This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lldb/docs/
-
docs/
-
index.rst
-
resources/
6/17
fuzzing.rst

Differential D132148

[lldb][docs] Add documentation for LLDB fuzzers
ClosedPublic

Authored by cassanova on Aug 18 2022, 10:43 AM.

Download Raw Diff

Details

Reviewers

JDevlieghere
mib

Commits

rG43d7320e7111: [lldb][docs] Add documentation for LLDB fuzzers

Summary

This commit adds a new page to the LLDB HTML documentation for the LLDB fuzzers. The page primarily explains what the fuzzers are as well as how to build them, run them and investigate and reproduce bugs.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

cassanova created this revision.Aug 18 2022, 10:43 AM

Herald added a project: Restricted Project. · View Herald TranscriptAug 18 2022, 10:43 AM

Herald added a subscriber: arphaman. · View Herald Transcript

cassanova requested review of this revision.Aug 18 2022, 10:43 AM

Herald added a subscriber: lldb-commits. · View Herald TranscriptAug 18 2022, 10:43 AM

Harbormaster completed remote builds in B182035: Diff 453707.Aug 18 2022, 10:46 AM

Left few comments :)

lldb/docs/resources/fuzzing.rst
13	missing word ?
29–34	Don't we have a top-level `ninja lldb-fuzzer` command that runs all the fuzzer ? If not, what about adding that ?
38	Is it an issue to have this enabled for the other fuzzers ? If not, may be you should just add it to the general cmake invocation

JDevlieghere added inline comments.Aug 18 2022, 12:37 PM

lldb/docs/resources/fuzzing.rst
15–27	I would simplify this a bit and say that in addition to your regular CMake arguments, you have to pass `-DLLVM_USE_SANITIZER='Address' -DLLVM_USE_SANITIZE_COVERAGE=On`. I think the libfuzzer documentation says something similar so in addition to listing that explicitly here, we should also include a link to that (in case that ever changes in the future).
43	I think this could be its own section that talks about where the fuzzers are (will be) running.
45
48–50	I would say "from the build directory" and use relative paths here.
70–73	This is specific to LLDB's target fuzzer and not something I think folks should rely on. libfuzzer makes it really easy to reproduce bugs (as you explain below) so we should encourage everyone to use that.

JDevlieghere added inline comments.Aug 18 2022, 12:42 PM

lldb/docs/resources/fuzzing.rst
29–34	Building all the fuzzers (`lldb-fuzzer(s)`) or running all the fuzzers (`fuzz-lldb`)? Personally +1 having a target that builds all the fuzzers. I'm not sure if I would ever want to run all the fuzzers in parallel, but I'm also not opposed to the idea as it would be similar to what `check-lldb` does.

mib added inline comments.Aug 18 2022, 12:46 PM

lldb/docs/resources/fuzzing.rst
29–34	Yeah, I meant for building the fuzzers (I haven't commented below on the running the fuzzer in parallel for that reason)

cassanova added inline comments.Aug 18 2022, 1:57 PM

lldb/docs/resources/fuzzing.rst
13	Yep :)
15–27	That's a good idea. I didn't mention this explicitly here but I put the entire CMake invocation because I assumed that someone who wanted to try this would be making a new, not-in-source-tree build directory.
38	Having this enabled doesn't cause problems for the other fuzzers. I had this on its own in case there were people that didn't want to use all of the fuzzers and therefore wouldn't need this option enabled all the time. I can place this in the line that would say "In addition to your regular CMake arguments...". Also having a target that builds all fuzzers is a good idea.
43	I can add a "Continuous Integration" section for OSS Fuzz
48–50	Sounds good, what's funny is that I originally had the relative directories and then I removed them to try and be more general :)
70–73	That makes sense, I used the target fuzzer as an example for using fuzzer inputs with LLDB itself but for reproducing it's better to use libFuzzer.

Removed the full CMake invocation for the fuzzer build configuration.

Added the information on OSS Fuzz to its own section.

Changed build directory in fuzzer execution command to use a relative path.

Removed reference to using LLDB with fuzzer inputs.

Fixed typos.

Harbormaster completed remote builds in B182101: Diff 453808.Aug 18 2022, 3:14 PM

LGTM modulo inline comment.

lldb/docs/resources/fuzzing.rst
16–18	Remove the `$` because these are not shell commands.

This revision is now accepted and ready to land.Aug 25 2022, 4:53 PM

Closed by commit rG43d7320e7111: [lldb][docs] Add documentation for LLDB fuzzers (authored by cassanova). · Explain WhyAug 26 2022, 4:35 PM

This revision was automatically updated to reflect the committed changes.

cassanova added a commit: rG43d7320e7111: [lldb][docs] Add documentation for LLDB fuzzers.

Revision Contents

Path

Size

lldb/

docs/

index.rst

1 line

resources/

fuzzing.rst

68 lines

Diff 456058

lldb/docs/index.rst

	Show First 20 Lines • Show All 144 Lines • ▼ Show 20 Lines
	.. toctree::			.. toctree::
	:hidden:			:hidden:
	:maxdepth: 1			:maxdepth: 1
	:caption: Development			:caption: Development

	resources/contributing			resources/contributing
	resources/build			resources/build
	resources/test			resources/test
				resources/fuzzing
	resources/bots			resources/bots
	resources/caveats			resources/caveats


	.. toctree::			.. toctree::
	:hidden:			:hidden:
	:maxdepth: 1			:maxdepth: 1
	:caption: Design			:caption: Design
	Show All 22 Lines

lldb/docs/resources/fuzzing.rst

This file was added.

Fuzzing LLDB

============

Overview

--------

LLDB has fuzzers that provide automated `fuzz testing <https://en.wikipedia.org/wiki/Fuzzing>`_ for different components of LLDB. The fuzzers are built with `libFuzzer <https://llvm.org/docs/LibFuzzer.html>`_ . Currently, there are fuzzers for target creation, LLDB's command interpreter and LLDB's expression evaluator.

Building the fuzzers

--------------------

Building the LLDB fuzzers requires a build configuration that has the address sanitizer and sanitizer coverage enabled. In addition to your regular CMake arguments, you will need these argumets to build the fuzzers:

mibUnsubmitted

Not Done

--------------------

- Building the LLDB fuzzers requires a build configuration that has the address sanitizer and sanitizer coverage. This CMake invocation will configure a build directory that can be used to build the LLDB fuzzers:

+ Building the LLDB fuzzers requires a build configuration that has the address sanitizer and sanitizer coverage enabled. This CMake invocation will configure a build directory that can be used to build the LLDB fuzzers:

$ cmake <path to root of llvm source tree> \

missing word ?

mib: missing word ?

cassanovaAuthorUnsubmitted

Done

Yep :)

cassanova: Yep :)

-DLLVM_USE_SANITIZER='Address' \

-DLLVM_USE_SANITIZE_COVERAGE=On \

-DCLANG_ENABLE_PROTO_FUZZER=ON

JDevlieghereUnsubmitted

Not Done

- $ -DLLVM_USE_SANITIZER='Address'

- $ -DLLVM_USE_SANITIZE_COVERAGE=On

- $ -DCLANG_ENABLE_PROTO_FUZZER=ON

+ -DLLVM_USE_SANITIZER='Address' \

+ -DLLVM_USE_SANITIZE_COVERAGE=On \

+ -DCLANG_ENABLE_PROTO_FUZZER=ON

More information on libFuzzer's sanitizer coverage is available here: `<https://llvm.org/docs/LibFuzzer.html#fuzzer-usage>`_

Remove the $ because these are not shell commands.

JDevlieghere: Remove the `$` because these are not shell commands.

More information on libFuzzer's sanitizer coverage is available here: `<https://llvm.org/docs/LibFuzzer.html#fuzzer-usage>`_

If you want to debug LLDB itself when you find a bug using the fuzzers, use the CMake option ``-DCMAKE_BUILD_TYPE='RelWithDebInfo'``

To build a fuzzer, run the desired ninja command for the fuzzer(s) you want to build:

$ ninja lldb-target-fuzzer

$ ninja lldb-commandinterpreter-fuzzer

JDevlieghereUnsubmitted

Not Done

I would simplify this a bit and say that in addition to your regular CMake arguments, you have to pass -DLLVM_USE_SANITIZER='Address' -DLLVM_USE_SANITIZE_COVERAGE=On. I think the libfuzzer documentation says something similar so in addition to listing that explicitly here, we should also include a link to that (in case that ever changes in the future).

JDevlieghere: I would simplify this a bit and say that in addition to your regular CMake arguments, you have…

cassanovaAuthorUnsubmitted

Done

That's a good idea. I didn't mention this explicitly here but I put the entire CMake invocation because I assumed that someone who wanted to try this would be making a new, not-in-source-tree build directory.

cassanova: That's a good idea. I didn't mention this explicitly here but I put the entire CMake invocation…

$ ninja lldb-expression-fuzzer

Once built, the binaries for the fuzzers will exist in the ``bin`` directory of your build folder.

Continuous integration

----------------------

mibUnsubmitted

Not Done

Don't we have a top-level ninja lldb-fuzzer command that runs all the fuzzer ? If not, what about adding that ?

mib: Don't we have a top-level `ninja lldb-fuzzer` command that runs all the fuzzer ? If not, what…

JDevlieghereUnsubmitted

Not Done

Building all the fuzzers (lldb-fuzzer(s)) or running all the fuzzers (fuzz-lldb)?

Personally +1 having a target that builds all the fuzzers. I'm not sure if I would ever want to run all the fuzzers in parallel, but I'm also not opposed to the idea as it would be similar to what check-lldb does.

JDevlieghere: Building all the fuzzers (`lldb-fuzzer(s)`) or running all the fuzzers (`fuzz-lldb`)?

mibUnsubmitted

Not Done

Yeah, I meant for building the fuzzers (I haven't commented below on the running the fuzzer in parallel for that reason)

mib: Yeah, I meant for building the fuzzers (I haven't commented below on the running the fuzzer in…

Currently, there are plans to integrate the LLDB fuzzers into the `OSS Fuzz <https://github.com/google/oss-fuzz>`_ project for continuous integration.

Running the fuzzers

-------------------

mibUnsubmitted

Not Done

Is it an issue to have this enabled for the other fuzzers ? If not, may be you should just add it to the general cmake invocation

mib: Is it an issue to have this enabled for the other fuzzers ? If not, may be you should just add…

cassanovaAuthorUnsubmitted

Done

Having this enabled doesn't cause problems for the other fuzzers. I had this on its own in case there were people that didn't want to use all of the fuzzers and therefore wouldn't need this option enabled all the time.

I can place this in the line that would say "In addition to your regular CMake arguments...". Also having a target that builds all fuzzers is a good idea.

cassanova: Having this enabled doesn't cause problems for the other fuzzers. I had this on its own in case…

If you want to run the fuzzers locally, you can run the binaries that were generated with ninja from the build directory:

$ ./bin/lldb-target-fuzzer

JDevlieghereUnsubmitted

Not Done

I think this could be its own section that talks about where the fuzzers are (will be) running.

JDevlieghere: I think this could be its own section that talks about where the fuzzers are (will be) running.

cassanovaAuthorUnsubmitted

Done

I can add a "Continuous Integration" section for OSS Fuzz

cassanova: I can add a "Continuous Integration" section for OSS Fuzz

$ ./bin/lldb-commandinterpreter-fuzzer

$ ./bin/lldb-expression-fuzzer

JDevlieghereUnsubmitted

Not Done

Currently, there are plans to integrate the LLDB fuzzers into the `OSS Fuzz <https://github.com/google/oss-fuzz>`_ project for continuous integration.

- If you want to run the fuzzers on your own machine, you can run the binaries that were generated with ninja:

+ If you want to run the fuzzers locally, you can run the binaries that were generated with ninja:

$ ./<lldb fuzzer build directory>/bin/lldb-target-fuzzer

JDevlieghere:

This will run the fuzzer binaries directly, and you can use the `libFuzzer options <https://llvm.org/docs/LibFuzzer.html#options>`_ to customize how the fuzzers are run.

Another way to run the fuzzers is to use a ninja target that will both build the fuzzers and then run them immediately after. These custom targets run each fuzzer with command-line arguments that provide better fuzzing for the components being tested. Running the fuzzers this way will also create directories that will store any inputs that caused LLDB to crash, timeout or run out of memory. The directories are created for each fuzzer.

JDevlieghereUnsubmitted

Not Done

If you want to run the fuzzers on your own machine, you can run the binaries that were generated with ninja:

- $ ./<lldb fuzzer build directory>/bin/lldb-target-fuzzer

- $ ./<lldb fuzzer build directory>/bin/lldb-commandinterpreter-fuzzer

- $ ./<lldb fuzzer build directory>/bin/lldb-expression-fuzzer

+ $ ./bin/lldb-target-fuzzer

+ $ ./bin/lldb-commandinterpreter-fuzzer

+ $ ./bin/lldb-expression-fuzzer

This will run the fuzzer binaries directly, and you can use the `libFuzzer options <https://llvm.org/docs/LibFuzzer.html#options>`_ to customize how the fuzzers are run.

I would say "from the build directory" and use relative paths here.

JDevlieghere: I would say "from the build directory" and use relative paths here.

cassanovaAuthorUnsubmitted

Done

Sounds good, what's funny is that I originally had the relative directories and then I removed them to try and be more general :)

cassanova: Sounds good, what's funny is that I originally had the relative directories and then I removed…

To run the custom ninja targets, run the command for your desired fuzzer:

$ ninja fuzz-lldb-target

$ ninja fuzz-lldb-commandinterpreter

$ ninja fuzz-lldb-expression

Investigating and reproducing bugs

----------------------------------

When the fuzzers find an input that causes LLDB to crash, timeout or run out of memory, the input is saved to a file in the build directory. When running the fuzzer binaries directly this input is stored in a file named ``<crash/timeout/oom>-<hash>``.

When running the fuzzers using the custom ninja targets shown above, the inputs will be stored in ``fuzzer-artifacts/<fuzzer name>-artifacts``, which is created in your build directory. The input files will have the name ``<fuzzer name>-<crash/timeout/oom>-<hash>``.

If you want to reproduce the issue found by a fuzzer once you have gotten the input, you can pass the individual input to the fuzzer binary as a command-line argument:

$ ./<fuzzer binary> <input you are investigating>

JDevlieghereUnsubmitted

Not Done

This is specific to LLDB's target fuzzer and not something I think folks should rely on. libfuzzer makes it really easy to reproduce bugs (as you explain below) so we should encourage everyone to use that.

JDevlieghere: This is specific to LLDB's target fuzzer and not something I think folks should rely on.

cassanovaAuthorUnsubmitted

Done

That makes sense, I used the target fuzzer as an example for using fuzzer inputs with LLDB itself but for reproducing it's better to use libFuzzer.

cassanova: That makes sense, I used the target fuzzer as an example for using fuzzer inputs with LLDB…

This is an archive of the discontinued LLVM Phabricator instance.

[lldb][docs] Add documentation for LLDB fuzzersClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 456058

lldb/docs/index.rst

lldb/docs/resources/fuzzing.rst

[lldb][docs] Add documentation for LLDB fuzzers
ClosedPublic