[sledge] Add a harness for lionhead fuzzers

Summary: This diff introduces a `-lib-fuzz` flag to `buck link`, which links in a simple main that calls the LLVMFuzzerTestOneInput function, which is the entry point of libFuzzer fuzzer. Reviewed By: jberdine, jvillard Differential Revision: D15821512 fbshipit-source-id: cff731ed3
6 years ago · 1614f78f6d
parent 696731523d
commit 1614f78f6d
4 changed files with 44 additions and 10 deletions
--- a/sledge/model/Makefile
+++ b/sledge/model/Makefile
@ -17,8 +17,11 @@ LIBCXXABI=$(ROOT)/llvm/projects/libcxxabi
 cxxabi.bc : cxxabi.cpp
 	$(LLVM)/bin/clang --sysroot=/usr $(CLANG_ARGS) -I$(LLVM)/include/c++/v1 -I$(LIBCXXABI)/include -I$(LIBCXXABI)/src -c -emit-llvm cxxabi.cpp

+lib_fuzzer_main.bc : lib_fuzzer_main.c
+	$(LLVM)/bin/clang $(CLANG_ARGS) -c -emit-llvm -o $@ $<
+
 clean:
-	rm cxxabi.bc
+	rm -f cxxabi.bc lib_fuzzer_main.bc

 fmt:
 	clang-format -i *.h *.c *.cpp
--- a/sledge/model/dune.in
+++ b/sledge/model/dune.in
@ -17,9 +17,15 @@ Jbuild_plugin.V1.send
 (deps cxxabi.cpp Makefile llair_intrinsics.h)
 (action (run make ROOT=../../.. cxxabi.bc)))

+(rule
+ (targets lib_fuzzer_main.bc)
+ (deps lib_fuzzer_main.c Makefile)
+ (action (run make ROOT=../../.. lib_fuzzer_main.bc)))
+
+
 (rule
 (targets model.ml)
- (deps cxxabi.bc)
+ (deps cxxabi.bc lib_fuzzer_main.bc)
 (action (run ocaml-crunch -m plain -e bc -o model.ml .)))

 (library
--- a/sledge/model/lib_fuzzer_main.c
+++ b/sledge/model/lib_fuzzer_main.c
@ -0,0 +1,17 @@
+/*
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+#include <stdint.h>
+#include <stdlib.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t* Data, size_t Size);
+
+int _llair_main() {
+  size_t Size = 13;
+  uint8_t Data[Size];
+  return LLVMFuzzerTestOneInput(Data, Size);
+}
--- a/sledge/src/sledge_buck.ml
+++ b/sledge/src/sledge_buck.ml
@ -130,16 +130,20 @@ let bitcode_files_of ~target =
  List.map ~f:(make_absolute (Lazy.force buck_root)) modules

 (* link and optimize the modules *)
-let llvm_link_opt ~output modules =
+let llvm_link_opt ~lib_fuzzer_harness ~output modules =
  let context = context () in
+  let modules = if lib_fuzzer_harness then "-" :: modules else modules in
  let open Process in
  eval ~context
-    ( run
-        (Lazy.force llvm_bin ^ "llvm-link")
-        ( "-internalize"
-        :: ( "-internalize-public-api-list="
-           ^ String.concat ~sep:"," (Config.find_list "entry_points") )
-        :: "-o=-" :: modules )
+    ( ( if lib_fuzzer_harness then
+        echo ~n:() (Option.value_exn (Model.read "/lib_fuzzer_main.bc"))
+      else return () )
+    |- run
+         (Lazy.force llvm_bin ^ "llvm-link")
+         ( "-internalize"
+         :: ( "-internalize-public-api-list="
+            ^ String.concat ~sep:"," (Config.find_list "entry_points") )
+         :: "-o=-" :: modules )
    |- run
         (Lazy.force llvm_bin ^ "opt")
         ["-o=" ^ output; "-globaldce"; "-globalopt"] )
@ -199,8 +203,12 @@ let main ~(command : unit Command.basic_command) ~analyze =
      and output =
        flag "output" (required abs_path_arg)
          ~doc:"<file> write linked output to <file>"
+      and lib_fuzzer_harness =
+        flag "lib-fuzzer" no_arg
+          ~doc:"add a harness for lib fuzzer binaries"
      in
-      fun () -> llvm_link_opt ~output (bitcode_files_of ~target)
+      fun () ->
+        llvm_link_opt ~lib_fuzzer_harness ~output (bitcode_files_of ~target)
    in
    command ~summary ~readme param
  in