This is an archive of the discontinued LLVM Phabricator instance.

Differential D54780

[llvm-demangle-fuzzer] Also fuzz microsoftDemangle().
ClosedPublic

Authored by morehouse on Nov 20 2018, 6:54 PM.

Details

Reviewers
kcc
thakis
Commits
rG4d7e47a5451d: [llvm-demangle-fuzzer] Also fuzz microsoftDemangle().
rL350534: [llvm-demangle-fuzzer] Also fuzz microsoftDemangle().
Summary

Use first byte of input to determine whether to call itaniumDemangle()
or microsoftDemangle().

Addresses https://bugs.llvm.org/show_bug.cgi?id=39582.

Diff Detail

Repository
rL LLVM

Event Timeline

morehouse created this revision.Nov 20 2018, 6:54 PM
Herald added a subscriber: erik.pilkington. · View Herald TranscriptNov 20 2018, 6:54 PM
Harbormaster completed remote builds in B25200: Diff 174862.Nov 20 2018, 6:54 PM
morehouse updated this revision to Diff 174863.Nov 20 2018, 6:57 PM
  • Formatting.
Harbormaster completed remote builds in B25201: Diff 174863.Nov 20 2018, 6:57 PM
morehouse added a comment.Nov 20 2018, 6:59 PM

microsoftDemangle crashes in 1 second with buffer overflows or ASSERT failures when I run locally.

morehouse added a comment.Nov 30 2018, 10:55 AM

@kcc Ping

erik.pilkington added a comment.Dec 4 2018, 2:01 PM

Hi, thanks for working on this! Fuzzing in the itanium demangler has caught *a lot* of bugs, so this seems pretty useful. Whats the argument for testing the two demanglers in the same path? There isn't really any shared code, so I think it makes more sense to separate these out.

@kcc: is there any oss-fuzz testing for llvm-demangle-fuzzer.cpp? I thought it was just for libcxxabi. Also, will reinterpreting the first char in Data break the existing itanium corpuses?

thakis mentioned this in D55713: Let llvm-demangle-fuzzer fuzz microsoftDemangle as well.Dec 14 2018, 10:36 AM
thakis accepted this revision.Dec 14 2018, 10:47 AM
thakis added a subscriber: thakis.

I believe this runs on oss-fuzz already: https://github.com/google/oss-fuzz/blob/master/projects/llvm/build.sh#L37

Having one or two fuzzer binaries seems like a toss-up (true it's a mostly independent branch, but we don't create a new fuzzer binary for each independent branch), and having just binary saves the work of hooking a new binary up on oss-fuzz.

Re corpus: I'd be very surprised if oss-fuzzer assumed that fuzzers never change. So I don't think (but don't know for sure) that this is a concern.

This revision is now accepted and ready to land.Dec 14 2018, 10:47 AM
erik.pilkington added a comment.Dec 14 2018, 10:54 AM
In D54780#1331426, @thakis wrote:

I believe this runs on oss-fuzz already: https://github.com/google/oss-fuzz/blob/master/projects/llvm/build.sh#L37

Oh, okay nice. Thanks for checking.

Having one or two fuzzer binaries seems like a toss-up (true it's a mostly independent branch, but we don't create a new fuzzer binary for each independent branch), and having just binary saves the work of hooking a new binary up on oss-fuzz.

I would probably prefer always calling microsoftDemangle() in llvm-demangler-fuzzer. The Itanium demanglers are identical, so we're just wasting cycles fuzzing them both independently.

Re corpus: I'd be very surprised if oss-fuzzer assumed that fuzzers never change. So I don't think (but don't know for sure) that this is a concern.

thakis added a comment.Dec 14 2018, 10:55 AM

I would probably prefer always calling microsoftDemangle() in llvm-demangler-fuzzer. The Itanium demanglers are identical, so we're just wasting cycles fuzzing them both independently.

That makes sense to me (with a comment explaining this).

kcc added a comment.Dec 17 2018, 5:13 PM

I would prefer to have two separate targets.

morehouse updated this revision to Diff 180340.Jan 4 2019, 4:42 PM
  • Separate fuzz targets.
Herald added a subscriber: mgorny. · View Herald TranscriptJan 4 2019, 4:42 PM
Harbormaster completed remote builds in B26416: Diff 180340.Jan 4 2019, 4:42 PM
kcc accepted this revision.Jan 4 2019, 4:52 PM

LGTM
Don't forget to add the new fuzz target to oss-fuzz

Closed by commit rL350534: [llvm-demangle-fuzzer] Also fuzz microsoftDemangle(). (authored by morehouse). · Explain WhyJan 7 2019, 8:17 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
tools/
llvm-demangle-fuzzer/
10 lines
19 lines
24 lines
llvm-itanium-demangle-fuzzer/
10 lines
19 lines
24 lines
llvm-microsoft-demangle-fuzzer/
10 lines
19 lines
21 lines

Diff 180502

llvm/trunk/tools/llvm-demangle-fuzzer/CMakeLists.txt

set(LLVM_LINK_COMPONENTS
Demangle
FuzzMutate
Support
)
add_llvm_fuzzer(llvm-demangle-fuzzer
llvm-demangle-fuzzer.cpp
DUMMY_MAIN DummyDemanglerFuzzer.cpp
)

llvm/trunk/tools/llvm-demangle-fuzzer/DummyDemanglerFuzzer.cpp

//===--- DummyDemanglerMain.cpp - Entry point to sanity check the fuzzer --===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// Implementation of main so we can build and test without linking libFuzzer.
//
//===----------------------------------------------------------------------===//
#include "llvm/FuzzMutate/FuzzerCLI.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
int main(int argc, char *argv[]) {
return llvm::runFuzzerOnInputs(argc, argv, LLVMFuzzerTestOneInput);
}

llvm/trunk/tools/llvm-demangle-fuzzer/llvm-demangle-fuzzer.cpp

//===--- llvm-demangle-fuzzer.cpp - Fuzzer for the Itanium Demangler ------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "llvm/Demangle/Demangle.h"
#include <cstdint>
#include <cstdlib>
#include <string>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
std::string NullTerminatedString((const char *)Data, Size);
int status = 0;
if (char *demangle = llvm::itaniumDemangle(NullTerminatedString.c_str(), nullptr,
nullptr, &status))
free(demangle);
return 0;
}

llvm/trunk/tools/llvm-itanium-demangle-fuzzer/CMakeLists.txt

set(LLVM_LINK_COMPONENTS
Demangle
FuzzMutate
Support
)
add_llvm_fuzzer(llvm-itanium-demangle-fuzzer
llvm-itanium-demangle-fuzzer.cpp
DUMMY_MAIN DummyDemanglerFuzzer.cpp
)

llvm/trunk/tools/llvm-itanium-demangle-fuzzer/DummyDemanglerFuzzer.cpp

//===--- DummyDemanglerMain.cpp - Entry point to sanity check the fuzzer --===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// Implementation of main so we can build and test without linking libFuzzer.
//
//===----------------------------------------------------------------------===//
#include "llvm/FuzzMutate/FuzzerCLI.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
int main(int argc, char *argv[]) {
return llvm::runFuzzerOnInputs(argc, argv, LLVMFuzzerTestOneInput);
}

llvm/trunk/tools/llvm-itanium-demangle-fuzzer/llvm-itanium-demangle-fuzzer.cpp

//===--- llvm-demangle-fuzzer.cpp - Fuzzer for the Itanium Demangler ------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "llvm/Demangle/Demangle.h"
#include <cstdint>
#include <cstdlib>
#include <string>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
std::string NullTerminatedString((const char *)Data, Size);
int status = 0;
if (char *demangle = llvm::itaniumDemangle(NullTerminatedString.c_str(), nullptr,
nullptr, &status))
free(demangle);
return 0;
}

llvm/trunk/tools/llvm-microsoft-demangle-fuzzer/CMakeLists.txt

set(LLVM_LINK_COMPONENTS
Demangle
FuzzMutate
Support
)
add_llvm_fuzzer(llvm-microsoft-demangle-fuzzer
llvm-microsoft-demangle-fuzzer.cpp
DUMMY_MAIN DummyDemanglerFuzzer.cpp
)

llvm/trunk/tools/llvm-microsoft-demangle-fuzzer/DummyDemanglerFuzzer.cpp

//===--- DummyDemanglerMain.cpp - Entry point to sanity check the fuzzer --===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// Implementation of main so we can build and test without linking libFuzzer.
//
//===----------------------------------------------------------------------===//
#include "llvm/FuzzMutate/FuzzerCLI.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
int main(int argc, char *argv[]) {
return llvm::runFuzzerOnInputs(argc, argv, LLVMFuzzerTestOneInput);
}

llvm/trunk/tools/llvm-microsoft-demangle-fuzzer/llvm-microsoft-demangle-fuzzer.cpp

//===--- llvm-demangle-fuzzer.cpp - Fuzzer for the Itanium Demangler ------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "llvm/Demangle/Demangle.h"
#include <cstdint>
#include <cstdlib>
#include <string>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
std::string NullTerminatedString((const char *)Data, Size);
free(llvm::microsoftDemangle(NullTerminatedString.c_str(), nullptr, nullptr,
nullptr));
return 0;
}
llvm/trunk/tools/llvm-demangle-fuzzer/CMakeLists.txt