[libc-commits] [libc] [libc] Add memcmp / bcmp fuzzers (PR #77741)
Guillaume Chatelet via libc-commits
libc-commits at lists.llvm.org
Thu Jan 11 01:47:11 PST 2024
https://github.com/gchatelet created https://github.com/llvm/llvm-project/pull/77741
None
>From b425a07ba1502bc57a301c5927b6af766b36e431 Mon Sep 17 00:00:00 2001
From: Guillaume Chatelet <gchatelet at google.com>
Date: Thu, 11 Jan 2024 09:46:26 +0000
Subject: [PATCH] [libc] Add memcmp / bcmp fuzzers
---
libc/fuzzing/CMakeLists.txt | 2 +-
libc/fuzzing/string/CMakeLists.txt | 16 ++++++++
libc/fuzzing/string/bcmp_fuzz.cpp | 52 ++++++++++++++++++++++++++
libc/fuzzing/string/memcmp_fuzz.cpp | 57 +++++++++++++++++++++++++++++
4 files changed, 126 insertions(+), 1 deletion(-)
create mode 100644 libc/fuzzing/string/bcmp_fuzz.cpp
create mode 100644 libc/fuzzing/string/memcmp_fuzz.cpp
diff --git a/libc/fuzzing/CMakeLists.txt b/libc/fuzzing/CMakeLists.txt
index a3ef888167ee3c..c08d46cd3ad769 100644
--- a/libc/fuzzing/CMakeLists.txt
+++ b/libc/fuzzing/CMakeLists.txt
@@ -1,4 +1,4 @@
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer,address")
add_custom_target(libc-fuzzer)
add_subdirectory(math)
diff --git a/libc/fuzzing/string/CMakeLists.txt b/libc/fuzzing/string/CMakeLists.txt
index 1885ee5f66ebf9..9dd4fceee3b596 100644
--- a/libc/fuzzing/string/CMakeLists.txt
+++ b/libc/fuzzing/string/CMakeLists.txt
@@ -24,3 +24,19 @@ add_libc_fuzzer(
libc.src.string.strstr
libc.src.string.strlen
)
+
+add_libc_fuzzer(
+ memcmp_fuzz
+ SRCS
+ memcmp_fuzz.cpp
+ DEPENDS
+ libc.src.string.memcmp
+)
+
+add_libc_fuzzer(
+ bcmp_fuzz
+ SRCS
+ bcmp_fuzz.cpp
+ DEPENDS
+ libc.src.string.bcmp
+)
diff --git a/libc/fuzzing/string/bcmp_fuzz.cpp b/libc/fuzzing/string/bcmp_fuzz.cpp
new file mode 100644
index 00000000000000..2b5685deda4e9e
--- /dev/null
+++ b/libc/fuzzing/string/bcmp_fuzz.cpp
@@ -0,0 +1,52 @@
+//===-- bcmp_fuzz.cpp ---------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+///
+/// Fuzzing test for llvm-libc bcmp implementation.
+///
+//===----------------------------------------------------------------------===//
+#include "src/string/bcmp.h"
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+static int reference_bcmp(const void *pa, const void *pb, size_t count)
+ __attribute__((no_builtin)) {
+ const auto *a = reinterpret_cast<const unsigned char *>(pa);
+ const auto *b = reinterpret_cast<const unsigned char *>(pb);
+ for (size_t i = 0; i < count; ++i, ++a, ++b)
+ if (*a != *b)
+ return 1;
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ const auto normalize = [](int value) -> int {
+ if (value == 0)
+ return 0;
+ return 1;
+ };
+ const auto count = size / 2;
+ const char *a = reinterpret_cast<const char *>(data);
+ const char *b = reinterpret_cast<const char *>(data) + count;
+ const int actual = LIBC_NAMESPACE::bcmp(a, b, count);
+ const int reference = reference_bcmp(a, b, count);
+ if (normalize(actual) == normalize(reference))
+ return 0;
+ const auto print = [](const char *msg, const char *buffer, size_t size) {
+ printf("%s\"", msg);
+ for (size_t i = 0; i < size; ++i)
+ printf("\\x%02x", (uint8_t)buffer[i]);
+ printf("\"\n");
+ };
+ print("a : ", a, count);
+ print("b : ", b, count);
+ printf("count : %zu\n", count);
+ printf("result: %d\n", reference);
+ __builtin_trap();
+}
diff --git a/libc/fuzzing/string/memcmp_fuzz.cpp b/libc/fuzzing/string/memcmp_fuzz.cpp
new file mode 100644
index 00000000000000..7690fb14956cbf
--- /dev/null
+++ b/libc/fuzzing/string/memcmp_fuzz.cpp
@@ -0,0 +1,57 @@
+//===-- memcmp_fuzz.cpp ---------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+///
+/// Fuzzing test for llvm-libc memcmp implementation.
+///
+//===----------------------------------------------------------------------===//
+#include "src/string/memcmp.h"
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+static int reference_memcmp(const void *pa, const void *pb, size_t count)
+ __attribute__((no_builtin)) {
+ const auto *a = reinterpret_cast<const unsigned char *>(pa);
+ const auto *b = reinterpret_cast<const unsigned char *>(pb);
+ for (size_t i = 0; i < count; ++i, ++a, ++b) {
+ if (*a < *b)
+ return -1;
+ else if (*a > *b)
+ return 1;
+ }
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ const auto sign = [](int value) -> int {
+ if (value < 0)
+ return -1;
+ if (value > 0)
+ return 1;
+ return 0;
+ };
+ const auto count = size / 2;
+ const char *a = reinterpret_cast<const char *>(data);
+ const char *b = reinterpret_cast<const char *>(data) + count;
+ const int actual = LIBC_NAMESPACE::memcmp(a, b, count);
+ const int reference = reference_memcmp(a, b, count);
+ if (sign(actual) == sign(reference))
+ return 0;
+ const auto print = [](const char *msg, const char *buffer, size_t size) {
+ printf("%s\"", msg);
+ for (size_t i = 0; i < size; ++i)
+ printf("\\x%02x", (uint8_t)buffer[i]);
+ printf("\"\n");
+ };
+ print("a : ", a, count);
+ print("b : ", b, count);
+ printf("count : %zu\n", count);
+ printf("result: %d\n", reference);
+ __builtin_trap();
+}
More information about the libc-commits
mailing list