This is an archive of the discontinued LLVM Phabricator instance.

Build a lib/Fuzzer version for llvm-as.
ClosedPublic

Authored by kschimpf on Aug 28 2015, 10:22 AM.

Download Raw Diff

Details

Reviewers

kcc
filcab

Commits

rGb9c2c71d09ee: Build a lib/Fuzzer version for llvm-as.
rL246458: Build a lib/Fuzzer version for llvm-as.

Summary

This CL is associated with a fuzzing effort to find bugs in LLVM. The
first step is to fuzz llvm-as to find potential issues in generating
IR. Both afl-fuzz and LLVM's lib/Fuzzer are being used.

This CL introduces the executable that implements the in-process
fuzzer using LLVM's lib/Fuzzer. The motivation for using lib/Fuzzer is
based on time comparisons between afl-fuzz and lib/Fuzzer. Early
results show that per-process, the lib/Fuzzer implemenation of llvm-as
(i.e. this CL) generates over 30 times the number of mutations found
by afl-fuzz, per hour runtime. The speedup is due to the removal of
overhead of forking a process, and loading the executable into memory.

I placed this under the tools directory, since it is an executable. It
is also only conditionally built if (using cmake) the flag
LLVM_USEE_SANITIZE_COVERAGE is used, so that it isn't built by
default.

Diff Detail

Repository: rL LLVM

Event Timeline

kschimpf updated this revision to Diff 33439.Aug 28 2015, 10:22 AM

kschimpf retitled this revision from to Build a lib/Fuzzer version for llvm-as..

kschimpf updated this object.

kschimpf added reviewers: kcc, filcab.

kschimpf added a subscriber: llvm-commits.

LGTM++ (with one nit)

Once this is submitted, I'll set up a job on
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer

While I am glad to hear that libFuzzer generates more mutations than AFL I should remind that
a) AFL is more algorithmically advanced and may generate better mutations and
b) AFL now has a kind-of-in-process mode (http://lcamtuf.blogspot.com/2015/06/new-in-afl-persistent-mode.html)
which should be faster.

Yet I am confident that using two fuzzers is strictly better than using one.

tools/fuzz-llvm-as/fuzz-llvm-as.cpp
63 ↗	(On Diff #33439)	ideally, shit should be done outside of this function, so that the first input does not get credit for additional coverage. You can do this by having a constructor of a global object do this, or by defining your own main and using fuzzer::FuzzerDriver, However in practice this won't hurt much, if at all. So feel free to just add a FIXME in the comment

This revision is now accepted and ready to land.Aug 28 2015, 10:37 AM

For consistency with the two other fuzzers (clang-fuzzer, clang-format-fuzzer) it might be better to name this target llvm-as-fuzzer

Closed by commit rL246458: Build a lib/Fuzzer version for llvm-as. (authored by kschimpf). · Explain WhyAug 31 2015, 10:56 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

llvm/

trunk/

tools/

llvm-as-fuzzer/

CMakeLists.txt

13 lines

llvm-as-fuzzer.cpp

75 lines

Diff 33599

llvm/trunk/tools/llvm-as-fuzzer/CMakeLists.txt

				if( LLVM_USE_SANITIZE_COVERAGE )
				set(LLVM_LINK_COMPONENTS
				AsmParser
				BitWriter
				Core
				Support
				)
				add_llvm_tool(llvm-as-fuzzer
				llvm-as-fuzzer.cpp)
				target_link_libraries(llvm-as-fuzzer
				LLVMFuzzer
				)
				endif()

llvm/trunk/tools/llvm-as-fuzzer/llvm-as-fuzzer.cpp

				//===--- fuzz-llvm-as.cpp - Fuzzer for llvm-as using lib/Fuzzer -----------===//
				//
				// The LLVM Compiler Infrastructure
				//
				// This file is distributed under the University of Illinois Open Source
				// License. See LICENSE.TXT for details.
				//
				//===----------------------------------------------------------------------===//
				//
				// Build tool to fuzz the LLVM assembler (llvm-as) using
				// lib/Fuzzer. The main reason for using this tool is that it is much
				// faster than using afl-fuzz, since it is run in-process.
				//
				//===----------------------------------------------------------------------===//

				#include "llvm/ADT/StringRef.h"
				#include "llvm/AsmParser/Parser.h"
				#include "llvm/IR/LLVMContext.h"
				#include "llvm/IR/Module.h"
				#include "llvm/IR/Verifier.h"
				#include "llvm/Support/ErrorHandling.h"
				#include "llvm/Support/MemoryBuffer.h"
				#include "llvm/Support/raw_ostream.h"
				#include "llvm/Support/SourceMgr.h"

				#include <csetjmp>

				using namespace llvm;

				static jmp_buf JmpBuf;

				namespace {

				void MyFatalErrorHandler(void *user_data, const std::string& reason,
				bool gen_crash_diag) {
				// Don't bother printing reason, just return to the test function,
				// since a fatal error represents a successful parse (i.e. it correctly
				// terminated with an error message to the user).
				longjmp(JmpBuf, 1);
				}

				static bool InstalledHandler = false;

				} // end of anonymous namespace

				extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {

				// Allocate space for locals before setjmp so that memory can be collected
				// if parse exits prematurely (via longjmp).
				StringRef Input((const char *)Data, Size);
				// Note: We need to create a buffer to add a null terminator to the
				// end of the input string. The parser assumes that the string
				// parsed is always null terminated.
				std::unique_ptr<MemoryBuffer> MemBuf = MemoryBuffer::getMemBufferCopy(Input);
				SMDiagnostic Err;
				LLVMContext &Context = getGlobalContext();
				std::unique_ptr<Module> M;

				if (setjmp(JmpBuf))
				// If reached, we have returned with non-zero status, so exit.
				return;

				// TODO(kschimpf) Write a main to do this initialization.
				if (!InstalledHandler) {
				llvm::install_fatal_error_handler(::MyFatalErrorHandler, nullptr);
				InstalledHandler = true;
				}

				M = parseAssembly(MemBuf->getMemBufferRef(), Err, Context);

				if (!M.get())
				return;

				verifyModule(*M.get());
				}