diff --git a/compiler-rt/test/fuzzer/OutOfProcessFuzzTarget.cpp b/compiler-rt/test/fuzzer/OutOfProcessFuzzTarget.cpp new file mode 100644 --- /dev/null +++ b/compiler-rt/test/fuzzer/OutOfProcessFuzzTarget.cpp @@ -0,0 +1,85 @@ +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception + +// This is a fuzz target for running out-of-process fuzzing for a +// binary specified via environment variable LIBFUZZER_OOP_TARGET. +// libFuzzer is not designed for out-of-process fuzzing and so this +// ad-hoc rig lacks many of the in-process libFuzzer features, and is slow, +// but it does provide the basic functionality, which is to run the target +// many times in parallel, feeding in the mutants, and expanding the corpus. +// Use this only for very slow targets (slower than ~ 10 exec/s) +// that you can't convert to conventional libFuzzer fuzz targets. +// +// The target binary (which could be a shell script, or anything), +// consumes one file as an input and produces the file with coverage counters +// as the output (output path is passed via SANCOV_OUT). +// One way to produce a valid binary target is to build it with +// -fsanitize-coverage=inline-8bit-counters and link it with SanCovDump.cpp, +// found in the same directory. +// +// Example usage: +/* + clang -fsanitize=fuzzer OutOfProcessFuzzTarget.cpp -o oop-fuzz && + clang -c -fsanitize-coverage=inline-8bit-counters SimpleTest.cpp && + clang -c ../../lib/fuzzer/standalone/StandaloneFuzzTargetMain.c && + clang -c SanCovDump.cpp && + clang++ SanCovDump.o SimpleTest.o StandaloneFuzzTargetMain.o -o oop-target && + rm -rf CORPUS && mkdir CORPUS && echo > CORPUS/seed && + LIBFUZZER_OOP_TARGET="./oop-target > /dev/null 2>&1 " ./oop-fuzz CORPUS -jobs=42 + +*/ +#include +#include +#include +#include +#include +#include + +#include + +// An arbitrary large number. +// If your target is so large that it has more than this number of coverage +// edges, you may want to increase this number to match your binary, +// otherwise part of the coverage will be lost. +// For small targets there is no reason to reduce this number. +static const size_t kCountersSize = 1 << 20; + +__attribute__((section("__libfuzzer_extra_counters"))) static uint8_t Counters[kCountersSize]; + +static std::string *Run, *IN, *COV; + +void TearDown() { + unlink(COV->c_str()); + unlink(IN->c_str()); +} + +bool Initialize() { + IN = new std::string("lf-oop-in-" + std::to_string(getpid())); + COV = new std::string("lf-oop-cov-" + std::to_string(getpid())); + const char *TargetEnv = getenv("LIBFUZZER_OOP_TARGET"); + if (!TargetEnv) { + fprintf(stderr, "Please define LIBFUZZER_OOP_TARGET\n"); + exit(1); + } + Run = new std::string("SANCOV_OUT=" + *COV + " " + TargetEnv + " " + *IN); + fprintf(stderr, "libFuzzer: OOP command: %s\n", Run->c_str()); + atexit(TearDown); + return true; +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + static bool Inited = Initialize(); + if (size == 0) + return 0; + if (FILE *f = fopen(IN->c_str(), "w")) { + fwrite(data, 1, size, f); + fclose(f); + } + system(Run->c_str()); + if (FILE *f = fopen(COV->c_str(), "r")) { + fread(Counters, 1, kCountersSize, f); + fclose(f); + } + return 0; +} diff --git a/compiler-rt/test/fuzzer/SanCovDump.cpp b/compiler-rt/test/fuzzer/SanCovDump.cpp new file mode 100644 --- /dev/null +++ b/compiler-rt/test/fuzzer/SanCovDump.cpp @@ -0,0 +1,31 @@ +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception + +// Link this tiny library to a binary compiled with +// -fsanitize-coverage=inline-8bit-counters. +// When passed SANCOV_OUT=OUTPUT_PATH, the process will +// dump the 8-bit coverage counters to the file, assuming +// the regular exit() is called. +// +// See OutOfProcessFuzzTarget.cpp for usage. +#include +#include + +static char *CovStart, *CovEnd; + +static void DumpCoverage() { + if (const char *DumpPath = getenv("SANCOV_OUT")) { + fprintf(stderr, "SanCovDump: %p %p %s\n", CovStart, CovEnd, DumpPath); + if (FILE *f = fopen(DumpPath, "w")) { + fwrite(CovStart, 1, CovEnd - CovStart, f); + fclose(f); + } + } +} + +extern "C" void __sanitizer_cov_8bit_counters_init(char *Start, char *End) { + CovStart = Start; + CovEnd = End; + atexit(DumpCoverage); +} diff --git a/compiler-rt/test/fuzzer/out-of-process-fuzz.test b/compiler-rt/test/fuzzer/out-of-process-fuzz.test new file mode 100644 --- /dev/null +++ b/compiler-rt/test/fuzzer/out-of-process-fuzz.test @@ -0,0 +1,20 @@ +RUN: rm -rf %t && mkdir %t +RUN: cd %t +RUN: %cpp_compiler %S/OutOfProcessFuzzTarget.cpp -o oop-fuzzer +RUN: %no_fuzzer_cpp_compiler -fsanitize-coverage=inline-8bit-counters %S/SimpleTest.cpp -c -o SimpleTestOOP.o +RUN: %no_fuzzer_c_compiler %S/../../lib/fuzzer/standalone/StandaloneFuzzTargetMain.c -c -o StandaloneFuzzTargetMainOOP.o +RUN: %no_fuzzer_cpp_compiler %S/SanCovDump.cpp -c -o SanCovDumpOOP.o +RUN: %no_fuzzer_cpp_compiler SimpleTestOOP.o StandaloneFuzzTargetMainOOP.o SanCovDumpOOP.o -o oop-target +RUN: rm -rf OOP_CORPUS +RUN: mkdir OOP_CORPUS +RUN: echo "Hi" > OOP_CORPUS/seed +RUN: echo %t + +# Out-of-process fuzzing with this rig is slow, +# we can not wait for the fuzzer to find the faulty input. +# Just run for a bit and observe the corpus expansion. +RUN: LIBFUZZER_OOP_TARGET="./oop-target > /dev/null 2>&1 " ./oop-fuzzer -max_len=3 OOP_CORPUS -runs=1000 -jobs=4 +CHECK: Running: OOP_CORPUS/ +CHECK: Running: OOP_CORPUS/ +CHECK: Running: OOP_CORPUS/ +RUN: ./oop-target OOP_CORPUS/* 2>&1 | FileCheck %s