96 lines
2.9 KiB
C++
96 lines
2.9 KiB
C++
//===-- lldb-expression-fuzzer.cpp ---------------------------------------===//
|
|
//
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
|
//
|
|
//===---------------------------------------------------------------------===//
|
|
//
|
|
// \file
|
|
// This file is a fuzzer for LLDB's expression evaluator. It uses protobufs
|
|
// and the libprotobuf-mutator to create valid C-like inputs for the
|
|
// expression evaluator.
|
|
//
|
|
//===---------------------------------------------------------------------===//
|
|
|
|
#include <string>
|
|
|
|
#include "cxx_proto.pb.h"
|
|
#include "handle-cxx/handle_cxx.h"
|
|
#include "lldb/API/SBBreakpoint.h"
|
|
#include "lldb/API/SBDebugger.h"
|
|
#include "lldb/API/SBError.h"
|
|
#include "lldb/API/SBLaunchInfo.h"
|
|
#include "lldb/API/SBProcess.h"
|
|
#include "lldb/API/SBTarget.h"
|
|
#include "proto-to-cxx/proto_to_cxx.h"
|
|
#include "src/libfuzzer/libfuzzer_macro.h"
|
|
#include "llvm/ADT/StringRef.h"
|
|
#include "llvm/Support/Error.h"
|
|
#include "llvm/Support/FileSystem.h"
|
|
#include "llvm/Support/FormatVariadic.h"
|
|
#include "llvm/Support/WithColor.h"
|
|
|
|
using namespace lldb;
|
|
using namespace llvm;
|
|
using namespace clang_fuzzer;
|
|
|
|
char *target_path;
|
|
|
|
void ReportError(llvm::StringRef message) {
|
|
WithColor::error() << message << '\n';
|
|
exit(1);
|
|
}
|
|
|
|
extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
|
|
#if !defined(_WIN32)
|
|
signal(SIGPIPE, SIG_IGN);
|
|
#endif
|
|
|
|
target_path = ::getenv("LLDB_FUZZER_TARGET");
|
|
if (!target_path)
|
|
ReportError(
|
|
"no target path specified in with the LLDB_FUZZER_TARGET variable");
|
|
|
|
if (!sys::fs::exists(target_path))
|
|
ReportError(formatv("target path '{0}' does not exist", target_path).str());
|
|
|
|
SBDebugger::Initialize();
|
|
|
|
return 0;
|
|
}
|
|
|
|
DEFINE_BINARY_PROTO_FUZZER(const clang_fuzzer::Function &input) {
|
|
std::string expression = clang_fuzzer::FunctionToString(input);
|
|
|
|
// Create a debugger and a target
|
|
SBDebugger debugger = SBDebugger::Create(false);
|
|
if (!debugger.IsValid())
|
|
ReportError("Couldn't create debugger");
|
|
|
|
SBTarget target = debugger.CreateTarget(target_path);
|
|
if (!target.IsValid())
|
|
ReportError(formatv("Couldn't create target '{0}'", target_path).str());
|
|
|
|
// Create a breakpoint on the only line in the program
|
|
SBBreakpoint breakpoint = target.BreakpointCreateByName("main", target_path);
|
|
if (!breakpoint.IsValid())
|
|
ReportError("Couldn't create breakpoint");
|
|
|
|
// Create launch info and error for launching the process
|
|
SBLaunchInfo launch_info = target.GetLaunchInfo();
|
|
SBError error;
|
|
|
|
// Launch the process and evaluate the fuzzer's input data
|
|
// as an expression
|
|
SBProcess process = target.Launch(launch_info, error);
|
|
if (!process.IsValid() || error.Fail())
|
|
ReportError("Couldn't launch process");
|
|
|
|
SBValue value = target.EvaluateExpression(expression.c_str());
|
|
|
|
debugger.DeleteTarget(target);
|
|
SBDebugger::Destroy(debugger);
|
|
SBModule::GarbageCollectAllocatedModules();
|
|
}
|