This is an archive of the discontinued LLVM Phabricator instance.

llvm-mc-fuzzer: A fuzzing tool for the MC layer.
ClosedPublic

Authored by dsanders on Sep 9 2015, 3:59 AM.

Download Raw Diff

Details

Reviewers

Commits

rG205d1993bbdf: llvm-mc-fuzzer: A fuzzing tool for the MC layer.
rL247786: llvm-mc-fuzzer: A fuzzing tool for the MC layer.

Summary

Only the disassembler is supported in this patch but it has already found a few
issues in the Mips disassembler (mostly invalid instructions being successfully
disassembled).

Diff Detail

Event Timeline

dsanders updated this revision to Diff 34315.Sep 9 2015, 3:59 AM

dsanders retitled this revision from to llvm-mc-fuzzer: A fuzzing tool for the MC layer..

dsanders updated this object.

dsanders added a subscriber: llvm-commits.

The recent threads on libFuzzer inspired me to try it out and llvm-mc-fuzzer is
the result. It seems to be useful and has already found a few issues with the
Mips disassembler, so I thought I'd post the patch to see if there's interest
in bringing this upstream.

I forgot to mention: I also have some python scripts to convert our disassembler test inputs to the raw binary format used by libFuzzer and back. I haven't included those in this patch since they are just quick hacks. They'll need implementing properly to be suitable for upstreaming.

Nice!

Could you please also add a line about your findings
to http://llvm.org/docs/LibFuzzer.html#trophies
(or tell me what to add there) ?

Once committed, I'll add it to the fuzzer bot:
lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer

tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp
23	please use a C++ constant
63	why not vector?
82	Since the command line is unusual (compared to other uses of libFuzzer) please add a comment with usage example(s)
104	Do you really need to copy these here? Why not just pass I.c_str()?
110	Do you need it to be this complex? For assembling you can write a separate target binary

dsanders marked 3 inline comments as done.Sep 10 2015, 2:30 AM

dsanders added inline comments.

tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp
63	I didn't give it much thought. I'll switch it to a vector.
104	Unfortunately, yes but there is an alternate solution. The problem is that c_str() returns a const char * but fuzzer::FuzzerDriver() expects an array of char . It's unsafe to just drop the const-ness so I make a non-const copy. If fuzzer::FuzzerDriver's second was const char * then I could avoid the copy.
110	My thinking was that it would be nice if llvm-mc-fuzzer had a similar command line to llvm-mc. If it's preferred to use a separate binary then I don't mind doing that.

Replaced macro with C++ constant.
Added trophy to libFuzzer documentation.
Changed DataCopy to a std::vector.
Added usage examples.

kcc added inline comments.Sep 10 2015, 10:01 AM

docs/LibFuzzer.rst
432	Links maybe?
tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp
98	typeo: contrain
104	I've just added more interface variants: Can you try this one? int FuzzerDriver(const std::vector<std::string> &Args, UserCallback Callback);
110	Ok, makes sense

Nice! I know Russell had been looking at using fuzz-testing to test
round-tripping through assembly, which seems like a perfect fit for a
libFuzzer-based tool. Russell, is this something that you are still working
on? Maybe llvm-mc-fuzzer will grow that functionality some day.

Sean Silva

I found a number of bugs comparing direct object emission and via assembly with the check_cfc tool. Sean I and spoke about using fuzzing in that area. I expect it would find issues but I haven't done any work on it so no objections if someone wanted to add this to llvm-mc-fuzzer.

Added links to libFuzzer.rst and better explained it.
Fixed contrain -> constrain.
Switched to the new FuzzerDriver() interface.

In D12723#243586, @silvas wrote:

Nice! I know Russell had been looking at using fuzz-testing to test
round-tripping through assembly, which seems like a perfect fit for a
libFuzzer-based tool. Russell, is this something that you are still working
on? Maybe llvm-mc-fuzzer will grow that functionality some day.

Sean Silva

I'm keen to get that functionality too. Mips's move instructions will be a bit troublesome here since many distinct opcodes disassemble to 'move $1, $2' but that string only assembles to a single opcode.

One feature that would be helpful from the Fuzzer is the ability for the callback to be able to classify inputs into various bins. For example, "this input is invalid", "this input disassembled but failed to complete the round trip", "this input completed a round trip but the encodings don't match", etc. At the moment, we need to determine this when converting inputs into test cases which seems redundant when the callback already knew what happened.

tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp
106	That worked nicely. Thanks

One feature that would be helpful from the Fuzzer is the ability for the callback to be able to classify inputs into various bins. For example, "this input is invalid", "this input disassembled but failed to complete the round trip", "this input completed a round trip but the encodings don't match", etc. At the moment, we need to determine this when converting inputs into test cases which seems redundant when the callback already knew what happened.

Yes, I've seen similar requests already.
goFuzz does it this way:

The function must return 1 if the input is interesting in some way (for example, it was parsed successfully, that is, it is lexically correct, go-fuzz will give more priority to such inputs); -1 if the input must not be added to corpus even if gives new coverage; and 0 otherwise; other values are reserved for future use.

So, I'll probably add some similar functionality (probably not in the nearest two weeks though).

LGTM, thanks for doing this!

tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp
128	I would just call fuzzer::FuzzerDriver and not create the "TestOneInput" temporary. But feel free to ignore this comment.

This revision is now accepted and ready to land.Sep 14 2015, 9:23 AM

dsanders closed this revision.Sep 16 2015, 4:51 AM

dsanders marked an inline comment as done.

Revision Contents

Path

Size

docs/

LibFuzzer.rst

4 lines

tools/

llvm-mc-fuzzer/

CMakeLists.txt

18 lines

llvm-mc-fuzzer.cpp

145 lines

Diff 34421

docs/LibFuzzer.rst

Show First 20 Lines • Show All 423 Lines • ▼ Show 20 Lines	* LLVM:
* Clang: https://llvm.org/bugs/show_bug.cgi?id=23057		* Clang: https://llvm.org/bugs/show_bug.cgi?id=23057

* Clang-format: https://llvm.org/bugs/show_bug.cgi?id=23052		* Clang-format: https://llvm.org/bugs/show_bug.cgi?id=23052

* libc++: https://llvm.org/bugs/show_bug.cgi?id=24411		* libc++: https://llvm.org/bugs/show_bug.cgi?id=24411

* llvm-as: https://llvm.org/bugs/show_bug.cgi?id=24639		* llvm-as: https://llvm.org/bugs/show_bug.cgi?id=24639

		* Disassembler: Discovered a class of bug in the Mips disassembler where
		kccUnsubmitted Done Reply Inline Actions Links maybe? kcc: Links maybe?
		instructions would successfully disassemble in ISA's that lack the
		instruction.

.. _pcre2: http://www.pcre.org/		.. _pcre2: http://www.pcre.org/

.. _AFL: http://lcamtuf.coredump.cx/afl/		.. _AFL: http://lcamtuf.coredump.cx/afl/

.. _SanitizerCoverage: http://clang.llvm.org/docs/SanitizerCoverage.html		.. _SanitizerCoverage: http://clang.llvm.org/docs/SanitizerCoverage.html
.. _SanitizerCoverageTraceDataFlow: http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-flow		.. _SanitizerCoverageTraceDataFlow: http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-data-flow
.. _DataFlowSanitizer: http://clang.llvm.org/docs/DataFlowSanitizer.html		.. _DataFlowSanitizer: http://clang.llvm.org/docs/DataFlowSanitizer.html

.. _Heartbleed: http://en.wikipedia.org/wiki/Heartbleed		.. _Heartbleed: http://en.wikipedia.org/wiki/Heartbleed

.. _FuzzerInterface.h: https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/FuzzerInterface.h		.. _FuzzerInterface.h: https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/FuzzerInterface.h

tools/llvm-mc-fuzzer/

This directory was added.

tools/llvm-mc-fuzzer/CMakeLists.txt

This file was added.

				if( LLVM_USE_SANITIZE_COVERAGE )
				include_directories(BEFORE
				${CMAKE_CURRENT_SOURCE_DIR}/../../lib/Fuzzer)

				set(LLVM_LINK_COMPONENTS
				AllTargetsDescs
				AllTargetsDisassemblers
				AllTargetsInfos
				MC
				MCDisassembler
				Support
				)
				add_llvm_tool(llvm-mc-fuzzer
				llvm-mc-fuzzer.cpp)
				target_link_libraries(llvm-mc-fuzzer
				LLVMFuzzerNoMain
				)
				endif()

tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp

This file was added.

				//===--- llvm-mc-fuzzer.cpp - Fuzzer for the MC layer ---------------------===//
				//
				// The LLVM Compiler Infrastructure
				//
				// This file is distributed under the University of Illinois Open Source
				// License. See LICENSE.TXT for details.
				//
				//===----------------------------------------------------------------------===//
				//
				//===----------------------------------------------------------------------===//

				#include "llvm-c/Disassembler.h"
				#include "llvm-c/Target.h"
				#include "llvm/ADT/ArrayRef.h"
				#include "llvm/MC/SubtargetFeature.h"
				#include "llvm/Support/CommandLine.h"
				#include "llvm/Support/raw_ostream.h"
				#include "FuzzerInterface.h"

				using namespace llvm;

				const unsigned AssemblyTextBufSize = 80;

				kccUnsubmitted Done Reply Inline Actions please use a C++ constant kcc: please use a C++ constant
				enum ActionType {
				AC_Assemble,
				AC_Disassemble
				};

				static cl::opt<ActionType>
				Action(cl::desc("Action to perform:"),
				cl::init(AC_Assemble),
				cl::values(clEnumValN(AC_Assemble, "assemble",
				"Assemble a .s file (default)"),
				clEnumValN(AC_Disassemble, "disassemble",
				"Disassemble strings of hex bytes"),
				clEnumValEnd));

				static cl::opt<std::string>
				TripleName("triple", cl::desc("Target triple to assemble for, "
				"see -version for available targets"));

				static cl::opt<std::string>
				MCPU("mcpu",
				cl::desc("Target a specific cpu type (-mcpu=help for details)"),
				cl::value_desc("cpu-name"), cl::init(""));

				static cl::list<std::string>
				MAttrs("mattr", cl::CommaSeparated,
				cl::desc("Target specific attributes (-mattr=help for details)"),
				cl::value_desc("a1,+a2,-a3,..."));
				// The feature string derived from -mattr's values.
				std::string FeaturesStr;

				static cl::list<std::string>
				FuzzerOptions("fuzzer-args", cl::Positional,
				cl::desc("Options to pass to the fuzzer"), cl::ZeroOrMore,
				cl::PositionalEatsArgs);

				void DisassembleOneInput(const uint8_t *Data, size_t Size) {
				char AssemblyText[AssemblyTextBufSize];

				std::vector<uint8_t> DataCopy(Data, Data + Size);

				kccUnsubmitted Done Reply Inline Actions why not vector? kcc: why not vector?
				dsandersAuthorUnsubmitted Done Reply Inline Actions I didn't give it much thought. I'll switch it to a vector. dsanders: I didn't give it much thought. I'll switch it to a vector.
				LLVMDisasmContextRef Ctx = LLVMCreateDisasmCPUFeatures(
				TripleName.c_str(), MCPU.c_str(), FeaturesStr.c_str(), nullptr, 0,
				nullptr, nullptr);
				assert(Ctx);
				uint8_t *p = DataCopy.data();
				unsigned Consumed;
				do {
				Consumed = LLVMDisasmInstruction(Ctx, p, Size, 0, AssemblyText,
				AssemblyTextBufSize);
				Size -= Consumed;
				p += Consumed;
				} while (Consumed != 0);
				LLVMDisasmDispose(Ctx);
				}

				int main(int argc, char **argv) {
				// The command line is unusual compared to other fuzzers due to the need to
				// specify the target. Options like -triple, -mcpu, and -mattr work like
				// their counterparts in llvm-mc, while -fuzzer-args collects options for the
				kccUnsubmitted Done Reply Inline Actions Since the command line is unusual (compared to other uses of libFuzzer) please add a comment with usage example(s) kcc: Since the command line is unusual (compared to other uses of libFuzzer) please add a comment…
				// fuzzer itself.
				//
				// Examples:
				//
				// Fuzz the big-endian MIPS32R6 disassembler using 100,000 inputs of up to
				// 4-bytes each and use the contents of ./corpus as the test corpus:
				// llvm-mc-fuzzer -triple mips-linux-gnu -mcpu=mips32r6 -disassemble \
				// -fuzzer-args -max_len=4 -runs=100000 ./corpus
				//
				// Infinitely fuzz the little-endian MIPS64R2 disassembler with the MSA
				// feature enabled using up to 64-byte inputs:
				// llvm-mc-fuzzer -triple mipsel-linux-gnu -mcpu=mips64r2 -mattr=msa \
				// -disassemble -fuzzer-args ./corpus
				//
				// If your aim is to find instructions that are not tested, then it is
				// advisable to contrain the maximum input size to a single instruction
				kccUnsubmitted Done Reply Inline Actions typeo: contrain kcc: typeo: contrain
				// using -max_len as in the first example. This results in a test corpus of
				// individual instructions that test unique paths. Without this constraint,
				// there will be considerable redundancy in the corpus.

				LLVMInitializeAllTargetInfos();
				LLVMInitializeAllTargetMCs();
				kccUnsubmitted Done Reply Inline Actions Do you really need to copy these here? Why not just pass I.c_str()? kcc: Do you really need to copy these here? Why not just pass I.c_str()?
				dsandersAuthorUnsubmitted Done Reply Inline Actions Unfortunately, yes but there is an alternate solution. The problem is that c_str() returns a const char * but fuzzer::FuzzerDriver() expects an array of char . It's unsafe to just drop the const-ness so I make a non-const copy. If fuzzer::FuzzerDriver's second was const char * then I could avoid the copy. dsanders: Unfortunately, yes but there is an alternate solution. The problem is that c_str() returns a…
				kccUnsubmitted Done Reply Inline Actions I've just added more interface variants: Can you try this one? int FuzzerDriver(const std::vector<std::string> &Args, UserCallback Callback); kcc: I've just added more interface variants: Can you try this one? int FuzzerDriver(const std…
				LLVMInitializeAllDisassemblers();

				dsandersAuthorUnsubmitted Not Done Reply Inline Actions That worked nicely. Thanks dsanders: That worked nicely. Thanks
				cl::ParseCommandLineOptions(argc, argv);

				// Package up features to be passed to target/subtarget
				// We have to pass it via a global since the callback doesn't
				kccUnsubmitted Done Reply Inline Actions Do you need it to be this complex? For assembling you can write a separate target binary kcc: Do you need it to be this complex? For assembling you can write a separate target binary
				dsandersAuthorUnsubmitted Done Reply Inline Actions My thinking was that it would be nice if llvm-mc-fuzzer had a similar command line to llvm-mc. If it's preferred to use a separate binary then I don't mind doing that. dsanders: My thinking was that it would be nice if llvm-mc-fuzzer had a similar command line to llvm-mc.
				kccUnsubmitted Done Reply Inline Actions Ok, makes sense kcc: Ok, makes sense
				// permit any user data.
				if (MAttrs.size()) {
				SubtargetFeatures Features;
				for (unsigned i = 0; i != MAttrs.size(); ++i)
				Features.AddFeature(MAttrs[i]);
				FeaturesStr = Features.getString();
				}

				// Build an argv for libFuzzer to parse.
				std::vector<char *> FuzzerArgv = { argv[0] };
				for (const auto &I : FuzzerOptions) {
				char *Arg = new char[I.size()+1];
				strcpy(Arg, I.c_str());
				FuzzerArgv.push_back(Arg);
				}

				void (TestOneInput)(const uint8_t , size_t) = nullptr;

				kccUnsubmitted Not Done Reply Inline Actions I would just call fuzzer::FuzzerDriver and not create the "TestOneInput" temporary. But feel free to ignore this comment. kcc: I would just call fuzzer::FuzzerDriver and not create the "TestOneInput" temporary. But feel…
				if (Action == AC_Assemble)
				errs() << "error: -assemble is not implemented\n";
				else if (Action == AC_Disassemble)
				TestOneInput = DisassembleOneInput;
				else
				llvm_unreachable("Unknown action");

				auto Result = fuzzer::FuzzerDriver(FuzzerArgv.size(), FuzzerArgv.data(),
				TestOneInput);

				// Clean up the temporary argv.
				FuzzerArgv.erase(FuzzerArgv.begin());
				for (const auto &I : FuzzerArgv)
				delete[] I;

				return Result;
				}