Index: clang/cmake/modules/ProtobufMutator.cmake =================================================================== --- clang/cmake/modules/ProtobufMutator.cmake +++ clang/cmake/modules/ProtobufMutator.cmake @@ -1,5 +1,9 @@ include(ExternalProject) -set(PBM_PREFIX protobuf_mutator) + +if (NOT PBM_PREFIX) + set (PBM_PREFIX protobuf_mutator) +endif() + set(PBM_PATH ${CMAKE_CURRENT_BINARY_DIR}/${PBM_PREFIX}/src/${PBM_PREFIX}) set(PBM_LIB_PATH ${PBM_PATH}-build/src/libprotobuf-mutator.a) set(PBM_FUZZ_LIB_PATH ${PBM_PATH}-build/src/libfuzzer/libprotobuf-mutator-libfuzzer.a) Index: clang/tools/clang-fuzzer/handle-cxx/CMakeLists.txt =================================================================== --- clang/tools/clang-fuzzer/handle-cxx/CMakeLists.txt +++ clang/tools/clang-fuzzer/handle-cxx/CMakeLists.txt @@ -11,3 +11,5 @@ clangSerialization clangTooling ) + +target_include_directories(clangHandleCXX PUBLIC .) Index: clang/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt =================================================================== --- clang/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt +++ clang/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt @@ -14,6 +14,8 @@ DEPENDS clangCXXLoopProto LINK_LIBS clangCXXLoopProto ${PROTOBUF_LIBRARIES} ) +target_include_directories(clangProtoToCXX PUBLIC .) +target_include_directories(clangLoopProtoToCXX PUBLIC .) add_clang_executable(clang-proto-to-cxx proto_to_cxx_main.cpp) add_clang_executable(clang-loop-proto-to-cxx loop_proto_to_cxx_main.cpp) Index: lldb/tools/lldb-fuzzer/CMakeLists.txt =================================================================== --- lldb/tools/lldb-fuzzer/CMakeLists.txt +++ lldb/tools/lldb-fuzzer/CMakeLists.txt @@ -1,3 +1,4 @@ add_subdirectory(lldb-commandinterpreter-fuzzer) +add_subdirectory(lldb-expression-fuzzer) add_subdirectory(lldb-target-fuzzer) add_subdirectory(utils) Index: lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/CMakeLists.txt =================================================================== --- /dev/null +++ lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/CMakeLists.txt @@ -0,0 +1,57 @@ +if(CLANG_ENABLE_PROTO_FUZZER) + set(LLVM_LINK_COMPONENTS + Support + ) + + add_llvm_fuzzer(lldb-expression-fuzzer + EXCLUDE_FROM_ALL + lldb-expression-fuzzer.cpp + ) + + if(TARGET lldb-expression-fuzzer) + target_include_directories(lldb-expression-fuzzer PRIVATE ..) + find_package(Protobuf REQUIRED) + add_definitions(-DGOOGLE_PROTOBUF_NO_RTTI) + include_directories(${PROTOBUF_INCLUDE_DIRS}) + include_directories(${CMAKE_CURRENT_BINARY_DIR}/../../../../clang/tools/clang-fuzzer PRIVATE ..) + + set(CLANG_CMAKE_MODULE_PATH + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../clang/cmake/modules) + + set(CMAKE_MODULE_PATH + ${CMAKE_MODULE_PATH} + ${CLANG_CMAKE_MODULE_PATH}) + + + set (PBM_PREFIX lldb_protobuf_mutator) + include(ProtobufMutator) + include_directories(${ProtobufMutator_INCLUDE_DIRS}) + + target_link_libraries(lldb-expression-fuzzer + PRIVATE + ${ProtobufMutator_LIBRARIES} + ${LLVM_LIB_FUZZING_ENGINE} + clangHandleCXX + clangCXXProto + clangProtoToCXX + liblldb + ) + + add_custom_command(TARGET lldb-expression-fuzzer PRE_BUILD + COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_BINARY_DIR}/fuzzer-artifacts/expression-artifacts + # Create and compile a simple C program using the command line. This is + # needed because LLDB's expression evaluator needs a legitmate target + # instead of a dummy target + COMMAND echo 'int main (int argc, char** argv) { return 0\; }' | clang -o main.out -xc - + ) + + # Create a directory for storing the fuzzer's artifacts and run the fuzzer with arguments that will + # not attempt to reduce the size of the inputs being generated + add_custom_target(fuzz-lldb-expression + COMMENT "Running the LLDB expression evaluator fuzzer..." + WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/fuzzer-artifacts/expression-artifacts + COMMAND $ -artifact_prefix=expression- -reduce_inputs=0 + USES_TERMINAL + ) + endif() +endif() Index: lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/cxx_proto.proto =================================================================== --- /dev/null +++ lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/cxx_proto.proto @@ -0,0 +1,92 @@ +//===-- cxx_proto.proto - Protobuf description of C++ ---------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +/// +/// \file +/// This file describes a subset of C++ as a protobuf. It is used to +/// more easily find interesting inputs for fuzzing Clang. +/// +//===----------------------------------------------------------------------===// + +syntax = "proto2"; + +message VarRef { + required int32 varnum = 1; +} + +message Lvalue { + required VarRef varref = 1; +} + +message Const { + required int32 val = 1; +} + +message BinaryOp { + enum Op { + PLUS = 0; + MINUS = 1; + MUL = 2; + DIV = 3; + MOD = 4; + XOR = 5; + AND = 6; + OR = 7; + EQ = 8; + NE = 9; + LE = 10; + GE = 11; + LT = 12; + GT = 13; + }; + required Op op = 1; + required Rvalue left = 2; + required Rvalue right = 3; +} + +message Rvalue { + oneof rvalue_oneof { + VarRef varref = 1; + Const cons = 2; + BinaryOp binop = 3; + } +} + +message AssignmentStatement { + required Lvalue lvalue = 1; + required Rvalue rvalue = 2; +} + + +message IfElse { + required Rvalue cond = 1; + required StatementSeq if_body = 2; + required StatementSeq else_body = 3; +} + +message While { + required Rvalue cond = 1; + required StatementSeq body = 2; +} + +message Statement { + oneof stmt_oneof { + AssignmentStatement assignment = 1; + IfElse ifelse = 2; + While while_loop = 3; + } +} + +message StatementSeq { + repeated Statement statements = 1; +} + +message Function { + required StatementSeq statements = 1; +} + +package clang_fuzzer; Index: lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/lldb-expression-fuzzer.cpp =================================================================== --- /dev/null +++ lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/lldb-expression-fuzzer.cpp @@ -0,0 +1,73 @@ +//===-- lldb-expression-fuzzer.cpp ---------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===---------------------------------------------------------------------===// +// +// \file +// This file is a fuzzer for LLDB's expression evaluator. It uses protobufs +// and the libprotobuf-mutator to create valid C-like inputs for the +// expression evaluator. +// +//===---------------------------------------------------------------------===// + +#include + +#include "cxx_proto.pb.h" +#include "handle_cxx.h" +#include "lldb/API/SBBreakpoint.h" +#include "lldb/API/SBDebugger.h" +#include "lldb/API/SBError.h" +#include "lldb/API/SBLaunchInfo.h" +#include "lldb/API/SBProcess.h" +#include "lldb/API/SBTarget.h" +#include "proto_to_cxx.h" +#include "src/libfuzzer/libfuzzer_macro.h" +#include "llvm/ADT/StringRef.h" +#include "llvm/Support/Error.h" + +using namespace lldb; +using namespace llvm; +using namespace clang_fuzzer; + +char **originalargv; + +extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { + SBDebugger::Initialize(); + + // The path for a simple compiled program is needed to create a + // target for the debugger and that path is passed in through argv + originalargv = *argv; + return 0; +} + +DEFINE_BINARY_PROTO_FUZZER(const clang_fuzzer::Function &input) { + auto S = clang_fuzzer::FunctionToString(input); + + // Get the second argument from argv and strip the '--' from it. + // This will be used as the path for the object file to create a target from + std::string rawpath = originalargv[2]; + StringRef objpath = rawpath.erase(0, 2); + + // Create a debugger and a target + SBDebugger debugger = SBDebugger::Create(false); + SBTarget target = debugger.CreateTarget(objpath.str().c_str()); + + // Create a breakpoint on the only line in the program + SBBreakpoint bp = target.BreakpointCreateByLocation(objpath.str().c_str(), 1); + + // Create launch info and error for launching the process + SBLaunchInfo li = target.GetLaunchInfo(); + SBError error; + + // Launch the process and evaluate the fuzzer's input data + // as an expression + SBProcess process = target.Launch(li, error); + target.EvaluateExpression(S.c_str()); + + debugger.DeleteTarget(target); + SBDebugger::Destroy(debugger); + SBModule::GarbageCollectAllocatedModules(); +}