Ensure _LLVMFuzzerInitialize is always exported and marked used on Mac.

The linker's -dead_strip was removing the fuzzer initializer because it was unreachable and not exported. This adds a new libfuzzer_exports.h header that fuzzers can include to ensure the symbols have the proper visibility. Bug: 687076 Change-Id: I8fe5c523ade491a48cd7abbf85c69edb872c97db Reviewed-on: https://chromium-review.googlesource.com/721340Reviewed-by: Varun Khaneja <vakh@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#509558}

Ensure _LLVMFuzzerInitialize is always exported and marked used on Mac.
The linker's -dead_strip was removing the fuzzer initializer because it was unreachable and not exported. This adds a new libfuzzer_exports.h header that fuzzers can include to ensure the symbols have the proper visibility. Bug: 687076 Change-Id: I8fe5c523ade491a48cd7abbf85c69edb872c97db Reviewed-on: https://chromium-review.googlesource.com/721340Reviewed-by: Varun Khaneja <vakh@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#509558}
d88ebf8b · Robert Sesek · Commit Bot · a022559b · d88ebf8b · d88ebf8b
Commit d88ebf8b authored Oct 17, 2017 by Robert Sesek Committed by Commit Bot Oct 17, 2017
5 changed files
--- a/chrome/utility/safe_browsing/mac/BUILD.gn
+++ b/chrome/utility/safe_browsing/mac/BUILD.gn
@@ -69,8 +69,6 @@ fuzzer_test("safe_browsing_dmg_fuzzer") {
    ":dmg_common",
    "//base",
  ]
-
-  libfuzzer_options = [ "close_fd_mask=2" ]
 }

 fuzzer_test("safe_browsing_hfs_fuzzer") {

--- a/chrome/utility/safe_browsing/mac/dmg_fuzzer.cc
+++ b/chrome/utility/safe_browsing/mac/dmg_fuzzer.cc
@@ -13,6 +13,7 @@
 #include "chrome/utility/safe_browsing/mac/hfs.h"
 #include "chrome/utility/safe_browsing/mac/read_stream.h"
 #include "chrome/utility/safe_browsing/mac/udif.h"
+#include "testing/libfuzzer/libfuzzer_exports.h"

 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
  base::CommandLine::Init(*argc, *argv);

--- a/chrome/utility/safe_browsing/mac/hfs_fuzzer.cc
+++ b/chrome/utility/safe_browsing/mac/hfs_fuzzer.cc
@@ -10,6 +10,7 @@

 #include "chrome/utility/safe_browsing/mac/hfs.h"
 #include "chrome/utility/safe_browsing/mac/read_stream.h"
+#include "testing/libfuzzer/libfuzzer_exports.h"

 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  safe_browsing::dmg::MemoryReadStream input(data, size);

--- a/testing/libfuzzer/fuzzer_test.gni
+++ b/testing/libfuzzer/fuzzer_test.gni
@@ -136,6 +136,10 @@ template("fuzzer_test") {
      if (defined(invoker.suppressed_configs)) {
        configs -= invoker.suppressed_configs
      }
+
+      if (is_mac) {
+        sources += [ "libfuzzer_exports.h" ]
+      }
    }
  } else {
    # noop on unsupported platforms.

--- a/testing/libfuzzer/libfuzzer_exports.h
+++ b/testing/libfuzzer/libfuzzer_exports.h
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef TESTING_LIBFUZZER_LIBFUZZER_EXPORTS_H_
+#define TESTING_LIBFUZZER_LIBFUZZER_EXPORTS_H_
+
+#include "build/build_config.h"
+
+// On macOS, the linker may strip symbols for functions that are not reachable
+// by the program entrypoint. Several libFuzzer functions are resolved via
+// dlsym at runtime and therefore may be dead-stripped as a result. Including
+// this header in the fuzzer's implementation file will ensure that all the
+// symbols are kept and exported.
+
+#if defined(OS_MACOSX)
+#define EXPORT_FUZZER_FUNCTION \
+  __attribute__((used)) __attribute__((visibility("default")))
+#else
+#define EXPORT_FUZZER_FUNCTION
+#endif
+
+extern "C" {
+
+EXPORT_FUZZER_FUNCTION int LLVMFuzzerInitialize(int* argc, char*** argv);
+EXPORT_FUZZER_FUNCTION int LLVMFuzzerTestOneInput(const uint8_t* data,
+                                                  size_t size);
+EXPORT_FUZZER_FUNCTION size_t LLVMFuzzerCustomMutator(uint8_t* data,
+                                                      size_t size,
+                                                      size_t max_size,
+                                                      unsigned int seed);
+EXPORT_FUZZER_FUNCTION size_t LLVMFuzzerCustomCrossOver(const uint8_t* data1,
+                                                        size_t size1,
+                                                        const uint8_t* data2,
+                                                        size_t size2,
+                                                        uint8_t* out,
+                                                        size_t max_out_size,
+                                                        unsigned int seed);
+EXPORT_FUZZER_FUNCTION size_t LLVMFuzzerMutate(uint8_t* data,
+                                               size_t size,
+                                               size_t max_size);
+
+}  // extern "C"
+
+#undef EXPORT_FUZZER_FUNCTION
+
+#endif  // TESTING_LIBFUZZER_LIBFUZZER_EXPORTS_H_