This is an archive of the discontinued LLVM Phabricator instance.

Differential D47843

Introducing single for loop into clang_proto_fuzzer
ClosedPublic

Authored by emmettneyman on Jun 6 2018, 1:23 PM.

Details

Reviewers
kcc
vitalybuka
morehouse
Commits
rG410a6b2c632f: Introducing single for loop into clang_proto_fuzzer
rC334216: Introducing single for loop into clang_proto_fuzzer
rL334216: Introducing single for loop into clang_proto_fuzzer
Summary

Created a new protobuf and protobuf-to-C++ "converter" that wraps the entire C++ code in a single for loop.

  • Slightly changed cxx_proto.proto -> cxx_loop_proto.proto
  • Made some changes to proto_to_cxx files to handle the new kind of protobuf
  • Created ExampleClangLoopProtoFuzzer to test new protobuf and "converter"

Patch by Emmett Neyman

Diff Detail

Repository
rL LLVM

Event Timeline

emmettneyman created this revision.Jun 6 2018, 1:23 PM
Herald added subscribers: cfe-commits, mgorny. · View Herald TranscriptJun 6 2018, 1:23 PM
Harbormaster completed remote builds in B19007: Diff 150191.Jun 6 2018, 1:25 PM
emmettneyman updated this revision to Diff 150192.Jun 6 2018, 1:26 PM

Took out typo'd comment

Harbormaster completed remote builds in B19008: Diff 150192.Jun 6 2018, 1:26 PM
vitalybuka requested changes to this revision.Jun 6 2018, 1:44 PM
vitalybuka added inline comments.
tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp
23 ↗(On Diff #150192)

I guess you already committed this patch.
Could you please try rebase to upstream, e.g. "git pull -r" and re-upload the review

This revision now requires changes to proceed.Jun 6 2018, 1:44 PM
morehouse added a comment.Jun 6 2018, 1:46 PM

This contains changes from previous patch. Please rebase.

emmettneyman updated this revision to Diff 150200.Jun 6 2018, 2:35 PM

Hopefully rebased correctly.

morehouse added inline comments.Jun 6 2018, 3:32 PM
tools/clang-fuzzer/cxx_loop_proto.proto
93 ↗(On Diff #150200)

Maybe call this LoopFunction to distinguish from the other protobuf.

tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp
14 ↗(On Diff #150200)

Nit: Try not to introduce whitespace at end of lines. Depending on your configuration, this causes git to complain.

tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp
115 ↗(On Diff #150200)

Right now this file duplicates a lot of code from proto_to_cxx.cpp. But assuming this file will continue to diverge from proto_to_cxx.cpp, I'm fine with the duplication for now.

tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.h
22 ↗(On Diff #150200)

Instead of making a whole new header for this, can we simply add LoopProtoToCxx() and LoopFunctionToString() to proto_to_cxx.h? Then implement them in loop_proto_to_cxx.cpp?

emmettneyman updated this revision to Diff 150213.EditedJun 6 2018, 3:55 PM
  • Combined two header files into one
  • Also renamed protobuf to LoopFunction
Harbormaster completed remote builds in B19016: Diff 150213.Jun 6 2018, 3:55 PM
morehouse added inline comments.Jun 6 2018, 4:12 PM
tools/clang-fuzzer/CMakeLists.txt
28 ↗(On Diff #150213)

I think it makes sense to use separate SRCS and HDRS variables for cxx_loop_proto.proto. Otherwise each proto-fuzzer will be compiled with both protobufs even though each only uses one.

58 ↗(On Diff #150213)

Why is this here twice?

90 ↗(On Diff #150213)

Maybe you can cut down on some LOC here by creating a COMMON_PROTO_FUZZ_LIBRARIES variable with the dependencies that overlap between the proto-fuzzers.

tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.h
22 ↗(On Diff #150200)

Can we remove this file completely?

emmettneyman updated this revision to Diff 150365.Jun 7 2018, 11:06 AM
  • refactored cmake and deleted header file
Harbormaster completed remote builds in B19058: Diff 150365.Jun 7 2018, 11:06 AM
morehouse accepted this revision.Jun 7 2018, 11:16 AM
vitalybuka accepted this revision.Jun 7 2018, 11:59 AM
This revision is now accepted and ready to land.Jun 7 2018, 11:59 AM
vitalybuka edited the summary of this revision. (Show Details)Jun 7 2018, 12:00 PM
vitalybuka updated this revision to Diff 150380.Jun 7 2018, 12:12 PM

git clang-format -f --style=file HEAD^

vitalybuka accepted this revision.Jun 7 2018, 12:13 PM
Closed by commit rL334216: Introducing single for loop into clang_proto_fuzzer (authored by vitalybuka). · Explain WhyJun 7 2018, 12:22 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
tools/
clang-fuzzer/
34 lines
30 lines
97 lines
proto-to-cxx/
11 lines
148 lines
32 lines
4 lines

Diff 150383

cfe/trunk/tools/clang-fuzzer/CMakeLists.txt

set(LLVM_LINK_COMPONENTS ${LLVM_TARGETS_TO_BUILD} FuzzMutate) set(LLVM_LINK_COMPONENTS ${LLVM_TARGETS_TO_BUILD} FuzzMutate)
set(CXX_FLAGS_NOFUZZ ${CMAKE_CXX_FLAGS}) set(CXX_FLAGS_NOFUZZ ${CMAKE_CXX_FLAGS})
set(DUMMY_MAIN DummyClangFuzzer.cpp) set(DUMMY_MAIN DummyClangFuzzer.cpp)
if(LLVM_LIB_FUZZING_ENGINE) if(LLVM_LIB_FUZZING_ENGINE)
unset(DUMMY_MAIN) unset(DUMMY_MAIN)
elseif(LLVM_USE_SANITIZE_COVERAGE) elseif(LLVM_USE_SANITIZE_COVERAGE)
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer")
set(CXX_FLAGS_NOFUZZ "${CXX_FLAGS_NOFUZZ} -fsanitize=fuzzer-no-link") set(CXX_FLAGS_NOFUZZ "${CXX_FLAGS_NOFUZZ} -fsanitize=fuzzer-no-link")
unset(DUMMY_MAIN) unset(DUMMY_MAIN)
endif() endif()
# Needed by LLVM's CMake checks because this file defines multiple targets. # Needed by LLVM's CMake checks because this file defines multiple targets.
set(LLVM_OPTIONAL_SOURCES set(LLVM_OPTIONAL_SOURCES
ClangFuzzer.cpp ClangFuzzer.cpp
DummyClangFuzzer.cpp DummyClangFuzzer.cpp
ExampleClangProtoFuzzer.cpp ExampleClangProtoFuzzer.cpp
ExampleClangLoopProtoFuzzer.cpp
) )
if(CLANG_ENABLE_PROTO_FUZZER) if(CLANG_ENABLE_PROTO_FUZZER)
# Create protobuf .h and .cc files, and put them in a library for use by # Create protobuf .h and .cc files, and put them in a library for use by
# clang-proto-fuzzer components. # clang-proto-fuzzer components.
find_package(Protobuf REQUIRED) find_package(Protobuf REQUIRED)
add_definitions(-DGOOGLE_PROTOBUF_NO_RTTI) add_definitions(-DGOOGLE_PROTOBUF_NO_RTTI)
include_directories(${PROTOBUF_INCLUDE_DIRS}) include_directories(${PROTOBUF_INCLUDE_DIRS})
include_directories(${CMAKE_CURRENT_BINARY_DIR}) include_directories(${CMAKE_CURRENT_BINARY_DIR})
protobuf_generate_cpp(PROTO_SRCS PROTO_HDRS cxx_proto.proto) protobuf_generate_cpp(PROTO_SRCS PROTO_HDRS cxx_proto.proto)
protobuf_generate_cpp(LOOP_PROTO_SRCS LOOP_PROTO_HDRS cxx_loop_proto.proto)
set(LLVM_OPTIONAL_SOURCES ${LLVM_OPTIONAL_SOURCES} ${PROTO_SRCS}) set(LLVM_OPTIONAL_SOURCES ${LLVM_OPTIONAL_SOURCES} ${PROTO_SRCS})
add_clang_library(clangCXXProto add_clang_library(clangCXXProto
${PROTO_SRCS} ${PROTO_SRCS}
${PROTO_HDRS} ${PROTO_HDRS}
LINK_LIBS LINK_LIBS
${PROTOBUF_LIBRARIES} ${PROTOBUF_LIBRARIES}
) )
add_clang_library(clangCXXLoopProto
${LOOP_PROTO_SRCS}
${LOOP_PROTO_HDRS}
LINK_LIBS
${PROTOBUF_LIBRARIES}
)
# Build and include libprotobuf-mutator # Build and include libprotobuf-mutator
include(ProtobufMutator) include(ProtobufMutator)
include_directories(${ProtobufMutator_INCLUDE_DIRS}) include_directories(${ProtobufMutator_INCLUDE_DIRS})
# Build the protobuf->C++ translation library and driver. # Build the protobuf->C++ translation library and driver.
add_clang_subdirectory(proto-to-cxx) add_clang_subdirectory(proto-to-cxx)
# Build the fuzzer initialization library. # Build the fuzzer initialization library.
add_clang_subdirectory(fuzzer-initialize) add_clang_subdirectory(fuzzer-initialize)
# Build the protobuf fuzzer # Build the protobuf fuzzer
add_clang_executable(clang-proto-fuzzer add_clang_executable(clang-proto-fuzzer
${DUMMY_MAIN} ${DUMMY_MAIN}
ExampleClangProtoFuzzer.cpp ExampleClangProtoFuzzer.cpp
) )
target_link_libraries(clang-proto-fuzzer # Build the loop protobuf fuzzer
PRIVATE add_clang_executable(clang-loop-proto-fuzzer
${DUMMY_MAIN}
ExampleClangLoopProtoFuzzer.cpp
)
set(COMMON_PROTO_FUZZ_LIBRARIES
${ProtobufMutator_LIBRARIES} ${ProtobufMutator_LIBRARIES}
${PROTOBUF_LIBRARIES} ${PROTOBUF_LIBRARIES}
${LLVM_LIB_FUZZING_ENGINE} ${LLVM_LIB_FUZZING_ENGINE}
clangCXXProto
clangFuzzerInitialize clangFuzzerInitialize
clangHandleCXX clangHandleCXX
)
target_link_libraries(clang-proto-fuzzer
PRIVATE
${COMMON_PROTO_FUZZ_LIBRARIES}
clangCXXProto
clangProtoToCXX clangProtoToCXX
) )
target_link_libraries(clang-loop-proto-fuzzer
PRIVATE
${COMMON_PROTO_FUZZ_LIBRARIES}
clangCXXLoopProto
clangLoopProtoToCXX
)
endif() endif()
add_clang_subdirectory(handle-cxx) add_clang_subdirectory(handle-cxx)
add_clang_executable(clang-fuzzer add_clang_executable(clang-fuzzer
EXCLUDE_FROM_ALL EXCLUDE_FROM_ALL
${DUMMY_MAIN} ${DUMMY_MAIN}
ClangFuzzer.cpp ClangFuzzer.cpp
) )
target_link_libraries(clang-fuzzer target_link_libraries(clang-fuzzer
PRIVATE PRIVATE
${LLVM_LIB_FUZZING_ENGINE} ${LLVM_LIB_FUZZING_ENGINE}
clangHandleCXX clangHandleCXX
) )

cfe/trunk/tools/clang-fuzzer/ExampleClangLoopProtoFuzzer.cpp

//===-- ExampleClangLoopProtoFuzzer.cpp - Fuzz Clang ----------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// \file
/// This file implements a function that runs Clang on a single
/// input and uses libprotobuf-mutator to find new inputs. This function is
/// then linked into the Fuzzer library. This file differs from
/// ExampleClangProtoFuzzer in that it uses the new protobuf that includes
/// C++ code with a single for loop.
///
//===----------------------------------------------------------------------===//
#include "cxx_loop_proto.pb.h"
#include "fuzzer-initialize/fuzzer_initialize.h"
#include "handle-cxx/handle_cxx.h"
#include "proto-to-cxx/proto_to_cxx.h"
#include "src/libfuzzer/libfuzzer_macro.h"
using namespace clang_fuzzer;
DEFINE_BINARY_PROTO_FUZZER(const LoopFunction &input) {
auto S = LoopFunctionToString(input);
HandleCXX(S, GetCLArgs());
}

cfe/trunk/tools/clang-fuzzer/cxx_loop_proto.proto

//===-- cxx_loop_proto.proto - Protobuf description of C++ with for loops -===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// \file
/// This file describes a subset of C++ as a protobuf. It is used to
/// more easily find interesting inputs for fuzzing Clang. This subset
/// extends the one defined in cxx_proto.proto by adding the option that
/// a VarRef can use the for loop's counter variable.
///
//===----------------------------------------------------------------------===//
syntax = "proto2";
message VarRef {
required int32 varnum = 1;
required bool is_loop_var = 2;
}
message Lvalue {
required VarRef varref = 1;
}
message Const {
required int32 val = 1;
}
message BinaryOp {
enum Op {
PLUS = 0;
MINUS = 1;
MUL = 2;
DIV = 3;
MOD = 4;
XOR = 5;
AND = 6;
OR = 7;
EQ = 8;
NE = 9;
LE = 10;
GE = 11;
LT = 12;
GT = 13;
};
required Op op = 1;
required Rvalue left = 2;
required Rvalue right = 3;
}
message Rvalue {
oneof rvalue_oneof {
VarRef varref = 1;
Const cons = 2;
BinaryOp binop = 3;
}
}
message AssignmentStatement {
required Lvalue lvalue = 1;
required Rvalue rvalue = 2;
}
message IfElse {
required Rvalue cond = 1;
required StatementSeq if_body = 2;
required StatementSeq else_body = 3;
}
message While {
required Rvalue cond = 1;
required StatementSeq body = 2;
}
message Statement {
oneof stmt_oneof {
AssignmentStatement assignment = 1;
IfElse ifelse = 2;
While while_loop = 3;
}
}
message StatementSeq {
repeated Statement statements = 1;
}
message LoopFunction {
required StatementSeq statements = 1;
}
package clang_fuzzer;

cfe/trunk/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt

set(LLVM_LINK_COMPONENTS ${LLVM_TARGETS_TO_BUILD}) set(LLVM_LINK_COMPONENTS ${LLVM_TARGETS_TO_BUILD})
set(CMAKE_CXX_FLAGS ${CXX_FLAGS_NOFUZZ}) set(CMAKE_CXX_FLAGS ${CXX_FLAGS_NOFUZZ})
# Needed by LLVM's CMake checks because this file defines multiple targets. # Needed by LLVM's CMake checks because this file defines multiple targets.
set(LLVM_OPTIONAL_SOURCES proto_to_cxx.cpp proto_to_cxx_main.cpp) set(LLVM_OPTIONAL_SOURCES proto_to_cxx.cpp proto_to_cxx_main.cpp
loop_proto_to_cxx.cpp loop_proto_to_cxx_main.cpp)
add_clang_library(clangProtoToCXX proto_to_cxx.cpp add_clang_library(clangProtoToCXX proto_to_cxx.cpp
DEPENDS clangCXXProto DEPENDS clangCXXProto
LINK_LIBS clangCXXProto ${PROTOBUF_LIBRARIES} LINK_LIBS clangCXXProto ${PROTOBUF_LIBRARIES}
) )
add_clang_library(clangLoopProtoToCXX loop_proto_to_cxx.cpp
DEPENDS clangCXXLoopProto
LINK_LIBS clangCXXLoopProto ${PROTOBUF_LIBRARIES}
)
add_clang_executable(clang-proto-to-cxx proto_to_cxx_main.cpp) add_clang_executable(clang-proto-to-cxx proto_to_cxx_main.cpp)
add_clang_executable(clang-loop-proto-to-cxx loop_proto_to_cxx_main.cpp)
target_link_libraries(clang-proto-to-cxx PRIVATE clangProtoToCXX) target_link_libraries(clang-proto-to-cxx PRIVATE clangProtoToCXX)
target_link_libraries(clang-loop-proto-to-cxx PRIVATE clangLoopProtoToCXX)

cfe/trunk/tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp

//==-- loop_proto_to_cxx.cpp - Protobuf-C++ conversion ---------------------==//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// Implements functions for converting between protobufs and C++. Extends
// proto_to_cxx.cpp by wrapping all the generated C++ code in a single for
// loop. Also coutputs a different function signature that includes a
// size_t parameter for the loop to use.
//
//===----------------------------------------------------------------------===//
#include "cxx_loop_proto.pb.h"
#include "proto_to_cxx.h"
// The following is needed to convert protos in human-readable form
#include <google/protobuf/text_format.h>
#include <ostream>
#include <sstream>
namespace clang_fuzzer {
// Forward decls.
std::ostream &operator<<(std::ostream &os, const BinaryOp &x);
std::ostream &operator<<(std::ostream &os, const StatementSeq &x);
// Proto to C++.
std::ostream &operator<<(std::ostream &os, const Const &x) {
return os << "(" << x.val() << ")";
}
std::ostream &operator<<(std::ostream &os, const VarRef &x) {
if (x.is_loop_var()) {
return os << "a[loop_ctr]";
} else {
return os << "a[" << static_cast<uint32_t>(x.varnum()) << " % s]";
}
}
std::ostream &operator<<(std::ostream &os, const Lvalue &x) {
return os << x.varref();
}
std::ostream &operator<<(std::ostream &os, const Rvalue &x) {
if (x.has_varref())
return os << x.varref();
if (x.has_cons())
return os << x.cons();
if (x.has_binop())
return os << x.binop();
return os << "1";
}
std::ostream &operator<<(std::ostream &os, const BinaryOp &x) {
os << "(" << x.left();
switch (x.op()) {
case BinaryOp::PLUS:
os << "+";
break;
case BinaryOp::MINUS:
os << "-";
break;
case BinaryOp::MUL:
os << "*";
break;
case BinaryOp::DIV:
os << "/";
break;
case BinaryOp::MOD:
os << "%";
break;
case BinaryOp::XOR:
os << "^";
break;
case BinaryOp::AND:
os << "&";
break;
case BinaryOp::OR:
os << "|";
break;
case BinaryOp::EQ:
os << "==";
break;
case BinaryOp::NE:
os << "!=";
break;
case BinaryOp::LE:
os << "<=";
break;
case BinaryOp::GE:
os << ">=";
break;
case BinaryOp::LT:
os << "<";
break;
case BinaryOp::GT:
os << ">";
break;
}
return os << x.right() << ")";
}
std::ostream &operator<<(std::ostream &os, const AssignmentStatement &x) {
return os << x.lvalue() << "=" << x.rvalue();
}
std::ostream &operator<<(std::ostream &os, const IfElse &x) {
return os << "if (" << x.cond() << "){\n"
<< x.if_body() << "} else { \n"
<< x.else_body() << "}\n";
}
std::ostream &operator<<(std::ostream &os, const While &x) {
return os << "while (" << x.cond() << "){\n" << x.body() << "}\n";
}
std::ostream &operator<<(std::ostream &os, const Statement &x) {
if (x.has_assignment())
return os << x.assignment() << ";\n";
if (x.has_ifelse())
return os << x.ifelse();
if (x.has_while_loop())
return os << x.while_loop();
return os << "(void)0;\n";
}
std::ostream &operator<<(std::ostream &os, const StatementSeq &x) {
for (auto &st : x.statements())
os << st;
return os;
}
std::ostream &operator<<(std::ostream &os, const LoopFunction &x) {
return os << "void foo(int *a, size_t s) {\n"
<< "for (int loop_ctr = 0; loop_ctr < s; loop_ctr++){\n"
<< x.statements() << "}\n}\n";
}
// ---------------------------------
std::string LoopFunctionToString(const LoopFunction &input) {
std::ostringstream os;
os << input;
return os.str();
}
std::string LoopProtoToCxx(const uint8_t *data, size_t size) {
LoopFunction message;
if (!message.ParsePartialFromArray(data, size))
return "#error invalid proto, may not be binary encoded\n";
return LoopFunctionToString(message);
}
} // namespace clang_fuzzer

cfe/trunk/tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx_main.cpp

//==-- loop_proto_to_cxx_main.cpp - Driver for protobuf-C++ conversion -----==//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// Implements a simple driver to print a C++ program from a protobuf with loops.
//
//===----------------------------------------------------------------------===//
// This is a copy and will be updated later to introduce changes
#include <fstream>
#include <iostream>
#include <streambuf>
#include <string>
#include "proto_to_cxx.h"
int main(int argc, char **argv) {
for (int i = 1; i < argc; i++) {
std::fstream in(argv[i]);
std::string str((std::istreambuf_iterator<char>(in)),
std::istreambuf_iterator<char>());
std::cout << "// " << argv[i] << std::endl;
std::cout << clang_fuzzer::LoopProtoToCxx(
reinterpret_cast<const uint8_t *>(str.data()), str.size());
}
}

cfe/trunk/tools/clang-fuzzer/proto-to-cxx/proto_to_cxx.h

Show All 11 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include <cstdint> #include <cstdint>
#include <cstddef> #include <cstddef>
#include <string> #include <string>
namespace clang_fuzzer { namespace clang_fuzzer {
class Function; class Function;
class LoopFunction;
std::string FunctionToString(const Function &input); std::string FunctionToString(const Function &input);
std::string ProtoToCxx(const uint8_t *data, size_t size); std::string ProtoToCxx(const uint8_t *data, size_t size);
std::string LoopFunctionToString(const LoopFunction &input);
std::string LoopProtoToCxx(const uint8_t *data, size_t size);
} }