This is an archive of the discontinued LLVM Phabricator instance.

Differential D69171

[clang-fuzzer] Add new fuzzer target for Objective-C
ClosedPublic

Authored by dgoldman on Oct 18 2019, 8:14 AM.

Details

Reviewers
morehouse
kcc
Commits
rGe5ecba4f53e7: [clang-fuzzer] Add new fuzzer target for Objective-C
rC375453: [clang-fuzzer] Add new fuzzer target for Objective-C
rL375453: [clang-fuzzer] Add new fuzzer target for Objective-C
Summary
  • Similar to that of clang-fuzzer itself but instead only targets Objective-C source files via cc1
  • Also adds an example corpus directory containing some input for Objective-C

Diff Detail

Event Timeline

dgoldman created this revision.Oct 18 2019, 8:14 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 18 2019, 8:14 AM
Herald added subscribers: cfe-commits, jfb, mgorny. · View Herald Transcript
Harbormaster completed remote builds in B39786: Diff 225633.Oct 18 2019, 8:20 AM
sammccall added a subscriber: sammccall.Oct 18 2019, 8:53 AM

Rather than adding a new fuzzer binary, can we make the language an option?
The whole implementation seems almost identical down to handleobjc/handlecxx...

dgoldman added a comment.Oct 18 2019, 10:07 AM
In D69171#1714624, @sammccall wrote:

Rather than adding a new fuzzer binary, can we make the language an option?
The whole implementation seems almost identical down to handleobjc/handlecxx...

It's similar at the moment (was initially going to add more flags), but I could swap it over to read an integer/Boolean to swap between the two languages. If we want to modify them in the future (which we might be interested in depending on how well this works) it probably makes sense to keep them separate though.

dgoldman added reviewers: morehouse, kcc.Oct 18 2019, 11:41 AM

Not sure who is best to review, feel free to add someone else instead.

morehouse added inline comments.Oct 18 2019, 4:31 PM
tools/clang-fuzzer/ClangObjectiveCFuzzer.cpp
19

Nit: Since it does nothing, let's omit the LLVMFuzzerInitialize definition.

22

Nit: reinterpret_cast

tools/clang-fuzzer/handle-objc/handle_objc.cpp
50 ↗(On Diff #225633)

Since this is ~identical to handle_cxx, I'd like to reuse the implementation. Can we make a more generic function (e.g., handleLanguage(Language type, ...)) and use it for both?

dgoldman updated this revision to Diff 225898.Oct 21 2019, 9:00 AM
  • Refactor to use handle-cxx
Harbormaster completed remote builds in B39863: Diff 225898.Oct 21 2019, 9:02 AM
dgoldman updated this revision to Diff 225899.Oct 21 2019, 9:08 AM
  • Swap to reinterpret_cast
dgoldman marked 4 inline comments as done.Oct 21 2019, 9:10 AM
dgoldman added inline comments.
tools/clang-fuzzer/handle-objc/handle_objc.cpp
50 ↗(On Diff #225633)

Done but left as handleCXX

Harbormaster completed remote builds in B39864: Diff 225899.Oct 21 2019, 9:11 AM
morehouse accepted this revision.Oct 21 2019, 10:27 AM

LGTM

This revision is now accepted and ready to land.Oct 21 2019, 10:27 AM
Closed by commit rGe5ecba4f53e7: [clang-fuzzer] Add new fuzzer target for Objective-C (authored by dgoldman). · Explain WhyOct 21 2019, 1:46 PM
This revision was automatically updated to reflect the committed changes.
dgoldman marked an inline comment as done.
gribozavr added a subscriber: gribozavr.Oct 24 2019, 1:49 PM

Looks reasonable to me. The duplication is unfortunate, but it is reasonable while we have two binaries.

However, you could explore reading the command line flags for HandleCXX in LLVMFuzzerInitialize from fuzzer's command line flags.

RKSimon added a subscriber: RKSimon.Apr 12 2020, 10:15 AM
RKSimon added inline comments.
clang/tools/clang-fuzzer/ClangObjectiveCFuzzer.cpp
19 ↗(On Diff #225950)

@dgoldman @morehouse Removing this has been causing link failures ever since it was committed on a number of targets including msvc (PR44414) and I've just noticed it on a linux release+asserts build. If it is superfluous why did you leave it in ClangFuzzer.cpp ?

morehouse added inline comments.Apr 13 2020, 8:33 AM
clang/tools/clang-fuzzer/ClangObjectiveCFuzzer.cpp
19 ↗(On Diff #225950)

It is superfluous on Linux at least since libFuzzer defines its own weak definition. I'm not sure how it works for Windows.

I'm fine if you want to add it back in here.

RKSimon mentioned this in rG440b445fff84: [clang-objc-fuzzer] Add LLVMFuzzerInitialize to fix msvc builds (PR44414).Apr 14 2020, 5:50 AM

Revision Contents

PathSize
tools/
clang-fuzzer/
13 lines
2 lines
11 lines
1 line
43 lines
corpus_examples/
objc/
29 lines
20 lines
20 lines
34 lines
handle-cxx/
1 line
5 lines

Diff 225898

tools/clang-fuzzer/CMakeLists.txt

set(LLVM_LINK_COMPONENTS ${LLVM_TARGETS_TO_BUILD} FuzzMutate) set(LLVM_LINK_COMPONENTS ${LLVM_TARGETS_TO_BUILD} FuzzMutate)
set(CXX_FLAGS_NOFUZZ ${CMAKE_CXX_FLAGS}) set(CXX_FLAGS_NOFUZZ ${CMAKE_CXX_FLAGS})
set(DUMMY_MAIN DummyClangFuzzer.cpp) set(DUMMY_MAIN DummyClangFuzzer.cpp)
if(LLVM_LIB_FUZZING_ENGINE) if(LLVM_LIB_FUZZING_ENGINE)
unset(DUMMY_MAIN) unset(DUMMY_MAIN)
elseif(LLVM_USE_SANITIZE_COVERAGE) elseif(LLVM_USE_SANITIZE_COVERAGE)
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer") set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer")
set(CXX_FLAGS_NOFUZZ "${CXX_FLAGS_NOFUZZ} -fsanitize=fuzzer-no-link") set(CXX_FLAGS_NOFUZZ "${CXX_FLAGS_NOFUZZ} -fsanitize=fuzzer-no-link")
unset(DUMMY_MAIN) unset(DUMMY_MAIN)
endif() endif()
# Needed by LLVM's CMake checks because this file defines multiple targets. # Needed by LLVM's CMake checks because this file defines multiple targets.
set(LLVM_OPTIONAL_SOURCES set(LLVM_OPTIONAL_SOURCES
ClangFuzzer.cpp ClangFuzzer.cpp
ClangObjectiveCFuzzer.cpp
DummyClangFuzzer.cpp DummyClangFuzzer.cpp
ExampleClangProtoFuzzer.cpp ExampleClangProtoFuzzer.cpp
ExampleClangLoopProtoFuzzer.cpp ExampleClangLoopProtoFuzzer.cpp
ExampleClangLLVMProtoFuzzer.cpp ExampleClangLLVMProtoFuzzer.cpp
) )
if(CLANG_ENABLE_PROTO_FUZZER) if(CLANG_ENABLE_PROTO_FUZZER)
# Create protobuf .h and .cc files, and put them in a library for use by # Create protobuf .h and .cc files, and put them in a library for use by
▲ Show 20 LinesShow All 92 Lines▼ Show 20 Linesadd_clang_executable(clang-fuzzer
ClangFuzzer.cpp ClangFuzzer.cpp
) )
target_link_libraries(clang-fuzzer target_link_libraries(clang-fuzzer
PRIVATE PRIVATE
${LLVM_LIB_FUZZING_ENGINE} ${LLVM_LIB_FUZZING_ENGINE}
clangHandleCXX clangHandleCXX
) )
add_clang_executable(clang-objc-fuzzer
EXCLUDE_FROM_ALL
${DUMMY_MAIN}
ClangObjectiveCFuzzer.cpp
)
target_link_libraries(clang-objc-fuzzer
PRIVATE
${LLVM_LIB_FUZZING_ENGINE}
clangHandleCXX
)

tools/clang-fuzzer/ClangFuzzer.cpp

  • This file was copied to tools/clang-fuzzer/ClangObjectiveCFuzzer.cpp.
Show All 14 Lines
#include "handle-cxx/handle_cxx.h" #include "handle-cxx/handle_cxx.h"
using namespace clang_fuzzer; using namespace clang_fuzzer;
extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { return 0; } extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { return 0; }
extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) { extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) {
std::string s((const char *)data, size); std::string s((const char *)data, size);
HandleCXX(s, {"-O2"}); HandleCXX(s, "./test.cc", {"-O2"});
return 0; return 0;
} }

tools/clang-fuzzer/ClangObjectiveCFuzzer.cpp

  • This file was copied from tools/clang-fuzzer/ClangFuzzer.cpp.
//===-- ClangFuzzer.cpp - Fuzz Clang --------------------------------------===// //===-- ClangObjectiveCFuzzer.cpp - Fuzz Clang ----------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// ///
/// \file /// \file
/// This file implements a function that runs Clang on a single /// This file implements a function that runs Clang on a single Objective-C
/// input. This function is then linked into the Fuzzer library. /// input. This function is then linked into the Fuzzer library.
/// ///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "handle-cxx/handle_cxx.h" #include "handle-cxx/handle_cxx.h"
using namespace clang_fuzzer; using namespace clang_fuzzer;
extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { return 0; }
extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) { extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) {
morehouseUnsubmitted
Done
ReplyInline Actions

Nit: Since it does nothing, let's omit the LLVMFuzzerInitialize definition.

morehouse: Nit: Since it does nothing, let's omit the `LLVMFuzzerInitialize` definition.
std::string s((const char *)data, size); std::string s((const char *)data, size);
HandleCXX(s, {"-O2"}); HandleCXX(s, "./test.m", {"-O2"});
return 0; return 0;
morehouseUnsubmitted
Done
ReplyInline Actions

Nit: reinterpret_cast

morehouse: Nit: reinterpret_cast
} }

tools/clang-fuzzer/Dockerfile

Show All 26 Lines
RUN mkdir build1 && cd build1 && cmake -GNinja -DCMAKE_BUILD_TYPE=Release ../llvm \ RUN mkdir build1 && cd build1 && cmake -GNinja -DCMAKE_BUILD_TYPE=Release ../llvm \
-DLLVM_ENABLE_ASSERTIONS=ON \ -DLLVM_ENABLE_ASSERTIONS=ON \
-DCMAKE_C_COMPILER=`pwd`/../build0/bin/clang \ -DCMAKE_C_COMPILER=`pwd`/../build0/bin/clang \
-DCMAKE_CXX_COMPILER=`pwd`/../build0/bin/clang++ \ -DCMAKE_CXX_COMPILER=`pwd`/../build0/bin/clang++ \
-DLLVM_USE_SANITIZE_COVERAGE=YES \ -DLLVM_USE_SANITIZE_COVERAGE=YES \
-DLLVM_USE_SANITIZER=Address -DCLANG_ENABLE_PROTO_FUZZER=ON -DLLVM_USE_SANITIZER=Address -DCLANG_ENABLE_PROTO_FUZZER=ON
# Build the fuzzers # Build the fuzzers
RUN cd build1 && ninja clang-fuzzer RUN cd build1 && ninja clang-fuzzer
RUN cd build1 && ninja clang-objc-fuzzer
RUN cd build1 && ninja clang-proto-fuzzer RUN cd build1 && ninja clang-proto-fuzzer
RUN cd build1 && ninja clang-proto-to-cxx RUN cd build1 && ninja clang-proto-to-cxx
RUN cd build1 && ninja clang-loop-proto-to-cxx RUN cd build1 && ninja clang-loop-proto-to-cxx
RUN cd build1 && ninja clang-loop-proto-to-llvm RUN cd build1 && ninja clang-loop-proto-to-llvm
RUN cd build1 && ninja clang-loop-proto-fuzzer RUN cd build1 && ninja clang-loop-proto-fuzzer
RUN cd build1 && ninja clang-llvm-proto-fuzzer RUN cd build1 && ninja clang-llvm-proto-fuzzer

tools/clang-fuzzer/README.txt

This directory contains two utilities for fuzzing Clang: clang-fuzzer and This directory contains three utilities for fuzzing Clang: clang-fuzzer,
clang-proto-fuzzer. Both use libFuzzer to generate inputs to clang via clang-objc-fuzzer, and clang-proto-fuzzer. All use libFuzzer to generate inputs
coverage-guided mutation. to clang via coverage-guided mutation.
The two utilities differ, however, in how they structure inputs to Clang. The three utilities differ, however, in how they structure inputs to Clang.
clang-fuzzer makes no attempt to generate valid C++ programs and is therefore clang-fuzzer makes no attempt to generate valid C++ programs and is therefore
primarily useful for stressing the surface layers of Clang (i.e. lexer, parser). primarily useful for stressing the surface layers of Clang (i.e. lexer, parser).
clang-objc-fuzzer is similar but for Objective-C: it makes no attempt to
generate a valid Objective-C program.
clang-proto-fuzzer uses a protobuf class to describe a subset of the C++ clang-proto-fuzzer uses a protobuf class to describe a subset of the C++
language and then uses libprotobuf-mutator to mutate instantiations of that language and then uses libprotobuf-mutator to mutate instantiations of that
class, producing valid C++ programs in the process. As a result, class, producing valid C++ programs in the process. As a result,
clang-proto-fuzzer is better at stressing deeper layers of Clang and LLVM. clang-proto-fuzzer is better at stressing deeper layers of Clang and LLVM.
Some of the fuzzers have example corpuses inside the corpus_examples directory.
=================================== ===================================
Building clang-fuzzer Building clang-fuzzer
=================================== ===================================
Within your LLVM build directory, run CMake with the following variable Within your LLVM build directory, run CMake with the following variable
definitions: definitions:
- CMAKE_C_COMPILER=clang - CMAKE_C_COMPILER=clang
- CMAKE_CXX_COMPILER=clang++ - CMAKE_CXX_COMPILER=clang++
- LLVM_USE_SANITIZE_COVERAGE=YES - LLVM_USE_SANITIZE_COVERAGE=YES
Show All 9 LinesExample:
ninja clang-fuzzer ninja clang-fuzzer
====================== ======================
Running clang-fuzzer Running clang-fuzzer
====================== ======================
bin/clang-fuzzer CORPUS_DIR bin/clang-fuzzer CORPUS_DIR
===================================
Building clang-objc-fuzzer
===================================
Within your LLVM build directory, run CMake with the following variable
definitions:
- CMAKE_C_COMPILER=clang
- CMAKE_CXX_COMPILER=clang++
- LLVM_USE_SANITIZE_COVERAGE=YES
- LLVM_USE_SANITIZER=Address
Then build the clang-objc-fuzzer target.
Example:
cd $LLVM_SOURCE_DIR
mkdir build && cd build
cmake .. -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ \
-DLLVM_USE_SANITIZE_COVERAGE=YES -DLLVM_USE_SANITIZER=Address
ninja clang-objc-fuzzer
======================
Running clang-objc-fuzzer
======================
bin/clang-objc-fuzzer CORPUS_DIR
e.g. using the example objc corpus,
bin/clang-objc-fuzzer <path to corpus_examples/objc> <path to new directory to store corpus findings>
======================================================= =======================================================
Building clang-proto-fuzzer (Linux-only instructions) Building clang-proto-fuzzer (Linux-only instructions)
======================================================= =======================================================
Install the necessary dependencies: Install the necessary dependencies:
- binutils // needed for libprotobuf-mutator - binutils // needed for libprotobuf-mutator
- liblzma-dev // needed for libprotobuf-mutator - liblzma-dev // needed for libprotobuf-mutator
- libz-dev // needed for libprotobuf-mutator - libz-dev // needed for libprotobuf-mutator
- docbook2x // needed for libprotobuf-mutator - docbook2x // needed for libprotobuf-mutator
▲ Show 20 LinesShow All 71 LinesShow Last 20 Lines

tools/clang-fuzzer/corpus_examples/objc/BasicClass.m

  • This file was added.
@interface RootObject
@end
@interface BasicClass : RootObject {
int _foo;
char _boolean;
}
@property(nonatomic, assign) int bar;
@property(atomic, retain) id objectField;
@property(nonatomic, assign) id delegate;
- (void)someMethod;
@end
@implementation BasicClass
@synthesize bar = _bar;
@synthesize objectField = _objectField;
@synthesize delegate = _delegate;
- (void)someMethod {
int value = self.bar;
_foo = (_boolean != 0) ? self.bar : [self.objectField bar];
[self setBar:value];
id obj = self.objectField;
}
@end

tools/clang-fuzzer/corpus_examples/objc/ClassCategory.m

  • This file was added.
@interface RootObject
@end
@interface BaseClass : RootObject
@property(atomic, assign, readonly) int field;
@end
@interface BaseClass(Private)
@property(atomic, assign, readwrite) int field;
- (int)something;
@end
@implementation BaseClass
- (int)something {
self.field = self.field + 1;
return self.field;
}
@end

tools/clang-fuzzer/corpus_examples/objc/ClassExtension.m

  • This file was added.
@interface RootObject
@end
@interface BaseClass : RootObject
@end
@interface BaseClass() {
int _field1;
}
@property(atomic, assign, readonly) int field2;
- (int)addFields;
@end
@implementation BaseClass
- (int)addFields {
return self->_field1 + [self field2];
}
@end

tools/clang-fuzzer/corpus_examples/objc/SharedInstance.m

  • This file was added.
@interface RootObject
+ (instancetype)alloc;
- (instancetype)init;
@end
@interface BaseClass : RootObject
+ (instancetype)sharedInstance;
- (instancetype)initWithFoo:(int)foo;
@end
static BaseClass *sharedInstance = (void *)0;
static int counter = 0;
@implementation BaseClass
+ (instancetype)sharedInstance {
if (sharedInstance) {
return sharedInstance;
}
sharedInstance = [[BaseClass alloc] initWithFoo:3];
return sharedInstance;
}
- (instancetype)initWithFoo:(int)foo {
self = [super init];
if (self) {
counter += foo;
}
return self;
}
@end

tools/clang-fuzzer/handle-cxx/handle_cxx.h

Show All 12 Lines
#ifndef LLVM_CLANG_TOOLS_CLANG_FUZZER_HANDLE_CXX_HANDLECXX_H #ifndef LLVM_CLANG_TOOLS_CLANG_FUZZER_HANDLE_CXX_HANDLECXX_H
#define LLVM_CLANG_TOOLS_CLANG_FUZZER_HANDLE_CXX_HANDLECXX_H #define LLVM_CLANG_TOOLS_CLANG_FUZZER_HANDLE_CXX_HANDLECXX_H
#include <string> #include <string>
#include <vector> #include <vector>
namespace clang_fuzzer { namespace clang_fuzzer {
void HandleCXX(const std::string &S, void HandleCXX(const std::string &S,
const char *FileName,
const std::vector<const char *> &ExtraArgs); const std::vector<const char *> &ExtraArgs);
} // namespace clang_fuzzer } // namespace clang_fuzzer
#endif #endif

tools/clang-fuzzer/handle-cxx/handle_cxx.cpp

Show All 15 Lines
#include "clang/Frontend/CompilerInstance.h" #include "clang/Frontend/CompilerInstance.h"
#include "clang/Lex/PreprocessorOptions.h" #include "clang/Lex/PreprocessorOptions.h"
#include "clang/Tooling/Tooling.h" #include "clang/Tooling/Tooling.h"
#include "llvm/Option/Option.h" #include "llvm/Option/Option.h"
using namespace clang; using namespace clang;
void clang_fuzzer::HandleCXX(const std::string &S, void clang_fuzzer::HandleCXX(const std::string &S,
const char *FileName,
const std::vector<const char *> &ExtraArgs) { const std::vector<const char *> &ExtraArgs) {
llvm::opt::ArgStringList CC1Args; llvm::opt::ArgStringList CC1Args;
CC1Args.push_back("-cc1"); CC1Args.push_back("-cc1");
for (auto &A : ExtraArgs) for (auto &A : ExtraArgs)
CC1Args.push_back(A); CC1Args.push_back(A);
CC1Args.push_back("./test.cc"); CC1Args.push_back(FileName);
llvm::IntrusiveRefCntPtr<FileManager> Files( llvm::IntrusiveRefCntPtr<FileManager> Files(
new FileManager(FileSystemOptions())); new FileManager(FileSystemOptions()));
IgnoringDiagConsumer Diags; IgnoringDiagConsumer Diags;
IntrusiveRefCntPtr<DiagnosticOptions> DiagOpts = new DiagnosticOptions(); IntrusiveRefCntPtr<DiagnosticOptions> DiagOpts = new DiagnosticOptions();
DiagnosticsEngine Diagnostics( DiagnosticsEngine Diagnostics(
IntrusiveRefCntPtr<clang::DiagnosticIDs>(new DiagnosticIDs()), &*DiagOpts, IntrusiveRefCntPtr<clang::DiagnosticIDs>(new DiagnosticIDs()), &*DiagOpts,
&Diags, false); &Diags, false);
std::unique_ptr<clang::CompilerInvocation> Invocation( std::unique_ptr<clang::CompilerInvocation> Invocation(
tooling::newInvocation(&Diagnostics, CC1Args)); tooling::newInvocation(&Diagnostics, CC1Args));
std::unique_ptr<llvm::MemoryBuffer> Input = std::unique_ptr<llvm::MemoryBuffer> Input =
llvm::MemoryBuffer::getMemBuffer(S); llvm::MemoryBuffer::getMemBuffer(S);
Invocation->getPreprocessorOpts().addRemappedFile("./test.cc", Invocation->getPreprocessorOpts().addRemappedFile(FileName,
Input.release()); Input.release());
std::unique_ptr<tooling::ToolAction> action( std::unique_ptr<tooling::ToolAction> action(
tooling::newFrontendActionFactory<clang::EmitObjAction>()); tooling::newFrontendActionFactory<clang::EmitObjAction>());
std::shared_ptr<PCHContainerOperations> PCHContainerOps = std::shared_ptr<PCHContainerOperations> PCHContainerOps =
std::make_shared<PCHContainerOperations>(); std::make_shared<PCHContainerOperations>();
action->runInvocation(std::move(Invocation), Files.get(), PCHContainerOps, action->runInvocation(std::move(Invocation), Files.get(), PCHContainerOps,
&Diags); &Diags);
} }