<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
text-align:justify;
text-justify:inter-ideograph;
font-size:10.5pt;
font-family:DengXian;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin:0cm;
text-align:justify;
text-justify:inter-ideograph;
text-indent:21.0pt;
font-size:10.5pt;
font-family:DengXian;}
.MsoChpDefault
{mso-style-type:export-only;}
/* Page Definitions */
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1251695275;
mso-list-type:hybrid;
mso-list-template-ids:1325167486 -1 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:39.0pt;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-text:"%2\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:63.0pt;
text-indent:-21.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:84.0pt;
text-indent:-21.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:105.0pt;
text-indent:-21.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-text:"%5\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:126.0pt;
text-indent:-21.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:147.0pt;
text-indent:-21.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:168.0pt;
text-indent:-21.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-text:"%8\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:189.0pt;
text-indent:-21.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:210.0pt;
text-indent:-21.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="ZH-CN" link="blue" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi Johannes,</span></p>
<p class="MsoNormal"><span lang="EN-US"> Glad to hear from you! I understand that the title listed in the llvm GSoC 2021 webpage serves as a general guideline but a project proposal might need limit its scope and focus on the deliverables. The ideas proposed
all seems quite appealing and relevant to me. I</span>’<span lang="EN-US">ve been browsing through llvm.rog/docs/FuzzingLLVM.html and llvm-project/*/tools/*-fuzzer recently as well as the youtube video that you mentioned on the GSoC site. The following are
some questions I’ve accumulated. (forgive me if they are too naïve…).</span></p>
<p class="MsoListParagraph" style="margin-left:39.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">Truth to be told, I</span>’<span lang="EN-US">ve used OpenMP before for my course project, but I haven</span>’<span lang="EN-US">t look into the inner workings of it, e.g. how it actually instruments programs
decorated with #pragma, and how it interact with the OS</span>’<span lang="EN-US">s threading. If llvm</span>’<span lang="EN-US">s OpenMP implementation hasn</span>’<span lang="EN-US">t been fuzzed before, then it surely is a valuable fuzz target. Could you
give some clue on how we could fuzz OpenMP? Like writing a parser for fuzzer input and calling openmp library function in LLVMFuzzOneInput function? Or we fuzz it through clang? I</span>’<span lang="EN-US">ll look into llvm-project/openmp some more.</span></p>
<p class="MsoListParagraph" style="margin-left:39.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">For the custom mutator idea. My understanding is that currently there are 2 kinds of mutators, the generic one that is shipped with LibFuzzer (Bit flipping, splicing, etc.), and a structural mutator. Is the
structural mutator related to IRMutator.cpp in the FuzzMutate folder?</span></p>
<p class="MsoListParagraph" style="margin-left:39.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">Most of the bugs found by fuzzers are usually crashes or hangs. Correctness testing is interesting but hard to achieve from my limited knowledge. I wonder if this is related to the
</span>‘<span lang="EN-US">Alive</span>’<span lang="EN-US"> tool mentioned by Florian? The fuzzer provides input to some llvm pass, and
</span>‘<span lang="EN-US">Alive</span>’<span lang="EN-US"> will verify that the transformation is valid. Please correct me if my understanding is wrong</span>…</p>
<p class="MsoNormal" style="text-indent:21.0pt"><span lang="EN-US">To be honest, previous llvm passes I wrote are out tree passes. I’ve just setuped my machine, built llvm configured with fuzzer support, and started fiddling around lately. I have a rough picture
of what each idea is about, but it would take some preparation work for me to split them into incremental steps and deliverables. Since it’s still early in the application process, I wonder if you can spare me some time researching the ideas that you proposed
and making inquiries before finally deciding on my project proposal? </span><span lang="EN-US" style="font-family:"Segoe UI Emoji",sans-serif">😊</span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-indent:21.0pt"><span lang="EN-US">I am living in Shanghai, in the GMT+8 time zone. How about 15:00 tommorrow (March. 10), or 13:30 on Friday afternoon (March. 12)? I am not sure which time zone you are located in, so feel free
to propose another time slot if the prior two are not convenient for you (later that day or on weekends are both fine). Hope to have a chat with you soon.</span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Cheers,</span></p>
<p class="MsoNormal"><span lang="EN-US">Chibin Zhang</span></p>
<p class="MsoNormal"><span lang="EN-US">2021.3.9</span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div style="mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="border:none;padding:0cm"><b>发件人<span lang="EN-US">: </span>
</b><span lang="EN-US"><a href="mailto:johannesdoerfert@gmail.com">Johannes Doerfert</a><br>
</span><b>发送时间<span lang="EN-US">: </span></b><span lang="EN-US">2021</span>年<span lang="EN-US">3</span>月<span lang="EN-US">9</span>日<span lang="EN-US"> 7:17<br>
</span><b>收件人<span lang="EN-US">: </span></b><span lang="EN-US"><a href="mailto:florian_hahn@apple.com">Florian Hahn</a>;
<a href="mailto:llvm-dev@lists.llvm.org">llvm-dev</a><br>
</span><b>抄送<span lang="EN-US">: </span></b><span lang="EN-US"><a href="mailto:zhangchb1@shanghaitech.edu.cn"><span lang="EN-US"><span lang="EN-US">张驰斌</span></span></a>;
<a href="mailto:regehr@cs.utah.edu">John Regehr</a><br>
</span><b>主题<span lang="EN-US">: </span></b><span lang="EN-US">Re: [llvm-dev] Applying for GSoC 2021(Fuzzing LLVM-IR Passes)</span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:SimSun"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Having Alive2 as oracle would certainly be great.</span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Some rough ideas that can be worked on in parallel if we have multiple
</span></p>
<p class="MsoNormal"><span lang="EN-US">GSoC students:</span></p>
<p class="MsoNormal"><span lang="EN-US"> - mutation rules we know are sound, e.g., remove guarantees, add 1
</span></p>
<p class="MsoNormal"><span lang="EN-US">iteration loops, etc.</span></p>
<p class="MsoNormal"><span lang="EN-US"> - input generation, equivalence checking (alive, partial evaluation, ...)</span></p>
<p class="MsoNormal"><span lang="EN-US"> - fragment extraction from larger codes + input tracking ->
</span></p>
<p class="MsoNormal"><span lang="EN-US">reproducer splitting, faster equivalence checking, ...</span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We certainly can come up with more things.</span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Would either or both of your (or anyone else) be interested in
</span></p>
<p class="MsoNormal"><span lang="EN-US">co-mentoring students?</span></p>
<p class="MsoNormal"><span lang="EN-US">We have multiple interested ones already, even though my project
</span></p>
<p class="MsoNormal"><span lang="EN-US">description is lacking any detail.</span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">~ Johannes</span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">On 3/8/21 3:34 PM, Florian Hahn wrote:</span></p>
<p class="MsoNormal"><span lang="EN-US">><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">>> On Mar 8, 2021, at 20:26, John Regehr via llvm-dev <llvm-dev@lists.llvm.org> wrote:</span></p>
<p class="MsoNormal"><span lang="EN-US">>><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">>> Hi folks, an angle related to IR fuzzing that I would be happy to help out with is using Alive2 as a test oracle.</span></p>
<p class="MsoNormal"><span lang="EN-US">>><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">>> Using Alive2 incurs a set of problems (not all IR features supported, can be very slow) but has corresponding advantages (considers all inputs at once, handles UB gracefully).</span></p>
<p class="MsoNormal"><span lang="EN-US">>><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">> If anyone</span>’<span lang="EN-US">s interested in combing LLVM</span>’<span lang="EN-US">s libFuzzer & Alive2, I</span>’<span lang="EN-US">ve put up https://reviews.llvm.org/D96654 which uses Alive2 to verify candidates
generated by fuzzing. It works out quite well, but I think there</span>’<span lang="EN-US">s lots of potential to improve the
</span>‘<span lang="EN-US">interestingness</span>’<span lang="EN-US"> of the IR generated by libFuzzer.</span></p>
<p class="MsoNormal"><span lang="EN-US">><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">> Cheers,</span></p>
<p class="MsoNormal"><span lang="EN-US">> Florian</span></p>
<p class="MsoNormal"><span lang="EN-US">><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
</body>
</html>