<div dir="ltr">One problem: with the current structure of flags libFuzzer's -jobs=10 does not work... <div>Thoughts? </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 16, 2015 at 9:25 PM, Kostya Serebryany <span dir="ltr"><<a href="mailto:kcc@google.com" target="_blank">kcc@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Cool! I'll add it to the bot when time permits. <div>I forgot to ask you to document the fuzzer</div><div>at <a href="http://llvm.org/docs/LibFuzzer.html#fuzzing-components-of-llvm" target="_blank">http://llvm.org/docs/LibFuzzer.html#fuzzing-components-of-llvm</a></div><div>Feel free to do it w/o prior review. </div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 16, 2015 at 4:49 AM, Daniel Sanders via llvm-commits <span dir="ltr"><<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: dsanders<br>
Date: Wed Sep 16 06:49:49 2015<br>
New Revision: 247786<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=247786&view=rev" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project?rev=247786&view=rev</a><br>
Log:<br>
llvm-mc-fuzzer: A fuzzing tool for the MC layer.<br>
<br>
Summary:<br>
Only the disassembler is supported in this patch but it has already found a few<br>
issues in the Mips disassembler (mostly invalid instructions being successfully<br>
disassembled).<br>
<br>
Reviewers: kcc<br>
<br>
Subscribers: russell.gallop, silvas, kcc, llvm-commits<br>
<br>
Differential Revision: <a href="http://reviews.llvm.org/D12723" rel="noreferrer" target="_blank">http://reviews.llvm.org/D12723</a><br>
<br>
Added:<br>
    llvm/trunk/tools/llvm-mc-fuzzer/<br>
    llvm/trunk/tools/llvm-mc-fuzzer/CMakeLists.txt<br>
    llvm/trunk/tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp<br>
Modified:<br>
    llvm/trunk/docs/LibFuzzer.rst<br>
<br>
Modified: llvm/trunk/docs/LibFuzzer.rst<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/docs/LibFuzzer.rst?rev=247786&r1=247785&r2=247786&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/docs/LibFuzzer.rst?rev=247786&r1=247785&r2=247786&view=diff</a><br>
==============================================================================<br>
--- llvm/trunk/docs/LibFuzzer.rst (original)<br>
+++ llvm/trunk/docs/LibFuzzer.rst Wed Sep 16 06:49:49 2015<br>
@@ -453,7 +453,14 @@ Trophies<br>
<br>
   * llvm-as: <a href="https://llvm.org/bugs/show_bug.cgi?id=24639" rel="noreferrer" target="_blank">https://llvm.org/bugs/show_bug.cgi?id=24639</a><br>
<br>
-<br>
+  * Disassembler:<br>
+    * Mips: Discovered a number of untested instructions for the Mips target<br>
+      (see valid-mips*.s in <a href="http://reviews.llvm.org/rL247405" rel="noreferrer" target="_blank">http://reviews.llvm.org/rL247405</a>,<br>
+      <a href="http://reviews.llvm.org/rL247414" rel="noreferrer" target="_blank">http://reviews.llvm.org/rL247414</a>, <a href="http://reviews.llvm.org/rL247416" rel="noreferrer" target="_blank">http://reviews.llvm.org/rL247416</a>,<br>
+      <a href="http://reviews.llvm.org/rL247417" rel="noreferrer" target="_blank">http://reviews.llvm.org/rL247417</a>, <a href="http://reviews.llvm.org/rL247420" rel="noreferrer" target="_blank">http://reviews.llvm.org/rL247420</a>,<br>
+      and <a href="http://reviews.llvm.org/rL247422" rel="noreferrer" target="_blank">http://reviews.llvm.org/rL247422</a>) as well some instructions that<br>
+      successfully disassembled on ISA's where they were not valid (see<br>
+      invalid-xfail.s files in the same commits).<br>
<br>
 .. _pcre2: <a href="http://www.pcre.org/" rel="noreferrer" target="_blank">http://www.pcre.org/</a><br>
<br>
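Review bot: the nested list in this hunk needs a blank line between "+  * Disassembler:" and "+    * Mips:" to be parsed as a sub-list by reStructuredText; as written, the "* Mips:" line is treated as continuation text of the "Disassembler:" item and the more-indented "(see valid-mips*.s ..." lines will produce an unexpected-indentation warning when the docs are built. Suggest inserting an empty "+" line between the two bullets. Two wording nits in the same paragraph: "as well some instructions" should read "as well as some instructions", and "ISA's" should be "ISAs".<br>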
<br>
Added: llvm/trunk/tools/llvm-mc-fuzzer/CMakeLists.txt<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/tools/llvm-mc-fuzzer/CMakeLists.txt?rev=247786&view=auto" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/tools/llvm-mc-fuzzer/CMakeLists.txt?rev=247786&view=auto</a><br>
==============================================================================<br>
--- llvm/trunk/tools/llvm-mc-fuzzer/CMakeLists.txt (added)<br>
+++ llvm/trunk/tools/llvm-mc-fuzzer/CMakeLists.txt Wed Sep 16 06:49:49 2015<br>
@@ -0,0 +1,18 @@<br>
+if( LLVM_USE_SANITIZE_COVERAGE )<br>
+  include_directories(BEFORE<br>
+    ${CMAKE_CURRENT_SOURCE_DIR}/../../lib/Fuzzer)<br>
+<br>
+  set(LLVM_LINK_COMPONENTS<br>
+      AllTargetsDescs<br>
+      AllTargetsDisassemblers<br>
+      AllTargetsInfos<br>
+      MC<br>
+      MCDisassembler<br>
+      Support<br>
+      )<br>
+  add_llvm_tool(llvm-mc-fuzzer<br>
+                llvm-mc-fuzzer.cpp)<br>
+  target_link_libraries(llvm-mc-fuzzer<br>
+                        LLVMFuzzerNoMain<br>
+                        )<br>
+endif()<br>
<br>
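Review bot: the include path "${CMAKE_CURRENT_SOURCE_DIR}/../../lib/Fuzzer" in this hunk hard-codes the tool's position relative to lib/Fuzzer, so FuzzerInterface.h silently stops being found if the tool directory is ever moved; "${LLVM_MAIN_SRC_DIR}/lib/Fuzzer" names the same location without depending on the relative layout.<br>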
Added: llvm/trunk/tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/llvm/trunk/tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp?rev=247786&view=auto" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/llvm/trunk/tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp?rev=247786&view=auto</a><br>
==============================================================================<br>
--- llvm/trunk/tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp (added)<br>
+++ llvm/trunk/tools/llvm-mc-fuzzer/llvm-mc-fuzzer.cpp Wed Sep 16 06:49:49 2015<br>
@@ -0,0 +1,129 @@<br>
+//===--- llvm-mc-fuzzer.cpp - Fuzzer for the MC layer ---------------------===//<br>
+//<br>
+//                     The LLVM Compiler Infrastructure<br>
+//<br>
+// This file is distributed under the University of Illinois Open Source<br>
+// License. See LICENSE.TXT for details.<br>
+//<br>
+//===----------------------------------------------------------------------===//<br>
+//<br>
+//===----------------------------------------------------------------------===//<br>
+<br>
+#include "llvm-c/Disassembler.h"<br>
+#include "llvm-c/Target.h"<br>
+#include "llvm/ADT/ArrayRef.h"<br>
+#include "llvm/MC/SubtargetFeature.h"<br>
+#include "llvm/Support/CommandLine.h"<br>
+#include "llvm/Support/raw_ostream.h"<br>
+#include "FuzzerInterface.h"<br>
+<br>
+using namespace llvm;<br>
+<br>
+const unsigned AssemblyTextBufSize = 80;<br>
+<br>
+enum ActionType {<br>
+  AC_Assemble,<br>
+  AC_Disassemble<br>
+};<br>
+<br>
+static cl::opt<ActionType><br>
+Action(cl::desc("Action to perform:"),<br>
+       cl::init(AC_Assemble),<br>
+       cl::values(clEnumValN(AC_Assemble, "assemble",<br>
+                             "Assemble a .s file (default)"),<br>
+                  clEnumValN(AC_Disassemble, "disassemble",<br>
+                             "Disassemble strings of hex bytes"),<br>
+                  clEnumValEnd));<br>
+<br>
+static cl::opt<std::string><br>
+    TripleName("triple", cl::desc("Target triple to assemble for, "<br>
+                                  "see -version for available targets"));<br>
+<br>
+static cl::opt<std::string><br>
+    MCPU("mcpu",<br>
+         cl::desc("Target a specific cpu type (-mcpu=help for details)"),<br>
+         cl::value_desc("cpu-name"), cl::init(""));<br>
+<br>
+static cl::list<std::string><br>
+    MAttrs("mattr", cl::CommaSeparated,<br>
+           cl::desc("Target specific attributes (-mattr=help for details)"),<br>
+           cl::value_desc("a1,+a2,-a3,..."));<br>
+// The feature string derived from -mattr's values.<br>
+std::string FeaturesStr;<br>
+<br>
+static cl::list<std::string><br>
+    FuzzerArgv("fuzzer-args", cl::Positional,<br>
+               cl::desc("Options to pass to the fuzzer"), cl::ZeroOrMore,<br>
+               cl::PositionalEatsArgs);<br>
+<br>
+void DisassembleOneInput(const uint8_t *Data, size_t Size) {<br>
+  char AssemblyText[AssemblyTextBufSize];<br>
+<br>
+  std::vector<uint8_t> DataCopy(Data, Data + Size);<br>
+<br>
+  LLVMDisasmContextRef Ctx = LLVMCreateDisasmCPUFeatures(<br>
+      TripleName.c_str(), MCPU.c_str(), FeaturesStr.c_str(), nullptr, 0,<br>
+      nullptr, nullptr);<br>
+  assert(Ctx);<br>
+  uint8_t *p = DataCopy.data();<br>
+  unsigned Consumed;<br>
+  do {<br>
+    Consumed = LLVMDisasmInstruction(Ctx, p, Size, 0, AssemblyText,<br>
+                                     AssemblyTextBufSize);<br>
+    Size -= Consumed;<br>
+    p += Consumed;<br>
+  } while (Consumed != 0);<br>
+  LLVMDisasmDispose(Ctx);<br>
+}<br>
+<br>
+int main(int argc, char **argv) {<br>
+  // The command line is unusual compared to other fuzzers due to the need to<br>
+  // specify the target. Options like -triple, -mcpu, and -mattr work like<br>
+  // their counterparts in llvm-mc, while -fuzzer-args collects options for the<br>
+  // fuzzer itself.<br>
+  //<br>
+  // Examples:<br>
+  //<br>
+  // Fuzz the big-endian MIPS32R6 disassembler using 100,000 inputs of up to<br>
+  // 4-bytes each and use the contents of ./corpus as the test corpus:<br>
+  //   llvm-mc-fuzzer -triple mips-linux-gnu -mcpu=mips32r6 -disassemble \<br>
+  //       -fuzzer-args -max_len=4 -runs=100000 ./corpus<br>
+  //<br>
+  // Infinitely fuzz the little-endian MIPS64R2 disassembler with the MSA<br>
+  // feature enabled using up to 64-byte inputs:<br>
+  //   llvm-mc-fuzzer -triple mipsel-linux-gnu -mcpu=mips64r2 -mattr=msa \<br>
+  //       -disassemble -fuzzer-args ./corpus<br>
+  //<br>
+  // If your aim is to find instructions that are not tested, then it is<br>
+  // advisable to constrain the maximum input size to a single instruction<br>
+  // using -max_len as in the first example. This results in a test corpus of<br>
+  // individual instructions that test unique paths. Without this constraint,<br>
+  // there will be considerable redundancy in the corpus.<br>
+<br>
+  LLVMInitializeAllTargetInfos();<br>
+  LLVMInitializeAllTargetMCs();<br>
+  LLVMInitializeAllDisassemblers();<br>
+<br>
+  cl::ParseCommandLineOptions(argc, argv);<br>
+<br>
+  // Package up features to be passed to target/subtarget<br>
+  // We have to pass it via a global since the callback doesn't<br>
+  // permit any user data.<br>
+  if (MAttrs.size()) {<br>
+    SubtargetFeatures Features;<br>
+    for (unsigned i = 0; i != MAttrs.size(); ++i)<br>
+      Features.AddFeature(MAttrs[i]);<br>
+    FeaturesStr = Features.getString();<br>
+  }<br>
+<br>
+  // Insert the program name into the FuzzerArgv.<br>
+  FuzzerArgv.insert(FuzzerArgv.begin(), argv[0]);<br>
+<br>
+  if (Action == AC_Assemble)<br>
+    errs() << "error: -assemble is not implemented\n";<br>
+  else if (Action == AC_Disassemble)<br>
+    return fuzzer::FuzzerDriver(FuzzerArgv, DisassembleOneInput);<br>
+<br>
+  llvm_unreachable("Unknown action");<br>
+  return 1;<br>
+}<br>
<br>
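Review bot: the default action falls through to llvm_unreachable in this hunk: with Action left at its default AC_Assemble, main prints "error: -assemble is not implemented" and then continues to llvm_unreachable("Unknown action"), which is an assertion failure in debug builds and undefined behaviour in release builds, so running the tool without -disassemble never exits cleanly with status 1. Add "return 1;" after the errs() line. Two further points in DisassembleOneInput: assert(Ctx) is the only check on the result of LLVMCreateDisasmCPUFeatures, so in an NDEBUG build an unknown -triple yields a null context that is handed to LLVMDisasmInstruction on the first input (and cassert is not included explicitly); checking the context for null once in main, before FuzzerDriver, with a proper error message would be more robust. Also, LLVMCreateDisasmCPUFeatures and LLVMDisasmDispose run for every input, rebuilding the whole target, subtarget and disassembler object set per iteration; since FeaturesStr is already a global because the callback takes no user data, the context can be created once in main the same way. Minor: LLVMDisasmInstruction returns size_t, so "unsigned Consumed" narrows it; size_t would be the natural type.<br>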
<br>
_______________________________________________<br>
llvm-commits mailing list<br>
<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a><br>
<a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits" rel="noreferrer" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits</a><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>