Merge pull request #402 from 0xdeafbeef/0xdeafbeef/push-tqronnqkpknw

Add support for more llvm instrumentations

Author: fitzgen

src/options.rs

@@ -137,6 +137,20 @@ pub struct BuildOptions {
     pub no_trace_compares: bool,
 
     #[arg(long)]
+    /// Enables `sanitizer-coverage-trace-divs` LLVM instrumentation
+    ///
+    /// When set to `true`, the compiler will instrument integer division instructions
+    /// to capture the right argument of division.
+    pub trace_div: bool,
+
+    #[arg(long)]
+    /// Enables `sanitizer-coverage-trace-geps` LLVM instrumentation
+    ///
+    /// When set to `true`, instruments GetElementPtr (GEP) instructions to track
+    /// pointer arithmetic operations to capture array indices.
+    pub trace_gep: bool,
+
+    #[arg(long, default_value_t = true)]
     /// Disable transformation of if-statements into `cmov` instructions (when this
     /// happens, we get no coverage feedback for that branch). Default setting is true.
     /// This is done by setting the `-simplifycfg-branch-fold-threshold=0` LLVM arg.
@@ -165,7 +179,7 @@ pub struct BuildOptions {
     /// Note, that in the second program, there are now 2 new coverage feedback points,
     /// and the fuzzer can store an input to the corpus at each condition that it passes;
     /// giving it a better chance of producing an input that reaches `res = 2;`.
-    pub disable_branch_folding: Option<bool>,
+    pub disable_branch_folding: bool,
 
     #[arg(long)]
     /// Disable the inclusion of the `/include:main` MSVC linker argument
@@ -279,7 +293,9 @@ mod test {
             strip_dead_code: true,
             no_cfg_fuzzing: false,
             no_trace_compares: false,
-            disable_branch_folding: None,
+            trace_div: false,
+            trace_gep: false,
+            disable_branch_folding: true,
             no_include_main_msvc: false,
         };
 

src/project.rs

@@ -182,8 +182,12 @@ impl FuzzProject {
             rustflags.push_str(" -Cllvm-args=-sanitizer-coverage-trace-compares");
         }
 
-        if build.disable_branch_folding.unwrap_or(true) {
-            rustflags.push_str(" -Cllvm-args=-simplifycfg-branch-fold-threshold=0");
+        if build.trace_div {
+            rustflags.push_str(" -Cllvm-args=-sanitizer-coverage-trace-divs");
+        }
+
+        if build.trace_gep {
+            rustflags.push_str(" -Cllvm-args=-sanitizer-coverage-trace-geps");
         }
 
         if !build.no_cfg_fuzzing {
@@ -194,6 +198,10 @@ impl FuzzProject {
             rustflags.push_str(" -Clink-dead-code");
         }
 
+        if build.disable_branch_folding {
+            rustflags.push_str(" -Cllvm-args=-simplifycfg-branch-fold-threshold=0");
+        }
+
         if build.coverage {
             rustflags.push_str(" -Cinstrument-coverage");
         }

tests/tests/main.rs

@@ -915,6 +915,35 @@ fn build_stripping_dead_code() {
     assert!(a_bin.is_file(), "Not a file: {}", a_bin.display());
 }
 
+#[test]
+fn build_with_all_llvm_features() {
+    let project = project("build_all_feats").with_fuzz().build();
+
+    // Create some targets.
+    project
+        .cargo_fuzz()
+        .arg("add")
+        .arg("build_strip_a")
+        .assert()
+        .success();
+
+    project
+        .cargo_fuzz()
+        .arg("build")
+        .arg("--strip-dead-code")
+        .arg("--dev")
+        .arg("--trace-div")
+        .arg("--trace-gep")
+        .arg("--disable-branch-folding")
+        .assert()
+        .success();
+
+    let build_dir = project.fuzz_build_dir().join("debug");
+
+    let a_bin = build_dir.join("build_strip_a");
+    assert!(a_bin.is_file(), "Not a file: {}", a_bin.display());
+}
+
 #[test]
 fn run_with_different_fuzz_dir() {
     let (fuzz_dir, mut project_builder) = project_with_fuzz_dir(