[lldb] Add a fuzzer for target creation

This patch adds a generic fuzzer that interprets inputs as object files and uses them to create a target in lldb. It is very similar to the llvm-dwarfdump fuzzer which found a bunch of issues in libObject. Differential revision: https://reviews.llvm.org/D122461
2022-03-25 09:03:52 -07:00 · 2022-03-25 09:03:52 -07:00 · 61efe14e21
parent 6168b42225
commit 61efe14e21
7 changed files with 124 additions and 0 deletions
--- a/lldb/tools/CMakeLists.txt
+++ b/lldb/tools/CMakeLists.txt
@ -6,6 +6,7 @@ add_subdirectory(intel-features)
 # i.e. if a target requires it as dependency. The typical
 # example is `check-lldb`. So, we pass EXCLUDE_FROM_ALL here.
 add_subdirectory(lldb-test EXCLUDE_FROM_ALL)
+add_subdirectory(lldb-fuzzer EXCLUDE_FROM_ALL)

 add_lldb_tool_subdirectory(lldb-instr)
 add_lldb_tool_subdirectory(lldb-vscode)
--- a/lldb/tools/lldb-fuzzer/CMakeLists.txt
+++ b/lldb/tools/lldb-fuzzer/CMakeLists.txt
@ -0,0 +1,17 @@
+add_subdirectory(utils)
+
+set(LLVM_LINK_COMPONENTS
+  Support
+  )
+
+add_llvm_fuzzer(lldb-target-fuzzer
+  EXCLUDE_FROM_ALL
+  lldb-target-fuzzer.cpp
+  )
+
+target_link_libraries(lldb-target-fuzzer
+  PRIVATE
+  liblldb
+  lldbFuzzerUtils
+  )
+
--- a/lldb/tools/lldb-fuzzer/lldb-target-fuzzer.cpp
+++ b/lldb/tools/lldb-fuzzer/lldb-target-fuzzer.cpp
@ -0,0 +1,35 @@
+//===-- lldb-target-fuzzer.cpp - Fuzz target creation ---------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include <utils/TempFile.h>
+
+#include "lldb/API/SBDebugger.h"
+#include "lldb/API/SBTarget.h"
+
+using namespace lldb;
+using namespace lldb_fuzzer;
+using namespace llvm;
+
+extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
+  SBDebugger::Initialize();
+  return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) {
+  std::unique_ptr<TempFile> file = TempFile::Create(data, size);
+  if (!file)
+    return 1;
+
+  SBDebugger debugger = SBDebugger::Create(false);
+  SBTarget target = debugger.CreateTarget(file->GetPath().data());
+  debugger.DeleteTarget(target);
+  SBDebugger::Destroy(debugger);
+  SBModule::GarbageCollectAllocatedModules();
+
+  return 0;
+}
--- a/lldb/tools/lldb-fuzzer/utils/CMakeLists.txt
+++ b/lldb/tools/lldb-fuzzer/utils/CMakeLists.txt
@ -0,0 +1,6 @@
+add_lldb_library(lldbFuzzerUtils
+  TempFile.cpp
+
+  LINK_COMPONENTS
+    Support
+  )
--- a/lldb/tools/lldb-fuzzer/utils/TempFile.cpp
+++ b/lldb/tools/lldb-fuzzer/utils/TempFile.cpp
@ -0,0 +1,33 @@
+//===-- TempFile.cpp ------------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "llvm/Support/FileSystem.h"
+#include <TempFile.h>
+
+using namespace lldb_fuzzer;
+using namespace llvm;
+
+TempFile::~TempFile() {
+  if (!m_path.empty())
+    sys::fs::remove(m_path.str(), true);
+}
+
+std::unique_ptr<TempFile> TempFile::Create(uint8_t *data, size_t size) {
+  int fd;
+  std::unique_ptr<TempFile> temp_file = std::make_unique<TempFile>();
+  std::error_code ec = sys::fs::createTemporaryFile("lldb-fuzzer", "input", fd,
+                                                    temp_file->m_path);
+  if (ec)
+    return nullptr;
+
+  raw_fd_ostream os(fd, true);
+  os.write(reinterpret_cast<const char *>(data), size);
+  os.close();
+
+  return temp_file;
+}
--- a/lldb/tools/lldb-fuzzer/utils/TempFile.h
+++ b/lldb/tools/lldb-fuzzer/utils/TempFile.h
@ -0,0 +1,27 @@
+//===-- TempFile.h ----------------------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "llvm/ADT/SmallString.h"
+#include "llvm/ADT/StringRef.h"
+#include "llvm/Support/Error.h"
+
+namespace lldb_fuzzer {
+
+class TempFile {
+public:
+  TempFile() = default;
+  ~TempFile();
+
+  static std::unique_ptr<TempFile> Create(uint8_t *data, size_t size);
+  llvm::StringRef GetPath() { return m_path.str(); }
+
+private:
+  llvm::SmallString<128> m_path;
+};
+
+} // namespace lldb_fuzzer
--- a/llvm/docs/FuzzingLLVM.rst
+++ b/llvm/docs/FuzzingLLVM.rst
@ -158,6 +158,11 @@ compatible with all of libFuzzer's features. See the notes above about
 .. |LLVM IR fuzzer|
   replace:: :ref:`structured LLVM IR fuzzer <fuzzing-llvm-ir>`

+lldb-target-fuzzer
+---------------------
+
+A |generic fuzzer| that interprets inputs as object files and uses them to
+create a target in lldb.

 Mutators and Input Generators
 =============================