LLVMはlibFuzzerというFuzzingの仕組みがあって、LDCからその機能を使うことができる。
こういうコードで試してみる。LDCは1.19.0。
import ldc.libfuzzer; import std.string; mixin DefineTestOneInput!fuzz_target; int fuzz_target(in ubyte[] data) { if (data == "FU".representation) assert(false); return 0; }
コンパイルオプションで -fsanitize=fuzzer
をつけることで試せるらしい。
実行してみる。
$ ldc2 -g -fsanitize=fuzzer fuzz.d $ ./fuzz WARNING: Failed to find function "__sanitizer_acquire_crash_state". WARNING: Failed to find function "__sanitizer_print_stack_trace". WARNING: Failed to find function "__sanitizer_set_death_callback". INFO: Seed: 1969889841 INFO: Loaded 1 modules (25 inline 8-bit counters): 25 [0x56393139edb0, 0x56393139edc9), INFO: Loaded 1 PC tables (25 PCs): 25 [0x56393139edd0,0x56393139ef60), INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes INFO: A corpus is not provided, starting from an empty corpus #2 INITED cov: 7 ft: 7 corp: 1/1b exec/s: 0 rss: 24Mb NEW_FUNC[1/1]: 0x5639313194b1 #5 NEW cov: 9 ft: 9 corp: 2/3b lim: 4 exec/s: 0 rss: 24Mb L: 2/2 MS: 3 ChangeByte-CopyPart-InsertByte- #4194304 pulse cov: 9 ft: 9 corp: 2/3b lim: 4096 exec/s: 2097152 rss: 24Mb #8388608 pulse cov: 9 ft: 9 corp: 2/3b lim: 4096 exec/s: 1677721 rss: 24Mb core.exception.AssertError@fuzz.d(10): Assertion failure ---------------- ??:? [0x563931355425] ??:? [0x563931374daa] ??:? [0x56393135bbdd] ??:? [0x56393135533c] fuzz.d:10 [0x5639313192f1] libfuzzer.di:66 [0x56393131918a] FuzzerLoop.cpp:553 [0x563931337486] FuzzerLoop.cpp:469 [0x56393133d437] FuzzerLoop.cpp:696 [0x56393133f62b] FuzzerLoop.cpp:831 [0x5639313407aa] FuzzerDriver.cpp:825 [0x56393132ad79] FuzzerMain.cpp:19 [0x563931318ef2] ??:? __libc_start_main [0x7f6dc7dccb96] ??:? [0x563931318fa9] uncaught exception core.exception.AssertError@/home/kubo39/dlang/ldc-1.19.0/bin/../import/ldc/libfuzzer.di(73): Assertion failure ---------------- ??:? [0x563931355425] ??:? [0x563931374daa] ??:? [0x56393135bbdd] ??:? [0x56393135533c] libfuzzer.di:73 [0x563931319204] FuzzerLoop.cpp:553 [0x563931337486] FuzzerLoop.cpp:469 [0x56393133d437] FuzzerLoop.cpp:696 [0x56393133f62b] FuzzerLoop.cpp:831 [0x5639313407aa] FuzzerDriver.cpp:825 [0x56393132ad79] FuzzerMain.cpp:19 [0x563931318ef2] ??:? __libc_start_main [0x7f6dc7dccb96] ??:? [0x563931318fa9] ==5215== ERROR: libFuzzer: deadly signal NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash reports. SUMMARY: libFuzzer: deadly signal MS: 3 ChangeBit-InsertByte-ChangeBinInt-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc 0x46,0x55, FU artifact_prefix='./'; Test unit written to ./crash-510e70573bca51a824e345d5cff7448f740203fb Base64: RlU=
なんだか出力の結果が怪しいが、とりあえずlibFuzzer runtime上で動いているようにみえる。