| author | Emmett Neyman <eneyman@google.com> | 2018-08-16 20:13:40 +0000 |
|---|---|---|
| committer | Emmett Neyman <eneyman@google.com> | 2018-08-16 20:13:40 +0000 |
| commit | 70657f65efbd0bc220dbc9eb010d70ab2ce03bbe (patch) | |
| tree | 18835cab634ea7777d19446a70d23dd0bcb833d9 /clang/tools | |
| parent | fa9f78553a5033a9a073164a931b4fd47f446702 (diff) | |
| download | bcm5719-llvm-70657f65efbd0bc220dbc9eb010d70ab2ce03bbe.tar.gz bcm5719-llvm-70657f65efbd0bc220dbc9eb010d70ab2ce03bbe.zip | |
Update README and Dockerfile to include llvm-proto-fuzzer
Summary: Added commands to Dockerfile to build llvm-proto-fuzzer and the other related tools. Also added a section to the bottom of the README describing what llvm-proto-fuzzer does and how to run it.
Reviewers: morehouse, kcc
Reviewed By: morehouse
Subscribers: cfe-commits, llvm-commits
Differential Revision: https://reviews.llvm.org/D50829
llvm-svn: 339933
Diffstat (limited to 'clang/tools')
| -rw-r--r-- | clang/tools/clang-fuzzer/Dockerfile | 4 |
| -rw-r--r-- | clang/tools/clang-fuzzer/README.txt | 34 |
2 files changed, 38 insertions, 0 deletions
diff --git a/clang/tools/clang-fuzzer/Dockerfile b/clang/tools/clang-fuzzer/Dockerfile index 1946b8bf88d..9f6336c4798 100644 --- a/clang/tools/clang-fuzzer/Dockerfile +++ b/clang/tools/clang-fuzzer/Dockerfile @@ -35,3 +35,7 @@ RUN mkdir build1 && cd build1 && cmake -GNinja -DCMAKE_BUILD_TYPE=Release ../llv RUN cd build1 && ninja clang-fuzzer RUN cd build1 && ninja clang-proto-fuzzer RUN cd build1 && ninja clang-proto-to-cxx +RUN cd build1 && ninja clang-loop-proto-to-cxx +RUN cd build1 && ninja clang-loop-proto-to-llvm +RUN cd build1 && ninja clang-loop-proto-fuzzer +RUN cd build1 && ninja clang-llvm-proto-fuzzer diff --git a/clang/tools/clang-fuzzer/README.txt b/clang/tools/clang-fuzzer/README.txt index 66a6a6332cd..9c25afdb22a 100644 --- a/clang/tools/clang-fuzzer/README.txt +++ b/clang/tools/clang-fuzzer/README.txt 
@@ -80,3 +80,37 @@ custom optimization level and target triple: To translate a clang-proto-fuzzer corpus output to C++: bin/clang-proto-to-cxx CORPUS_OUTPUT_FILE + +=================== + llvm-proto-fuzzer +=================== +Like, clang-proto-fuzzer, llvm-proto-fuzzer is also a protobuf-mutator based +fuzzer. It receives as input a cxx_loop_proto which it then converts into a +string of valid LLVM IR: a function with either a single loop or two nested +loops. It then creates a new string of IR by running optimization passes over +the original IR. Currently, it only runs a loop-vectorize pass but more passes +can easily be added to the fuzzer. Once there are two versions of the input +function (optimized and not), llvm-proto-fuzzer uses LLVM's JIT Engine to +compile both functions. Lastly, it runs both functions on a suite of inputs and +checks that both functions behave the same on all inputs. In this way, +llvm-proto-fuzzer can find not only compiler crashes, but also miscompiles +originating from LLVM's optimization passes. + +llvm-proto-fuzzer is built very similarly to clang-proto-fuzzer. You can run the +fuzzer with the following command: + bin/clang-llvm-proto-fuzzer CORPUS_DIR + +To translate a cxx_loop_proto file into LLVM IR do: + bin/clang-loop-proto-to-llvm CORPUS_OUTPUT_FILE +To translate a cxx_loop_proto file into C++ do: + bin/clang-loop-proto-to-cxx CORPUS_OUTPUT_FILE + +Note: To get a higher number of executions per second with llvm-proto-fuzzer it +helps to build it without ASan instrumentation and with the -O2 flag. Because +the fuzzer is not only compiling code, but also running it, as the inputs get +large, the time necessary to fuzz one input can get very high. +Example: + cmake .. -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ \ + -DCLANG_ENABLE_PROTO_FUZZER=ON -DLLVM_USE_SANITIZE_COVERAGE=YES \ + -DCMAKE_CXX_FLAGS="-O2" + ninja clang-llvm-proto-fuzzer clang-loop-proto-to-llvm |
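Review bot: the four new `RUN cd build1 && ninja <target>` lines in the Dockerfile hunk each add an image layer and re-enter build1 for work ninja can do in one invocation; consider collapsing them (together with the existing clang-fuzzer, clang-proto-fuzzer and clang-proto-to-cxx lines) into a single `RUN cd build1 && ninja clang-fuzzer clang-proto-fuzzer clang-proto-to-cxx clang-loop-proto-to-cxx clang-loop-proto-to-llvm clang-loop-proto-fuzzer clang-llvm-proto-fuzzer`, which is the form the README hunk itself uses (`ninja clang-llvm-proto-fuzzer clang-loop-proto-to-llvm`). The README text in the same patch also says llvm-proto-fuzzer gets far more executions per second when built without ASan and with -O2, yet the Dockerfile builds it in the same build1 tree as the sanitizer-oriented fuzzers; the cmake line for build1 is cut off here so its sanitizer settings cannot be read from the hunk, but if build1 is instrumented a one-line comment above these targets saying that the image favours crash detection over throughput would save readers from filing slow runs as a bug.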
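Review bot: the build example at the end of the README hunk omits `-DCMAKE_BUILD_TYPE` and relies on `-DCMAKE_CXX_FLAGS="-O2"` instead, so a reader who copies it gets LLVM's default build type (Debug, with assertions on) and the per-configuration flags appended after -O2; since the note above only asks for no ASan and -O2, `-DCMAKE_BUILD_TYPE=Release` states that intent directly and matches the `-DCMAKE_BUILD_TYPE=Release` already used for build1 in the Dockerfile hunk. Two smaller points: `Like, clang-proto-fuzzer, llvm-proto-fuzzer` has a stray comma after `Like`; and because the paragraph warns that time per input grows with input size (the fuzzer executes the JIT-compiled code rather than only compiling it), it should tell the reader how to bound that, for example with libFuzzer's `-max_len` or `-timeout` flags, otherwise the warning leaves them with no action to take.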