[yaml2obj/obj2yaml] - Add support for .stack_sizes sections.
[llvm-complete.git] / tools / llvm-mc-disassemble-fuzzer / llvm-mc-disassemble-fuzzer.cpp
blobf998c465104388430f0815d29781e5abc1adde5b
1 //===-- llvm-mc-disassemble-fuzzer.cpp - Fuzzer for the MC layer ----------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 //===----------------------------------------------------------------------===//
11 #include "llvm-c/Disassembler.h"
12 #include "llvm-c/Target.h"
13 #include "llvm/MC/SubtargetFeature.h"
14 #include "llvm/Support/CommandLine.h"
15 #include "llvm/Support/raw_ostream.h"
17 using namespace llvm;
19 const unsigned AssemblyTextBufSize = 80;
21 static cl::opt<std::string>
22 TripleName("triple", cl::desc("Target triple to assemble for, "
23 "see -version for available targets"));
25 static cl::opt<std::string>
26 MCPU("mcpu",
27 cl::desc("Target a specific cpu type (-mcpu=help for details)"),
28 cl::value_desc("cpu-name"), cl::init(""));
30 // This is useful for variable-length instruction sets.
31 static cl::opt<unsigned> InsnLimit(
32 "insn-limit",
33 cl::desc("Limit the number of instructions to process (0 for no limit)"),
34 cl::value_desc("count"), cl::init(0));
36 static cl::list<std::string>
37 MAttrs("mattr", cl::CommaSeparated,
38 cl::desc("Target specific attributes (-mattr=help for details)"),
39 cl::value_desc("a1,+a2,-a3,..."));
40 // The feature string derived from -mattr's values.
41 std::string FeaturesStr;
43 static cl::list<std::string>
44 FuzzerArgs("fuzzer-args", cl::Positional,
45 cl::desc("Options to pass to the fuzzer"), cl::ZeroOrMore,
46 cl::PositionalEatsArgs);
47 static std::vector<char *> ModifiedArgv;
49 int DisassembleOneInput(const uint8_t *Data, size_t Size) {
50 char AssemblyText[AssemblyTextBufSize];
52 std::vector<uint8_t> DataCopy(Data, Data + Size);
54 LLVMDisasmContextRef Ctx = LLVMCreateDisasmCPUFeatures(
55 TripleName.c_str(), MCPU.c_str(), FeaturesStr.c_str(), nullptr, 0,
56 nullptr, nullptr);
57 assert(Ctx);
58 uint8_t *p = DataCopy.data();
59 unsigned Consumed;
60 unsigned InstructionsProcessed = 0;
61 do {
62 Consumed = LLVMDisasmInstruction(Ctx, p, Size, 0, AssemblyText,
63 AssemblyTextBufSize);
64 Size -= Consumed;
65 p += Consumed;
67 InstructionsProcessed ++;
68 if (InsnLimit != 0 && InstructionsProcessed < InsnLimit)
69 break;
70 } while (Consumed != 0);
71 LLVMDisasmDispose(Ctx);
72 return 0;
75 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
76 return DisassembleOneInput(Data, Size);
79 extern "C" LLVM_ATTRIBUTE_USED int LLVMFuzzerInitialize(int *argc,
80 char ***argv) {
81 // The command line is unusual compared to other fuzzers due to the need to
82 // specify the target. Options like -triple, -mcpu, and -mattr work like
83 // their counterparts in llvm-mc, while -fuzzer-args collects options for the
84 // fuzzer itself.
86 // Examples:
88 // Fuzz the big-endian MIPS32R6 disassembler using 100,000 inputs of up to
89 // 4-bytes each and use the contents of ./corpus as the test corpus:
90 // llvm-mc-fuzzer -triple mips-linux-gnu -mcpu=mips32r6 -disassemble \
91 // -fuzzer-args -max_len=4 -runs=100000 ./corpus
93 // Infinitely fuzz the little-endian MIPS64R2 disassembler with the MSA
94 // feature enabled using up to 64-byte inputs:
95 // llvm-mc-fuzzer -triple mipsel-linux-gnu -mcpu=mips64r2 -mattr=msa \
96 // -disassemble -fuzzer-args ./corpus
98 // If your aim is to find instructions that are not tested, then it is
99 // advisable to constrain the maximum input size to a single instruction
100 // using -max_len as in the first example. This results in a test corpus of
101 // individual instructions that test unique paths. Without this constraint,
102 // there will be considerable redundancy in the corpus.
104 char **OriginalArgv = *argv;
106 LLVMInitializeAllTargetInfos();
107 LLVMInitializeAllTargetMCs();
108 LLVMInitializeAllDisassemblers();
110 cl::ParseCommandLineOptions(*argc, OriginalArgv);
112 // Rebuild the argv without the arguments llvm-mc-fuzzer consumed so that
113 // the driver can parse its arguments.
115 // FuzzerArgs cannot provide the non-const pointer that OriginalArgv needs.
116 // Re-use the strings from OriginalArgv instead of copying FuzzerArg to a
117 // non-const buffer to avoid the need to clean up when the fuzzer terminates.
118 ModifiedArgv.push_back(OriginalArgv[0]);
119 for (const auto &FuzzerArg : FuzzerArgs) {
120 for (int i = 1; i < *argc; ++i) {
121 if (FuzzerArg == OriginalArgv[i])
122 ModifiedArgv.push_back(OriginalArgv[i]);
125 *argc = ModifiedArgv.size();
126 *argv = ModifiedArgv.data();
128 // Package up features to be passed to target/subtarget
129 // We have to pass it via a global since the callback doesn't
130 // permit any user data.
131 if (MAttrs.size()) {
132 SubtargetFeatures Features;
133 for (unsigned i = 0; i != MAttrs.size(); ++i)
134 Features.AddFeature(MAttrs[i]);
135 FeaturesStr = Features.getString();
138 if (TripleName.empty())
139 TripleName = sys::getDefaultTargetTriple();
141 return 0;