[Lldb-commits] [PATCH] D129377: [lldb/Fuzzer] Add fuzzer for expression evaluator

Chelsea Cassanova via Phabricator via lldb-commits Tue, 12 Jul 2022 15:34:20 -0700

cassanova updated this revision to Diff 443768.
cassanova added a comment.

Shows top-of-tree changes, however CMake generation fails that the 
ProtobufMutator target already exists for clang-fuzzer:


  CMake Error at 
/opt/homebrew/Cellar/cmake/3.23.1_1/share/cmake/Modules/ExternalProject.cmake:3453
 (add_custom_target):
    add_custom_target cannot create target "protobuf_mutator" because another
    target with the same name already exists.  The existing target is a custom
    target created in source directory
    "/Users/chelseacassanova/code/llvm-project/clang/tools/clang-fuzzer".


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D129377/new/

https://reviews.llvm.org/D129377

Files:
  clang/tools/clang-fuzzer/handle-cxx/CMakeLists.txt
  clang/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt
  lldb/tools/lldb-fuzzer/CMakeLists.txt
  lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/CMakeLists.txt
  lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/cxx_proto.proto
  lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/lldb-expression-fuzzer.cpp

Index: lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/lldb-expression-fuzzer.cpp
===================================================================
--- /dev/null
+++ lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/lldb-expression-fuzzer.cpp
@@ -0,0 +1,73 @@
+//===-- lldb-expression-fuzzer.cpp ---------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===---------------------------------------------------------------------===//
+//
+// \file
+// This file is a fuzzer for LLDB's expression evaluator. It uses protobufs
+// and the libprotobuf-mutator to create valid C-like inputs for the
+// expression evaluator.
+//
+//===---------------------------------------------------------------------===//
+
+#include <string>
+
+#include "cxx_proto.pb.h"
+#include "handle-cxx/handle_cxx.h"
+#include "lldb/API/SBBreakpoint.h"
+#include "lldb/API/SBDebugger.h"
+#include "lldb/API/SBError.h"
+#include "lldb/API/SBLaunchInfo.h"
+#include "lldb/API/SBProcess.h"
+#include "lldb/API/SBTarget.h"
+#include "proto-to-cxx/proto_to_cxx.h"
+#include "src/libfuzzer/libfuzzer_macro.h"
+#include "llvm/ADT/StringRef.h"
+#include "llvm/Support/Error.h"
+
+using namespace lldb;
+using namespace llvm;
+using namespace clang_fuzzer;
+
+char **originalargv;
+
+extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
+  SBDebugger::Initialize();
+
+  // The path for a simple compiled program is needed to create a
+  // target for the debugger and that path is passed in through argv
+  originalargv = *argv;
+  return 0;
+}
+
+DEFINE_BINARY_PROTO_FUZZER(const clang_fuzzer::Function &input) {
+  auto S = clang_fuzzer::FunctionToString(input);
+
+  // Get the second argument from argv and strip the '--' from it.
+  // This will be used as the path for the object file to create a target from
+  std::string rawpath = originalargv[2];
+  StringRef objpath = rawpath.erase(0, 2);
+
+  // Create a debugger and a target
+  SBDebugger debugger = SBDebugger::Create(false);
+  SBTarget target = debugger.CreateTarget(objpath.str().c_str());
+
+  // Create a breakpoint on the only line in the program
+  SBBreakpoint bp = target.BreakpointCreateByLocation(objpath.str().c_str(), 1);
+
+  // Create launch info and error for launching the process
+  SBLaunchInfo li = target.GetLaunchInfo();
+  SBError error;
+
+  // Launch the process and evaluate the fuzzer's input data
+  // as an expression
+  SBProcess process = target.Launch(li, error);
+  target.EvaluateExpression(S.c_str());
+
+  debugger.DeleteTarget(target);
+  SBDebugger::Destroy(debugger);
+  SBModule::GarbageCollectAllocatedModules();
+}
Index: lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/cxx_proto.proto
===================================================================
--- /dev/null
+++ lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/cxx_proto.proto
@@ -0,0 +1,92 @@
+//===-- cxx_proto.proto - Protobuf description of C++ ---------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+///
+/// \file
+/// This file describes a subset of C++ as a protobuf.  It is used to
+///  more easily find interesting inputs for fuzzing Clang.
+///
+//===----------------------------------------------------------------------===//
+
+syntax = "proto2";
+
+message VarRef {
+  required int32 varnum = 1;
+}
+
+message Lvalue {
+  required VarRef varref = 1;
+}
+
+message Const {
+  required int32 val = 1;
+}
+
+message BinaryOp {
+  enum Op {
+    PLUS = 0;
+    MINUS = 1;
+    MUL = 2;
+    DIV = 3;
+    MOD = 4;
+    XOR = 5;
+    AND = 6;
+    OR = 7;
+    EQ = 8;
+    NE = 9;
+    LE = 10;
+    GE = 11;
+    LT = 12;
+    GT = 13;
+  };
+  required Op op = 1;
+  required Rvalue left = 2;
+  required Rvalue right = 3;
+}
+
+message Rvalue {
+  oneof rvalue_oneof {
+    VarRef varref = 1;
+    Const cons = 2;
+    BinaryOp binop = 3;
+  }
+}
+
+message AssignmentStatement {
+  required Lvalue lvalue = 1;
+  required Rvalue rvalue = 2;
+}
+
+
+message IfElse {
+  required Rvalue cond = 1;
+  required StatementSeq if_body = 2;
+  required StatementSeq else_body = 3;
+}
+
+message While {
+  required Rvalue cond = 1;
+  required StatementSeq body = 2;
+}
+
+message Statement {
+  oneof stmt_oneof {
+    AssignmentStatement assignment = 1;
+    IfElse              ifelse     = 2;
+    While               while_loop = 3;
+  }
+}
+
+message StatementSeq {
+  repeated Statement statements = 1;
+}
+
+message Function {
+  required StatementSeq statements = 1;
+}
+
+package clang_fuzzer;
Index: lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/CMakeLists.txt
===================================================================
--- /dev/null
+++ lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/CMakeLists.txt
@@ -0,0 +1,50 @@
+if(CLANG_ENABLE_PROTO_FUZZER)
+  set(LLVM_LINK_COMPONENTS
+    Support
+    )
+
+  add_llvm_fuzzer(lldb-expression-fuzzer
+    EXCLUDE_FROM_ALL
+    lldb-expression-fuzzer.cpp
+    )
+
+  if(TARGET lldb-expression-fuzzer)
+    target_include_directories(lldb-expression-fuzzer PRIVATE ..)
+
+    set(CLANG_CMAKE_MODULE_PATH
+      ${CMAKE_CURRENT_SOURCE_DIR}/../../../../clang/cmake/modules)
+
+    set(CMAKE_MODULE_PATH
+      ${CMAKE_MODULE_PATH}
+      ${CLANG_CMAKE_MODULE_PATH})
+
+    include(ProtobufMutator)
+    include_directories(${ProtobufMutator_INCLUDE_DIRS})
+
+    target_link_libraries(lldb-expression-fuzzer
+      PRIVATE
+      ${ProtobufMutator_LIBRARIES}
+      ${LLVM_LIB_FUZZING_ENGINE}
+      clangHandleCXX
+      clangCXXProto
+      clangProtoToCXX
+      liblldb
+      )
+
+    add_custom_command(TARGET lldb-expression-fuzzer PRE_BUILD
+      # Create and compile a simple C program using the command line. This is
+      # needed because LLDB's expression evaluator needs a legitmate target
+      # instead of a dummy target
+      COMMAND echo 'int main (int argc, char** argv) { return 0\; }' | clang -o main.out -xc -
+      )
+
+    # Create a directory for storing the fuzzer's artifacts and run the fuzzer with arguments that will
+    # not attempt to reduce the size of the inputs being generated
+    add_custom_target(fuzz-lldb-expression
+      COMMENT "Running the LLDB expression evaluator fuzzer..."
+      WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/fuzzer-artifacts/expression-artifacts
+      COMMAND $<TARGET_FILE:lldb-expression-fuzzer> -artifact_prefix=expression- -reduce_inputs=0
+      USES_TERMINAL
+      )
+  endif()
+endif()
Index: lldb/tools/lldb-fuzzer/CMakeLists.txt
===================================================================
--- lldb/tools/lldb-fuzzer/CMakeLists.txt
+++ lldb/tools/lldb-fuzzer/CMakeLists.txt
@@ -1,3 +1,4 @@
 add_subdirectory(lldb-commandinterpreter-fuzzer)
+add_subdirectory(lldb-expression-fuzzer)
 add_subdirectory(lldb-target-fuzzer)
 add_subdirectory(utils)
Index: clang/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt
===================================================================
--- clang/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt
+++ clang/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt
@@ -14,6 +14,8 @@
                   DEPENDS clangCXXLoopProto
                   LINK_LIBS clangCXXLoopProto ${PROTOBUF_LIBRARIES}
                   )
+target_include_directories(clangProtoToCXX PUBLIC .)
+target_include_directories(clangLoopProtoToCXX PUBLIC .)
 
 add_clang_executable(clang-proto-to-cxx proto_to_cxx_main.cpp)
 add_clang_executable(clang-loop-proto-to-cxx loop_proto_to_cxx_main.cpp)
Index: clang/tools/clang-fuzzer/handle-cxx/CMakeLists.txt
===================================================================
--- clang/tools/clang-fuzzer/handle-cxx/CMakeLists.txt
+++ clang/tools/clang-fuzzer/handle-cxx/CMakeLists.txt
@@ -11,3 +11,5 @@
   clangSerialization
   clangTooling
   )
+
+target_include_directories(clangHandleCXX PUBLIC .)

_______________________________________________
lldb-commits mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-commits

[Lldb-commits] [PATCH] D129377: [lldb/Fuzzer] Add fuzzer for expression evaluator

Reply via email to