Index: tools/clang-fuzzer/CMakeLists.txt =================================================================== --- tools/clang-fuzzer/CMakeLists.txt +++ tools/clang-fuzzer/CMakeLists.txt @@ -14,6 +14,7 @@ ClangFuzzer.cpp DummyClangFuzzer.cpp ExampleClangProtoFuzzer.cpp + FuzzerInitialize.cpp ) if(CLANG_ENABLE_PROTO_FUZZER) @@ -44,6 +45,7 @@ add_clang_executable(clang-proto-fuzzer ${DUMMY_MAIN} ExampleClangProtoFuzzer.cpp + FuzzerInitialize.cpp ) target_link_libraries(clang-proto-fuzzer Index: tools/clang-fuzzer/ExampleClangProtoFuzzer.cpp =================================================================== --- tools/clang-fuzzer/ExampleClangProtoFuzzer.cpp +++ tools/clang-fuzzer/ExampleClangProtoFuzzer.cpp @@ -18,27 +18,14 @@ #include "handle-cxx/handle_cxx.h" #include "proto-to-cxx/proto_to_cxx.h" +#include "FuzzerInitialize.h" #include "src/libfuzzer/libfuzzer_macro.h" #include using namespace clang_fuzzer; -static std::vector CLArgs; - -extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { - CLArgs.push_back("-O2"); - for (int I = 1; I < *argc; I++) { - if (strcmp((*argv)[I], "-ignore_remaining_args=1") == 0) { - for (I++; I < *argc; I++) - CLArgs.push_back((*argv)[I]); - break; - } - } - return 0; -} - DEFINE_BINARY_PROTO_FUZZER(const Function& input) { auto S = FunctionToString(input); - HandleCXX(S, CLArgs); + HandleCXX(S, GetCLArgs()); } Index: tools/clang-fuzzer/FuzzerInitialize.h =================================================================== --- /dev/null +++ tools/clang-fuzzer/FuzzerInitialize.h @@ -0,0 +1,11 @@ +#include "handle-cxx/handle_cxx.h" +#include "proto-to-cxx/proto_to_cxx.h" + +#include "src/libfuzzer/libfuzzer_macro.h" + +#include + +namespace clang_fuzzer { +const std::vector& GetCLArgs(); +} + Index: tools/clang-fuzzer/FuzzerInitialize.cpp =================================================================== --- tools/clang-fuzzer/FuzzerInitialize.cpp +++ tools/clang-fuzzer/FuzzerInitialize.cpp @@ -1,4 +1,4 @@ -//===-- ExampleClangProtoFuzzer.cpp - Fuzz Clang --------------------------===// +//===-- FuzzerInitialize.cpp - Fuzz Clang ---------------------------------===// // // The LLVM Compiler Infrastructure // @@ -15,17 +15,22 @@ //===----------------------------------------------------------------------===// #include "cxx_proto.pb.h" -#include "handle-cxx/handle_cxx.h" -#include "proto-to-cxx/proto_to_cxx.h" -#include "src/libfuzzer/libfuzzer_macro.h" - -#include +#include "FuzzerInitialize.h" using namespace clang_fuzzer; + +namespace clang_fuzzer { + static std::vector CLArgs; +const std::vector& GetCLArgs() { + return CLArgs; +} + +} + extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { CLArgs.push_back("-O2"); for (int I = 1; I < *argc; I++) { @@ -38,7 +43,3 @@ return 0; } -DEFINE_BINARY_PROTO_FUZZER(const Function& input) { - auto S = FunctionToString(input); - HandleCXX(S, CLArgs); -} Index: tools/clang-fuzzer/experimental/ExampleClangLoopProtoFuzzer.cpp =================================================================== --- tools/clang-fuzzer/experimental/ExampleClangLoopProtoFuzzer.cpp +++ tools/clang-fuzzer/experimental/ExampleClangLoopProtoFuzzer.cpp @@ -14,9 +14,12 @@ /// //===----------------------------------------------------------------------===// -#include "cxx_proto.pb.h" +// This is a copy and will be updated later to introduce changes + +#include "cxx_loop_proto.pb.h" #include "handle-cxx/handle_cxx.h" -#include "proto-to-cxx/proto_to_cxx.h" + +#include "FuzzerInitialize.h" #include "src/libfuzzer/libfuzzer_macro.h" @@ -24,20 +27,6 @@ using namespace clang_fuzzer; -static std::vector CLArgs; - -extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { - CLArgs.push_back("-O2"); - for (int I = 1; I < *argc; I++) { - if (strcmp((*argv)[I], "-ignore_remaining_args=1") == 0) { - for (I++; I < *argc; I++) - CLArgs.push_back((*argv)[I]); - break; - } - } - return 0; -} - DEFINE_BINARY_PROTO_FUZZER(const Function& input) { auto S = FunctionToString(input); HandleCXX(S, CLArgs); Index: tools/clang-fuzzer/experimental/cxx_loop_proto.proto =================================================================== --- /dev/null +++ tools/clang-fuzzer/experimental/cxx_loop_proto.proto @@ -0,0 +1,95 @@ +//===-- cxx_proto.proto - Protobuf description of C++ ---------------------===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +/// +/// \file +/// This file describes a subset of C++ as a protobuf. It is used to +/// more easily find interesting inputs for fuzzing Clang. +/// +//===----------------------------------------------------------------------===// + +// This is a copy and will be updated later to introduce changes + +syntax = "proto2"; + +message VarRef { + required int32 varnum = 1; +} + +message Lvalue { + required VarRef varref = 1; +} + +message Const { + required int32 val = 1; +} + +message BinaryOp { + enum Op { + PLUS = 0; + MINUS = 1; + MUL = 2; + DIV = 3; + MOD = 4; + XOR = 5; + AND = 6; + OR = 7; + EQ = 8; + NE = 9; + LE = 10; + GE = 11; + LT = 12; + GT = 13; + }; + required Op op = 1; + required Rvalue left = 2; + required Rvalue right = 3; +} + +message Rvalue { + oneof rvalue_oneof { + VarRef varref = 1; + Const cons = 2; + BinaryOp binop = 3; + } +} + +message AssignmentStatement { + required Lvalue lvalue = 1; + required Rvalue rvalue = 2; +} + + +message IfElse { + required Rvalue cond = 1; + required StatementSeq if_body = 2; + required StatementSeq else_body = 3; +} + +message While { + required Rvalue cond = 1; + required StatementSeq body = 2; +} + +message Statement { + oneof stmt_oneof { + AssignmentStatement assignment = 1; + IfElse ifelse = 2; + While while_loop = 3; + } +} + +message StatementSeq { + repeated Statement statements = 1; +} + +message Function { + required StatementSeq statements = 1; +} + +package clang_fuzzer; Index: tools/clang-fuzzer/proto-to-cxx/experimental/loop_proto_to_cxx.h =================================================================== --- /dev/null +++ tools/clang-fuzzer/proto-to-cxx/experimental/loop_proto_to_cxx.h @@ -0,0 +1,24 @@ +//==-- proto_to_cxx.h - Protobuf-C++ conversion ----------------------------==// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// +// Defines functions for converting between protobufs and C++. +// +//===----------------------------------------------------------------------===// + +// This is a copy and will be updated later to introduce changes + +#include +#include +#include + +namespace clang_fuzzer { +class Function; +std::string FunctionToString(const Function &input); +std::string ProtoToCxx(const uint8_t *data, size_t size); +} Index: tools/clang-fuzzer/proto-to-cxx/experimental/loop_proto_to_cxx.cpp =================================================================== --- /dev/null +++ tools/clang-fuzzer/proto-to-cxx/experimental/loop_proto_to_cxx.cpp @@ -0,0 +1,115 @@ +//==-- proto_to_cxx.cpp - Protobuf-C++ conversion --------------------------==// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// +// Implements functions for converting between protobufs and C++. +// +//===----------------------------------------------------------------------===// + +// This is a copy and will be updated later to introduce changes + +#include "loop_proto_to_cxx.h" +#include "cxx_loop_proto.pb.h" + +// The following is needed to convert protos in human-readable form +#include + + +#include +#include + +namespace clang_fuzzer { + +// Forward decls. +std::ostream &operator<<(std::ostream &os, const BinaryOp &x); +std::ostream &operator<<(std::ostream &os, const StatementSeq &x); + +// Proto to C++. +std::ostream &operator<<(std::ostream &os, const Const &x) { + return os << "(" << x.val() << ")"; +} +std::ostream &operator<<(std::ostream &os, const VarRef &x) { + return os << "a[" << (static_cast(x.varnum()) % 100) << "]"; +} +std::ostream &operator<<(std::ostream &os, const Lvalue &x) { + return os << x.varref(); +} +std::ostream &operator<<(std::ostream &os, const Rvalue &x) { + if (x.has_varref()) return os << x.varref(); + if (x.has_cons()) return os << x.cons(); + if (x.has_binop()) return os << x.binop(); + return os << "1"; +} +std::ostream &operator<<(std::ostream &os, const BinaryOp &x) { + os << "(" << x.left(); + switch (x.op()) { + case BinaryOp::PLUS: os << "+"; break; + case BinaryOp::MINUS: os << "-"; break; + case BinaryOp::MUL: os << "*"; break; + case BinaryOp::DIV: os << "/"; break; + case BinaryOp::MOD: os << "%"; break; + case BinaryOp::XOR: os << "^"; break; + case BinaryOp::AND: os << "&"; break; + case BinaryOp::OR: os << "|"; break; + case BinaryOp::EQ: os << "=="; break; + case BinaryOp::NE: os << "!="; break; + case BinaryOp::LE: os << "<="; break; + case BinaryOp::GE: os << ">="; break; + case BinaryOp::LT: os << "<"; break; + case BinaryOp::GT: os << ">"; break; + } + return os << x.right() << ")"; +} +std::ostream &operator<<(std::ostream &os, const AssignmentStatement &x) { + return os << x.lvalue() << "=" << x.rvalue() << ";\n"; +} +std::ostream &operator<<(std::ostream &os, const IfElse &x) { + return os << "if (" << x.cond() << "){\n" + << x.if_body() << "} else { \n" + << x.else_body() << "}\n"; +} +std::ostream &operator<<(std::ostream &os, const While &x) { + return os << "while (" << x.cond() << "){\n" << x.body() << "}\n"; +} +std::ostream &operator<<(std::ostream &os, const Statement &x) { + if (x.has_assignment()) return os << x.assignment(); + if (x.has_ifelse()) return os << x.ifelse(); + if (x.has_while_loop()) return os << x.while_loop(); + return os << "(void)0;\n"; +} +std::ostream &operator<<(std::ostream &os, const StatementSeq &x) { + for (auto &st : x.statements()) os << st; + return os; +} +std::ostream &operator<<(std::ostream &os, const Function &x) { + return os << "void foo(int *a) {\n" << x.statements() << "}\n"; +} + +// --------------------------------- + +std::string FunctionToString(const Function &input) { + std::ostringstream os; + os << input; + return os.str(); + +} +std::string ProtoToCxx(const uint8_t *data, size_t size) { + Function message; + if (!message.ParsePartialFromArray(data, size)) + return "#error invalid proto, may not be binary encoded\n"; + return FunctionToString(message); +} +/* +std::string ProtoStringToCxx(const std::string& data) { + Function message; + if (!google::protobuf::TextFormat::ParseFromString(data, &message)) + return "#error invalid proto, may not be string encoded\n"; + return FunctionToString(message); +} +*/ +} // namespace clang_fuzzer Index: tools/clang-fuzzer/proto-to-cxx/experimental/loop_proto_to_cxx_main.cpp =================================================================== --- /dev/null +++ tools/clang-fuzzer/proto-to-cxx/experimental/loop_proto_to_cxx_main.cpp @@ -0,0 +1,34 @@ +//==-- proto_to_cxx_main.cpp - Driver for protobuf-C++ conversion ----------==// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// +// Implements a simple driver to print a C++ program from a protobuf. +// +//===----------------------------------------------------------------------===// + +// This is a copy and will be updated later to introduce changes + +#include +#include +#include +#include + +#include "loop_proto_to_cxx.h" + +int main(int argc, char **argv) { + for (int i = 1; i < argc; i++) { + std::fstream in(argv[i]); + std::string str((std::istreambuf_iterator(in)), + std::istreambuf_iterator()); + std::cout << "// " << argv[i] << std::endl; + std::cout << clang_fuzzer::ProtoToCxx( + reinterpret_cast(str.data()), str.size()); + // std::cout << clang_fuzzer::ProtoStringToCxx(str); + } +} +