This is an archive of the discontinued LLVM Phabricator instance.

Differential D143784

[libc] Add basic fuzz target for the printf parser
ClosedPublic

Authored by michaelrj on Feb 10 2023, 3:03 PM.

Details

Reviewers
sivachandra
lntue
Commits
rGf6b724f1f9c8: [libc] Add basic fuzz target for the printf parser
Summary

The goal is to fuzz the entirety of printf, but the plan is to do it in
pieces for simplicity. This test fuzzes just the parser, while later
tests will fuzz the converters. This also adds a mock version of the
arg_list class.

Diff Detail

Event Timeline

michaelrj created this revision.Feb 10 2023, 3:03 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptFeb 10 2023, 3:03 PM
Herald added subscribers: libc-commits, ecnelises, tschuett. · View Herald Transcript
michaelrj requested review of this revision.Feb 10 2023, 3:03 PM
Harbormaster completed remote builds in B213158: Diff 496611.Feb 10 2023, 3:32 PM
sivachandra added a comment.Feb 10 2023, 4:26 PM

I think the main fuzzer file is missing.

michaelrj updated this revision to Diff 497033.Feb 13 2023, 10:10 AM

include main fuzzer file that I forgot

Harbormaster completed remote builds in B213460: Diff 497033.Feb 13 2023, 10:52 AM
sivachandra added inline comments.Feb 13 2023, 12:53 PM
libc/fuzzing/stdio/mock_arg_list.h
18

It's not clear to me as to how this MockArgList is helping the fuzzer. Can please add comments explaining this?

33

This is not a virtual function. So, who/what is supposed to make use of this method?

libc/fuzzing/stdio/printf_parser_fuzz.cpp
20

Please add a detailed comment about the fuzzing strategy that is being employed here.

michaelrj updated this revision to Diff 497471.Feb 14 2023, 4:10 PM
michaelrj marked 3 inline comments as done.

Add comment about how the fuzzer is intended to work.
Redo mock arg list so that it actually works.

Harbormaster completed remote builds in B213759: Diff 497471.Feb 14 2023, 4:36 PM
sivachandra added inline comments.Feb 15 2023, 3:32 PM
libc/fuzzing/stdio/printf_parser_fuzz.cpp
41

Other than passing it to the Parser constructor, I don't see mock_arg_list being used anywhere. What am I missing?

libc/src/__support/arg_list.h
37 ↗(On Diff #497471)

I am assuming that the use of this class is to get the number of args read out from the list. So, my suggestion is as follows. I would really not add a comment referencing printf or fuzz testing here. Also, you can add a mock class here unconditionally. The condition should be at the usage-site, which is the Parser class and the fuzzer, something like:

#ifdef LIBC_COPT_PRINTF_PARSER_WITH_MOCK_ARGS // Or a better name
using ArgProvider = MockArgList;
#else
using ArgProvider = ArgList;
#endif

Update Parser to take ArgProvider.

66 ↗(On Diff #497471)

Since it is a mock, you can just return T(); and avoid implicit type casts and the void* specialization. Also, instead of overloading next_var to read the args fetched, you can add a new method, say:

size_t read_count() const { return arg_counter; }
michaelrj updated this revision to Diff 497838.Feb 15 2023, 4:09 PM
michaelrj marked 3 inline comments as done.

move ArgList changes to https://reviews.llvm.org/D144145

libc/fuzzing/stdio/printf_parser_fuzz.cpp
41

You're not missing anything. The mock arg list is just there so that the program doesn't crash when the parser starts requesting arguments. It needs to respond with some value, but what that value actually is doesn't matter right now. Later I'll hopefully add a separate fuzz test that does check that the arguments were read in the right order, but this works for now.

libc/src/__support/arg_list.h
37 ↗(On Diff #497471)

This seemed to be getting larger than should be in this patch, so I've split the ArgList changes into this other patch: https://reviews.llvm.org/D144145

michaelrj added a parent revision: D144145: [libc] add mock arg list.Feb 15 2023, 4:10 PM
Harbormaster completed remote builds in B214017: Diff 497838.Feb 15 2023, 4:42 PM
michaelrj updated this revision to Diff 498112.Feb 16 2023, 11:48 AM

rebase

Harbormaster completed remote builds in B214229: Diff 498112.Feb 16 2023, 1:26 PM
sivachandra accepted this revision.Feb 16 2023, 10:38 PM
This revision is now accepted and ready to land.Feb 16 2023, 10:38 PM
This revision was landed with ongoing or failed builds.Feb 17 2023, 11:18 AM
Closed by commit rGf6b724f1f9c8: [libc] Add basic fuzz target for the printf parser (authored by michaelrj). · Explain Why
This revision was automatically updated to reflect the committed changes.
michaelrj added a commit: rGf6b724f1f9c8: [libc] Add basic fuzz target for the printf parser.

Revision Contents

PathSize
libc/
fuzzing/
1 line
stdio/
17 lines
42 lines
75 lines

Diff 497033

libc/fuzzing/CMakeLists.txt

set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer")
add_custom_target(libc-fuzzer) add_custom_target(libc-fuzzer)
add_subdirectory(math) add_subdirectory(math)
add_subdirectory(stdlib) add_subdirectory(stdlib)
add_subdirectory(stdio)
add_subdirectory(string) add_subdirectory(string)

libc/fuzzing/stdio/CMakeLists.txt

  • This file was added.
add_header_library(
mock_arg_list
HDRS
mock_arg_list.h
DEPENDS
libc.src.__support.arg_list
libc.src.__support.common
)
add_libc_fuzzer(
printf_parser_fuzz
SRCS
printf_parser_fuzz.cpp
DEPENDS
libc.src.stdio.printf_core.parser
.mock_arg_list
)

libc/fuzzing/stdio/mock_arg_list.h

  • This file was added.
//===-- Mock arg list -------------------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_LIBC_FUZZING_STDIO_MOCK_ARG_LIST_H
#define LLVM_LIBC_FUZZING_STDIO_MOCK_ARG_LIST_H
#include "src/__support/common.h"
#include "src/__support/arg_list.h"
namespace __llvm_libc {
namespace internal {
class MockArgList : public ArgList {
sivachandraUnsubmitted
Done
ReplyInline Actions

It's not clear to me as to how this MockArgList is helping the fuzzer. Can please add comments explaining this?

sivachandra: It's not clear to me as to how this `MockArgList` is helping the fuzzer. Can please add…
int arg_counter = 0;
public:
LIBC_INLINE MockArgList(ArgList any_arg_list) : ArgList(any_arg_list){};
LIBC_INLINE MockArgList(MockArgList &other) : ArgList(other) {
this->arg_counter = other.arg_counter;
}
LIBC_INLINE ~MockArgList() = default;
LIBC_INLINE MockArgList &operator=(MockArgList &rhs) {
arg_counter = rhs.arg_counter;
return *this;
}
template <class T> LIBC_INLINE T next_var() {
sivachandraUnsubmitted
Done
ReplyInline Actions

This is not a virtual function. So, who/what is supposed to make use of this method?

sivachandra: This is not a virtual function. So, who/what is supposed to make use of this method?
++arg_counter;
return static_cast<T>(arg_counter);
}
};
} // namespace internal
} // namespace __llvm_libc
#endif // LLVM_LIBC_FUZZING_STDIO_MOCK_ARG_LIST_H

libc/fuzzing/stdio/printf_parser_fuzz.cpp

  • This file was added.
//===-- printf_parser_fuzz.cpp --------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
///
/// Fuzzing test for llvm-libc qsort implementation.
///
//===----------------------------------------------------------------------===//
#include "mock_arg_list.h"
#include "src/stdio/printf_core/parser.h"
#include <stdarg.h>
#include <stdint.h>
using namespace __llvm_libc;
sivachandraUnsubmitted
Done
ReplyInline Actions

Please add a detailed comment about the fuzzing strategy that is being employed here.

sivachandra: Please add a detailed comment about the fuzzing strategy that is being employed here.
int arglist_func(const char *in_str, size_t size, ...) {
va_list vlist;
va_start(vlist, size);
auto arg_list = internal::ArgList(vlist);
va_end(vlist);
auto mock_arg_list = internal::MockArgList(arg_list);
auto parser = printf_core::Parser(in_str, mock_arg_list);
int str_percent_count = 0;
for (size_t i = 0; i < size && in_str[i] != '\0'; ++i) {
if (in_str[i] == '%') {
++str_percent_count;
}
}
int section_percent_count = 0;
sivachandraUnsubmitted
Done
ReplyInline Actions

Other than passing it to the Parser constructor, I don't see mock_arg_list being used anywhere. What am I missing?

sivachandra: Other than passing it to the `Parser` constructor, I don't see `mock_arg_list` being used…
michaelrjAuthorUnsubmitted
Done
ReplyInline Actions

You're not missing anything. The mock arg list is just there so that the program doesn't crash when the parser starts requesting arguments. It needs to respond with some value, but what that value actually is doesn't matter right now. Later I'll hopefully add a separate fuzz test that does check that the arguments were read in the right order, but this works for now.

michaelrj: You're not missing anything. The mock arg list is just there so that the program doesn't crash…
for (printf_core::FormatSection cur_section = parser.get_next_section();
!cur_section.raw_string.empty();
cur_section = parser.get_next_section()) {
if (cur_section.has_conv) {
++section_percent_count;
if (cur_section.conv_name == '%') {
++section_percent_count;
}
} else if (cur_section.raw_string[0] == '%') {
// If the conversion would be undefined, it's instead raw, but it still
// starts with a %.
++section_percent_count;
}
}
if (str_percent_count != section_percent_count) {
__builtin_trap();
}
return 0;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
char *in_str = new char[size + 1];
for (size_t i = 0; i < size; ++i)
in_str[i] = data[i];
in_str[size] = '\0';
int ret_val = arglist_func(in_str, size);
delete[] in_str;
return ret_val;
}