This is an archive of the discontinued LLVM Phabricator instance.

Differential D125037

[pseudo] Add fuzzer for the pseudoparser.
ClosedPublic

Authored by sammccall on May 5 2022, 1:00 PM.

Details

Reviewers
hokein
Commits
rG1616bd9ef4eb: [pseudo] Add fuzzer for the pseudoparser.
Summary

As confirmation, running this locally found 2 crashes:

  • trivial: crashes on file with no tokens
  • lexer: hits an assertion failure on bytes: 0x5c,0xa,0x5c,0x1,0x65,0x5c,0xa

Diff Detail

Event Timeline

sammccall created this revision.May 5 2022, 1:00 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 5 2022, 1:00 PM
Herald added a subscriber: mgorny. · View Herald Transcript
sammccall requested review of this revision.May 5 2022, 1:00 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 5 2022, 1:00 PM
Herald added subscribers: cfe-commits, alextsao1999. · View Herald Transcript
Harbormaster completed remote builds in B162987: Diff 427421.May 5 2022, 1:55 PM
hokein accepted this revision.May 5 2022, 10:25 PM

Nice!

clang-tools-extra/pseudo/fuzzer/Fuzzer.cpp
82

nit: I'd suggest using another name -- O looks similar to the number literal 0.

This revision is now accepted and ready to land.May 5 2022, 10:25 PM
sammccall marked an inline comment as done.May 6 2022, 12:22 AM
sammccall added inline comments.
clang-tools-extra/pseudo/fuzzer/Fuzzer.cpp
82

Realized I can use std::remove_if here instead which is cleaner.

Closed by commit rG1616bd9ef4eb: [pseudo] Add fuzzer for the pseudoparser. (authored by sammccall). · Explain WhyMay 6 2022, 12:22 AM
This revision was automatically updated to reflect the committed changes.
sammccall marked an inline comment as done.
sammccall added a commit: rG1616bd9ef4eb: [pseudo] Add fuzzer for the pseudoparser..
sammccall added a comment.May 6 2022, 12:26 AM

This adds a false dependency between check-clang-pseudo and all of LLVM via the FuzzMutate library.
(We use FuzzerCLI.h, but there's also a bunch of utilities for fuzzing IR).
I'll try to split that library up to avoid the false dependency in a followup.

Revision Contents

PathSize
clang-tools-extra/
pseudo/
1 line
fuzzer/
14 lines
106 lines
16 lines
test/
1 line
4 lines

Diff 427542

clang-tools-extra/pseudo/CMakeLists.txt

include_directories(include) include_directories(include)
include_directories(${CMAKE_CURRENT_BINARY_DIR}/include) include_directories(${CMAKE_CURRENT_BINARY_DIR}/include)
add_subdirectory(lib) add_subdirectory(lib)
add_subdirectory(tool) add_subdirectory(tool)
add_subdirectory(fuzzer)
if(CLANG_INCLUDE_TESTS) if(CLANG_INCLUDE_TESTS)
add_subdirectory(unittests) add_subdirectory(unittests)
add_subdirectory(test) add_subdirectory(test)
endif() endif()

clang-tools-extra/pseudo/fuzzer/CMakeLists.txt

  • This file was added.
set(LLVM_LINK_COMPONENTS
FuzzMutate
Support
)
add_llvm_fuzzer(clang-pseudo-fuzzer
Fuzzer.cpp
DUMMY_MAIN Main.cpp
)
target_link_libraries(clang-pseudo-fuzzer
PRIVATE
clangPseudo
)

clang-tools-extra/pseudo/fuzzer/Fuzzer.cpp

  • This file was added.
//===-- Fuzzer.cpp - Fuzz the pseudoparser --------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "clang-pseudo/DirectiveTree.h"
#include "clang-pseudo/Forest.h"
#include "clang-pseudo/GLR.h"
#include "clang-pseudo/Grammar.h"
#include "clang-pseudo/LRTable.h"
#include "clang-pseudo/Token.h"
#include "clang/Basic/LangOptions.h"
#include "llvm/ADT/StringRef.h"
#include "llvm/Support/MemoryBuffer.h"
#include "llvm/Support/raw_ostream.h"
#include <algorithm>
namespace clang {
namespace pseudo {
namespace {
class Fuzzer {
clang::LangOptions LangOpts = clang::pseudo::genericLangOpts();
std::unique_ptr<Grammar> G;
LRTable T;
bool Print;
public:
Fuzzer(llvm::StringRef GrammarPath, bool Print) : Print(Print) {
llvm::ErrorOr<std::unique_ptr<llvm::MemoryBuffer>> GrammarText =
llvm::MemoryBuffer::getFile(GrammarPath);
if (std::error_code EC = GrammarText.getError()) {
llvm::errs() << "Error: can't read grammar file '" << GrammarPath
<< "': " << EC.message() << "\n";
std::exit(1);
}
std::vector<std::string> Diags;
G = Grammar::parseBNF(GrammarText->get()->getBuffer(), Diags);
if (!Diags.empty()) {
for (const auto &Diag : Diags)
llvm::errs() << Diag << "\n";
std::exit(1);
}
T = LRTable::buildSLR(*G);
}
void operator()(llvm::StringRef Code) {
std::string CodeStr = Code.str(); // Must be null-terminated.
auto RawStream = lex(CodeStr, LangOpts);
auto DirectiveStructure = DirectiveTree::parse(RawStream);
clang::pseudo::chooseConditionalBranches(DirectiveStructure, RawStream);
// FIXME: strip preprocessor directives
auto ParseableStream =
clang::pseudo::stripComments(cook(RawStream, LangOpts));
clang::pseudo::ForestArena Arena;
clang::pseudo::GSS GSS;
auto &Root = glrParse(ParseableStream,
clang::pseudo::ParseParams{*G, T, Arena, GSS});
if (Print)
llvm::outs() << Root.dumpRecursive(*G);
}
};
Fuzzer *Fuzz = nullptr;
} // namespace
} // namespace pseudo
} // namespace clang
extern "C" {
// Set up the fuzzer from command line flags:
// -grammar=<file> (required) - path to cxx.bnf
// -print - used for testing the fuzzer
int LLVMFuzzerInitialize(int *Argc, char ***Argv) {
llvm::StringRef GrammarFile;
bool PrintForest = false;
auto ConsumeArg = [&](llvm::StringRef Arg) -> bool {
hokeinUnsubmitted
Done
ReplyInline Actions

nit: I'd suggest using another name -- O looks similar to the number literal 0.

hokein: nit: I'd suggest using another name -- `O` looks similar to the number literal `0`.
sammccallAuthorUnsubmitted
Done
ReplyInline Actions

Realized I can use std::remove_if here instead which is cleaner.

sammccall: Realized I can use std::remove_if here instead which is cleaner.
if (Arg.consume_front("-grammar=")) {
GrammarFile = Arg;
return true;
} else if (Arg == "-print") {
PrintForest = true;
return true;
}
return false;
};
*Argc = std::remove_if(*Argv + 1, *Argv + *Argc, ConsumeArg) - *Argv;
if (GrammarFile.empty()) {
fprintf(stderr, "Fuzzer needs -grammar=/path/to/cxx.bnf\n");
exit(1);
}
clang::pseudo::Fuzz = new clang::pseudo::Fuzzer(GrammarFile, PrintForest);
return 0;
}
int LLVMFuzzerTestOneInput(uint8_t *Data, size_t Size) {
(*clang::pseudo::Fuzz)(llvm::StringRef(reinterpret_cast<char *>(Data), Size));
return 0;
}
}

clang-tools-extra/pseudo/fuzzer/Main.cpp

  • This file was added.
//===--- Main.cpp - Entry point to sanity check the fuzzer ----------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "llvm/FuzzMutate/FuzzerCLI.h"
extern "C" int LLVMFuzzerInitialize(int *, char ***);
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *, size_t);
int main(int argc, char *argv[]) {
return llvm::runFuzzerOnInputs(argc, argv, LLVMFuzzerTestOneInput,
LLVMFuzzerInitialize);
}

clang-tools-extra/pseudo/test/CMakeLists.txt

set(CLANG_PSEUDO_TEST_DEPS set(CLANG_PSEUDO_TEST_DEPS
clang-pseudo clang-pseudo
clang-pseudo-fuzzer
ClangPseudoTests ClangPseudoTests
) )
foreach(dep FileCheck not count) foreach(dep FileCheck not count)
if(TARGET ${dep}) if(TARGET ${dep})
list(APPEND CLANG_PSEUDO_TEST_DEPS ${dep}) list(APPEND CLANG_PSEUDO_TEST_DEPS ${dep})
endif() endif()
endforeach() endforeach()
Show All 18 Lines

clang-tools-extra/pseudo/test/fuzzer.cpp

  • This file was added.
// RUN: clang-pseudo-fuzzer -grammar=%cxx-bnf-file -print %s | FileCheck %s
int x;
// CHECK: translation-unit := declaration-seq
// CHECK: simple-type-specifier := INT