[compiler-rt] 597e407 - [libFuzzer] tests/examples for using libFuzzer for out-of-process targets
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Wed Aug 4 17:37:46 PDT 2021
Author: Kostya Serebryany
Date: 2021-08-04T17:37:26-07:00
New Revision: 597e407cf23b92db202732e6890561b2f2830a58
URL: https://github.com/llvm/llvm-project/commit/597e407cf23b92db202732e6890561b2f2830a58
DIFF: https://github.com/llvm/llvm-project/commit/597e407cf23b92db202732e6890561b2f2830a58.diff
LOG: [libFuzzer] tests/examples for using libFuzzer for out-of-process targets
[libFuzzer] tests/examples for using libFuzzer for out-of-process targets
Reviewed By: kostik
Differential Revision: https://reviews.llvm.org/D107498
Added:
compiler-rt/test/fuzzer/OutOfProcessFuzzTarget.cpp
compiler-rt/test/fuzzer/SanCovDump.cpp
compiler-rt/test/fuzzer/out-of-process-fuzz.test
Modified:
Removed:
################################################################################
diff --git a/compiler-rt/test/fuzzer/OutOfProcessFuzzTarget.cpp b/compiler-rt/test/fuzzer/OutOfProcessFuzzTarget.cpp
new file mode 100644
index 0000000000000..5a797103ebb80
--- /dev/null
+++ b/compiler-rt/test/fuzzer/OutOfProcessFuzzTarget.cpp
@@ -0,0 +1,86 @@
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+// This is a fuzz target for running out-of-process fuzzing for a
+// binary specified via environment variable LIBFUZZER_OOP_TARGET.
+// libFuzzer is not designed for out-of-process fuzzing and so this
+// ad-hoc rig lacks many of the in-process libFuzzer features, and is slow,
+// but it does provide the basic functionality, which is to run the target
+// many times in parallel, feeding in the mutants, and expanding the corpus.
+// Use this only for very slow targets (slower than ~ 10 exec/s)
+// that you can't convert to conventional libFuzzer fuzz targets.
+//
+// The target binary (which could be a shell script, or anything),
+// consumes one file as an input and produces the file with coverage counters
+// as the output (output path is passed via SANCOV_OUT).
+// One way to produce a valid binary target is to build it with
+// -fsanitize-coverage=inline-8bit-counters and link it with SanCovDump.cpp,
+// found in the same directory.
+//
+// Example usage:
+/*
+ clang -fsanitize=fuzzer OutOfProcessFuzzTarget.cpp -o oop-fuzz &&
+ clang -c -fsanitize-coverage=inline-8bit-counters SimpleTest.cpp &&
+ clang -c ../../lib/fuzzer/standalone/StandaloneFuzzTargetMain.c &&
+ clang -c SanCovDump.cpp &&
+ clang++ SanCovDump.o SimpleTest.o StandaloneFuzzTargetMain.o -o oop-target &&
+ rm -rf CORPUS && mkdir CORPUS && echo > CORPUS/seed &&
+ LIBFUZZER_OOP_TARGET="./oop-target > /dev/null 2>&1 " ./oop-fuzz CORPUS -jobs=42
+
+*/
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <string>
+
+// An arbitrary large number.
+// If your target is so large that it has more than this number of coverage
+// edges, you may want to increase this number to match your binary,
+// otherwise part of the coverage will be lost.
+// For small targets there is no reason to reduce this number.
+static const size_t kCountersSize = 1 << 20;
+
+__attribute__((section(
+ "__libfuzzer_extra_counters"))) static uint8_t Counters[kCountersSize];
+
+static std::string *Run, *IN, *COV;
+
+void TearDown() {
+ unlink(COV->c_str());
+ unlink(IN->c_str());
+}
+
+bool Initialize() {
+ IN = new std::string("lf-oop-in-" + std::to_string(getpid()));
+ COV = new std::string("lf-oop-cov-" + std::to_string(getpid()));
+ const char *TargetEnv = getenv("LIBFUZZER_OOP_TARGET");
+ if (!TargetEnv) {
+ fprintf(stderr, "Please define LIBFUZZER_OOP_TARGET\n");
+ exit(1);
+ }
+ Run = new std::string("SANCOV_OUT=" + *COV + " " + TargetEnv + " " + *IN);
+ fprintf(stderr, "libFuzzer: OOP command: %s\n", Run->c_str());
+ atexit(TearDown);
+ return true;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ static bool Inited = Initialize();
+ if (size == 0)
+ return 0;
+ if (FILE *f = fopen(IN->c_str(), "w")) {
+ fwrite(data, 1, size, f);
+ fclose(f);
+ }
+ system(Run->c_str());
+ if (FILE *f = fopen(COV->c_str(), "r")) {
+ fread(Counters, 1, kCountersSize, f);
+ fclose(f);
+ }
+ return 0;
+}
diff --git a/compiler-rt/test/fuzzer/SanCovDump.cpp b/compiler-rt/test/fuzzer/SanCovDump.cpp
new file mode 100644
index 0000000000000..c1b21a22568d6
--- /dev/null
+++ b/compiler-rt/test/fuzzer/SanCovDump.cpp
@@ -0,0 +1,31 @@
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+// Link this tiny library to a binary compiled with
+// -fsanitize-coverage=inline-8bit-counters.
+// When passed SANCOV_OUT=OUTPUT_PATH, the process will
+// dump the 8-bit coverage counters to the file, assuming
+// the regular exit() is called.
+//
+// See OutOfProcessFuzzTarget.cpp for usage.
+#include <stdio.h>
+#include <stdlib.h>
+
+static char *CovStart, *CovEnd;
+
+static void DumpCoverage() {
+ if (const char *DumpPath = getenv("SANCOV_OUT")) {
+ fprintf(stderr, "SanCovDump: %p %p %s\n", CovStart, CovEnd, DumpPath);
+ if (FILE *f = fopen(DumpPath, "w")) {
+ fwrite(CovStart, 1, CovEnd - CovStart, f);
+ fclose(f);
+ }
+ }
+}
+
+extern "C" void __sanitizer_cov_8bit_counters_init(char *Start, char *End) {
+ CovStart = Start;
+ CovEnd = End;
+ atexit(DumpCoverage);
+}
diff --git a/compiler-rt/test/fuzzer/out-of-process-fuzz.test b/compiler-rt/test/fuzzer/out-of-process-fuzz.test
new file mode 100644
index 0000000000000..4bd866061f1fc
--- /dev/null
+++ b/compiler-rt/test/fuzzer/out-of-process-fuzz.test
@@ -0,0 +1,21 @@
+REQUIRES: linux, x86_64
+RUN: rm -rf %t && mkdir %t
+RUN: cd %t
+RUN: %cpp_compiler %S/OutOfProcessFuzzTarget.cpp -o oop-fuzzer
+RUN: %no_fuzzer_cpp_compiler -fsanitize-coverage=inline-8bit-counters %S/SimpleTest.cpp -c -o SimpleTestOOP.o
+RUN: %no_fuzzer_c_compiler %S/../../lib/fuzzer/standalone/StandaloneFuzzTargetMain.c -c -o StandaloneFuzzTargetMainOOP.o
+RUN: %no_fuzzer_cpp_compiler %S/SanCovDump.cpp -c -o SanCovDumpOOP.o
+RUN: %no_fuzzer_cpp_compiler SimpleTestOOP.o StandaloneFuzzTargetMainOOP.o SanCovDumpOOP.o -o oop-target
+RUN: rm -rf OOP_CORPUS
+RUN: mkdir OOP_CORPUS
+RUN: echo "Hi" > OOP_CORPUS/seed
+RUN: echo %t
+
+# Out-of-process fuzzing with this rig is slow,
+# we can not wait for the fuzzer to find the faulty input.
+# Just run for a bit and observe the corpus expansion.
+RUN: LIBFUZZER_OOP_TARGET="./oop-target > /dev/null 2>&1 " ./oop-fuzzer -max_len=3 OOP_CORPUS -runs=1000 -jobs=4
+CHECK: Running: OOP_CORPUS/
+CHECK: Running: OOP_CORPUS/
+CHECK: Running: OOP_CORPUS/
+RUN: ./oop-target OOP_CORPUS/* 2>&1 | FileCheck %s
More information about the llvm-commits
mailing list