Download Raw Diff

Details

Reviewers

morehouse
hctim
kcc

Commits

rG98d91aecb26a: Add libFuzzer shared object build output

Summary

This change adds a CMake rule to produce shared object versions of libFuzzer (no-main). Unlike the static library versions, these shared libraries do not have a copy of libc++ statically linked in. Doing so is theoretically possible for x86-64 (via hacks); however, it is not possible for i386 because i386 does not suppot mixing position-independent and non-position-independent code in the same library.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

IanPudney created this revision.Jul 30 2020, 7:13 AM

Herald added a project: Restricted Project. · View Herald TranscriptJul 30 2020, 7:13 AM

Herald added subscribers: Restricted Project, mgorny. · View Herald Transcript

IanPudney requested review of this revision.Jul 30 2020, 7:13 AM

Harbormaster completed remote builds in B66393: Diff 281920.Jul 30 2020, 7:50 AM

Do we need a version for 32-bit at all?
Not having a private version of libc++ is likely to cause subtle stability issues.

(Matt, please help me with the review here)

Sticking just with x86_64 is possible; I actually have the code for that here, but it's a bit ugly:
https://reviews.llvm.org/differential/diff/281467/

However, what stability issues could dynamic linking cause? The change to privately link libc++ was only added in 2019, so things must have worked well before then:
https://github.com/llvm/llvm-project/commit/66c60d9d714bed88765c1575fbf57e7582fd27a3

I'm fine with whichever version you prefer.

In D84947#2186106, @IanPudney wrote:

Sticking just with x86_64 is possible; I actually have the code for that here, but it's a bit ugly:
https://reviews.llvm.org/differential/diff/281467/

If you don't need 32-bit .so, let's just have it in 64-bit version (and this fact documented)

However, what stability issues could dynamic linking cause? The change to privately link libc++ was only added in 2019, so things must have worked well before then:
https://github.com/llvm/llvm-project/commit/66c60d9d714bed88765c1575fbf57e7582fd27a3

Things didn't work well and we had a few workarounds, some were since reverted.
The problem with a non-private libc++ is that the common libc++ is instrumented for coverage.
Since libFuzzer itself uses libc++, the coverage instrumentation code is executed while inside libFuzzer,
screwing everything up.

I'm fine with whichever version you prefer.

Updated to skip building i386 output, but to statically link libc++.

Herald added a project: Restricted Project. · View Herald TranscriptAug 3 2020, 10:15 AM

Herald added a subscriber: llvm-commits. · View Herald Transcript

Harbormaster completed remote builds in B66798: Diff 282670.Aug 3 2020, 11:30 AM

LGTM

This revision is now accepted and ready to land.Aug 3 2020, 5:35 PM

When I patch this in locally and run ninja check-fuzzer, I get a linking error for both i386 and x86_64:

FAILED: lib/clang/12.0.0/lib/linux/libclang_rt.fuzzer_no_main-i386.so                                                          
...
/usr/bin/ld: projects/compiler-rt/lib/fuzzer/CMakeFiles/RTfuzzer.i386.dir/FuzzerDriver.cpp.o: in function `fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int))':
/usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:130: undefined reference to `pthread_create'           
/usr/bin/ld: /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:130: undefined reference to `pthread_create'
/usr/bin/ld: projects/compiler-rt/lib/fuzzer/CMakeFiles/RTfuzzer.i386.dir/FuzzerFork.cpp.o: in function `fuzzer::FuzzWithFork(fuzzer::Random&, fuzzer::FuzzingOptions const&, std::vector<std::__cxx11::basic_stri
ng<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<std::__cxx11::basic_stri
ng<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, int)':
/usr/local/google/home/mascasa/code/llvm-project/compiler-rt/lib/fuzzer/FuzzerFork.cpp:(.text+0xd6d): undefined reference to `pthread_create'
clang: error: linker command failed with exit code 1 (use -v to see invocation)                                                
[655/3462] Linking CXX shared library lib/clang/12.0.0/lib/linux/libclang_rt.fuzzer_no_main-x86_64.so                          


FAILED: lib/clang/12.0.0/lib/linux/libclang_rt.fuzzer_no_main-x86_64.so                                                        
...                                                                           
/usr/bin/ld: projects/compiler-rt/lib/fuzzer/CMakeFiles/RTfuzzer.x86_64.dir/FuzzerDriver.cpp.o: in function `fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))':
/usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:130: undefined reference to `pthread_create'           
/usr/bin/ld: /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:130: undefined reference to `pthread_create'
/usr/bin/ld: /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:130: undefined reference to `pthread_create'
/usr/bin/ld: projects/compiler-rt/lib/fuzzer/CMakeFiles/RTfuzzer.x86_64.dir/FuzzerFork.cpp.o: in function `fuzzer::FuzzWithFork(fuzzer::Random&, fuzzer::FuzzingOptions const&, std::vector<std::__cxx11::basic_st
ring<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<std::__cxx11::basic_st
ring<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, int)':
/usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/thread:130: undefined reference to `pthread_create'

Ian, can you please take a look?

So it looks like the bug in question was pre-existing, and this change just exposes it. Specifically, when building with Ninja instead of Makefiles, the code path for statically linking libc++ isn't actually hit. Rather, the fallthrough "normal" code path is hit. I've confirmed this by verifying that the assemblies produced before my change with Ninja still want regular libc++.

Adjusted rule to skip -z,defs when building under Ninja.

morehouse added inline comments.Aug 4 2020, 3:52 PM

compiler-rt/lib/fuzzer/CMakeLists.txt
61	Nit: Can we rename this to `LIBFUZZER_SHARED_LINK_FLAGS` and move it down next to the case where it is used?

Harbormaster completed remote builds in B66998: Diff 283040.Aug 4 2020, 4:08 PM

IanPudney updated this revision to Diff 283071.Aug 4 2020, 5:23 PM

IanPudney marked an inline comment as done.

I'll land this tomorrow.

While this now builds with Ninja, there are some rtti-related issues with linking.

Harbormaster completed remote builds in B67017: Diff 283071.Aug 4 2020, 6:00 PM

Issue fixed.

This revision is now accepted and ready to land.Aug 4 2020, 6:20 PM

Harbormaster completed remote builds in B67029: Diff 283090.Aug 4 2020, 7:01 PM

This revision was landed with ongoing or failed builds.Aug 5 2020, 9:03 AM

Closed by commit rG98d91aecb26a: Add libFuzzer shared object build output (authored by morehouse). · Explain Why

This revision was automatically updated to reflect the committed changes.

morehouse added a commit: rG98d91aecb26a: Add libFuzzer shared object build output.

jfb added a subscriber: jfb.Aug 5 2020, 11:27 AM

jfb added inline comments.

compiler-rt/lib/fuzzer/CMakeLists.txt
192	This is broken on non-Linux and non-Fuchsia architectures which don't have libstdc++, for example Darwin. Can you please fix or revert?

morehouse added inline comments.Aug 5 2020, 12:00 PM

compiler-rt/lib/fuzzer/CMakeLists.txt
192	Would it be sufficient to add the following? if (DARWIN) list(APPEND LIBFUZZER_SHARED_LINK_LIBS "-lc++") else() list(APPEND LIBFUZZER_SHARED_LINK_LIBS "-lstdc++") endif() Or are there more platforms that are missing libstdc++?

lebedev.ri added a subscriber: lebedev.ri.Aug 5 2020, 12:09 PM

lebedev.ri added inline comments.

compiler-rt/lib/fuzzer/CMakeLists.txt
192	Why is this particular line hardcoding some particular C++ STD implementation in the first place? Ignoring distro defaults, one can always pass `-stdlib=libc++` to clang.

morehouse added a reverting change: rGb0c50ef759d3: Revert "Add libFuzzer shared object build output".Aug 5 2020, 12:12 PM

morehouse added inline comments.Aug 5 2020, 12:28 PM

compiler-rt/lib/fuzzer/CMakeLists.txt
194	This line was also failing on Android, where there is no pthreads library.

IanPudney added inline comments.Aug 5 2020, 12:29 PM

compiler-rt/lib/fuzzer/CMakeLists.txt
192	Passing -stdlib=libc++ into the CFLAGS of the rule doesn't solve the problem. The .so links, but at runtime it complains about missing symbols like _ZTVN10cxxabiv120si_class_type_infoE.
192	Added this in https://reviews.llvm.org/D85339. However, I don't have a Darwin machine to test with.

Updated to use -lc++ instead of lstdc++ on Darwin.

IanPudney reopened this revision.Aug 5 2020, 12:44 PM

This revision is now accepted and ready to land.Aug 5 2020, 12:44 PM

lebedev.ri added inline comments.Aug 5 2020, 1:13 PM

compiler-rt/lib/fuzzer/CMakeLists.txt
195	This is too fragile, basically duplicates defaults from `clang/lib/Driver/ToolChains` Is there no way to make compiler do the right thing?

IanPudney added inline comments.Aug 5 2020, 1:38 PM

compiler-rt/lib/fuzzer/CMakeLists.txt
195	I don't suppose you have any suggestions? I don't even know why libstdc++ isn't being linked in automatically.

Harbormaster completed remote builds in B67172: Diff 283354.Aug 5 2020, 2:15 PM

IanPudney abandoned this revision.Dec 28 2020, 5:11 PM

Herald added a subscriber: pengfei. · View Herald TranscriptDec 28 2020, 5:11 PM

Diff 283265

compiler-rt/lib/fuzzer/CMakeLists.txt

Show First 20 Lines • Show All 52 Lines • ▼ Show 20 Lines	CHECK_CXX_SOURCE_COMPILES("
int main() {		int main() {
return 0;		return 0;
}		}
" HAS_THREAD_LOCAL)		" HAS_THREAD_LOCAL)

set(LIBFUZZER_CFLAGS ${SANITIZER_COMMON_CFLAGS})		set(LIBFUZZER_CFLAGS ${SANITIZER_COMMON_CFLAGS})

if(OS_NAME MATCHES "Linux\|Fuchsia" AND		if(OS_NAME MATCHES "Linux\|Fuchsia" AND
COMPILER_RT_LIBCXX_PATH AND		COMPILER_RT_LIBCXX_PATH AND
		morehouseUnsubmitted Done Reply Inline Actions Nit: Can we rename this to `LIBFUZZER_SHARED_LINK_FLAGS` and move it down next to the case where it is used? morehouse: Nit: Can we rename this to `LIBFUZZER_SHARED_LINK_FLAGS` and move it down next to the case…
COMPILER_RT_LIBCXXABI_PATH)		COMPILER_RT_LIBCXXABI_PATH)
list(APPEND LIBFUZZER_CFLAGS -nostdinc++ -D_LIBCPP_ABI_VERSION=Fuzzer)		list(APPEND LIBFUZZER_CFLAGS -nostdinc++ -D_LIBCPP_ABI_VERSION=Fuzzer)
# Remove -stdlib= which is unused when passing -nostdinc++.		# Remove -stdlib= which is unused when passing -nostdinc++.
string(REGEX REPLACE "-stdlib=[a-zA-Z+]*" "" CMAKE_CXX_FLAGS ${CMAKE_CXX_FLAGS})		string(REGEX REPLACE "-stdlib=[a-zA-Z+]*" "" CMAKE_CXX_FLAGS ${CMAKE_CXX_FLAGS})
elseif(TARGET cxx-headers OR HAVE_LIBCXX)		elseif(TARGET cxx-headers OR HAVE_LIBCXX)
set(LIBFUZZER_DEPS cxx-headers)		set(LIBFUZZER_DEPS cxx-headers)
endif()		endif()

▲ Show 20 Lines • Show All 95 Lines • ▼ Show 20 Lines	foreach(arch ${FUZZER_SUPPORTED_ARCH})
add_dependencies(RTfuzzer.${arch} libcxx_fuzzer_${arch}-build)		add_dependencies(RTfuzzer.${arch} libcxx_fuzzer_${arch}-build)
target_compile_options(RTfuzzer_main.${arch} PRIVATE -isystem ${LIBCXX_${arch}_PREFIX}/include/c++/v1)		target_compile_options(RTfuzzer_main.${arch} PRIVATE -isystem ${LIBCXX_${arch}_PREFIX}/include/c++/v1)
add_dependencies(RTfuzzer_main.${arch} libcxx_fuzzer_${arch}-build)		add_dependencies(RTfuzzer_main.${arch} libcxx_fuzzer_${arch}-build)
target_compile_options(RTfuzzer_interceptors.${arch} PRIVATE -isystem ${LIBCXX_${arch}_PREFIX}/include/c++/v1)		target_compile_options(RTfuzzer_interceptors.${arch} PRIVATE -isystem ${LIBCXX_${arch}_PREFIX}/include/c++/v1)
add_dependencies(RTfuzzer_interceptors.${arch} libcxx_fuzzer_${arch}-build)		add_dependencies(RTfuzzer_interceptors.${arch} libcxx_fuzzer_${arch}-build)
partially_link_libcxx(fuzzer_no_main ${LIBCXX_${arch}_PREFIX} ${arch})		partially_link_libcxx(fuzzer_no_main ${LIBCXX_${arch}_PREFIX} ${arch})
partially_link_libcxx(fuzzer_interceptors ${LIBCXX_${arch}_PREFIX} ${arch})		partially_link_libcxx(fuzzer_interceptors ${LIBCXX_${arch}_PREFIX} ${arch})
partially_link_libcxx(fuzzer ${LIBCXX_${arch}_PREFIX} ${arch})		partially_link_libcxx(fuzzer ${LIBCXX_${arch}_PREFIX} ${arch})
		if(NOT ${arch} MATCHES "i386") # i386 unsupported for .so version.
		add_custom_command(
		OUTPUT clang_rt.fuzzer_no_main-${arch}.so
		DEPENDS clang_rt.fuzzer_no_main-${arch}
		COMMAND ${CMAKE_CXX_COMPILER} ${EMULATION_ARGUMENT} -Wl,--whole-archive -rdynamic "$<TARGET_LINKER_FILE:clang_rt.fuzzer_no_main-${arch}>" -Wl,--no-whole-archive -shared -fPIC -o "$<TARGET_FILE_DIR:clang_rt.fuzzer_no_main-${arch}>/libclang_rt.fuzzer_no_main-${arch}.so"
		COMMENT "Building clang_rt.fuzzer_no_main-${arch}.so"
		)
		get_compiler_rt_install_dir(${arch} install_dir)
		install(FILES "$<TARGET_FILE_DIR:clang_rt.fuzzer_no_main-${arch}>/libclang_rt.fuzzer_no_main-${arch}.so"
		DESTINATION ${install_dir}
		)
		add_custom_target(
		clang_rt.fuzzer_no_main-${arch}-so ALL
		DEPENDS clang_rt.fuzzer_no_main-${arch}.so
		)
		endif()
endforeach()		endforeach()
		else()
		set(LIBFUZZER_SHARED_LINK_LIBS ${SANITIZER_COMMON_LINK_LIBS})
		list(APPEND LIBFUZZER_SHARED_LINK_LIBS "-lstdc++")
		jfbUnsubmitted Not Done Reply Inline Actions This is broken on non-Linux and non-Fuchsia architectures which don't have libstdc++, for example Darwin. Can you please fix or revert? jfb: This is broken on non-Linux and non-Fuchsia architectures which don't have libstdc++, for…
		morehouseUnsubmitted Not Done Reply Inline Actions Would it be sufficient to add the following? if (DARWIN) list(APPEND LIBFUZZER_SHARED_LINK_LIBS "-lc++") else() list(APPEND LIBFUZZER_SHARED_LINK_LIBS "-lstdc++") endif() Or are there more platforms that are missing libstdc++? morehouse: Would it be sufficient to add the following? ``` if (DARWIN) list(APPEND…
		lebedev.riUnsubmitted Not Done Reply Inline Actions Why is this particular line hardcoding some particular C++ STD implementation in the first place? Ignoring distro defaults, one can always pass `-stdlib=libc++` to clang. lebedev.ri: Why is this particular line hardcoding some particular C++ STD implementation in the first…
		IanPudneyAuthorUnsubmitted Done Reply Inline Actions Passing -stdlib=libc++ into the CFLAGS of the rule doesn't solve the problem. The .so links, but at runtime it complains about missing symbols like _ZTVN10cxxabiv120si_class_type_infoE. IanPudney: Passing -stdlib=libc++ into the CFLAGS of the rule doesn't solve the problem. The .so links…
		IanPudneyAuthorUnsubmitted Done Reply Inline Actions Added this in https://reviews.llvm.org/D85339. However, I don't have a Darwin machine to test with. IanPudney: Added this in https://reviews.llvm.org/D85339. However, I don't have a Darwin machine to test…
		list(APPEND LIBFUZZER_SHARED_LINK_LIBS "-lm")
		list(APPEND LIBFUZZER_SHARED_LINK_LIBS "-lpthread")
		morehouseUnsubmitted Not Done Reply Inline Actions This line was also failing on Android, where there is no pthreads library. morehouse: This line was also failing on Android, where there is no pthreads library.

		lebedev.riUnsubmitted Not Done Reply Inline Actions This is too fragile, basically duplicates defaults from `clang/lib/Driver/ToolChains` Is there no way to make compiler do the right thing? lebedev.ri: This is too fragile, basically duplicates defaults from `clang/lib/Driver/ToolChains` Is there…
		IanPudneyAuthorUnsubmitted Done Reply Inline Actions I don't suppose you have any suggestions? I don't even know why libstdc++ isn't being linked in automatically. IanPudney: I don't suppose you have any suggestions? I don't even know why libstdc++ isn't being linked in…
		# If we aren't statically linking libc++ into the fuzzer, we can build the shared object directly
		add_compiler_rt_runtime(clang_rt.fuzzer_no_main
		SHARED
		OS ${FUZZER_SUPPORTED_OS}
		ARCHS ${FUZZER_SUPPORTED_ARCH}
		OBJECT_LIBS RTfuzzer
		CFLAGS ${LIBFUZZER_CFLAGS}
		LINK_FLAGS ${SANITIZER_COMMON_LINK_FLAGS}
		LINK_LIBS ${LIBFUZZER_SHARED_LINK_LIBS}
		PARENT_TARGET fuzzer)
endif()		endif()

if(COMPILER_RT_INCLUDE_TESTS)		if(COMPILER_RT_INCLUDE_TESTS)
add_subdirectory(tests)		add_subdirectory(tests)
endif()		endif()

llvm/docs/LibFuzzer.rst

Show First 20 Lines • Show All 614 Lines • ▼ Show 20 Lines	.. code-block:: c++
extern "C" int LLVMFuzzerInitialize(int argc, char **argv) {		extern "C" int LLVMFuzzerInitialize(int argc, char **argv) {
ReadAndMaybeModify(argc, argv);		ReadAndMaybeModify(argc, argv);
return 0;		return 0;
}		}

Using libFuzzer as a library		Using libFuzzer as a library
----------------------------		----------------------------
If the code being fuzzed must provide its own `main`, it's possible to		If the code being fuzzed must provide its own `main`, it's possible to
invoke libFuzzer as a library. Be sure to pass ``-fsanitize=fuzzer-no-link``		invoke libFuzzer as a library. Static linking is available on all platforms
		supported by libFuzzer; however, dynamic linking is not available on
		certain platforms (notably 32-bit x86 Linux).

		When using libFuzzer as a library, be sure to pass ``-fsanitize=fuzzer-no-link``
during compilation, and link your binary against the no-main version of		during compilation, and link your binary against the no-main version of
libFuzzer. On Linux installations, this is typically located at:		libFuzzer. On Linux installations, this is typically located at:

.. code-block:: bash		.. code-block:: bash

/usr/lib/<llvm-version>/lib/clang/<clang-version>/lib/linux/libclang_rt.fuzzer_no_main-<architecture>.a		/usr/lib/<llvm-version>/lib/clang/<clang-version>/lib/linux/libclang_rt.fuzzer_no_main-<architecture>.a
		/usr/lib/<llvm-version>/lib/clang/<clang-version>/lib/linux/libclang_rt.fuzzer_no_main-<architecture>.so

If building libFuzzer from source, this is located at the following path		If building libFuzzer from source, this is located at the following path
in the build output directory:		in the build output directory:

.. code-block:: bash		.. code-block:: bash

lib/linux/libclang_rt.fuzzer_no_main-<architecture>.a		lib/linux/libclang_rt.fuzzer_no_main-<architecture>.a
		lib/linux/libclang_rt.fuzzer_no_main-<architecture>.so

From here, the code can do whatever setup it requires, and when it's ready		From here, the code can do whatever setup it requires, and when it's ready
to start fuzzing, it can call `LLVMFuzzerRunDriver`, passing in the program		to start fuzzing, it can call `LLVMFuzzerRunDriver`, passing in the program
arguments and a callback. This callback is invoked just like		arguments and a callback. This callback is invoked just like
`LLVMFuzzerTestOneInput`, and has the same signature.		`LLVMFuzzerTestOneInput`, and has the same signature.

.. code-block:: c++		.. code-block:: c++

extern "C" int LLVMFuzzerRunDriver(int argc, char **argv,		extern "C" int LLVMFuzzerRunDriver(int argc, char **argv,
int (UserCb)(const uint8_t Data, size_t Size));		int (UserCb)(const uint8_t Data, size_t Size));



Leaks		Leaks
-----		-----

Binaries built with AddressSanitizer_ or LeakSanitizer_ will try to detect		Binaries built with AddressSanitizer_ or LeakSanitizer_ will try to detect
memory leaks at the process shutdown.		memory leaks at the process shutdown.
For in-process fuzzing this is inconvenient		For in-process fuzzing this is inconvenient
since the fuzzer needs to report a leak with a reproducer as soon as the leaky		since the fuzzer needs to report a leak with a reproducer as soon as the leaky
mutation is found. However, running full leak detection after every mutation		mutation is found. However, running full leak detection after every mutation
▲ Show 20 Lines • Show All 170 Lines • Show Last 20 Lines

This is an archive of the discontinued LLVM Phabricator instance.

Add libFuzzer shared object build output
AbandonedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 283265

compiler-rt/lib/fuzzer/CMakeLists.txt

llvm/docs/LibFuzzer.rst

This is an archive of the discontinued LLVM Phabricator instance.

Add libFuzzer shared object build outputAbandonedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 283265

compiler-rt/lib/fuzzer/CMakeLists.txt

llvm/docs/LibFuzzer.rst

Add libFuzzer shared object build output
AbandonedPublic