[llvm-bugs] [Bug 33829] New: implement a structured clang-fuzzer (aka clang-proto-fuzzer)

via llvm-bugs llvm-bugs at lists.llvm.org
Mon Jul 17 17:12:07 PDT 2017


https://bugs.llvm.org/show_bug.cgi?id=33829

            Bug ID: 33829
           Summary: implement a structured clang-fuzzer (aka
                    clang-proto-fuzzer)
           Product: new-bugs
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: new bugs
          Assignee: mascasa at google.com
          Reporter: kcc at google.com
                CC: llvm-bugs at lists.llvm.org

Created attachment 18812
  --> https://bugs.llvm.org/attachment.cgi?id=18812&action=edit
cxx_proto.proto

I have a prototype of a "structured" fuzzer for clang based on
https://github.com/google/libprotobuf-mutator
and tools/clang/tools/clang-fuzzer/ClangFuzzer.cpp.
The idea is that we describe a subset of C++ as a protobuf,
implement a protobuf=>C++ serialization, and mutate the protobufs
during guided fuzzing.

The prototype has already discovered several bugs: 
  https://bugs.llvm.org/show_bug.cgi?id=33747
  https://bugs.llvm.org/show_bug.cgi?id=33749
  https://bugs.llvm.org/show_bug.cgi?id=33494

and so it's time to make it available in LLVM trunk. 

The tricky part is that this fuzzer depends on code that
is not part of the regular LLVM tree nor its regular deps.
We'll need: 
  * relatively recent libprotobuf-dev
  * fresh libprotobuf-mutator

I propose to implement clang-proto-fuzzer under a cmake flag (off by default),
so that the default build doesn't depend on
libprotobuf-dev/libprotobuf-mutator.
(An alternative is to drag this code into the LLVM tree, which is highly 
unpleasant). 

I suggest adding ClangProtoFuzzer.cpp adjacent to ClangFuzzer.cpp
(both should probably share some code) and adding separate files:
  * proto description for a C++-like language
  * proto=>C++ serialization code
  * simple driver to convert a proto to C++
My prototypes for these are attached.


ClangProtoFuzzer will need to support LLVM flags (via libFuzzer's
-ignore_remaining_args=1)
so that we can fuzz non-default configurations (e.g. non-default '-triple').

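The approach the report describes (a protobuf-style schema for a C++ subset, a proto=>C++ serializer, and mutation of the message tree rather than of source text), as an added, self-contained C++ example. This is not the attached cxx_proto.proto or the prototype's code: hand-written structs stand in for the classes protoc would generate, a hand-rolled `Mutate` stands in for libprotobuf-mutator, and the three-variable pool, the `foo` signature and the operator set are illustrative choices so that the block compiles without any protobuf dependency.

```cpp
// Added example, not the attached prototype: hand-written structs stand in
// for protoc-generated message classes and Mutate() for libprotobuf-mutator.
#include <algorithm>
#include <memory>
#include <random>
#include <sstream>
#include <string>
#include <vector>

struct Expr;
using ExprPtr = std::shared_ptr<Expr>;

// Stand-in for: message Expr { oneof { int32 cst; uint32 var; BinaryOp bin; } }
struct Expr {
  enum Kind { CONST, VAR, BINOP } kind = CONST;
  enum Op { ADD, SUB, MUL, LT } op = ADD;
  int cst = 0;         // CONST: literal value
  unsigned var = 0;    // VAR: index into the fixed variable pool
  ExprPtr lhs, rhs;    // BINOP operands; a missing one serializes as "1"
};

// Stand-in for: message Stmt { oneof { Assign; If; While } }
struct Stmt {
  enum Kind { ASSIGN, IF, WHILE } kind = ASSIGN;
  unsigned target = 0;     // ASSIGN: variable written
  ExprPtr expr;            // ASSIGN rhs, or IF/WHILE condition
  std::vector<Stmt> body;  // IF/WHILE body
};

struct Function { std::vector<Stmt> stmts; };

// Small constructors so the sample tree below stays readable.
ExprPtr Const(int v) { auto e = std::make_shared<Expr>(); e->cst = v; return e; }
ExprPtr Var(unsigned v) { auto e = std::make_shared<Expr>(); e->kind = Expr::VAR; e->var = v; return e; }
ExprPtr Bin(Expr::Op op, ExprPtr l, ExprPtr r) {
  auto e = std::make_shared<Expr>();
  e->kind = Expr::BINOP; e->op = op; e->lhs = l; e->rhs = r;
  return e;
}

// Variables come from a fixed pool (assumption), so every use is declared.
static const char* VarName(unsigned v) {
  static const char* kNames[] = {"a", "b", "c"};
  return kNames[v % 3];
}

// proto => C++ serialization: every tree maps to syntactically valid C++,
// which is what lets the fuzzer exercise clang beyond the lexer and parser.
std::string ExprToCxx(const Expr& e) {
  switch (e.kind) {
    case Expr::CONST: return std::to_string(e.cst);
    case Expr::VAR:   return VarName(e.var);
    case Expr::BINOP: {
      static const char* kOps[] = {"+", "-", "*", "<"};
      std::string l = e.lhs ? ExprToCxx(*e.lhs) : "1";
      std::string r = e.rhs ? ExprToCxx(*e.rhs) : "1";
      return "(" + l + " " + kOps[e.op] + " " + r + ")";
    }
  }
  return "1";
}

static void StmtToCxx(const Stmt& s, std::ostringstream& out, int depth) {
  std::string pad(depth * 2, ' ');
  std::string e = s.expr ? ExprToCxx(*s.expr) : "1";
  if (s.kind == Stmt::ASSIGN) { out << pad << VarName(s.target) << " = " << e << ";\n"; return; }
  out << pad << (s.kind == Stmt::IF ? "if (" : "while (") << e << ") {\n";
  for (const Stmt& child : s.body) StmtToCxx(child, out, depth + 1);
  out << pad << "}\n";
}

std::string FunctionToCxx(const Function& f) {
  std::ostringstream out;
  out << "void foo(int a, int b, int c) {\n";
  for (const Stmt& s : f.stmts) StmtToCxx(s, out, 1);
  out << "}\n";
  return out.str();
}

// Structure-aware mutation edits the tree, never the text, so no mutant can
// be rejected as a syntax error. Depth is bounded to keep trees finite.
ExprPtr RandomExpr(std::mt19937& rng, int depth) {
  if (depth > 0 && rng() % 2)
    return Bin(static_cast<Expr::Op>(rng() % 4), RandomExpr(rng, depth - 1), RandomExpr(rng, depth - 1));
  return rng() % 2 ? Var(rng() % 3) : Const(static_cast<int>(rng() % 100));
}

void Mutate(Function& f, std::mt19937& rng) {
  Stmt s;
  s.kind = static_cast<Stmt::Kind>(rng() % 3);
  s.target = rng() % 3;
  s.expr = RandomExpr(rng, 2);
  if (s.kind != Stmt::ASSIGN) {  // control flow gets one body statement
    Stmt inner; inner.target = rng() % 3; inner.expr = RandomExpr(rng, 1);
    s.body.push_back(inner);
  }
  size_t pos = rng() % (f.stmts.size() + 1);  // insert anywhere, not only append
  f.stmts.insert(f.stmts.begin() + pos, s);
}

// Constructed sample tree: a = b + 3; if (a < c) { c = a * 2; }
Function SampleFunction() {
  Function f;
  Stmt assign; assign.target = 0; assign.expr = Bin(Expr::ADD, Var(1), Const(3));
  Stmt inner;  inner.target = 2;  inner.expr = Bin(Expr::MUL, Var(0), Const(2));
  Stmt cond;   cond.kind = Stmt::IF; cond.expr = Bin(Expr::LT, Var(0), Var(2));
  cond.body.push_back(inner);
  f.stmts = {assign, cond};
  return f;
}

// Applies `rounds` mutations from a fixed seed and serializes the result.
std::string MutatedSample(unsigned seed, int rounds) {
  std::mt19937 rng(seed);
  Function f = SampleFunction();
  for (int i = 0; i < rounds; ++i) Mutate(f, rng);
  return FunctionToCxx(f);
}

bool BracesBalanced(const std::string& src) {
  return std::count(src.begin(), src.end(), '{') == std::count(src.begin(), src.end(), '}');
}
```

In a real target the string from `FunctionToCxx` would be handed to the same clang invocation ClangFuzzer.cpp drives; here the checks only confirm that every mutant stays brace-balanced and that mutation is reproducible from a seed, which is the property that separates this approach from byte-level mutation of source text. Unbounded `while` loops in the output are harmless because the generated code is only compiled, never executed.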