emmettneyman updated this revision to Diff 150200.
emmettneyman added a comment.
Hopefully rebased correctly.
Repository:
rC Clang
https://reviews.llvm.org/D47843
Files:
tools/clang-fuzzer/CMakeLists.txt
tools/clang-fuzzer/ExampleClangLoopProtoFuzzer.cpp
tools/clang-fuzzer/cxx_loop_proto.proto
tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp
tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt
tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp
tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.h
tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx_main.cpp
Index: tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx_main.cpp
===================================================================
--- /dev/null
+++ tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx_main.cpp
@@ -0,0 +1,33 @@
+//==-- loop_proto_to_cxx_main.cpp - Driver for protobuf-C++ conversion -----==//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// Implements a simple driver to print a C++ program from a protobuf with loops.
+//
+//===----------------------------------------------------------------------===//
+
+// This is a copy and will be updated later to introduce changes
+
+#include <fstream>
+#include <iostream>
+#include <streambuf>
+#include <string>
+
+#include "loop_proto_to_cxx.h"
+
+int main(int argc, char **argv) {
+ for (int i = 1; i < argc; i++) {
+ std::fstream in(argv[i]);
+ std::string str((std::istreambuf_iterator<char>(in)),
+ std::istreambuf_iterator<char>());
+ std::cout << "// " << argv[i] << std::endl;
+ std::cout << clang_fuzzer::LoopProtoToCxx(
+ reinterpret_cast<const uint8_t *>(str.data()), str.size());
+ }
+}
+
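Review bot: `std::fstream in(argv[i])` on the second line of main opens the file in read/write mode (the `std::fstream` default) and the stream is never checked, so a read-only or missing input silently yields an empty `str`, and `LoopProtoToCxx` then prints a program for an empty message under the `// path` header instead of reporting the failure. The driver only reads, and the payload is a binary proto, so `std::ifstream in(argv[i], std::ios::binary);` followed by `if (!in) { std::cerr << "cannot open " << argv[i] << '\n'; continue; }` is the shape I would expect. The `// This is a copy and will be updated later to introduce changes` comment above the includes reads as a leftover from the copy and should be dropped or replaced by a sentence stating how this driver differs from proto_to_cxx_main.cpp. Minor: `'\n'` instead of `std::endl` avoids a flush per input file.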
Index: tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.h
===================================================================
--- /dev/null
+++ tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.h
@@ -0,0 +1,22 @@
+//==-- loop_proto_to_cxx.h - Protobuf-C++ conversion ----------------------------==//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// Defines functions for converting between protobufs with loops and C++.
+//
+//===----------------------------------------------------------------------===//
+
+#include <cstdint>
+#include <cstddef>
+#include <string>
+
+namespace clang_fuzzer {
+class Function;
+std::string FunctionToString(const Function &input);
+std::string LoopProtoToCxx(const uint8_t *data, size_t size);
+}
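Review bot: The header has no include guard; it is pulled in by both loop_proto_to_cxx.cpp and ExampleClangLoopProtoFuzzer.cpp, and LLVM headers carry an `#ifndef`/`#define` guard named after the file path, so one should be added here before the includes. The two declarations are also undocumented; a `///` line on each would help, e.g. `/// Renders a parsed Function proto as C++ source.` on `FunctionToString` and `/// Parses a binary-encoded Function proto and renders it; returns a "#error" line if parsing fails.` on `LoopProtoToCxx`. Since only `<cstddef>` and `<cstdint>` are included, `std::size_t` and `std::uint8_t` are the guaranteed spellings; the unqualified forms work on common toolchains but are not portable.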
Index: tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp
===================================================================
--- /dev/null
+++ tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp
@@ -0,0 +1,115 @@
+//==-- loop_proto_to_cxx.cpp - Protobuf-C++ conversion ---------------------==//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// Implements functions for converting between protobufs and C++. Extends
+// proto_to_cxx.cpp by wrapping all the generated C++ code in a single for
+// loop. Also coutputs a different function signature that includes a
+// size_t parameter for the loop to use.
+//
+//===----------------------------------------------------------------------===//
+
+#include "loop_proto_to_cxx.h"
+#include "cxx_loop_proto.pb.h"
+
+// The following is needed to convert protos in human-readable form
+#include <google/protobuf/text_format.h>
+
+
+#include <ostream>
+#include <sstream>
+
+namespace clang_fuzzer {
+
+// Forward decls.
+std::ostream &operator<<(std::ostream &os, const BinaryOp &x);
+std::ostream &operator<<(std::ostream &os, const StatementSeq &x);
+
+// Proto to C++.
+std::ostream &operator<<(std::ostream &os, const Const &x) {
+ return os << "(" << x.val() << ")";
+}
+std::ostream &operator<<(std::ostream &os, const VarRef &x) {
+ if (x.is_loop_var()) {
+ return os << "a[loop_ctr]";
+ } else {
+ return os << "a[" << static_cast<uint32_t>(x.varnum()) << " % s]";
+ }
+}
+std::ostream &operator<<(std::ostream &os, const Lvalue &x) {
+ return os << x.varref();
+}
+std::ostream &operator<<(std::ostream &os, const Rvalue &x) {
+ if (x.has_varref()) return os << x.varref();
+ if (x.has_cons()) return os << x.cons();
+ if (x.has_binop()) return os << x.binop();
+ return os << "1";
+}
+std::ostream &operator<<(std::ostream &os, const BinaryOp &x) {
+ os << "(" << x.left();
+ switch (x.op()) {
+ case BinaryOp::PLUS: os << "+"; break;
+ case BinaryOp::MINUS: os << "-"; break;
+ case BinaryOp::MUL: os << "*"; break;
+ case BinaryOp::DIV: os << "/"; break;
+ case BinaryOp::MOD: os << "%"; break;
+ case BinaryOp::XOR: os << "^"; break;
+ case BinaryOp::AND: os << "&"; break;
+ case BinaryOp::OR: os << "|"; break;
+ case BinaryOp::EQ: os << "=="; break;
+ case BinaryOp::NE: os << "!="; break;
+ case BinaryOp::LE: os << "<="; break;
+ case BinaryOp::GE: os << ">="; break;
+ case BinaryOp::LT: os << "<"; break;
+ case BinaryOp::GT: os << ">"; break;
+ }
+ return os << x.right() << ")";
+}
+std::ostream &operator<<(std::ostream &os, const AssignmentStatement &x) {
+ return os << x.lvalue() << "=" << x.rvalue();
+}
+std::ostream &operator<<(std::ostream &os, const IfElse &x) {
+ return os << "if (" << x.cond() << "){\n"
+ << x.if_body() << "} else { \n"
+ << x.else_body() << "}\n";
+}
+std::ostream &operator<<(std::ostream &os, const While &x) {
+ return os << "while (" << x.cond() << "){\n" << x.body() << "}\n";
+}
+std::ostream &operator<<(std::ostream &os, const Statement &x) {
+ if (x.has_assignment()) return os << x.assignment() << ";\n";
+ if (x.has_ifelse()) return os << x.ifelse();
+ if (x.has_while_loop()) return os << x.while_loop();
+ return os << "(void)0;\n";
+}
+std::ostream &operator<<(std::ostream &os, const StatementSeq &x) {
+ for (auto &st : x.statements()) os << st;
+ return os;
+}
+std::ostream &operator<<(std::ostream &os, const Function &x) {
+ return os << "void foo(int *a, size_t s) {\n"
+ << "for (int loop_ctr = 0; loop_ctr < s; loop_ctr++){\n"
+ << x.statements() << "}\n}\n";
+}
+
+// ---------------------------------
+
+std::string FunctionToString(const Function &input) {
+ std::ostringstream os;
+ os << input;
+ return os.str();
+
+}
+std::string LoopProtoToCxx(const uint8_t *data, size_t size) {
+ Function message;
+ if (!message.ParsePartialFromArray(data, size))
+ return "#error invalid proto, may not be binary encoded\n";
+ return FunctionToString(message);
+}
+
+} // namespace clang_fuzzer
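Review bot: `LoopProtoToCxx` forwards its `size_t size` to `Function::ParsePartialFromArray`, whose size parameter is `int` in the protobuf API as far as I know, so a buffer longer than `INT_MAX` would be narrowed to a negative length before parsing; a guard such as `if (size > static_cast<size_t>(INT_MAX)) return "#error input too large\n";` ahead of the call makes the limit explicit (in practice libFuzzer's -max_len keeps inputs far below it, so this is defensive). `FunctionToString` has a stray blank line before its closing brace. The file header comment says "coutputs" where "outputs" is meant, and the sentence about the extra `size_t` parameter could name it: "a `size_t s` parameter that bounds the loop and the array indices". The per-message `operator<<` overloads would also benefit from a one-line comment on `VarRef` explaining that `a[loop_ctr]` is the loop-counter access and `a[N % s]` the bounded fixed-index access.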
Index: tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt
===================================================================
--- tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt
+++ tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt
@@ -2,12 +2,21 @@
set(CMAKE_CXX_FLAGS ${CXX_FLAGS_NOFUZZ})
# Needed by LLVM's CMake checks because this file defines multiple targets.
-set(LLVM_OPTIONAL_SOURCES proto_to_cxx.cpp proto_to_cxx_main.cpp)
+set(LLVM_OPTIONAL_SOURCES proto_to_cxx.cpp proto_to_cxx_main.cpp
+ loop_proto_to_cxx.cpp loop_proto_to_cxx_main.cpp)
add_clang_library(clangProtoToCXX proto_to_cxx.cpp
DEPENDS clangCXXProto
LINK_LIBS clangCXXProto ${PROTOBUF_LIBRARIES}
)
+add_clang_library(clangLoopProtoToCXX loop_proto_to_cxx.cpp
+ DEPENDS clangCXXLoopProto
+ LINK_LIBS clangCXXLoopProto ${PROTOBUF_LIBRARIES}
+ )
+
add_clang_executable(clang-proto-to-cxx proto_to_cxx_main.cpp)
+add_clang_executable(clang-loop-proto-to-cxx loop_proto_to_cxx_main.cpp)
+
target_link_libraries(clang-proto-to-cxx PRIVATE clangProtoToCXX)
+target_link_libraries(clang-loop-proto-to-cxx PRIVATE clangLoopProtoToCXX)
Index: tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp
===================================================================
--- tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp
+++ tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp
@@ -8,9 +8,9 @@
//===----------------------------------------------------------------------===//
///
/// \file
-/// This file implements two functions: one that returns the command line
+/// This file implements two functions: one that returns the command line
/// arguments for a given call to the fuzz target and one that initializes
-/// the fuzzer with the correct command line arguments.
+/// the fuzzer with the correct command line arguments.
///
//===----------------------------------------------------------------------===//
Index: tools/clang-fuzzer/cxx_loop_proto.proto
===================================================================
--- /dev/null
+++ tools/clang-fuzzer/cxx_loop_proto.proto
@@ -0,0 +1,97 @@
+//===-- cxx_loop_proto.proto - Protobuf description of C++ with for loops -===//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+///
+/// \file
+/// This file describes a subset of C++ as a protobuf. It is used to
+/// more easily find interesting inputs for fuzzing Clang. This subset
+/// extends the one defined in cxx_proto.proto by adding the option that
+/// a VarRef can use the for loop's counter variable.
+///
+//===----------------------------------------------------------------------===//
+
+
+syntax = "proto2";
+
+message VarRef {
+ required int32 varnum = 1;
+ required bool is_loop_var = 2;
+}
+
+message Lvalue {
+ required VarRef varref = 1;
+}
+
+message Const {
+ required int32 val = 1;
+}
+
+message BinaryOp {
+ enum Op {
+ PLUS = 0;
+ MINUS = 1;
+ MUL = 2;
+ DIV = 3;
+ MOD = 4;
+ XOR = 5;
+ AND = 6;
+ OR = 7;
+ EQ = 8;
+ NE = 9;
+ LE = 10;
+ GE = 11;
+ LT = 12;
+ GT = 13;
+ };
+ required Op op = 1;
+ required Rvalue left = 2;
+ required Rvalue right = 3;
+}
+
+message Rvalue {
+ oneof rvalue_oneof {
+ VarRef varref = 1;
+ Const cons = 2;
+ BinaryOp binop = 3;
+ }
+}
+
+message AssignmentStatement {
+ required Lvalue lvalue = 1;
+ required Rvalue rvalue = 2;
+}
+
+
+message IfElse {
+ required Rvalue cond = 1;
+ required StatementSeq if_body = 2;
+ required StatementSeq else_body = 3;
+}
+
+message While {
+ required Rvalue cond = 1;
+ required StatementSeq body = 2;
+}
+
+message Statement {
+ oneof stmt_oneof {
+ AssignmentStatement assignment = 1;
+ IfElse ifelse = 2;
+ While while_loop = 3;
+ }
+}
+
+message StatementSeq {
+ repeated Statement statements = 1;
+}
+
+message Function {
+ required StatementSeq statements = 1;
+}
+
+package clang_fuzzer;
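Review bot: `package clang_fuzzer;` is placed on the last line of the file; protobuf convention (and cxx_proto.proto, which this file extends) puts it directly after the `syntax = "proto2";` line, where readers look for it. The `};` after the `Op` enum body carries a stray semicolon that protoc tolerates but the style elsewhere in the file does not use. A short comment on `VarRef` stating that `is_loop_var` makes the generator ignore `varnum` and index with the loop counter would document the one semantic difference from cxx_proto.proto noted in the file header.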
Index: tools/clang-fuzzer/ExampleClangLoopProtoFuzzer.cpp
===================================================================
--- /dev/null
+++ tools/clang-fuzzer/ExampleClangLoopProtoFuzzer.cpp
@@ -0,0 +1,31 @@
+//===-- ExampleClangLoopProtoFuzzer.cpp - Fuzz Clang ----------------------===//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+///
+/// \file
+/// This file implements a function that runs Clang on a single
+/// input and uses libprotobuf-mutator to find new inputs. This function is
+/// then linked into the Fuzzer library. This file differs from
+/// ExampleClangProtoFuzzer in that it uses the new protobuf that includes
+/// C++ code with a single for loop.
+///
+//===----------------------------------------------------------------------===//
+
+#include "cxx_loop_proto.pb.h"
+#include "handle-cxx/handle_cxx.h"
+#include "proto-to-cxx/loop_proto_to_cxx.h"
+#include "fuzzer-initialize/fuzzer_initialize.h"
+#include "src/libfuzzer/libfuzzer_macro.h"
+
+
+using namespace clang_fuzzer;
+
+DEFINE_BINARY_PROTO_FUZZER(const Function& input) {
+ auto S = FunctionToString(input);
+ HandleCXX(S, GetCLArgs());
+}
Index: tools/clang-fuzzer/CMakeLists.txt
===================================================================
--- tools/clang-fuzzer/CMakeLists.txt
+++ tools/clang-fuzzer/CMakeLists.txt
@@ -14,6 +14,7 @@
ClangFuzzer.cpp
DummyClangFuzzer.cpp
ExampleClangProtoFuzzer.cpp
+ ExampleClangLoopProtoFuzzer.cpp
)
if(CLANG_ENABLE_PROTO_FUZZER)
@@ -24,6 +25,7 @@
include_directories(${PROTOBUF_INCLUDE_DIRS})
include_directories(${CMAKE_CURRENT_BINARY_DIR})
protobuf_generate_cpp(PROTO_SRCS PROTO_HDRS cxx_proto.proto)
+ protobuf_generate_cpp(PROTO_SRCS PROTO_HDRS cxx_loop_proto.proto)
set(LLVM_OPTIONAL_SOURCES ${LLVM_OPTIONAL_SOURCES} ${PROTO_SRCS})
add_clang_library(clangCXXProto
${PROTO_SRCS}
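Review bot: The added `protobuf_generate_cpp(PROTO_SRCS PROTO_HDRS cxx_loop_proto.proto)` reuses the output variables of the call above it; in the FindProtobuf implementations I know, `protobuf_generate_cpp` resets its output variables on every call, so after this line `PROTO_SRCS`/`PROTO_HDRS` hold only the cxx_loop_proto outputs, `clangCXXProto` on the next lines loses cxx_proto.pb.cc, and `clangCXXLoopProto` in the following hunk is built from the same list. Use separate variables: `protobuf_generate_cpp(LOOP_PROTO_SRCS LOOP_PROTO_HDRS cxx_loop_proto.proto)`, then `set(LLVM_OPTIONAL_SOURCES ${LLVM_OPTIONAL_SOURCES} ${PROTO_SRCS} ${LOOP_PROTO_SRCS})`, and have `clangCXXLoopProto` list `${LOOP_PROTO_SRCS}` and `${LOOP_PROTO_HDRS}`. Worth confirming against the protobuf CMake module in use before landing.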
@@ -33,12 +35,23 @@
${PROTOBUF_LIBRARIES}
)
+ add_clang_library(clangCXXLoopProto
+ ${PROTO_SRCS}
+ ${PROTO_HDRS}
+
+ LINK_LIBS
+ ${PROTOBUF_LIBRARIES}
+ )
+
# Build and include libprotobuf-mutator
include(ProtobufMutator)
include_directories(${ProtobufMutator_INCLUDE_DIRS})
# Build the protobuf->C++ translation library and driver.
add_clang_subdirectory(proto-to-cxx)
+
+ # Build the fuzzer initialization library.
+ add_clang_subdirectory(fuzzer-initialize)
# Build the fuzzer initialization library.
add_clang_subdirectory(fuzzer-initialize)
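Review bot: The two added lines `# Build the fuzzer initialization library.` / `add_clang_subdirectory(fuzzer-initialize)` duplicate the identical pair that already follows them as context, so the subdirectory would be added twice; CMake rejects a second `add_subdirectory` of the same source directory into the same binary directory, which looks like a rebase artifact rather than an intended change. Drop the added pair and keep the existing one. The hunk header's line counts do not match the lines shown here, so some blank context lines were likely lost in transit; the point stands on the visible `+` lines.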
@@ -49,6 +62,12 @@
ExampleClangProtoFuzzer.cpp
)
+ # Build the loop protobuf fuzzer
+ add_clang_executable(clang-loop-proto-fuzzer
+ ${DUMMY_MAIN}
+ ExampleClangLoopProtoFuzzer.cpp
+ )
+
target_link_libraries(clang-proto-fuzzer
PRIVATE
${ProtobufMutator_LIBRARIES}
@@ -59,6 +78,16 @@
clangHandleCXX
clangProtoToCXX
)
+ target_link_libraries(clang-loop-proto-fuzzer
+ PRIVATE
+ ${ProtobufMutator_LIBRARIES}
+ ${PROTOBUF_LIBRARIES}
+ ${LLVM_LIB_FUZZING_ENGINE}
+ clangCXXLoopProto
+ clangFuzzerInitialize
+ clangHandleCXX
+ clangLoopProtoToCXX
+ )
endif()
add_clang_subdirectory(handle-cxx)