Harden writer of munged bitcode for fuzzing

Hardens the writer of munged bitcode. Does this by adding error
recovery that guarantees the bitstream writer will not fail on
assertions.

Also cleans up error recovery in general and adds tests to show what
errors are reported by the writer, as well as what error recovery is
applied.

BUG= https://code.google.com/p/nativeclient/issues/detail?id=4169
[email protected]

Review URL: https://codereview.chromium.org/1139673004

Author: KarlSchimpf

include/llvm/Bitcode/NaCl/NaClBitcodeMunge.h

@@ -73,13 +73,13 @@ class NaClBitcodeMunger {
   }
 
   /// Creates MungedInput and DumpStream for running tests, based on
-  /// given Munges.
-  void setupTest(
+  /// given Munges. Returns true if able to set up test.
+  bool setupTest(
       const char *TestName, const uint64_t Munges[], size_t MungesSize,
       bool AddHeader);
 
-  /// Cleans up state after a test.
-  void cleanupTest();
+  /// Cleans up state after a test. Returns true if no errors found.
+  bool cleanupTest();
 
   /// Returns the resulting string generated by the corresponding test.
   const std::string &getTestResults() const {
@@ -110,6 +110,16 @@ class NaClBitcodeMunger {
     WriteFlags.setWriteBadAbbrevIndex(NewValue);
   }
 
+  /// Get access to munged bitcodes.
+  NaClMungedBitcode &getMungedBitcode() {
+    return MungedBitcode;
+  }
+
+  /// Apply given munges to the munged bitcode.
+  void munge(const uint64_t Munges[], size_t MungesSize) {
+    MungedBitcode.munge(Munges, MungesSize, RecordTerminator);
+  }
+
 protected:
   // The bitcode records being munged.
   NaClMungedBitcode MungedBitcode;
@@ -151,6 +161,35 @@ class NaClBitcodeMunger {
   }
 };
 
+/// Class to run tests writing munged bitcode.
+class NaClWriteMunger : public NaClBitcodeMunger {
+public:
+  NaClWriteMunger(const uint64_t Records[], size_t RecordsSize,
+                  uint64_t RecordTerminator)
+      : NaClBitcodeMunger(Records, RecordsSize, RecordTerminator) {}
+
+  /// Writes munged bitcode and puts error messages into DumpResults.
+  /// Returns true if successful.
+  bool runTest(const char* TestName, const uint64_t Munges[],
+               size_t MungesSize);
+
+  /// Same as above, but without test name.
+  bool runTest(const uint64_t Munges[], size_t MungesSize) {
+    return runTest("Test", Munges, MungesSize);
+  }
+
+  /// Same as above, but without any edits.
+  bool runTest(const char* TestName) {
+    uint64_t NoMunges[] = {0};
+    return runTest(TestName, NoMunges, 0);
+  }
+
+  /// Same as above, but without test name.
+  bool runTest() {
+    return runTest("Test");
+  }
+};
+
 /// Class to run tests for function llvm::NaClObjDump.
 class NaClObjDumpMunger : public NaClBitcodeMunger {
 public:
@@ -182,12 +221,17 @@ class NaClObjDumpMunger : public NaClBitcodeMunger {
     return runTestWithFlags(TestName, true, false, false);
   }
 
-  /// Same as runTest, but only print out assembly and errors.
+  /// Same as above but without test name.
+  bool runTest() {
+    return runTest("Test");
+  }
+
+  /// Same as above, but only print out assembly and errors.
   bool runTestForAssembly(const char *TestName) {
     return runTestWithFlags(TestName, true, true, false);
   }
 
-  /// Same as runTest, but only generate error messages.
+  /// Same as above, but only generate error messages.
   bool runTestForErrors(const char *TestName) {
     return runTestWithFlags(TestName, true, true, true);
   }
@@ -212,6 +256,10 @@ class NaClObjDumpMunger : public NaClBitcodeMunger {
     return runTestWithFlags(TestName, Munges, MungesSize, true, false, false);
   }
 
+  bool runTest(const uint64_t Munges[], size_t MungesSize) {
+    return runTest("Test", Munges, MungesSize);
+  }
+
   bool runTestForAssembly(const char* TestName, const uint64_t Munges[],
                           size_t MungesSize) {
     return runTestWithFlags(TestName, Munges, MungesSize, true, true, false);
@@ -235,6 +283,11 @@ class NaClParseBitcodeMunger : public NaClBitcodeMunger {
   bool runTest(const char* TestName, const uint64_t Munges[],
                size_t MungesSize, bool VerboseErrors);
 
+  /// Same as above, but without test name.
+  bool runTest(const uint64_t Munges[], size_t MungesSize, bool VerboseErrors) {
+    return runTest("Test", Munges, MungesSize, VerboseErrors);
+  }
+
   // Same as above, but without any edits.
   bool runTest(const char* TestName, bool VerboseErrors) {
     uint64_t NoMunges[] = {0};

include/llvm/Bitcode/NaCl/NaClBitstreamWriter.h

@@ -148,6 +148,12 @@ class NaClBitstreamWriter {
   /// \brief Retrieve the current position in the stream, in bits.
   uint64_t GetCurrentBitNo() const { return GetBufferOffset() * 8 + CurBit; }
 
+  /// \brief Returns the maximum abbreviation index allowed for the
+  /// current block.
+  size_t getMaxCurAbbrevIndex() const {
+    return CurAbbrevs.size() + naclbitc::DEFAULT_MAX_ABBREV;
+  }
+
   //===--------------------------------------------------------------------===//
   // Basic Primitives for emitting bits to the stream.
   //===--------------------------------------------------------------------===//

lib/Bitcode/NaCl/TestUtils/NaClBitcodeMunge.cpp

@@ -29,7 +29,7 @@ using namespace llvm;
 // For debugging. When true, shows each test being run.
 static bool TraceTestRuns = false;
 
-void NaClBitcodeMunger::setupTest(
+bool NaClBitcodeMunger::setupTest(
     const char *TestName, const uint64_t Munges[], size_t MungesSize,
     bool AddHeader) {
   assert(DumpStream == nullptr && "Test run with DumpStream already defined");
@@ -53,8 +53,10 @@ void NaClBitcodeMunger::setupTest(
       && !(WriteFlags.getTryToRecover()
            && Results.NumRepairs == Results.NumErrors)
       && !(WriteFlags.getWriteBadAbbrevIndex()
-           && Results.WroteBadAbbrevIndex && Results.NumErrors == 1))
-    report_fatal_error("Unable to generate bitcode file due to write errors");
+           && Results.WroteBadAbbrevIndex && Results.NumErrors == 1)) {
+    Error() << "Unable to generate bitcode file due to write errors\n";
+    return false;
+  }
 
   // Add null terminator, so that we meet the requirements of the
   // MemoryBuffer API.
@@ -63,9 +65,10 @@ void NaClBitcodeMunger::setupTest(
   MungedInput = MemoryBuffer::getMemBuffer(
       StringRef(MungedInputBuffer.data(), MungedInputBuffer.size()-1),
       TestName);
+  return true;
 }
 
-void NaClBitcodeMunger::cleanupTest() {
+bool NaClBitcodeMunger::cleanupTest() {
   RunAsDeathTest = false;
   WriteFlags.reset();
   MungedBitcode.removeEdits();
@@ -74,6 +77,7 @@ void NaClBitcodeMunger::cleanupTest() {
   DumpStream->flush();
   delete DumpStream;
   DumpStream = nullptr;
+  return !FoundErrors;
 }
 
 // Return the next line of input (including eoln), starting from
@@ -110,24 +114,38 @@ getLinesWithTextMatch(const std::string &Substring, bool MustBePrefix) const {
   return Messages;
 }
 
+bool NaClWriteMunger::runTest(const char* Name, const uint64_t Munges[],
+                              size_t MungesSize) {
+  bool AddHeader = true;
+  if (!setupTest(Name, Munges, MungesSize, AddHeader))
+    return cleanupTest();
+  MemoryBufferRef InputRef(MungedInput->getMemBufferRef());
+  NaClMungedBitcode WrittenBitcode(MemoryBuffer::getMemBuffer(InputRef));
+  WrittenBitcode.print(WriteFlags.getErrStream());
+  return cleanupTest();
+}
+
 bool NaClObjDumpMunger::runTestWithFlags(
     const char *Name, const uint64_t Munges[], size_t MungesSize,
     bool AddHeader, bool NoRecords, bool NoAssembly) {
-  setupTest(Name, Munges, MungesSize, AddHeader);
+  if (!setupTest(Name, Munges, MungesSize, AddHeader))
+    return cleanupTest();
 
   if (NaClObjDump(MungedInput.get()->getMemBufferRef(),
                   getDumpStream(), NoRecords, NoAssembly))
     FoundErrors = true;
-  cleanupTest();
-  return !FoundErrors;
+  return cleanupTest();
 }
 
 bool NaClParseBitcodeMunger::runTest(
     const char *Name, const uint64_t Munges[], size_t MungesSize,
     bool VerboseErrors) {
   bool AddHeader = true;
-  setupTest(Name, Munges, MungesSize, AddHeader);
+  if (!setupTest(Name, Munges, MungesSize, AddHeader))
+    return cleanupTest();
+
   LLVMContext &Context = getGlobalContext();
+
   raw_ostream *VerboseStrm = VerboseErrors ? &getDumpStream() : nullptr;
   ErrorOr<Module *> ModuleOrError =
       NaClParseBitcodeFile(MungedInput->getMemBufferRef(), Context,
@@ -139,16 +157,17 @@ bool NaClParseBitcodeMunger::runTest(
   } else {
     Error() << ModuleOrError.getError().message() << "\n";
   }
-  cleanupTest();
-  return !FoundErrors;
+  return cleanupTest();
 }
 
 bool NaClCompressMunger::runTest(const char* Name, const uint64_t Munges[],
                                  size_t MungesSize) {
   bool AddHeader = true;
-  setupTest(Name, Munges, MungesSize, AddHeader);
+  if (!setupTest(Name, Munges, MungesSize, AddHeader))
+    return cleanupTest();
+
   NaClBitcodeCompressor Compressor;
-  bool Result = Compressor.compress(MungedInput.get(), getDumpStream());
-  cleanupTest();
-  return Result;
+  if (!Compressor.compress(MungedInput.get(), getDumpStream()))
+    Error() << "Unable to compress\n";
+  return cleanupTest();
 }

lib/Bitcode/NaCl/TestUtils/NaClBitcodeMungeUtils.cpp

@@ -87,7 +87,7 @@ void readNaClBitcodeRecordList(NaClBitcodeRecordList &RecordList,
 } // end of namespace llvm
 
 void NaClBitcodeAbbrevRecord::print(raw_ostream &Out) const {
-  NaClBitcodeRecordData::Print(Out << format("%8u", Abbrev) << ": ");
+  NaClBitcodeRecordData::Print(Out << Abbrev << ": ");
 }
 
 void NaClBitcodeAbbrevRecord::read(const uint64_t Vals[], size_t ValsSize,
@@ -119,6 +119,13 @@ void NaClMungedBitcode::print(raw_ostream &Out) const {
     for (size_t i = 0; i < Indent; ++i) {
       Out << "  ";
     }
+    // Blank fill to make abbreviation indices right align, and then
+    // print record.
+    uint32_t Cutoff = 9999999;
+    while (Record.Abbrev <= Cutoff && Cutoff) {
+      Out << " ";
+      Cutoff /= 10;
+    }
     Out << Record << "\n";
     if (Record.Code == naclbitc::BLK_CODE_ENTER)
       ++Indent;