This is an archive of the discontinued LLVM Phabricator instance.

Differential D40974

[libFuzzer] Add support for Fuchsia OS
ClosedPublic

Authored by aarongreen on Dec 7 2017, 11:09 AM.

Details

Reviewers
kcc
morehouse
flowerhack
phosek
Commits
rGffb1132e52f1: [libFuzzer] Add support for Fuchsia OS.
rL320210: [libFuzzer] Add support for Fuchsia OS.
rCRT320210: [libFuzzer] Add support for Fuchsia OS.
Summary

This patch adds the initial support for Fuchsia.

Summary of changes:

  • LIBFUZZER_FUCHSIA is added as an OS type in FuzzerDefs.h
  • Fuchsia is, by design, not POSIX compliant. However, it does use ELF and supports common POSIX I/O functions. Thus, FuzzerExtFunctions.h and FuzzerIO.h are implemented by extending the header guards in FuzzerExtFunctionsWeak.cpp and FuzzerIOPosix.cpp to include LIBFUZZER_FUCHSIA.
  • The platform-specific portions of FuzzerUtil.h are implemented by FuzzerUtilFuchsia.cpp, which makes use of exception ports, syscalls, and the launchpad library.
  • The experimental equivalence server is not currently supported, so FuzzerShmem.h is implemented by stub methods in FuzzerShmemFuchsia.cpp. Any future implementation will likely involve VMOs.

Tested with ASAN/SanCov on Fuchsia/x86-64 with the canonical toy fuzzer.

Diff Detail

Event Timeline

aarongreen created this revision.Dec 7 2017, 11:09 AM
aarongreen edited the summary of this revision. (Show Details)
kcc edited edge metadata.Dec 7 2017, 11:15 AM

Common code LGTM

Please get the review for FuzzerUtilFuchsia.cpp and I'll land it.

Will you need a change in CMakeLists.txt FuzzerUtilFuchsia.cpp?
Or you are using a different build?

lib/fuzzer/FuzzerShmemFuchsia.cpp
11

Totally fine.
The equivalence server functionality haven't been used by anyone (AFAICT), so it's a candidate for deletion.

lib/fuzzer/FuzzerUtilFuchsia.cpp
2

Please have this file reviewed on your side. (flowerhack?)

Eugene.Zelenko added a subscriber: Eugene.Zelenko.Dec 7 2017, 1:49 PM
Eugene.Zelenko added inline comments.
lib/fuzzer/FuzzerShmemFuchsia.cpp
13

Please separate with empty line.

lib/fuzzer/FuzzerUtilFuchsia.cpp
12

Please separate with empty line.

16

cerrno? See Clang-tidy modernize-deprecated-headers.

19

cinttypes? See Clang-tidy modernize-deprecated-headers.

aarongreen updated this revision to Diff 126045.Dec 7 2017, 2:21 PM
aarongreen marked 5 inline comments as done.

Add cmake hooks.
Addressed formatting comments.

Herald added subscribers: mgorny, srhines. · View Herald TranscriptDec 7 2017, 2:21 PM
aarongreen added a reviewer: phosek.Dec 7 2017, 2:22 PM
phosek edited edge metadata.Dec 7 2017, 11:52 PM

LGTM % a few nits

lib/fuzzer/FuzzerIOPosix.cpp
12

This is probably fine for now but eventually we'll probably need FuzzerIOFuchsia.cpp since some of the things in this file doesn't make sense on Fuchsia, e.g. IsInterestingCoverageFile.

lib/fuzzer/FuzzerUtilFuchsia.cpp
53

nit: you can probably just do while (getchar() != 0x03);.

161

You should probably do this above on line 153.

aarongreen updated this revision to Diff 126169.Dec 8 2017, 9:32 AM
aarongreen marked 2 inline comments as done.

Address phosek's comments.

kcc accepted this revision.Dec 8 2017, 1:46 PM

Matt, please land.

This revision is now accepted and ready to land.Dec 8 2017, 1:46 PM
Closed by commit rCRT320210: [libFuzzer] Add support for Fuchsia OS. (authored by morehouse). · Explain WhyDec 8 2017, 2:55 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

Diff 126216

lib/fuzzer/CMakeLists.txt

Show All 12 Linesset(LIBFUZZER_SOURCES
FuzzerMerge.cpp FuzzerMerge.cpp
FuzzerMutate.cpp FuzzerMutate.cpp
FuzzerSHA1.cpp FuzzerSHA1.cpp
FuzzerShmemPosix.cpp FuzzerShmemPosix.cpp
FuzzerShmemWindows.cpp FuzzerShmemWindows.cpp
FuzzerTracePC.cpp FuzzerTracePC.cpp
FuzzerUtil.cpp FuzzerUtil.cpp
FuzzerUtilDarwin.cpp FuzzerUtilDarwin.cpp
FuzzerUtilFuchsia.cpp
FuzzerUtilLinux.cpp FuzzerUtilLinux.cpp
FuzzerUtilPosix.cpp FuzzerUtilPosix.cpp
FuzzerUtilWindows.cpp FuzzerUtilWindows.cpp
) )
CHECK_CXX_SOURCE_COMPILES(" CHECK_CXX_SOURCE_COMPILES("
static thread_local int blah; static thread_local int blah;
int main() { int main() {
▲ Show 20 LinesShow All 51 LinesShow Last 20 Lines

lib/fuzzer/FuzzerDefs.h

Show All 18 Lines
#include <string> #include <string>
#include <vector> #include <vector>
#include <set> #include <set>
#include <memory> #include <memory>
// Platform detection. // Platform detection.
#ifdef __linux__ #ifdef __linux__
#define LIBFUZZER_APPLE 0 #define LIBFUZZER_APPLE 0
#define LIBFUZZER_FUCHSIA 0
#define LIBFUZZER_LINUX 1 #define LIBFUZZER_LINUX 1
#define LIBFUZZER_NETBSD 0 #define LIBFUZZER_NETBSD 0
#define LIBFUZZER_WINDOWS 0 #define LIBFUZZER_WINDOWS 0
#elif __APPLE__ #elif __APPLE__
#define LIBFUZZER_APPLE 1 #define LIBFUZZER_APPLE 1
#define LIBFUZZER_FUCHSIA 0
#define LIBFUZZER_LINUX 0 #define LIBFUZZER_LINUX 0
#define LIBFUZZER_NETBSD 0 #define LIBFUZZER_NETBSD 0
#define LIBFUZZER_WINDOWS 0 #define LIBFUZZER_WINDOWS 0
#elif __NetBSD__ #elif __NetBSD__
#define LIBFUZZER_APPLE 0 #define LIBFUZZER_APPLE 0
#define LIBFUZZER_FUCHSIA 0
#define LIBFUZZER_LINUX 0 #define LIBFUZZER_LINUX 0
#define LIBFUZZER_NETBSD 1 #define LIBFUZZER_NETBSD 1
#define LIBFUZZER_WINDOWS 0 #define LIBFUZZER_WINDOWS 0
#elif _WIN32 #elif _WIN32
#define LIBFUZZER_APPLE 0 #define LIBFUZZER_APPLE 0
#define LIBFUZZER_FUCHSIA 0
#define LIBFUZZER_LINUX 0 #define LIBFUZZER_LINUX 0
#define LIBFUZZER_NETBSD 0 #define LIBFUZZER_NETBSD 0
#define LIBFUZZER_WINDOWS 1 #define LIBFUZZER_WINDOWS 1
#elif __Fuchsia__
#define LIBFUZZER_APPLE 0
#define LIBFUZZER_FUCHSIA 1
#define LIBFUZZER_LINUX 0
#define LIBFUZZER_NETBSD 0
#define LIBFUZZER_WINDOWS 0
#else #else
#error "Support for your platform has not been implemented" #error "Support for your platform has not been implemented"
#endif #endif
#ifndef __has_attribute #ifndef __has_attribute
# define __has_attribute(x) 0 # define __has_attribute(x) 0
#endif #endif
▲ Show 20 LinesShow All 105 LinesShow Last 20 Lines

lib/fuzzer/FuzzerExtFunctionsWeak.cpp

//===- FuzzerExtFunctionsWeak.cpp - Interface to external functions -------===// //===- FuzzerExtFunctionsWeak.cpp - Interface to external functions -------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Implementation for Linux. This relies on the linker's support for weak // Implementation for Linux. This relies on the linker's support for weak
// symbols. We don't use this approach on Apple platforms because it requires // symbols. We don't use this approach on Apple platforms because it requires
// clients of LibFuzzer to pass ``-U _<symbol_name>`` to the linker to allow // clients of LibFuzzer to pass ``-U _<symbol_name>`` to the linker to allow
// weak symbols to be undefined. That is a complication we don't want to expose // weak symbols to be undefined. That is a complication we don't want to expose
// to clients right now. // to clients right now.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "FuzzerDefs.h" #include "FuzzerDefs.h"
#if LIBFUZZER_LINUX || LIBFUZZER_NETBSD #if LIBFUZZER_LINUX || LIBFUZZER_NETBSD || LIBFUZZER_FUCHSIA
#include "FuzzerExtFunctions.h" #include "FuzzerExtFunctions.h"
#include "FuzzerIO.h" #include "FuzzerIO.h"
extern "C" { extern "C" {
// Declare these symbols as weak to allow them to be optionally defined. // Declare these symbols as weak to allow them to be optionally defined.
#define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \ #define EXT_FUNC(NAME, RETURN_TYPE, FUNC_SIG, WARN) \
__attribute__((weak)) RETURN_TYPE NAME FUNC_SIG __attribute__((weak)) RETURN_TYPE NAME FUNC_SIG
Show All 30 Lines

lib/fuzzer/FuzzerIOPosix.cpp

//===- FuzzerIOPosix.cpp - IO utils for Posix. ----------------------------===// //===- FuzzerIOPosix.cpp - IO utils for Posix. ----------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// IO functions implementation using Posix API. // IO functions implementation using Posix API.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "FuzzerDefs.h" #include "FuzzerDefs.h"
#if LIBFUZZER_POSIX #if LIBFUZZER_POSIX || LIBFUZZER_FUCHSIA
phosekUnsubmitted
Not Done
ReplyInline Actions

This is probably fine for now but eventually we'll probably need FuzzerIOFuchsia.cpp since some of the things in this file doesn't make sense on Fuchsia, e.g. IsInterestingCoverageFile.

phosek: This is probably fine for now but eventually we'll probably need `FuzzerIOFuchsia.cpp` since…
#include "FuzzerExtFunctions.h" #include "FuzzerExtFunctions.h"
#include "FuzzerIO.h" #include "FuzzerIO.h"
#include <cstdarg> #include <cstdarg>
#include <cstdio> #include <cstdio>
#include <dirent.h> #include <dirent.h>
#include <fstream> #include <fstream>
#include <iterator> #include <iterator>
▲ Show 20 LinesShow All 120 LinesShow Last 20 Lines

lib/fuzzer/FuzzerShmemFuchsia.cpp

//===- FuzzerShmemPosix.cpp - Posix shared memory ---------------*- C++ -* ===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
// SharedMemoryRegion. For Fuchsia, this is just stubs as equivalence servers
// are not currently supported.
//===----------------------------------------------------------------------===//
kccUnsubmitted
Done
ReplyInline Actions

Totally fine.
The equivalence server functionality haven't been used by anyone (AFAICT), so it's a candidate for deletion.

kcc: Totally fine. The equivalence server functionality haven't been used by anyone (AFAICT), so…
#include "FuzzerDefs.h"
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

Please separate with empty line.

Eugene.Zelenko: Please separate with empty line.
#if LIBFUZZER_FUCHSIA
#include "FuzzerShmem.h"
namespace fuzzer {
bool SharedMemoryRegion::Create(const char *Name) {
return false;
}
bool SharedMemoryRegion::Open(const char *Name) {
return false;
}
bool SharedMemoryRegion::Destroy(const char *Name) {
return false;
}
void SharedMemoryRegion::Post(int Idx) {}
void SharedMemoryRegion::Wait(int Idx) {}
} // namespace fuzzer
#endif // LIBFUZZER_FUCHSIA

lib/fuzzer/FuzzerUtilFuchsia.cpp

//===- FuzzerUtilFuchsia.cpp - Misc utils for Fuchsia. --------------------===//
//
kccUnsubmitted
Not Done
ReplyInline Actions

Please have this file reviewed on your side. (flowerhack?)

kcc: Please have this file reviewed on your side. (flowerhack?)
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
// Misc utils implementation using Fuchsia/Zircon APIs.
//===----------------------------------------------------------------------===//
#include "FuzzerDefs.h"
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

Please separate with empty line.

Eugene.Zelenko: Please separate with empty line.
#if LIBFUZZER_FUCHSIA
#include "FuzzerInternal.h"
#include "FuzzerUtil.h"
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

cerrno? See Clang-tidy modernize-deprecated-headers.

Eugene.Zelenko: cerrno? See [[ http://clang.llvm.org/extra/clang-tidy/checks/modernize-deprecated-headers.html…
#include <cerrno>
#include <cinttypes>
#include <cstdint>
Eugene.ZelenkoUnsubmitted
Done
ReplyInline Actions

cinttypes? See Clang-tidy modernize-deprecated-headers.

Eugene.Zelenko: cinttypes? See [[ http://clang.llvm.org/extra/clang-tidy/checks/modernize-deprecated-headers.
#include <fbl/unique_fd.h>
#include <fcntl.h>
#include <launchpad/launchpad.h>
#include <string>
#include <thread>
#include <zircon/errors.h>
#include <zircon/status.h>
#include <zircon/syscalls.h>
#include <zircon/syscalls/port.h>
#include <zircon/types.h>
#include <zx/object.h>
#include <zx/port.h>
#include <zx/process.h>
#include <zx/time.h>
namespace fuzzer {
namespace {
// A magic value for the Zircon exception port, chosen to spell 'FUZZING'
// when interpreted as a byte sequence on little-endian platforms.
const uint64_t kFuzzingCrash = 0x474e495a5a5546;
void AlarmHandler(int Seconds) {
while (true) {
SleepSeconds(Seconds);
Fuzzer::StaticAlarmCallback();
}
}
void InterruptHandler() {
// Ctrl-C sends ETX in Zircon.
while (getchar() != 0x03);
Fuzzer::StaticInterruptCallback();
phosekUnsubmitted
Done
ReplyInline Actions

nit: you can probably just do while (getchar() != 0x03);.

phosek: nit: you can probably just do `while (getchar() != 0x03);`.
}
void CrashHandler(zx::port *Port) {
std::unique_ptr<zx::port> ExceptionPort(Port);
zx_port_packet_t Packet;
ExceptionPort->wait(ZX_TIME_INFINITE, &Packet, 0);
// Unbind as soon as possible so we don't receive exceptions from this thread.
if (zx_task_bind_exception_port(ZX_HANDLE_INVALID, ZX_HANDLE_INVALID,
kFuzzingCrash, 0) != ZX_OK) {
// Shouldn't happen; if it does the safest option is to just exit.
Printf("libFuzzer: unable to unbind exception port; aborting!\n");
exit(1);
}
if (Packet.key != kFuzzingCrash) {
Printf("libFuzzer: invalid crash key: %" PRIx64 "; aborting!\n",
Packet.key);
exit(1);
}
// CrashCallback should not return from this call
Fuzzer::StaticCrashSignalCallback();
}
} // namespace
// Platform specific functions.
void SetSignalHandler(const FuzzingOptions &Options) {
zx_status_t rc;
// Set up alarm handler if needed.
if (Options.UnitTimeoutSec > 0) {
std::thread T(AlarmHandler, Options.UnitTimeoutSec / 2 + 1);
T.detach();
}
// Set up interrupt handler if needed.
if (Options.HandleInt || Options.HandleTerm) {
std::thread T(InterruptHandler);
T.detach();
}
// Early exit if no crash handler needed.
if (!Options.HandleSegv && !Options.HandleBus && !Options.HandleIll &&
!Options.HandleFpe && !Options.HandleAbrt)
return;
// Create an exception port
zx::port *ExceptionPort = new zx::port();
if ((rc = zx::port::create(0, ExceptionPort)) != ZX_OK) {
Printf("libFuzzer: zx_port_create failed: %s\n", zx_status_get_string(rc));
exit(1);
}
// Bind the port to receive exceptions from our process
if ((rc = zx_task_bind_exception_port(zx_process_self(), ExceptionPort->get(),
kFuzzingCrash, 0)) != ZX_OK) {
Printf("libFuzzer: unable to bind exception port: %s\n",
zx_status_get_string(rc));
exit(1);
}
// Set up the crash handler.
std::thread T(CrashHandler, ExceptionPort);
T.detach();
}
void SleepSeconds(int Seconds) {
zx::nanosleep(zx::deadline_after(ZX_SEC(Seconds)));
}
unsigned long GetPid() {
zx_status_t rc;
zx_info_handle_basic_t Info;
if ((rc = zx_object_get_info(zx_process_self(), ZX_INFO_HANDLE_BASIC, &Info,
sizeof(Info), NULL, NULL)) != ZX_OK) {
Printf("libFuzzer: unable to get info about self: %s\n",
zx_status_get_string(rc));
exit(1);
}
return Info.koid;
}
size_t GetPeakRSSMb() {
zx_status_t rc;
zx_info_task_stats_t Info;
if ((rc = zx_object_get_info(zx_process_self(), ZX_INFO_TASK_STATS, &Info,
sizeof(Info), NULL, NULL)) != ZX_OK) {
Printf("libFuzzer: unable to get info about self: %s\n",
zx_status_get_string(rc));
exit(1);
}
return (Info.mem_private_bytes + Info.mem_shared_bytes) >> 20;
}
int ExecuteCommand(const Command &Cmd) {
zx_status_t rc;
// Convert arguments to C array
auto Args = Cmd.getArguments();
size_t Argc = Args.size();
assert(Argc != 0);
std::unique_ptr<const char *[]> Argv(new const char *[Argc]);
for (size_t i = 0; i < Argc; ++i)
Argv[i] = Args[i].c_str();
// Create the basic launchpad. Clone everything except stdio.
launchpad_t *lp;
launchpad_create(ZX_HANDLE_INVALID, Argv[0], &lp);
launchpad_load_from_file(lp, Argv[0]);
phosekUnsubmitted
Done
ReplyInline Actions

You should probably do this above on line 153.

phosek: You should probably do this above on line 153.
launchpad_set_args(lp, Argc, Argv.get());
launchpad_clone(lp, LP_CLONE_ALL & (~LP_CLONE_FDIO_STDIO));
// Determine stdout
int FdOut = STDOUT_FILENO;
fbl::unique_fd OutputFile;
if (Cmd.hasOutputFile()) {
auto Filename = Cmd.getOutputFile();
OutputFile.reset(open(Filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0));
if (!OutputFile) {
Printf("libFuzzer: failed to open %s: %s\n", Filename.c_str(),
strerror(errno));
return ZX_ERR_IO;
}
FdOut = OutputFile.get();
}
// Determine stderr
int FdErr = STDERR_FILENO;
if (Cmd.isOutAndErrCombined())
FdErr = FdOut;
// Clone the file descriptors into the new process
if ((rc = launchpad_clone_fd(lp, STDIN_FILENO, STDIN_FILENO)) != ZX_OK ||
(rc = launchpad_clone_fd(lp, FdOut, STDOUT_FILENO)) != ZX_OK ||
(rc = launchpad_clone_fd(lp, FdErr, STDERR_FILENO)) != ZX_OK) {
Printf("libFuzzer: failed to clone FDIO: %s\n", zx_status_get_string(rc));
return rc;
}
// Start the process
zx_handle_t ProcessHandle = ZX_HANDLE_INVALID;
const char *ErrorMsg = nullptr;
if ((rc = launchpad_go(lp, &ProcessHandle, &ErrorMsg)) != ZX_OK) {
Printf("libFuzzer: failed to launch '%s': %s, %s\n", Argv[0], ErrorMsg,
zx_status_get_string(rc));
return rc;
}
zx::process Process(ProcessHandle);
// Now join the process and return the exit status.
if ((rc = Process.wait_one(ZX_PROCESS_TERMINATED, ZX_TIME_INFINITE,
nullptr)) != ZX_OK) {
Printf("libFuzzer: failed to join '%s': %s\n", Argv[0],
zx_status_get_string(rc));
return rc;
}
zx_info_process_t Info;
if ((rc = Process.get_info(ZX_INFO_PROCESS, &Info, sizeof(Info), nullptr,
nullptr)) != ZX_OK) {
Printf("libFuzzer: unable to get return code from '%s': %s\n", Argv[0],
zx_status_get_string(rc));
return rc;
}
return Info.return_code;
}
const void *SearchMemory(const void *Data, size_t DataLen, const void *Patt,
size_t PattLen) {
return memmem(Data, DataLen, Patt, PattLen);
}
} // namespace fuzzer
#endif // LIBFUZZER_FUCHSIA