This is an archive of the discontinued LLVM Phabricator instance.

Differential D38855

Add a fuzz target for llvm's ItaniumDemangler.
ClosedPublic

Authored by hctim on Oct 12 2017, 10:47 AM.

Details

Reviewers
morehouse
bogner
Commits
rGe29452b4b7a8: [llvm-demangle-fuzzer] Add a fuzz target for ItaniumDemangler.
rL315716: [llvm-demangle-fuzzer] Add a fuzz target for ItaniumDemangler.

Diff Detail

Repository
rL LLVM

Event Timeline

hctim created this revision.Oct 12 2017, 10:47 AM
Herald added a subscriber: mgorny. · View Herald TranscriptOct 12 2017, 10:47 AM
Harbormaster completed remote builds in B11100: Diff 118808.Oct 12 2017, 10:47 AM
hctim updated this revision to Diff 118810.Oct 12 2017, 10:52 AM
  • Null-terminated the string (oops).
hctim updated this revision to Diff 118811.Oct 12 2017, 10:53 AM
  • Fixed line length
Harbormaster completed remote builds in B11103: Diff 118811.Oct 12 2017, 10:53 AM
kcc added a comment.Oct 12 2017, 11:01 AM

Code LG, wait for Matt with cmake.

tools/llvm-demangle-fuzzer/llvm-demangle-fuzzer.cpp
19 ↗(On Diff #118811)

style nit: llvm prefers this style:
if (char *demangle = foo())

free(demangle);
morehouse edited edge metadata.Oct 12 2017, 11:15 AM

To add this to OSS-Fuzz, you will need to link with LIB_FUZZING_ENGINE.

bogner added a subscriber: bogner.Oct 12 2017, 11:18 AM

This is pretty straightforward, but if you'd like to add a test for it you can do so by implementing a main function that doesn't link to libfuzzer. It would probably just be something like this:

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
int main(int argc, char *argv[]) {
  return llvm::runFuzzerOnInputs(argc, argv, LLVMFuzzerTestOneInput);
}

Then you'd add the file you added as a DUMMY_MAIN argument to add_llvm_fuzzer. See llvm-isel-fuzzer for details.

bogner added a comment.Oct 12 2017, 11:19 AM

Also, please add a description of this fuzzer to docs/FuzzingLLVM.rst

hctim updated this revision to Diff 118814.Oct 12 2017, 11:23 AM
  • kcc's comments
hctim marked an inline comment as done.Oct 12 2017, 11:28 AM
morehouse added a comment.EditedOct 12 2017, 11:49 AM
In D38855#896105, @morehouse wrote:

To add this to OSS-Fuzz, you will need to link with LIB_FUZZING_ENGINE.

Actually, I'm working on a change to AddLLVM.cmake that should do this automatically. So don't worry about it.

hctim updated this revision to Diff 118832.Oct 12 2017, 1:10 PM
  • Fuzzer updates with dummy main.
  • Added main() for dummy target.
  • Remove LIB_FUZZING_ENGINE target (morehouse@)
  • Added to fuzzer doc.
hctim added a comment.Oct 12 2017, 1:11 PM

Note, I've already found some bugs running this locally, but would love to get it up and running in oss-fuzz.

SUMMARY: AddressSanitizer: stack-overflow /usr/local/google/home/mitchp/llvm-src/git/lib/Demangle/ItaniumDemangle.cpp:1654 in _ZL10parse_typeIN12_GLOBAL__N_12DbEEPKcS3_S3_RT_
==151934==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
artifact_prefix='./'; Test unit written to ./crash-c935b5dded9a3c7373cdf899be10c03897c7c2c7

Test:

crash-c935b5dded9a3c7373cdf899be10c03897c7c2c72 KBDownload

bogner accepted this revision.Oct 12 2017, 5:00 PM

LGTM

This revision is now accepted and ready to land.Oct 12 2017, 5:00 PM
Closed by commit rL315716: [llvm-demangle-fuzzer] Add a fuzz target for ItaniumDemangler. (authored by morehouse). · Explain WhyOct 13 2017, 10:35 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
docs/
7 lines
tools/
llvm-demangle-fuzzer/
8 lines
19 lines
24 lines

Diff 118941

llvm/trunk/docs/FuzzingLLVM.rst

Show First 20 LinesShow All 62 Lines▼ Show 20 Lines
--------------------- ---------------------
A |generic fuzzer| that interprets inputs as object files and runs A |generic fuzzer| that interprets inputs as object files and runs
:doc:`llvm-dwarfdump <CommandGuide/llvm-dwarfdump>` on them. Some of the bugs :doc:`llvm-dwarfdump <CommandGuide/llvm-dwarfdump>` on them. Some of the bugs
this fuzzer has reported are `on OSS Fuzz's tracker`__ this fuzzer has reported are `on OSS Fuzz's tracker`__
__ https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm+llvm-dwarfdump-fuzzer __ https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm+llvm-dwarfdump-fuzzer
llvm-demangle-fuzzer
---------------------
A |generic fuzzer| for the Itanium demangler used in various LLVM tools. We've
fuzzed __cxa_demangle to death, why not fuzz LLVM's implementation of the same
function!
llvm-isel-fuzzer llvm-isel-fuzzer
---------------- ----------------
A |LLVM IR fuzzer| aimed at finding bugs in instruction selection. A |LLVM IR fuzzer| aimed at finding bugs in instruction selection.
This fuzzer accepts flags after `ignore_remaining_args=1`. The flags match This fuzzer accepts flags after `ignore_remaining_args=1`. The flags match
those of :doc:`llc <CommandGuide/llc>` and the triple is required. For example, those of :doc:`llc <CommandGuide/llc>` and the triple is required. For example,
the following command would fuzz AArch64 with :doc:`GlobalISel`: the following command would fuzz AArch64 with :doc:`GlobalISel`:
▲ Show 20 LinesShow All 167 LinesShow Last 20 Lines

llvm/trunk/tools/llvm-demangle-fuzzer/CMakeLists.txt

set(LLVM_LINK_COMPONENTS
Demangle
FuzzMutate
)
add_llvm_fuzzer(llvm-demangle-fuzzer
llvm-demangle-fuzzer.cpp
DUMMY_MAIN DummyDemanglerFuzzer.cpp)

llvm/trunk/tools/llvm-demangle-fuzzer/DummyDemanglerFuzzer.cpp

//===--- DummyDemanglerMain.cpp - Entry point to sanity check the fuzzer --===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// Implementation of main so we can build and test without linking libFuzzer.
//
//===----------------------------------------------------------------------===//
#include "llvm/FuzzMutate/FuzzerCLI.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
int main(int argc, char *argv[]) {
return llvm::runFuzzerOnInputs(argc, argv, LLVMFuzzerTestOneInput);
}

llvm/trunk/tools/llvm-demangle-fuzzer/llvm-demangle-fuzzer.cpp

//===--- llvm-demangle-fuzzer.cpp - Fuzzer for the Itanium Demangler ------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "llvm/Demangle/Demangle.h"
#include <cstdint>
#include <cstdlib>
#include <string>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
std::string NullTerminatedString((const char *)Data, Size);
int status = 0;
if (char *demangle = llvm::itaniumDemangle(NullTerminatedString.c_str(), nullptr,
nullptr, &status))
free(demangle);
return 0;
}