[libc-commits] [llvm] [libc] [libc] Add memcmp / bcmp fuzzers (PR #77741)
Guillaume Chatelet via libc-commits
libc-commits at lists.llvm.org
Thu Jan 11 02:01:04 PST 2024
https://github.com/gchatelet updated https://github.com/llvm/llvm-project/pull/77741
>From b425a07ba1502bc57a301c5927b6af766b36e431 Mon Sep 17 00:00:00 2001
From: Guillaume Chatelet <gchatelet at google.com>
Date: Thu, 11 Jan 2024 09:46:26 +0000
Subject: [PATCH 1/5] [libc] Add memcmp / bcmp fuzzers
---
libc/fuzzing/CMakeLists.txt | 2 +-
libc/fuzzing/string/CMakeLists.txt | 16 ++++++++
libc/fuzzing/string/bcmp_fuzz.cpp | 52 ++++++++++++++++++++++++++
libc/fuzzing/string/memcmp_fuzz.cpp | 57 +++++++++++++++++++++++++++++
4 files changed, 126 insertions(+), 1 deletion(-)
create mode 100644 libc/fuzzing/string/bcmp_fuzz.cpp
create mode 100644 libc/fuzzing/string/memcmp_fuzz.cpp
diff --git a/libc/fuzzing/CMakeLists.txt b/libc/fuzzing/CMakeLists.txt
index a3ef888167ee3c..c08d46cd3ad769 100644
--- a/libc/fuzzing/CMakeLists.txt
+++ b/libc/fuzzing/CMakeLists.txt
@@ -1,4 +1,4 @@
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer,address")
add_custom_target(libc-fuzzer)
add_subdirectory(math)
diff --git a/libc/fuzzing/string/CMakeLists.txt b/libc/fuzzing/string/CMakeLists.txt
index 1885ee5f66ebf9..9dd4fceee3b596 100644
--- a/libc/fuzzing/string/CMakeLists.txt
+++ b/libc/fuzzing/string/CMakeLists.txt
@@ -24,3 +24,19 @@ add_libc_fuzzer(
libc.src.string.strstr
libc.src.string.strlen
)
+
+add_libc_fuzzer(
+ memcmp_fuzz
+ SRCS
+ memcmp_fuzz.cpp
+ DEPENDS
+ libc.src.string.memcmp
+)
+
+add_libc_fuzzer(
+ bcmp_fuzz
+ SRCS
+ bcmp_fuzz.cpp
+ DEPENDS
+ libc.src.string.bcmp
+)
diff --git a/libc/fuzzing/string/bcmp_fuzz.cpp b/libc/fuzzing/string/bcmp_fuzz.cpp
new file mode 100644
index 00000000000000..2b5685deda4e9e
--- /dev/null
+++ b/libc/fuzzing/string/bcmp_fuzz.cpp
@@ -0,0 +1,52 @@
+//===-- bcmp_fuzz.cpp ---------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+///
+/// Fuzzing test for llvm-libc bcmp implementation.
+///
+//===----------------------------------------------------------------------===//
+#include "src/string/bcmp.h"
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+static int reference_bcmp(const void *pa, const void *pb, size_t count)
+ __attribute__((no_builtin)) {
+ const auto *a = reinterpret_cast<const unsigned char *>(pa);
+ const auto *b = reinterpret_cast<const unsigned char *>(pb);
+ for (size_t i = 0; i < count; ++i, ++a, ++b)
+ if (*a != *b)
+ return 1;
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ const auto normalize = [](int value) -> int {
+ if (value == 0)
+ return 0;
+ return 1;
+ };
+ const auto count = size / 2;
+ const char *a = reinterpret_cast<const char *>(data);
+ const char *b = reinterpret_cast<const char *>(data) + count;
+ const int actual = LIBC_NAMESPACE::bcmp(a, b, count);
+ const int reference = reference_bcmp(a, b, count);
+ if (normalize(actual) == normalize(reference))
+ return 0;
+ const auto print = [](const char *msg, const char *buffer, size_t size) {
+ printf("%s\"", msg);
+ for (size_t i = 0; i < size; ++i)
+ printf("\\x%02x", (uint8_t)buffer[i]);
+ printf("\"\n");
+ };
+ print("a : ", a, count);
+ print("b : ", b, count);
+ printf("count : %zu\n", count);
+ printf("result: %d\n", reference);
+ __builtin_trap();
+}
diff --git a/libc/fuzzing/string/memcmp_fuzz.cpp b/libc/fuzzing/string/memcmp_fuzz.cpp
new file mode 100644
index 00000000000000..7690fb14956cbf
--- /dev/null
+++ b/libc/fuzzing/string/memcmp_fuzz.cpp
@@ -0,0 +1,57 @@
+//===-- memcmp_fuzz.cpp ---------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+///
+/// Fuzzing test for llvm-libc memcmp implementation.
+///
+//===----------------------------------------------------------------------===//
+#include "src/string/memcmp.h"
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+static int reference_memcmp(const void *pa, const void *pb, size_t count)
+ __attribute__((no_builtin)) {
+ const auto *a = reinterpret_cast<const unsigned char *>(pa);
+ const auto *b = reinterpret_cast<const unsigned char *>(pb);
+ for (size_t i = 0; i < count; ++i, ++a, ++b) {
+ if (*a < *b)
+ return -1;
+ else if (*a > *b)
+ return 1;
+ }
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ const auto sign = [](int value) -> int {
+ if (value < 0)
+ return -1;
+ if (value > 0)
+ return 1;
+ return 0;
+ };
+ const auto count = size / 2;
+ const char *a = reinterpret_cast<const char *>(data);
+ const char *b = reinterpret_cast<const char *>(data) + count;
+ const int actual = LIBC_NAMESPACE::memcmp(a, b, count);
+ const int reference = reference_memcmp(a, b, count);
+ if (sign(actual) == sign(reference))
+ return 0;
+ const auto print = [](const char *msg, const char *buffer, size_t size) {
+ printf("%s\"", msg);
+ for (size_t i = 0; i < size; ++i)
+ printf("\\x%02x", (uint8_t)buffer[i]);
+ printf("\"\n");
+ };
+ print("a : ", a, count);
+ print("b : ", b, count);
+ printf("count : %zu\n", count);
+ printf("result: %d\n", reference);
+ __builtin_trap();
+}
>From bf140155ddb0ef18b7fcc6d26f211028438645f1 Mon Sep 17 00:00:00 2001
From: Guillaume Chatelet <gchatelet at google.com>
Date: Thu, 11 Jan 2024 09:56:38 +0000
Subject: [PATCH 2/5] remove address sanitizer addition from this patch
---
libc/fuzzing/CMakeLists.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libc/fuzzing/CMakeLists.txt b/libc/fuzzing/CMakeLists.txt
index c08d46cd3ad769..a3ef888167ee3c 100644
--- a/libc/fuzzing/CMakeLists.txt
+++ b/libc/fuzzing/CMakeLists.txt
@@ -1,4 +1,4 @@
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer,address")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer")
add_custom_target(libc-fuzzer)
add_subdirectory(math)
>From dbaf123bd7d9038bb91f10c584320baf8cfa25ec Mon Sep 17 00:00:00 2001
From: Guillaume Chatelet <gchatelet at google.com>
Date: Thu, 11 Jan 2024 09:57:39 +0000
Subject: [PATCH 3/5] Add documentation about odd fuzzed data size
---
libc/fuzzing/string/bcmp_fuzz.cpp | 1 +
libc/fuzzing/string/memcmp_fuzz.cpp | 1 +
2 files changed, 2 insertions(+)
diff --git a/libc/fuzzing/string/bcmp_fuzz.cpp b/libc/fuzzing/string/bcmp_fuzz.cpp
index 2b5685deda4e9e..3d352cf7b40dca 100644
--- a/libc/fuzzing/string/bcmp_fuzz.cpp
+++ b/libc/fuzzing/string/bcmp_fuzz.cpp
@@ -31,6 +31,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
return 0;
return 1;
};
+ // We ignore the last byte is size is odd.
const auto count = size / 2;
const char *a = reinterpret_cast<const char *>(data);
const char *b = reinterpret_cast<const char *>(data) + count;
diff --git a/libc/fuzzing/string/memcmp_fuzz.cpp b/libc/fuzzing/string/memcmp_fuzz.cpp
index 7690fb14956cbf..6531038a8e1b45 100644
--- a/libc/fuzzing/string/memcmp_fuzz.cpp
+++ b/libc/fuzzing/string/memcmp_fuzz.cpp
@@ -36,6 +36,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
return 1;
return 0;
};
+ // We ignore the last byte is size is odd.
const auto count = size / 2;
const char *a = reinterpret_cast<const char *>(data);
const char *b = reinterpret_cast<const char *>(data) + count;
>From acecda962b128c58e2876f1d9c2f03ae20b33ed1 Mon Sep 17 00:00:00 2001
From: Guillaume Chatelet <gchatelet at google.com>
Date: Thu, 11 Jan 2024 09:58:05 +0000
Subject: [PATCH 4/5] print count before buffers
---
libc/fuzzing/string/bcmp_fuzz.cpp | 2 +-
libc/fuzzing/string/memcmp_fuzz.cpp | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libc/fuzzing/string/bcmp_fuzz.cpp b/libc/fuzzing/string/bcmp_fuzz.cpp
index 3d352cf7b40dca..d2cedaeb775d58 100644
--- a/libc/fuzzing/string/bcmp_fuzz.cpp
+++ b/libc/fuzzing/string/bcmp_fuzz.cpp
@@ -45,9 +45,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
printf("\\x%02x", (uint8_t)buffer[i]);
printf("\"\n");
};
+ printf("count : %zu\n", count);
print("a : ", a, count);
print("b : ", b, count);
- printf("count : %zu\n", count);
printf("result: %d\n", reference);
__builtin_trap();
}
diff --git a/libc/fuzzing/string/memcmp_fuzz.cpp b/libc/fuzzing/string/memcmp_fuzz.cpp
index 6531038a8e1b45..fccce06306dd39 100644
--- a/libc/fuzzing/string/memcmp_fuzz.cpp
+++ b/libc/fuzzing/string/memcmp_fuzz.cpp
@@ -50,9 +50,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
printf("\\x%02x", (uint8_t)buffer[i]);
printf("\"\n");
};
+ printf("count : %zu\n", count);
print("a : ", a, count);
print("b : ", b, count);
- printf("count : %zu\n", count);
printf("result: %d\n", reference);
__builtin_trap();
}
>From 27bc3fa64981507a84c8915df9cbc6257751a894 Mon Sep 17 00:00:00 2001
From: Guillaume Chatelet <gchatelet at google.com>
Date: Thu, 11 Jan 2024 10:00:42 +0000
Subject: [PATCH 5/5] Add actual result as well as reference result
---
libc/fuzzing/string/bcmp_fuzz.cpp | 9 +++++----
libc/fuzzing/string/memcmp_fuzz.cpp | 9 +++++----
.../crash-f7dbdb2b330aad91f520099159e736e91bb9ddbf | Bin 0 -> 67 bytes
3 files changed, 10 insertions(+), 8 deletions(-)
create mode 100644 utils/bazel/crash-f7dbdb2b330aad91f520099159e736e91bb9ddbf
diff --git a/libc/fuzzing/string/bcmp_fuzz.cpp b/libc/fuzzing/string/bcmp_fuzz.cpp
index d2cedaeb775d58..65949dfdf0c562 100644
--- a/libc/fuzzing/string/bcmp_fuzz.cpp
+++ b/libc/fuzzing/string/bcmp_fuzz.cpp
@@ -45,9 +45,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
printf("\\x%02x", (uint8_t)buffer[i]);
printf("\"\n");
};
- printf("count : %zu\n", count);
- print("a : ", a, count);
- print("b : ", b, count);
- printf("result: %d\n", reference);
+ printf("count : %zu\n", count);
+ print("a : ", a, count);
+ print("b : ", b, count);
+ printf("expected : %d\n", reference);
+ printf("actual : %d\n", actual);
__builtin_trap();
}
diff --git a/libc/fuzzing/string/memcmp_fuzz.cpp b/libc/fuzzing/string/memcmp_fuzz.cpp
index fccce06306dd39..879c214422870c 100644
--- a/libc/fuzzing/string/memcmp_fuzz.cpp
+++ b/libc/fuzzing/string/memcmp_fuzz.cpp
@@ -50,9 +50,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
printf("\\x%02x", (uint8_t)buffer[i]);
printf("\"\n");
};
- printf("count : %zu\n", count);
- print("a : ", a, count);
- print("b : ", b, count);
- printf("result: %d\n", reference);
+ printf("count : %zu\n", count);
+ print("a : ", a, count);
+ print("b : ", b, count);
+ printf("expected : %d\n", reference);
+ printf("actual : %d\n", actual);
__builtin_trap();
}
diff --git a/utils/bazel/crash-f7dbdb2b330aad91f520099159e736e91bb9ddbf b/utils/bazel/crash-f7dbdb2b330aad91f520099159e736e91bb9ddbf
new file mode 100644
index 0000000000000000000000000000000000000000..5dd7dca5e358f48f0cc0fd92a530cc70cfea7189
GIT binary patch
literal 67
ZcmZQzI0*&}K)?ke at B?P3v@=54UjQvc1_S^A
literal 0
HcmV?d00001
More information about the libc-commits
mailing list