OleksiiOleksenko · AlonB644 · Sep 27, 2020 · Oct 10, 2020
diff --git a/Makefile b/Makefile
@@ -6,6 +6,7 @@ REPORT_WITH_OFFSET ?= 0
 ENABLE_COVERAGE ?= 1
 COVERAGE_MEMORY_ERRORS ?= 1
 COVERAGE_CONTROL_FLOW_ERRORS ?= 1
+SEED_NON_SPECULATIVE_ERRORS ?= 1
 ENABLE_SANITY_CHECKS ?= 1
 ENABLE_STATS ?= 0
 ENABLE_SEQUENTIAL_SIMULATION ?= 0
@@ -21,7 +22,7 @@ RUNTIME_CONFIGURATION := -DMAX_NESTING_LEVEL=$(MAX_NESTING_LEVEL)\
  -DENABLE_SANITY_CHECKS=$(ENABLE_SANITY_CHECKS)\
  -DENABLE_STATS=$(ENABLE_STATS) -DENABLE_SEQUENTIAL_SIMULATION=$(ENABLE_SEQUENTIAL_SIMULATION)\
  -DDUMP_COVERAGE_AT_EXIT=$(DUMP_COVERAGE_AT_EXIT) -DPRINT_ROLLABACK_STATS=$(PRINT_ROLLABACK_STATS)\
- -DREPORT_CONTROL_FLOW_ERRORS=$(REPORT_CONTROL_FLOW_ERRORS)
+ -DREPORT_CONTROL_FLOW_ERRORS=$(REPORT_CONTROL_FLOW_ERRORS) -DSEED_NON_SPECULATIVE_ERRORS=$(SEED_NON_SPECULATIVE_ERRORS)
 
 # Paths
 LLVM_CONFIG ?= llvm-7.0.1-config
@@ -68,14 +69,14 @@ rebuild_llvm:
 	make -j -C $(LLVM_BUILD)
 
 install_specfuzz:
-	cp -u install/wrapper.sh /usr/bin/clang-sf
-	cp -u install/wrapper.sh /usr/bin/clang-sf++
-	sed -i -e 's:/clang$$:/clang++:g' /usr/bin/clang-sf++
+	sudo cp -u install/wrapper.sh /usr/bin/clang-sf
+	sudo cp -u install/wrapper.sh /usr/bin/clang-sf++
+	sudo sed -i -e 's:/clang$$:/clang++:g' /usr/bin/clang-sf++
 
 install_tools: analyzer hongg
 
 analyzer: postprocessing/analyzer.py
-	cp $< /usr/bin/analyzer
+	sudo cp $< /usr/bin/analyzer
 
 hongg: check_hongg_path patch_hongg rebuild_hongg
 
@@ -95,7 +96,7 @@ patch_hongg: $(HONGG_PATCH)
 
 rebuild_hongg:
 	CC=${CLANG} CFLAGS=-ggdb make -C $(HONGG_SRC) -j4
-	make -C $(HONGG_SRC) install
+	sudo make -C $(HONGG_SRC) install
 
 test:
 	cd tests && ./run.bats
diff --git a/install/patches/honggfuzz/fuzz.c b/install/patches/honggfuzz/fuzz.c
@@ -585,7 +585,7 @@ static void* fuzz_threadNew(void* arg) {
             map_entry_t entry = coverage_map_conflicts[i];
             if (entry.count == 0)
                 continue;
-            uint64_t address = (entry.tag << COVERAGE_INDEX_WIDTH) + i;
+            uint64_t address = entry.tag;
             LOG_I("[SF], 0x%lx: %d", address, entry.count);
         }
         //hash_map_usage(run.global->feedback.feedbackMap);

diff --git a/install/patches/honggfuzz/instrument.c b/install/patches/honggfuzz/instrument.c
@@ -99,6 +99,12 @@ void specfuzz_cov_vuln(uintptr_t pc) {
     }
 }
 
+// Adds current input to corpus
+void specfuzz_seed_input() {
+	// TODO: less lazy implementation
+    ATOMIC_PRE_INC_RELAXED(feedback->pidFeedbackPc[my_thread_no]);
+}
+
 __attribute__((preserve_most))
 void specfuzz_cov_trace_pc(uintptr_t pc) {
     // quick path - check the cache
@@ -158,6 +164,7 @@ static map_entry_t *get_hash_map_entry(uintptr_t pc) {
 
     // hash conflict
     map_entry_t *coverage_map_conflicts = &coverage_map[COVERAGE_MAP_HASHMAP_SIZE];
+    tag = pc; // assert(uint64_t == unsigned long) // anyway it is priorly assumed that tag and pc are of the same size.
     do {
         if (entry->next == 0) { // create a new entry
             uint32_t top = feedback->cmpMapPcTop;

diff --git a/src/SpecFuzzPass.cpp b/src/SpecFuzzPass.cpp
@@ -594,6 +594,8 @@ auto X86SpecFuzzPass::visitReturn(MachineInstr &MI, MachineBasicBlock &Parent) -
 ///                                |    MOVQ %r15, tmp_gpr1  // reserve the value of r15
 ///                                |    LEAQ 8(%rsp), %r15      // store the address
 ///                                |    MOVQ checkpoint_sp, %rsp
+///                                |    PUSH $0
+///                                |    PUSH $WRITING_WIDTH
 ///                                |    PUSH %r15
 ///                                |    PUSH (%r15)             // store the original value
 ///                                |    MOVQ %rsp, checkpoint_sp     // restore stack
@@ -633,24 +635,164 @@ auto X86SpecFuzzPass::visitWrite(MachineInstr &MI, MachineBasicBlock &Parent) ->
         .add(MI.getOperand(MemRefBegin + X86::AddrSegmentReg));
 
     restoreRegister(Parent, MI, Loc, X86::RSP, "checkpoint_sp");
-
+
+	MachineMemOperand *MMO = *MI.memoperands_begin();
+    uint64_t width = MMO->getSize();
+
+	LLVM_DEBUG(dbgs() << "Store's width: " << width << "\n");
+
+    // push arbitrary value for 16 byte alignment in checkpoint stack
+    BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+		.addImm(0);
+
+	BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+		.addImm((width > 8)? 8 : width);
+
     // PUSH %TmpReg
     BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64r), TmpReg);
-
-    // PUSH (%TmpReg)
-    BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64rmm), TmpReg)
-        .addImm(1).addReg(0)
-        .addImm(0).addReg(0);
+
+
+	switch (width) {
+		case 1:
+			preserveRegister(Parent, MI, Loc, X86::R14, "tmp_gpr2");
+
+			// Immediate is arbitrary
+			BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+				.addImm(0);
+
+			BuildMI(Parent, MI, Loc, TII->get(X86::MOV8rm), X86::R14B)
+				.addReg(TmpReg).addImm(1)
+				.addReg(0).addImm(0)
+				.addReg(0);
+
+			BuildMI(Parent, MI, Loc, TII->get(X86::MOV8mr))
+				.addReg(X86::RSP).addImm(1)
+				.addReg(0).addImm(0)
+				.addReg(0)
+				.addReg(X86::R14B);
+
+			restoreRegister(Parent, MI, Loc, X86::R14, "tmp_gpr2");
+
+			break;
+
+		case 2:
+			preserveRegister(Parent, MI, Loc, X86::R14, "tmp_gpr2");
+
+			// Immediate is arbitrary
+			BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+				.addImm(0);
+
+			BuildMI(Parent, MI, Loc, TII->get(X86::MOV16rm), X86::R14W)
+				.addReg(TmpReg).addImm(1)
+				.addReg(0).addImm(0)
+				.addReg(0);
+
+			BuildMI(Parent, MI, Loc, TII->get(X86::MOV16mr))
+				.addReg(X86::RSP).addImm(1)
+				.addReg(0).addImm(0)
+				.addReg(0)
+				.addReg(X86::R14W);
+
+			restoreRegister(Parent, MI, Loc, X86::R14, "tmp_gpr2");
+
+			break;
+
+		case 4:
+			preserveRegister(Parent, MI, Loc, X86::R14, "tmp_gpr2");
+
+			// Immediate is arbitrary
+			BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+				.addImm(0);
+
+			BuildMI(Parent, MI, Loc, TII->get(X86::MOV32rm), X86::R14D)
+				.addReg(TmpReg).addImm(1)
+				.addReg(0).addImm(0)
+				.addReg(0);
+
+			BuildMI(Parent, MI, Loc, TII->get(X86::MOV32mr))
+				.addReg(X86::RSP).addImm(1)
+				.addReg(0).addImm(0)
+				.addReg(0)
+				.addReg(X86::R14D);
+
+			restoreRegister(Parent, MI, Loc, X86::R14, "tmp_gpr2");
+
+			break;
+
+		case 8:
+		case 16:
+		case 32:
+			// PUSH (%TmpReg)
+			BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64rmm), TmpReg)
+				.addImm(1).addReg(0)
+				.addImm(0).addReg(0);
+
+			if (width == 8) break;
+
+            // else that's SSE or AVX instruction. repeat logging of quadwords.
+
+			BuildMI(Parent, MI, Loc, TII->get(X86::LEA64r), TmpReg)
+            .addReg(TmpReg).addImm(1)
+            .addReg(0).addImm(8)
+            .addReg(0);
+
+            // push arbitrary value for 16 byte alignment in checkpoint stack
+            BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+                .addImm(0);
+
+			BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+				.addImm(8);
+
+			// PUSH %TmpReg
+			BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64r), TmpReg);
+
+			// PUSH (%TmpReg)
+			BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64rmm), TmpReg)
+				.addImm(1).addReg(0)
+				.addImm(0).addReg(0);
+
+			if (width == 16) { LLVM_DEBUG(dbgs() << "   The store is 128-bit wide\n"); break; }
+
+			BuildMI(Parent, MI, Loc, TII->get(X86::LEA64r), TmpReg)
+            .addReg(TmpReg).addImm(1)
+            .addReg(0).addImm(8)
+            .addReg(0);
+
+            // push arbitrary value for 16 byte alignment in checkpoint stack
+            BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+                .addImm(0);
+
+			BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+				.addImm(8);
+
+			// PUSH %TmpReg
+			BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64r), TmpReg);
+
+			// PUSH (%TmpReg)
+			BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64rmm), TmpReg)
+				.addImm(1).addReg(0)
+				.addImm(0).addReg(0);
+
+			LLVM_DEBUG(dbgs() << "   The store is 256-bit wide\n"); 
+			break;
+
+		default:
+			llvm_unreachable("Unknown width");
+			break;
+	}
 
     // SSE stores are 128-bit wide
-    if (Desc.TSFlags >> X86II::SSEDomainShift & 3) {  // NOLINT
+    /*if (Desc.TSFlags >> X86II::SSEDomainShift & 3) {  // NOLINT
         LLVM_DEBUG(dbgs() << "   The store is 128-bit wide\n");
 
         // LEAQ 8(%TmpReg), %TmpReg
         BuildMI(Parent, MI, Loc, TII->get(X86::LEA64r), TmpReg)
             .addReg(TmpReg).addImm(1)
             .addReg(0).addImm(8)
             .addReg(0);
+
+		BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+			.addImm(8);
 
         // PUSH %TmpReg
         BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64r), TmpReg);
@@ -659,7 +801,7 @@ auto X86SpecFuzzPass::visitWrite(MachineInstr &MI, MachineBasicBlock &Parent) ->
         BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64rmm), TmpReg)
             .addImm(1).addReg(0)
             .addImm(0).addReg(0);
-    }
+    }*/
 
     preserveRegister(Parent, MI, Loc, X86::RSP, "checkpoint_sp");
     restoreRegister(Parent, MI, Loc, TmpReg, "tmp_gpr1");
@@ -684,6 +826,13 @@ auto X86SpecFuzzPass::visitPush(MachineInstr &MI, MachineBasicBlock &Parent) ->
         .addReg(0);
 
     restoreRegister(Parent, MI, Loc, X86::RSP, "checkpoint_sp");
+
+    // push arbitrary value for 16 byte alignment in checkpoint stack
+    BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+        .addImm(0);
+
+	BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64i8))
+		.addImm(8);
 
     // PUSH %TmpReg
     BuildMI(Parent, MI, Loc, TII->get(X86::PUSH64r), TmpReg);
@@ -1042,6 +1191,7 @@ auto X86SpecFuzzPass::getCallTargetType(MachineInstr &MI) -> X86SpecFuzzPass::Ca
         "__asan_set_shadow_f8",
 
         "__asan_frame_malloc_0",
+		"__asan_stack_malloc_0",
         "__asan_stack_malloc_1",
         "__asan_stack_malloc_2",
         "__asan_stack_malloc_3",

diff --git a/src/specfuzz_init.c b/src/specfuzz_init.c
@@ -48,27 +48,57 @@ void specfuzz_handler(int signo, siginfo_t *siginfo, void *ucontext) {
 #if ENABLE_SANITY_CHECKS == 1
     if (inside_handler != 0) {
         fprintf(stderr, "\n[SF] Error: Fault inside the signal handler\n");
+#if SEED_NON_SPECULATIVE_ERRORS == 1
+		specfuzz_seed_input();
+#endif
         abort();
     }
     inside_handler = 1;
 
     if (nesting_level <= 0x0) {
         fprintf(stderr, "[SF] Error: Signal handler called outside speculation\n");
+#if SEED_NON_SPECULATIVE_ERRORS == 1
+		specfuzz_seed_input();
+#endif
         abort();
     }
 
     if (checkpoint_sp > &checkpoint_stack || checkpoint_sp < &checkpoint_stack_bottom) {
         fprintf(stderr, "[SF] Error: checkpoint_sp is corrupted\n");
+#if SEED_NON_SPECULATIVE_ERRORS == 1
+		specfuzz_seed_input();
+#endif
         abort();
     }
 
     if ((uint64_t *) uc_gregs[REG_RSP] <= &specfuzz_rtl_frame
         && (uint64_t *) uc_gregs[REG_RSP] >= &specfuzz_rtl_frame_bottom) {
         fprintf(stderr, "[SF] Error: a signal caught within the SpecFuzz runtime\n");
+#if SEED_NON_SPECULATIVE_ERRORS == 1
+		specfuzz_seed_input();
+#endif
+        abort();
+    }
+
+	if (specfuzz_executing_rollback) {
+		fprintf(stderr, "[SF] Error: a signal caught within SpecFuzz's rollback\n");
+#if SEED_NON_SPECULATIVE_ERRORS == 1
+		specfuzz_seed_input();
+#endif
+        abort();
+    }
+
+	if (specfuzz_executing_checkpoint) {
+		fprintf(stderr, "[SF] Error: a signal caught within SpecFuzz's checkpoint\n");
+#if SEED_NON_SPECULATIVE_ERRORS == 1
+		specfuzz_seed_input();
+#endif
         abort();
     }
 #endif
 
+
+
     if (siginfo->si_signo == SIGFPE) {
         STAT_INCREMENT(stat_signal_misc);
     } else if (context->uc_mcontext.gregs[REG_RSP] >= (long long) &asan_rtl_frame_bottom &&