This is an archive of the discontinued LLVM Phabricator instance.

Differential D143784

[libc] Add basic fuzz target for the printf parser
ClosedPublic

Authored by michaelrj on Feb 10 2023, 3:03 PM.

Details

Reviewers
sivachandra
lntue
Commits
rGf6b724f1f9c8: [libc] Add basic fuzz target for the printf parser
Summary

The goal is to fuzz the entirety of printf, but the plan is to do it in
pieces for simplicity. This test fuzzes just the parser, while later
tests will fuzz the converters. This also adds a mock version of the
arg_list class.

Diff Detail

Event Timeline

michaelrj created this revision.Feb 10 2023, 3:03 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptFeb 10 2023, 3:03 PM
Herald added subscribers: libc-commits, ecnelises, tschuett. · View Herald Transcript
michaelrj requested review of this revision.Feb 10 2023, 3:03 PM
Harbormaster completed remote builds in B213158: Diff 496611.Feb 10 2023, 3:32 PM
sivachandra added a comment.Feb 10 2023, 4:26 PM

I think the main fuzzer file is missing.

michaelrj updated this revision to Diff 497033.Feb 13 2023, 10:10 AM

include main fuzzer file that I forgot

Harbormaster completed remote builds in B213460: Diff 497033.Feb 13 2023, 10:52 AM
sivachandra added inline comments.Feb 13 2023, 12:53 PM
libc/fuzzing/stdio/mock_arg_list.h
18 ↗(On Diff #497033)

It's not clear to me as to how this MockArgList is helping the fuzzer. Can please add comments explaining this?

33 ↗(On Diff #497033)

This is not a virtual function. So, who/what is supposed to make use of this method?

libc/fuzzing/stdio/printf_parser_fuzz.cpp
21

Please add a detailed comment about the fuzzing strategy that is being employed here.

michaelrj updated this revision to Diff 497471.Feb 14 2023, 4:10 PM
michaelrj marked 3 inline comments as done.

Add comment about how the fuzzer is intended to work.
Redo mock arg list so that it actually works.

Harbormaster completed remote builds in B213759: Diff 497471.Feb 14 2023, 4:36 PM
sivachandra added inline comments.Feb 15 2023, 3:32 PM
libc/fuzzing/stdio/printf_parser_fuzz.cpp
41

Other than passing it to the Parser constructor, I don't see mock_arg_list being used anywhere. What am I missing?

libc/src/__support/arg_list.h
37 ↗(On Diff #497471)

I am assuming that the use of this class is to get the number of args read out from the list. So, my suggestion is as follows. I would really not add a comment referencing printf or fuzz testing here. Also, you can add a mock class here unconditionally. The condition should be at the usage-site, which is the Parser class and the fuzzer, something like:

#ifdef LIBC_COPT_PRINTF_PARSER_WITH_MOCK_ARGS // Or a better name
using ArgProvider = MockArgList;
#else
using ArgProvider = ArgList;
#endif

Update Parser to take ArgProvider.

66 ↗(On Diff #497471)

Since it is a mock, you can just return T(); and avoid implicit type casts and the void* specialization. Also, instead of overloading next_var to read the args fetched, you can add a new method, say:

size_t read_count() const { return arg_counter; }
michaelrj updated this revision to Diff 497838.Feb 15 2023, 4:09 PM
michaelrj marked 3 inline comments as done.

move ArgList changes to https://reviews.llvm.org/D144145

libc/fuzzing/stdio/printf_parser_fuzz.cpp
41

You're not missing anything. The mock arg list is just there so that the program doesn't crash when the parser starts requesting arguments. It needs to respond with some value, but what that value actually is doesn't matter right now. Later I'll hopefully add a separate fuzz test that does check that the arguments were read in the right order, but this works for now.

libc/src/__support/arg_list.h
37 ↗(On Diff #497471)

This seemed to be getting larger than should be in this patch, so I've split the ArgList changes into this other patch: https://reviews.llvm.org/D144145

michaelrj added a parent revision: D144145: [libc] add mock arg list.Feb 15 2023, 4:10 PM
Harbormaster completed remote builds in B214017: Diff 497838.Feb 15 2023, 4:42 PM
michaelrj updated this revision to Diff 498112.Feb 16 2023, 11:48 AM

rebase

Harbormaster completed remote builds in B214229: Diff 498112.Feb 16 2023, 1:26 PM
sivachandra accepted this revision.Feb 16 2023, 10:38 PM
This revision is now accepted and ready to land.Feb 16 2023, 10:38 PM
This revision was landed with ongoing or failed builds.Feb 17 2023, 11:18 AM
Closed by commit rGf6b724f1f9c8: [libc] Add basic fuzz target for the printf parser (authored by michaelrj). · Explain Why
This revision was automatically updated to reflect the committed changes.
michaelrj added a commit: rGf6b724f1f9c8: [libc] Add basic fuzz target for the printf parser.

Revision Contents

PathSize
libc/
fuzzing/
1 line
stdio/
9 lines
73 lines
src/
stdio/
printf_core/
19 lines

Diff 498459

libc/fuzzing/CMakeLists.txt

set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer")
add_custom_target(libc-fuzzer) add_custom_target(libc-fuzzer)
add_subdirectory(math) add_subdirectory(math)
add_subdirectory(stdlib) add_subdirectory(stdlib)
add_subdirectory(stdio)
add_subdirectory(string) add_subdirectory(string)

libc/fuzzing/stdio/CMakeLists.txt

  • This file was added.
add_libc_fuzzer(
printf_parser_fuzz
SRCS
printf_parser_fuzz.cpp
DEPENDS
libc.src.stdio.printf_core.mock_parser
COMPILE_OPTIONS
-DLIBC_COPT_MOCK_ARG_LIST
)

libc/fuzzing/stdio/printf_parser_fuzz.cpp

  • This file was added.
//===-- printf_parser_fuzz.cpp --------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
///
/// Fuzzing test for llvm-libc qsort implementation.
///
//===----------------------------------------------------------------------===//
#ifndef LIBC_COPT_MOCK_ARG_LIST
#error The printf Parser Fuzzer must be compiled with LIBC_COPT_MOCK_ARG_LIST, and the parser itself must also be compiled with that option when it's linked against the fuzzer.
#endif
#include "src/__support/arg_list.h"
#include "src/stdio/printf_core/parser.h"
#include <stdarg.h>
#include <stdint.h>
sivachandraUnsubmitted
Done
ReplyInline Actions

Please add a detailed comment about the fuzzing strategy that is being employed here.

sivachandra: Please add a detailed comment about the fuzzing strategy that is being employed here.
using namespace __llvm_libc;
// The design for the printf parser fuzzer is fairly simple. The parser uses a
// mock arg list that will never fail, and is passed a randomized string. The
// format sections it outputs are checked against a count of the number of '%'
// signs are in the original string. This is a fairly basic test, and the main
// intent is to run this under sanitizers, which will check for buffer overruns.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
char *in_str = new char[size + 1];
for (size_t i = 0; i < size; ++i)
in_str[i] = data[i];
in_str[size] = '\0';
auto mock_arg_list = internal::MockArgList();
auto parser = printf_core::Parser(in_str, mock_arg_list);
sivachandraUnsubmitted
Done
ReplyInline Actions

Other than passing it to the Parser constructor, I don't see mock_arg_list being used anywhere. What am I missing?

sivachandra: Other than passing it to the `Parser` constructor, I don't see `mock_arg_list` being used…
michaelrjAuthorUnsubmitted
Done
ReplyInline Actions

You're not missing anything. The mock arg list is just there so that the program doesn't crash when the parser starts requesting arguments. It needs to respond with some value, but what that value actually is doesn't matter right now. Later I'll hopefully add a separate fuzz test that does check that the arguments were read in the right order, but this works for now.

michaelrj: You're not missing anything. The mock arg list is just there so that the program doesn't crash…
int str_percent_count = 0;
for (size_t i = 0; i < size && in_str[i] != '\0'; ++i) {
if (in_str[i] == '%') {
++str_percent_count;
}
}
int section_percent_count = 0;
for (printf_core::FormatSection cur_section = parser.get_next_section();
!cur_section.raw_string.empty();
cur_section = parser.get_next_section()) {
if (cur_section.has_conv) {
++section_percent_count;
if (cur_section.conv_name == '%') {
++section_percent_count;
}
} else if (cur_section.raw_string[0] == '%') {
// If the conversion would be undefined, it's instead raw, but it still
// starts with a %.
++section_percent_count;
}
}
if (str_percent_count != section_percent_count) {
__builtin_trap();
}
delete[] in_str;
return 0;
}

libc/src/stdio/printf_core/CMakeLists.txt

Show All 20 Lines DEPENDS
libc.src.__support.str_to_integer libc.src.__support.str_to_integer
libc.src.__support.CPP.bit libc.src.__support.CPP.bit
libc.src.__support.CPP.string_view libc.src.__support.CPP.string_view
libc.src.__support.CPP.type_traits libc.src.__support.CPP.type_traits
libc.src.__support.common libc.src.__support.common
) )
add_object_library( add_object_library(
mock_parser
SRCS
parser.cpp
HDRS
parser.h
DEPENDS
.core_structs
libc.src.__support.arg_list
libc.src.__support.ctype_utils
libc.src.__support.str_to_integer
libc.src.__support.CPP.bit
libc.src.__support.CPP.string_view
libc.src.__support.CPP.type_traits
libc.src.__support.common
COMPILE_OPTIONS
-DLIBC_COPT_MOCK_ARG_LIST
)
add_object_library(
string_writer string_writer
SRCS SRCS
string_writer.cpp string_writer.cpp
HDRS HDRS
string_writer.h string_writer.h
DEPENDS DEPENDS
libc.src.__support.CPP.string_view libc.src.__support.CPP.string_view
libc.src.string.memory_utils.memcpy_implementation libc.src.string.memory_utils.memcpy_implementation
▲ Show 20 LinesShow All 92 LinesShow Last 20 Lines