Use debug info for func args (#1183)

* frontend: llvm: catch arg names using debug info The current way we extract function names from arguments in LLVM is rarely successful. This is because the names attached to the LLVM Argument objects are empty, likely removed during the compilation process. This adds an option for looking at debug information to spot the right argument name. Ref: ossf/fuzz-introspector#1175 Signed-off-by: David Korczynski <[email protected]> * nit Signed-off-by: David Korczynski <[email protected]> * output argNames to summary.json Signed-off-by: David Korczynski <[email protected]> --------- Signed-off-by: David Korczynski <[email protected]>
AlexDev08 · Aug 3, 2023 · aa8e4e4 · aa8e4e4
1 parent d1e1871
commit aa8e4e4
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/frontends/llvm/lib/Transforms/FuzzIntrospector/FuzzIntrospector.cpp b/frontends/llvm/lib/Transforms/FuzzIntrospector/FuzzIntrospector.cpp
@@ -1067,9 +1067,37 @@ FuzzerFunctionWrapper FuzzIntrospector::wrapFunction(Function *F) {
   FuncWrap.ReturnType = resolveTypeName(F->getReturnType());
 
   // Arguments
+  // errs() << "Function:\n";
+  // errs() << FuncWrap.FunctionName << "\n";
   for (auto &A : F->args()) {
     FuncWrap.ArgTypes.push_back(resolveTypeName(A.getType()));
-    FuncWrap.ArgNames.push_back(A.getName().str());
+    //FuncWrap.ArgNames.push_back(A.getName().str());
+    if (A.getName().str().empty()) {
+      const DILocalVariable* Var = NULL;
+      bool FoundArg = false;
+      for (auto &BB : *F) {
+        for (auto &I : BB) {
+          if (const DbgDeclareInst* DbgDeclare = dyn_cast<DbgDeclareInst>(&I)) {
+            if (auto DLV = dyn_cast<DILocalVariable>(DbgDeclare->getVariable())) {
+              if (  DLV->getArg() == A.getArgNo() + 1 &&
+                    !DLV->getName().empty() &&
+                     DLV->getScope()->getSubprogram() == F->getSubprogram()) {
+                //errs() << "--" << DLV->getName().str() << "\n";
+                FuncWrap.ArgNames.push_back(DLV->getName().str());
+                FoundArg = true;
+              }
+            }
+          }
+        }
+      }
+      if (FoundArg == false) {
+        FuncWrap.ArgNames.push_back("");
+      }
+    }
+    else {
+      // It's non empty, we just push that.
+      FuncWrap.ArgNames.push_back(A.getName().str());
+    }
   }
 
   // Log the amount of basic blocks, instruction count and cyclomatic

diff --git a/src/fuzz_introspector/html_report.py b/src/fuzz_introspector/html_report.py
@@ -136,6 +136,7 @@ def create_all_function_table(
         json_copy = row_element.copy()
         json_copy['Func name'] = demangled_func_name
         json_copy['Args'] = str(fd.arg_types)
+        json_copy['ArgNames'] = fd.arg_names
         json_copy['Reached by Fuzzers'] = fd.reached_by_fuzzers
         json_copy['return_type'] = fd.return_type
         json_copy['raw-function-name'] = fd.raw_function_name