@andrewrk
Created July 21, 2024 22:43
anatomy of fuzz tested llvm ir
# Compile test.c to textual LLVM IR (test.ll) with libFuzzer's compile-time
# instrumentation (SanitizerCoverage) applied, but without linking the
# libFuzzer runtime:
#   -fsanitize=fuzzer-no-link   instrument only; the program keeps its own main()
#   -S -emit-llvm               stop after IR generation and emit .ll text
#   -c                          no link step
# No -O level is given, so the IR below is -O0 output (see optnone on @main).
$ clang -c test.c -fsanitize=fuzzer-no-link -S -emit-llvm
/* Hand-written prototype instead of #include <stdio.h>, so the emitted IR
 * contains only this declaration and no header noise. */
int printf(const char *, ...);
/* Specimen entry point. Deliberately minimal (one call, constant return) so
 * that every additional instruction in the IR below can be attributed to the
 * fuzzer instrumentation rather than to the program itself.
 * argc and argv are accepted but never read. Returns 0. */
int main(int argc, char **argv) {
    printf("hello world\n");
    return 0;
}
; ModuleID = 'test.c'
source_filename = "test.c"
; Plain x86-64 Linux layout/triple; nothing fuzzer-specific here.
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-i128:128-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
; @main gets its own nodeduplicate comdat; the per-function counter and
; PC-table globals below are tagged comdat($main) so the linker keeps or
; discards them together with the function they describe.
$main = comdat nodeduplicate
$sancov.module_ctor_8bit_counters = comdat any
; printf format string: "hello world\n" plus the NUL terminator (13 bytes).
@.str = private unnamed_addr constant [13 x i8] c"hello world\0A\00", align 1
; Per-thread low-water mark of the stack address, maintained by the stack-depth
; instrumentation in @main. Defined in the sanitizer runtime (external).
@__sancov_lowest_stack = external thread_local(initialexec) global i64
; Inline 8-bit coverage counter: one writable byte per instrumented edge,
; collected in the dedicated "__sancov_cntrs" section so the runtime can walk
; the whole array. @main has a single counter, hence [1 x i8].
@__sancov_gen_ = private global [1 x i8] zeroinitializer, section "__sancov_cntrs", comdat($main), align 1
; Matching PC table in "__sancov_pcs": a read-only (address, flags) pair per
; counter. The flags value 1 is SanitizerCoverage's "function entry" marker.
@__sancov_gen_.1 = private constant [2 x ptr] [ptr @main, ptr inttoptr (i64 1 to ptr)], section "__sancov_pcs", comdat($main), align 8
; __start_/__stop_ section-boundary symbols are synthesized by the ELF linker;
; extern_weak presumably so the module still links when a section is absent.
@__start___sancov_cntrs = extern_weak hidden global i8
@__stop___sancov_cntrs = extern_weak hidden global i8
; Register the module constructor at priority 2, i.e. well before ordinary
; (65535) constructors, so the counters are known to the runtime before any
; instrumented code runs. The third element is the associated global.
@llvm.global_ctors = appending global [1 x { i32, ptr, ptr }] [{ i32 2, ptr @sancov.module_ctor_8bit_counters, ptr @sancov.module_ctor_8bit_counters }]
@__start___sancov_pcs = extern_weak hidden global i64
@__stop___sancov_pcs = extern_weak hidden global i64
; llvm.used / llvm.compiler.used pin the constructor and the two instrumentation
; globals so they survive even though no program code references them.
@llvm.used = appending global [1 x ptr] [ptr @sancov.module_ctor_8bit_counters], section "llvm.metadata"
@llvm.compiler.used = appending global [2 x ptr] [ptr @__sancov_gen_, ptr @__sancov_gen_.1], section "llvm.metadata"
; Function Attrs: noinline nounwind optforfuzzing optnone uwtable
; @main as emitted at -O0 (optnone). Everything between the allocas and the
; store to %retval is instrumentation; only the last five instructions belong
; to the original program.
define dso_local i32 @main(i32 noundef %argc, ptr noundef %argv) #0 comdat {
entry:
  %retval = alloca i32, align 4
  %argc.addr = alloca i32, align 4
  %argv.addr = alloca ptr, align 8
  ; --- inline 8-bit counter: bump this function's coverage byte. A plain
  ; non-atomic load/add/store on an i8, so the count wraps modulo 256.
  ; !nosanitize marks these accesses so other sanitizers leave them alone.
  %0 = load i8, ptr @__sancov_gen_, align 1, !nosanitize !6
  %1 = add i8 %0, 1
  store i8 %1, ptr @__sancov_gen_, align 1, !nosanitize !6
  ; --- stack-depth tracing: take this frame's address and, if it is below the
  ; thread's recorded lowest stack address, record it. Presumably consumed by
  ; the fuzzer runtime as a "how deep did this input go" signal.
  %2 = call ptr @llvm.frameaddress.p0(i32 0)
  %3 = ptrtoint ptr %2 to i64
  %4 = load i64, ptr @__sancov_lowest_stack, align 8, !nosanitize !6
  %5 = icmp ult i64 %3, %4
  br i1 %5, label %6, label %7
6: ; preds = %entry
  store i64 %3, ptr @__sancov_lowest_stack, align 8, !nosanitize !6
  br label %7
7: ; preds = %entry, %6
  ; --- the original program. The three stores spill the return slot and the
  ; arguments to their allocas and are never read back; -O0 keeps them.
  store i32 0, ptr %retval, align 4
  store i32 %argc, ptr %argc.addr, align 4
  store ptr %argv, ptr %argv.addr, align 8
  %call = call i32 (ptr, ...) @printf(ptr noundef @.str) #4
  ret i32 0
}
declare i32 @printf(ptr noundef, ...) #1
; SanitizerCoverage declares its full hook set regardless of use. In this module
; only the 8-bit counter and stack-depth instrumentation fire: @main contains no
; compare, load of interest, division, GEP or switch, so none of the callbacks
; below is actually called. In a real target these are what give the fuzzer
; value feedback (compared operands, switch cases) on top of edge coverage.
declare void @__sanitizer_cov_trace_pc_indir(i64)
; comparison hooks, by operand width; const_ variants carry one constant operand
declare void @__sanitizer_cov_trace_cmp1(i8 zeroext, i8 zeroext)
declare void @__sanitizer_cov_trace_cmp2(i16 zeroext, i16 zeroext)
declare void @__sanitizer_cov_trace_cmp4(i32 zeroext, i32 zeroext)
declare void @__sanitizer_cov_trace_cmp8(i64, i64)
declare void @__sanitizer_cov_trace_const_cmp1(i8 zeroext, i8 zeroext)
declare void @__sanitizer_cov_trace_const_cmp2(i16 zeroext, i16 zeroext)
declare void @__sanitizer_cov_trace_const_cmp4(i32 zeroext, i32 zeroext)
declare void @__sanitizer_cov_trace_const_cmp8(i64, i64)
; load/store hooks, by access width
declare void @__sanitizer_cov_load1(ptr)
declare void @__sanitizer_cov_load2(ptr)
declare void @__sanitizer_cov_load4(ptr)
declare void @__sanitizer_cov_load8(ptr)
declare void @__sanitizer_cov_load16(ptr)
declare void @__sanitizer_cov_store1(ptr)
declare void @__sanitizer_cov_store2(ptr)
declare void @__sanitizer_cov_store4(ptr)
declare void @__sanitizer_cov_store8(ptr)
declare void @__sanitizer_cov_store16(ptr)
; division, GEP index, and switch hooks
declare void @__sanitizer_cov_trace_div4(i32 zeroext)
declare void @__sanitizer_cov_trace_div8(i64)
declare void @__sanitizer_cov_trace_gep(i64)
declare void @__sanitizer_cov_trace_switch(i64, ptr)
; alternative coverage modes (trace-pc / trace-pc-guard); unused with the
; inline-8bit-counters mode this module was built in
declare void @__sanitizer_cov_trace_pc()
declare void @__sanitizer_cov_trace_pc_guard(ptr)
; Function Attrs: nocallback nofree nosync nounwind willreturn memory(none)
; frame-address intrinsic used by the stack-depth tracing in @main (level 0 =
; the current frame).
declare ptr @llvm.frameaddress.p0(i32 immarg) #2
declare void @__sanitizer_cov_8bit_counters_init(ptr, ptr)
; Function Attrs: nounwind uwtable
; Module constructor (registered via @llvm.global_ctors above): hands the
; runtime the [start, stop) range of the counter array and of the PC table so
; it can map each counter byte back to a code address.
define internal void @sancov.module_ctor_8bit_counters() #3 comdat {
  call void @__sanitizer_cov_8bit_counters_init(ptr @__start___sancov_cntrs, ptr @__stop___sancov_cntrs)
  call void @__sanitizer_cov_pcs_init(ptr @__start___sancov_pcs, ptr @__stop___sancov_pcs)
  ret void
}
declare void @__sanitizer_cov_pcs_init(ptr, ptr)
; #0 (@main): optforfuzzing + optnone + noinline. The "no-builtin-*" entries
; keep memcmp/strcmp-family calls as real calls rather than compiler builtins,
; presumably so the fuzzer runtime's hooks for those functions can observe them.
; "frame-pointer"="all" keeps a frame pointer, which the @llvm.frameaddress
; call above relies on.
attributes #0 = { noinline nounwind optforfuzzing optnone uwtable "frame-pointer"="all" "min-legal-vector-width"="0" "no-builtin-bcmp" "no-builtin-memcmp" "no-builtin-strcasecmp" "no-builtin-strcmp" "no-builtin-strncasecmp" "no-builtin-strncmp" "no-builtin-strstr" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+cmov,+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "tune-cpu"="generic" }
; #1 (printf declaration) and #4 (the printf call site): the same no-builtin
; set, applied so the call is not turned into a builtin at either end.
attributes #1 = { "frame-pointer"="all" "no-builtin-bcmp" "no-builtin-memcmp" "no-builtin-strcasecmp" "no-builtin-strcmp" "no-builtin-strncasecmp" "no-builtin-strncmp" "no-builtin-strstr" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+cmov,+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "tune-cpu"="generic" }
; #2: the frameaddress intrinsic is pure (memory(none)), so it can never be
; what keeps the instrumentation alive; llvm.used does that.
attributes #2 = { nocallback nofree nosync nounwind willreturn memory(none) }
; #3: the module constructor.
attributes #3 = { nounwind uwtable "frame-pointer"="all" }
attributes #4 = { "no-builtin-bcmp" "no-builtin-memcmp" "no-builtin-strcasecmp" "no-builtin-strcmp" "no-builtin-strncasecmp" "no-builtin-strncmp" "no-builtin-strstr" }
; Module flags: wchar size, PIC/PIE level 2, unwind tables and frame pointer
; enabled — ordinary Linux defaults, not fuzzer-specific.
!llvm.module.flags = !{!0, !1, !2, !3, !4}
!llvm.ident = !{!5}
!0 = !{i32 1, !"wchar_size", i32 4}
!1 = !{i32 8, !"PIC Level", i32 2}
!2 = !{i32 7, !"PIE Level", i32 2}
!3 = !{i32 7, !"uwtable", i32 2}
!4 = !{i32 7, !"frame-pointer", i32 2}
; Producer: clang 18.1.6. Hook set and counter layout are specific to this
; compiler version; other versions may emit a different anatomy.
!5 = !{!"clang version 18.1.6 (https://github.com/llvm/llvm-project 1118c2e05e67a36ed8ca250524525cdb66a55256)"}
; !6 is the empty tuple attached as !nosanitize to the instrumentation's own
; loads and stores in @main.
!6 = !{}