This is an archive of the discontinued LLVM Phabricator instance.

Differential D119000

[Bitcode] Add fuzzer for bitcode reading
ClosedPublic

Authored by nikic on Feb 4 2022, 7:46 AM.

Details

Reviewers
dblaikie
Summary

Inspired by the discussion on D118694, this adds a straightforward fuzzer for bitcode reading.

Diff Detail

Unit TestsFailed

TimeTest
60,030 msx64 debian > MLIR.Examples/standalone::test.toy
60,030 msx64 debian > libFuzzer.libFuzzer::fuzzer-leak.test
60,050 msx64 debian > libFuzzer.libFuzzer::large.test
60,030 msx64 debian > libFuzzer.libFuzzer::value-profile-load.test
1,320 msx64 debian > libomptarget :: x86_64-pc-linux-gnu.mapping::delete_inf_refcount.c

Event Timeline

nikic created this revision.Feb 4 2022, 7:46 AM
Herald added subscribers: ormris, mgorny. · View Herald TranscriptFeb 4 2022, 7:46 AM
nikic requested review of this revision.Feb 4 2022, 7:46 AM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 4 2022, 7:46 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B147630: Diff 405970.Feb 4 2022, 8:36 AM
nikic added a comment.Feb 4 2022, 8:37 AM

After fixing some issues in the bitstream reader to report errors using the right mechanism, this now quickly runs into OOM, because we do unconditional vector reservations. Can be fixed (a standard approach is to reject reservations larger than the input size for example), just not sure if making bitcode parsing more resilient is something I should invest time in.

dblaikie added a comment.Feb 4 2022, 10:35 AM

If we check this in, does it start failing buildbots or anything if it's not clean? Do we have to address the OOMs for this to be clean, or are OOMs not considered failures by any buildbots/don't produce failmail?

nikic added a comment.Feb 4 2022, 11:21 AM
In D119000#3297487, @dblaikie wrote:

If we check this in, does it start failing buildbots or anything if it's not clean? Do we have to address the OOMs for this to be clean, or are OOMs not considered failures by any buildbots/don't produce failmail?

Nothing should use the fuzzer by default, it needs to be added to oss-fuzz to run. So just adding it is not problematic.

dblaikie accepted this revision.Feb 4 2022, 12:28 PM
In D119000#3297608, @nikic wrote:
In D119000#3297487, @dblaikie wrote:

If we check this in, does it start failing buildbots or anything if it's not clean? Do we have to address the OOMs for this to be clean, or are OOMs not considered failures by any buildbots/don't produce failmail?

Nothing should use the fuzzer by default, it needs to be added to oss-fuzz to run. So just adding it is not problematic.

Hmm, seems unfortunate to checkin dead code, though? But I guess if this is the normal way fuzzers are added/adopted/eventually integrated into oss-fuzz, fair enough.

This revision is now accepted and ready to land.Feb 4 2022, 12:28 PM
nikic closed this revision.Feb 7 2022, 3:30 AM

Landed as https://github.com/llvm/llvm-project/commit/82ef888fbf3a19c80b042c483fe939d93d187f1d, forgot to add the differential revision tag.

Revision Contents

PathSize
llvm/
tools/
llvm-dis-fuzzer/
6 lines
25 lines

Diff 405970

llvm/tools/llvm-dis-fuzzer/CMakeLists.txt

  • This file was added.
set(LLVM_LINK_COMPONENTS
BitReader
)
add_llvm_fuzzer(llvm-dis-fuzzer
llvm-dis-fuzzer.cpp
)

llvm/tools/llvm-dis-fuzzer/llvm-dis-fuzzer.cpp

  • This file was added.
//===-- llvm-dis-fuzzer.cpp - Fuzzer for llvm-dis using lib/Fuzzer --------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Fuzzer for LLVM bitcode reading.
//
//===----------------------------------------------------------------------===//
#include "llvm/Bitcode/BitcodeReader.h"
#include "llvm/Support/MemoryBuffer.h"
using namespace llvm;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
LLVMContext Context;
auto Buffer = MemoryBuffer::getMemBuffer(
StringRef(reinterpret_cast<const char *>(Data), Size), "Fuzzer input",
/*RequiresNullTerminator=*/false);
consumeError(parseBitcodeFile(Buffer->getMemBufferRef(), Context).takeError());
Lint: Pre-merge checks
Inline Actions

clang-format: please reformat the code

-  consumeError(parseBitcodeFile(Buffer->getMemBufferRef(), Context).takeError());
+  consumeError(
+      parseBitcodeFile(Buffer->getMemBufferRef(), Context).takeError());
Lint: Pre-merge checks: clang-format: please reformat the code ``` - consumeError(parseBitcodeFile(Buffer…
return 0;
}