1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
//===-- lldb-expression-fuzzer.cpp ---------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===---------------------------------------------------------------------===//
//
// \file
// This file is a fuzzer for LLDB's expression evaluator. It uses protobufs
// and the libprotobuf-mutator to create valid C-like inputs for the
// expression evaluator.
//
//===---------------------------------------------------------------------===//
#include <string>
#include "cxx_proto.pb.h"
#include "handle-cxx/handle_cxx.h"
#include "lldb/API/SBBreakpoint.h"
#include "lldb/API/SBDebugger.h"
#include "lldb/API/SBError.h"
#include "lldb/API/SBLaunchInfo.h"
#include "lldb/API/SBProcess.h"
#include "lldb/API/SBTarget.h"
#include "proto-to-cxx/proto_to_cxx.h"
#include "src/libfuzzer/libfuzzer_macro.h"
#include "llvm/ADT/StringRef.h"
#include "llvm/Support/Error.h"
#include "llvm/Support/FileSystem.h"
#include "llvm/Support/FormatVariadic.h"
#include "llvm/Support/WithColor.h"
using namespace lldb;
using namespace llvm;
using namespace clang_fuzzer;
const char *target_path = nullptr;
void ReportError(llvm::StringRef message) {
WithColor::error() << message << '\n';
exit(1);
}
extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
#if !defined(_WIN32)
signal(SIGPIPE, SIG_IGN);
#endif
// `target_path` can be set by either the "--lldb_fuzzer_target" commandline
// flag or the "LLDB_FUZZER_TARGET" environment variable. Arbitrarily, we
// always do flag parsing and only check the environment variable if the
// commandline flag is not set.
for (int i = 1; i < *argc; ++i) {
auto this_arg = llvm::StringRef((*argv)[i]);
WithColor::note() << "argv[" << i << "] = " << this_arg << "\n";
if (this_arg.consume_front("--lldb_fuzzer_target="))
target_path = this_arg.data();
}
if (!target_path)
target_path = ::getenv("LLDB_FUZZER_TARGET");
if (!target_path)
ReportError("No target path specified. Set one either as an environment "
"variable (i.e. LLDB_FUZZER_TARGET=target_path) or pass as a "
"command line flag (i.e. --lldb_fuzzer_target=target_path).");
if (!sys::fs::exists(target_path))
ReportError(formatv("target path '{0}' does not exist", target_path).str());
SBDebugger::Initialize();
return 0;
}
DEFINE_BINARY_PROTO_FUZZER(const clang_fuzzer::Function &input) {
std::string expression = clang_fuzzer::FunctionToString(input);
// Create a debugger and a target
SBDebugger debugger = SBDebugger::Create(false);
if (!debugger.IsValid())
ReportError("Couldn't create debugger");
SBTarget target = debugger.CreateTarget(target_path);
if (!target.IsValid())
ReportError(formatv("Couldn't create target '{0}'", target_path).str());
// Create a breakpoint on the only line in the program
SBBreakpoint breakpoint = target.BreakpointCreateByName("main", target_path);
if (!breakpoint.IsValid())
ReportError("Couldn't create breakpoint");
// Create launch info and error for launching the process
SBLaunchInfo launch_info = target.GetLaunchInfo();
SBError error;
// Launch the process and evaluate the fuzzer's input data
// as an expression
SBProcess process = target.Launch(launch_info, error);
if (!process.IsValid() || error.Fail())
ReportError("Couldn't launch process");
SBValue value = target.EvaluateExpression(expression.c_str());
debugger.DeleteTarget(target);
SBDebugger::Destroy(debugger);
SBModule::GarbageCollectAllocatedModules();
}
|
