This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
libc/fuzzing/stdlib/
-
fuzzing/
-
stdlib/
3/3
strtofloat_fuzz.cpp
-
strtointeger_fuzz.cpp

Differential D144208

[libc] use vars in string to num fuzz targets
ClosedPublic

Authored by michaelrj on Feb 16 2023, 11:27 AM.

Download Raw Diff

Details

Reviewers

sivachandra
lntue

Commits

rG62e7bdd22a95: [libc] use vars in string to num fuzz targets

Summary

The string to integer and string to float standalone fuzz targets just
ran the functions and didn't do anything with the output. This was
intentional, since they are intended to be used with sanitizers to
detect buffer overflow bugs. Not using the variables was causing compile
warnings, so this patch adds trivial checks to use the variables.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

michaelrj created this revision.Feb 16 2023, 11:27 AM

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptFeb 16 2023, 11:27 AM

Herald added subscribers: libc-commits, ecnelises, tschuett. · View Herald Transcript

michaelrj requested review of this revision.Feb 16 2023, 11:27 AM

Harbormaster completed remote builds in B214224: Diff 498105.Feb 16 2023, 1:10 PM

lntue added inline comments.Feb 16 2023, 10:23 PM

libc/fuzzing/stdlib/strtofloat_fuzz.cpp
50	Maybe adding an inline function will help with readability here: template <typename T> LIBC_INLINE bool is_nan(T x) { return x != x; }

move to is_nan function, and fix some typos in the comments

Harbormaster completed remote builds in B214508: Diff 498505.Feb 17 2023, 2:16 PM

lntue accepted this revision.Feb 27 2023, 12:25 PM

This revision is now accepted and ready to land.Feb 27 2023, 12:25 PM

sivachandra added inline comments.Feb 27 2023, 12:26 PM

libc/fuzzing/stdlib/strtofloat_fuzz.cpp
20	`LIBC_INLINE` is to be used only in the `src` directory. Else, we are creating an unnecessary dependency.
53	If all of this is present to only silence a compiler warning, and if you really want to check `isnan`, you are better off using the `isnan` predicate from `math.h`.

move to normal inline and isnan

sivachandra accepted this revision.Feb 27 2023, 1:19 PM

This revision was landed with ongoing or failed builds.Feb 27 2023, 1:21 PM

Closed by commit rG62e7bdd22a95: [libc] use vars in string to num fuzz targets (authored by michaelrj). · Explain Why

This revision was automatically updated to reflect the committed changes.

michaelrj added a commit: rG62e7bdd22a95: [libc] use vars in string to num fuzz targets.

Harbormaster completed remote builds in B216296: Diff 500893.Feb 27 2023, 2:27 PM

Revision Contents

Path

Size

libc/

fuzzing/

stdlib/

strtofloat_fuzz.cpp

18 lines

strtointeger_fuzz.cpp

10 lines

Diff 500895

libc/fuzzing/stdlib/strtofloat_fuzz.cpp

	//===-- strtofloat_fuzz.cpp -----------------------------------------------===//			//===-- strtofloat_fuzz.cpp -----------------------------------------------===//
	//			//
	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.			// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
	// See https://llvm.org/LICENSE.txt for license information.			// See https://llvm.org/LICENSE.txt for license information.
	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception			// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
	//			//
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	///			///
	/// Fuzzing test for llvm-libc atof implementation.			/// Fuzzing test for llvm-libc atof implementation.
	///			///
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	#include "src/stdlib/atof.h"			#include "src/stdlib/atof.h"
	#include "src/stdlib/strtod.h"			#include "src/stdlib/strtod.h"
	#include "src/stdlib/strtof.h"			#include "src/stdlib/strtof.h"
	#include "src/stdlib/strtold.h"			#include "src/stdlib/strtold.h"
				#include <math.h>
	#include <stddef.h>			#include <stddef.h>
	#include <stdint.h>			#include <stdint.h>

	extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {			extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
				sivachandraUnsubmitted Done Reply Inline Actions `LIBC_INLINE` is to be used only in the `src` directory. Else, we are creating an unnecessary dependency. sivachandra: `LIBC_INLINE` is to be used only in the `src` directory. Else, we are creating an unnecessary…
	uint8_t *container = new uint8_t[size + 1];			uint8_t *container = new uint8_t[size + 1];
	if (!container)			if (!container)
	__builtin_trap();			__builtin_trap();
	size_t i;			size_t i;

	for (i = 0; i < size; ++i)			for (i = 0; i < size; ++i)
	container[i] = data[i];			container[i] = data[i];
	container[size] = '\0'; // Add null terminator to container.			container[size] = '\0'; // Add null terminator to container.

	const char str_ptr = reinterpret_cast<const char >(container);			const char str_ptr = reinterpret_cast<const char >(container);

	char *out_ptr = nullptr;			char *out_ptr = nullptr;

	// This fuzzer only checks that the alrogithms didn't read beyond the end of			// This fuzzer only checks that the algorithms didn't read beyond the end of
	// the string in container. Combined with sanitizers, this will check that the			// the string in container. Combined with sanitizers, this will check that the
	// code is not reading memory beyond what's expected. This test does not make			// code is not reading memory beyond what's expected. This test does not
	// any attempt to check correctness of the result.			// effectively check the correctness of the result.
	auto volatile atof_output = __llvm_libc::atof(str_ptr);			auto volatile atof_output = __llvm_libc::atof(str_ptr);
	auto volatile strtof_output = __llvm_libc::strtof(str_ptr, &out_ptr);			auto volatile strtof_output = __llvm_libc::strtof(str_ptr, &out_ptr);
	if (str_ptr + size < out_ptr)			if (str_ptr + size < out_ptr)
	__builtin_trap();			__builtin_trap();
	auto volatile strtod_output = __llvm_libc::strtod(str_ptr, &out_ptr);			auto volatile strtod_output = __llvm_libc::strtod(str_ptr, &out_ptr);
	if (str_ptr + size < out_ptr)			if (str_ptr + size < out_ptr)
	__builtin_trap();			__builtin_trap();
	auto volatile strtold_output = __llvm_libc::strtold(str_ptr, &out_ptr);			auto volatile strtold_output = __llvm_libc::strtold(str_ptr, &out_ptr);
	if (str_ptr + size < out_ptr)			if (str_ptr + size < out_ptr)
	__builtin_trap();			__builtin_trap();

				// If any of the outputs are NaN
				if (isnan(atof_output) \|\| isnan(strtof_output) \|\| isnan(strtod_output) \|\|
				lntueUnsubmitted Done Reply Inline Actions Maybe adding an inline function will help with readability here: template <typename T> LIBC_INLINE bool is_nan(T x) { return x != x; } lntue: Maybe adding an inline function will help with readability here: ``` template <typename T>…
				isnan(strtold_output)) {
				// Then all the outputs should be NaN.
				// This is a trivial check meant to silence the "unused variable" warnings.
				sivachandraUnsubmitted Done Reply Inline Actions If all of this is present to only silence a compiler warning, and if you really want to check `isnan`, you are better off using the `isnan` predicate from `math.h`. sivachandra: If all of this is present to only silence a compiler warning, and if you really want to check…
				if (!isnan(atof_output) \|\| !isnan(strtof_output) \|\| !isnan(strtod_output) \|\|
				!isnan(strtold_output)) {
				__builtin_trap();
				}
				}

	delete[] container;			delete[] container;
	return 0;			return 0;
	}			}

libc/fuzzing/stdlib/strtointeger_fuzz.cpp

Show First 20 Lines • Show All 59 Lines • ▼ Show 20 Lines	extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
auto volatile strtoul_output = __llvm_libc::strtoul(str_ptr, &out_ptr, base);		auto volatile strtoul_output = __llvm_libc::strtoul(str_ptr, &out_ptr, base);
if (str_ptr + container_size - 1 < out_ptr)		if (str_ptr + container_size - 1 < out_ptr)
__builtin_trap();		__builtin_trap();
auto volatile strtoull_output =		auto volatile strtoull_output =
__llvm_libc::strtoull(str_ptr, &out_ptr, base);		__llvm_libc::strtoull(str_ptr, &out_ptr, base);
if (str_ptr + container_size - 1 < out_ptr)		if (str_ptr + container_size - 1 < out_ptr)
__builtin_trap();		__builtin_trap();

		// If atoi is non-zero and the base is at least 10
		if (atoi_output != 0 && base >= 10) {
		// Then all of the other functions should output non-zero values as well.
		// This is a trivial check meant to silence the "unused variable" warnings.
		if (atol_output == 0 \|\| atoll_output == 0 \|\| strtol_output == 0 \|\|
		strtoll_output == 0 \|\| strtoul_output == 0 \|\| strtoull_output == 0) {
		__builtin_trap();
		}
		}

delete[] container;		delete[] container;
return 0;		return 0;
}		}