FuzzingLLVM.rst 9.95 KB

Fuzzing LLVM libraries and tools

Introduction

The LLVM tree includes a number of fuzzers for various components. These are built on top of :doc:`LibFuzzer <LibFuzzer>`. In order to build and run these fuzzers, see :ref:`building-fuzzers`.

Available Fuzzers

clang-fuzzer

A |generic fuzzer| that tries to compile textual input as C++ code. Some of the bugs this fuzzer has reported are on bugzilla and on OSS Fuzz's tracker.

clang-proto-fuzzer

A |protobuf fuzzer| that compiles valid C++ programs generated from a protobuf class that describes a subset of the C++ language.

This fuzzer accepts clang command line options after ignore_remaining_args=1. For example, the following command will fuzz clang with a higher optimization level:

% bin/clang-proto-fuzzer <corpus-dir> -ignore_remaining_args=1 -O3

clang-format-fuzzer

A |generic fuzzer| that runs clang-format on C++ text fragments. Some of the bugs this fuzzer has reported are on bugzilla and on OSS Fuzz's tracker.

llvm-as-fuzzer

A |generic fuzzer| that tries to parse text as :doc:`LLVM assembly <LangRef>`. Some of the bugs this fuzzer has reported are on bugzilla.

llvm-dwarfdump-fuzzer

A |generic fuzzer| that interprets inputs as object files and runs :doc:`llvm-dwarfdump <CommandGuide/llvm-dwarfdump>` on them. Some of the bugs this fuzzer has reported are on OSS Fuzz's tracker

llvm-demangle-fuzzer

A |generic fuzzer| for the Itanium demangler used in various LLVM tools. We've fuzzed __cxa_demangle to death, why not fuzz LLVM's implementation of the same function!

llvm-isel-fuzzer

A |LLVM IR fuzzer| aimed at finding bugs in instruction selection.

This fuzzer accepts flags after ignore_remaining_args=1. The flags match those of :doc:`llc <CommandGuide/llc>` and the triple is required. For example, the following command would fuzz AArch64 with :doc:`GlobalISel/index`:

% bin/llvm-isel-fuzzer <corpus-dir> -ignore_remaining_args=1 -mtriple aarch64 -global-isel -O0

Some flags can also be specified in the binary name itself in order to support OSS Fuzz, which has trouble with required arguments. To do this, you can copy or move llvm-isel-fuzzer to llvm-isel-fuzzer--x-y-z, separating options from the binary name using "--". The valid options are architecture names (aarch64, x86_64), optimization levels (O0, O2), or specific keywords, like gisel for enabling global instruction selection. In this mode, the same example could be run like so:

% bin/llvm-isel-fuzzer--aarch64-O0-gisel <corpus-dir>

llvm-opt-fuzzer

A |LLVM IR fuzzer| aimed at finding bugs in optimization passes.

It receives optimzation pipeline and runs it for each fuzzer input.

Interface of this fuzzer almost directly mirrors llvm-isel-fuzzer. Both mtriple and passes arguments are required. Passes are specified in a format suitable for the new pass manager. You can find some documentation about this format in the doxygen for PassBuilder::parsePassPipeline.

% bin/llvm-opt-fuzzer <corpus-dir> -ignore_remaining_args=1 -mtriple x86_64 -passes instcombine

Similarly to the llvm-isel-fuzzer arguments in some predefined configurations might be embedded directly into the binary file name:

% bin/llvm-opt-fuzzer--x86_64-instcombine <corpus-dir>

llvm-mc-assemble-fuzzer

A |generic fuzzer| that fuzzes the MC layer's assemblers by treating inputs as target specific assembly.

Note that this fuzzer has an unusual command line interface which is not fully compatible with all of libFuzzer's features. Fuzzer arguments must be passed after --fuzzer-args, and any llc flags must use two dashes. For example, to fuzz the AArch64 assembler you might use the following command:

llvm-mc-fuzzer --triple=aarch64-linux-gnu --fuzzer-args -max_len=4

This scheme will likely change in the future.

llvm-mc-disassemble-fuzzer

A |generic fuzzer| that fuzzes the MC layer's disassemblers by treating inputs as assembled binary data.

Note that this fuzzer has an unusual command line interface which is not fully compatible with all of libFuzzer's features. See the notes above about llvm-mc-assemble-fuzzer for details.

Mutators and Input Generators

The inputs for a fuzz target are generated via random mutations of a :ref:`corpus <libfuzzer-corpus>`. There are a few options for the kinds of mutations that a fuzzer in LLVM might want.

Generic Random Fuzzing

The most basic form of input mutation is to use the built in mutators of LibFuzzer. These simply treat the input corpus as a bag of bits and make random mutations. This type of fuzzer is good for stressing the surface layers of a program, and is good at testing things like lexers, parsers, or binary protocols.

Some of the in-tree fuzzers that use this type of mutator are clang-fuzzer, clang-format-fuzzer, llvm-as-fuzzer, llvm-dwarfdump-fuzzer, llvm-mc-assemble-fuzzer, and llvm-mc-disassemble-fuzzer.

Structured Fuzzing using libprotobuf-mutator

We can use libprotobuf-mutator in order to perform structured fuzzing and stress deeper layers of programs. This works by defining a protobuf class that translates arbitrary data into structurally interesting input. Specifically, we use this to work with a subset of the C++ language and perform mutations that produce valid C++ programs in order to exercise parts of clang that are more interesting than parser error handling.

To build this kind of fuzzer you need protobuf and its dependencies installed, and you need to specify some extra flags when configuring the build with :doc:`CMake <CMake>`. For example, clang-proto-fuzzer can be enabled by adding -DCLANG_ENABLE_PROTO_FUZZER=ON to the flags described in :ref:`building-fuzzers`.

The only in-tree fuzzer that uses libprotobuf-mutator today is clang-proto-fuzzer.

Structured Fuzzing of LLVM IR

We also use a more direct form of structured fuzzing for fuzzers that take :doc:`LLVM IR <LangRef>` as input. This is achieved through the FuzzMutate library, which was discussed at EuroLLVM 2017.

The FuzzMutate library is used to structurally fuzz backends in llvm-isel-fuzzer.

Building and Running

Configuring LLVM to Build Fuzzers

Fuzzers will be built and linked to libFuzzer by default as long as you build LLVM with sanitizer coverage enabled. You would typically also enable at least one sanitizer to find bugs faster. The most common way to build the fuzzers is by adding the following two flags to your CMake invocation: -DLLVM_USE_SANITIZER=Address -DLLVM_USE_SANITIZE_COVERAGE=On.

Note

If you have compiler-rt checked out in an LLVM tree when building with sanitizers, you'll want to specify -DLLVM_BUILD_RUNTIME=Off to avoid building the sanitizers themselves with sanitizers enabled.

Note

You may run into issues if you build with BFD ld, which is the default linker on many unix systems. These issues are being tracked in https://llvm.org/PR34636.

Continuously Running and Finding Bugs

There used to be a public buildbot running LLVM fuzzers continuously, and while this did find issues, it didn't have a very good way to report problems in an actionable way. Because of this, we're moving towards using OSS Fuzz more instead.

You can browse the LLVM project issue list for the bugs found by LLVM on OSS Fuzz. These are also mailed to the llvm-bugs mailing list.

Utilities for Writing Fuzzers

There are some utilities available for writing fuzzers in LLVM.

Some helpers for handling the command line interface are available in include/llvm/FuzzMutate/FuzzerCLI.h, including functions to parse command line options in a consistent way and to implement standalone main functions so your fuzzer can be built and tested when not built against libFuzzer.

There is also some handling of the CMake config for fuzzers, where you should use the add_llvm_fuzzer to set up fuzzer targets. This function works similarly to functions such as add_llvm_tool, but they take care of linking to LibFuzzer when appropriate and can be passed the DUMMY_MAIN argument to enable standalone testing.