1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
|
//===--- llvm-opt-fuzzer.cpp - Fuzzer for instruction selection ----------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// Tool to fuzz optimization passes using libFuzzer.
//
//===----------------------------------------------------------------------===//
#include "llvm/Bitcode/BitcodeReader.h"
#include "llvm/Bitcode/BitcodeWriter.h"
#include "llvm/CodeGen/CommandFlags.inc"
#include "llvm/FuzzMutate/FuzzerCLI.h"
#include "llvm/FuzzMutate/IRMutator.h"
#include "llvm/IR/Verifier.h"
#include "llvm/Passes/PassBuilder.h"
#include "llvm/Support/SourceMgr.h"
#include "llvm/Support/TargetRegistry.h"
#include "llvm/Support/TargetSelect.h"
using namespace llvm;
static cl::opt<std::string>
TargetTripleStr("mtriple", cl::desc("Override target triple for module"));
// Passes to run for this fuzzer instance. Expects new pass manager syntax.
static cl::opt<std::string> PassPipeline(
"passes",
cl::desc("A textual description of the pass pipeline for testing"));
static std::unique_ptr<IRMutator> Mutator;
static std::unique_ptr<TargetMachine> TM;
std::unique_ptr<IRMutator> createOptMutator() {
std::vector<TypeGetter> Types{
Type::getInt1Ty, Type::getInt8Ty, Type::getInt16Ty, Type::getInt32Ty,
Type::getInt64Ty, Type::getFloatTy, Type::getDoubleTy};
std::vector<std::unique_ptr<IRMutationStrategy>> Strategies;
Strategies.push_back(
llvm::make_unique<InjectorIRStrategy>(
InjectorIRStrategy::getDefaultOps()));
Strategies.push_back(
llvm::make_unique<InstDeleterIRStrategy>());
return llvm::make_unique<IRMutator>(std::move(Types), std::move(Strategies));
}
extern "C" LLVM_ATTRIBUTE_USED size_t LLVMFuzzerCustomMutator(
uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) {
assert(Mutator &&
"IR mutator should have been created during fuzzer initialization");
LLVMContext Context;
auto M = parseAndVerify(Data, Size, Context);
if (!M) {
errs() << "error: mutator input module is broken!\n";
return 0;
}
Mutator->mutateModule(*M, Seed, Size, MaxSize);
if (verifyModule(*M, &errs())) {
errs() << "mutation result doesn't pass verification\n";
#ifndef NDEBUG
M->dump();
#endif
// Avoid adding incorrect test cases to the corpus.
return 0;
}
std::string Buf;
{
raw_string_ostream OS(Buf);
WriteBitcodeToFile(*M, OS);
}
if (Buf.size() > MaxSize)
return 0;
// There are some invariants which are not checked by the verifier in favor
// of having them checked by the parser. They may be considered as bugs in the
// verifier and should be fixed there. However until all of those are covered
// we want to check for them explicitly. Otherwise we will add incorrect input
// to the corpus and this is going to confuse the fuzzer which will start
// exploration of the bitcode reader error handling code.
auto NewM = parseAndVerify(
reinterpret_cast<const uint8_t*>(Buf.data()), Buf.size(), Context);
if (!NewM) {
errs() << "mutator failed to re-read the module\n";
#ifndef NDEBUG
M->dump();
#endif
return 0;
}
memcpy(Data, Buf.data(), Buf.size());
return Buf.size();
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
assert(TM && "Should have been created during fuzzer initialization");
if (Size <= 1)
// We get bogus data given an empty corpus - ignore it.
return 0;
// Parse module
//
LLVMContext Context;
auto M = parseAndVerify(Data, Size, Context);
if (!M) {
errs() << "error: input module is broken!\n";
return 0;
}
// Set up target dependant options
//
M->setTargetTriple(TM->getTargetTriple().normalize());
M->setDataLayout(TM->createDataLayout());
setFunctionAttributes(TM->getTargetCPU(), TM->getTargetFeatureString(), *M);
// Create pass pipeline
//
PassBuilder PB(TM.get());
LoopAnalysisManager LAM;
FunctionAnalysisManager FAM;
CGSCCAnalysisManager CGAM;
ModulePassManager MPM;
ModuleAnalysisManager MAM;
FAM.registerPass([&] { return PB.buildDefaultAAPipeline(); });
PB.registerModuleAnalyses(MAM);
PB.registerCGSCCAnalyses(CGAM);
PB.registerFunctionAnalyses(FAM);
PB.registerLoopAnalyses(LAM);
PB.crossRegisterProxies(LAM, FAM, CGAM, MAM);
auto Err = PB.parsePassPipeline(MPM, PassPipeline, false, false);
assert(!Err && "Should have been checked during fuzzer initialization");
// Only fail with assert above, otherwise ignore the parsing error.
consumeError(std::move(Err));
// Run passes which we need to test
//
MPM.run(*M, MAM);
// Check that passes resulted in a correct code
if (verifyModule(*M, &errs())) {
errs() << "Transformation resulted in an invalid module\n";
abort();
}
return 0;
}
static void handleLLVMFatalError(void *, const std::string &Message, bool) {
// TODO: Would it be better to call into the fuzzer internals directly?
dbgs() << "LLVM ERROR: " << Message << "\n"
<< "Aborting to trigger fuzzer exit handling.\n";
abort();
}
extern "C" LLVM_ATTRIBUTE_USED int LLVMFuzzerInitialize(
int *argc, char ***argv) {
EnableDebugBuffering = true;
// Make sure we print the summary and the current unit when LLVM errors out.
install_fatal_error_handler(handleLLVMFatalError, nullptr);
// Initialize llvm
//
InitializeAllTargets();
InitializeAllTargetMCs();
PassRegistry &Registry = *PassRegistry::getPassRegistry();
initializeCore(Registry);
initializeCoroutines(Registry);
initializeScalarOpts(Registry);
initializeObjCARCOpts(Registry);
initializeVectorization(Registry);
initializeIPO(Registry);
initializeAnalysis(Registry);
initializeTransformUtils(Registry);
initializeInstCombine(Registry);
initializeAggressiveInstCombine(Registry);
initializeInstrumentation(Registry);
initializeTarget(Registry);
// Parse input options
//
handleExecNameEncodedOptimizerOpts(*argv[0]);
parseFuzzerCLOpts(*argc, *argv);
// Create TargetMachine
//
if (TargetTripleStr.empty()) {
errs() << *argv[0] << ": -mtriple must be specified\n";
exit(1);
}
Triple TargetTriple = Triple(Triple::normalize(TargetTripleStr));
std::string Error;
const Target *TheTarget =
TargetRegistry::lookupTarget(MArch, TargetTriple, Error);
if (!TheTarget) {
errs() << *argv[0] << ": " << Error;
exit(1);
}
TargetOptions Options = InitTargetOptionsFromCodeGenFlags();
TM.reset(TheTarget->createTargetMachine(
TargetTriple.getTriple(), getCPUStr(), getFeaturesStr(),
Options, getRelocModel(), getCodeModel(), CodeGenOpt::Default));
assert(TM && "Could not allocate target machine!");
// Check that pass pipeline is specified and correct
//
if (PassPipeline.empty()) {
errs() << *argv[0] << ": at least one pass should be specified\n";
exit(1);
}
PassBuilder PB(TM.get());
ModulePassManager MPM;
if (auto Err = PB.parsePassPipeline(MPM, PassPipeline, false, false)) {
errs() << *argv[0] << ": " << toString(std::move(Err)) << "\n";
exit(1);
}
// Create mutator
//
Mutator = createOptMutator();
return 0;
}
|