This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lldb/tools/
-
tools/
-
CMakeLists.txt
-
lldb-fuzzer/
-
CMakeLists.txt
-
lldb-target-fuzzer.cpp
-
utils/
-
CMakeLists.txt
-
TempFile.h
-
TempFile.cpp
-
llvm/docs/
-
docs/
-
FuzzingLLVM.rst

Differential D122461

[lldb] Add a fuzzer for target create
ClosedPublic

Authored by JDevlieghere on Mar 24 2022, 10:32 PM.

Download Raw Diff

Details

Reviewers

labath

Group Reviewers

Restricted Project

Commits

rG61efe14e21b2: [lldb] Add a fuzzer for target creation

Summary

This patch adds a fuzzer that interprets inputs as object files and makes lldb create targets from them. It is very similar to the llvm-dwarfdump fuzzer which found a bunch of issues in libObject. I let it run in the background for an hour or so and it identified 15 or so inputs that cause lldb to crash.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

JDevlieghere created this revision.Mar 24 2022, 10:32 PM

Herald added a project: Restricted Project. · View Herald TranscriptMar 24 2022, 10:32 PM

Herald added a subscriber: mgorny. · View Herald Transcript

JDevlieghere requested review of this revision.Mar 24 2022, 10:32 PM

Harbormaster completed remote builds in B156217: Diff 418132.Mar 24 2022, 10:35 PM

Fix ASCII art

Harbormaster completed remote builds in B156218: Diff 418133.Mar 24 2022, 10:38 PM

I like this.

lldb/tools/lldb-fuzzer/lldb-fuzzer-target.cpp
24 ↗	(On Diff #418133)	Not an ideal use of auto -- it's clear that this returns some form of TempFile, but if this were say Expected<TempFile>, then the code would be incorrect (but still compile).

This revision is now accepted and ready to land.Mar 25 2022, 1:46 AM

JDevlieghere marked an inline comment as done.Mar 25 2022, 9:06 AM

JDevlieghere added inline comments.

lldb/tools/lldb-fuzzer/lldb-fuzzer-target.cpp
24 ↗	(On Diff #418133)	Agreed. Originally I was returning a `llvm::Expected<std::unqique_ptr<TempFile>>` but the inability to create a temp file isn't all that interesting and without the expected the logic can be a lot simpler.

Closed by commit rG61efe14e21b2: [lldb] Add a fuzzer for target creation (authored by JDevlieghere). · Explain WhyMar 25 2022, 9:34 AM

This revision was automatically updated to reflect the committed changes.

JDevlieghere marked an inline comment as done.

JDevlieghere added a commit: rG61efe14e21b2: [lldb] Add a fuzzer for target creation.

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptMar 25 2022, 9:34 AM

Herald added a subscriber: llvm-commits. · View Herald Transcript

Revision Contents

Path

Size

lldb/

tools/

CMakeLists.txt

1 line

lldb-fuzzer/

CMakeLists.txt

17 lines

lldb-target-fuzzer.cpp

35 lines

utils/

CMakeLists.txt

6 lines

TempFile.h

27 lines

TempFile.cpp

33 lines

llvm/

docs/

FuzzingLLVM.rst

5 lines

Diff 418252

lldb/tools/CMakeLists.txt

	add_subdirectory(argdumper)			add_subdirectory(argdumper)
	add_subdirectory(driver)			add_subdirectory(driver)
	add_subdirectory(intel-features)			add_subdirectory(intel-features)

	# We want lldb-test to be built only when it's needed,			# We want lldb-test to be built only when it's needed,
	# i.e. if a target requires it as dependency. The typical			# i.e. if a target requires it as dependency. The typical
	# example is `check-lldb`. So, we pass EXCLUDE_FROM_ALL here.			# example is `check-lldb`. So, we pass EXCLUDE_FROM_ALL here.
	add_subdirectory(lldb-test EXCLUDE_FROM_ALL)			add_subdirectory(lldb-test EXCLUDE_FROM_ALL)
				add_subdirectory(lldb-fuzzer EXCLUDE_FROM_ALL)

	add_lldb_tool_subdirectory(lldb-instr)			add_lldb_tool_subdirectory(lldb-instr)
	add_lldb_tool_subdirectory(lldb-vscode)			add_lldb_tool_subdirectory(lldb-vscode)

	if (CMAKE_SYSTEM_NAME MATCHES "Darwin")			if (CMAKE_SYSTEM_NAME MATCHES "Darwin")
	add_lldb_tool_subdirectory(darwin-debug)			add_lldb_tool_subdirectory(darwin-debug)
	if(NOT LLDB_USE_SYSTEM_DEBUGSERVER)			if(NOT LLDB_USE_SYSTEM_DEBUGSERVER)
	add_lldb_tool_subdirectory(debugserver)			add_lldb_tool_subdirectory(debugserver)
	endif()			endif()
	endif()			endif()

	if (LLDB_CAN_USE_LLDB_SERVER)			if (LLDB_CAN_USE_LLDB_SERVER)
	add_lldb_tool_subdirectory(lldb-server)			add_lldb_tool_subdirectory(lldb-server)
	endif()			endif()

lldb/tools/lldb-fuzzer/CMakeLists.txt

This file was added.

				add_subdirectory(utils)

				set(LLVM_LINK_COMPONENTS
				Support
				)

				add_llvm_fuzzer(lldb-target-fuzzer
				EXCLUDE_FROM_ALL
				lldb-target-fuzzer.cpp
				)

				target_link_libraries(lldb-target-fuzzer
				PRIVATE
				liblldb
				lldbFuzzerUtils
				)

lldb/tools/lldb-fuzzer/lldb-target-fuzzer.cpp

This file was added.

				//===-- lldb-target-fuzzer.cpp - Fuzz target creation ---------------------===//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#include <utils/TempFile.h>

				#include "lldb/API/SBDebugger.h"
				#include "lldb/API/SBTarget.h"

				using namespace lldb;
				using namespace lldb_fuzzer;
				using namespace llvm;

				extern "C" int LLVMFuzzerInitialize(int argc, char **argv) {
				SBDebugger::Initialize();
				return 0;
				}

				extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) {
				std::unique_ptr<TempFile> file = TempFile::Create(data, size);
				if (!file)
				return 1;

				SBDebugger debugger = SBDebugger::Create(false);
				SBTarget target = debugger.CreateTarget(file->GetPath().data());
				debugger.DeleteTarget(target);
				SBDebugger::Destroy(debugger);
				SBModule::GarbageCollectAllocatedModules();

				return 0;
				}

lldb/tools/lldb-fuzzer/utils/CMakeLists.txt

This file was added.

				add_lldb_library(lldbFuzzerUtils
				TempFile.cpp

				LINK_COMPONENTS
				Support
				)

lldb/tools/lldb-fuzzer/utils/TempFile.h

This file was added.

				//===-- TempFile.h ----------------------------------------------- C++ --===//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#include "llvm/ADT/SmallString.h"
				#include "llvm/ADT/StringRef.h"
				#include "llvm/Support/Error.h"

				namespace lldb_fuzzer {

				class TempFile {
				public:
				TempFile() = default;
				~TempFile();

				static std::unique_ptr<TempFile> Create(uint8_t *data, size_t size);
				llvm::StringRef GetPath() { return m_path.str(); }

				private:
				llvm::SmallString<128> m_path;
				};

				} // namespace lldb_fuzzer

lldb/tools/lldb-fuzzer/utils/TempFile.cpp

This file was added.

				//===-- TempFile.cpp ------------------------------------------------------===//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				#include "llvm/Support/FileSystem.h"
				#include <TempFile.h>

				using namespace lldb_fuzzer;
				using namespace llvm;

				TempFile::~TempFile() {
				if (!m_path.empty())
				sys::fs::remove(m_path.str(), true);
				}

				std::unique_ptr<TempFile> TempFile::Create(uint8_t *data, size_t size) {
				int fd;
				std::unique_ptr<TempFile> temp_file = std::make_unique<TempFile>();
				std::error_code ec = sys::fs::createTemporaryFile("lldb-fuzzer", "input", fd,
				temp_file->m_path);
				if (ec)
				return nullptr;

				raw_fd_ostream os(fd, true);
				os.write(reinterpret_cast<const char *>(data), size);
				os.close();

				return temp_file;
				}

llvm/docs/FuzzingLLVM.rst

	Show First 20 Lines • Show All 152 Lines • ▼ Show 20 Lines


	.. \|generic fuzzer\| replace:: :ref:`generic fuzzer <fuzzing-llvm-generic>`			.. \|generic fuzzer\| replace:: :ref:`generic fuzzer <fuzzing-llvm-generic>`
	.. \|protobuf fuzzer\|			.. \|protobuf fuzzer\|
	replace:: :ref:`libprotobuf-mutator based fuzzer <fuzzing-llvm-protobuf>`			replace:: :ref:`libprotobuf-mutator based fuzzer <fuzzing-llvm-protobuf>`
	.. \|LLVM IR fuzzer\|			.. \|LLVM IR fuzzer\|
	replace:: :ref:`structured LLVM IR fuzzer <fuzzing-llvm-ir>`			replace:: :ref:`structured LLVM IR fuzzer <fuzzing-llvm-ir>`

				lldb-target-fuzzer
				---------------------

				A \|generic fuzzer\| that interprets inputs as object files and uses them to
				create a target in lldb.

	Mutators and Input Generators			Mutators and Input Generators
	=============================			=============================

	The inputs for a fuzz target are generated via random mutations of a			The inputs for a fuzz target are generated via random mutations of a
	:ref:`corpus <libfuzzer-corpus>`. There are a few options for the kinds of			:ref:`corpus <libfuzzer-corpus>`. There are a few options for the kinds of
	mutations that a fuzzer in LLVM might want.			mutations that a fuzzer in LLVM might want.

	▲ Show 20 Lines • Show All 112 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[lldb] Add a fuzzer for target createClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 418252

lldb/tools/CMakeLists.txt

lldb/tools/lldb-fuzzer/CMakeLists.txt

lldb/tools/lldb-fuzzer/lldb-target-fuzzer.cpp

lldb/tools/lldb-fuzzer/utils/CMakeLists.txt

lldb/tools/lldb-fuzzer/utils/TempFile.h

lldb/tools/lldb-fuzzer/utils/TempFile.cpp

llvm/docs/FuzzingLLVM.rst

[lldb] Add a fuzzer for target create
ClosedPublic