This is an archive of the discontinued LLVM Phabricator instance.

Differential D32193

More user-friendly libFuzzer flag
ClosedPublic

Authored by george.karpenkov on Apr 18 2017, 2:44 PM.

Details

Reviewers
kcc
Summary

Currently, adding libfuzzer support is quite involved:

  • User needs to manually link libFuzzer.a (which previously they needed to build themselves)
  • User needs to specify coverage flags (-fsanitize-coverage-trace-pc-guard and friends), which are very long, and from my understanding subject to change.
  • When compiling C files, user also would need to link libcxx.

With this patch we aim to simplify the procedure, requiring a single -fsanitize=fuzzer flag instead, which automatically inserts the required options.

Diff Detail

Event Timeline

george.karpenkov created this revision.Apr 18 2017, 2:44 PM
kcc edited edge metadata.Apr 18 2017, 3:31 PM

It makes sense to have some shorter flag combination, I've been asked for it a couple of times.
One more reason for such flag is that I hope to have more/better/other coverage instrumentation and I don't want to make all users change their build rules.

It's not totally clear what such flag combination should be.

-fsanitize=fuzzer is a bit confusing, because it actually behaves differently compared to all other -fsanitize=foo (e.g. it provides main())

Another problem (not on OSX) is with msan. What if the user does -fsanitize=memory,fuzzer?
Right now this needs the libFuzzer itself to be msan-instrumented. :(

But ok, let's start from here

And yes, I'd really appreciate a linux implementation and documentation update.

george.karpenkov added a comment.Apr 18 2017, 3:35 PM

it provides main()

We actually had a counterintuitive behavior while linking libfuzzer with something which has main already:

  • if the target file already has main, it is executed. Lack of LLVMFuzzerTestOneInput is ignored.
  • otherwise, fuzzing is done using LLVMFuzzerTestOneInput.
  • If neither LLVMFuzzerTestOneInputnor main are present, linker complains about the lack of LLVMFuzzerTestOneInput.

We were not able to figure out what causes such behavior, hints will be appreciated.

And yes, I will upload docs and linux support shortly.

kcc added a comment.Apr 18 2017, 3:40 PM

We were not able to figure out what causes such behavior, hints will be appreciated.

This is a linker-dependent behavior, which is hard to predict (a form of ODR violation).
Also depends on the order of the arguments to the linker.
E.g. on Linux:
% cat main.cc
int main() {}
% clang++ main.cc libFuzzer.a && ./a.out

produces a.out with empty main()

% clang++ libFuzzer.a main.cc
main.cc:(.text+0x0): multiple definition of `main'

george.karpenkov updated this revision to Diff 95854.Apr 19 2017, 4:47 PM
george.karpenkov edited the summary of this revision. (Show Details)

I've added and tested linux support, documentation coming in a separate patch (a different repo).

george.karpenkov added a comment.Apr 19 2017, 4:52 PM

Updated documentation in https://reviews.llvm.org/D32257

kcc added a comment.Apr 19 2017, 5:08 PM

Please also add one full test with -fsanitize=fuzzer in lib/Fuzzer/test (probably, will need to create a subdir). Ok to have it in a separate change.

kcc accepted this revision.Apr 19 2017, 5:08 PM

LGTM

This revision is now accepted and ready to land.Apr 19 2017, 5:08 PM
george.karpenkov closed this revision.Apr 24 2017, 11:38 AM

Committed in 301212

george.karpenkov added a comment.Apr 24 2017, 2:47 PM

Please also add one full test

I assume you don't want to simply change the flag in test/CMakeLists.txt to -fsanitize=fuzzer, and you would prefer to specify the coverage explicitly for tests?

As for the test, would you prefer to simply duplicate an existing test, or write a similar new one?

kcc added a comment.Aug 10 2017, 2:56 PM

There is a problem with -fsanitize=fuzzer

It's both a compiler flag and a linker flags (just as -fsanitize=address), which is convenient since the users don't need to specify two flags.
But it's also a trouble because now if you set CFLAGS="-fsanitize=fuzzer" in some build systems (I've hit it in libpng) this flag will also be used for linking during the configure step and will cause failures,
because -fsanitize=fuzzer is supposed to work only with fuzz targets (a library w/o main and with LLVFuzzerTestOneInput).

Thoughts?

george.karpenkov added a comment.Aug 10 2017, 2:58 PM

@kcc hmm that's strange, I did check logic *not* to link libLLVMFuzzer if output is a shared object. What is the output in your case? Is Clang recent?

george.karpenkov added a comment.Aug 10 2017, 2:59 PM

@kcc otherwise even libFuzzer tests would fail, as they produce shared objects.

kcc added a comment.Aug 10 2017, 3:02 PM

I am using TotT clang to build libpng with fsanitize=fuzzer and libpng's configure script fails
configure: error: C compiler cannot create executables

And of course it does!
It creates a tiny .c file with main() and tries to build it:
configure:3306: clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer conftest.c >&5
/tmp/conftest-e56ae6.o: In function `main':
...BUILD/conftest.c:14: multiple definition of `main'

kubamracek added a comment.Aug 10 2017, 3:04 PM

If adding -fsanitize=fuzzer into CFLAGS enables it for linking as well and if that's undesired, how about adding -fno-sanitize=fuzzer into LDFLAGS?

kcc added a comment.Aug 10 2017, 3:11 PM

OMG no.

I was thinking maybe to have a separate linker flag (-lfuzzer? -llibFuzzer? -libFuzzer?).
Yes, annoying to pass another flag, but I don't see a better solution for this. At least not yet

george.karpenkov added a comment.Aug 10 2017, 3:55 PM

@kcc I guess I didn't have this problem yet as somehow on macos the symbol collision seems to be resolved "properly" in most cases.
Honestly the way I would do it is by providing a function run_fuzzer which would take a function pointer with an explicit callback.

But that's a large change, and I assume you would not want that?

For the libpng case, you can not link off-the-shelf library with libFuzzer anyway, right? As it does not have LLVMFuzzerTestOneInput symbol.
So the solution seems to be not to compile it with -fsanitize=fuzzer, but only with coverage flags, and then compile and link the fuzzing driver itself
with -fsanitize=fuzzer.
If there are too many coverage flags (which also keep changing) maybe we could also have -fsanitize=coverage or similar? In the driver then,
-fsanitize=fuzzer would link libc++ and imply -fsanitize=coverage.

kcc added a comment.Aug 10 2017, 4:00 PM
In D32193#838574, @george.karpenkov wrote:

@kcc I guess I didn't have this problem yet as somehow on macos the symbol collision seems to be resolved "properly" in most cases.
Honestly the way I would do it is by providing a function run_fuzzer which would take a function pointer with an explicit callback.

And then all fuzzing engines will have a different API, and we won't have engine interoperability.

But that's a large change, and I assume you would not want that?

For the libpng case, you can not link off-the-shelf library with libFuzzer anyway, right?

It's not the libarary, it's the configure tests that the build system uses (most GNU libraries use it)

As it does not have LLVMFuzzerTestOneInput symbol.
So the solution seems to be not to compile it with -fsanitize=fuzzer, but only with coverage flags, and then compile and link the fuzzing driver itself
with -fsanitize=fuzzer.

Yes.

If there are too many coverage flags (which also keep changing) maybe we could also have -fsanitize=coverage or similar? In the driver then,
-fsanitize=fuzzer would link libc++ and imply -fsanitize=coverage.

Yes, that will probably be ok (except the name. maybe -fsanitize=fuzzer_coverage?)

george.karpenkov added a comment.Aug 10 2017, 4:07 PM

@kcc I'm fine with either name.

kcc added a comment.Aug 10 2017, 4:12 PM

Naming is hard. maybe -fsanitize=fuzzer-no-link?

george.karpenkov added a comment.Aug 10 2017, 4:30 PM

@kcc yeah better than having underscores.

kcc added a comment.Aug 10 2017, 4:39 PM

Than -fsanitize=fuzzer-no-link :)
Will you have time to make this change?

george.karpenkov added a comment.Aug 10 2017, 4:43 PM

@kcc OK I think we need it anyway, since relying on correct "main" resolution is fragile.

Revision Contents

PathSize
include/
clang/
Basic/
3 lines
Driver/
1 line
lib/
Driver/
4 lines
ToolChains/
2 lines
15 lines
1 line
test/
Driver/
15 lines

Diff 95628

include/clang/Basic/Sanitizers.def

Show First 20 LinesShow All 41 Lines▼ Show 20 Lines
SANITIZER("address", Address) SANITIZER("address", Address)
// Kernel AddressSanitizer (KASan) // Kernel AddressSanitizer (KASan)
SANITIZER("kernel-address", KernelAddress) SANITIZER("kernel-address", KernelAddress)
// MemorySanitizer // MemorySanitizer
SANITIZER("memory", Memory) SANITIZER("memory", Memory)
// libFuzzer
SANITIZER("fuzzer", Fuzzer)
// ThreadSanitizer // ThreadSanitizer
SANITIZER("thread", Thread) SANITIZER("thread", Thread)
// LeakSanitizer // LeakSanitizer
SANITIZER("leak", Leak) SANITIZER("leak", Leak)
// UndefinedBehaviorSanitizer // UndefinedBehaviorSanitizer
SANITIZER("alignment", Alignment) SANITIZER("alignment", Alignment)
▲ Show 20 LinesShow All 77 LinesShow Last 20 Lines

include/clang/Driver/SanitizerArgs.h

Show First 20 LinesShow All 44 Lines▼ Show 20 Lines
public: public:
/// Parses the sanitizer arguments from an argument list. /// Parses the sanitizer arguments from an argument list.
SanitizerArgs(const ToolChain &TC, const llvm::opt::ArgList &Args); SanitizerArgs(const ToolChain &TC, const llvm::opt::ArgList &Args);
bool needsAsanRt() const { return Sanitizers.has(SanitizerKind::Address); } bool needsAsanRt() const { return Sanitizers.has(SanitizerKind::Address); }
bool needsSharedAsanRt() const { return AsanSharedRuntime; } bool needsSharedAsanRt() const { return AsanSharedRuntime; }
bool needsTsanRt() const { return Sanitizers.has(SanitizerKind::Thread); } bool needsTsanRt() const { return Sanitizers.has(SanitizerKind::Thread); }
bool needsMsanRt() const { return Sanitizers.has(SanitizerKind::Memory); } bool needsMsanRt() const { return Sanitizers.has(SanitizerKind::Memory); }
bool needsFuzzer() const { return Sanitizers.has(SanitizerKind::Fuzzer); }
bool needsLsanRt() const { bool needsLsanRt() const {
return Sanitizers.has(SanitizerKind::Leak) && return Sanitizers.has(SanitizerKind::Leak) &&
!Sanitizers.has(SanitizerKind::Address); !Sanitizers.has(SanitizerKind::Address);
} }
bool needsUbsanRt() const; bool needsUbsanRt() const;
bool needsDfsanRt() const { return Sanitizers.has(SanitizerKind::DataFlow); } bool needsDfsanRt() const { return Sanitizers.has(SanitizerKind::DataFlow); }
bool needsSafeStackRt() const { bool needsSafeStackRt() const {
return Sanitizers.has(SanitizerKind::SafeStack); return Sanitizers.has(SanitizerKind::SafeStack);
Show All 20 Lines

lib/Driver/SanitizerArgs.cpp

Show First 20 LinesShow All 259 Lines▼ Show 20 Lines if (Arg->getOption().matches(options::OPT_fsanitize_EQ)) {
Add = expandSanitizerGroups(Add); Add = expandSanitizerGroups(Add);
// Group expansion may have enabled a sanitizer which is disabled later. // Group expansion may have enabled a sanitizer which is disabled later.
Add &= ~AllRemove; Add &= ~AllRemove;
// Silently discard any unsupported sanitizers implicitly enabled through // Silently discard any unsupported sanitizers implicitly enabled through
// group expansion. // group expansion.
Add &= ~InvalidTrappingKinds; Add &= ~InvalidTrappingKinds;
Add &= Supported; Add &= Supported;
// Enable coverage if the fuzzing flag is set.
if (Add & Fuzzer)
CoverageFeatures |= CoverageTracePCGuard | CoverageIndirCall | CoverageTraceCmp;
Kinds |= Add; Kinds |= Add;
} else if (Arg->getOption().matches(options::OPT_fno_sanitize_EQ)) { } else if (Arg->getOption().matches(options::OPT_fno_sanitize_EQ)) {
Arg->claim(); Arg->claim();
SanitizerMask Remove = parseArgValues(D, Arg, true); SanitizerMask Remove = parseArgValues(D, Arg, true);
AllRemove |= expandSanitizerGroups(Remove); AllRemove |= expandSanitizerGroups(Remove);
} }
} }
▲ Show 20 LinesShow All 572 LinesShow Last 20 Lines

lib/Driver/ToolChains/Darwin.h

Show First 20 LinesShow All 148 Lines▼ Show 20 Linespublic:
/// Add the linker arguments to link the ARC runtime library. /// Add the linker arguments to link the ARC runtime library.
virtual void AddLinkARCArgs(const llvm::opt::ArgList &Args, virtual void AddLinkARCArgs(const llvm::opt::ArgList &Args,
llvm::opt::ArgStringList &CmdArgs) const {} llvm::opt::ArgStringList &CmdArgs) const {}
/// Add the linker arguments to link the compiler runtime library. /// Add the linker arguments to link the compiler runtime library.
virtual void AddLinkRuntimeLibArgs(const llvm::opt::ArgList &Args, virtual void AddLinkRuntimeLibArgs(const llvm::opt::ArgList &Args,
llvm::opt::ArgStringList &CmdArgs) const; llvm::opt::ArgStringList &CmdArgs) const;
void AddLinkToFuzzer(const llvm::opt::ArgList &Args,
llvm::opt::ArgStringList &CmdArgs) const;
virtual void addStartObjectFileArgs(const llvm::opt::ArgList &Args, virtual void addStartObjectFileArgs(const llvm::opt::ArgList &Args,
llvm::opt::ArgStringList &CmdArgs) const { llvm::opt::ArgStringList &CmdArgs) const {
} }
virtual void addMinVersionArgs(const llvm::opt::ArgList &Args, virtual void addMinVersionArgs(const llvm::opt::ArgList &Args,
llvm::opt::ArgStringList &CmdArgs) const {} llvm::opt::ArgStringList &CmdArgs) const {}
▲ Show 20 LinesShow All 324 LinesShow Last 20 Lines

lib/Driver/ToolChains/Darwin.cpp

Show First 20 LinesShow All 924 Lines▼ Show 20 Lines if (AddRPath) {
// Add the path to the resource dir to rpath to support using the dylib // Add the path to the resource dir to rpath to support using the dylib
// from the default location without copying. // from the default location without copying.
CmdArgs.push_back("-rpath"); CmdArgs.push_back("-rpath");
CmdArgs.push_back(Args.MakeArgString(Dir)); CmdArgs.push_back(Args.MakeArgString(Dir));
} }
} }
void MachO::AddFuzzerLinkArgs(const ArgList &Args, ArgStringList &CmdArgs) const {
// Go up one directory from Clang to find the libfuzzer archive file.
StringRef ParentDir = llvm::sys::path::parent_path(getDriver().InstalledDir);
SmallString<128> P(ParentDir);
llvm::sys::path::append(P, "lib", "libLLVMFuzzer.a");
CmdArgs.push_back(Args.MakeArgString(P));
// Libfuzzer is written in C++ and requires libcxx.
AddCXXStdlibLibArgs(Args, CmdArgs);
}
StringRef Darwin::getPlatformFamily() const { StringRef Darwin::getPlatformFamily() const {
switch (TargetPlatform) { switch (TargetPlatform) {
case DarwinPlatformKind::MacOS: case DarwinPlatformKind::MacOS:
return "MacOSX"; return "MacOSX";
case DarwinPlatformKind::IPhoneOS: case DarwinPlatformKind::IPhoneOS:
case DarwinPlatformKind::IPhoneOSSimulator: case DarwinPlatformKind::IPhoneOSSimulator:
return "iPhone"; return "iPhone";
case DarwinPlatformKind::TvOS: case DarwinPlatformKind::TvOS:
▲ Show 20 LinesShow All 93 Lines▼ Show 20 Linesvoid DarwinClang::AddLinkRuntimeLibArgs(const ArgList &Args,
const SanitizerArgs &Sanitize = getSanitizerArgs(); const SanitizerArgs &Sanitize = getSanitizerArgs();
if (Sanitize.needsAsanRt()) if (Sanitize.needsAsanRt())
AddLinkSanitizerLibArgs(Args, CmdArgs, "asan"); AddLinkSanitizerLibArgs(Args, CmdArgs, "asan");
if (Sanitize.needsUbsanRt()) if (Sanitize.needsUbsanRt())
AddLinkSanitizerLibArgs(Args, CmdArgs, "ubsan"); AddLinkSanitizerLibArgs(Args, CmdArgs, "ubsan");
if (Sanitize.needsTsanRt()) if (Sanitize.needsTsanRt())
AddLinkSanitizerLibArgs(Args, CmdArgs, "tsan"); AddLinkSanitizerLibArgs(Args, CmdArgs, "tsan");
if (Sanitize.needsFuzzer())
AddFuzzerLinkArgs(Args, CmdArgs);
if (Sanitize.needsStatsRt()) { if (Sanitize.needsStatsRt()) {
StringRef OS = isTargetMacOS() ? "osx" : "iossim"; StringRef OS = isTargetMacOS() ? "osx" : "iossim";
AddLinkRuntimeLib(Args, CmdArgs, AddLinkRuntimeLib(Args, CmdArgs,
(Twine("libclang_rt.stats_client_") + OS + ".a").str(), (Twine("libclang_rt.stats_client_") + OS + ".a").str(),
/*AlwaysLink=*/true); /*AlwaysLink=*/true);
AddLinkSanitizerLibArgs(Args, CmdArgs, "stats"); AddLinkSanitizerLibArgs(Args, CmdArgs, "stats");
} }
if (Sanitize.needsEsanRt()) if (Sanitize.needsEsanRt())
▲ Show 20 LinesShow All 836 Lines▼ Show 20 Lines if (isTargetIOSBased() || isTargetWatchOSBased() ||
return; return;
getDriver().Diag(diag::err_arc_unsupported_on_toolchain); getDriver().Diag(diag::err_arc_unsupported_on_toolchain);
} }
SanitizerMask Darwin::getSupportedSanitizers() const { SanitizerMask Darwin::getSupportedSanitizers() const {
const bool IsX86_64 = getTriple().getArch() == llvm::Triple::x86_64; const bool IsX86_64 = getTriple().getArch() == llvm::Triple::x86_64;
SanitizerMask Res = ToolChain::getSupportedSanitizers(); SanitizerMask Res = ToolChain::getSupportedSanitizers();
Res |= SanitizerKind::Address; Res |= SanitizerKind::Address;
Res |= SanitizerKind::Fuzzer;
if (isTargetMacOS()) { if (isTargetMacOS()) {
if (!isMacosxVersionLT(10, 9)) if (!isMacosxVersionLT(10, 9))
Res |= SanitizerKind::Vptr; Res |= SanitizerKind::Vptr;
Res |= SanitizerKind::SafeStack; Res |= SanitizerKind::SafeStack;
if (IsX86_64) if (IsX86_64)
Res |= SanitizerKind::Thread; Res |= SanitizerKind::Thread;
} else if (isTargetIOSSimulator() || isTargetTvOSSimulator()) { } else if (isTargetIOSSimulator() || isTargetTvOSSimulator()) {
if (IsX86_64) if (IsX86_64)
Res |= SanitizerKind::Thread; Res |= SanitizerKind::Thread;
} }
return Res; return Res;
} }
void Darwin::printVerboseInfo(raw_ostream &OS) const { void Darwin::printVerboseInfo(raw_ostream &OS) const {
CudaInstallation.print(OS); CudaInstallation.print(OS);
} }

lib/Driver/ToolChains/Linux.cpp

Show First 20 LinesShow All 863 Lines▼ Show 20 Lines const bool IsPowerPC64 = getTriple().getArch() == llvm::Triple::ppc64 ||
getTriple().getArch() == llvm::Triple::ppc64le; getTriple().getArch() == llvm::Triple::ppc64le;
const bool IsAArch64 = getTriple().getArch() == llvm::Triple::aarch64 || const bool IsAArch64 = getTriple().getArch() == llvm::Triple::aarch64 ||
getTriple().getArch() == llvm::Triple::aarch64_be; getTriple().getArch() == llvm::Triple::aarch64_be;
const bool IsArmArch = getTriple().getArch() == llvm::Triple::arm || const bool IsArmArch = getTriple().getArch() == llvm::Triple::arm ||
llvm::Triple::thumb || llvm::Triple::armeb || llvm::Triple::thumb || llvm::Triple::armeb ||
llvm::Triple::thumbeb; llvm::Triple::thumbeb;
SanitizerMask Res = ToolChain::getSupportedSanitizers(); SanitizerMask Res = ToolChain::getSupportedSanitizers();
Res |= SanitizerKind::Address; Res |= SanitizerKind::Address;
Res |= SanitizerKind::Fuzzer;
Res |= SanitizerKind::KernelAddress; Res |= SanitizerKind::KernelAddress;
Res |= SanitizerKind::Vptr; Res |= SanitizerKind::Vptr;
Res |= SanitizerKind::SafeStack; Res |= SanitizerKind::SafeStack;
if (IsX86_64 || IsMIPS64 || IsAArch64) if (IsX86_64 || IsMIPS64 || IsAArch64)
Res |= SanitizerKind::DataFlow; Res |= SanitizerKind::DataFlow;
if (IsX86_64 || IsMIPS64 || IsAArch64 || IsX86 || IsArmArch) if (IsX86_64 || IsMIPS64 || IsAArch64 || IsX86 || IsArmArch)
Res |= SanitizerKind::Leak; Res |= SanitizerKind::Leak;
if (IsX86_64 || IsMIPS64 || IsAArch64 || IsPowerPC64) if (IsX86_64 || IsMIPS64 || IsAArch64 || IsPowerPC64)
Show All 22 Lines

test/Driver/fuzzer.c

  • This file was added.
// Test flags inserted by -fsanitize=fuzzer.
// RUN: %clang -fsanitize=fuzzer %s -### 2>&1 | FileCheck --check-prefixes=CHECK-FUZZER-LIB,CHECK-LIBCXX,CHECK-COVERAGE-FLAGS %s
//
// CHECK-FUZZER-LIB: libLLVMFuzzer.a
// CHECK-LIBCXX: -lc++
// CHECK-COVERAGE: -fsanitize-coverage-trace-pc-guard
// CHECK-COVERAGE-SAME: -fsanitize-coverage-indirect-calls
// CHECK-COVERAGE-SAME: -fsanitize-coverage-trace-cmp
// RUN: %clang -fsanitize=fuzzer %s
int LLVMFuzzerTestOneInput(const char *Data, long Size) {
return 0;
}