cassanova updated this revision to Diff 444074. cassanova added a comment. The ProtobufMutator CMake module will build targets for clang and lldb individually depending on which project is building the mutator, instead of both fuzzers trying to build the same target.
The expression fuzzer's source file only includes handle-cxx and proto-to-cxx directly, instead of including them from their folders. The expression fuzzer's CMake file adds the clang-fuzzer binary directory as a include directory so that the lldb fuzzer does not need to generate a second copy of cxx_proto.pb.h and cxx_proto.pb.cc. It also requires the Protobuf library, grabs its definitions and includes the protobuf include dirs to prevent a protobuf header from not being found in the expression fuzzer source file. CHANGES SINCE LAST ACTION https://reviews.llvm.org/D129377/new/ https://reviews.llvm.org/D129377 Files: clang/cmake/modules/ProtobufMutator.cmake clang/tools/clang-fuzzer/handle-cxx/CMakeLists.txt clang/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt lldb/tools/lldb-fuzzer/CMakeLists.txt lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/CMakeLists.txt lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/cxx_proto.proto lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/lldb-expression-fuzzer.cpp
Index: lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/lldb-expression-fuzzer.cpp =================================================================== --- /dev/null +++ lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/lldb-expression-fuzzer.cpp @@ -0,0 +1,73 @@ +//===-- lldb-expression-fuzzer.cpp ---------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===---------------------------------------------------------------------===// +// +// \file +// This file is a fuzzer for LLDB's expression evaluator. It uses protobufs +// and the libprotobuf-mutator to create valid C-like inputs for the +// expression evaluator. +// +//===---------------------------------------------------------------------===// + +#include <string> + +#include "cxx_proto.pb.h" +#include "handle_cxx.h" +#include "lldb/API/SBBreakpoint.h" +#include "lldb/API/SBDebugger.h" +#include "lldb/API/SBError.h" +#include "lldb/API/SBLaunchInfo.h" +#include "lldb/API/SBProcess.h" +#include "lldb/API/SBTarget.h" +#include "proto_to_cxx.h" +#include "src/libfuzzer/libfuzzer_macro.h" +#include "llvm/ADT/StringRef.h" +#include "llvm/Support/Error.h" + +using namespace lldb; +using namespace llvm; +using namespace clang_fuzzer; + +char **originalargv; + +extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { + SBDebugger::Initialize(); + + // The path for a simple compiled program is needed to create a + // target for the debugger and that path is passed in through argv + originalargv = *argv; + return 0; +} + +DEFINE_BINARY_PROTO_FUZZER(const clang_fuzzer::Function &input) { + auto S = clang_fuzzer::FunctionToString(input); + + // Get the second argument from argv and strip the '--' from it. + // This will be used as the path for the object file to create a target from + std::string rawpath = originalargv[2]; + StringRef objpath = rawpath.erase(0, 2); + + // Create a debugger and a target + SBDebugger debugger = SBDebugger::Create(false); + SBTarget target = debugger.CreateTarget(objpath.str().c_str()); + + // Create a breakpoint on the only line in the program + SBBreakpoint bp = target.BreakpointCreateByLocation(objpath.str().c_str(), 1); + + // Create launch info and error for launching the process + SBLaunchInfo li = target.GetLaunchInfo(); + SBError error; + + // Launch the process and evaluate the fuzzer's input data + // as an expression + SBProcess process = target.Launch(li, error); + target.EvaluateExpression(S.c_str()); + + debugger.DeleteTarget(target); + SBDebugger::Destroy(debugger); + SBModule::GarbageCollectAllocatedModules(); +} Index: lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/cxx_proto.proto =================================================================== --- /dev/null +++ lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/cxx_proto.proto @@ -0,0 +1,92 @@ +//===-- cxx_proto.proto - Protobuf description of C++ ---------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +/// +/// \file +/// This file describes a subset of C++ as a protobuf. It is used to +/// more easily find interesting inputs for fuzzing Clang. +/// +//===----------------------------------------------------------------------===// + +syntax = "proto2"; + +message VarRef { + required int32 varnum = 1; +} + +message Lvalue { + required VarRef varref = 1; +} + +message Const { + required int32 val = 1; +} + +message BinaryOp { + enum Op { + PLUS = 0; + MINUS = 1; + MUL = 2; + DIV = 3; + MOD = 4; + XOR = 5; + AND = 6; + OR = 7; + EQ = 8; + NE = 9; + LE = 10; + GE = 11; + LT = 12; + GT = 13; + }; + required Op op = 1; + required Rvalue left = 2; + required Rvalue right = 3; +} + +message Rvalue { + oneof rvalue_oneof { + VarRef varref = 1; + Const cons = 2; + BinaryOp binop = 3; + } +} + +message AssignmentStatement { + required Lvalue lvalue = 1; + required Rvalue rvalue = 2; +} + + +message IfElse { + required Rvalue cond = 1; + required StatementSeq if_body = 2; + required StatementSeq else_body = 3; +} + +message While { + required Rvalue cond = 1; + required StatementSeq body = 2; +} + +message Statement { + oneof stmt_oneof { + AssignmentStatement assignment = 1; + IfElse ifelse = 2; + While while_loop = 3; + } +} + +message StatementSeq { + repeated Statement statements = 1; +} + +message Function { + required StatementSeq statements = 1; +} + +package clang_fuzzer; Index: lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/CMakeLists.txt =================================================================== --- /dev/null +++ lldb/tools/lldb-fuzzer/lldb-expression-fuzzer/CMakeLists.txt @@ -0,0 +1,54 @@ +if(CLANG_ENABLE_PROTO_FUZZER) + set(LLVM_LINK_COMPONENTS + Support + ) + + add_llvm_fuzzer(lldb-expression-fuzzer + EXCLUDE_FROM_ALL + lldb-expression-fuzzer.cpp + ) + + if(TARGET lldb-expression-fuzzer) + target_include_directories(lldb-expression-fuzzer PRIVATE ..) + find_package(Protobuf REQUIRED) + add_definitions(-DGOOGLE_PROTOBUF_NO_RTTI) + include_directories(${PROTOBUF_INCLUDE_DIRS}) + include_directories(${CMAKE_CURRENT_BINARY_DIR}/../../../../clang/tools/clang-fuzzer PRIVATE ..) + + set(CLANG_CMAKE_MODULE_PATH + ${CMAKE_CURRENT_SOURCE_DIR}/../../../../clang/cmake/modules) + + set(CMAKE_MODULE_PATH + ${CMAKE_MODULE_PATH} + ${CLANG_CMAKE_MODULE_PATH}) + + include(ProtobufMutator) + include_directories(${ProtobufMutator_INCLUDE_DIRS}) + + target_link_libraries(lldb-expression-fuzzer + PRIVATE + ${ProtobufMutator_LIBRARIES} + ${LLVM_LIB_FUZZING_ENGINE} + clangHandleCXX + clangCXXProto + clangProtoToCXX + liblldb + ) + + add_custom_command(TARGET lldb-expression-fuzzer PRE_BUILD + # Create and compile a simple C program using the command line. This is + # needed because LLDB's expression evaluator needs a legitmate target + # instead of a dummy target + COMMAND echo 'int main (int argc, char** argv) { return 0\; }' | clang -o main.out -xc - + ) + + # Create a directory for storing the fuzzer's artifacts and run the fuzzer with arguments that will + # not attempt to reduce the size of the inputs being generated + add_custom_target(fuzz-lldb-expression + COMMENT "Running the LLDB expression evaluator fuzzer..." + WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/fuzzer-artifacts/expression-artifacts + COMMAND $<TARGET_FILE:lldb-expression-fuzzer> -artifact_prefix=expression- -reduce_inputs=0 + USES_TERMINAL + ) + endif() +endif() Index: lldb/tools/lldb-fuzzer/CMakeLists.txt =================================================================== --- lldb/tools/lldb-fuzzer/CMakeLists.txt +++ lldb/tools/lldb-fuzzer/CMakeLists.txt @@ -1,3 +1,4 @@ add_subdirectory(lldb-commandinterpreter-fuzzer) +add_subdirectory(lldb-expression-fuzzer) add_subdirectory(lldb-target-fuzzer) add_subdirectory(utils) Index: clang/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt =================================================================== --- clang/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt +++ clang/tools/clang-fuzzer/proto-to-cxx/CMakeLists.txt @@ -14,6 +14,8 @@ DEPENDS clangCXXLoopProto LINK_LIBS clangCXXLoopProto ${PROTOBUF_LIBRARIES} ) +target_include_directories(clangProtoToCXX PUBLIC .) +target_include_directories(clangLoopProtoToCXX PUBLIC .) add_clang_executable(clang-proto-to-cxx proto_to_cxx_main.cpp) add_clang_executable(clang-loop-proto-to-cxx loop_proto_to_cxx_main.cpp) Index: clang/tools/clang-fuzzer/handle-cxx/CMakeLists.txt =================================================================== --- clang/tools/clang-fuzzer/handle-cxx/CMakeLists.txt +++ clang/tools/clang-fuzzer/handle-cxx/CMakeLists.txt @@ -11,3 +11,5 @@ clangSerialization clangTooling ) + +target_include_directories(clangHandleCXX PUBLIC .) Index: clang/cmake/modules/ProtobufMutator.cmake =================================================================== --- clang/cmake/modules/ProtobufMutator.cmake +++ clang/cmake/modules/ProtobufMutator.cmake @@ -1,5 +1,9 @@ include(ExternalProject) -set(PBM_PREFIX protobuf_mutator) +if (${CMAKE_CURRENT_SOURCE_DIR} MATCHES "clang") + set (PBM_PREFIX clang_protobuf_mutator) +elseif(${CMAKE_CURRENT_SOURCE_DIR} MATCHES "lldb") + set (PBM_PREFIX lldb_protobuf_mutator) +endif() set(PBM_PATH ${CMAKE_CURRENT_BINARY_DIR}/${PBM_PREFIX}/src/${PBM_PREFIX}) set(PBM_LIB_PATH ${PBM_PATH}-build/src/libprotobuf-mutator.a) set(PBM_FUZZ_LIB_PATH ${PBM_PATH}-build/src/libfuzzer/libprotobuf-mutator-libfuzzer.a)
_______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
