[libc] Add memcmp / bcmp fuzzers #77741
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@llvm/pr-subscribers-libc Author: Guillaume Chatelet (gchatelet) ChangesFull diff: https://github.com/llvm/llvm-project/pull/77741.diff 4 Files Affected:
diff --git a/libc/fuzzing/CMakeLists.txt b/libc/fuzzing/CMakeLists.txt
index a3ef888167ee3c..c08d46cd3ad769 100644
--- a/libc/fuzzing/CMakeLists.txt
+++ b/libc/fuzzing/CMakeLists.txt
@@ -1,4 +1,4 @@
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer,address")
add_custom_target(libc-fuzzer)
add_subdirectory(math)
diff --git a/libc/fuzzing/string/CMakeLists.txt b/libc/fuzzing/string/CMakeLists.txt
index 1885ee5f66ebf9..9dd4fceee3b596 100644
--- a/libc/fuzzing/string/CMakeLists.txt
+++ b/libc/fuzzing/string/CMakeLists.txt
@@ -24,3 +24,19 @@ add_libc_fuzzer(
libc.src.string.strstr
libc.src.string.strlen
)
+
+add_libc_fuzzer(
+ memcmp_fuzz
+ SRCS
+ memcmp_fuzz.cpp
+ DEPENDS
+ libc.src.string.memcmp
+)
+
+add_libc_fuzzer(
+ bcmp_fuzz
+ SRCS
+ bcmp_fuzz.cpp
+ DEPENDS
+ libc.src.string.bcmp
+)
diff --git a/libc/fuzzing/string/bcmp_fuzz.cpp b/libc/fuzzing/string/bcmp_fuzz.cpp
new file mode 100644
index 00000000000000..2b5685deda4e9e
--- /dev/null
+++ b/libc/fuzzing/string/bcmp_fuzz.cpp
@@ -0,0 +1,52 @@
+//===-- bcmp_fuzz.cpp ---------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+///
+/// Fuzzing test for llvm-libc bcmp implementation.
+///
+//===----------------------------------------------------------------------===//
+#include "src/string/bcmp.h"
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+static int reference_bcmp(const void *pa, const void *pb, size_t count)
+ __attribute__((no_builtin)) {
+ const auto *a = reinterpret_cast<const unsigned char *>(pa);
+ const auto *b = reinterpret_cast<const unsigned char *>(pb);
+ for (size_t i = 0; i < count; ++i, ++a, ++b)
+ if (*a != *b)
+ return 1;
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ const auto normalize = [](int value) -> int {
+ if (value == 0)
+ return 0;
+ return 1;
+ };
+ const auto count = size / 2;
+ const char *a = reinterpret_cast<const char *>(data);
+ const char *b = reinterpret_cast<const char *>(data) + count;
+ const int actual = LIBC_NAMESPACE::bcmp(a, b, count);
+ const int reference = reference_bcmp(a, b, count);
+ if (normalize(actual) == normalize(reference))
+ return 0;
+ const auto print = [](const char *msg, const char *buffer, size_t size) {
+ printf("%s\"", msg);
+ for (size_t i = 0; i < size; ++i)
+ printf("\\x%02x", (uint8_t)buffer[i]);
+ printf("\"\n");
+ };
+ print("a : ", a, count);
+ print("b : ", b, count);
+ printf("count : %zu\n", count);
+ printf("result: %d\n", reference);
+ __builtin_trap();
+}
diff --git a/libc/fuzzing/string/memcmp_fuzz.cpp b/libc/fuzzing/string/memcmp_fuzz.cpp
new file mode 100644
index 00000000000000..7690fb14956cbf
--- /dev/null
+++ b/libc/fuzzing/string/memcmp_fuzz.cpp
@@ -0,0 +1,57 @@
+//===-- memcmp_fuzz.cpp ---------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+///
+/// Fuzzing test for llvm-libc memcmp implementation.
+///
+//===----------------------------------------------------------------------===//
+#include "src/string/memcmp.h"
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+static int reference_memcmp(const void *pa, const void *pb, size_t count)
+ __attribute__((no_builtin)) {
+ const auto *a = reinterpret_cast<const unsigned char *>(pa);
+ const auto *b = reinterpret_cast<const unsigned char *>(pb);
+ for (size_t i = 0; i < count; ++i, ++a, ++b) {
+ if (*a < *b)
+ return -1;
+ else if (*a > *b)
+ return 1;
+ }
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ const auto sign = [](int value) -> int {
+ if (value < 0)
+ return -1;
+ if (value > 0)
+ return 1;
+ return 0;
+ };
+ const auto count = size / 2;
+ const char *a = reinterpret_cast<const char *>(data);
+ const char *b = reinterpret_cast<const char *>(data) + count;
+ const int actual = LIBC_NAMESPACE::memcmp(a, b, count);
+ const int reference = reference_memcmp(a, b, count);
+ if (sign(actual) == sign(reference))
+ return 0;
+ const auto print = [](const char *msg, const char *buffer, size_t size) {
+ printf("%s\"", msg);
+ for (size_t i = 0; i < size; ++i)
+ printf("\\x%02x", (uint8_t)buffer[i]);
+ printf("\"\n");
+ };
+ print("a : ", a, count);
+ print("b : ", b, count);
+ printf("count : %zu\n", count);
+ printf("result: %d\n", reference);
+ __builtin_trap();
+}
|
gchatelet
commented
Jan 11, 2024
libc/fuzzing/CMakeLists.txt
Outdated
| @@ -1,4 +1,4 @@ | |||
| set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer") | |||
| set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer,address") | |||
There was a problem hiding this comment.
https://llvm.org/docs/LibFuzzer.html#fuzzer-usage :
In most cases you may want to combine libFuzzer with AddressSanitizer (ASAN), UndefinedBehaviorSanitizer (UBSAN), or both.
There was a problem hiding this comment.
Let's do that in a separate patch
legrosbuffle
approved these changes
Jan 11, 2024
libc/fuzzing/CMakeLists.txt
Outdated
| @@ -1,4 +1,4 @@ | |||
| set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer") | |||
| set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=fuzzer,address") | |||
There was a problem hiding this comment.
Let's do that in a separate patch
|
In preparation for #77081 |
justinfargnoli
pushed a commit
to justinfargnoli/llvm-project
that referenced
this pull request
Jan 28, 2024
rupprecht
reviewed
Feb 21, 2024
There was a problem hiding this comment.
Just noticed this file and couldn't quite figure out what its use is. It looks like maybe it's an artifact of running the fuzz test and forgetting to exclude it from the commit. Is it needed for anything, or should we remove it?
There was a problem hiding this comment.
yes it's an artifact from running the fuzzer, and yes it's safe to remove.
gchatelet
added a commit
to gchatelet/llvm-project
that referenced
this pull request
Feb 26, 2024
gchatelet
added a commit
that referenced
this pull request
Feb 26, 2024
Indentified in #77741 (review)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.