), 42 deletions(-)


Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
Gerrit-Change-Number: 387336
Gerrit-PatchSet: 7
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Cherry Mui <cher...@google.com>
Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
Gerrit-Reviewer: Keith Randall <k...@golang.org>
Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
Gerrit-CC: Keith Randall <k...@google.com>
Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
Gerrit-Attention: Michael Knyszek <mkny...@google.com>
Gerrit-Attention: Michael Pratt <mpr...@google.com>
Gerrit-Attention: Keith Randall <k...@google.com>
Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
Gerrit-Attention: Katie Hockman <ka...@golang.org>
Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
Gerrit-Attention: Cherry Mui <cher...@google.com>
Gerrit-MessageType: newpatchset

Keith Randall (Gerrit)

Apr 13, 2022, 3:31:34 PM4/13/22
to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Keith Randall, Cherry Mui, Ian Lance Taylor, Keith Randall, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

Attention is currently required from: Michael Knyszek, Michael Pratt, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Cherry Mui.

Patch set 7:Run-TryBot +1Code-Review +2



    Gerrit-Project: go
    Gerrit-Branch: master
    Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
    Gerrit-Change-Number: 387336
    Gerrit-PatchSet: 7
    Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
    Gerrit-Reviewer: Cherry Mui <cher...@google.com>
    Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
    Gerrit-Reviewer: Keith Randall <k...@golang.org>
    Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
    Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
    Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
    Gerrit-CC: Gopher Robot <go...@golang.org>
    Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
    Gerrit-CC: Keith Randall <k...@google.com>
    Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
    Gerrit-Attention: Michael Knyszek <mkny...@google.com>
    Gerrit-Attention: Michael Pratt <mpr...@google.com>
    Gerrit-Attention: Keith Randall <k...@google.com>
    Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
    Gerrit-Attention: Katie Hockman <ka...@golang.org>
    Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
    Gerrit-Attention: Cherry Mui <cher...@google.com>
    Gerrit-Comment-Date: Wed, 13 Apr 2022 19:31:30 +0000
    Gerrit-HasComments: No
    Gerrit-Has-Labels: Yes
    Gerrit-MessageType: comment

    Keith Randall (Gerrit)

    Apr 13, 2022, 3:36:52 PM4/13/22
    to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, Gopher Robot, golang-co...@googlegroups.com

    Attention is currently required from: Michael Knyszek, Michael Pratt, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Cherry Mui.

    Patch set 7:Code-Review +1



      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 7
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Gopher Robot <go...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-Comment-Date: Wed, 13 Apr 2022 19:36:48 +0000

      Ian Lance Taylor (Gerrit)

      Apr 25, 2022, 9:50:54 PM4/25/22
      to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, golang-co...@googlegroups.com

      Attention is currently required from: Michael Knyszek, Michael Pratt, Khaled Yakdan, Keith Randall, Katie Hockman, Roland Shoemaker, Cherry Mui.


      3 comments:

      • File src/cmd/compile/internal/walk/compare.go:

        • Thanks for the tip. […]

          Ack

      • File src/cmd/compile/internal/walk/compare.go:

        • I wanted to make it clear that we are ignoring the errors here. Updated as you suggested.

          Ack

      • File src/runtime/libfuzzer_amd64.s:


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 7
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-Comment-Date: Tue, 26 Apr 2022 01:50:50 +0000
      Gerrit-HasComments: Yes
      Gerrit-Has-Labels: No
      Comment-In-Reply-To: Khaled Yakdan <yak...@code-intelligence.com>
      Comment-In-Reply-To: Keith Randall <k...@google.com>
      Comment-In-Reply-To: Ian Lance Taylor <ia...@golang.org>

      Gerrit Bot (Gerrit)

      May 11, 2022, 4:47:00 AM5/11/22
      to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

      Attention is currently required from: Cherry Mui, Katie Hockman, Keith Randall, Keith Randall, Khaled Yakdan, Michael Knyszek, Michael Pratt, Roland Shoemaker.

      Gerrit Bot uploaded patch set #8 to this change.


      The following approvals got outdated and were removed: Run-TryBot+1 by Keith Randall, TryBot-Result+1 by Gopher Robot

      cmd/compile: support libFuzzer value profiling mode for integer compares

      libFuzzer provides a special mode known as “value profiling” in which it
      tracks the bit-wise progress made by the fuzzer in satisfying tracked
      comparisons. Furthermore, libFuzzer uses the value of the return address
      in its hooks to distinguish the progress for different comparisons.

      The original implementation of the interception for integer comparisons
      in Go simply called the libFuzzer hooks from a function written in Go
      assembly. The libFuzzer hooks thus always see the same return address
      (i.e., the address of the call instruction in the assembly snippet) and
      thus can’t distinguish individual comparisons anymore. This drastically
      reduces the usefulness of value profiling.

      This is fixed by using an assembly trampoline that injects synthetic but
      valid return addresses on the stack before calling the libFuzzer hook,
      otherwise preserving the calling convention of the respective platform
      (for starters, x86_64 Windows or Unix). These fake PCs are generated
      deterministically based on the location of the compare instruction in
      the IR representation.

      Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      GitHub-Last-Rev: 1eec332a12e9a52576776e5fe54f5184932c206f

      GitHub-Pull-Request: golang/go#51321
      ---
      M src/cmd/compile/internal/typecheck/builtin.go
      M src/cmd/compile/internal/typecheck/builtin/runtime.go
      M src/cmd/compile/internal/walk/compare.go
      M src/internal/fuzz/trace.go
      M src/runtime/libfuzzer.go
      M src/runtime/libfuzzer_amd64.s
      M src/runtime/libfuzzer_arm64.s
      7 files changed, 212 insertions(+), 48 deletions(-)


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 8
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-MessageType: newpatchset

      Khaled Yakdan (Gerrit)

      May 11, 2022, 4:48:04 AM5/11/22
      to Gerrit Bot, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, golang-co...@googlegroups.com

      Attention is currently required from: Cherry Mui, Ian Lance Taylor, Katie Hockman, Keith Randall, Keith Randall, Michael Knyszek, Michael Pratt, Roland Shoemaker.


      1 comment:

      • File src/runtime/libfuzzer_amd64.s:

        • Added!


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 8
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-Comment-Date: Wed, 11 May 2022 08:47:57 +0000
      Gerrit-HasComments: Yes
      Gerrit-Has-Labels: No

      Gerrit Bot (Gerrit)

      May 11, 2022, 5:34:31 AM5/11/22
      to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

      Attention is currently required from: Cherry Mui, Ian Lance Taylor, Katie Hockman, Keith Randall, Keith Randall, Michael Knyszek, Michael Pratt, Roland Shoemaker.

      Gerrit Bot uploaded patch set #9 to this change.


      cmd/compile: support libFuzzer value profiling mode for integer compares


      libFuzzer provides a special mode known as “value profiling” in which it
      tracks the bit-wise progress made by the fuzzer in satisfying tracked
      comparisons. Furthermore, libFuzzer uses the value of the return address
      in its hooks to distinguish the progress for different comparisons.

      The original implementation of the interception for integer comparisons
      in Go simply called the libFuzzer hooks from a function written in Go
      assembly. The libFuzzer hooks thus always see the same return address
      (i.e., the address of the call instruction in the assembly snippet) and
      thus can’t distinguish individual comparisons anymore. This drastically
      reduces the usefulness of value profiling.

      This is fixed by using an assembly trampoline that injects synthetic but
      valid return addresses on the stack before calling the libFuzzer hook,
      otherwise preserving the calling convention of the respective platform
      (for starters, x86_64 Windows or Unix). These fake PCs are generated
      deterministically based on the location of the compare instruction in
      the IR representation.

      Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      GitHub-Last-Rev: ce08f43d1209725c8d3b4dd0f4a5385d4a5f614f

      GitHub-Pull-Request: golang/go#51321
      ---
      M src/cmd/compile/internal/typecheck/builtin.go
      M src/cmd/compile/internal/typecheck/builtin/runtime.go
      M src/cmd/compile/internal/walk/compare.go
      M src/internal/fuzz/trace.go
      M src/runtime/libfuzzer.go
      M src/runtime/libfuzzer_amd64.s
      M src/runtime/libfuzzer_arm64.s
      7 files changed, 212 insertions(+), 48 deletions(-)


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 9
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-MessageType: newpatchset

      Keith Randall (Gerrit)

      May 11, 2022, 3:09:14 PM5/11/22
      to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, golang-co...@googlegroups.com

      Attention is currently required from: Cherry Mui, Ian Lance Taylor, Katie Hockman, Keith Randall, Michael Knyszek, Michael Pratt, Roland Shoemaker.

      Patch set 9:Code-Review +2


      1 comment:

      • File src/runtime/libfuzzer_arm64.s:

        • Patch Set #9, Line 52: TEXT end_of_function<>(SB), NOSPLIT, $0-0

          I'm not sure I understand how the return address works here.
          Where is the return address of runtime.libfuzzerCallTraceIntCmp stored and restored?
          The return address starts in R30, but you end up clobbering that register with an address in the sled. The sled needs to know where it should return to somehow.

          The x86 code puts the return address on the stack, so the return address to the sled doesn't overwrite the overall return address. It just requires some push/pop to use a different stack slot.


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 9
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-Comment-Date: Wed, 11 May 2022 19:09:08 +0000
      Gerrit-HasComments: Yes
      Gerrit-Has-Labels: Yes
      Gerrit-MessageType: comment

      Khaled Yakdan (Gerrit)

      May 12, 2022, 7:00:26 AM5/12/22
      to Gerrit Bot, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, golang-co...@googlegroups.com

      Attention is currently required from: Cherry Mui, Ian Lance Taylor, Katie Hockman, Keith Randall, Keith Randall, Michael Knyszek, Michael Pratt, Roland Shoemaker.


      1 comment:

      • File src/runtime/libfuzzer_arm64.s:

        • I'm not sure I understand how the return address works here. […]

          You are right. The original return address is not stored before manipulating R30. This is based on the maybe-wrong assumption about how the RET instruction in Go assembly works for ARM. The existing implementation of runtime·libfuzzerCall calls the original libFuzzer function with a branch-with-link instruction (BL R9), which also overwrites R30 with the address of the next instruction. That is why I assumed that the RET instruction takes care of restoring R30 from a value that is pushed on the stack. However, based on your comment and investigating the resulting ARM64 code with objdump, this does not seem to be the case. Does the existing implementation work? Is it tested somehow? Or have I overlooked something?

          I've updated the implementation to store R30 into a local variable and restore it before returning.


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 9
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-Comment-Date: Thu, 12 May 2022 11:00:19 +0000
      Gerrit-HasComments: Yes
      Gerrit-Has-Labels: No

      Gerrit Bot (Gerrit)

      May 12, 2022, 7:04:15 AM5/12/22
      to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

      Attention is currently required from: Cherry Mui, Ian Lance Taylor, Katie Hockman, Keith Randall, Keith Randall, Michael Knyszek, Michael Pratt, Roland Shoemaker.

      Gerrit Bot uploaded patch set #10 to this change.


      cmd/compile: support libFuzzer value profiling mode for integer compares

      libFuzzer provides a special mode known as “value profiling” in which it
      tracks the bit-wise progress made by the fuzzer in satisfying tracked
      comparisons. Furthermore, libFuzzer uses the value of the return address
      in its hooks to distinguish the progress for different comparisons.

      The original implementation of the interception for integer comparisons
      in Go simply called the libFuzzer hooks from a function written in Go
      assembly. The libFuzzer hooks thus always see the same return address
      (i.e., the address of the call instruction in the assembly snippet) and
      thus can’t distinguish individual comparisons anymore. This drastically
      reduces the usefulness of value profiling.

      This is fixed by using an assembly trampoline that injects synthetic but
      valid return addresses on the stack before calling the libFuzzer hook,
      otherwise preserving the calling convention of the respective platform
      (for starters, x86_64 Windows or Unix). These fake PCs are generated
      deterministically based on the location of the compare instruction in
      the IR representation.

      Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      GitHub-Last-Rev: 7dafaa656b32f3d4c8570d9ebb221c0fb4816a7d

      GitHub-Pull-Request: golang/go#51321
      ---
      M src/cmd/compile/internal/typecheck/builtin.go
      M src/cmd/compile/internal/typecheck/builtin/runtime.go
      M src/cmd/compile/internal/walk/compare.go
      M src/internal/fuzz/trace.go
      M src/runtime/libfuzzer.go
      M src/runtime/libfuzzer_amd64.s
      M src/runtime/libfuzzer_arm64.s
      7 files changed, 214 insertions(+), 48 deletions(-)


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 10
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-MessageType: newpatchset

      Cherry Mui (Gerrit)

      May 12, 2022, 5:25:59 PM5/12/22
      to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, golang-co...@googlegroups.com

      Attention is currently required from: Ian Lance Taylor, Katie Hockman, Keith Randall, Keith Randall, Khaled Yakdan, Michael Knyszek, Michael Pratt, Roland Shoemaker.


      1 comment:

      • File src/runtime/libfuzzer_arm64.s:

        • You are right. The original return address is not stored before manipulating R30. […]

          The RET instruction works differently depending on whether the function is a leaf function (i.e., whether it contains a call instruction). For non-leaf functions, the assembler inserts a prologue that stores the LR on the stack, and the RET instruction loads it back. This is how the old code works. With the new code, end_of_function is no longer a leaf function (the assembler doesn't know about the new control flow), so RET is just JMP (LR). You could probably write it as loading LR from the stack and then jumping to it, something like

          MOVD.P 16(SP), R30 // offset is the frame size, check it with the prologue
          JMP (R30)


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 10
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Comment-Date: Thu, 12 May 2022 21:25:54 +0000
      Gerrit-HasComments: Yes
      Gerrit-Has-Labels: No
      Comment-In-Reply-To: Khaled Yakdan <yak...@code-intelligence.com>

      Cherry Mui (Gerrit)

      May 12, 2022, 5:27:23 PM5/12/22
      to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, golang-co...@googlegroups.com

      Attention is currently required from: Ian Lance Taylor, Katie Hockman, Keith Randall, Keith Randall, Khaled Yakdan, Michael Knyszek, Michael Pratt, Roland Shoemaker.


      1 comment:

      • File src/runtime/libfuzzer_arm64.s:

        •  end_of_function is no longer a leaf function

          no longer a non-leaf function (as it contains no call now)

      Gerrit-Comment-Date: Thu, 12 May 2022 21:27:18 +0000
      Gerrit-HasComments: Yes
      Gerrit-Has-Labels: No
      Comment-In-Reply-To: Khaled Yakdan <yak...@code-intelligence.com>
      Comment-In-Reply-To: Keith Randall <k...@golang.org>

      Gerrit Bot (Gerrit)

      May 13, 2022, 11:46:53 AM5/13/22
      to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

      Attention is currently required from: Ian Lance Taylor, Katie Hockman, Keith Randall, Keith Randall, Khaled Yakdan, Michael Knyszek, Michael Pratt, Roland Shoemaker.

      Gerrit Bot uploaded patch set #11 to this change.


      cmd/compile: support libFuzzer value profiling mode for integer compares

      libFuzzer provides a special mode known as “value profiling” in which it
      tracks the bit-wise progress made by the fuzzer in satisfying tracked
      comparisons. Furthermore, libFuzzer uses the value of the return address
      in its hooks to distinguish the progress for different comparisons.

      The original implementation of the interception for integer comparisons
      in Go simply called the libFuzzer hooks from a function written in Go
      assembly. The libFuzzer hooks thus always see the same return address
      (i.e., the address of the call instruction in the assembly snippet) and
      thus can’t distinguish individual comparisons anymore. This drastically
      reduces the usefulness of value profiling.

      This is fixed by using an assembly trampoline that injects synthetic but
      valid return addresses on the stack before calling the libFuzzer hook,
      otherwise preserving the calling convention of the respective platform
      (for starters, x86_64 Windows or Unix). These fake PCs are generated
      deterministically based on the location of the compare instruction in
      the IR representation.

      Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      GitHub-Last-Rev: bd20788b449155029373ae4172f1af2e8bda2648

      GitHub-Pull-Request: golang/go#51321
      ---
      M src/cmd/compile/internal/typecheck/builtin.go
      M src/cmd/compile/internal/typecheck/builtin/runtime.go
      M src/cmd/compile/internal/walk/compare.go
      M src/internal/fuzz/trace.go
      M src/runtime/libfuzzer.go
      M src/runtime/libfuzzer_amd64.s
      M src/runtime/libfuzzer_arm64.s
      7 files changed, 213 insertions(+), 48 deletions(-)


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 11
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-MessageType: newpatchset

      Khaled Yakdan (Gerrit)

      May 13, 2022, 11:48:21 AM5/13/22
      to Gerrit Bot, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, golang-co...@googlegroups.com

      Attention is currently required from: Cherry Mui, Ian Lance Taylor, Katie Hockman, Keith Randall, Keith Randall, Michael Knyszek, Michael Pratt, Roland Shoemaker.


      1 comment:

      • File src/runtime/libfuzzer_arm64.s:

        • > end_of_function is no longer a leaf function […]

          Thanks for the clarification. I've updated the code so that the original return address is saved into a local variable that is used to restore the original value of R30 before returning. Could you have a look?


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 11
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-Comment-Date: Fri, 13 May 2022 15:48:15 +0000

      Cherry Mui (Gerrit)

      May 13, 2022, 2:24:00 PM5/13/22
      to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, golang-co...@googlegroups.com

      Attention is currently required from: Ian Lance Taylor, Katie Hockman, Keith Randall, Keith Randall, Khaled Yakdan, Michael Knyszek, Michael Pratt, Roland Shoemaker.


      3 comments:

      • File src/runtime/libfuzzer_arm64.s:

        • Thanks for the clarification. […]

          This probably will work. But I feel that it is clearer if we use a list of calls, instead of a list of return addresses. I think manually computing the entry address is easier to follow than computing the return address. Maybe something like

          TEXT calls<>(SB),NOSPLIT,$0-0
          CALL (R9)
          JMP end
          CALL (R9)
          JMP end
          ... // repeat
          end:
          RET


          In the main function you can just do

          MOVD $calls<>(SB), R20 // R20 is an arbitrary scratch register
          ADD R8<<3, R20 // add offset*8 (CALL+JMP is 8 bytes)
          CALL (R20)

          // old code continues here
          MOVD R19, RSP
          RET

      • File src/runtime/libfuzzer_arm64.s:

        • Patch Set #11, Line 29: MOVD fakePC+24(FP), R8

          Minor: use tab between instruction name and operands. Thanks.

        • Patch Set #11, Line 45: ADR $16, R30

          I think ADR takes a label instead of an offset. However the assembler is buggy. I have a CL to fix that.


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 11
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Comment-Date: Fri, 13 May 2022 18:23:56 +0000

      Khaled Yakdan (Gerrit)

      May 13, 2022, 5:01:45 PM5/13/22
      to Gerrit Bot, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, golang-co...@googlegroups.com



      3 comments:

      • File src/runtime/libfuzzer_arm64.s:

        • This probably will work. […]

This was one of the ideas I thought about, and it would have a negative impact on the fuzzing performance. With the proposed approach, the return addresses would have a granularity of 8 bytes (each call+jump pair takes 8 bytes), so the three least significant bits would be fixed for all of them. With the JUMP approach, the return addresses have a granularity of 4 bytes. This gives us one more bit that we can influence with fakePC, and as a result the value profiling mode of libFuzzer would be more effective.

      • File src/runtime/libfuzzer_arm64.s:

        • Changed.

        • I think ADR takes a label instead of an offset. However the assembler is buggy. […]

Should I change this to `ADR ret_sled, R30`, where ret_sled is the label at the start of the return sled?


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 11
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-Comment-Date: Fri, 13 May 2022 21:01:38 +0000

      Gerrit Bot (Gerrit)

      May 13, 2022, 5:04:08 PM5/13/22
      to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com


      Gerrit Bot uploaded patch set #12 to this change.


      cmd/compile: support libFuzzer value profiling mode for integer compares

      libFuzzer provides a special mode known as “value profiling” in which it
      tracks the bit-wise progress made by the fuzzer in satisfying tracked
      comparisons. Furthermore, libFuzzer uses the value of the return address
      in its hooks to distinguish the progress for different comparisons.

      The original implementation of the interception for integer comparisons
      in Go simply called the libFuzzer hooks from a function written in Go
      assembly. The libFuzzer hooks thus always see the same return address
      (i.e., the address of the call instruction in the assembly snippet) and
      thus can’t distinguish individual comparisons anymore. This drastically
      reduces the usefulness of value profiling.

      This is fixed by using an assembly trampoline that injects synthetic but
      valid return addresses on the stack before calling the libFuzzer hook,
      otherwise preserving the calling convention of the respective platform
(x86_64 Windows or Unix, and arm64). These fake PCs are generated
      deterministically based on the location of the compare instruction in
      the IR representation.

      Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      GitHub-Last-Rev: fbb34866973f49e002cabfb1d01b57680640d53a

      GitHub-Pull-Request: golang/go#51321
      ---
      M src/cmd/compile/internal/typecheck/builtin.go
      M src/cmd/compile/internal/typecheck/builtin/runtime.go
      M src/cmd/compile/internal/walk/compare.go
      M src/internal/fuzz/trace.go
      M src/runtime/libfuzzer.go
      M src/runtime/libfuzzer_amd64.s
      M src/runtime/libfuzzer_arm64.s
      7 files changed, 213 insertions(+), 48 deletions(-)


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 12
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Keith Randall <k...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-MessageType: newpatchset

      Keith Randall (Gerrit)

      May 16, 2022, 1:08:12 PM5/16/22
      to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, golang-co...@googlegroups.com


      Patch set 12:Code-Review +2


      1 comment:


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 12
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-Comment-Date: Mon, 16 May 2022 17:08:07 +0000

      Keith Randall (Gerrit)

      May 17, 2022, 2:55:46 AM5/17/22
      to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Knyszek, Michael Pratt, golang-co...@googlegroups.com



      4 comments:

      • File src/runtime/libfuzzer_amd64.s:

        • Added!

          Done

      • File src/runtime/libfuzzer_arm64.s:

        • This was one of the ideas I thought about, and it would have a negative impact on the fuzzing perfor […]

          Done

      • File src/runtime/libfuzzer_arm64.s:

        • Changed.

          Done

        • Should I change this to `ARD ret_sled, R30` where ret_sled is the label of the start of the return s […]

          Done


      Gerrit-Project: go
      Gerrit-Branch: master
      Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
      Gerrit-Change-Number: 387336
      Gerrit-PatchSet: 12
      Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
      Gerrit-Reviewer: Cherry Mui <cher...@google.com>
      Gerrit-Reviewer: Gopher Robot <go...@golang.org>
      Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@golang.org>
      Gerrit-Reviewer: Keith Randall <k...@google.com>
      Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
      Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
      Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
      Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
      Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Michael Knyszek <mkny...@google.com>
      Gerrit-Attention: Michael Pratt <mpr...@google.com>
      Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
      Gerrit-Attention: Keith Randall <k...@google.com>
      Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
      Gerrit-Attention: Katie Hockman <ka...@golang.org>
      Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
      Gerrit-Attention: Cherry Mui <cher...@google.com>
      Gerrit-Comment-Date: Tue, 17 May 2022 06:55:41 +0000
      Gerrit-HasComments: Yes
      Gerrit-Has-Labels: No
      Comment-In-Reply-To: Khaled Yakdan <yak...@code-intelligence.com>
      Comment-In-Reply-To: Ian Lance Taylor <ia...@golang.org>

      Michael Knyszek (Gerrit)

      May 17, 2022, 3:57:55 PM5/17/22
      to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, Michael Pratt, golang-co...@googlegroups.com


      Patch set 12:Code-Review +1



        Gerrit-Project: go
        Gerrit-Branch: master
        Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
        Gerrit-Change-Number: 387336
        Gerrit-PatchSet: 12
        Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
        Gerrit-Reviewer: Cherry Mui <cher...@google.com>
        Gerrit-Reviewer: Gopher Robot <go...@golang.org>
        Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
        Gerrit-Reviewer: Keith Randall <k...@golang.org>
        Gerrit-Reviewer: Keith Randall <k...@google.com>
        Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
        Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
        Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
        Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
        Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
        Gerrit-Attention: Michael Pratt <mpr...@google.com>
        Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
        Gerrit-Attention: Keith Randall <k...@google.com>
        Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
        Gerrit-Attention: Katie Hockman <ka...@golang.org>
        Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
        Gerrit-Attention: Cherry Mui <cher...@google.com>
        Gerrit-Comment-Date: Tue, 17 May 2022 19:57:52 +0000

        Gerrit Bot (Gerrit)

        May 18, 2022, 4:54:53 AM5/18/22
        to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com


        Gerrit Bot uploaded patch set #13 to this change.


        cmd/compile: support libFuzzer value profiling mode for integer compares

        libFuzzer provides a special mode known as “value profiling” in which it
        tracks the bit-wise progress made by the fuzzer in satisfying tracked
        comparisons. Furthermore, libFuzzer uses the value of the return address
        in its hooks to distinguish the progress for different comparisons.

        The original implementation of the interception for integer comparisons
        in Go simply called the libFuzzer hooks from a function written in Go
        assembly. The libFuzzer hooks thus always see the same return address
        (i.e., the address of the call instruction in the assembly snippet) and
        thus can’t distinguish individual comparisons anymore. This drastically
        reduces the usefulness of value profiling.

        This is fixed by using an assembly trampoline that injects synthetic but
        valid return addresses on the stack before calling the libFuzzer hook,
        otherwise preserving the calling convention of the respective platform
(x86_64 Windows or Unix, and arm64). These fake PCs are generated
        deterministically based on the location of the compare instruction in
        the IR representation.

        Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
        GitHub-Last-Rev: 9de7b559a5fd3184cb2b6714e7c81a8bebac0772
        GitHub-Pull-Request: golang/go#51321
        ---
        M src/cmd/compile/internal/gc/obj.go
        M src/cmd/compile/internal/ir/name.go
        M src/cmd/compile/internal/ssa/writebarrier.go

        M src/cmd/compile/internal/typecheck/builtin.go
        M src/cmd/compile/internal/typecheck/builtin/runtime.go
        M src/cmd/compile/internal/walk/compare.go
        M src/cmd/compile/internal/walk/expr.go
        M src/cmd/compile/internal/walk/order.go
        M src/cmd/internal/goobj/builtinlist.go
        M src/cmd/internal/objabi/symkind.go
        M src/cmd/internal/objabi/symkind_string.go
        M src/cmd/link/internal/ld/data.go
        M src/cmd/link/internal/ld/elf.go
        M src/cmd/link/internal/ld/xcoff.go
        M src/cmd/link/internal/sym/symkind.go
        M src/cmd/link/internal/sym/symkind_string.go

        M src/internal/fuzz/trace.go
        M src/runtime/libfuzzer.go
        M src/runtime/libfuzzer_amd64.s
        M src/runtime/libfuzzer_arm64.s
        20 files changed, 480 insertions(+), 102 deletions(-)


        Gerrit-Project: go
        Gerrit-Branch: master
        Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
        Gerrit-Change-Number: 387336
        Gerrit-PatchSet: 13
        Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
        Gerrit-Reviewer: Cherry Mui <cher...@google.com>
        Gerrit-Reviewer: Gopher Robot <go...@golang.org>
        Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
        Gerrit-Reviewer: Keith Randall <k...@golang.org>
        Gerrit-Reviewer: Keith Randall <k...@google.com>
        Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
        Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
        Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
        Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
        Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
        Gerrit-Attention: Michael Pratt <mpr...@google.com>
        Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
        Gerrit-Attention: Keith Randall <k...@google.com>
        Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
        Gerrit-Attention: Katie Hockman <ka...@golang.org>
        Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
        Gerrit-Attention: Cherry Mui <cher...@google.com>
        Gerrit-MessageType: newpatchset

        Gerrit Bot (Gerrit)

        May 20, 2022, 6:10:13 PM5/20/22
        to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com


        Gerrit Bot uploaded patch set #14 to this change.


        cmd/compile: support libFuzzer value profiling mode for integer compares

        libFuzzer provides a special mode known as “value profiling” in which it
        tracks the bit-wise progress made by the fuzzer in satisfying tracked
        comparisons. Furthermore, libFuzzer uses the value of the return address
        in its hooks to distinguish the progress for different comparisons.

        The original implementation of the interception for integer comparisons
        in Go simply called the libFuzzer hooks from a function written in Go
        assembly. The libFuzzer hooks thus always see the same return address
        (i.e., the address of the call instruction in the assembly snippet) and
        thus can’t distinguish individual comparisons anymore. This drastically
        reduces the usefulness of value profiling.

        This is fixed by using an assembly trampoline that injects synthetic but
        valid return addresses on the stack before calling the libFuzzer hook,
        otherwise preserving the calling convention of the respective platform
(x86_64 Windows or Unix, and arm64). These fake PCs are generated
        deterministically based on the location of the compare instruction in
        the IR representation.

        Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
        GitHub-Last-Rev: 642b0319c8a80d4b8f0dbe3fb3a7325448eecbeb
        GitHub-Pull-Request: golang/go#51321
        ---

        M src/cmd/compile/internal/typecheck/builtin.go
        M src/cmd/compile/internal/typecheck/builtin/runtime.go
        M src/cmd/compile/internal/walk/compare.go
        M src/cmd/compile/internal/walk/expr.go
        M src/cmd/internal/goobj/builtinlist.go

        M src/internal/fuzz/trace.go
        M src/runtime/libfuzzer.go
        M src/runtime/libfuzzer_amd64.s
        M src/runtime/libfuzzer_arm64.s
        9 files changed, 340 insertions(+), 49 deletions(-)


        Gerrit-Project: go
        Gerrit-Branch: master
        Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
        Gerrit-Change-Number: 387336
        Gerrit-PatchSet: 14
        Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
        Gerrit-Reviewer: Cherry Mui <cher...@google.com>
        Gerrit-Reviewer: Gopher Robot <go...@golang.org>
        Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
        Gerrit-Reviewer: Keith Randall <k...@golang.org>
        Gerrit-Reviewer: Keith Randall <k...@google.com>
        Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
        Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
        Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
        Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>

        Keith Randall (Gerrit)

        May 20, 2022, 6:11:54 PM5/20/22
        to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Keith Randall, Gopher Robot, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com


        Patch set 14:Run-TryBot +1Code-Review +2



          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 14
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Attention: Keith Randall <k...@google.com>
          Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
          Gerrit-Attention: Katie Hockman <ka...@golang.org>
          Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
          Gerrit-Attention: Cherry Mui <cher...@google.com>
          Gerrit-Comment-Date: Fri, 20 May 2022 22:11:50 +0000

          Keith Randall (Gerrit)

          May 20, 2022, 6:31:18 PM5/20/22
          to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com



          1 comment:


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 14
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Attention: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Attention: Keith Randall <k...@google.com>
          Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
          Gerrit-Attention: Katie Hockman <ka...@golang.org>
          Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
          Gerrit-Attention: Cherry Mui <cher...@google.com>
          Gerrit-Comment-Date: Fri, 20 May 2022 22:31:14 +0000
          Gerrit-HasComments: Yes
          Gerrit-Has-Labels: No
          Gerrit-MessageType: comment

          Khaled Yakdan (Gerrit)

          May 20, 2022, 6:43:24 PM5/20/22
          to Gerrit Bot, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com



          1 comment:

          • Patchset:

            • Done!


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 14
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Attention: Keith Randall <k...@google.com>
          Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
          Gerrit-Attention: Katie Hockman <ka...@golang.org>
          Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
          Gerrit-Attention: Cherry Mui <cher...@google.com>
          Gerrit-Comment-Date: Fri, 20 May 2022 22:43:19 +0000
          Gerrit-HasComments: Yes
          Gerrit-Has-Labels: No

          Gerrit Bot (Gerrit)

          May 20, 2022, 6:44:10 PM5/20/22
          to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com


          Gerrit Bot uploaded patch set #15 to this change.


          The following approvals got outdated and were removed: Run-TryBot+1 by Keith Randall, TryBot-Result+1 by Gopher Robot

          cmd/compile: support libFuzzer value profiling mode for integer compares


          libFuzzer provides a special mode known as “value profiling” in which it
          tracks the bit-wise progress made by the fuzzer in satisfying tracked
          comparisons. Furthermore, libFuzzer uses the value of the return address
          in its hooks to distinguish the progress for different comparisons.

          The original implementation of the interception for integer comparisons
          in Go simply called the libFuzzer hooks from a function written in Go
          assembly. The libFuzzer hooks thus always see the same return address
          (i.e., the address of the call instruction in the assembly snippet) and
          thus can’t distinguish individual comparisons anymore. This drastically
          reduces the usefulness of value profiling.

          This is fixed by using an assembly trampoline that injects synthetic but
          valid return addresses on the stack before calling the libFuzzer hook,
          otherwise preserving the calling convention of the respective platform
(x86_64 Windows or Unix, and arm64). These fake PCs are generated
          deterministically based on the location of the compare instruction in
          the IR representation.

          Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          GitHub-Last-Rev: b536eb3544d2739826c42377464a8e1715e0d8a5

          GitHub-Pull-Request: golang/go#51321
          ---
          M src/cmd/compile/internal/typecheck/builtin.go
          M src/cmd/compile/internal/typecheck/builtin/runtime.go
          M src/cmd/compile/internal/walk/compare.go
          M src/internal/fuzz/trace.go
          M src/runtime/libfuzzer.go
          M src/runtime/libfuzzer_amd64.s
          M src/runtime/libfuzzer_arm64.s
          7 files changed, 195 insertions(+), 57 deletions(-)


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 15
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Attention: Keith Randall <k...@google.com>
          Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
          Gerrit-Attention: Katie Hockman <ka...@golang.org>
          Gerrit-Attention: Keith Randall <k...@golang.org>
          Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
          Gerrit-Attention: Cherry Mui <cher...@google.com>
          Gerrit-MessageType: newpatchset

          Gerrit Bot (Gerrit)

          May 23, 2022, 11:04:32 AM5/23/22
          to Khaled Yakdan, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com


          Gerrit Bot uploaded patch set #16 to this change.


          cmd/compile: support libFuzzer value profiling mode for integer compares


          libFuzzer provides a special mode known as “value profiling” in which it
          tracks the bit-wise progress made by the fuzzer in satisfying tracked
          comparisons. Furthermore, libFuzzer uses the value of the return address
          in its hooks to distinguish the progress for different comparisons.

          The original implementation of the interception for integer comparisons
          in Go simply called the libFuzzer hooks from a function written in Go
          assembly. The libFuzzer hooks thus always see the same return address
          (i.e., the address of the call instruction in the assembly snippet) and
          thus can’t distinguish individual comparisons anymore. This drastically
          reduces the usefulness of value profiling.

          This is fixed by using an assembly trampoline that injects synthetic but
          valid return addresses on the stack before calling the libFuzzer hook,
          otherwise preserving the calling convention of the respective platform
          (for starters, x86_64 Windows or Unix). These fake PCs are generated
          deterministically based on the location of the compare instruction in
          the IR representation.

          Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          GitHub-Last-Rev: f9184baafd507eb4c31f7d99b3894595689d8f89

          GitHub-Pull-Request: golang/go#51321
          ---
          M src/cmd/compile/internal/typecheck/builtin.go
          M src/cmd/compile/internal/typecheck/builtin/runtime.go
          M src/cmd/compile/internal/walk/compare.go
          M src/internal/fuzz/trace.go
          M src/runtime/libfuzzer.go
          M src/runtime/libfuzzer_amd64.s
          M src/runtime/libfuzzer_arm64.s
          7 files changed, 195 insertions(+), 57 deletions(-)


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 16
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Attention: Keith Randall <k...@google.com>
          Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>

          Khaled Yakdan (Gerrit)

          May 23, 2022, 11:06:00 AM5/23/22
          to Gerrit Bot, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com



          1 comment:

          • Patchset:

            • Patch Set #14:

              Done!

I've rebased on master now that the CL fixing the fuzz tests has been merged.


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 16
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Attention: Keith Randall <k...@google.com>
          Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
          Gerrit-Attention: Keith Randall <k...@golang.org>
          Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
          Gerrit-Attention: Cherry Mui <cher...@google.com>
          Gerrit-Comment-Date: Mon, 23 May 2022 15:05:54 +0000
          Gerrit-HasComments: Yes
          Gerrit-Has-Labels: No
          Comment-In-Reply-To: Khaled Yakdan <yak...@code-intelligence.com>

          Keith Randall (Gerrit)

          May 23, 2022, 11:43:29 AM5/23/22
          to Gerrit Bot, Khaled Yakdan, goph...@pubsubhelper.golang.org, Keith Randall, Gopher Robot, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com


          Patch set 16:Run-TryBot +1Code-Review +2


          1 comment:

          • Patchset:


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 16
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Attention: Keith Randall <k...@google.com>
          Gerrit-Attention: Ian Lance Taylor <ia...@golang.org>
          Gerrit-Attention: Roland Shoemaker <rol...@golang.org>
          Gerrit-Attention: Cherry Mui <cher...@google.com>
          Gerrit-Comment-Date: Mon, 23 May 2022 15:43:24 +0000

          Keith Randall (Gerrit)

          May 23, 2022, 12:21:29 PM5/23/22
          to Gerrit Bot, Khaled Yakdan, Keith Randall, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Gopher Robot, Michael Knyszek, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com

          Keith Randall submitted this change.



          Approvals: Gopher Robot: TryBots succeeded Keith Randall: Looks good to me, approved; Run TryBots Michael Knyszek: Looks good to me, but someone else must approve Keith Randall: Looks good to me, but someone else must approve
          cmd/compile: support libFuzzer value profiling mode for integer compares

          libFuzzer provides a special mode known as “value profiling” in which it
          tracks the bit-wise progress made by the fuzzer in satisfying tracked
          comparisons. Furthermore, libFuzzer uses the value of the return address
          in its hooks to distinguish the progress for different comparisons.

          The original implementation of the interception for integer comparisons
          in Go simply called the libFuzzer hooks from a function written in Go
          assembly. The libFuzzer hooks thus always see the same return address
          (i.e., the address of the call instruction in the assembly snippet) and
          thus can’t distinguish individual comparisons anymore. This drastically
          reduces the usefulness of value profiling.

          This is fixed by using an assembly trampoline that injects synthetic but
          valid return addresses on the stack before calling the libFuzzer hook,
          otherwise preserving the calling convention of the respective platform
          (for starters, x86_64 Windows or Unix). These fake PCs are generated
          deterministically based on the location of the compare instruction in
          the IR representation.

          Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          GitHub-Last-Rev: f9184baafd507eb4c31f7d99b3894595689d8f89
          GitHub-Pull-Request: golang/go#51321
          Reviewed-on: https://go-review.googlesource.com/c/go/+/387336
          Reviewed-by: Michael Knyszek <mkny...@google.com>
          TryBot-Result: Gopher Robot <go...@golang.org>
          Run-TryBot: Keith Randall <k...@golang.org>
          Reviewed-by: Keith Randall <k...@golang.org>
          Reviewed-by: Keith Randall <k...@google.com>

          ---
          M src/cmd/compile/internal/typecheck/builtin.go
          M src/cmd/compile/internal/typecheck/builtin/runtime.go
          M src/cmd/compile/internal/walk/compare.go
          M src/internal/fuzz/trace.go
          M src/runtime/libfuzzer.go
          M src/runtime/libfuzzer_amd64.s
          M src/runtime/libfuzzer_arm64.s
          7 files changed, 201 insertions(+), 57 deletions(-)

          diff --git a/src/cmd/compile/internal/typecheck/builtin.go b/src/cmd/compile/internal/typecheck/builtin.go
          index e452f23..b2c8b57 100644
          --- a/src/cmd/compile/internal/typecheck/builtin.go
          +++ b/src/cmd/compile/internal/typecheck/builtin.go
          @@ -376,10 +376,10 @@
          typs[142] = newSig(params(typs[7], typs[1], typs[5]), nil)
          typs[143] = types.NewSlice(typs[7])
          typs[144] = newSig(params(typs[7], typs[143]), nil)
          - typs[145] = newSig(params(typs[66], typs[66]), nil)
          - typs[146] = newSig(params(typs[60], typs[60]), nil)
          - typs[147] = newSig(params(typs[62], typs[62]), nil)
          - typs[148] = newSig(params(typs[24], typs[24]), nil)
          + typs[145] = newSig(params(typs[66], typs[66], typs[15]), nil)
          + typs[146] = newSig(params(typs[60], typs[60], typs[15]), nil)
          + typs[147] = newSig(params(typs[62], typs[62], typs[15]), nil)
          + typs[148] = newSig(params(typs[24], typs[24], typs[15]), nil)
          typs[149] = newSig(params(typs[28], typs[28], typs[15]), nil)
          return typs[:]
          }
          diff --git a/src/cmd/compile/internal/typecheck/builtin/runtime.go b/src/cmd/compile/internal/typecheck/builtin/runtime.go
          index 97b8318..2a07ea1 100644
          --- a/src/cmd/compile/internal/typecheck/builtin/runtime.go
          +++ b/src/cmd/compile/internal/typecheck/builtin/runtime.go
          @@ -259,14 +259,14 @@
          func checkptrAlignment(unsafe.Pointer, *byte, uintptr)
          func checkptrArithmetic(unsafe.Pointer, []unsafe.Pointer)

          -func libfuzzerTraceCmp1(uint8, uint8)
          -func libfuzzerTraceCmp2(uint16, uint16)
          -func libfuzzerTraceCmp4(uint32, uint32)
          -func libfuzzerTraceCmp8(uint64, uint64)
          -func libfuzzerTraceConstCmp1(uint8, uint8)
          -func libfuzzerTraceConstCmp2(uint16, uint16)
          -func libfuzzerTraceConstCmp4(uint32, uint32)
          -func libfuzzerTraceConstCmp8(uint64, uint64)
          +func libfuzzerTraceCmp1(uint8, uint8, int)
          +func libfuzzerTraceCmp2(uint16, uint16, int)
          +func libfuzzerTraceCmp4(uint32, uint32, int)
          +func libfuzzerTraceCmp8(uint64, uint64, int)
          +func libfuzzerTraceConstCmp1(uint8, uint8, int)
          +func libfuzzerTraceConstCmp2(uint16, uint16, int)
          +func libfuzzerTraceConstCmp4(uint32, uint32, int)
          +func libfuzzerTraceConstCmp8(uint64, uint64, int)
          func libfuzzerHookStrCmp(string, string, int)
          func libfuzzerHookEqualFold(string, string, int)

          diff --git a/src/cmd/compile/internal/walk/compare.go b/src/cmd/compile/internal/walk/compare.go
          index b02cf22..6a8ad56 100644
          --- a/src/cmd/compile/internal/walk/compare.go
          +++ b/src/cmd/compile/internal/walk/compare.go
          @@ -153,7 +153,7 @@
          default:
          base.Fatalf("unexpected integer size %d for %v", t.Size(), t)
          }
          - init.Append(mkcall(fn, nil, init, tracecmpArg(l, paramType, init), tracecmpArg(r, paramType, init)))
          + init.Append(mkcall(fn, nil, init, tracecmpArg(l, paramType, init), tracecmpArg(r, paramType, init), fakePC(n)))
          }
          return n
          case types.TARRAY:
          diff --git a/src/internal/fuzz/trace.go b/src/internal/fuzz/trace.go
          index 3aa684b..5e3cccc 100644
          --- a/src/internal/fuzz/trace.go
          +++ b/src/internal/fuzz/trace.go
          @@ -21,15 +21,15 @@
          //go:linkname libfuzzerHookStrCmp runtime.libfuzzerHookStrCmp
          //go:linkname libfuzzerHookEqualFold runtime.libfuzzerHookEqualFold

          -func libfuzzerTraceCmp1(arg0, arg1 uint8) {}
          -func libfuzzerTraceCmp2(arg0, arg1 uint16) {}
          -func libfuzzerTraceCmp4(arg0, arg1 uint32) {}
          -func libfuzzerTraceCmp8(arg0, arg1 uint64) {}
          +func libfuzzerTraceCmp1(arg0, arg1 uint8, fakePC int) {}
          +func libfuzzerTraceCmp2(arg0, arg1 uint16, fakePC int) {}
          +func libfuzzerTraceCmp4(arg0, arg1 uint32, fakePC int) {}
          +func libfuzzerTraceCmp8(arg0, arg1 uint64, fakePC int) {}

          -func libfuzzerTraceConstCmp1(arg0, arg1 uint8) {}
          -func libfuzzerTraceConstCmp2(arg0, arg1 uint16) {}
          -func libfuzzerTraceConstCmp4(arg0, arg1 uint32) {}
          -func libfuzzerTraceConstCmp8(arg0, arg1 uint64) {}
          +func libfuzzerTraceConstCmp1(arg0, arg1 uint8, fakePC int) {}
          +func libfuzzerTraceConstCmp2(arg0, arg1 uint16, fakePC int) {}
          +func libfuzzerTraceConstCmp4(arg0, arg1 uint32, fakePC int) {}
          +func libfuzzerTraceConstCmp8(arg0, arg1 uint64, fakePC int) {}

          func libfuzzerHookStrCmp(arg0, arg1 string, fakePC int) {}
          func libfuzzerHookEqualFold(arg0, arg1 string, fakePC int) {}
          diff --git a/src/runtime/libfuzzer.go b/src/runtime/libfuzzer.go
          index c136eaf..09e84d7 100644
          --- a/src/runtime/libfuzzer.go
          +++ b/src/runtime/libfuzzer.go
          @@ -9,39 +9,50 @@
          import "unsafe"

          func libfuzzerCallWithTwoByteBuffers(fn, start, end *byte)
          +func libfuzzerCallTraceIntCmp(fn *byte, arg0, arg1, fakePC uintptr)
          func libfuzzerCall4(fn *byte, fakePC uintptr, s1, s2 unsafe.Pointer, result uintptr)
          -func libfuzzerCall(fn *byte, arg0, arg1 uintptr)
          +// Keep in sync with the definition of ret_sled in src/runtime/libfuzzer_amd64.s
          +const retSledSize = 512

          -func libfuzzerTraceCmp1(arg0, arg1 uint8) {
          - libfuzzerCall(&__sanitizer_cov_trace_cmp1, uintptr(arg0), uintptr(arg1))
          +
          +func libfuzzerTraceCmp1(arg0, arg1 uint8, fakePC int) {
          + fakePC = fakePC % retSledSize
          + libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_cmp1, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
          }

          -func libfuzzerTraceCmp2(arg0, arg1 uint16) {
          - libfuzzerCall(&__sanitizer_cov_trace_cmp2, uintptr(arg0), uintptr(arg1))
          +func libfuzzerTraceCmp2(arg0, arg1 uint16, fakePC int) {
          + fakePC = fakePC % retSledSize
          + libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_cmp2, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
          }

          -func libfuzzerTraceCmp4(arg0, arg1 uint32) {
          - libfuzzerCall(&__sanitizer_cov_trace_cmp4, uintptr(arg0), uintptr(arg1))
          +func libfuzzerTraceCmp4(arg0, arg1 uint32, fakePC int) {
          + fakePC = fakePC % retSledSize
          + libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_cmp4, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
          }

          -func libfuzzerTraceCmp8(arg0, arg1 uint64) {
          - libfuzzerCall(&__sanitizer_cov_trace_cmp8, uintptr(arg0), uintptr(arg1))
          +func libfuzzerTraceCmp8(arg0, arg1 uint64, fakePC int) {
          + fakePC = fakePC % retSledSize
          + libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_cmp8, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
          }

          -func libfuzzerTraceConstCmp1(arg0, arg1 uint8) {
          - libfuzzerCall(&__sanitizer_cov_trace_const_cmp1, uintptr(arg0), uintptr(arg1))
          +func libfuzzerTraceConstCmp1(arg0, arg1 uint8, fakePC int) {
          + fakePC = fakePC % retSledSize
          + libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_const_cmp1, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
          }

          -func libfuzzerTraceConstCmp2(arg0, arg1 uint16) {
          - libfuzzerCall(&__sanitizer_cov_trace_const_cmp2, uintptr(arg0), uintptr(arg1))
          +func libfuzzerTraceConstCmp2(arg0, arg1 uint16, fakePC int) {
          + fakePC = fakePC % retSledSize
          + libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_const_cmp2, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
          }

          -func libfuzzerTraceConstCmp4(arg0, arg1 uint32) {
          - libfuzzerCall(&__sanitizer_cov_trace_const_cmp4, uintptr(arg0), uintptr(arg1))
          +func libfuzzerTraceConstCmp4(arg0, arg1 uint32, fakePC int) {
          + fakePC = fakePC % retSledSize
          + libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_const_cmp4, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
          }

          -func libfuzzerTraceConstCmp8(arg0, arg1 uint64) {
          - libfuzzerCall(&__sanitizer_cov_trace_const_cmp8, uintptr(arg0), uintptr(arg1))
          +func libfuzzerTraceConstCmp8(arg0, arg1 uint64, fakePC int) {
          + fakePC = fakePC % retSledSize
          + libfuzzerCallTraceIntCmp(&__sanitizer_cov_trace_const_cmp8, uintptr(arg0), uintptr(arg1), uintptr(fakePC))
          }

          var pcTables []byte
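Review bot: `fakePC = fakePC % retSledSize`, repeated in all eight hooks, is a signed remainder: Go keeps the dividend's sign, so a negative fakePC stays negative, `uintptr(fakePC)` then wraps to a huge value, and the assembly adds it to the sled base and jumps there without any range check. Whether the compiler-generated fakePC argument can ever be negative is not visible in this hunk, but the runtime should not have to rely on it; since retSledSize is a power of two, passing `uintptr(fakePC)&(retSledSize-1)` straight to libfuzzerCallTraceIntCmp is always in [0, 512) and drops the separate reassignment line from each hook. The comment on retSledSize should also name src/runtime/libfuzzer_arm64.s, whose sled of 128 four-byte instructions must stay at the same 512-byte length, e.g. `// retSledSize is the byte length of ret_sled; keep in sync with libfuzzer_amd64.s and libfuzzer_arm64.s.`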
          diff --git a/src/runtime/libfuzzer_amd64.s b/src/runtime/libfuzzer_amd64.s
          index 032821f..65ac7a3 100644
          --- a/src/runtime/libfuzzer_amd64.s
          +++ b/src/runtime/libfuzzer_amd64.s
          @@ -13,8 +13,8 @@
          #ifdef GOOS_windows
          #define RARG0 CX
          #define RARG1 DX
          -#define RARG0 R8
          -#define RARG1 R9
          +#define RARG2 R8
          +#define RARG3 R9
          #else
          #define RARG0 DI
          #define RARG1 SI
          @@ -47,12 +47,39 @@
          MOVQ R12, SP
          RET

          -// void runtime·libfuzzerCallTraceInit(fn, start, end *byte)
          -// Calls C function fn from libFuzzer and passes 2 arguments to it.
          -TEXT runtime·libfuzzerCall(SB), NOSPLIT, $0-24
          +// void runtime·libfuzzerCallTraceIntCmp(fn, arg0, arg1, fakePC uintptr)
          +// Calls C function fn from libFuzzer and passes 2 arguments to it after
          +// manipulating the return address so that libfuzzer's integer compare hooks
          +// work
          +// libFuzzer's compare hooks obtain the caller's address from the compiler
          +// builtin __builtin_return_adress. Since we invoke the hooks always
          +// from the same native function, this builtin would always return the same
          +// value. Internally, the libFuzzer hooks call through to the always inlined
          +// HandleCmp and thus can't be mimicked without patching libFuzzer.
          +//
          +// We solve this problem via an inline assembly trampoline construction that
          +// translates a runtime argument `fake_pc` in the range [0, 512) into a call to
          +// a hook with a fake return address whose lower 9 bits are `fake_pc` up to a
          +// constant shift. This is achieved by pushing a return address pointing into
          +// 512 ret instructions at offset `fake_pc` onto the stack and then jumping
          +// directly to the address of the hook.
          +//
          +// Note: We only set the lowest 9 bits of the return address since only these
          +// bits are used by the libFuzzer value profiling mode for integer compares, see
          +// https://github.com/llvm/llvm-project/blob/704d92607d26e696daba596b72cb70effe79a872/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp#L390
          +// as well as
          +// https://github.com/llvm/llvm-project/blob/704d92607d26e696daba596b72cb70effe79a872/compiler-rt/lib/fuzzer/FuzzerValueBitMap.h#L34
          +// ValueProfileMap.AddValue() truncates its argument to 16 bits and shifts the
          +// PC to the left by log_2(128)=7, which means that only the lowest 16 - 7 bits
          +// of the return address matter. String compare hooks use the lowest 12 bits,
          +// but take the return address as an argument and thus don't require the
          +// indirection through a trampoline.
          +// TODO: Remove the inline assembly trampoline once a PC argument has been added to libfuzzer's int compare hooks.
          +TEXT runtime·libfuzzerCallTraceIntCmp(SB), NOSPLIT, $0-32
          MOVQ fn+0(FP), AX
          MOVQ arg0+8(FP), RARG0
          MOVQ arg1+16(FP), RARG1
          + MOVQ fakePC+24(FP), R8

          get_tls(R12)
          MOVQ g(R12), R14
          @@ -66,10 +93,46 @@
          MOVQ (g_sched+gobuf_sp)(R10), SP
          call:
          ANDQ $~15, SP // alignment for gcc ABI
          - CALL AX
          + // Load the address of the end of the function and push it into the stack.
          + // This address will be jumped to after executing the return instruction
          + // from the return sled. There we reset the stack pointer and return.
          + MOVQ $end_of_function<>(SB), BX
          + PUSHQ BX
          + // Load the starting address of the return sled into BX.
          + MOVQ $ret_sled<>(SB), BX
          + // Load the address of the i'th return instruction fron the return sled.
          + // The index is given in the fakePC argument.
          + ADDQ R8, BX
          + PUSHQ BX
          + // Call the original function with the fakePC return address on the stack.
          + // Function arguments arg0 and arg1 are passed in the registers specified
          + // by the x64 calling convention.
          + JMP AX
          +// This code will not be executed and is only there to statisfy assembler
          +// check of a balanced stack.
          +not_reachable:
          + POPQ BX
          + POPQ BX
          + RET
          +
          +TEXT end_of_function<>(SB), NOSPLIT, $0-0
          MOVQ R12, SP
          RET

          +#define REPEAT_8(a) a \
          + a \
          + a \
          + a \
          + a \
          + a \
          + a \
          + a
          +
          +#define REPEAT_512(a) REPEAT_8(REPEAT_8(REPEAT_8(a)))
          +
          +TEXT ret_sled<>(SB), NOSPLIT, $0-0
          + REPEAT_512(RET)
          +
          // void runtime·libfuzzerCallWithTwoByteBuffers(fn, start, end *byte)
          // Calls C function fn from libFuzzer and passes 2 arguments of type *byte to it.
          TEXT runtime·libfuzzerCallWithTwoByteBuffers(SB), NOSPLIT, $0-24
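Review bot: The hook is entered with a misaligned stack: `ANDQ $~15, SP` leaves SP a multiple of 16, the two PUSHQs (end_of_function and the sled address) leave it a multiple of 16 again, and then `JMP AX` transfers control, whereas both the SysV and the Windows x64 ABI require SP+8 to be a multiple of 16 at function entry. The replaced `CALL AX` satisfied that by pushing exactly one word onto the aligned stack; the new sequence pushes two, so any hook that does an aligned SSE spill or otherwise trusts the ABI alignment can fault. Inserting `SUBQ $8, SP` immediately after `ANDQ $~15, SP` restores the invariant (end_of_function still restores SP from the callee-saved R12, so nothing else changes); if the assembler's stack-balance check then complains, the not_reachable block needs a matching `ADDQ $8, SP` before its POPQs. Three typos in the new comments: `__builtin_return_adress`, `fron the return sled`, `statisfy`.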
          diff --git a/src/runtime/libfuzzer_arm64.s b/src/runtime/libfuzzer_arm64.s
          index f9b6791..0729077 100644
          --- a/src/runtime/libfuzzer_arm64.s
          +++ b/src/runtime/libfuzzer_arm64.s
          @@ -14,14 +14,23 @@
          #define RARG2 R2
          #define RARG3 R3

          -// void runtime·libfuzzerCall4(fn, hookId int, s1, s2 unsafe.Pointer, result uintptr)
          -// Calls C function fn from libFuzzer and passes 4 arguments to it.
          -TEXT runtime·libfuzzerCall4(SB), NOSPLIT, $0-40
          +#define REPEAT_2(a) a a
          +#define REPEAT_8(a) REPEAT_2(REPEAT_2(REPEAT_2(a)))
          +#define REPEAT_128(a) REPEAT_2(REPEAT_8(REPEAT_8(a)))
          +
          +// void runtime·libfuzzerCallTraceIntCmp(fn, arg0, arg1, fakePC uintptr)
          +// Calls C function fn from libFuzzer and passes 2 arguments to it after
          +// manipulating the return address so that libfuzzer's integer compare hooks
          +// work.
          +// The problem statment and solution are documented in detail in libfuzzer_amd64.s.
          +// See commentary there.
          +TEXT runtime·libfuzzerCallTraceIntCmp(SB), NOSPLIT, $8-32
          MOVD fn+0(FP), R9
          - MOVD hookId+8(FP), RARG0
          - MOVD s1+16(FP), RARG1
          - MOVD s2+24(FP), RARG2
          - MOVD result+32(FP), RARG3
          + MOVD arg0+8(FP), RARG0
          + MOVD arg1+16(FP), RARG1
          + MOVD fakePC+24(FP), R8
          + // Save the original return address in a local variable
          + MOVD R30, savedRetAddr-8(SP)

          MOVD g_m(g), R10

          @@ -33,16 +42,41 @@
          MOVD (g_sched+gobuf_sp)(R11), R12
          MOVD R12, RSP
          call:
          - BL R9
          + // Load address of the ret sled into the default register for the return
          + // address (offset of four instructions, which means 16 bytes).
          + ADR $16, R30
          + // Clear the lowest 2 bits of fakePC. All ARM64 instructions are four
          + // bytes long, so we cannot get better return address granularity than
          + // multiples of 4.
          + AND $-4, R8, R8
          + // Add the offset of the fake_pc-th ret.
          + ADD R8, R30, R30
          + // Call the function by jumping to it and reusing all registers except
          + // for the modified return address register R30.
          + JMP (R9)
          +
          +// The ret sled for ARM64 consists of 128 br instructions jumping to the
          +// end of the function. Each instruction is 4 bytes long. The sled thus
          +// has the same byte length of 4 * 128 = 512 as the x86_64 sled, but
          +// coarser granularity.
          +#define RET_SLED \
          + JMP end_of_function;
          +
          + REPEAT_128(RET_SLED);
          +
          +end_of_function:
          MOVD R19, RSP
          + MOVD savedRetAddr-8(SP), R30
          RET

          -// func runtime·libfuzzerCall(fn, arg0, arg1 uintptr)
          -// Calls C function fn from libFuzzer and passes 2 arguments to it.
          -TEXT runtime·libfuzzerCall(SB), NOSPLIT, $0-24
          +// void runtime·libfuzzerCall4(fn, hookId int, s1, s2 unsafe.Pointer, result uintptr)
          +// Calls C function fn from libFuzzer and passes 4 arguments to it.
          +TEXT runtime·libfuzzerCall4(SB), NOSPLIT, $0-40
          MOVD fn+0(FP), R9
          - MOVD arg0+8(FP), RARG0
          - MOVD arg1+16(FP), RARG1
          + MOVD hookId+8(FP), RARG0
          + MOVD s1+16(FP), RARG1
          + MOVD s2+24(FP), RARG2
          + MOVD result+32(FP), RARG3

          MOVD g_m(g), R10



          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 17
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-MessageType: merged

          Cherry Mui (Gerrit)

          May 23, 2022, 3:14:12 PM5/23/22
          to Gerrit Bot, Khaled Yakdan, Keith Randall, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com


          3 comments:

          • Patchset:

          • File src/runtime/libfuzzer_arm64.s:

            • Done

              How many bits of the return PC does libfuzzer use as discriminator? Would it be possible to multiply the fake PC by 4 (or 8) as the offset, instead of just losing the lowest bits?

              (As it is already submitted, I think we don't need to rewrite it to CALL+JMP. But if it works it might be a good idea to multiply the fake PC by 4 and have 512 return addresses as AMD64 does.)

          • File src/runtime/libfuzzer_arm64.s:

            • Patch Set #11, Line 45: ADR $16, R30

              Done

              Yes, you'd need to change it to a label. In the current form it doesn't build. "GOARCH=arm64 GOOS=linux go build -tags libfuzzer runtime" fails.


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 17
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Comment-Date: Mon, 23 May 2022 19:14:08 +0000
          Gerrit-HasComments: Yes
          Gerrit-Has-Labels: No
          Comment-In-Reply-To: Khaled Yakdan <yak...@code-intelligence.com>
          Comment-In-Reply-To: Keith Randall <k...@golang.org>

          Khaled Yakdan (Gerrit)

          May 23, 2022, 5:56:25 PM5/23/22
          to Gerrit Bot, Keith Randall, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com


          2 comments:

          • File src/runtime/libfuzzer_arm64.s:

            • How many bits of the return PC does libfuzzer use as discriminator? Would it be possible to multiply […]

              libfuzzer's value profiling mode only uses the lowest 9 bits of the return address. Could you clarify how multiplying the fakePC by 4 would be better? Isn't this just shifting the value by two to the left, which also results in the lowest two bits set to zero? The issue I see is that we cannot have return addresses on ARM64 where the lowest two bits are zero.

          • File src/runtime/libfuzzer_arm64.s:

            • Yes, you'd need to change it to a label. In the current form it doesn't build. […]

              I've pushed a fix in this CL https://go-review.googlesource.com/c/go/+/407895

              The fix now computes the start address of the ret sled based on the program counter (R15). I couldn't find a way to move the address representing a label into a register. Could you have a look there?


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 17
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Comment-Date: Mon, 23 May 2022 21:56:18 +0000

          Cherry Mui (Gerrit)

          May 23, 2022, 6:05:44 PM5/23/22
          to Gerrit Bot, Khaled Yakdan, Keith Randall, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com


          2 comments:

          • File src/runtime/libfuzzer_arm64.s:

            • libfuzzer's value profiling mode only uses the lowest 9 bits of the return address. […]

If it only uses the lowest 9 bits, then on platforms with fixed-length instructions like ARM64 it only has 7 bits as a discriminator. I don't think there is anything we could do about that. Thanks.

          • File src/runtime/libfuzzer_arm64.s:

            • I've pushed a fix in this CL https://go-review.googlesource.com/c/go/+/407895 […]

              R15 is not the PC on ARM64 (it is on ARM32, but not ARM64).
              Try

                ADR ret_sled, R30
              ... other instructions ...
              ret_sled:
              REPEAT_128(RET_SLED)


              You'll need to rebase (a bug fix to the assembler just went in). Thanks.


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 17
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Comment-Date: Mon, 23 May 2022 22:05:39 +0000

          Khaled Yakdan (Gerrit)

          May 23, 2022, 6:55:56 PM5/23/22
          to Gerrit Bot, Keith Randall, goph...@pubsubhelper.golang.org, Gopher Robot, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com


          1 comment:

          • File src/runtime/libfuzzer_arm64.s:


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 17
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Comment-Date: Mon, 23 May 2022 22:55:52 +0000

          Austin Clements (Gerrit)

          Jun 6, 2022, 4:30:15 PM6/6/22
          to Gerrit Bot, Khaled Yakdan, Keith Randall, goph...@pubsubhelper.golang.org, Austin Clements, Gopher Robot, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com


          1 comment:

          • Patchset:


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 17
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Austin Clements <aus...@google.com>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Comment-Date: Mon, 06 Jun 2022 20:30:12 +0000
          Gerrit-HasComments: Yes
          Gerrit-Has-Labels: No
          Gerrit-MessageType: comment

          Khaled Yakdan (Gerrit)

          Jun 7, 2022, 2:42:40 AM6/7/22
          to Gerrit Bot, Keith Randall, goph...@pubsubhelper.golang.org, Austin Clements, Gopher Robot, Keith Randall, Cherry Mui, Ian Lance Taylor, Katie Hockman, Roland Shoemaker, golang-co...@googlegroups.com


          1 comment:

          • Patchset:

            • Patch Set #17:

              Should this have a release note in doc/go1.19. […]

Good idea! I'll submit a CL that explains the fuzzing improvements in 1.19.


          Gerrit-Project: go
          Gerrit-Branch: master
          Gerrit-Change-Id: Iea68057c83aea7f9dc226fba7128708e8637d07a
          Gerrit-Change-Number: 387336
          Gerrit-PatchSet: 17
          Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
          Gerrit-Reviewer: Cherry Mui <cher...@google.com>
          Gerrit-Reviewer: Gopher Robot <go...@golang.org>
          Gerrit-Reviewer: Katie Hockman <ka...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@golang.org>
          Gerrit-Reviewer: Keith Randall <k...@google.com>
          Gerrit-Reviewer: Michael Knyszek <mkny...@google.com>
          Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
          Gerrit-CC: Austin Clements <aus...@google.com>
          Gerrit-CC: Ian Lance Taylor <ia...@golang.org>
          Gerrit-CC: Khaled Yakdan <yak...@code-intelligence.com>
          Gerrit-Comment-Date: Tue, 07 Jun 2022 06:42:35 +0000
          Gerrit-HasComments: Yes
          Gerrit-Has-Labels: No
          Comment-In-Reply-To: Austin Clements <aus...@google.com>
          Gerrit-MessageType: comment