int main(int argc, char **argv) { // The command line is unusual compared to other fuzzers due to the need to // specify the target. Options like -triple, -mcpu, and -mattr work like // their counterparts in llvm-mc, while -fuzzer-args collects options for the // fuzzer itself. // // Examples: // // Fuzz the big-endian MIPS32R6 disassembler using 100,000 inputs of up to // 4-bytes each and use the contents of ./corpus as the test corpus: // llvm-mc-fuzzer -triple mips-linux-gnu -mcpu=mips32r6 -disassemble \ // -fuzzer-args -max_len=4 -runs=100000 ./corpus // // Infinitely fuzz the little-endian MIPS64R2 disassembler with the MSA // feature enabled using up to 64-byte inputs: // llvm-mc-fuzzer -triple mipsel-linux-gnu -mcpu=mips64r2 -mattr=msa \ // -disassemble -fuzzer-args ./corpus // // If your aim is to find instructions that are not tested, then it is // advisable to constrain the maximum input size to a single instruction // using -max_len as in the first example. This results in a test corpus of // individual instructions that test unique paths. Without this constraint, // there will be considerable redundancy in the corpus. LLVMInitializeAllTargetInfos(); LLVMInitializeAllTargetMCs(); LLVMInitializeAllDisassemblers(); cl::ParseCommandLineOptions(argc, argv); // Package up features to be passed to target/subtarget // We have to pass it via a global since the callback doesn't // permit any user data. if (MAttrs.size()) { SubtargetFeatures Features; for (unsigned i = 0; i != MAttrs.size(); ++i) Features.AddFeature(MAttrs[i]); FeaturesStr = Features.getString(); } // Insert the program name into the FuzzerArgv. FuzzerArgv.insert(FuzzerArgv.begin(), argv[0]); if (Action == AC_Assemble) errs() << "error: -assemble is not implemented\n"; else if (Action == AC_Disassemble) return fuzzer::FuzzerDriver(FuzzerArgv, DisassembleOneInput); llvm_unreachable("Unknown action"); return 1; }