<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - implement a structured clang-fuzzer (aka clang-proto-fuzzer)"
   href="https://bugs.llvm.org/show_bug.cgi?id=33829">33829</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>implement a structured clang-fuzzer (aka clang-proto-fuzzer)
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>new-bugs
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>new bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>mascasa@google.com
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>kcc@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=18812" name="attach_18812" title="cxx_proto.proto">attachment 18812</a> <a href="attachment.cgi?id=18812&action=edit" title="cxx_proto.proto">[details]</a></span>
cxx_proto.proto

I have a prototype of a "structured" fuzzer for clang based on 
<a href="https://github.com/google/libprotobuf-mutator">https://github.com/google/libprotobuf-mutator</a>
and tools/clang/tools/clang-fuzzer/ClangFuzzer.cpp. 
The idea is that we describe a subset of C++ as a protobuf, 
implement a protobuf=>C++ serialization, and mutate the protobufs
during guided fuzzing. 

The prototype has already discovered several bugs: 
  <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - use-after-poison in llvm::SelectionDAG::Combine"
   href="show_bug.cgi?id=33747">https://bugs.llvm.org/show_bug.cgi?id=33747</a>
  <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - fatal error: error in backend: Cannot select: t195: i1 = add t192, t194 (in HexagonDAGToDAGISel::Select)"
   href="show_bug.cgi?id=33749">https://bugs.llvm.org/show_bug.cgi?id=33749</a>
  <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - SelectionDAGISel::CodeGenAndEmitDAG takes 3 minutes to compile 11 lines of C++,"
   href="show_bug.cgi?id=33494">https://bugs.llvm.org/show_bug.cgi?id=33494</a>

and so it's time to make it available in LLVM trunk. 

The tricky part is that this fuzzer depends on code that
is not part of the regular LLVM tree nor its regular deps. 
We'll need: 
  * relatively recent libprotobuf-dev
  * fresh libprotobuf-mutator

I propose to implement clang-proto-fuzzer under a cmake flag (off by default),
so that the default build doesn't depend on
libprotobuf-dev/libprotobuf-mutator.
(An alternative is to drag this code into the LLVM tree, which is highly 
unpleasant). 

I suggest adding ClangProtoFuzzer.cpp adjacent to ClangFuzzer.cpp
(both should probably share some code) and adding separate files: 
  * proto description for C++-like language. 
  * proto=>C++ serialization code. 
  * simple driver to convert a proto to C++ 
My prototypes for these are attached. 


ClangProtoFuzzer will need to support LLVM flags (via libFuzzer's
-ignore_remaining_args=1)
so that we can fuzz non-default configurations (e.g. non-default '-triple').</pre>
        </div>
      </p>
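<p>An added example of the proto=>C++ serialization step described above; it is not the attached cxx_proto.proto nor LLVM's own clang-proto-fuzzer code. Plain C++ structs stand in for the protobuf messages (a std::variant plays the role of a proto oneof, a std::vector of a repeated field), and ToCxx() prints a tree as source so that whatever the mutator does to the tree, the output is always syntactically valid C++. The language subset (array variables a[i], constants, binary ops, assignment, if/else, while), the index modulo, and the generated function signature are my assumptions; the mutation itself, which libprotobuf-mutator performs on the messages, is not shown.</p>

```cpp
// Added example (hypothetical): plain structs standing in for the protobuf
// messages a structured clang fuzzer mutates, plus the proto => C++ printer.
#include <memory>
#include <string>
#include <variant>
#include <vector>
struct Expr;
using ExprPtr = std::shared_ptr<Expr>;
struct Const { int value; };
struct VarRef { unsigned index; };                // printed as a[index % 100]
struct BinaryOp { char op; ExprPtr lhs, rhs; };
struct Expr { std::variant<Const, VarRef, BinaryOp> node; };  // like a proto oneof
struct Stmt;
using StmtSeq = std::vector<Stmt>;                // like a repeated field
struct Assign { VarRef lhs; ExprPtr rhs; };
struct IfElse { ExprPtr cond; StmtSeq then_body, else_body; };
struct While { ExprPtr cond; StmtSeq body; };
struct Stmt { std::variant<Assign, IfElse, While> node; };

// Every node kind has exactly one printing rule, so the output is always
// well-formed C++ no matter how the mutator rearranges the tree.
std::string Var(const VarRef& v) { return "a[" + std::to_string(v.index % 100) + "]"; }
std::string ToCxx(const Expr& e) {
  if (auto* c = std::get_if<Const>(&e.node)) return std::to_string(c->value);
  if (auto* v = std::get_if<VarRef>(&e.node)) return Var(*v);
  const auto& b = std::get<BinaryOp>(e.node);
  return "(" + ToCxx(*b.lhs) + " " + b.op + " " + ToCxx(*b.rhs) + ")";
}
std::string ToCxx(const StmtSeq& seq);
std::string ToCxx(const Stmt& s) {
  if (auto* a = std::get_if<Assign>(&s.node))
    return Var(a->lhs) + " = " + ToCxx(*a->rhs) + ";\n";
  if (auto* i = std::get_if<IfElse>(&s.node))
    return "if (" + ToCxx(*i->cond) + ") {\n" + ToCxx(i->then_body) +
           "} else {\n" + ToCxx(i->else_body) + "}\n";
  const auto& w = std::get<While>(s.node);
  return "while (" + ToCxx(*w.cond) + ") {\n" + ToCxx(w.body) + "}\n";
}
std::string ToCxx(const StmtSeq& seq) { std::string out; for (const auto& s : seq) out += ToCxx(s); return out; }
// Top-level message: one function whose body is the statement sequence.
std::string FunctionToCxx(const StmtSeq& body) { return "void foo(int *a) {\n" + ToCxx(body) + "}\n"; }

// Constructed sample tree (the kind of input the fuzzer would mutate).
ExprPtr C(int v) { return std::make_shared<Expr>(Expr{Const{v}}); }
ExprPtr V(unsigned i) { return std::make_shared<Expr>(Expr{VarRef{i}}); }
ExprPtr Bin(char op, ExprPtr l, ExprPtr r) { return std::make_shared<Expr>(Expr{BinaryOp{op, l, r}}); }
std::string SampleProgram() {
  StmtSeq body{Stmt{Assign{VarRef{0}, C(1)}},
               Stmt{While{Bin('<', V(0), C(10)), {Stmt{Assign{VarRef{0}, Bin('+', V(0), V(1))}}}}}};
  return FunctionToCxx(body);
}
```

<p>Feeding the printed string to the clang front end in place of raw bytes is what makes the fuzzer "structured": coverage-guided mutation happens on the tree, and the front end never rejects the input for a syntax error.</p>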


    </body>
</html>