1//===-- lldb-expression-fuzzer.cpp ---------------------------------------===// 2// 3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4// See https://llvm.org/LICENSE.txt for license information. 5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6// 7//===---------------------------------------------------------------------===// 8// 9// \file 10// This file is a fuzzer for LLDB's expression evaluator. It uses protobufs 11// and the libprotobuf-mutator to create valid C-like inputs for the 12// expression evaluator. 13// 14//===---------------------------------------------------------------------===// 15 16#include <string> 17 18#include "cxx_proto.pb.h" 19#include "handle-cxx/handle_cxx.h" 20#include "lldb/API/SBBreakpoint.h" 21#include "lldb/API/SBDebugger.h" 22#include "lldb/API/SBError.h" 23#include "lldb/API/SBLaunchInfo.h" 24#include "lldb/API/SBProcess.h" 25#include "lldb/API/SBTarget.h" 26#include "proto-to-cxx/proto_to_cxx.h" 27#include "src/libfuzzer/libfuzzer_macro.h" 28#include "llvm/ADT/StringRef.h" 29#include "llvm/Support/Error.h" 30#include "llvm/Support/FileSystem.h" 31#include "llvm/Support/FormatVariadic.h" 32#include "llvm/Support/WithColor.h" 33 34using namespace lldb; 35using namespace llvm; 36using namespace clang_fuzzer; 37 38const char *target_path = nullptr; 39 40void ReportError(llvm::StringRef message) { 41 WithColor::error() << message << '\n'; 42 exit(1); 43} 44 45extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { 46#if !defined(_WIN32) 47 signal(SIGPIPE, SIG_IGN); 48#endif 49 50 // `target_path` can be set by either the "--lldb_fuzzer_target" commandline 51 // flag or the "LLDB_FUZZER_TARGET" environment variable. Arbitrarily, we 52 // always do flag parsing and only check the environment variable if the 53 // commandline flag is not set. 54 for (int i = 1; i < *argc; ++i) { 55 auto this_arg = llvm::StringRef((*argv)[i]); 56 WithColor::note() << "argv[" << i << "] = " << this_arg << "\n"; 57 if (this_arg.consume_front("--lldb_fuzzer_target=")) 58 target_path = this_arg.data(); 59 } 60 61 if (!target_path) 62 target_path = ::getenv("LLDB_FUZZER_TARGET"); 63 64 if (!target_path) 65 ReportError("No target path specified. Set one either as an environment " 66 "variable (i.e. LLDB_FUZZER_TARGET=target_path) or pass as a " 67 "command line flag (i.e. --lldb_fuzzer_target=target_path)."); 68 69 if (!sys::fs::exists(target_path)) 70 ReportError(formatv("target path '{0}' does not exist", target_path).str()); 71 72 SBDebugger::Initialize(); 73 74 return 0; 75} 76 77DEFINE_BINARY_PROTO_FUZZER(const clang_fuzzer::Function &input) { 78 std::string expression = clang_fuzzer::FunctionToString(input); 79 80 // Create a debugger and a target 81 SBDebugger debugger = SBDebugger::Create(false); 82 if (!debugger.IsValid()) 83 ReportError("Couldn't create debugger"); 84 85 SBTarget target = debugger.CreateTarget(target_path); 86 if (!target.IsValid()) 87 ReportError(formatv("Couldn't create target '{0}'", target_path).str()); 88 89 // Create a breakpoint on the only line in the program 90 SBBreakpoint breakpoint = target.BreakpointCreateByName("main", target_path); 91 if (!breakpoint.IsValid()) 92 ReportError("Couldn't create breakpoint"); 93 94 // Create launch info and error for launching the process 95 SBLaunchInfo launch_info = target.GetLaunchInfo(); 96 SBError error; 97 98 // Launch the process and evaluate the fuzzer's input data 99 // as an expression 100 SBProcess process = target.Launch(launch_info, error); 101 if (!process.IsValid() || error.Fail()) 102 ReportError("Couldn't launch process"); 103 104 SBValue value = target.EvaluateExpression(expression.c_str()); 105 106 debugger.DeleteTarget(target); 107 SBDebugger::Destroy(debugger); 108 SBModule::GarbageCollectAllocatedModules(); 109} 110