This is an archive of the discontinued LLVM Phabricator instance.

Differential D48106

implemented proto to llvm
ClosedPublic

Authored by emmettneyman on Jun 12 2018, 4:15 PM.

Details

Reviewers
kcc
vitalybuka
morehouse
Commits
rC335374: Implemented proto to LLVM conversion and LLVM fuzz target
rL335374: Implemented proto to LLVM conversion and LLVM fuzz target
Summary

implemented proto_to_llvm

  • also removed div and mod to eliminate UB

Diff Detail

Event Timeline

emmettneyman created this revision.Jun 12 2018, 4:15 PM
Herald added subscribers: cfe-commits, mgorny. · View Herald TranscriptJun 12 2018, 4:15 PM
Harbormaster completed remote builds in B19256: Diff 151060.Jun 12 2018, 4:15 PM
emmettneyman updated this revision to Diff 151063.Jun 12 2018, 4:19 PM
  • removed unneeded file
emmettneyman updated this revision to Diff 151066.Jun 12 2018, 4:31 PM
  • fixed proto_to_cxx.cpp
Harbormaster completed remote builds in B19261: Diff 151066.Jun 12 2018, 4:31 PM
morehouse added a comment.Jun 12 2018, 6:29 PM

Where is the fuzz target?

tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp
34

I'd suggest wrapper functions that return unused variable names, so your code below won't need to juggle these globals.

44

The way these globals are being used seems confusing and error-prone.

Maybe what you want is to replace the operator<< overloads with functions that emit the LLVM and then return the variable name that the result is stored in. Then the parent node can use the returned variable name without juggling globals.

49

getelementptr should make this much simpler.

81

When will this last return be executed?

133

Probably not a big deal, but maybe load the rvalue first? I'd expect the frontend to do that normally to simplify register allocation.

133

Also, I think it is easier to read if you put each statement on its own line.

145

Space before %b.

154

Can we put %z = ... on the next line for consistency?

157

Can we put the first newline on previous statement for consistency?

emmettneyman updated this revision to Diff 151239.Jun 13 2018, 1:29 PM
  • refactored loop_proto_to_llvm.cpp
Harbormaster completed remote builds in B19304: Diff 151239.Jun 13 2018, 1:29 PM
emmettneyman added a comment.Jun 13 2018, 1:33 PM
In D48106#1130581, @morehouse wrote:

Where is the fuzz target?

I wanted to implement the proto_to_llvm converter before the fuzz target.

emmettneyman updated this revision to Diff 151240.Jun 13 2018, 1:39 PM
  • removed typo in emitted llvm insn
Harbormaster completed remote builds in B19305: Diff 151240.Jun 13 2018, 1:39 PM
morehouse added a comment.Jun 13 2018, 3:24 PM
In D48106#1131625, @emmettneyman wrote:

I wanted to implement the proto_to_llvm converter before the fuzz target.

The fuzz target should make testing your converter way easier. I'd recommend adding it to this patch so that you're less likely to need a bug-fixing patch later.

tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp
33

You can hide this as a static int inside get_var.

47

What's the point of storing then loading the value? Can you just return val?

50

Returning a pair can be confusing (which element is which?). I'd suggest passing os to these functions, writing the instructions to os, and then returning just the result variable.

121

If all these cases are the same, we can simplify the code to

case BinaryOp::EQ:
case BinaryOp::NE:
...
op = "add";
break;
130

If AssignmentStatementToString has no extra return value, I think its more concise to just keep the operator<< overload. (Same for below functions)

emmettneyman updated this revision to Diff 151798.Jun 18 2018, 2:57 PM

Implemented HandleLLVM fuzz target

-HandleLLVM function compiles LLVM IR
-ExampleClangLLVMProtoFuzzer wraps the fuzz target
-Next step is to compile at different opt levels and run the executables
emmettneyman updated this revision to Diff 151801.Jun 18 2018, 3:03 PM
  • removed unnecessary includes and linked libs
Harbormaster completed remote builds in B19438: Diff 151801.Jun 18 2018, 3:03 PM
morehouse requested changes to this revision.Jun 18 2018, 5:54 PM
morehouse added inline comments.
tools/clang-fuzzer/CMakeLists.txt
72

llvm

82–83

Maybe remove clangHandleCXX here, so you can use this variable for linking clang-llvm-proto-fuzzer.

tools/clang-fuzzer/handle-llvm/CMakeLists.txt
6

There's fewer libraries linked here than in handle-cxx/ (not saying this is wrong, but it could be). Do you get link errors if you build clang-llvm-proto-fuzzer with shared libraries?

tools/clang-fuzzer/handle-llvm/\
31 ↗(On Diff #151801)

Please sort includes alphabetically, with handle_llvm.h separate at the top.

42 ↗(On Diff #151801)

Nit: avoid empty lines at beginning or end of a {} block (here and below)

62 ↗(On Diff #151801)

Does this initialization need to happen every time the fuzzer generates a new input, or can we call this from LLVMFuzzerInitialize() instead?

71 ↗(On Diff #151801)
  1. Avoid using new when you could create the object on the stack instead. This will prevent you from introducing memory leaks if you forget to call delete later.
  2. I don't think you need to construct StringRefs or the MemoryBufferRef here. Instead you can probably do parseIR(MemoryBufferRef(S, "IR"), Err, ...) below.
79 ↗(On Diff #151801)

I'd move the unique_ptr definition to the same line as parseIR.

81 ↗(On Diff #151801)

What's the point of wrapping sys::getDefaultTargetTriple() if we always unwrap TheTriple below?

84 ↗(On Diff #151801)

What does UpgradeDebugInfo=false do here? The documentation warns about setting this bool to false.

84 ↗(On Diff #151801)

What if parseIR returns nullptr?

88 ↗(On Diff #151801)

What if lookupTarget returns nullptr?

90 ↗(On Diff #151801)

Please separate to 2 statements.

98 ↗(On Diff #151801)

Fix indentation here.

101 ↗(On Diff #151801)

Maybe add a default case here with an error message?

104 ↗(On Diff #151801)

It might make sense to move command line arg parsing to a helper function, and then call that function closer to the top. That way if there's a bad argument we can quit before doing all the IR parsing.

113 ↗(On Diff #151801)

Any reason not to use the newer PassManager?

127 ↗(On Diff #151801)

What's the reason for this cast? MachineModuleInfo() accepts TargetMachine * as an argument.

130 ↗(On Diff #151801)

Eventually you will want to save the outputs to do A/B runs. This is fine for now though.

tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
15

Apparently you created a file called \ with the same text. Please remove that file, and apply my comments there to this file instead.

tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp
58

Simpler to do os << ptr_var << " = getelementptr" ... (here and below)

72

Is it still possible for the protobuf to not have a constant, a binOp, or a varRef?

114

Nit: Maybe var_ref or lvalue would be more descriptive names.

115

Might make for slightly faster IR if you do the rvalue first. Would at least simplify register allocation.

This revision now requires changes to proceed.Jun 18 2018, 5:54 PM
emmettneyman added inline comments.Jun 19 2018, 10:51 AM
tools/clang-fuzzer/handle-llvm/CMakeLists.txt
6

It builds without any errors both with all the libraries from handle-cxx/ linked in and without any of the libraries linked in (as I have here). Which is preferred?

morehouse added inline comments.Jun 19 2018, 11:02 AM
tools/clang-fuzzer/handle-llvm/CMakeLists.txt
6

I prefer what you have here, if shared libraries are OK.

emmettneyman added inline comments.Jun 19 2018, 11:43 AM
tools/clang-fuzzer/handle-llvm/\
62 ↗(On Diff #151801)

I was following the pattern from handle_cxx.cpp in which the initialization calls were made every time a new input was generated. However looking at the documentation and at llvm-isel-fuzzer.cpp, it seems like putting it in LLVMFuzzerInitialize() makes more sense. I will make this change in the next commit.

emmettneyman added inline comments.Jun 19 2018, 2:44 PM
tools/clang-fuzzer/handle-llvm/\
113 ↗(On Diff #151801)

Clang (llc) and the llvm-isel-fuzzer both still use the legacy PassManager. The newer PassManager has a new interface that doesn't use Modules.

emmettneyman added inline comments.Jun 19 2018, 3:13 PM
tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp
72

Right now, since the protobufs use oneof, it is possible for the protobuf to not have a constant binOp, or varRef. For now, I'll generate "dummy" code for this case.

Then, I'll submit a new patch that eliminates the use of oneof for both cxx_proto.proto and cxx_loop_proto so that "dummy" code isn't necessary.

emmettneyman updated this revision to Diff 151986.Jun 19 2018, 3:21 PM
  • made changes to handle_llvm.cpp in response to reviewer comments
Harbormaster completed remote builds in B19483: Diff 151986.Jun 19 2018, 3:21 PM
morehouse added a comment.Jun 19 2018, 4:46 PM

If you haven't already, please apply for commit access: https://llvm.org/docs/DeveloperPolicy.html#obtaining-commit-access.

That way you can land this after it's accepted.

tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
24

This should come before llvm/IR/Module.h.

36

Can make this static to avoid future namespace collisions.

49

Maybe exit() as well on error? (here and below)

Exiting will cause the fuzz target to fail, so you can debug more easily. Otherwise, these error messages could go unnoticed.

59

It's easier to follow if you move this closer to where Context is first used.

67

You can actually omit the last argument here since you're using the default.

82

Easier to follow if you move these two lines closer to where CPUStr and FeaturesStr are used.

106

I believe you can avoid creating the MMI here since it looks like addPassesToEmitFile will do it for you.

emmettneyman updated this revision to Diff 152003.Jun 19 2018, 5:29 PM
  • minor changes to improve readability and style
Harbormaster completed remote builds in B19488: Diff 152003.Jun 19 2018, 5:29 PM
morehouse accepted this revision.Jun 19 2018, 5:38 PM
morehouse added inline comments.
tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
51

exit(1) will indicate an abnormal exit. (here and below)

65

This comment is unnecessary. Clearly a new Context is being created on the next line.

This revision is now accepted and ready to land.Jun 19 2018, 5:38 PM
emmettneyman updated this revision to Diff 152005.Jun 19 2018, 5:44 PM
  • removed unnecessary comment and fixed exit statement
morehouse added a comment.Jun 19 2018, 6:01 PM

Looks like exit(0) is still there.

emmettneyman updated this revision to Diff 152006.Jun 19 2018, 6:02 PM
  • actually fixed error statement
Harbormaster completed remote builds in B19490: Diff 152006.Jun 19 2018, 6:02 PM
emmettneyman added a comment.Jun 19 2018, 6:03 PM
In D48106#1137224, @morehouse wrote:

Looks like exit(0) is still there.

oops, forgot to :w

emmettneyman closed this revision.Jun 20 2018, 8:54 AM
sbc100 added a subscriber: sbc100.Jun 22 2018, 12:16 PM

I think this broke the BUILD_SHARED_LIBS=1 build: https://reviews.llvm.org/D48503

Revision Contents

PathSize
tools/
clang-fuzzer/
22 lines
28 lines
26 lines
fuzzer-initialize/
7 lines
handle-cxx/
6 lines
handle-llvm/
5 lines
25 lines
111 lines
proto-to-cxx/
11 lines
1 line
proto-to-llvm/
14 lines
23 lines
156 lines
proto-to-llvm/
proto-to-cxx/
loop_proto_to_llvm_main.cpp
loop_proto_to_cxx_main.cpp
11 lines

Diff 152006

tools/clang-fuzzer/CMakeLists.txt

Show All 9 Lines
endif() endif()
# Needed by LLVM's CMake checks because this file defines multiple targets. # Needed by LLVM's CMake checks because this file defines multiple targets.
set(LLVM_OPTIONAL_SOURCES set(LLVM_OPTIONAL_SOURCES
ClangFuzzer.cpp ClangFuzzer.cpp
DummyClangFuzzer.cpp DummyClangFuzzer.cpp
ExampleClangProtoFuzzer.cpp ExampleClangProtoFuzzer.cpp
ExampleClangLoopProtoFuzzer.cpp ExampleClangLoopProtoFuzzer.cpp
ExampleClangLLVMProtoFuzzer.cpp
) )
if(CLANG_ENABLE_PROTO_FUZZER) if(CLANG_ENABLE_PROTO_FUZZER)
# Create protobuf .h and .cc files, and put them in a library for use by # Create protobuf .h and .cc files, and put them in a library for use by
# clang-proto-fuzzer components. # clang-proto-fuzzer components.
find_package(Protobuf REQUIRED) find_package(Protobuf REQUIRED)
add_definitions(-DGOOGLE_PROTOBUF_NO_RTTI) add_definitions(-DGOOGLE_PROTOBUF_NO_RTTI)
include_directories(${PROTOBUF_INCLUDE_DIRS}) include_directories(${PROTOBUF_INCLUDE_DIRS})
Show All 18 Lines add_clang_library(clangCXXLoopProto
) )
# Build and include libprotobuf-mutator # Build and include libprotobuf-mutator
include(ProtobufMutator) include(ProtobufMutator)
include_directories(${ProtobufMutator_INCLUDE_DIRS}) include_directories(${ProtobufMutator_INCLUDE_DIRS})
# Build the protobuf->C++ translation library and driver. # Build the protobuf->C++ translation library and driver.
add_clang_subdirectory(proto-to-cxx) add_clang_subdirectory(proto-to-cxx)
# Build the protobuf->LLVM IR translation library and driver.
add_clang_subdirectory(proto-to-llvm)
# Build the fuzzer initialization library. # Build the fuzzer initialization library.
add_clang_subdirectory(fuzzer-initialize) add_clang_subdirectory(fuzzer-initialize)
# Build the protobuf fuzzer # Build the protobuf fuzzer
add_clang_executable(clang-proto-fuzzer add_clang_executable(clang-proto-fuzzer
${DUMMY_MAIN} ${DUMMY_MAIN}
ExampleClangProtoFuzzer.cpp ExampleClangProtoFuzzer.cpp
) )
# Build the loop protobuf fuzzer # Build the loop protobuf fuzzer
add_clang_executable(clang-loop-proto-fuzzer add_clang_executable(clang-loop-proto-fuzzer
${DUMMY_MAIN} ${DUMMY_MAIN}
ExampleClangLoopProtoFuzzer.cpp ExampleClangLoopProtoFuzzer.cpp
) )
# Build the llvm protobuf fuzzer
morehouseUnsubmitted
Not Done
ReplyInline Actions

llvm

morehouse: llvm
add_clang_executable(clang-llvm-proto-fuzzer
${DUMMY_MAIN}
ExampleClangLLVMProtoFuzzer.cpp
)
set(COMMON_PROTO_FUZZ_LIBRARIES set(COMMON_PROTO_FUZZ_LIBRARIES
${ProtobufMutator_LIBRARIES} ${ProtobufMutator_LIBRARIES}
${PROTOBUF_LIBRARIES} ${PROTOBUF_LIBRARIES}
${LLVM_LIB_FUZZING_ENGINE} ${LLVM_LIB_FUZZING_ENGINE}
clangFuzzerInitialize clangFuzzerInitialize
clangHandleCXX
) )
morehouseUnsubmitted
Not Done
ReplyInline Actions

Maybe remove clangHandleCXX here, so you can use this variable for linking clang-llvm-proto-fuzzer.

morehouse: Maybe remove `clangHandleCXX` here, so you can use this variable for linking `clang-llvm-proto…
target_link_libraries(clang-proto-fuzzer target_link_libraries(clang-proto-fuzzer
PRIVATE PRIVATE
${COMMON_PROTO_FUZZ_LIBRARIES} ${COMMON_PROTO_FUZZ_LIBRARIES}
clangHandleCXX
clangCXXProto clangCXXProto
clangProtoToCXX clangProtoToCXX
) )
target_link_libraries(clang-loop-proto-fuzzer target_link_libraries(clang-loop-proto-fuzzer
PRIVATE PRIVATE
${COMMON_PROTO_FUZZ_LIBRARIES} ${COMMON_PROTO_FUZZ_LIBRARIES}
clangHandleCXX
clangCXXLoopProto clangCXXLoopProto
clangLoopProtoToCXX clangLoopProtoToCXX
) )
target_link_libraries(clang-llvm-proto-fuzzer
PRIVATE
${COMMON_PROTO_FUZZ_LIBRARIES}
clangHandleLLVM
clangCXXLoopProto
clangLoopProtoToLLVM
)
endif() endif()
add_clang_subdirectory(handle-cxx) add_clang_subdirectory(handle-cxx)
add_clang_subdirectory(handle-llvm)
add_clang_executable(clang-fuzzer add_clang_executable(clang-fuzzer
EXCLUDE_FROM_ALL EXCLUDE_FROM_ALL
${DUMMY_MAIN} ${DUMMY_MAIN}
ClangFuzzer.cpp ClangFuzzer.cpp
) )
target_link_libraries(clang-fuzzer target_link_libraries(clang-fuzzer
PRIVATE PRIVATE
${LLVM_LIB_FUZZING_ENGINE} ${LLVM_LIB_FUZZING_ENGINE}
clangHandleCXX clangHandleCXX
) )

tools/clang-fuzzer/ExampleClangLLVMProtoFuzzer.cpp

  • This file was added.
//===-- ExampleClangLLVMProtoFuzzer.cpp - Fuzz Clang ----------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
///
/// \file
/// This file implements a function that compiles a single LLVM IR string as
/// input and uses libprotobuf-mutator to find new inputs. This function is
/// then linked into the Fuzzer library.
///
//===----------------------------------------------------------------------===//
#include "cxx_loop_proto.pb.h"
#include "fuzzer-initialize/fuzzer_initialize.h"
#include "handle-llvm/handle_llvm.h"
#include "proto-to-llvm/loop_proto_to_llvm.h"
#include "src/libfuzzer/libfuzzer_macro.h"
using namespace clang_fuzzer;
DEFINE_BINARY_PROTO_FUZZER(const LoopFunction &input) {
auto S = LoopFunctionToLLVMString(input);
HandleLLVM(S, GetCLArgs());
}

tools/clang-fuzzer/cxx_loop_proto.proto

Show All 31 Linesmessage VarRef {
required Arr arr = 1; required Arr arr = 1;
} }
message BinaryOp { message BinaryOp {
enum Op { enum Op {
PLUS = 0; PLUS = 0;
MINUS = 1; MINUS = 1;
MUL = 2; MUL = 2;
DIV = 3; XOR = 3;
MOD = 4; AND = 4;
XOR = 5; OR = 5;
AND = 6; EQ = 6;
OR = 7; NE = 7;
EQ = 8; LE = 8;
NE = 9; GE = 9;
LE = 10; LT = 10;
GE = 11; GT = 11;
LT = 12;
GT = 13;
}; };
required Op op = 1; required Op op = 1;
required Rvalue left = 2; required Rvalue left = 2;
required Rvalue right = 3; required Rvalue right = 3;
} }
message Rvalue { message Rvalue {
oneof rvalue_oneof { oneof rvalue_oneof {
Const cons = 1; Const cons = 1;
BinaryOp binop = 2; BinaryOp binop = 2;
VarRef varref = 3; VarRef varref = 3;
} }
} }
message AssignmentStatement { message AssignmentStatement {
required VarRef varref = 1; required VarRef varref = 1;
required Rvalue rvalue = 2; required Rvalue rvalue = 2;
} }
message IfElse {
required Rvalue cond = 1;
required StatementSeq if_body = 2;
required StatementSeq else_body = 3;
}
message Statement { message Statement {
required AssignmentStatement assignment = 1; required AssignmentStatement assignment = 1;
} }
message StatementSeq { message StatementSeq {
repeated Statement statements = 1; repeated Statement statements = 1;
} }
message LoopFunction { message LoopFunction {
required StatementSeq statements = 1; required StatementSeq statements = 1;
} }
package clang_fuzzer; package clang_fuzzer;

tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp

Show All 9 Lines
/// \file /// \file
/// This file implements two functions: one that returns the command line /// This file implements two functions: one that returns the command line
/// arguments for a given call to the fuzz target and one that initializes /// arguments for a given call to the fuzz target and one that initializes
/// the fuzzer with the correct command line arguments. /// the fuzzer with the correct command line arguments.
/// ///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "fuzzer_initialize.h" #include "fuzzer_initialize.h"
#include "llvm/Support/TargetSelect.h"
#include <cstring> #include <cstring>
using namespace clang_fuzzer; using namespace clang_fuzzer;
namespace clang_fuzzer { namespace clang_fuzzer {
static std::vector<const char *> CLArgs; static std::vector<const char *> CLArgs;
const std::vector<const char *>& GetCLArgs() { const std::vector<const char *>& GetCLArgs() {
return CLArgs; return CLArgs;
} }
} }
extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
llvm::InitializeAllTargets();
llvm::InitializeAllTargetMCs();
llvm::InitializeAllAsmPrinters();
llvm::InitializeAllAsmParsers();
CLArgs.push_back("-O2"); CLArgs.push_back("-O2");
for (int I = 1; I < *argc; I++) { for (int I = 1; I < *argc; I++) {
if (strcmp((*argv)[I], "-ignore_remaining_args=1") == 0) { if (strcmp((*argv)[I], "-ignore_remaining_args=1") == 0) {
for (I++; I < *argc; I++) for (I++; I < *argc; I++)
CLArgs.push_back((*argv)[I]); CLArgs.push_back((*argv)[I]);
break; break;
} }
} }
return 0; return 0;
} }

tools/clang-fuzzer/handle-cxx/handle_cxx.cpp

Show All 12 Lines
#include "handle_cxx.h" #include "handle_cxx.h"
#include "clang/CodeGen/CodeGenAction.h" #include "clang/CodeGen/CodeGenAction.h"
#include "clang/Frontend/CompilerInstance.h" #include "clang/Frontend/CompilerInstance.h"
#include "clang/Lex/PreprocessorOptions.h" #include "clang/Lex/PreprocessorOptions.h"
#include "clang/Tooling/Tooling.h" #include "clang/Tooling/Tooling.h"
#include "llvm/Option/Option.h" #include "llvm/Option/Option.h"
#include "llvm/Support/TargetSelect.h"
using namespace clang; using namespace clang;
void clang_fuzzer::HandleCXX(const std::string &S, void clang_fuzzer::HandleCXX(const std::string &S,
const std::vector<const char *> &ExtraArgs) { const std::vector<const char *> &ExtraArgs) {
llvm::InitializeAllTargets();
llvm::InitializeAllTargetMCs();
llvm::InitializeAllAsmPrinters();
llvm::InitializeAllAsmParsers();
llvm::opt::ArgStringList CC1Args; llvm::opt::ArgStringList CC1Args;
CC1Args.push_back("-cc1"); CC1Args.push_back("-cc1");
for (auto &A : ExtraArgs) for (auto &A : ExtraArgs)
CC1Args.push_back(A); CC1Args.push_back(A);
CC1Args.push_back("./test.cc"); CC1Args.push_back("./test.cc");
llvm::IntrusiveRefCntPtr<FileManager> Files( llvm::IntrusiveRefCntPtr<FileManager> Files(
new FileManager(FileSystemOptions())); new FileManager(FileSystemOptions()));
Show All 19 Lines

tools/clang-fuzzer/handle-llvm/CMakeLists.txt

  • This file was added.
set(LLVM_LINK_COMPONENTS ${LLVM_TARGETS_TO_BUILD} Support)
add_clang_library(clangHandleLLVM
handle_llvm.cpp
)
morehouseUnsubmitted
Not Done
ReplyInline Actions

There's fewer libraries linked here than in handle-cxx/ (not saying this is wrong, but it could be). Do you get link errors if you build clang-llvm-proto-fuzzer with shared libraries?

morehouse: There's fewer libraries linked here than in `handle-cxx/` (not saying this is wrong, but it…
emmettneymanAuthorUnsubmitted
Not Done
ReplyInline Actions

It builds without any errors both with all the libraries from handle-cxx/ linked in and without any of the libraries linked in (as I have here). Which is preferred?

emmettneyman: It builds without any errors both with all the libraries from `handle-cxx/` linked in and…
morehouseUnsubmitted
Not Done
ReplyInline Actions

I prefer what you have here, if shared libraries are OK.

morehouse: I prefer what you have here, if shared libraries are OK.

tools/clang-fuzzer/handle-llvm/handle_llvm.h

  • This file was added.
//==-- handle_llvm.h - Helper function for Clang fuzzers -------------------==//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// Defines HandleLLVM for use by the Clang fuzzers.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_TOOLS_CLANG_FUZZER_HANDLE_LLVM_HANDLELLVM_H
#define LLVM_CLANG_TOOLS_CLANG_FUZZER_HANDLE_LLVM_HANDLELLVM_H
#include <string>
#include <vector>
namespace clang_fuzzer {
void HandleLLVM(const std::string &S,
const std::vector<const char *> &ExtraArgs);
} // namespace clang_fuzzer
#endif

tools/clang-fuzzer/handle-llvm/handle_llvm.cpp

  • This file was added.
//==-- handle_llvm.cpp - Helper function for Clang fuzzers -----------------==//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// Implements HandleLLVM for use by the Clang fuzzers. Mimics the llc tool to
// compile an LLVM IR file to X86_64 assembly.
//
//===----------------------------------------------------------------------===//
#include "handle_llvm.h"
morehouseUnsubmitted
Not Done
ReplyInline Actions

Apparently you created a file called \ with the same text. Please remove that file, and apply my comments there to this file instead.

morehouse: Apparently you created a file called `\` with the same text. Please remove that file, and…
#include "llvm/ADT/Triple.h"
#include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/CodeGen/CommandFlags.inc"
#include "llvm/CodeGen/MachineModuleInfo.h"
#include "llvm/IR/LegacyPassManager.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Verifier.h"
morehouseUnsubmitted
Not Done
ReplyInline Actions

This should come before llvm/IR/Module.h.

morehouse: This should come before llvm/IR/Module.h.
#include "llvm/IRReader/IRReader.h"
#include "llvm/PassRegistry.h"
#include "llvm/Support/InitLLVM.h"
#include "llvm/Support/MemoryBuffer.h"
#include "llvm/Support/SourceMgr.h"
#include "llvm/Support/TargetRegistry.h"
#include "llvm/Target/TargetMachine.h"
#include <cstdlib>
using namespace llvm;
morehouseUnsubmitted
Not Done
ReplyInline Actions

Can make this static to avoid future namespace collisions.

morehouse: Can make this static to avoid future namespace collisions.
static void getOptLevel(const std::vector<const char *> &ExtraArgs,
CodeGenOpt::Level &OLvl) {
// Find the optimization level from the command line args
OLvl = CodeGenOpt::Default;
for (auto &A : ExtraArgs) {
if (A[0] == '-' && A[1] == 'O') {
switch(A[2]) {
case '0': OLvl = CodeGenOpt::None; break;
case '1': OLvl = CodeGenOpt::Less; break;
case '2': OLvl = CodeGenOpt::Default; break;
case '3': OLvl = CodeGenOpt::Aggressive; break;
default:
errs() << "error: opt level must be between 0 and 3.\n";
morehouseUnsubmitted
Not Done
ReplyInline Actions

Maybe exit() as well on error? (here and below)

Exiting will cause the fuzz target to fail, so you can debug more easily. Otherwise, these error messages could go unnoticed.

morehouse: Maybe exit() as well on error? (here and below) Exiting will cause the fuzz target to fail…
std::exit(1);
}
morehouseUnsubmitted
Not Done
ReplyInline Actions

exit(1) will indicate an abnormal exit. (here and below)

morehouse: `exit(1)` will indicate an abnormal exit. (here and below)
}
}
}
void clang_fuzzer::HandleLLVM(const std::string &S,
const std::vector<const char *> &ExtraArgs) {
// Parse ExtraArgs to set the optimization level
CodeGenOpt::Level OLvl;
morehouseUnsubmitted
Not Done
ReplyInline Actions

It's easier to follow if you move this closer to where Context is first used.

morehouse: It's easier to follow if you move this closer to where Context is first used.
getOptLevel(ExtraArgs, OLvl);
// Set the Module to include the the IR code to be compiled
SMDiagnostic Err;
LLVMContext Context;
morehouseUnsubmitted
Not Done
ReplyInline Actions

This comment is unnecessary. Clearly a new Context is being created on the next line.

morehouse: This comment is unnecessary. Clearly a new Context is being created on the next line.
std::unique_ptr<Module> M = parseIR(MemoryBufferRef(S, "IR"), Err, Context);
if (!M) {
morehouseUnsubmitted
Not Done
ReplyInline Actions

You can actually omit the last argument here since you're using the default.

morehouse: You can actually omit the last argument here since you're using the default.
errs() << "error: could not parse IR!\n";
std::exit(1);
}
// Create a new Target
std::string Error;
const Target *TheTarget = TargetRegistry::lookupTarget(
sys::getDefaultTargetTriple(), Error);
if (!TheTarget) {
errs() << Error;
std::exit(1);
}
TargetOptions Options = InitTargetOptionsFromCodeGenFlags();
morehouseUnsubmitted
Not Done
ReplyInline Actions

Easier to follow if you move these two lines closer to where CPUStr and FeaturesStr are used.

morehouse: Easier to follow if you move these two lines closer to where `CPUStr` and `FeaturesStr` are…
// Create a new Machine
std::string CPUStr = getCPUStr();
std::string FeaturesStr = getFeaturesStr();
std::unique_ptr<TargetMachine> Target(TheTarget->createTargetMachine(
sys::getDefaultTargetTriple(), CPUStr, FeaturesStr, Options,
getRelocModel(), getCodeModel(), OLvl));
// Create a new PassManager
legacy::PassManager PM;
TargetLibraryInfoImpl TLII(Triple(M->getTargetTriple()));
PM.add(new TargetLibraryInfoWrapperPass(TLII));
M->setDataLayout(Target->createDataLayout());
// Make sure the Module has no errors
if (verifyModule(*M, &errs())) {
errs() << "error: input module is broken!\n";
std::exit(1);
}
setFunctionAttributes(CPUStr, FeaturesStr, *M);
raw_null_ostream OS;
Target->addPassesToEmitFile(PM, OS, nullptr, TargetMachine::CGFT_ObjectFile,
false);
morehouseUnsubmitted
Not Done
ReplyInline Actions

I believe you can avoid creating the MMI here since it looks like addPassesToEmitFile will do it for you.

morehouse: I believe you can avoid creating the MMI here since it looks like addPassesToEmitFile will do…
PM.run(*M);
return;
}

tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp

Show First 20 LinesShow All 61 Lines▼ Show 20 Lines case BinaryOp::PLUS:
os << "+"; os << "+";
break; break;
case BinaryOp::MINUS: case BinaryOp::MINUS:
os << "-"; os << "-";
break; break;
case BinaryOp::MUL: case BinaryOp::MUL:
os << "*"; os << "*";
break; break;
case BinaryOp::DIV:
os << "/";
break;
case BinaryOp::MOD:
os << "%";
break;
case BinaryOp::XOR: case BinaryOp::XOR:
os << "^"; os << "^";
break; break;
case BinaryOp::AND: case BinaryOp::AND:
os << "&"; os << "&";
break; break;
case BinaryOp::OR: case BinaryOp::OR:
os << "|"; os << "|";
Show All 17 Lines case BinaryOp::GT:
os << ">"; os << ">";
break; break;
} }
return os << x.right() << ")"; return os << x.right() << ")";
} }
std::ostream &operator<<(std::ostream &os, const AssignmentStatement &x) { std::ostream &operator<<(std::ostream &os, const AssignmentStatement &x) {
return os << x.varref() << "=" << x.rvalue() << ";\n"; return os << x.varref() << "=" << x.rvalue() << ";\n";
} }
std::ostream &operator<<(std::ostream &os, const IfElse &x) {
return os << "if (" << x.cond() << "){\n"
<< x.if_body() << "} else { \n"
<< x.else_body() << "}\n";
}
std::ostream &operator<<(std::ostream &os, const Statement &x) { std::ostream &operator<<(std::ostream &os, const Statement &x) {
return os << x.assignment(); return os << x.assignment();
} }
std::ostream &operator<<(std::ostream &os, const StatementSeq &x) { std::ostream &operator<<(std::ostream &os, const StatementSeq &x) {
for (auto &st : x.statements()) for (auto &st : x.statements())
os << st; os << st;
return os; return os;
} }
Show All 21 Lines

tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx_main.cpp

  • This file was copied to tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm_main.cpp.
//==-- loop_proto_to_cxx_main.cpp - Driver for protobuf-C++ conversion -----==// //==-- loop_proto_to_cxx_main.cpp - Driver for protobuf-C++ conversion -----==//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// Implements a simple driver to print a C++ program from a protobuf with loops. // Implements a simple driver to print a C++ program from a protobuf with loops.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// This is a copy and will be updated later to introduce changes
#include <fstream> #include <fstream>
#include <iostream> #include <iostream>
#include <streambuf> #include <streambuf>
#include <string> #include <string>
#include "proto_to_cxx.h" #include "proto_to_cxx.h"
Show All 10 Lines

tools/clang-fuzzer/proto-to-llvm/CMakeLists.txt

  • This file was added.
set(LLVM_LINK_COMPONENTS ${LLVM_TARGETS_TO_BUILD})
set(CMAKE_CXX_FLAGS ${CXX_FLAGS_NOFUZZ})
# Needed by LLVM's CMake checks because this file defines multiple targets.
set(LLVM_OPTIONAL_SOURCES loop_proto_to_llvm.cpp loop_proto_to_llvm_main.cpp)
add_clang_library(clangLoopProtoToLLVM loop_proto_to_llvm.cpp
DEPENDS clangCXXLoopProto
LINK_LIBS clangCXXLoopProto ${PROTOBUF_LIBRARIES}
)
add_clang_executable(clang-loop-proto-to-llvm loop_proto_to_llvm_main.cpp)
target_link_libraries(clang-loop-proto-to-llvm PRIVATE clangLoopProtoToLLVM)

tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.h

  • This file was added.
//==-- loop_proto_to_llvm.h - Protobuf-C++ conversion ----------------------------==//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// Defines functions for converting between protobufs and LLVM IR.
//
//===----------------------------------------------------------------------===//
#include <cstdint>
#include <cstddef>
#include <string>
namespace clang_fuzzer {
class LoopFunction;
std::string LoopFunctionToLLVMString(const LoopFunction &input);
std::string LoopProtoToLLVM(const uint8_t *data, size_t size);
}

tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp

  • This file was added.
//==-- loop_proto_to_llvm.cpp - Protobuf-C++ conversion
//---------------------==//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// Implements functions for converting between protobufs and LLVM IR.
//
//
//===----------------------------------------------------------------------===//
#include "loop_proto_to_llvm.h"
#include "cxx_loop_proto.pb.h"
// The following is needed to convert protos in human-readable form
#include <google/protobuf/text_format.h>
#include <ostream>
#include <sstream>
namespace clang_fuzzer {
// Forward decls
std::string BinopToString(std::ostream &os, const BinaryOp &x);
std::string StateSeqToString(std::ostream &os, const StatementSeq &x);
// Counter variable to generate new LLVM IR variable names and wrapper function
std::string get_var() {
static int ctr = 0;
morehouseUnsubmitted
Not Done
ReplyInline Actions

You can hide this as a static int inside get_var.

morehouse: You can hide this as a static int inside `get_var`.
return "%var" + std::to_string(ctr++);
morehouseUnsubmitted
Not Done
ReplyInline Actions

I'd suggest wrapper functions that return unused variable names, so your code below won't need to juggle these globals.

morehouse: I'd suggest wrapper functions that return unused variable names, so your code below won't need…
}
// Proto to LLVM.
std::string ConstToString(const Const &x) {
return std::to_string(x.val());
}
std::string VarRefToString(std::ostream &os, const VarRef &x) {
std::string arr;
switch(x.arr()) {
morehouseUnsubmitted
Not Done
ReplyInline Actions

The way these globals are being used seems confusing and error-prone.

Maybe what you want is to replace the operator<< overloads with functions that emit the LLVM and then return the variable name that the result is stored in. Then the parent node can use the returned variable name without juggling globals.

morehouse: The way these globals are being used seems confusing and error-prone. Maybe what you want is…
case VarRef::ARR_A:
arr = "%a";
break;
morehouseUnsubmitted
Not Done
ReplyInline Actions

What's the point of storing then loading the value? Can you just return val?

morehouse: What's the point of storing then loading the value? Can you just return `val`?
case VarRef::ARR_B:
arr = "%b";
morehouseUnsubmitted
Not Done
ReplyInline Actions

getelementptr should make this much simpler.

morehouse: `getelementptr` should make this much simpler.
break;
morehouseUnsubmitted
Not Done
ReplyInline Actions

Returning a pair can be confusing (which element is which?). I'd suggest passing os to these functions, writing the instructions to os, and then returning just the result variable.

morehouse: Returning a pair can be confusing (which element is which?). I'd suggest passing `os` to these…
case VarRef::ARR_C:
arr = "%c";
break;
}
std::string ptr_var = get_var();
os << ptr_var << " = getelementptr i32, i32* " << arr << ", i64 %ct\n";
return ptr_var;
}
morehouseUnsubmitted
Not Done
ReplyInline Actions

Simpler to do os << ptr_var << " = getelementptr" ... (here and below)

morehouse: Simpler to do `os << ptr_var << " = getelementptr" ...` (here and below)
std::string RvalueToString(std::ostream &os, const Rvalue &x) {
if(x.has_cons())
return ConstToString(x.cons());
if(x.has_binop())
return BinopToString(os, x.binop());
if(x.has_varref()) {
std::string var_ref = VarRefToString(os, x.varref());
std::string val_var = get_var();
os << val_var << " = load i32, i32* " << var_ref << "\n";
return val_var;
}
return "1";
}
morehouseUnsubmitted
Not Done
ReplyInline Actions

Is it still possible for the protobuf to not have a constant, a binOp, or a varRef?

morehouse: Is it still possible for the protobuf to not have a constant, a binOp, or a varRef?
emmettneymanAuthorUnsubmitted
Not Done
ReplyInline Actions

Right now, since the protobufs use oneof, it is possible for the protobuf to not have a constant binOp, or varRef. For now, I'll generate "dummy" code for this case.

Then, I'll submit a new patch that eliminates the use of oneof for both cxx_proto.proto and cxx_loop_proto so that "dummy" code isn't necessary.

emmettneyman: Right now, since the protobufs use `oneof`, it is possible for the protobuf to not have a…
std::string BinopToString(std::ostream &os, const BinaryOp &x) {
std::string left = RvalueToString(os, x.left());
std::string right = RvalueToString(os, x.right());
std::string op;
switch (x.op()) {
case BinaryOp::PLUS:
op = "add";
break;
case BinaryOp::MINUS:
morehouseUnsubmitted
Not Done
ReplyInline Actions

When will this last return be executed?

morehouse: When will this last return be executed?
op = "sub";
break;
case BinaryOp::MUL:
op = "mul";
break;
case BinaryOp::XOR:
op = "xor";
break;
case BinaryOp::AND:
op = "and";
break;
case BinaryOp::OR:
op = "or";
break;
// Support for Boolean operators will be added later
case BinaryOp::EQ:
case BinaryOp::NE:
case BinaryOp::LE:
case BinaryOp::GE:
case BinaryOp::LT:
case BinaryOp::GT:
op = "add";
break;
}
std::string val_var = get_var();
os << val_var << " = " << op << " i32 " << left << ", " << right << "\n";
return val_var;
}
std::ostream &operator<<(std::ostream &os, const AssignmentStatement &x) {
std::string rvalue = RvalueToString(os, x.rvalue());
std::string var_ref = VarRefToString(os, x.varref());
return os << "store i32 " << rvalue << ", i32* " << var_ref << "\n";
}
morehouseUnsubmitted
Not Done
ReplyInline Actions

Nit: Maybe var_ref or lvalue would be more descriptive names.

morehouse: Nit: Maybe `var_ref` or `lvalue` would be more descriptive names.
std::ostream &operator<<(std::ostream &os, const Statement &x) {
morehouseUnsubmitted
Not Done
ReplyInline Actions

Might make for slightly faster IR if you do the rvalue first. Would at least simplify register allocation.

morehouse: Might make for slightly faster IR if you do the rvalue first. Would at least simplify register…
return os << x.assignment();
}
std::ostream &operator<<(std::ostream &os, const StatementSeq &x) {
for (auto &st : x.statements()) {
os << st;
}
morehouseUnsubmitted
Not Done
ReplyInline Actions

If all these cases are the same, we can simplify the code to

case BinaryOp::EQ:
case BinaryOp::NE:
...
op = "add";
break;
morehouse: If all these cases are the same, we can simplify the code to ``` case BinaryOp::EQ: case…
return os;
}
std::ostream &operator<<(std::ostream &os, const LoopFunction &x) {
return os << "define void @foo(i32* %a, i32* %b, i32* noalias %c, i64 %s) {\n"
<< "%i = alloca i64\n"
<< "store i64 0, i64* %i\n"
<< "br label %loop\n\n"
<< "loop:\n"
<< "%ct = load i64, i64* %i\n"
morehouseUnsubmitted
Not Done
ReplyInline Actions

If AssignmentStatementToString has no extra return value, I think its more concise to just keep the operator<< overload. (Same for below functions)

morehouse: If `AssignmentStatementToString` has no extra return value, I think its more concise to just…
<< "%comp = icmp eq i64 %ct, %s\n"
<< "br i1 %comp, label %endloop, label %body\n\n"
<< "body:\n"
morehouseUnsubmitted
Not Done
ReplyInline Actions

Probably not a big deal, but maybe load the rvalue first? I'd expect the frontend to do that normally to simplify register allocation.

morehouse: Probably not a big deal, but maybe load the rvalue first? I'd expect the frontend to do that…
morehouseUnsubmitted
Not Done
ReplyInline Actions

Also, I think it is easier to read if you put each statement on its own line.

morehouse: Also, I think it is easier to read if you put each statement on its own line.
<< x.statements()
<< "%z = add i64 1, %ct\n"
<< "store i64 %z, i64* %i\n"
<< "br label %loop\n\n"
<< "endloop:\n"
<< "ret void\n}\n";
}
// ---------------------------------
std::string LoopFunctionToLLVMString(const LoopFunction &input) {
std::ostringstream os;
morehouseUnsubmitted
Not Done
ReplyInline Actions

Space before %b.

morehouse: Space before `%b`.
os << input;
return os.str();
}
std::string LoopProtoToLLVM(const uint8_t *data, size_t size) {
LoopFunction message;
if (!message.ParsePartialFromArray(data, size))
return "#error invalid proto\n";
return LoopFunctionToLLVMString(message);
}
morehouseUnsubmitted
Not Done
ReplyInline Actions

Can we put %z = ... on the next line for consistency?

morehouse: Can we put `%z = ...` on the next line for consistency?
} // namespace clang_fuzzer
morehouseUnsubmitted
Not Done
ReplyInline Actions

Can we put the first newline on previous statement for consistency?

morehouse: Can we put the first newline on previous statement for consistency?

tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm_main.cpp

  • This file was copied from tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx_main.cpp.
//==-- loop_proto_to_cxx_main.cpp - Driver for protobuf-C++ conversion -----==// //==-- loop_proto_to_llvm_main.cpp - Driver for protobuf-LLVM conversion----==//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// Implements a simple driver to print a C++ program from a protobuf with loops. // Implements a simple driver to print a LLVM program from a protobuf with loops
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// This is a copy and will be updated later to introduce changes
#include <fstream> #include <fstream>
#include <iostream> #include <iostream>
#include <streambuf> #include <streambuf>
#include <string> #include <string>
#include "proto_to_cxx.h" #include "loop_proto_to_llvm.h"
int main(int argc, char **argv) { int main(int argc, char **argv) {
for (int i = 1; i < argc; i++) { for (int i = 1; i < argc; i++) {
std::fstream in(argv[i]); std::fstream in(argv[i]);
std::string str((std::istreambuf_iterator<char>(in)), std::string str((std::istreambuf_iterator<char>(in)),
std::istreambuf_iterator<char>()); std::istreambuf_iterator<char>());
std::cout << "// " << argv[i] << std::endl; std::cout << ";; " << argv[i] << std::endl;
std::cout << clang_fuzzer::LoopProtoToCxx( std::cout << clang_fuzzer::LoopProtoToLLVM(
reinterpret_cast<const uint8_t *>(str.data()), str.size()); reinterpret_cast<const uint8_t *>(str.data()), str.size());
} }
} }