Add support for more llvm instrumentations; fix not working `disable_…

…branch_folding`
rust-fuzz · Feb 24, 2025 · 46a7dcd · 46a7dcd
1 parent 95f7737
commit 46a7dcd
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 4 deletions.
diff --git a/src/options.rs b/src/options.rs
@@ -136,6 +136,20 @@ pub struct BuildOptions {
     /// available.
     pub no_trace_compares: bool,
 
+    #[arg(long)]
+    /// Enables `sanitizer-coverage-trace-divs` LLVM instrumentation
+    ///
+    /// When set to `true`, the compiler will instrument integer division instructions
+    /// to capture the right argument of division.
+    pub trace_div: bool,
+
+    #[arg(long)]
+    /// Enables `sanitizer-coverage-trace-geps` LLVM instrumentation
+    ///
+    /// When set to `true`, instruments GetElementPtr (GEP) instructions to track
+    /// pointer arithmetic operations to capture array indices.
+    pub trace_gep: bool,
+
     #[arg(long)]
     /// Disable transformation of if-statements into `cmov` instructions (when this
     /// happens, we get no coverage feedback for that branch). Default setting is true.
@@ -165,7 +179,7 @@ pub struct BuildOptions {
     /// Note, that in the second program, there are now 2 new coverage feedback points,
     /// and the fuzzer can store an input to the corpus at each condition that it passes;
     /// giving it a better chance of producing an input that reaches `res = 2;`.
-    pub disable_branch_folding: Option<bool>,
+    pub disable_branch_folding: bool,
 
     #[arg(long)]
     /// Disable the inclusion of the `/include:main` MSVC linker argument
@@ -279,7 +293,9 @@ mod test {
             strip_dead_code: true,
             no_cfg_fuzzing: false,
             no_trace_compares: false,
-            disable_branch_folding: None,
+            trace_div: false,
+            trace_gep: false,
+            disable_branch_folding: false,
             no_include_main_msvc: false,
         };
 

diff --git a/src/project.rs b/src/project.rs
@@ -182,8 +182,12 @@ impl FuzzProject {
             rustflags.push_str(" -Cllvm-args=-sanitizer-coverage-trace-compares");
         }
 
-        if build.disable_branch_folding.unwrap_or(true) {
-            rustflags.push_str(" -Cllvm-args=-simplifycfg-branch-fold-threshold=0");
+        if build.trace_div {
+            rustflags.push_str(" -Cllvm-args=-sanitizer-coverage-trace-divs");
+        }
+
+        if build.trace_gep {
+            rustflags.push_str(" -Cllvm-args=-sanitizer-coverage-trace-geps");
         }
 
         if !build.no_cfg_fuzzing {
@@ -194,6 +198,10 @@ impl FuzzProject {
             rustflags.push_str(" -Clink-dead-code");
         }
 
+        if build.disable_branch_folding {
+            rustflags.push_str(" -Cllvm-args=-simplifycfg-branch-fold-threshold=0");
+        }
+
         if build.coverage {
             rustflags.push_str(" -Cinstrument-coverage");
         }

diff --git a/tests/tests/main.rs b/tests/tests/main.rs
@@ -915,6 +915,35 @@ fn build_stripping_dead_code() {
     assert!(a_bin.is_file(), "Not a file: {}", a_bin.display());
 }
 
+#[test]
+fn build_with_all_llvm_features() {
+    let project = project("build_all_feats").with_fuzz().build();
+
+    // Create some targets.
+    project
+        .cargo_fuzz()
+        .arg("add")
+        .arg("build_strip_a")
+        .assert()
+        .success();
+
+    project
+        .cargo_fuzz()
+        .arg("build")
+        .arg("--strip-dead-code")
+        .arg("--dev")
+        .arg("--trace-div")
+        .arg("--trace-gep")
+        .arg("--disable-branch-folding")
+        .assert()
+        .success();
+
+    let build_dir = project.fuzz_build_dir().join("debug");
+
+    let a_bin = build_dir.join("build_strip_a");
+    assert!(a_bin.is_file(), "Not a file: {}", a_bin.display());
+}
+
 #[test]
 fn run_with_different_fuzz_dir() {
     let (fuzz_dir, mut project_builder) = project_with_fuzz_dir(