Download Raw Diff

Details

Reviewers

JDevlieghere
mib

Commits

rG46be5faaf034: [lldb/Fuzzer] Add command interpreter fuzzer for LLDB

Summary

This adds a command interpreter fuzzer to LLDB's fuzzing library. The input data from the fuzzer is used as input for the command interpreter. Input data for the fuzzer is guided by a dictionary of keywords used in LLDB, such as "breakpoint", "target" and others.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

cassanova created this revision.Jun 21 2022, 11:17 AM

Herald added a project: Restricted Project. · View Herald TranscriptJun 21 2022, 11:17 AM

Herald added a subscriber: mgorny. · View Herald Transcript

cassanova requested review of this revision.Jun 21 2022, 11:17 AM

Herald added a subscriber: lldb-commits. · View Herald TranscriptJun 21 2022, 11:17 AM

Harbormaster completed remote builds in B171142: Diff 438769.Jun 21 2022, 11:20 AM

JDevlieghere added inline comments.Jun 21 2022, 12:53 PM

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/CMakeLists.txt
4	I assume we don't need this anymore if we're using the dummy target?
22	Shouldn't we use an absolute path for the input dictionary? Something like `${CMAKE_CURRENT_SOURCE_DIR}/inputdictionary.txt`
lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/lldb-commandinterpreter-fuzzer.cpp
45	Why do we need a breakpoint?

cassanova added inline comments.Jun 21 2022, 1:11 PM

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/CMakeLists.txt
4	Yes this isn't necessary anymore, I'll remove it and update the revision.
22	Yes an absolute path is better here, I'll add it and update the revision.
lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/lldb-commandinterpreter-fuzzer.cpp
45	This was a leftover from when I ran this fuzzer with a non-dummy target, removing it doesn't seem to affect the fuzzer so I can take this line out and update the diff.

Removed ObjectYAML link component from CMakeLists file, changed fuzzer invocation to use a relative path for the dictionary file, removed line that sets a breakpoint in the fuzzer's LLDB process.

Harbormaster completed remote builds in B171171: Diff 438810.Jun 21 2022, 1:19 PM

JDevlieghere added inline comments.Jun 21 2022, 1:27 PM

lldb/tools/lldb-fuzzer/CMakeLists.txt
2–3	nit: I'd sort these alphabetically
lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/CMakeLists.txt
16	I don't think this used any longer.
lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/lldb-commandinterpreter-fuzzer.cpp
2–3	ASCII art needs fixing :-)
18	Not used?

mib added inline comments.Jun 21 2022, 1:33 PM

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/lldb-commandinterpreter-fuzzer.cpp
40	Nit: the variable naming does really follow the lldb's style.
40	doesn't *

cassanova added inline comments.Jun 21 2022, 1:41 PM

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/CMakeLists.txt
16	Ok, I can remove this library.
lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/lldb-commandinterpreter-fuzzer.cpp
18	Not in this file, but removing that include causes the compiler to not recognize the llvm and lldb_fuzzer namespaces. That's also fine in this file because neither of those namespaces are used but I still found it strange.
40	Oh shoot, I didn't notice. Would `interpreter` or `ci` be a better variable name?

mib added inline comments.Jun 21 2022, 1:44 PM

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/lldb-commandinterpreter-fuzzer.cpp
40	I was more annoyed by the fact that the variable started with `this`. It's a reserved keyword in C++ and that can it make error prone. However, `ci` is a great candidate for this :)

Sorted subdirectories alphabetically in top-level CMakeLists file.

Removed lldbfuzzer link library in command interpreter CMakeLists file.

Fixed ASCII art in command interpreter source file, renamed thisinterpreter to ci, removed unused include in command interpreter source file.

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/lldb-commandinterpreter-fuzzer.cpp
40	Ah, good point about that. I renamed it to `ci`.

Harbormaster completed remote builds in B171194: Diff 438839.Jun 21 2022, 2:44 PM

Updated ASCII header to work with 80-column limit.

Harbormaster completed remote builds in B171320: Diff 439021.Jun 22 2022, 7:39 AM

LGTM!

This revision is now accepted and ready to land.Jun 22 2022, 10:57 AM

Updated CMakeLists file to save fuzzer artifacts (the files that the fuzzer writes when an input causes the program being fuzzed to fail) to a directory in the user's build directory, instead of saving them in the user's source directory. Also change fuzzer invocation to add a prefix to artifacts so that it is easier to identify them.

Harbormaster completed remote builds in B171387: Diff 439111.Jun 22 2022, 11:36 AM

mib added inline comments.Jun 22 2022, 2:00 PM

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/CMakeLists.txt
18	typo
24	You might want to have a top-level `fuzzer-artifacts` that will have `commandinterpreter-fuzzer-artifacts` as a subdirectory

Added a subdirectory to the top-level build directory. This directory will hold directories for the artifacts of various fuzzers. Also corrected a typo in the command interpreter CMakeLists file.

Harbormaster completed remote builds in B171422: Diff 439158.Jun 22 2022, 2:31 PM

Ship it!

Closed by commit rG46be5faaf034: [lldb/Fuzzer] Add command interpreter fuzzer for LLDB (authored by cassanova). · Explain WhyJun 22 2022, 2:43 PM

This revision was automatically updated to reflect the committed changes.

cassanova added a commit: rG46be5faaf034: [lldb/Fuzzer] Add command interpreter fuzzer for LLDB.

Diff 439163

lldb/tools/lldb-fuzzer/CMakeLists.txt

				add_subdirectory(lldb-commandinterpreter-fuzzer)
	add_subdirectory(lldb-target-fuzzer)			add_subdirectory(lldb-target-fuzzer)
	add_subdirectory(utils)			add_subdirectory(utils)
				JDevlieghereUnsubmitted Not Done Reply Inline Actions nit: I'd sort these alphabetically JDevlieghere: nit: I'd sort these alphabetically

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/CMakeLists.txt

This file was added.

set(LLVM_LINK_COMPONENTS

Support

)

JDevlieghereUnsubmitted

Not Done

I assume we don't need this anymore if we're using the dummy target?

JDevlieghere: I assume we don't need this anymore if we're using the dummy target?

cassanovaAuthorUnsubmitted

Done

Yes this isn't necessary anymore, I'll remove it and update the revision.

cassanova: Yes this isn't necessary anymore, I'll remove it and update the revision.

add_llvm_fuzzer(lldb-commandinterpreter-fuzzer

EXCLUDE_FROM_ALL

lldb-commandinterpreter-fuzzer.cpp

)

if(TARGET lldb-commandinterpreter-fuzzer)

target_include_directories(lldb-commandinterpreter-fuzzer PRIVATE ..)

target_link_libraries(lldb-commandinterpreter-fuzzer

PRIVATE

liblldb

)

JDevlieghereUnsubmitted

Not Done

I don't think this used any longer.

JDevlieghere: I don't think this used any longer.

cassanovaAuthorUnsubmitted

Done

Ok, I can remove this library.

cassanova: Ok, I can remove this library.

# This will create a directory specifically for the fuzzer's artifacts, go to that

# directory and run the fuzzer from there. When the fuzzer exits the input

mibUnsubmitted

Not Done

liblldb

)

- # This will create a directory specifially for the fuzzer's artifacts, go to that

+ # This will create a directory specifically for the fuzzer's artifacts, go to that

# directory and run the fuzzer from there. When the fuzzer exits the input

typo

mib: typo

# artifact that caused it to exit will be written to a directory within the

# build directory

add_custom_target(fuzz-lldb-commandinterpreter

COMMENT "Running the LLDB command interpreter fuzzer..."

JDevlieghereUnsubmitted

Not Done

Shouldn't we use an absolute path for the input dictionary? Something like ${CMAKE_CURRENT_SOURCE_DIR}/inputdictionary.txt

JDevlieghere: Shouldn't we use an absolute path for the input dictionary? Something like…

cassanovaAuthorUnsubmitted

Done

Yes an absolute path is better here, I'll add it and update the revision.

cassanova: Yes an absolute path is better here, I'll add it and update the revision.

COMMAND mkdir -p ${CMAKE_BINARY_DIR}/fuzzer-artifacts/commandinterpreter-artifacts &&

cd ${CMAKE_BINARY_DIR}/fuzzer-artifacts/commandinterpreter-artifacts

mibUnsubmitted

Not Done

You might want to have a top-level fuzzer-artifacts that will have commandinterpreter-fuzzer-artifacts as a subdirectory

mib: You might want to have a top-level `fuzzer-artifacts` that will have `commandinterpreter-fuzzer…

&& $<TARGET_FILE:lldb-commandinterpreter-fuzzer> -dict=${CMAKE_CURRENT_SOURCE_DIR}/inputdictionary.txt -only_ascii=1 -artifact_prefix=commandinterpreter-

USES_TERMINAL

)

endif()

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/inputdictionary.txt

This file was added.

				kw1="breakpoint set"
				kw2="target"
				kw3="run"
				kw4="frame info"

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/lldb-commandinterpreter-fuzzer.cpp

This file was added.

				//===-- lldb-commandinterpreter-fuzzer.cpp -------------------------------===//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				JDevlieghereUnsubmitted Not Done Reply Inline Actions ASCII art needs fixing :-) JDevlieghere: ASCII art needs fixing :-)
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===---------------------------------------------------------------------===//

				#include <string>

				#include "lldb/API/SBCommandInterpreter.h"
				#include "lldb/API/SBCommandInterpreterRunOptions.h"
				#include "lldb/API/SBCommandReturnObject.h"
				#include "lldb/API/SBDebugger.h"
				#include "lldb/API/SBTarget.h"

				using namespace lldb;

				JDevlieghereUnsubmitted Not Done Reply Inline Actions Not used? JDevlieghere: Not used?
				cassanovaAuthorUnsubmitted Done Reply Inline Actions Not in this file, but removing that include causes the compiler to not recognize the llvm and lldb_fuzzer namespaces. That's also fine in this file because neither of those namespaces are used but I still found it strange. cassanova: Not in this file, but removing that include causes the compiler to not recognize the llvm and…
				extern "C" int LLVMFuzzerInitialize(int argc, char **argv) {
				SBDebugger::Initialize();
				return 0;
				}

				extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) {
				// Convert the data into a null-terminated string
				std::string str((char *)data, size);

				// Create a debugger and a dummy target
				SBDebugger debugger = SBDebugger::Create(false);
				SBTarget target = debugger.GetDummyTarget();

				// Create a command interpreter for the current debugger
				// A return object is needed to run the command interpreter
				SBCommandReturnObject ro = SBCommandReturnObject();
				SBCommandInterpreter ci = debugger.GetCommandInterpreter();

				// Use the fuzzer generated input as input for the command interpreter
				if (ci.IsValid()) {
				ci.HandleCommand(str.c_str(), ro, false);
				}
				mibUnsubmitted Not Done Reply Inline Actions Nit: the variable naming does really follow the lldb's style. mib: Nit: the variable naming does really follow the lldb's style.
				mibUnsubmitted Not Done Reply Inline Actions doesn't * mib: doesn't *
				cassanovaAuthorUnsubmitted Done Reply Inline Actions Oh shoot, I didn't notice. Would `interpreter` or `ci` be a better variable name? cassanova: Oh shoot, I didn't notice. Would `interpreter` or `ci` be a better variable name?
				mibUnsubmitted Not Done Reply Inline Actions I was more annoyed by the fact that the variable started with `this`. It's a reserved keyword in C++ and that can it make error prone. However, `ci` is a great candidate for this :) mib: I was more annoyed by the fact that the variable started with `this`. It's a reserved keyword…
				cassanovaAuthorUnsubmitted Done Reply Inline Actions Ah, good point about that. I renamed it to `ci`. cassanova: Ah, good point about that. I renamed it to `ci`.

				debugger.DeleteTarget(target);
				SBDebugger::Destroy(debugger);
				SBModule::GarbageCollectAllocatedModules();

				JDevlieghereUnsubmitted Not Done Reply Inline Actions Why do we need a breakpoint? JDevlieghere: Why do we need a breakpoint?
				cassanovaAuthorUnsubmitted Done Reply Inline Actions This was a leftover from when I ran this fuzzer with a non-dummy target, removing it doesn't seem to affect the fuzzer so I can take this line out and update the diff. cassanova: This was a leftover from when I ran this fuzzer with a non-dummy target, removing it doesn't…
				return 0;
				}

This is an archive of the discontinued LLVM Phabricator instance.

[lldb/Fuzzer] Add command interpreter fuzzer for LLDB
ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 439163

lldb/tools/lldb-fuzzer/CMakeLists.txt

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/CMakeLists.txt

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/inputdictionary.txt

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/lldb-commandinterpreter-fuzzer.cpp

This is an archive of the discontinued LLVM Phabricator instance.

[lldb/Fuzzer] Add command interpreter fuzzer for LLDBClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 439163

lldb/tools/lldb-fuzzer/CMakeLists.txt

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/CMakeLists.txt

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/inputdictionary.txt

lldb/tools/lldb-fuzzer/lldb-commandinterpreter-fuzzer/lldb-commandinterpreter-fuzzer.cpp

[lldb/Fuzzer] Add command interpreter fuzzer for LLDB
ClosedPublic