llvm.org GIT mirror llvm / 1318d71
Build a lib/Fuzzer version for llvm-as. Summary: This CL is associated with a fuzzing effort to find bugs in LLVM. The first step is to fuzz llvm-as to find potential issues in generating IR. Both afl-fuzz and LLVM's lib/Fuzzer are being used. This CL introduces the executable that implements the in-process fuzzer using LLVM's lib/Fuzzer. The motivation for using lib/Fuzzer is based on time comparisons between afl-fuzz and lib/Fuzzer. Early results show that per-process, the lib/Fuzzer implementation of llvm-as (i.e. this CL) generates over 30 times the number of mutations found by afl-fuzz, per hour of runtime. The speedup is due to the removal of the overhead of forking a process and loading the executable into memory. I placed this under the tools directory, since it is an executable. It is also only conditionally built if (using cmake) the flag LLVM_USE_SANITIZE_COVERAGE is used, so that it isn't built by default. Reviewers: kcc, filcab Subscribers: llvm-commits Differential Revision: http://reviews.llvm.org/D12438 git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@246458 91177308-0d34-0410-b5e6-96231b3b80d8 Karl Schimpf 5 years ago
2 changed file(s) with 88 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
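--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -0,0 +1,13 @@
+if( LLVM_USE_SANITIZE_COVERAGE )
+set(LLVM_LINK_COMPONENTS
+AsmParser
+BitWriter
+Core
+Support
+)
+add_llvm_tool(llvm-as-fuzzer
+llvm-as-fuzzer.cpp)
+target_link_libraries(llvm-as-fuzzer
+LLVMFuzzer
+)
+endif()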
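--- a/llvm-as-fuzzer.cpp
+++ b/llvm-as-fuzzer.cpp
@@ -0,0 +1,75 @@
+//===--- fuzz-llvm-as.cpp - Fuzzer for llvm-as using lib/Fuzzer -----------===//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// Build tool to fuzz the LLVM assembler (llvm-as) using
+// lib/Fuzzer. The main reason for using this tool is that it is much
+// faster than using afl-fuzz, since it is run in-process.
+//
+//===----------------------------------------------------------------------===//
+
+#include "llvm/ADT/StringRef.h"
+#include "llvm/AsmParser/Parser.h"
+#include "llvm/IR/LLVMContext.h"
+#include "llvm/IR/Module.h"
+#include "llvm/IR/Verifier.h"
+#include "llvm/Support/ErrorHandling.h"
+#include "llvm/Support/MemoryBuffer.h"
+#include "llvm/Support/raw_ostream.h"
+#include "llvm/Support/SourceMgr.h"
+
+#include
+
+using namespace llvm;
+
+static jmp_buf JmpBuf;
+
+namespace {
+
+void MyFatalErrorHandler(void *user_data, const std::string& reason,
+bool gen_crash_diag) {
+// Don't bother printing reason, just return to the test function,
+// since a fatal error represents a successful parse (i.e. it correctly
+// terminated with an error message to the user).
+longjmp(JmpBuf, 1);
+}
+
+static bool InstalledHandler = false;
+
+} // end of anonymous namespace
+
+extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+
+// Allocate space for locals before setjmp so that memory can be collected
+// if parse exits prematurely (via longjmp).
+StringRef Input((const char *)Data, Size);
+// Note: We need to create a buffer to add a null terminator to the
+// end of the input string. The parser assumes that the string
+// parsed is always null terminated.
+std::unique_ptr MemBuf = MemoryBuffer::getMemBufferCopy(Input);
+SMDiagnostic Err;
+LLVMContext &Context = getGlobalContext();
+std::unique_ptr M;
+
+if (setjmp(JmpBuf))
+// If reached, we have returned with non-zero status, so exit.
+return;
+
+// TODO(kschimpf) Write a main to do this initialization.
+if (!InstalledHandler) {
+llvm::install_fatal_error_handler(::MyFatalErrorHandler, nullptr);
+InstalledHandler = true;
+}
+
+M = parseAssembly(MemBuf->getMemBufferRef(), Err, Context);
+
+if (!M.get())
+return;
+
+verifyModule(*M.get());
+}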