This is an archive of the discontinued LLVM Phabricator instance.

Build a lib/Fuzzer version for llvm-as.
ClosedPublic

Authored by kschimpf on Aug 28 2015, 10:22 AM.

Details

Summary

This CL is associated with a fuzzing effort to find bugs in LLVM. The
first step is to fuzz llvm-as to find potential issues in generating
IR. Both afl-fuzz and LLVM's lib/Fuzzer are being used.

This CL introduces the executable that implements the in-process
fuzzer using LLVM's lib/Fuzzer. The motivation for using lib/Fuzzer is
based on time comparisons between afl-fuzz and lib/Fuzzer. Early
results show that per-process, the lib/Fuzzer implementation of llvm-as
(i.e. this CL) generates over 30 times the number of mutations found
by afl-fuzz, per hour runtime. The speedup is due to the removal of
overhead of forking a process, and loading the executable into memory.

I placed this under the tools directory, since it is an executable. It
is also only conditionally built if (using cmake) the flag
LLVM_USE_SANITIZE_COVERAGE is used, so that it isn't built by
default.

Diff Detail

Repository
rL LLVM

Event Timeline

kschimpf updated this revision to Diff 33439. Aug 28 2015, 10:22 AM
kschimpf retitled this revision to "Build a lib/Fuzzer version for llvm-as".
kschimpf updated this object.
kschimpf added reviewers: kcc, filcab.
kschimpf added a subscriber: llvm-commits.
kcc accepted this revision. Aug 28 2015, 10:37 AM
kcc edited edge metadata.

LGTM++ (with one nit)

Once this is submitted, I'll set up a job on
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer

While I am glad to hear that libFuzzer generates more mutations than AFL I should remind that
a) AFL is more algorithmically advanced and may generate better mutations and
b) AFL now has a kind-of-in-process mode (http://lcamtuf.blogspot.com/2015/06/new-in-afl-persistent-mode.html)
which should be faster.

Yet I am confident that using two fuzzers is strictly better than using one.

tools/fuzz-llvm-as/fuzz-llvm-as.cpp
Line 63 (on Diff #33439)

Ideally, this should be done outside of this function,
so that the first input does not get credit for additional coverage.
You can do this by having a constructor of a global object do this,
or by defining your own main and using fuzzer::FuzzerDriver.

However, in practice this won't hurt much, if at all.
So feel free to just add a FIXME in the comment.

This revision is now accepted and ready to land. Aug 28 2015, 10:37 AM
kcc added a comment. Aug 28 2015, 11:40 AM

For consistency with the two other fuzzers (clang-fuzzer, clang-format-fuzzer) it might be better to name this target llvm-as-fuzzer

This revision was automatically updated to reflect the committed changes.