This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
libc/fuzzing/stdlib/
-
fuzzing/
-
stdlib/
-
CMakeLists.txt
7/7
atof_differential_fuzz.cpp

Differential D149359

[libc] add exception to atof differential fuzz
ClosedPublic

Authored by michaelrj on Apr 27 2023, 10:45 AM.

Download Raw Diff

Details

Reviewers

sivachandra
lntue

Commits

rG377b82a088d4: [libc] add exception to atof differential fuzz

Summary

The differential fuzzer for atof found a bug in glibc's handling of
hexadecimal rounding. Since we can't easily update glibc and we want to
avoid false positives when running the fuzzer, I've added an exception
to skip all hexadecimal subnormal cases.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

michaelrj created this revision.Apr 27 2023, 10:45 AM

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptApr 27 2023, 10:45 AM

Herald added subscribers: libc-commits, ecnelises, tschuett. · View Herald Transcript

michaelrj requested review of this revision.Apr 27 2023, 10:45 AM

Harbormaster completed remote builds in B228609: Diff 517640.Apr 27 2023, 11:11 AM

sivachandra added inline comments.Apr 27 2023, 11:21 AM

libc/fuzzing/stdlib/atof_differential_fuzz.cpp
41	Can there be a way to do this without using `__llvm_libc::atof`?

michaelrj added inline comments.Apr 27 2023, 12:06 PM

libc/fuzzing/stdlib/atof_differential_fuzz.cpp
41	Not really. We need to use some version of `atof`, either the system's or ours. The thing we're trying to detect here is hexadecimal subnormals, and the process for checking that is exactly the process for converting a string to a float.

sivachandra added inline comments.Apr 27 2023, 12:34 PM

libc/fuzzing/stdlib/atof_differential_fuzz.cpp
41	Let me rephrase my question: can you detect problem inputs using the system libc `atof`?

switch to system atof for exception detection.

libc/fuzzing/stdlib/atof_differential_fuzz.cpp
41	yes, either `atof` will work.

Harbormaster completed remote builds in B228659: Diff 517698.Apr 27 2023, 2:02 PM

sivachandra added inline comments.Apr 27 2023, 11:42 PM

libc/fuzzing/stdlib/atof_differential_fuzz.cpp
22	A normal way to do this would be to: #ifdef LLVM_LIBC_... ... #else ... #endif And, let users define that macro in the build system. Also, the name of the macro can be more suggestive I think: `LLVM_LIBC_ATOF_DIF_FUZZ_SKIP_GLIBC_HEX_SUBNORMAL_ERR`.
54	If the skip check function can take the size argument, can we skip before making the copy.

address comments

libc/fuzzing/stdlib/atof_differential_fuzz.cpp
54	not really, we need to add the null terminator to the string and to do that we need to copy it into something we can modify.

sivachandra accepted this revision.Apr 28 2023, 11:16 AM

This revision is now accepted and ready to land.Apr 28 2023, 11:16 AM

Harbormaster completed remote builds in B228886: Diff 517998.Apr 28 2023, 11:24 AM

Closed by commit rG377b82a088d4: [libc] add exception to atof differential fuzz (authored by michaelrj). · Explain WhyApr 28 2023, 1:50 PM

This revision was automatically updated to reflect the committed changes.

michaelrj added a commit: rG377b82a088d4: [libc] add exception to atof differential fuzz.

Revision Contents

Path

Size

libc/

fuzzing/

stdlib/

CMakeLists.txt

2 lines

atof_differential_fuzz.cpp

39 lines

Diff 518043

libc/fuzzing/stdlib/CMakeLists.txt

	add_libc_fuzzer(			add_libc_fuzzer(
	qsort_fuzz			qsort_fuzz
	SRCS			SRCS
	qsort_fuzz.cpp			qsort_fuzz.cpp
	DEPENDS			DEPENDS
	libc.src.stdlib.qsort			libc.src.stdlib.qsort
	)			)

	add_libc_fuzzer(			add_libc_fuzzer(
	atof_differential_fuzz			atof_differential_fuzz
	SRCS			SRCS
	atof_differential_fuzz.cpp			atof_differential_fuzz.cpp
	HDRS			HDRS
	StringParserOutputDiff.h			StringParserOutputDiff.h
	DEPENDS			DEPENDS
	libc.src.stdlib.atof			libc.src.stdlib.atof
				COMPILE_OPTIONS
				-DLLVM_LIBC_ATOF_DIF_FUZZ_SKIP_GLIBC_HEX_SUBNORMAL_ERR
	)			)

	add_libc_fuzzer(			add_libc_fuzzer(
	strtofloat_fuzz			strtofloat_fuzz
	SRCS			SRCS
	strtofloat_fuzz.cpp			strtofloat_fuzz.cpp
	DEPENDS			DEPENDS
	libc.src.stdlib.atof			libc.src.stdlib.atof
	▲ Show 20 Lines • Show All 52 Lines • Show Last 20 Lines

libc/fuzzing/stdlib/atof_differential_fuzz.cpp

	Show All 10 Lines
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	#include "src/stdlib/atof.h"			#include "src/stdlib/atof.h"
	#include <stddef.h>			#include <stddef.h>
	#include <stdint.h>			#include <stdint.h>
	#include <stdlib.h>			#include <stdlib.h>

	#include "fuzzing/stdlib/StringParserOutputDiff.h"			#include "fuzzing/stdlib/StringParserOutputDiff.h"

				// TODO: Remove this once glibc fixes hex subnormal rounding. See
				// https://sourceware.org/bugzilla/show_bug.cgi?id=30220
				#ifdef LLVM_LIBC_ATOF_DIF_FUZZ_SKIP_GLIBC_HEX_SUBNORMAL_ERR
				#include <ctype.h>
				sivachandraUnsubmitted Done Reply Inline Actions A normal way to do this would be to: #ifdef LLVM_LIBC_... ... #else ... #endif And, let users define that macro in the build system. Also, the name of the macro can be more suggestive I think: `LLVM_LIBC_ATOF_DIF_FUZZ_SKIP_GLIBC_HEX_SUBNORMAL_ERR`. sivachandra: A normal way to do this would be to: ``` #ifdef LLVM_LIBC_... ... #else ... #endif ``` And…
				constexpr double MIN_NORMAL = 0x1p-1022;

				bool has_hex_prefix(const uint8_t *str) {
				size_t index = 0;

				// Skip over leading whitespace
				while (isspace(str[index])) {
				++index;
				}
				// Skip over sign
				if (str[index] == '-' \|\| str[index] == '+') {
				++index;
				}
				return str[index] == '0' && (tolower(str[index + 1])) == 'x';
				}

				bool should_be_skipped(const uint8_t *str) {
				double init_result = ::atof(reinterpret_cast<const char *>(str));
				if (init_result < 0) {
				sivachandraUnsubmitted Done Reply Inline Actions Can there be a way to do this without using `__llvm_libc::atof`? sivachandra: Can there be a way to do this without using `__llvm_libc::atof`?
				michaelrjAuthorUnsubmitted Done Reply Inline Actions Not really. We need to use some version of `atof`, either the system's or ours. The thing we're trying to detect here is hexadecimal subnormals, and the process for checking that is exactly the process for converting a string to a float. michaelrj: Not really. We need to use some version of `atof`, either the system's or ours. The thing we're…
				sivachandraUnsubmitted Done Reply Inline Actions Let me rephrase my question: can you detect problem inputs using the system libc `atof`? sivachandra: Let me rephrase my question: can you detect problem inputs using the system libc `atof`?
				michaelrjAuthorUnsubmitted Done Reply Inline Actions yes, either `atof` will work. michaelrj: yes, either `atof` will work.
				init_result = -init_result;
				}
				if (init_result < MIN_NORMAL && init_result != 0) {
				return has_hex_prefix(str);
				}
				return false;
				}
				#else
				bool should_be_skipped(const uint8_t *) { return false; }
				#endif // LLVM_LIBC_ATOF_DIF_FUZZ_SKIP_GLIBC_HEX_SUBNORMAL_ERR

	extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {			extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
	uint8_t *container = new uint8_t[size + 1];			uint8_t *container = new uint8_t[size + 1];
				sivachandraUnsubmitted Done Reply Inline Actions If the skip check function can take the size argument, can we skip before making the copy. sivachandra: If the skip check function can take the size argument, can we skip before making the copy.
				michaelrjAuthorUnsubmitted Done Reply Inline Actions not really, we need to add the null terminator to the string and to do that we need to copy it into something we can modify. michaelrj: not really, we need to add the null terminator to the string and to do that we need to copy it…
	if (!container)			if (!container)
	__builtin_trap();			__builtin_trap();
	size_t i;			size_t i;

	for (i = 0; i < size; ++i)			for (i = 0; i < size; ++i)
	container[i] = data[i];			container[i] = data[i];
	container[size] = '\0'; // Add null terminator to container.			container[size] = '\0'; // Add null terminator to container.

	StringParserOutputDiff<double>(&__llvm_libc::atof, &::atof, container, size);			if (!should_be_skipped(container)) {
				StringParserOutputDiff<double>(&__llvm_libc::atof, &::atof, container,
				size);
				}
	delete[] container;			delete[] container;
	return 0;			return 0;
	}			}