1 //===--- fuzz-llvm-as.cpp - Fuzzer for llvm-as using lib/Fuzzer -----------===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // Build tool to fuzz the LLVM assembler (llvm-as) using
11 // lib/Fuzzer. The main reason for using this tool is that it is much
12 // faster than using afl-fuzz, since it is run in-process.
13 //
14 //===----------------------------------------------------------------------===//
15 
16 #include "llvm/ADT/StringRef.h"
17 #include "llvm/AsmParser/Parser.h"
18 #include "llvm/IR/LLVMContext.h"
19 #include "llvm/IR/Module.h"
20 #include "llvm/IR/Verifier.h"
21 #include "llvm/Support/ErrorHandling.h"
22 #include "llvm/Support/MemoryBuffer.h"
23 #include "llvm/Support/raw_ostream.h"
24 #include "llvm/Support/SourceMgr.h"
25 
26 #include <csetjmp>
27 
28 using namespace llvm;
29 
30 static jmp_buf JmpBuf;
31 
32 namespace {
33 
MyFatalErrorHandler(void * user_data,const std::string & reason,bool gen_crash_diag)34 void MyFatalErrorHandler(void *user_data, const std::string& reason,
35                          bool gen_crash_diag) {
36   // Don't bother printing reason, just return to the test function,
37   // since a fatal error represents a successful parse (i.e. it correctly
38   // terminated with an error message to the user).
39   longjmp(JmpBuf, 1);
40 }
41 
42 static bool InstalledHandler = false;
43 
44 } // end of anonymous namespace
45 
LLVMFuzzerTestOneInput(const uint8_t * Data,size_t Size)46 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
47 
48   // Allocate space for locals before setjmp so that memory can be collected
49   // if parse exits prematurely (via longjmp).
50   StringRef Input((const char *)Data, Size);
51   // Note: We need to create a buffer to add a null terminator to the
52   // end of the input string. The parser assumes that the string
53   // parsed is always null terminated.
54   std::unique_ptr<MemoryBuffer> MemBuf = MemoryBuffer::getMemBufferCopy(Input);
55   SMDiagnostic Err;
56   LLVMContext Context;
57   std::unique_ptr<Module> M;
58 
59   if (setjmp(JmpBuf))
60     // If reached, we have returned with non-zero status, so exit.
61     return 0;
62 
63   // TODO(kschimpf) Write a main to do this initialization.
64   if (!InstalledHandler) {
65     llvm::install_fatal_error_handler(::MyFatalErrorHandler, nullptr);
66     InstalledHandler = true;
67   }
68 
69   M = parseAssembly(MemBuf->getMemBufferRef(), Err, Context);
70 
71   if (!M.get())
72     return 0;
73 
74   verifyModule(*M.get());
75   return 0;
76 }
77