This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
include/llvm/FuzzMutate/
-
llvm/
-
FuzzMutate/
-
FuzzerCLI.h
-
lib/FuzzMutate/
-
FuzzMutate/
3/5
FuzzerCLI.cpp
-
test/tools/llvm-isel-fuzzer/
-
tools/
-
llvm-isel-fuzzer/
-
execname-options.ll
-
tools/llvm-isel-fuzzer/
-
llvm-isel-fuzzer/
-
llvm-isel-fuzzer.cpp

Differential D37495

llvm-isel-fuzzer: Handle a subset of backend flags in the executable name
ClosedPublic

Authored by bogner on Sep 5 2017, 4:06 PM.

Download Raw Diff

Details

Reviewers

kcc
vsk
morehouse
bogner

Summary

Here we add a secondary option parser to llvm-isel-fuzzer (and provide
it for use with other fuzzers). With this, you can copy the fuzzer to
a name like llvm-isel-fuzzer:aarch64-gisel for a fuzzer that fuzzer
AArch64 with GlobalISel enabled, or fuzzer:x86_64 to fuzz x86, with no
flags required. This should be useful for running these in OSS-Fuzz.

Note that this handrolls a subset of cl::opts to recognize, rather
than embedding a complete command parser for argv[0]. If we find we
really need the flexibility of handling arbitrary options at some
point we can rethink this.

Diff Detail

Event Timeline

bogner created this revision.Sep 5 2017, 4:06 PM

Herald added subscribers: kristof.beyls, igorb, mcrosier, aemerson. · View Herald TranscriptSep 5 2017, 4:06 PM

vsk added inline comments.Sep 5 2017, 4:14 PM

lib/FuzzMutate/FuzzerCLI.cpp
44	If there's a fuzzer writeup in llvm/docs, it might be worth mentioning these option names in it.
61	We might be able to get a tighter test by printing out the args here, then checking for them in filecheck. Pro: default behaviors (e.g gisel => -O0) become clearer. Con: This makes the fuzzer stdout a bit more crowded.

this handrolls a subset of cl::opts to recognize

This sounds good.

But there should be some way to find out which "handrolled subsets" are available.

In D37495#861652, @kcc wrote:

this handrolls a subset of cl::opts to recognize

This sounds good.

But there should be some way to find out which "handrolled subsets" are available.

Sure. I've been planning to write up some overview type docs (possibly pulling the Fuzzing components of LLVM parts out of the libFuzzer docs and expanding on them). I think that's probably the right place for this.

some overview type docs (possibly pulling the Fuzzing components of LLVM parts out of the libFuzzer docs

+1
This should really be a separate doc now.

kcc added inline comments.Sep 5 2017, 7:57 PM

lib/FuzzMutate/FuzzerCLI.cpp
61	I would actually request that we print "Args" to errs() here, with some prefix, e.g.: "Flags deducted from <BinaryName>: -foo -bar" This way it will be trivial to test this and to manually verify the desired effect.

ping. :)
I'd like to add this target to oss-fuzz before the llvm dev meeting (sooooon!)

In D37495#893677, @kcc wrote:

I'd like to add this target to oss-fuzz before the llvm dev meeting (sooooon!)

Oops, I'd started writing up some docs and then got distracted and never looped back to this. I'll commit today or tomorrow.

Committed with the requested changes in r315545

lib/FuzzMutate/FuzzerCLI.cpp
44	I've added some docs in FuzzingLLVM in r315544, and I'll add some notes about this in those docs when I commit.
61	I'll make these print to stderr with a note like "<Binary name>: Injected args: ..."

This revision is now accepted and ready to land.Oct 11 2017, 7:29 PM

bogner closed this revision.Oct 11 2017, 7:29 PM

bogner marked 2 inline comments as done.

Note: This had issues on windows, so I changed it to use '=' instead of ':' and recommitted in 315557

Revision Contents

Path

Size

include/

llvm/

FuzzMutate/

FuzzerCLI.h

12 lines

lib/

FuzzMutate/

FuzzerCLI.cpp

34 lines

test/

tools/

llvm-isel-fuzzer/

execname-options.ll

27 lines

tools/

llvm-isel-fuzzer/

llvm-isel-fuzzer.cpp

1 line

Diff 113927

include/llvm/FuzzMutate/FuzzerCLI.h

	Show All 9 Lines
	// Common logic needed to implement LLVM's fuzz targets' CLIs - including LLVM			// Common logic needed to implement LLVM's fuzz targets' CLIs - including LLVM
	// concepts like cl::opt and libFuzzer concepts like -ignore_remaining_args=1.			// concepts like cl::opt and libFuzzer concepts like -ignore_remaining_args=1.
	//			//
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//

	#ifndef LLVM_FUZZMUTATE_FUZZER_CLI_H			#ifndef LLVM_FUZZMUTATE_FUZZER_CLI_H
	#define LLVM_FUZZMUTATE_FUZZER_CLI_H			#define LLVM_FUZZMUTATE_FUZZER_CLI_H

				#include "llvm/ADT/StringRef.h"
	#include "llvm/Support/DataTypes.h"			#include "llvm/Support/DataTypes.h"

	namespace llvm {			namespace llvm {

	/// Parse cl::opts from a fuzz target commandline.			/// Parse cl::opts from a fuzz target commandline.
	///			///
	/// This handles all arguments after -ignore_remaining_args=1 as cl::opts.			/// This handles all arguments after -ignore_remaining_args=1 as cl::opts.
	void parseFuzzerCLOpts(int ArgC, char *ArgV[]);			void parseFuzzerCLOpts(int ArgC, char *ArgV[]);

				/// Handle backend options that are encoded in the executable name.
				///
				/// Parses some common backend options out of a specially crafted executable
				/// name (argv[0]). For example, a name like llvm-foo-fuzzer:aarch64-gisel might
				/// set up an AArch64 triple and the Global ISel selector. This should be called
				/// before parseFuzzerCLOpts if calling both.
				///
				/// This is meant to be used for environments like OSS-Fuzz that aren't capable
				/// of passing in command line arguments in the normal way.
				void handleExecNameEncodedBEOpts(StringRef ExecName);

	using FuzzerTestFun = int ()(const uint8_t Data, size_t Size);			using FuzzerTestFun = int ()(const uint8_t Data, size_t Size);
	using FuzzerInitFun = int ()(int argc, char ***argv);			using FuzzerInitFun = int ()(int argc, char ***argv);

	/// Runs a fuzz target on the inputs specified on the command line.			/// Runs a fuzz target on the inputs specified on the command line.
	///			///
	/// Useful for testing fuzz targets without linking to libFuzzer. Finds inputs			/// Useful for testing fuzz targets without linking to libFuzzer. Finds inputs
	/// in the argument list in a libFuzzer compatible way.			/// in the argument list in a libFuzzer compatible way.
	int runFuzzerOnInputs(int ArgC, char *ArgV[], FuzzerTestFun TestOne,			int runFuzzerOnInputs(int ArgC, char *ArgV[], FuzzerTestFun TestOne,
	FuzzerInitFun Init = [](int , char **) { return 0; });			FuzzerInitFun Init = [](int , char **) { return 0; });

	} // end llvm namespace			} // end llvm namespace

	#endif // LLVM_FUZZMUTATE_FUZZER_CLI_H			#endif // LLVM_FUZZMUTATE_FUZZER_CLI_H

lib/FuzzMutate/FuzzerCLI.cpp

	//===-- FuzzerCLI.cpp -----------------------------------------------------===//			//===-- FuzzerCLI.cpp -----------------------------------------------------===//
	//			//
	// The LLVM Compiler Infrastructure			// The LLVM Compiler Infrastructure
	//			//
	// This file is distributed under the University of Illinois Open Source			// This file is distributed under the University of Illinois Open Source
	// License. See LICENSE.TXT for details.			// License. See LICENSE.TXT for details.
	//			//
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//

	#include "llvm/FuzzMutate/FuzzerCLI.h"			#include "llvm/FuzzMutate/FuzzerCLI.h"
	#include "llvm/ADT/StringRef.h"			#include "llvm/ADT/Triple.h"
	#include "llvm/Support/CommandLine.h"			#include "llvm/Support/CommandLine.h"
	#include "llvm/Support/Compiler.h"			#include "llvm/Support/Compiler.h"
	#include "llvm/Support/Error.h"			#include "llvm/Support/Error.h"
	#include "llvm/Support/MemoryBuffer.h"			#include "llvm/Support/MemoryBuffer.h"
	#include "llvm/Support/raw_ostream.h"			#include "llvm/Support/raw_ostream.h"

	using namespace llvm;			using namespace llvm;

	void llvm::parseFuzzerCLOpts(int ArgC, char *ArgV[]) {			void llvm::parseFuzzerCLOpts(int ArgC, char *ArgV[]) {
	std::vector<const char *> CLArgs;			std::vector<const char *> CLArgs;
	CLArgs.push_back(ArgV[0]);			CLArgs.push_back(ArgV[0]);

	int I = 1;			int I = 1;
	while (I < ArgC)			while (I < ArgC)
	if (StringRef(ArgV[I++]).equals("-ignore_remaining_args=1"))			if (StringRef(ArgV[I++]).equals("-ignore_remaining_args=1"))
	break;			break;
	while (I < ArgC)			while (I < ArgC)
	CLArgs.push_back(ArgV[I++]);			CLArgs.push_back(ArgV[I++]);

	cl::ParseCommandLineOptions(CLArgs.size(), CLArgs.data());			cl::ParseCommandLineOptions(CLArgs.size(), CLArgs.data());
	}			}

				void llvm::handleExecNameEncodedBEOpts(StringRef ExecName) {
				std::vector<std::string> Args{ExecName};

				StringRef OptString = ExecName.split(':').second;
				if (OptString.empty())
				return;

				SmallVector<StringRef, 4> Opts;
				OptString.split(Opts, '-');
				for (StringRef Opt : Opts) {
				if (Opt.equals("gisel")) {
				vskUnsubmitted Done Reply Inline Actions If there's a fuzzer writeup in llvm/docs, it might be worth mentioning these option names in it. vsk: If there's a fuzzer writeup in llvm/docs, it might be worth mentioning these option names in it.
				bognerAuthorUnsubmitted Not Done Reply Inline Actions I've added some docs in FuzzingLLVM in r315544, and I'll add some notes about this in those docs when I commit. bogner: I've added some docs in FuzzingLLVM in r315544, and I'll add some notes about this in those…
				Args.push_back("-global-isel");
				// For now we default GlobalISel to -O0
				Args.push_back("-O0");
				} else if (Opt.startswith("O")) {
				Args.push_back("-" + Opt.str());
				} else if (auto Arch = Triple::getArchTypeForLLVMName(Opt)) {
				Args.push_back("-mtriple=" + Opt.str());
				} else {
				errs() << ExecName << ": Unknown option: " << Opt << ".\n";
				exit(1);
				}
				}

				std::vector<const char *> CLArgs;
				CLArgs.reserve(Args.size());
				for (std::string &S : Args)
				CLArgs.push_back(S.c_str());
				vskUnsubmitted Done Reply Inline Actions We might be able to get a tighter test by printing out the args here, then checking for them in filecheck. Pro: default behaviors (e.g gisel => -O0) become clearer. Con: This makes the fuzzer stdout a bit more crowded. vsk: We might be able to get a tighter test by printing out the args here, then checking for them in…
				kccUnsubmitted Done Reply Inline Actions I would actually request that we print "Args" to errs() here, with some prefix, e.g.: "Flags deducted from <BinaryName>: -foo -bar" This way it will be trivial to test this and to manually verify the desired effect. kcc: I would actually request that we print "Args" to errs() here, with some prefix, e.g.: "Flags…
				bognerAuthorUnsubmitted Not Done Reply Inline Actions I'll make these print to stderr with a note like "<Binary name>: Injected args: ..." bogner: I'll make these print to stderr with a note like "<Binary name>: Injected args: ..."

				cl::ParseCommandLineOptions(CLArgs.size(), CLArgs.data());
				}

	int llvm::runFuzzerOnInputs(int ArgC, char *ArgV[], FuzzerTestFun TestOne,			int llvm::runFuzzerOnInputs(int ArgC, char *ArgV[], FuzzerTestFun TestOne,
	FuzzerInitFun Init) {			FuzzerInitFun Init) {
	errs() << "*** This tool was not linked to libFuzzer.\n"			errs() << "*** This tool was not linked to libFuzzer.\n"
	<< "*** No fuzzing will be performed.\n";			<< "*** No fuzzing will be performed.\n";
	if (int RC = Init(&ArgC, &ArgV)) {			if (int RC = Init(&ArgC, &ArgV)) {
	errs() << "Initialization failed\n";			errs() << "Initialization failed\n";
	return RC;			return RC;
	}			}
	Show All 22 Lines

test/tools/llvm-isel-fuzzer/execname-options.ll

				; REQUIRES: aarch64-registered-target

				; RUN: echo > %t.input

				; RUN: cp llvm-isel-fuzzer %t.bin:aarch64
				; RUN: %t.bin:aarch64 %t.input 2>&1 \| FileCheck %s

				; RUN: mv %t.bin:aarch64 %t.bin:aarch64-O1
				; RUN: %t.bin:aarch64-O1 %t.input 2>&1 \| FileCheck %s

				; RUN: mv %t.bin:aarch64-O1 %t.bin:O1-aarch64
				; RUN: %t.bin:O1-aarch64 %t.input 2>&1 \| FileCheck %s

				; RUN: mv %t.bin:O1-aarch64 %t.bin:aarch64-gisel
				; RUN: %t.bin:aarch64-gisel %t.input 2>&1 \| FileCheck %s

				; CHECK: Running

				; RUN: mv %t.bin:aarch64-gisel %t.bin:gisel-O0
				; RUN: not %t.bin:gisel-O0 %t.input 2>&1 \| FileCheck -check-prefix=NO-TRIPLE %s

				; NO-TRIPLE: -mtriple must be specified

				; RUN: mv %t.bin:gisel-O0 %t.bin:unexist
				; RUN: not %t.bin:unexist %t.input 2>&1 \| FileCheck -check-prefix=NO-OPT %s

				; NO-OPT: Unknown option:

tools/llvm-isel-fuzzer/llvm-isel-fuzzer.cpp

Show First 20 Lines • Show All 144 Lines • ▼ Show 20 Lines	extern "C" LLVM_ATTRIBUTE_USED int LLVMFuzzerInitialize(int *argc,
char ***argv) {		char ***argv) {
EnableDebugBuffering = true;		EnableDebugBuffering = true;

InitializeAllTargets();		InitializeAllTargets();
InitializeAllTargetMCs();		InitializeAllTargetMCs();
InitializeAllAsmPrinters();		InitializeAllAsmPrinters();
InitializeAllAsmParsers();		InitializeAllAsmParsers();

		handleExecNameEncodedBEOpts(*argv[0]);
parseFuzzerCLOpts(argc, argv);		parseFuzzerCLOpts(argc, argv);

if (TargetTriple.empty()) {		if (TargetTriple.empty()) {
errs() << *argv[0] << ": -mtriple must be specified\n";		errs() << *argv[0] << ": -mtriple must be specified\n";
return 1;		return 1;
}		}

Triple TheTriple = Triple(Triple::normalize(TargetTriple));		Triple TheTriple = Triple(Triple::normalize(TargetTriple));
Show All 38 Lines