Update README and Dockerfile to include llvm-proto-fuzzer

Summary: Added commands to Dockerfile to build llvm-proto-fuzzer and the other related tools. Also added a section to the bottom of the README describing what llvm-proto-fuzzer does and how to run it. Reviewers: morehouse, kcc Reviewed By: morehouse Subscribers: cfe-commits, llvm-commits Differential Revision: https://reviews.llvm.org/D50829 llvm-svn: 339933
2018-08-16 20:13:40 +00:00 · 2018-08-16 20:13:40 +00:00 · 70657f65ef
parent fa9f78553a
commit 70657f65ef
2 changed files with 38 additions and 0 deletions
--- a/clang/tools/clang-fuzzer/Dockerfile
+++ b/clang/tools/clang-fuzzer/Dockerfile
@ -35,3 +35,7 @@ RUN mkdir build1 && cd build1 && cmake -GNinja -DCMAKE_BUILD_TYPE=Release ../llv
 RUN cd build1 && ninja clang-fuzzer
 RUN cd build1 && ninja clang-proto-fuzzer
 RUN cd build1 && ninja clang-proto-to-cxx
+RUN cd build1 && ninja clang-loop-proto-to-cxx
+RUN cd build1 && ninja clang-loop-proto-to-llvm
+RUN cd build1 && ninja clang-loop-proto-fuzzer
+RUN cd build1 && ninja clang-llvm-proto-fuzzer
--- a/clang/tools/clang-fuzzer/README.txt
+++ b/clang/tools/clang-fuzzer/README.txt
@ -80,3 +80,37 @@ custom optimization level and target triple:

 To translate a clang-proto-fuzzer corpus output to C++:
  bin/clang-proto-to-cxx CORPUS_OUTPUT_FILE
+
+===================
+ llvm-proto-fuzzer
+===================
+Like, clang-proto-fuzzer, llvm-proto-fuzzer is also a protobuf-mutator based
+fuzzer. It receives as input a cxx_loop_proto which it then converts into a
+string of valid LLVM IR: a function with either a single loop or two nested
+loops. It then creates a new string of IR by running optimization passes over
+the original IR. Currently, it only runs a loop-vectorize pass but more passes
+can easily be added to the fuzzer. Once there are two versions of the input
+function (optimized and not), llvm-proto-fuzzer uses LLVM's JIT Engine to
+compile both functions. Lastly, it runs both functions on a suite of inputs and
+checks that both functions behave the same on all inputs. In this way,
+llvm-proto-fuzzer can find not only compiler crashes, but also miscompiles
+originating from LLVM's optimization passes.
+
+llvm-proto-fuzzer is built very similarly to clang-proto-fuzzer. You can run the
+fuzzer with the following command:
+  bin/clang-llvm-proto-fuzzer CORPUS_DIR
+
+To translate a cxx_loop_proto file into LLVM IR do:
+  bin/clang-loop-proto-to-llvm CORPUS_OUTPUT_FILE
+To translate a cxx_loop_proto file into C++ do:
+  bin/clang-loop-proto-to-cxx CORPUS_OUTPUT_FILE
+
+Note: To get a higher number of executions per second with llvm-proto-fuzzer it
+helps to build it without ASan instrumentation and with the -O2 flag. Because
+the fuzzer is not only compiling code, but also running it, as the inputs get
+large, the time necessary to fuzz one input can get very high.
+Example:
+  cmake .. -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ \
+    -DCLANG_ENABLE_PROTO_FUZZER=ON -DLLVM_USE_SANITIZE_COVERAGE=YES \
+    -DCMAKE_CXX_FLAGS="-O2"
+  ninja clang-llvm-proto-fuzzer clang-loop-proto-to-llvm