This is an archive of the discontinued LLVM Phabricator instance.

Differential D49526

Updated llvm-proto-fuzzer to execute the compiled code
ClosedPublic

Authored by emmettneyman on Jul 18 2018, 5:43 PM.

Details

Reviewers
morehouse
kcc
alexander-shaposhnikov
Commits
rGe5581242a04a: Updated llvm-proto-fuzzer to execute the compiled code
rC338077: Updated llvm-proto-fuzzer to execute the compiled code
rL338077: Updated llvm-proto-fuzzer to execute the compiled code
Summary

Made changes to the llvm-proto-fuzzer

  • Added loop vectorizer optimization pass in order to have two IR versions
  • Updated old fuzz target to handle two different IR versions
  • Wrote code to execute both versions in memory

Diff Detail

Repository
rL LLVM

Event Timeline

emmettneyman created this revision.Jul 18 2018, 5:43 PM
Herald added a reviewer: alexander-shaposhnikov. · View Herald TranscriptJul 18 2018, 5:43 PM
Herald added subscribers: cfe-commits, mgorny. · View Herald Transcript
Harbormaster completed remote builds in B20500: Diff 156194.Jul 18 2018, 5:43 PM
emmettneyman added a comment.Jul 18 2018, 5:48 PM

The files

Object.h
Object.cpp
llvm-objcopy.h

are from llvm/tools/llvm-obj-copy with only slight modifications, mostly deleting irrelevant parts.

pcc added a subscriber: pcc.Jul 18 2018, 5:52 PM
pcc added inline comments.
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
209 ↗(On Diff #156194)

Did you look at using LLVM's JIT infrastructure to do this?

morehouse added a comment.Jul 19 2018, 9:02 AM

You can probably get rid of the llvm-objcopy code and make this a lot simpler with something like:

  1. Call getSection() on the Binary object to get the text section.
  2. Read the sh_offset and sh_size of that section.
  3. Copy sh_size bytes from the start of the binary buffer + sh_offset into your executable memory.
  4. Run it.
emmettneyman updated this revision to Diff 156362.Jul 19 2018, 2:47 PM
  • Switched to JIT for compilation and execution
Harbormaster completed remote builds in B20525: Diff 156362.Jul 19 2018, 2:47 PM
emmettneyman updated this revision to Diff 156364.Jul 19 2018, 2:53 PM
  • Cleaned up leftover code from mmap memcpy
Harbormaster completed remote builds in B20526: Diff 156364.Jul 19 2018, 2:53 PM
emmettneyman updated this revision to Diff 156370.Jul 19 2018, 3:00 PM
  • Fixed typo that broke build
morehouse added inline comments.Jul 19 2018, 3:20 PM
clang/tools/clang-fuzzer/handle-llvm/CMakeLists.txt
21 ↗(On Diff #156370)

How are you doing your diff? Some of these changes are already upstream. Please rebase

clang/tools/clang-fuzzer/handle-llvm/fuzzer_initialize.cpp
52 ↗(On Diff #156370)

Can we use fuzzer-initialize/ now?

clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
54 ↗(On Diff #156370)

Unless there's a good reason for global, let's make this a local.

pcc added inline comments.Jul 19 2018, 3:22 PM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
211–224 ↗(On Diff #156370)

Can you move this code (and maybe more of the duplicated code below) into a function and call it twice?

emmettneyman updated this revision to Diff 156862.Jul 23 2018, 1:25 PM

Made fixes to patch, rebased CMake file

Harbormaster completed remote builds in B20619: Diff 156862.Jul 23 2018, 1:25 PM
emmettneyman updated this revision to Diff 157138.Jul 24 2018, 3:00 PM

Cleaned up code

Tried to get rid of ParseCommandLineOptions() call but could not figure out
how to initialize a PassInfo object without it.

Harbormaster completed remote builds in B20674: Diff 157138.Jul 24 2018, 3:00 PM
morehouse added inline comments.Jul 24 2018, 4:04 PM
clang/tools/clang-fuzzer/handle-llvm/CMakeLists.txt
17 ↗(On Diff #157138)

Typo introduced here.

25 ↗(On Diff #157138)

Please don't add whitespace to a previously empty line.

clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
10 ↗(On Diff #157138)

an -> a

112 ↗(On Diff #157138)

Maybe this should be const std::string &IR or StringRef.

113 ↗(On Diff #157138)

Does this need to be called every time we get a new input? Can we call this from LLVMFuzzerInitialize()?

123 ↗(On Diff #157138)

This shouldn't be required. You should be able to directly add the passes you want. See llvm/lib/Passes/PassBuilder.cpp.

132 ↗(On Diff #157138)

Move this closer to where it's used.

133 ↗(On Diff #157138)

Options is never used.

136 ↗(On Diff #157138)

TM is never used.

137 ↗(On Diff #157138)

Does this do anything since CPUStr and FeaturesStr are empty?

145 ↗(On Diff #157138)

Can we just make FPasses on stack instead?

190 ↗(On Diff #157138)

These 3 lines can be combined to builder.setMCJITMemoryManager(new SectionMemoryManager())

emmettneyman added inline comments.Jul 24 2018, 5:36 PM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
190 ↗(On Diff #157138)

I use RTDyldMM on line 208. Should I just keep these lines as they are?

morehouse added inline comments.Jul 24 2018, 5:43 PM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
190 ↗(On Diff #157138)

Ah, missed that. In that case, you can probably simplify this line to
builder.setMCJITMemoryManager(RTDyldMM).

emmettneyman added inline comments.Jul 25 2018, 10:53 AM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
190 ↗(On Diff #157138)

It looks like set MCJITMemoryManager() needs to take a unique_ptr. I'm not sure how to clean it up any more than it already is.

morehouse added inline comments.Jul 25 2018, 11:03 AM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
190 ↗(On Diff #157138)

Does it not implicitly cast?

emmettneyman added inline comments.Jul 25 2018, 11:11 AM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
190 ↗(On Diff #157138)

No, I think it only works in the other direction.

morehouse added inline comments.Jul 25 2018, 11:24 AM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
190 ↗(On Diff #157138)

Ok, I see. The constructor we need is marked explicit...

208 ↗(On Diff #157138)

This cast shouldn't be necessary.

emmettneyman added inline comments.Jul 25 2018, 12:02 PM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
208 ↗(On Diff #157138)

Turns out this line is redundant anyways. EE->finalizeObject()calls invalidateInstructionCache().

emmettneyman updated this revision to Diff 157335.Jul 25 2018, 12:08 PM
  • cleaned up code and moved initialization code
  • removed fake command line parsing
morehouse added inline comments.Jul 25 2018, 1:07 PM
clang/tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp
44 ↗(On Diff #157335)

Unnecessary llvm::

clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
89 ↗(On Diff #157335)

If we do this, do we need to explicitly add the vectorizer pass below?

95 ↗(On Diff #157335)

OLvl is never used.

105 ↗(On Diff #157335)

Let's simplify to setFunctionAttributes(getCPUStr(), getFeaturesStr(), *M).

110 ↗(On Diff #157335)

Can simplify to Passes.add(new TargetLibraryInfoWrapperPass(M->getTargetTriple)).

115 ↗(On Diff #157335)

Why do we add a TargetTransformInfoWrapperPass to both Passes and FPasses?

115 ↗(On Diff #157335)

Do we need both Passes and FPasses?

121 ↗(On Diff #157335)

Let's simplify to Passes.add(createLoopVectorizePass()).

127 ↗(On Diff #157335)

Why do we keep adding passes in different places?

144 ↗(On Diff #157335)

Why not just rename Owner to M and remove this line?

158 ↗(On Diff #157335)

Please simplify to builder.setMCJITMemoryManager(std::make_unique<RTDyldMemoryManager>()).

159 ↗(On Diff #157335)

If the JIT does optimization already, do we need to call OptLLVM at all? Will the vectorizer kick in without OptLLVM?

168 ↗(On Diff #157335)

Move this closer to where it's used.

171 ↗(On Diff #157335)

Do we need to call this again to run destructors after we execute f() ?

181 ↗(On Diff #157335)

I think f(a, b, c, 1) will also work.

emmettneyman added inline comments.Jul 25 2018, 4:09 PM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
89 ↗(On Diff #157335)

No we don't. I've deleted the line below.

110 ↗(On Diff #157335)

Contrary to the function's name, getTargetTriple() actually returns a string, not a Triple. But I changed it to new TargetLibraryInfoWrapperPass(ModuleTriple) and deleted line 109.

115 ↗(On Diff #157335)

I think because we're just adding a loop vectorize pass, we don't need FPasses. The loop vectorize pass lives within the regular ModulePassManager, not the FunctionPassManager. I decided to put it in the code so, in the future, it would be easier to add different kinds of passes to the fuzz target. Should I remove it?

159 ↗(On Diff #157335)

I'll look into this more. I couldn't find an answer quickly.

emmettneyman updated this revision to Diff 157388.Jul 25 2018, 4:09 PM

Fixed some things, made code cleaner

emmettneyman added inline comments.Jul 25 2018, 4:17 PM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
159 ↗(On Diff #157335)

No, the JIT doesn't run any optimization passes. The optimization level given just controls CodeGen.

Source: http://lists.llvm.org/pipermail/llvm-dev/2016-May/099631.html

morehouse added inline comments.Jul 26 2018, 9:17 AM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
135 ↗(On Diff #157388)

The indentation looks off. Please fix.

147 ↗(On Diff #157388)

This uses llvm:make_unique, which was written when LLVM used C++11. But since LLVM now uses C++14, I think we should use std::make_unique instead.

169 ↗(On Diff #157388)

Remove whitespace on empty lines.

Actually, you could probably remove this line altogether since the call to f() can be grouped with the parameter setup above.

184 ↗(On Diff #157388)

We're allowing the JIT opt-level to be specified on the command line, but we're hard-coding OptLevel=3 for the optimization passes.

Do we need to allow the opt-level to be specified on the command line?

115 ↗(On Diff #157335)

Let's remove it since it's currently unnecessary.

pcc added inline comments.Jul 26 2018, 11:44 AM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
147 ↗(On Diff #157388)

LLVM doesn't use C++14 yet.

emmettneyman added inline comments.Jul 26 2018, 11:48 AM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
147 ↗(On Diff #157388)

We talked offline, but just to put it in writing: My current LLVM build uses C++11 so I'm keeping it llvm::make_unique.

184 ↗(On Diff #157388)

Good point. Will change to make OptLLVM() use the same optimization level as the JIT Engine.

144 ↗(On Diff #157335)

Reverted it back since the change caused the fuzzer to crash.

emmettneyman updated this revision to Diff 157544.Jul 26 2018, 11:48 AM
  • Code style fixes
  • Removed FPasses
  • Allowed CL Args to specify opt level for OptLLVM()
emmettneyman updated this revision to Diff 157545.Jul 26 2018, 11:50 AM

Small change to fix line length

Harbormaster completed remote builds in B20743: Diff 157545.Jul 26 2018, 11:50 AM
morehouse added a comment.Jul 26 2018, 12:25 PM

Do we need to parse the arguments for opt-level, or can we just hardcode -O2 and remove the argument parsing code?

clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
90 ↗(On Diff #157545)

Shouldn't OLvl be a CodeGenOpt::Level?

144 ↗(On Diff #157335)

You will need to move any uses of M above the call to std::move, since that leaves M in an invalid state.

emmettneyman added a comment.Jul 26 2018, 1:00 PM
In D49526#1177208, @morehouse wrote:

Do we need to parse the arguments for opt-level, or can we just hardcode -O2 and remove the argument parsing code?

I have the argument parsing code since the original clang-proto-fuzzer code had it and @kcc mentioned we might want to change the command line arguments in the future.

emmettneyman updated this revision to Diff 157553.Jul 26 2018, 1:03 PM

Changed int to CodeGenOpt::Level and fixed unique_ptr issue

Harbormaster completed remote builds in B20746: Diff 157553.Jul 26 2018, 1:03 PM
morehouse added inline comments.Jul 26 2018, 2:16 PM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
125 ↗(On Diff #157553)

We should be able to get rid of this line now, and rename Owner again.

morehouse added inline comments.Jul 26 2018, 2:18 PM
clang/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp
152 ↗(On Diff #157545)

Can we use reinterpret_cast here?

emmettneyman updated this revision to Diff 157577.Jul 26 2018, 2:32 PM

Made some minor fixes

Harbormaster completed remote builds in B20750: Diff 157577.Jul 26 2018, 2:32 PM
morehouse accepted this revision.Jul 26 2018, 2:35 PM
This revision is now accepted and ready to land.Jul 26 2018, 2:35 PM
Closed by commit rL338077: Updated llvm-proto-fuzzer to execute the compiled code (authored by emmettneyman). · Explain WhyJul 26 2018, 3:23 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
tools/
clang-fuzzer/
fuzzer-initialize/
23 lines
handle-llvm/
12 lines
167 lines

Diff 157591

cfe/trunk/tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp

Show All 10 Lines
/// This file implements two functions: one that returns the command line /// This file implements two functions: one that returns the command line
/// arguments for a given call to the fuzz target and one that initializes /// arguments for a given call to the fuzz target and one that initializes
/// the fuzzer with the correct command line arguments. /// the fuzzer with the correct command line arguments.
/// ///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "fuzzer_initialize.h" #include "fuzzer_initialize.h"
#include "llvm/InitializePasses.h"
#include "llvm/PassRegistry.h"
#include "llvm/Support/TargetSelect.h" #include "llvm/Support/TargetSelect.h"
#include <cstring> #include <cstring>
using namespace clang_fuzzer; using namespace clang_fuzzer;
using namespace llvm;
namespace clang_fuzzer { namespace clang_fuzzer {
static std::vector<const char *> CLArgs; static std::vector<const char *> CLArgs;
const std::vector<const char *>& GetCLArgs() { const std::vector<const char *>& GetCLArgs() {
return CLArgs; return CLArgs;
} }
} }
extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
llvm::InitializeAllTargets(); InitializeAllTargets();
llvm::InitializeAllTargetMCs(); InitializeAllTargetMCs();
llvm::InitializeAllAsmPrinters(); InitializeAllAsmPrinters();
llvm::InitializeAllAsmParsers(); InitializeAllAsmParsers();
PassRegistry &Registry = *PassRegistry::getPassRegistry();
initializeCore(Registry);
initializeScalarOpts(Registry);
initializeVectorization(Registry);
initializeIPO(Registry);
initializeAnalysis(Registry);
initializeTransformUtils(Registry);
initializeInstCombine(Registry);
initializeAggressiveInstCombine(Registry);
initializeInstrumentation(Registry);
initializeTarget(Registry);
CLArgs.push_back("-O2"); CLArgs.push_back("-O2");
for (int I = 1; I < *argc; I++) { for (int I = 1; I < *argc; I++) {
if (strcmp((*argv)[I], "-ignore_remaining_args=1") == 0) { if (strcmp((*argv)[I], "-ignore_remaining_args=1") == 0) {
for (I++; I < *argc; I++) for (I++; I < *argc; I++)
CLArgs.push_back((*argv)[I]); CLArgs.push_back((*argv)[I]);
break; break;
} }
} }
return 0; return 0;
} }

cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt

set(LLVM_LINK_COMPONENTS set(LLVM_LINK_COMPONENTS
CodeGen
Core Core
ExecutionEngine
IRReader IRReader
MC MC
MCJIT
Object
RuntimeDyld
SelectionDAG
Support Support
Analysis Target
TransformUtils
native
) )
# Depend on LLVM IR intrinsic generation. # Depend on LLVM IR intrinsic generation.
set(handle_llvm_deps intrinsics_gen) set(handle_llvm_deps intrinsics_gen)
if (CLANG_BUILT_STANDALONE) if (CLANG_BUILT_STANDALONE)
set(handle_llvm_deps) set(handle_llvm_deps)
endif() endif()
add_clang_library(clangHandleLLVM add_clang_library(clangHandleLLVM
handle_llvm.cpp handle_llvm.cpp
DEPENDS DEPENDS
${handle_llvm_deps} ${handle_llvm_deps}
) )

cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp

//==-- handle_llvm.cpp - Helper function for Clang fuzzers -----------------==// //==-- handle_llvm.cpp - Helper function for Clang fuzzers -----------------==//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// Implements HandleLLVM for use by the Clang fuzzers. Mimics the llc tool to // Implements HandleLLVM for use by the Clang fuzzers. First runs a loop
// compile an LLVM IR file to X86_64 assembly. // vectorizer optimization pass over the given IR code. Then mimics lli on both
// versions to JIT the generated code and execute it. Currently, functions are
// executed on dummy inputs.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "handle_llvm.h" #include "handle_llvm.h"
#include "llvm/ADT/Triple.h" #include "llvm/ADT/Triple.h"
#include "llvm/Analysis/TargetLibraryInfo.h" #include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/Analysis/TargetTransformInfo.h"
#include "llvm/CodeGen/CommandFlags.inc" #include "llvm/CodeGen/CommandFlags.inc"
#include "llvm/CodeGen/MachineModuleInfo.h" #include "llvm/CodeGen/MachineModuleInfo.h"
#include "llvm/CodeGen/TargetPassConfig.h"
#include "llvm/ExecutionEngine/JITEventListener.h"
#include "llvm/ExecutionEngine/JITSymbol.h"
#include "llvm/ExecutionEngine/MCJIT.h"
#include "llvm/ExecutionEngine/ObjectCache.h"
#include "llvm/ExecutionEngine/RTDyldMemoryManager.h"
#include "llvm/ExecutionEngine/SectionMemoryManager.h"
#include "llvm/IR/IRPrintingPasses.h"
#include "llvm/IR/LegacyPassManager.h" #include "llvm/IR/LegacyPassManager.h"
#include "llvm/IR/LegacyPassNameParser.h"
#include "llvm/IR/LLVMContext.h" #include "llvm/IR/LLVMContext.h"
#include "llvm/IR/Module.h" #include "llvm/IR/Module.h"
#include "llvm/IR/Verifier.h" #include "llvm/IR/Verifier.h"
#include "llvm/IRReader/IRReader.h" #include "llvm/IRReader/IRReader.h"
#include "llvm/Pass.h"
#include "llvm/PassRegistry.h" #include "llvm/PassRegistry.h"
#include "llvm/Support/InitLLVM.h"
#include "llvm/Support/MemoryBuffer.h" #include "llvm/Support/MemoryBuffer.h"
#include "llvm/Support/SourceMgr.h" #include "llvm/Support/SourceMgr.h"
#include "llvm/Support/TargetRegistry.h" #include "llvm/Support/TargetRegistry.h"
#include "llvm/Support/TargetSelect.h"
#include "llvm/Target/TargetMachine.h" #include "llvm/Target/TargetMachine.h"
#include "llvm/Transforms/IPO/PassManagerBuilder.h"
#include <cstdlib> #include "llvm/Transforms/IPO.h"
#include "llvm/Transforms/Vectorize.h"
using namespace llvm; using namespace llvm;
// Helper function to parse command line args and find the optimization level
static void getOptLevel(const std::vector<const char *> &ExtraArgs, static void getOptLevel(const std::vector<const char *> &ExtraArgs,
CodeGenOpt::Level &OLvl) { CodeGenOpt::Level &OLvl) {
// Find the optimization level from the command line args // Find the optimization level from the command line args
OLvl = CodeGenOpt::Default; OLvl = CodeGenOpt::Default;
for (auto &A : ExtraArgs) { for (auto &A : ExtraArgs) {
if (A[0] == '-' && A[1] == 'O') { if (A[0] == '-' && A[1] == 'O') {
switch(A[2]) { switch(A[2]) {
case '0': OLvl = CodeGenOpt::None; break; case '0': OLvl = CodeGenOpt::None; break;
case '1': OLvl = CodeGenOpt::Less; break; case '1': OLvl = CodeGenOpt::Less; break;
case '2': OLvl = CodeGenOpt::Default; break; case '2': OLvl = CodeGenOpt::Default; break;
case '3': OLvl = CodeGenOpt::Aggressive; break; case '3': OLvl = CodeGenOpt::Aggressive; break;
default: default:
errs() << "error: opt level must be between 0 and 3.\n"; errs() << "error: opt level must be between 0 and 3.\n";
std::exit(1); std::exit(1);
} }
} }
} }
} }
void clang_fuzzer::HandleLLVM(const std::string &S, void ErrorAndExit(std::string message) {
const std::vector<const char *> &ExtraArgs) { errs()<< "ERROR: " << message << "\n";
// Parse ExtraArgs to set the optimization level std::exit(1);
CodeGenOpt::Level OLvl; }
getOptLevel(ExtraArgs, OLvl);
// Set the Module to include the the IR code to be compiled // Helper function to add optimization passes to the TargetMachine at the
// specified optimization level, OptLevel
static void AddOptimizationPasses(legacy::PassManagerBase &MPM,
CodeGenOpt::Level OptLevel,
unsigned SizeLevel) {
// Create and initialize a PassManagerBuilder
PassManagerBuilder Builder;
Builder.OptLevel = OptLevel;
Builder.SizeLevel = SizeLevel;
Builder.Inliner = createFunctionInliningPass(OptLevel, SizeLevel, false);
Builder.LoopVectorize = true;
Builder.populateModulePassManager(MPM);
}
// Mimics the opt tool to run an optimization pass over the provided IR
std::string OptLLVM(const std::string &IR, CodeGenOpt::Level OLvl) {
// Create a module that will run the optimization passes
SMDiagnostic Err; SMDiagnostic Err;
LLVMContext Context; LLVMContext Context;
std::unique_ptr<Module> M = parseIR(MemoryBufferRef(S, "IR"), Err, Context); std::unique_ptr<Module> M = parseIR(MemoryBufferRef(IR, "IR"), Err, Context);
if (!M) { if (!M || verifyModule(*M, &errs()))
errs() << "error: could not parse IR!\n"; ErrorAndExit("Could not parse IR");
std::exit(1);
}
// Create a new Target setFunctionAttributes(getCPUStr(), getFeaturesStr(), *M);
std::string Error;
const Target *TheTarget = TargetRegistry::lookupTarget(
sys::getDefaultTargetTriple(), Error);
if (!TheTarget) {
errs() << Error;
std::exit(1);
}
TargetOptions Options = InitTargetOptionsFromCodeGenFlags(); legacy::PassManager Passes;
Triple ModuleTriple(M->getTargetTriple());
// Create a new Machine Passes.add(new TargetLibraryInfoWrapperPass(ModuleTriple));
std::string CPUStr = getCPUStr(); Passes.add(createTargetTransformInfoWrapperPass(TargetIRAnalysis()));
std::string FeaturesStr = getFeaturesStr(); Passes.add(createVerifierPass());
std::unique_ptr<TargetMachine> Target(TheTarget->createTargetMachine(
sys::getDefaultTargetTriple(), CPUStr, FeaturesStr, Options, AddOptimizationPasses(Passes, OLvl, 0);
getRelocModel(), getCodeModel(), OLvl));
// Add a pass that writes the optimized IR to an output stream
// Create a new PassManager std::string outString;
legacy::PassManager PM; raw_string_ostream OS(outString);
TargetLibraryInfoImpl TLII(Triple(M->getTargetTriple())); Passes.add(createPrintModulePass(OS, "", false));
PM.add(new TargetLibraryInfoWrapperPass(TLII));
M->setDataLayout(Target->createDataLayout()); Passes.run(*M);
// Make sure the Module has no errors return OS.str();
if (verifyModule(*M, &errs())) {
errs() << "error: input module is broken!\n";
std::exit(1);
} }
setFunctionAttributes(CPUStr, FeaturesStr, *M); void CreateAndRunJITFun(const std::string &IR, CodeGenOpt::Level OLvl) {
SMDiagnostic Err;
LLVMContext Context;
std::unique_ptr<Module> M = parseIR(MemoryBufferRef(IR, "IR"), Err,
Context);
if (!M)
ErrorAndExit("Could not parse IR");
Function *EntryFunc = M->getFunction("foo");
if (!EntryFunc)
ErrorAndExit("Function not found in module");
std::string ErrorMsg;
EngineBuilder builder(std::move(M));
builder.setMArch(MArch);
builder.setMCPU(getCPUStr());
builder.setMAttrs(getFeatureList());
builder.setErrorStr(&ErrorMsg);
builder.setEngineKind(EngineKind::JIT);
builder.setUseOrcMCJITReplacement(false);
builder.setMCJITMemoryManager(make_unique<SectionMemoryManager>());
builder.setOptLevel(OLvl);
builder.setTargetOptions(InitTargetOptionsFromCodeGenFlags());
std::unique_ptr<ExecutionEngine> EE(builder.create());
if (!EE)
ErrorAndExit("Could not create execution engine");
EE->finalizeObject();
EE->runStaticConstructorsDestructors(false);
typedef void (*func)(int*, int*, int*, int);
func f = reinterpret_cast<func>(EE->getPointerToFunction(EntryFunc));
// Define some dummy arrays to use an input for now
int a[] = {1};
int b[] = {1};
int c[] = {1};
f(a, b, c, 1);
EE->runStaticConstructorsDestructors(true);
}
// Main fuzz target called by ExampleClangLLVMProtoFuzzer.cpp
// Mimics the lli tool to JIT the LLVM IR code and execute it
void clang_fuzzer::HandleLLVM(const std::string &IR,
const std::vector<const char *> &ExtraArgs) {
// Parse ExtraArgs to set the optimization level
CodeGenOpt::Level OLvl;
getOptLevel(ExtraArgs, OLvl);
// First we optimize the IR by running a loop vectorizer pass
std::string OptIR = OptLLVM(IR, OLvl);
raw_null_ostream OS; CreateAndRunJITFun(OptIR, OLvl);
Target->addPassesToEmitFile(PM, OS, nullptr, TargetMachine::CGFT_ObjectFile, CreateAndRunJITFun(IR, CodeGenOpt::None);
false);
PM.run(*M);
return; return;
} }