JDevlieghere created this revision. JDevlieghere added a reviewer: LLDB. Herald added a subscriber: mgorny. Herald added a project: All. JDevlieghere requested review of this revision.
This patch adds a fuzzer that interprets inputs as object files and makes lldb create targets from them. It is very similar to the llvm-dwarfdump fuzzer which found a bunch of issues in libObject. I let it run in the background for an hour or so and it identified 15 or so inputs that cause lldb to crash. https://reviews.llvm.org/D122461 Files: lldb/tools/CMakeLists.txt lldb/tools/lldb-fuzzer/CMakeLists.txt lldb/tools/lldb-fuzzer/lldb-fuzzer-target.cpp lldb/tools/lldb-fuzzer/utils/CMakeLists.txt lldb/tools/lldb-fuzzer/utils/TempFile.cpp lldb/tools/lldb-fuzzer/utils/TempFile.h
Index: lldb/tools/lldb-fuzzer/utils/TempFile.h =================================================================== --- /dev/null +++ lldb/tools/lldb-fuzzer/utils/TempFile.h @@ -0,0 +1,27 @@ +//===-- Utils.h -----------------------------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#include "llvm/ADT/SmallString.h" +#include "llvm/ADT/StringRef.h" +#include "llvm/Support/Error.h" + +namespace lldb_fuzzer { + +class TempFile { +public: + TempFile() = default; + ~TempFile(); + + static std::unique_ptr<TempFile> Create(uint8_t *data, size_t size); + llvm::StringRef GetPath() { return m_path.str(); } + +private: + llvm::SmallString<128> m_path; +}; + +} // namespace lldb_fuzzer Index: lldb/tools/lldb-fuzzer/utils/TempFile.cpp =================================================================== --- /dev/null +++ lldb/tools/lldb-fuzzer/utils/TempFile.cpp @@ -0,0 +1,33 @@ +//===-- Utils.cpp ---------------------------------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#include "llvm/Support/FileSystem.h" +#include <TempFile.h> + +using namespace lldb_fuzzer; +using namespace llvm; + +TempFile::~TempFile() { + if (!m_path.empty()) + sys::fs::remove(m_path.str(), true); +} + +std::unique_ptr<TempFile> TempFile::Create(uint8_t *data, size_t size) { + int fd; + std::unique_ptr<TempFile> temp_file = std::make_unique<TempFile>(); + std::error_code ec = sys::fs::createTemporaryFile("lldb-fuzzer", "input", fd, + temp_file->m_path); + if (ec) + return nullptr; + + raw_fd_ostream os(fd, true); + os.write(reinterpret_cast<const char *>(data), size); + os.close(); + + return temp_file; +} Index: lldb/tools/lldb-fuzzer/utils/CMakeLists.txt =================================================================== --- /dev/null +++ lldb/tools/lldb-fuzzer/utils/CMakeLists.txt @@ -0,0 +1,6 @@ +add_lldb_library(lldbFuzzerUtils + TempFile.cpp + + LINK_COMPONENTS + Support + ) Index: lldb/tools/lldb-fuzzer/lldb-fuzzer-target.cpp =================================================================== --- /dev/null +++ lldb/tools/lldb-fuzzer/lldb-fuzzer-target.cpp @@ -0,0 +1,34 @@ +//===-- lldb-fuzzer-target.cpp - Fuzz LLDB --------------------------------===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// + +#include <utils/TempFile.h> + +#include "lldb/API/SBDebugger.h" +#include "lldb/API/SBTarget.h" + +using namespace lldb; +using namespace lldb_fuzzer; +using namespace llvm; + +extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { + SBDebugger::Initialize(); + return 0; +} + +extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) { + auto file = TempFile::Create(data, size); + if (!file) + return 1; + + SBDebugger debugger = SBDebugger::Create(false); + SBTarget target = debugger.CreateTarget(file->GetPath().data()); + debugger.DeleteTarget(target); + SBDebugger::Destroy(debugger); + + return 0; +} Index: lldb/tools/lldb-fuzzer/CMakeLists.txt =================================================================== --- /dev/null +++ lldb/tools/lldb-fuzzer/CMakeLists.txt @@ -0,0 +1,17 @@ +add_subdirectory(utils) + +set(LLVM_LINK_COMPONENTS + Support + ) + +add_llvm_fuzzer(lldb-fuzzer-target + EXCLUDE_FROM_ALL + lldb-fuzzer-target.cpp + ) + +target_link_libraries(lldb-fuzzer-target + PRIVATE + liblldb + lldbFuzzerUtils + ) + Index: lldb/tools/CMakeLists.txt =================================================================== --- lldb/tools/CMakeLists.txt +++ lldb/tools/CMakeLists.txt @@ -6,6 +6,7 @@ # i.e. if a target requires it as dependency. The typical # example is `check-lldb`. So, we pass EXCLUDE_FROM_ALL here. add_subdirectory(lldb-test EXCLUDE_FROM_ALL) +add_subdirectory(lldb-fuzzer EXCLUDE_FROM_ALL) add_lldb_tool_subdirectory(lldb-instr) add_lldb_tool_subdirectory(lldb-vscode)
_______________________________________________ lldb-commits mailing list lldb-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-commits
