r375453 - [clang-fuzzer] Add new fuzzer target for Objective-C
David Goldman via cfe-commits
cfe-commits at lists.llvm.org
Mon Oct 21 13:45:02 PDT 2019
Author: dgoldman
Date: Mon Oct 21 13:45:02 2019
New Revision: 375453
URL: http://llvm.org/viewvc/llvm-project?rev=375453&view=rev
Log:
[clang-fuzzer] Add new fuzzer target for Objective-C
Summary:
- Similar to that of `clang-fuzzer` itself but instead only
targets Objective-C source files via cc1
- Also adds an example corpus directory containing some
input for Objective-C
Subscribers: mgorny, jfb, cfe-commits
Tags: #clang
Differential Revision: https://reviews.llvm.org/D69171
Added:
cfe/trunk/tools/clang-fuzzer/ClangObjectiveCFuzzer.cpp
- copied, changed from r375167, cfe/trunk/tools/clang-fuzzer/ClangFuzzer.cpp
cfe/trunk/tools/clang-fuzzer/corpus_examples/
cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/
cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/BasicClass.m
cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/ClassCategory.m
cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/ClassExtension.m
cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/SharedInstance.m
Modified:
cfe/trunk/tools/clang-fuzzer/CMakeLists.txt
cfe/trunk/tools/clang-fuzzer/ClangFuzzer.cpp
cfe/trunk/tools/clang-fuzzer/Dockerfile
cfe/trunk/tools/clang-fuzzer/README.txt
cfe/trunk/tools/clang-fuzzer/handle-cxx/handle_cxx.cpp
cfe/trunk/tools/clang-fuzzer/handle-cxx/handle_cxx.h
Modified: cfe/trunk/tools/clang-fuzzer/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/CMakeLists.txt?rev=375453&r1=375452&r2=375453&view=diff
==============================================================================
--- cfe/trunk/tools/clang-fuzzer/CMakeLists.txt (original)
+++ cfe/trunk/tools/clang-fuzzer/CMakeLists.txt Mon Oct 21 13:45:02 2019
@@ -12,6 +12,7 @@ endif()
# Needed by LLVM's CMake checks because this file defines multiple targets.
set(LLVM_OPTIONAL_SOURCES
ClangFuzzer.cpp
+ ClangObjectiveCFuzzer.cpp
DummyClangFuzzer.cpp
ExampleClangProtoFuzzer.cpp
ExampleClangLoopProtoFuzzer.cpp
@@ -119,4 +120,16 @@ target_link_libraries(clang-fuzzer
PRIVATE
${LLVM_LIB_FUZZING_ENGINE}
clangHandleCXX
+ )
+
+add_clang_executable(clang-objc-fuzzer
+ EXCLUDE_FROM_ALL
+ ${DUMMY_MAIN}
+ ClangObjectiveCFuzzer.cpp
+ )
+
+target_link_libraries(clang-objc-fuzzer
+ PRIVATE
+ ${LLVM_LIB_FUZZING_ENGINE}
+ clangHandleCXX
)
Modified: cfe/trunk/tools/clang-fuzzer/ClangFuzzer.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/ClangFuzzer.cpp?rev=375453&r1=375452&r2=375453&view=diff
==============================================================================
--- cfe/trunk/tools/clang-fuzzer/ClangFuzzer.cpp (original)
+++ cfe/trunk/tools/clang-fuzzer/ClangFuzzer.cpp Mon Oct 21 13:45:02 2019
@@ -20,6 +20,6 @@ extern "C" int LLVMFuzzerInitialize(int
extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) {
std::string s((const char *)data, size);
- HandleCXX(s, {"-O2"});
+ HandleCXX(s, "./test.cc", {"-O2"});
return 0;
}
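Review bot: The C-style cast on the line above the changed call, `std::string s((const char *)data, size);`, is now the only one left in these two entry points, because the copy in ClangObjectiveCFuzzer.cpp was switched to `reinterpret_cast` in this same commit; keeping both files in step makes future diffs between them trivial. Suggest `std::string s(reinterpret_cast<const char *>(data), size);` here as well. This is purely a style point; the behaviour is identical.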
Copied: cfe/trunk/tools/clang-fuzzer/ClangObjectiveCFuzzer.cpp (from r375167, cfe/trunk/tools/clang-fuzzer/ClangFuzzer.cpp)
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/ClangObjectiveCFuzzer.cpp?p2=cfe/trunk/tools/clang-fuzzer/ClangObjectiveCFuzzer.cpp&p1=cfe/trunk/tools/clang-fuzzer/ClangFuzzer.cpp&r1=375167&r2=375453&rev=375453&view=diff
==============================================================================
--- cfe/trunk/tools/clang-fuzzer/ClangFuzzer.cpp (original)
+++ cfe/trunk/tools/clang-fuzzer/ClangObjectiveCFuzzer.cpp Mon Oct 21 13:45:02 2019
@@ -1,4 +1,4 @@
-//===-- ClangFuzzer.cpp - Fuzz Clang --------------------------------------===//
+//===-- ClangObjectiveCFuzzer.cpp - Fuzz Clang ----------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
@@ -7,8 +7,8 @@
//===----------------------------------------------------------------------===//
///
/// \file
-/// This file implements a function that runs Clang on a single
-/// input. This function is then linked into the Fuzzer library.
+/// This file implements a function that runs Clang on a single Objective-C
+/// input. This function is then linked into the Fuzzer library.
///
//===----------------------------------------------------------------------===//
@@ -16,10 +16,9 @@
using namespace clang_fuzzer;
-extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { return 0; }
-
extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) {
- std::string s((const char *)data, size);
- HandleCXX(s, {"-O2"});
+ std::string s(reinterpret_cast<const char *>(data), size);
+ HandleCXX(s, "./test.m", {"-O2"});
return 0;
}
+
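Review bot: Dropping `LLVMFuzzerInitialize` here looks risky for the non-libFuzzer build: the CMake hunk links clang-objc-fuzzer with `${DUMMY_MAIN}`, and if that dummy driver references `LLVMFuzzerInitialize` (the sibling clang-fuzzer target, which still defines it, suggests it does), this executable will fail to link whenever `LLVM_LIB_FUZZING_ENGINE` is not a real fuzzing engine. Keeping the one-liner `extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { return 0; }` costs nothing and keeps the file parallel to ClangFuzzer.cpp. Separately, the only thing that distinguishes this target from clang-fuzzer is the `"./test.m"` path, so a comment such as `// The .m suffix is what makes cc1 parse the buffer as Objective-C.` above the HandleCXX call would make that intent explicit (presumably cc1 picks the language from the suffix since no -x flag is passed; confirm). The empty line added at the end of the file is stray trailing whitespace.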
Modified: cfe/trunk/tools/clang-fuzzer/Dockerfile
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/Dockerfile?rev=375453&r1=375452&r2=375453&view=diff
==============================================================================
--- cfe/trunk/tools/clang-fuzzer/Dockerfile (original)
+++ cfe/trunk/tools/clang-fuzzer/Dockerfile Mon Oct 21 13:45:02 2019
@@ -32,6 +32,7 @@ RUN mkdir build1 && cd build1 && cmake -
-DLLVM_USE_SANITIZER=Address -DCLANG_ENABLE_PROTO_FUZZER=ON
# Build the fuzzers
RUN cd build1 && ninja clang-fuzzer
+RUN cd build1 && ninja clang-objc-fuzzer
RUN cd build1 && ninja clang-proto-fuzzer
RUN cd build1 && ninja clang-proto-to-cxx
RUN cd build1 && ninja clang-loop-proto-to-cxx
Modified: cfe/trunk/tools/clang-fuzzer/README.txt
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/README.txt?rev=375453&r1=375452&r2=375453&view=diff
==============================================================================
--- cfe/trunk/tools/clang-fuzzer/README.txt (original)
+++ cfe/trunk/tools/clang-fuzzer/README.txt Mon Oct 21 13:45:02 2019
@@ -1,15 +1,21 @@
-This directory contains two utilities for fuzzing Clang: clang-fuzzer and
-clang-proto-fuzzer. Both use libFuzzer to generate inputs to clang via
-coverage-guided mutation.
+This directory contains three utilities for fuzzing Clang: clang-fuzzer,
+clang-objc-fuzzer, and clang-proto-fuzzer. All use libFuzzer to generate inputs
+to clang via coverage-guided mutation.
-The two utilities differ, however, in how they structure inputs to Clang.
+The three utilities differ, however, in how they structure inputs to Clang.
clang-fuzzer makes no attempt to generate valid C++ programs and is therefore
primarily useful for stressing the surface layers of Clang (i.e. lexer, parser).
+
+clang-objc-fuzzer is similar but for Objective-C: it makes no attempt to
+generate a valid Objective-C program.
+
clang-proto-fuzzer uses a protobuf class to describe a subset of the C++
language and then uses libprotobuf-mutator to mutate instantiations of that
class, producing valid C++ programs in the process. As a result,
clang-proto-fuzzer is better at stressing deeper layers of Clang and LLVM.
+Some of the fuzzers have example corpuses inside the corpus_examples directory.
+
===================================
Building clang-fuzzer
===================================
@@ -35,6 +41,35 @@ Example:
bin/clang-fuzzer CORPUS_DIR
+===================================
+ Building clang-objc-fuzzer
+===================================
+Within your LLVM build directory, run CMake with the following variable
+definitions:
+- CMAKE_C_COMPILER=clang
+- CMAKE_CXX_COMPILER=clang++
+- LLVM_USE_SANITIZE_COVERAGE=YES
+- LLVM_USE_SANITIZER=Address
+
+Then build the clang-objc-fuzzer target.
+
+Example:
+ cd $LLVM_SOURCE_DIR
+ mkdir build && cd build
+ cmake .. -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ \
+ -DLLVM_USE_SANITIZE_COVERAGE=YES -DLLVM_USE_SANITIZER=Address
+ ninja clang-objc-fuzzer
+
+======================
+ Running clang-objc-fuzzer
+======================
+ bin/clang-objc-fuzzer CORPUS_DIR
+
+e.g. using the example objc corpus,
+
+ bin/clang-objc-fuzzer <path to corpus_examples/objc> <path to new directory to store corpus findings>
+
+
=======================================================
Building clang-proto-fuzzer (Linux-only instructions)
=======================================================
Added: cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/BasicClass.m
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/BasicClass.m?rev=375453&view=auto
==============================================================================
--- cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/BasicClass.m (added)
+++ cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/BasicClass.m Mon Oct 21 13:45:02 2019
@@ -0,0 +1,29 @@
+ at interface RootObject
+ at end
+
+ at interface BasicClass : RootObject {
+ int _foo;
+ char _boolean;
+}
+
+ at property(nonatomic, assign) int bar;
+ at property(atomic, retain) id objectField;
+ at property(nonatomic, assign) id delegate;
+
+- (void)someMethod;
+ at end
+
+ at implementation BasicClass
+
+ at synthesize bar = _bar;
+ at synthesize objectField = _objectField;
+ at synthesize delegate = _delegate;
+
+- (void)someMethod {
+ int value = self.bar;
+ _foo = (_boolean != 0) ? self.bar : [self.objectField bar];
+ [self setBar:value];
+ id obj = self.objectField;
+}
+ at end
+
Added: cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/ClassCategory.m
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/ClassCategory.m?rev=375453&view=auto
==============================================================================
--- cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/ClassCategory.m (added)
+++ cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/ClassCategory.m Mon Oct 21 13:45:02 2019
@@ -0,0 +1,20 @@
+ at interface RootObject
+ at end
+
+ at interface BaseClass : RootObject
+ at property(atomic, assign, readonly) int field;
+ at end
+
+ at interface BaseClass(Private)
+ at property(atomic, assign, readwrite) int field;
+
+- (int)something;
+ at end
+
+ at implementation BaseClass
+- (int)something {
+ self.field = self.field + 1;
+ return self.field;
+}
+ at end
+
Added: cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/ClassExtension.m
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/ClassExtension.m?rev=375453&view=auto
==============================================================================
--- cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/ClassExtension.m (added)
+++ cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/ClassExtension.m Mon Oct 21 13:45:02 2019
@@ -0,0 +1,20 @@
+ at interface RootObject
+ at end
+
+ at interface BaseClass : RootObject
+ at end
+
+ at interface BaseClass() {
+ int _field1;
+}
+ at property(atomic, assign, readonly) int field2;
+
+- (int)addFields;
+ at end
+
+ at implementation BaseClass
+- (int)addFields {
+ return self->_field1 + [self field2];
+}
+ at end
+
Added: cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/SharedInstance.m
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/SharedInstance.m?rev=375453&view=auto
==============================================================================
--- cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/SharedInstance.m (added)
+++ cfe/trunk/tools/clang-fuzzer/corpus_examples/objc/SharedInstance.m Mon Oct 21 13:45:02 2019
@@ -0,0 +1,34 @@
+ at interface RootObject
++ (instancetype)alloc;
+
+- (instancetype)init;
+ at end
+
+ at interface BaseClass : RootObject
++ (instancetype)sharedInstance;
+
+- (instancetype)initWithFoo:(int)foo;
+ at end
+
+static BaseClass *sharedInstance = (void *)0;
+static int counter = 0;
+
+ at implementation BaseClass
++ (instancetype)sharedInstance {
+ if (sharedInstance) {
+ return sharedInstance;
+ }
+ sharedInstance = [[BaseClass alloc] initWithFoo:3];
+ return sharedInstance;
+}
+
+
+- (instancetype)initWithFoo:(int)foo {
+ self = [super init];
+ if (self) {
+ counter += foo;
+ }
+ return self;
+}
+ at end
+
Modified: cfe/trunk/tools/clang-fuzzer/handle-cxx/handle_cxx.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/handle-cxx/handle_cxx.cpp?rev=375453&r1=375452&r2=375453&view=diff
==============================================================================
--- cfe/trunk/tools/clang-fuzzer/handle-cxx/handle_cxx.cpp (original)
+++ cfe/trunk/tools/clang-fuzzer/handle-cxx/handle_cxx.cpp Mon Oct 21 13:45:02 2019
@@ -21,12 +21,13 @@
using namespace clang;
void clang_fuzzer::HandleCXX(const std::string &S,
+ const char *FileName,
const std::vector<const char *> &ExtraArgs) {
llvm::opt::ArgStringList CC1Args;
CC1Args.push_back("-cc1");
for (auto &A : ExtraArgs)
CC1Args.push_back(A);
- CC1Args.push_back("./test.cc");
+ CC1Args.push_back(FileName);
llvm::IntrusiveRefCntPtr<FileManager> Files(
new FileManager(FileSystemOptions()));
@@ -39,7 +40,7 @@ void clang_fuzzer::HandleCXX(const std::
tooling::newInvocation(&Diagnostics, CC1Args));
std::unique_ptr<llvm::MemoryBuffer> Input =
llvm::MemoryBuffer::getMemBuffer(S);
- Invocation->getPreprocessorOpts().addRemappedFile("./test.cc",
+ Invocation->getPreprocessorOpts().addRemappedFile(FileName,
Input.release());
std::unique_ptr<tooling::ToolAction> action(
tooling::newFrontendActionFactory<clang::EmitObjAction>());
Modified: cfe/trunk/tools/clang-fuzzer/handle-cxx/handle_cxx.h
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/handle-cxx/handle_cxx.h?rev=375453&r1=375452&r2=375453&view=diff
==============================================================================
--- cfe/trunk/tools/clang-fuzzer/handle-cxx/handle_cxx.h (original)
+++ cfe/trunk/tools/clang-fuzzer/handle-cxx/handle_cxx.h Mon Oct 21 13:45:02 2019
@@ -18,6 +18,7 @@
namespace clang_fuzzer {
void HandleCXX(const std::string &S,
+ const char *FileName,
const std::vector<const char *> &ExtraArgs);
} // namespace clang_fuzzer
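Review bot: Every caller of `HandleCXX` must be updated for the new `FileName` parameter, but the commit lists only ClangFuzzer.cpp and ClangObjectiveCFuzzer.cpp as modified while `ExampleClangProtoFuzzer.cpp` is also a source in this directory (see `LLVM_OPTIONAL_SOURCES` in the CMake hunk) and clang-proto-fuzzer is built in the Dockerfile; if that file calls `HandleCXX`, the `CLANG_ENABLE_PROTO_FUZZER=ON` build breaks until it passes a file name too. The new parameter is also undocumented: suggest a Doxygen comment above the declaration, e.g. `/// Runs a cc1 invocation on the buffer \p S, presented to clang under the path \p FileName; the suffix of that path ("./test.cc" vs "./test.m" in the callers) appears to be what selects the source language, and \p ExtraArgs are inserted after "-cc1".` Nothing in the visible part of handle_cxx.cpp rejects a null or empty `FileName` (it is pushed straight into the cc1 argument list and used as the remap key), so the comment should state that a non-empty, NUL-terminated path is required.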