File: FuzzingLLVM.html

Package: llvm-toolchain-13 1:13.0.1-6~deb10u4
<!DOCTYPE html>

<html>
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Fuzzing LLVM libraries and tools &#8212; LLVM 13 documentation</title>
    <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="_static/llvm-theme.css" type="text/css" />
    <script id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
    <script src="_static/jquery.js"></script>
    <script src="_static/underscore.js"></script>
    <script src="_static/doctools.js"></script>
    <link rel="index" title="Index" href="genindex.html" />
    <link rel="search" title="Search" href="search.html" />
    <link rel="next" title="Garbage Collection with LLVM" href="GarbageCollection.html" />
    <link rel="prev" title="FaultMaps and implicit checks" href="FaultMaps.html" />
<style type="text/css">
  table.right { float: right; margin-left: 20px; }
  table.right td { border: 1px solid #ccc; }
</style>

  </head><body>
<div class="logo">
  <a href="index.html">
    <img src="_static/logo.png"
         alt="LLVM Logo" width="250" height="88"/></a>
</div>

    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="genindex.html" title="General Index"
             accesskey="I">index</a></li>
        <li class="right" >
          <a href="GarbageCollection.html" title="Garbage Collection with LLVM"
             accesskey="N">next</a> |</li>
        <li class="right" >
          <a href="FaultMaps.html" title="FaultMaps and implicit checks"
             accesskey="P">previous</a> |</li>
  <li><a href="https://llvm.org/">LLVM Home</a>&nbsp;|&nbsp;</li>
  <li><a href="index.html">Documentation</a>&raquo;</li>

          <li class="nav-item nav-item-1"><a href="Reference.html" accesskey="U">Reference</a> &#187;</li>
        <li class="nav-item nav-item-this"><a href="">Fuzzing LLVM libraries and tools</a></li> 
      </ul>
    </div>


    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="fuzzing-llvm-libraries-and-tools">
<h1>Fuzzing LLVM libraries and tools<a class="headerlink" href="#fuzzing-llvm-libraries-and-tools" title="Permalink to this headline">¶</a></h1>
<div class="contents local topic" id="contents">
<ul class="simple">
<li><p><a class="reference internal" href="#introduction" id="id7">Introduction</a></p></li>
<li><p><a class="reference internal" href="#available-fuzzers" id="id8">Available Fuzzers</a></p>
<ul>
<li><p><a class="reference internal" href="#clang-fuzzer" id="id9">clang-fuzzer</a></p></li>
<li><p><a class="reference internal" href="#clang-proto-fuzzer" id="id10">clang-proto-fuzzer</a></p></li>
<li><p><a class="reference internal" href="#clang-format-fuzzer" id="id11">clang-format-fuzzer</a></p></li>
<li><p><a class="reference internal" href="#llvm-as-fuzzer" id="id12">llvm-as-fuzzer</a></p></li>
<li><p><a class="reference internal" href="#llvm-dwarfdump-fuzzer" id="id13">llvm-dwarfdump-fuzzer</a></p></li>
<li><p><a class="reference internal" href="#llvm-demangle-fuzzer" id="id14">llvm-demangle-fuzzer</a></p></li>
<li><p><a class="reference internal" href="#llvm-isel-fuzzer" id="id15">llvm-isel-fuzzer</a></p></li>
<li><p><a class="reference internal" href="#llvm-opt-fuzzer" id="id16">llvm-opt-fuzzer</a></p></li>
<li><p><a class="reference internal" href="#llvm-mc-assemble-fuzzer" id="id17">llvm-mc-assemble-fuzzer</a></p></li>
<li><p><a class="reference internal" href="#llvm-mc-disassemble-fuzzer" id="id18">llvm-mc-disassemble-fuzzer</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#mutators-and-input-generators" id="id19">Mutators and Input Generators</a></p>
<ul>
<li><p><a class="reference internal" href="#generic-random-fuzzing" id="id20">Generic Random Fuzzing</a></p></li>
<li><p><a class="reference internal" href="#structured-fuzzing-using-libprotobuf-mutator" id="id21">Structured Fuzzing using <code class="docutils literal notranslate"><span class="pre">libprotobuf-mutator</span></code></a></p></li>
<li><p><a class="reference internal" href="#structured-fuzzing-of-llvm-ir" id="id22">Structured Fuzzing of LLVM IR</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#building-and-running" id="id23">Building and Running</a></p>
<ul>
<li><p><a class="reference internal" href="#configuring-llvm-to-build-fuzzers" id="id24">Configuring LLVM to Build Fuzzers</a></p></li>
<li><p><a class="reference internal" href="#continuously-running-and-finding-bugs" id="id25">Continuously Running and Finding Bugs</a></p></li>
</ul>
</li>
<li><p><a class="reference internal" href="#utilities-for-writing-fuzzers" id="id26">Utilities for Writing Fuzzers</a></p></li>
</ul>
</div>
<div class="section" id="introduction">
<h2><a class="toc-backref" href="#id7">Introduction</a><a class="headerlink" href="#introduction" title="Permalink to this headline">¶</a></h2>
<p>The LLVM tree includes a number of fuzzers for various components. These are
built on top of <a class="reference internal" href="LibFuzzer.html"><span class="doc">LibFuzzer</span></a>. In order to build and run these
fuzzers, see <a class="reference internal" href="#building-fuzzers"><span class="std std-ref">Configuring LLVM to Build Fuzzers</span></a>.</p>
</div>
<div class="section" id="available-fuzzers">
<h2><a class="toc-backref" href="#id8">Available Fuzzers</a><a class="headerlink" href="#available-fuzzers" title="Permalink to this headline">¶</a></h2>
<div class="section" id="clang-fuzzer">
<h3><a class="toc-backref" href="#id9">clang-fuzzer</a><a class="headerlink" href="#clang-fuzzer" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference internal" href="#fuzzing-llvm-generic"><span class="std std-ref">generic fuzzer</span></a> that tries to compile textual input as C++ code. Some of the
bugs this fuzzer has reported are <a class="reference external" href="https://llvm.org/pr23057">on bugzilla</a> and <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm+clang-fuzzer">on OSS Fuzz’s
tracker</a>.</p>
</div>
<div class="section" id="clang-proto-fuzzer">
<h3><a class="toc-backref" href="#id10">clang-proto-fuzzer</a><a class="headerlink" href="#clang-proto-fuzzer" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference internal" href="#fuzzing-llvm-protobuf"><span class="std std-ref">libprotobuf-mutator based fuzzer</span></a> that compiles valid C++ programs generated from a protobuf
class that describes a subset of the C++ language.</p>
<p>This fuzzer accepts clang command line options after <cite>ignore_remaining_args=1</cite>.
For example, the following command will fuzz clang with a higher optimization
level:</p>
<div class="highlight-shell notranslate"><div class="highlight"><pre><span></span>% bin/clang-proto-fuzzer &lt;corpus-dir&gt; -ignore_remaining_args<span class="o">=</span><span class="m">1</span> -O3
</pre></div>
</div>
</div>
<div class="section" id="clang-format-fuzzer">
<h3><a class="toc-backref" href="#id11">clang-format-fuzzer</a><a class="headerlink" href="#clang-format-fuzzer" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference internal" href="#fuzzing-llvm-generic"><span class="std std-ref">generic fuzzer</span></a> that runs <a class="reference external" href="https://clang.llvm.org/docs/ClangFormat.html">clang-format</a> on C++ text fragments. Some of the
bugs this fuzzer has reported are <a class="reference external" href="https://llvm.org/pr23052">on bugzilla</a>
and <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm+clang-format-fuzzer">on OSS Fuzz’s tracker</a>.</p>
</div>
<div class="section" id="llvm-as-fuzzer">
<h3><a class="toc-backref" href="#id12">llvm-as-fuzzer</a><a class="headerlink" href="#llvm-as-fuzzer" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference internal" href="#fuzzing-llvm-generic"><span class="std std-ref">generic fuzzer</span></a> that tries to parse text as <a class="reference internal" href="LangRef.html"><span class="doc">LLVM assembly</span></a>.
Some of the bugs this fuzzer has reported are <a class="reference external" href="https://llvm.org/pr24639">on bugzilla</a>.</p>
</div>
<div class="section" id="llvm-dwarfdump-fuzzer">
<h3><a class="toc-backref" href="#id13">llvm-dwarfdump-fuzzer</a><a class="headerlink" href="#llvm-dwarfdump-fuzzer" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference internal" href="#fuzzing-llvm-generic"><span class="std std-ref">generic fuzzer</span></a> that interprets inputs as object files and runs
<a class="reference internal" href="CommandGuide/llvm-dwarfdump.html"><span class="doc">llvm-dwarfdump</span></a> on them. Some of the bugs
this fuzzer has reported are <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm+llvm-dwarfdump-fuzzer">on OSS Fuzz’s tracker</a>.</p>
</div>
<div class="section" id="llvm-demangle-fuzzer">
<h3><a class="toc-backref" href="#id14">llvm-demangle-fuzzer</a><a class="headerlink" href="#llvm-demangle-fuzzer" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference internal" href="#fuzzing-llvm-generic"><span class="std std-ref">generic fuzzer</span></a> for the Itanium demangler used in various LLVM tools. We’ve
fuzzed __cxa_demangle to death; why not fuzz LLVM’s implementation of the same
function?</p>
</div>
<div class="section" id="llvm-isel-fuzzer">
<h3><a class="toc-backref" href="#id15">llvm-isel-fuzzer</a><a class="headerlink" href="#llvm-isel-fuzzer" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference internal" href="#fuzzing-llvm-ir"><span class="std std-ref">structured LLVM IR fuzzer</span></a> aimed at finding bugs in instruction selection.</p>
<p>This fuzzer accepts flags after <cite>ignore_remaining_args=1</cite>. The flags match
those of <a class="reference internal" href="CommandGuide/llc.html"><span class="doc">llc</span></a> and the triple is required. For example,
the following command would fuzz AArch64 with <a class="reference internal" href="GlobalISel/index.html"><span class="doc">Global Instruction Selection</span></a>:</p>
<div class="highlight-shell notranslate"><div class="highlight"><pre><span></span>% bin/llvm-isel-fuzzer &lt;corpus-dir&gt; -ignore_remaining_args<span class="o">=</span><span class="m">1</span> -mtriple aarch64 -global-isel -O0
</pre></div>
</div>
<p>Some flags can also be specified in the binary name itself in order to support
OSS Fuzz, which has trouble with required arguments. To do this, you can copy
or move <code class="docutils literal notranslate"><span class="pre">llvm-isel-fuzzer</span></code> to <code class="docutils literal notranslate"><span class="pre">llvm-isel-fuzzer--x-y-z</span></code>, separating options
from the binary name using “–”. The valid options are architecture names
(<code class="docutils literal notranslate"><span class="pre">aarch64</span></code>, <code class="docutils literal notranslate"><span class="pre">x86_64</span></code>), optimization levels (<code class="docutils literal notranslate"><span class="pre">O0</span></code>, <code class="docutils literal notranslate"><span class="pre">O2</span></code>), or specific
keywords, like <code class="docutils literal notranslate"><span class="pre">gisel</span></code> for enabling global instruction selection. In this
mode, the same example could be run like so:</p>
<div class="highlight-shell notranslate"><div class="highlight"><pre><span></span>% bin/llvm-isel-fuzzer--aarch64-O0-gisel &lt;corpus-dir&gt;
</pre></div>
</div>
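<p>The following is an added example, not code from the LLVM tree or from <code class="docutils literal notranslate"><span class="pre">FuzzerCLI.h</span></code>: it parses options encoded in an executable name such as <code class="docutils literal notranslate"><span class="pre">bin/llvm-isel-fuzzer--aarch64-O0-gisel</span></code> into the <code class="docutils literal notranslate"><span class="pre">llc</span></code>-style flags used in the first command above. The default optimization level, the struct and function names, and the treatment of unrecognised tokens (recorded and reported rather than silently dropped) are assumptions of this example.</p>

```cpp
// Added example; not LLVM's FuzzerCLI.h code. Parses options encoded in the
// executable name, e.g. "bin/llvm-isel-fuzzer--aarch64-O0-gisel", into the
// llc-style flags the text shows for the plain command-line form.
#include <cstdio>
#include <string>
#include <vector>

struct ExecNameOpts {
  std::string triple;               // architecture token, e.g. "aarch64"
  std::string optLevel = "O2";      // default is an assumption of this example
  bool globalISel = false;          // set by the "gisel" keyword
  std::vector<std::string> unknown; // tokens that matched nothing
};

// Split "dir/tool--x-y-z" into {"x", "y", "z"}; no "--" means no options.
std::vector<std::string> splitExecName(const std::string &argv0) {
  size_t slash = argv0.find_last_of('/');
  std::string base = slash == std::string::npos ? argv0 : argv0.substr(slash + 1);
  std::vector<std::string> toks;
  size_t sep = base.find("--");
  if (sep == std::string::npos)
    return toks;
  std::string rest = base.substr(sep + 2);
  size_t start = 0;
  while (start <= rest.size()) {
    size_t dash = rest.find('-', start);
    if (dash == std::string::npos)
      dash = rest.size();
    if (dash > start)
      toks.push_back(rest.substr(start, dash - start));
    start = dash + 1;
  }
  return toks;
}

// Classify each token the way the text lists them: architecture names,
// optimization levels, or keywords. Anything else is recorded, not guessed at.
ExecNameOpts parseExecName(const std::string &argv0) {
  static const char *const Arches[] = {"aarch64", "x86_64"};
  ExecNameOpts o;
  for (const std::string &t : splitExecName(argv0)) {
    if (t == "gisel") { o.globalISel = true; continue; }
    if (t.size() == 2 && t[0] == 'O' && t[1] >= '0' && t[1] <= '3') {
      o.optLevel = t;
      continue;
    }
    bool isArch = false;
    for (const char *a : Arches)
      if (t == a) isArch = true;
    if (isArch) { o.triple = t; continue; }
    o.unknown.push_back(t);
  }
  return o;
}

// Turn the parsed options into the llc-style flags of the first command.
std::vector<std::string> toLlcArgs(const ExecNameOpts &o) {
  std::vector<std::string> args;
  if (!o.triple.empty()) { args.push_back("-mtriple"); args.push_back(o.triple); }
  args.push_back("-" + o.optLevel);
  if (o.globalISel) args.push_back("-global-isel");
  return args;
}

int main(int, char **argv) {
  ExecNameOpts o = parseExecName(argv[0]);
  for (const std::string &u : o.unknown)
    std::fprintf(stderr, "unrecognised option in executable name: %s\n", u.c_str());
  for (const std::string &a : toLlcArgs(o))
    std::printf("%s ", a.c_str());
  std::printf("\n");
  return o.unknown.empty() ? 0 : 1;
}
```

<p>Rejecting unknown tokens matters in the OSS Fuzz setting the text describes: a misspelled token in the binary name would otherwise silently fuzz a different configuration than the one the job was meant to cover.</p>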
</div>
<div class="section" id="llvm-opt-fuzzer">
<h3><a class="toc-backref" href="#id16">llvm-opt-fuzzer</a><a class="headerlink" href="#llvm-opt-fuzzer" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference internal" href="#fuzzing-llvm-ir"><span class="std std-ref">structured LLVM IR fuzzer</span></a> aimed at finding bugs in optimization passes.</p>
<p>It receives an optimization pipeline and runs it on each fuzzer input.</p>
<p>The interface of this fuzzer almost directly mirrors <code class="docutils literal notranslate"><span class="pre">llvm-isel-fuzzer</span></code>. Both
the <code class="docutils literal notranslate"><span class="pre">mtriple</span></code> and <code class="docutils literal notranslate"><span class="pre">passes</span></code> arguments are required. Passes are specified in the
format used by the new pass manager. You can find some documentation about
this format in the doxygen for <code class="docutils literal notranslate"><span class="pre">PassBuilder::parsePassPipeline</span></code>.</p>
<div class="highlight-shell notranslate"><div class="highlight"><pre><span></span>% bin/llvm-opt-fuzzer &lt;corpus-dir&gt; -ignore_remaining_args<span class="o">=</span><span class="m">1</span> -mtriple x86_64 -passes instcombine
</pre></div>
</div>
<p>As with <code class="docutils literal notranslate"><span class="pre">llvm-isel-fuzzer</span></code>, the arguments for some predefined configurations
can be embedded directly in the binary file name:</p>
<div class="highlight-shell notranslate"><div class="highlight"><pre><span></span>% bin/llvm-opt-fuzzer--x86_64-instcombine &lt;corpus-dir&gt;
</pre></div>
</div>
</div>
<div class="section" id="llvm-mc-assemble-fuzzer">
<h3><a class="toc-backref" href="#id17">llvm-mc-assemble-fuzzer</a><a class="headerlink" href="#llvm-mc-assemble-fuzzer" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference internal" href="#fuzzing-llvm-generic"><span class="std std-ref">generic fuzzer</span></a> that fuzzes the MC layer’s assemblers by treating inputs as
target specific assembly.</p>
<p>Note that this fuzzer has an unusual command line interface which is not fully
compatible with all of libFuzzer’s features. Fuzzer arguments must be passed
after <code class="docutils literal notranslate"><span class="pre">--fuzzer-args</span></code>, and any <code class="docutils literal notranslate"><span class="pre">llc</span></code> flags must use two dashes. For
example, to fuzz the AArch64 assembler you might use the following command:</p>
<div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">llvm-mc-assemble-fuzzer --triple=aarch64-linux-gnu --fuzzer-args -max_len=4</span>
</pre></div>
</div>
<p>This scheme will likely change in the future.</p>
</div>
<div class="section" id="llvm-mc-disassemble-fuzzer">
<h3><a class="toc-backref" href="#id18">llvm-mc-disassemble-fuzzer</a><a class="headerlink" href="#llvm-mc-disassemble-fuzzer" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference internal" href="#fuzzing-llvm-generic"><span class="std std-ref">generic fuzzer</span></a> that fuzzes the MC layer’s disassemblers by treating inputs
as assembled binary data.</p>
<p>Note that this fuzzer has an unusual command line interface which is not fully
compatible with all of libFuzzer’s features. See the notes above about
<code class="docutils literal notranslate"><span class="pre">llvm-mc-assemble-fuzzer</span></code> for details.</p>
</div>
</div>
<div class="section" id="mutators-and-input-generators">
<h2><a class="toc-backref" href="#id19">Mutators and Input Generators</a><a class="headerlink" href="#mutators-and-input-generators" title="Permalink to this headline">¶</a></h2>
<p>The inputs for a fuzz target are generated via random mutations of a
<a class="reference internal" href="LibFuzzer.html#libfuzzer-corpus"><span class="std std-ref">corpus</span></a>. There are a few options for the kinds of
mutations that a fuzzer in LLVM might want.</p>
<div class="section" id="generic-random-fuzzing">
<span id="fuzzing-llvm-generic"></span><h3><a class="toc-backref" href="#id20">Generic Random Fuzzing</a><a class="headerlink" href="#generic-random-fuzzing" title="Permalink to this headline">¶</a></h3>
<p>The most basic form of input mutation is to use the built in mutators of
LibFuzzer. These simply treat the input corpus as a bag of bits and make random
mutations. This type of fuzzer is good for stressing the surface layers of a
program, and is good at testing things like lexers, parsers, or binary
protocols.</p>
<p>Some of the in-tree fuzzers that use this type of mutator are <a class="reference internal" href="#clang-fuzzer">clang-fuzzer</a>,
<a class="reference internal" href="#clang-format-fuzzer">clang-format-fuzzer</a>, <a class="reference internal" href="#llvm-as-fuzzer">llvm-as-fuzzer</a>, <a class="reference internal" href="#llvm-dwarfdump-fuzzer">llvm-dwarfdump-fuzzer</a>,
<a class="reference internal" href="#llvm-mc-assemble-fuzzer">llvm-mc-assemble-fuzzer</a>, and <a class="reference internal" href="#llvm-mc-disassemble-fuzzer">llvm-mc-disassemble-fuzzer</a>.</p>
</div>
<div class="section" id="structured-fuzzing-using-libprotobuf-mutator">
<span id="fuzzing-llvm-protobuf"></span><h3><a class="toc-backref" href="#id21">Structured Fuzzing using <code class="docutils literal notranslate"><span class="pre">libprotobuf-mutator</span></code></a><a class="headerlink" href="#structured-fuzzing-using-libprotobuf-mutator" title="Permalink to this headline">¶</a></h3>
<p>We can use <a class="reference external" href="https://github.com/google/libprotobuf-mutator">libprotobuf-mutator</a> in order to perform structured fuzzing and
stress deeper layers of programs. This works by defining a protobuf class that
translates arbitrary data into structurally interesting input. Specifically, we
use this to work with a subset of the C++ language and perform mutations that
produce valid C++ programs in order to exercise parts of clang that are more
interesting than parser error handling.</p>
<p>To build this kind of fuzzer you need <a class="reference external" href="https://github.com/google/protobuf">protobuf</a> and its dependencies
installed, and you need to specify some extra flags when configuring the build
with <a class="reference internal" href="CMake.html"><span class="doc">CMake</span></a>. For example, <a class="reference internal" href="#clang-proto-fuzzer">clang-proto-fuzzer</a> can be enabled by
adding <code class="docutils literal notranslate"><span class="pre">-DCLANG_ENABLE_PROTO_FUZZER=ON</span></code> to the flags described in
<a class="reference internal" href="#building-fuzzers"><span class="std std-ref">Configuring LLVM to Build Fuzzers</span></a>.</p>
<p>The only in-tree fuzzer that uses <code class="docutils literal notranslate"><span class="pre">libprotobuf-mutator</span></code> today is
<a class="reference internal" href="#clang-proto-fuzzer">clang-proto-fuzzer</a>.</p>
</div>
<div class="section" id="structured-fuzzing-of-llvm-ir">
<span id="fuzzing-llvm-ir"></span><h3><a class="toc-backref" href="#id22">Structured Fuzzing of LLVM IR</a><a class="headerlink" href="#structured-fuzzing-of-llvm-ir" title="Permalink to this headline">¶</a></h3>
<p>We also use a more direct form of structured fuzzing for fuzzers that take
<a class="reference internal" href="LangRef.html"><span class="doc">LLVM IR</span></a> as input. This is achieved through the <code class="docutils literal notranslate"><span class="pre">FuzzMutate</span></code>
library, which was <a class="reference external" href="https://www.youtube.com/watch?v=UBbQ_s6hNgg">discussed at EuroLLVM 2017</a>.</p>
<p>The <code class="docutils literal notranslate"><span class="pre">FuzzMutate</span></code> library is used to structurally fuzz backends in
<a class="reference internal" href="#llvm-isel-fuzzer">llvm-isel-fuzzer</a>.</p>
</div>
</div>
<div class="section" id="building-and-running">
<h2><a class="toc-backref" href="#id23">Building and Running</a><a class="headerlink" href="#building-and-running" title="Permalink to this headline">¶</a></h2>
<div class="section" id="configuring-llvm-to-build-fuzzers">
<span id="building-fuzzers"></span><h3><a class="toc-backref" href="#id24">Configuring LLVM to Build Fuzzers</a><a class="headerlink" href="#configuring-llvm-to-build-fuzzers" title="Permalink to this headline">¶</a></h3>
<p>Fuzzers will be built and linked to libFuzzer by default as long as you build
LLVM with sanitizer coverage enabled. You would typically also enable at least
one sanitizer to find bugs faster. The most common way to build the fuzzers is
by adding the following two flags to your CMake invocation:
<code class="docutils literal notranslate"><span class="pre">-DLLVM_USE_SANITIZER=Address</span> <span class="pre">-DLLVM_USE_SANITIZE_COVERAGE=On</span></code>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If you have <code class="docutils literal notranslate"><span class="pre">compiler-rt</span></code> checked out in an LLVM tree when building
with sanitizers, you’ll want to specify <code class="docutils literal notranslate"><span class="pre">-DLLVM_BUILD_RUNTIME=Off</span></code>
to avoid building the sanitizers themselves with sanitizers enabled.</p>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>You may run into issues if you build with BFD ld, which is the
default linker on many unix systems. These issues are being tracked
in <a class="reference external" href="https://llvm.org/PR34636">https://llvm.org/PR34636</a>.</p>
</div>
</div>
<div class="section" id="continuously-running-and-finding-bugs">
<h3><a class="toc-backref" href="#id25">Continuously Running and Finding Bugs</a><a class="headerlink" href="#continuously-running-and-finding-bugs" title="Permalink to this headline">¶</a></h3>
<p>There used to be a public buildbot running LLVM fuzzers continuously, and while
this did find issues, it didn’t have a very good way to report problems in an
actionable way. Because of this, we’re moving towards using <a class="reference external" href="https://github.com/google/oss-fuzz">OSS Fuzz</a> more
instead.</p>
<p>You can browse the <a class="reference external" href="https://bugs.chromium.org/p/oss-fuzz/issues/list?q=Proj-llvm">LLVM project issue list</a> for the bugs found by
<a class="reference external" href="https://github.com/google/oss-fuzz/blob/master/projects/llvm">LLVM on OSS Fuzz</a>. These are also mailed to the <a class="reference external" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs">llvm-bugs mailing
list</a>.</p>
</div>
</div>
<div class="section" id="utilities-for-writing-fuzzers">
<h2><a class="toc-backref" href="#id26">Utilities for Writing Fuzzers</a><a class="headerlink" href="#utilities-for-writing-fuzzers" title="Permalink to this headline">¶</a></h2>
<p>There are some utilities available for writing fuzzers in LLVM.</p>
<p>Some helpers for handling the command line interface are available in
<code class="docutils literal notranslate"><span class="pre">include/llvm/FuzzMutate/FuzzerCLI.h</span></code>, including functions to parse command
line options in a consistent way and to implement standalone main functions so
your fuzzer can be built and tested when not built against libFuzzer.</p>
<p>There is also some handling of the CMake config for fuzzers: use
<code class="docutils literal notranslate"><span class="pre">add_llvm_fuzzer</span></code> to set up fuzzer targets. This function works
similarly to <code class="docutils literal notranslate"><span class="pre">add_llvm_tool</span></code>, but it also takes care of linking
to LibFuzzer when appropriate and can be passed the <code class="docutils literal notranslate"><span class="pre">DUMMY_MAIN</span></code> argument to
enable standalone testing.</p>
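<p>The following is an added example, not code from the LLVM tree or from <code class="docutils literal notranslate"><span class="pre">FuzzerCLI.h</span></code>. It shows the shape of a libFuzzer target together with the kind of standalone driver that <code class="docutils literal notranslate"><span class="pre">DUMMY_MAIN</span></code> stands in for, so the target can be run over corpus files or a crash reproducer without linking libFuzzer. The TLV record format, the parser under test and the sample inputs are constructed for this example; <code class="docutils literal notranslate"><span class="pre">LLVMFuzzerTestOneInput</span></code> is the real libFuzzer entry point.</p>

```cpp
// Added example; not code from the LLVM tree. It shows the shape of a libFuzzer
// target together with the kind of standalone driver the DUMMY_MAIN option of
// add_llvm_fuzzer supplies, so the target can be built and exercised on a
// corpus or a crash file without linking libFuzzer. The record format and the
// sample inputs are constructed for this example.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <vector>

// Code under test: a parser for a TLV byte format, [tag][len][len bytes]...
// Returns the number of records, or -1 for a malformed input. Every read is
// checked against `size`; those checks are exactly what a bag-of-bits mutator
// exercises by truncating inputs and corrupting length fields.
int parseRecords(const uint8_t *data, size_t size) {
  size_t pos = 0;
  int count = 0;
  while (pos < size) {
    if (size - pos < 2)
      return -1;                   // header truncated
    uint8_t len = data[pos + 1];
    pos += 2;
    if (len > size - pos)
      return -1;                   // payload would run past the buffer
    pos += len;
    ++count;
  }
  return count;
}
int parseRecords(const std::vector<uint8_t> &in) {
  return parseRecords(in.data(), in.size());
}

// The entry point libFuzzer calls for each mutated input. It must accept any
// byte string, including the empty one, and return 0; a crash or sanitizer
// report inside it is the signal the fuzzer is looking for.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  parseRecords(Data, Size);
  return 0;
}

// Standalone driver: run each input through the target exactly once and
// report how many ran. This stands in for libFuzzer's mutation loop.
int runFuzzerOnInputs(const std::vector<std::vector<uint8_t>> &inputs) {
  int ran = 0;
  for (const std::vector<uint8_t> &in : inputs) {
    LLVMFuzzerTestOneInput(in.data(), in.size());
    ++ran;
  }
  return ran;
}

// Constructed seed corpus: empty input, one well-formed record, and one
// whose length field claims more bytes than are present.
std::vector<std::vector<uint8_t>> sampleInputs() {
  return {{}, {1, 2, 0xAA, 0xBB}, {1, 5, 0xAA}};
}

// Without libFuzzer, the files named on the command line (corpus entries or a
// crash reproducer) are the inputs; with none, the built-in samples are used.
int main(int argc, char **argv) {
  std::vector<std::vector<uint8_t>> inputs = sampleInputs();
  if (argc > 1) {
    inputs.clear();
    for (int i = 1; i < argc; ++i) {
      std::ifstream f(argv[i], std::ios::binary);
      inputs.emplace_back(std::istreambuf_iterator<char>(f),
                          std::istreambuf_iterator<char>());
    }
  }
  std::printf("ran %d inputs\n", runFuzzerOnInputs(inputs));
  return 0;
}
```

<p>Built with <code class="docutils literal notranslate"><span class="pre">-fsanitize=address</span></code>, this standalone form is how a crash file reported by OSS Fuzz is reproduced and bisected before the fix lands; the same <code class="docutils literal notranslate"><span class="pre">LLVMFuzzerTestOneInput</span></code> is what libFuzzer drives when the target is linked against it.</p>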
</div>
</div>


            <div class="clearer"></div>
          </div>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="footer" role="contentinfo">
        &#169; Copyright 2003-2021, LLVM Project.
      Last updated on 2021-09-18.
      Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 3.5.4.
    </div>
  </body>
</html>