r339933 - Update README and Dockerfile to include llvm-proto-fuzzer
Author: emmettneyman Date: Thu Aug 16 13:13:40 2018 New Revision: 339933 URL: http://llvm.org/viewvc/llvm-project?rev=339933&view=rev Log: Update README and Dockerfile to include llvm-proto-fuzzer Summary: Added commands to Dockerfile to build llvm-proto-fuzzer and the other related tools. Also added a section to the bottom of the README describing what llvm-proto-fuzzer does and how to run it. Reviewers: morehouse, kcc Reviewed By: morehouse Subscribers: cfe-commits, llvm-commits Differential Revision: https://reviews.llvm.org/D50829 Modified: cfe/trunk/tools/clang-fuzzer/Dockerfile cfe/trunk/tools/clang-fuzzer/README.txt Modified: cfe/trunk/tools/clang-fuzzer/Dockerfile URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/Dockerfile?rev=339933&r1=339932&r2=339933&view=diff == --- cfe/trunk/tools/clang-fuzzer/Dockerfile (original) +++ cfe/trunk/tools/clang-fuzzer/Dockerfile Thu Aug 16 13:13:40 2018 @@ -35,3 +35,7 @@ RUN mkdir build1 && cd build1 && cmake - RUN cd build1 && ninja clang-fuzzer RUN cd build1 && ninja clang-proto-fuzzer RUN cd build1 && ninja clang-proto-to-cxx +RUN cd build1 && ninja clang-loop-proto-to-cxx +RUN cd build1 && ninja clang-loop-proto-to-llvm +RUN cd build1 && ninja clang-loop-proto-fuzzer +RUN cd build1 && ninja clang-llvm-proto-fuzzer Modified: cfe/trunk/tools/clang-fuzzer/README.txt URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/README.txt?rev=339933&r1=339932&r2=339933&view=diff == --- cfe/trunk/tools/clang-fuzzer/README.txt (original) +++ cfe/trunk/tools/clang-fuzzer/README.txt Thu Aug 16 13:13:40 2018 
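Review bot: Each of the four new `RUN cd build1 && ninja ...` lines creates its own image layer and re-enters the build directory; a single `RUN cd build1 && ninja clang-loop-proto-to-cxx clang-loop-proto-to-llvm clang-loop-proto-fuzzer clang-llvm-proto-fuzzer` builds the same targets in one layer and lets ninja share work between them, matching how the README hunk below invokes ninja with several targets at once.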
@@ -80,3 +80,37 @@ custom optimization level and target tri To translate a clang-proto-fuzzer corpus output to C++: bin/clang-proto-to-cxx CORPUS_OUTPUT_FILE + +=== + llvm-proto-fuzzer +=== +Like, clang-proto-fuzzer, llvm-proto-fuzzer is also a protobuf-mutator based +fuzzer. It receives as input a cxx_loop_proto which it then converts into a +string of valid LLVM IR: a function with either a single loop or two nested +loops. It then creates a new string of IR by running optimization passes over +the original IR. Currently, it only runs a loop-vectorize pass but more passes +can easily be added to the fuzzer. Once there are two versions of the input +function (optimized and not), llvm-proto-fuzzer uses LLVM's JIT Engine to +compile both functions. Lastly, it runs both functions on a suite of inputs and +checks that both functions behave the same on all inputs. In this way, +llvm-proto-fuzzer can find not only compiler crashes, but also miscompiles +originating from LLVM's optimization passes. + +llvm-proto-fuzzer is built very similarly to clang-proto-fuzzer. You can run the +fuzzer with the following command: + bin/clang-llvm-proto-fuzzer CORPUS_DIR + +To translate a cxx_loop_proto file into LLVM IR do: + bin/clang-loop-proto-to-llvm CORPUS_OUTPUT_FILE +To translate a cxx_loop_proto file into C++ do: + bin/clang-loop-proto-to-cxx CORPUS_OUTPUT_FILE + +Note: To get a higher number of executions per second with llvm-proto-fuzzer it +helps to build it without ASan instrumentation and with the -O2 flag. Because +the fuzzer is not only compiling code, but also running it, as the inputs get +large, the time necessary to fuzz one input can get very high. +Example: + cmake .. 
-GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ \ +-DCLANG_ENABLE_PROTO_FUZZER=ON -DLLVM_USE_SANITIZE_COVERAGE=YES \ +-DCMAKE_CXX_FLAGS="-O2" + ninja clang-llvm-proto-fuzzer clang-loop-proto-to-llvm ___ cfe-commits mailing list cfe-commits@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
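Review bot: The note recommending a build without ASan instrumentation should spell out the trade-off: the fuzzer JIT-compiles and executes the generated function in-process, so without ASan an out-of-bounds store in a mutated loop body silently corrupts the fuzzer's own memory instead of being reported, and the optimized/unoptimized comparison can then miss or misattribute a miscompile. Suggest keeping an ASan build for crash-finding and using the -O2 non-ASan configuration only for the miscompile hunt. Minor: "Like, clang-proto-fuzzer," has a stray comma after "Like".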
r339832 - Implementation of nested loops in cxx_loop_proto
Author: emmettneyman Date: Wed Aug 15 16:05:48 2018 New Revision: 339832 URL: http://llvm.org/viewvc/llvm-project?rev=339832&view=rev Log: Implementation of nested loops in cxx_loop_proto Summary: Extended `cxx_loop_proto` to have nested for loops. Modified `loop_proto_to_llvm` and `loop_proto_to_cxx` to handle the new protos. All protos have a set of statements designated as "inner loop" statements and a set of statements designated as "outer loop" statements. Reviewers: morehouse, kcc Reviewed By: morehouse Subscribers: cfe-commits, llvm-commits Differential Revision: https://reviews.llvm.org/D50670 Modified: cfe/trunk/tools/clang-fuzzer/cxx_loop_proto.proto cfe/trunk/tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp Modified: cfe/trunk/tools/clang-fuzzer/cxx_loop_proto.proto URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/cxx_loop_proto.proto?rev=339832&r1=339831&r2=339832&view=diff == --- cfe/trunk/tools/clang-fuzzer/cxx_loop_proto.proto (original) +++ cfe/trunk/tools/clang-fuzzer/cxx_loop_proto.proto Wed Aug 15 16:05:48 2018 @@ -9,10 +9,11 @@ /// /// \file /// This file describes a subset of C++ as a protobuf. It is used to -/// more easily find interesting inputs for fuzzing Clang. This subset -/// differs from the one defined in cxx_proto.proto by eliminating while -/// loops and conditionals. The goal is that the C++ code generated will be -/// more likely to stress the LLVM loop vectorizer. +/// more easily find interesting inputs for fuzzing LLVM's vectorizer. +/// This subset differs from the one defined in cxx_proto.proto by eliminating +/// while loops and conditionals. The goal is that the C++ code generated will +/// be more likely to stress the LLVM loop vectorizer. The code generated will +/// contain either a single loop or two nested loops. /// //===--===// 
@@ -74,7 +75,8 @@ message StatementSeq { } message LoopFunction { - required StatementSeq statements = 1; + optional StatementSeq inner_statements = 1; + required StatementSeq outer_statements = 2; } package clang_fuzzer; Modified: cfe/trunk/tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp?rev=339832&r1=339831&r2=339832&view=diff == --- cfe/trunk/tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp (original) +++ cfe/trunk/tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp Wed Aug 15 16:05:48 2018 @@ -8,10 +8,10 @@ //===--===// // // Implements functions for converting between protobufs and C++. Differs from -// proto_to_cxx.cpp by wrapping all the generated C++ code in a single for -// loop. Also coutputs a different function signature that includes a -// size_t parameter for the loop to use. The C++ code generated is meant to -// stress the LLVM loop vectorizer. +// proto_to_cxx.cpp by wrapping all the generated C++ code in either a single +// for loop or two nested loops. Also outputs a different function signature +// that includes a size_t parameter for the loop to use. The C++ code generated +// is meant to stress the LLVM loop vectorizer. // // Still a work in progress. // @@ -28,6 +28,17 @@ namespace clang_fuzzer { +static bool inner_loop = false; +class InnerLoop { + public: + InnerLoop() { +inner_loop = true; + } + ~InnerLoop() { +inner_loop = false; + } +}; + // Forward decls. std::ostream &operator<<(std::ostream &os, const BinaryOp &x); std::ostream &operator<<(std::ostream &os, const StatementSeq &x); 
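Review bot: Renumbering the `LoopFunction` fields changes what field 1 means: it was `statements` and is now the optional `inner_statements`, while the required body moves to `outer_statements = 2`. Any corpus serialized with the old schema is therefore read with its whole body as inner statements and no `outer_statements`, so old entries no longer mean what they did. Keeping `statements = 1` as the outer sequence and adding `inner_statements = 2` preserves existing corpora; otherwise the commit message should say that old corpora must be regenerated.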
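Review bot: `InnerLoop`'s destructor resets the file-static `inner_loop` flag to `false` unconditionally rather than restoring the value it found, so the guard is only correct if it is never nested and only one `LoopFunction` is printed at a time; mutable global state like this also makes every `operator<<` in the file non-reentrant. Suggest saving the previous value in the constructor and restoring it in the destructor, or passing the loop context to the printers explicitly.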
@@ -37,13 +48,14 @@ std::ostream &operator<<(std::ostream &o return os << "(" << x.val() << ")"; } std::ostream &operator<<(std::ostream &os, const VarRef &x) { + std::string which_loop = inner_loop ? "j" : "i"; switch (x.arr()) { case VarRef::ARR_A: - return os << "a[i]"; + return os << "a[" << which_loop << "]"; case VarRef::ARR_B: - return os << "b[i]"; + return os << "b[" << which_loop << "]"; case VarRef::ARR_C: - return os << "c[i]"; + return os << "c[" << which_loop << "]"; } } std::ostream &operator<<(std::ostream &os, const Rvalue &x) { @@ -108,10 +120,27 @@ std::ostream &operator<<(std::ostream &o os << st; return os; } +void NestedLoopToString(std::ostream &os, const LoopFunction &x) { + os << "void foo(int *a, int *b, int *__restrict__ c, size_t s) {\n" + << "for (int i=0; ihttp://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp?rev=339832&r1=339831&r2=339832&view=diff =
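Review bot: In the `VarRef` printer the index name is derived from the global `inner_loop` flag on every operand, so whether `a[i]` or `a[j]` is emitted depends entirely on an `InnerLoop` guard being alive somewhere up the call stack; `which_loop` is also a heap-allocating `std::string` where a `const char *` would do. The surrounding `switch` still has no `default` and nothing is returned after it, so an unexpected enum value falls off the end of a non-void function (undefined behaviour, and -Wreturn-type warns); returning after the switch or adding a `default` with `llvm_unreachable` would close that.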
r339392 - Added LLVM metadata to generated IR to increase vectorization width
Author: emmettneyman Date: Thu Aug 9 14:59:01 2018 New Revision: 339392 URL: http://llvm.org/viewvc/llvm-project?rev=339392&view=rev Log: Added LLVM metadata to generated IR to increase vectorization width Summary: Edited `loop_proto_to_llvm` to emit metadata at the end of the generated IR. This metadata will increase the vector width when the IR is optimized. Reviewers: morehouse, kcc Reviewed By: morehouse Subscribers: cfe-commits, llvm-commits Differential Revision: https://reviews.llvm.org/D50530 Modified: cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp Modified: cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp?rev=339392&r1=339391&r2=339392&view=diff == --- cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp (original) +++ cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp Thu Aug 9 14:59:01 2018 @@ -15,6 +15,7 @@ #include "loop_proto_to_llvm.h" #include "cxx_loop_proto.pb.h" +#include "../handle-llvm/input_arrays.h" // The following is needed to convert protos in human-readable form #include @@ -135,7 +136,11 @@ std::ostream &operator<<(std::ostream &o << x.statements() << "%ctnew = add i64 %ct, 1\n" << "%j = icmp eq i64 %ctnew, %s\n" -<< "br i1 %j, label %end, label %loop\n}\n"; +<< "br i1 %j, label %end, label %loop, !llvm.loop !0\n}\n" +<< "!0 = distinct !{!0, !1, !2}\n" +<< "!1 = !{!\"llvm.loop.vectorize.enable\", i1 true}\n" +<< "!2 = !{!\"llvm.loop.vectorize.width\", i32 " << kArraySize +<< "}\n"; } // -
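Review bot: `llvm.loop.vectorize.width` is set to `kArraySize`, but the loop vectorizer only honours this hint when the value is a power of two and no larger than its maximum vector width; any other value is dropped, so depending on what `input_arrays.h` defines the metadata may quietly do nothing. A fixed power-of-two width, or a `static_assert` on `kArraySize`, would make the intent explicit and checkable. Also, `#include "../handle-llvm/input_arrays.h"` reaches into a sibling library directory; exposing `kArraySize` through a shared header or a parameter to the printer avoids the relative path.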
r339305 - Added another optimization pass to make vectorizing possible
Author: emmettneyman Date: Wed Aug 8 17:58:23 2018 New Revision: 339305 URL: http://llvm.org/viewvc/llvm-project?rev=339305&view=rev Log: Added another optimization pass to make vectorizing possible Summary: I noticed that my code wasn't going deep into the loop vectorizer code so added another pass that makes it go further. Reviewers: morehouse, kcc Reviewed By: morehouse Subscribers: cfe-commits, llvm-commits Differential Revision: https://reviews.llvm.org/D50482 Modified: cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp Modified: cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp?rev=339305&r1=339304&r2=339305&view=diff == --- cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp (original) +++ cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp Wed Aug 8 17:58:23 2018 @@ -100,17 +100,29 @@ static std::string OptLLVM(const std::st if (!M || verifyModule(*M, &errs())) ErrorAndExit("Could not parse IR"); + Triple ModuleTriple(M->getTargetTriple()); + const TargetOptions Options = InitTargetOptionsFromCodeGenFlags(); + std::string E; + const Target *TheTarget = TargetRegistry::lookupTarget(MArch, ModuleTriple, E); + TargetMachine *Machine = + TheTarget->createTargetMachine(M->getTargetTriple(), getCPUStr(), + getFeaturesStr(), Options, getRelocModel(), + getCodeModel(), OLvl); + std::unique_ptr TM(Machine); setFunctionAttributes(getCPUStr(), getFeaturesStr(), *M); - + legacy::PassManager Passes; - Triple ModuleTriple(M->getTargetTriple()); Passes.add(new TargetLibraryInfoWrapperPass(ModuleTriple)); - Passes.add(createTargetTransformInfoWrapperPass(TargetIRAnalysis())); + Passes.add(createTargetTransformInfoWrapperPass(TM->getTargetIRAnalysis())); + + LLVMTargetMachine
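Review bot: `TargetRegistry::lookupTarget(MArch, ModuleTriple, E)` can return null and leave the reason in `E`, but `TheTarget->createTargetMachine(...)` is called without checking it, so an unregistered or mismatched target becomes a null dereference instead of a diagnostic; add `if (!TheTarget) ErrorAndExit(E);` before creating the machine. As written the error string `E` is never read.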
r339080 - Changed how LLVM IR was generated to increase vectorization
Author: emmettneyman Date: Mon Aug 6 16:11:38 2018 New Revision: 339080 URL: http://llvm.org/viewvc/llvm-project?rev=339080&view=rev Log: Changed how LLVM IR was generated to increase vectorization Summary: Changed the structure of the generated IR to make it easier to vectorize Reviewers: morehouse, kcc Reviewed By: morehouse Subscribers: cfe-commits, llvm-commits Differential Revision: https://reviews.llvm.org/D50342 Modified: cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp Modified: cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp?rev=339080&r1=339079&r2=339080&view=diff == --- cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp (original) +++ cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp Mon Aug 6 16:11:38 2018 @@ -53,7 +53,7 @@ std::string VarRefToString(std::ostream break; } std::string ptr_var = get_var(); - os << ptr_var << " = getelementptr i32, i32* " << arr << ", i64 %ct\n"; + os << ptr_var << " = getelementptr inbounds i32, i32* " << arr << ", i64 %ct\n"; return ptr_var; } std::string RvalueToString(std::ostream &os, const Rvalue &x) { 
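Review bot: Marking the `getelementptr` `inbounds` is fine for the indices this generator produces (`%ct` runs from 0 to `%s - 1`), but it makes any out-of-bounds index poison rather than a plainly wrapped address, and the optimized and unoptimized functions may then legitimately diverge on such an input; since the harness compares their output arrays, that divergence would be reported as a miscompile. Worth a comment here that the comparison is only meaningful while `%s` never exceeds the input array length.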
@@ -122,21 +122,20 @@ std::ostream &operator<<(std::ostream &o return os; } std::ostream &operator<<(std::ostream &os, const LoopFunction &x) { - return os << "define void @foo(i32* %a, i32* %b, i32* noalias %c, i64 %s) {\n" -<< "%i = alloca i64\n" -<< "store i64 0, i64* %i\n" -<< "br label %loop\n\n" + return os << "target triple = \"x86_64-unknown-linux-gnu\"\n" +<< "define void @foo(i32* %a, i32* %b, i32* %c, i64 %s) {\n" +<< "%1 = icmp sgt i64 %s, 0\n" +<< "br i1 %1, label %start, label %end\n" +<< "start:\n" +<< "br label %loop\n" +<< "end:\n" +<< "ret void\n" << "loop:\n" -<< "%ct = load i64, i64* %i\n" -<< "%comp = icmp eq i64 %ct, %s\n" -<< "br i1 %comp, label %endloop, label %body\n\n" -<< "body:\n" +<< " %ct = phi i64 [ %ctnew, %loop ], [ 0, %start ]\n" << x.statements() -<< "%z = add i64 1, %ct\n" -<< "store i64 %z, i64* %i\n" -<< "br label %loop\n\n" -<< "endloop:\n" -<< "ret void\n}\n"; +<< "%ctnew = add i64 %ct, 1\n" +<< "%j = icmp eq i64 %ctnew, %s\n" +<< "br i1 %j, label %end, label %loop\n}\n"; } // -
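Review bot: Two semantic changes in this hunk are not mentioned in the commit message: the `noalias` attribute on `%c` is dropped (the vectorizer now has to prove or runtime-check that `%c` does not alias `%a`/`%b`, which exercises a different code path than before), and the IR now hard-codes `target triple = "x86_64-unknown-linux-gnu"`, so the generated module will not JIT on other hosts. Suggest stating both in the message and deriving the triple from `sys::getDefaultTargetTriple()` at emission time. The phi-based counter and the `icmp sgt i64 %s, 0` guard themselves look correct.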
r338943 - LLVM Proto Fuzzer - Run Functions on Suite of Inputs
Author: emmettneyman Date: Fri Aug 3 18:18:37 2018 New Revision: 338943 URL: http://llvm.org/viewvc/llvm-project?rev=338943&view=rev Log: LLVM Proto Fuzzer - Run Functions on Suite of Inputs Summary: Added corpus of arrays to use as inputs for the functions. Check that the two functions modify the inputted arrays in the same way. Reviewers: kcc, morehouse Reviewed By: morehouse Subscribers: mgorny, cfe-commits, llvm-commits Differential Revision: https://reviews.llvm.org/D50194 Added: cfe/trunk/tools/clang-fuzzer/handle-llvm/input_arrays.h Modified: cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.h Modified: cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp?rev=338943&r1=338942&r2=338943&view=diff == --- cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp (original) +++ cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp Fri Aug 3 18:18:37 2018 @@ -15,6 +15,7 @@ //===--===// #include "handle_llvm.h" +#include "input_arrays.h" #include "llvm/ADT/Triple.h" #include "llvm/Analysis/TargetLibraryInfo.h" @@ -48,6 +49,9 @@ using namespace llvm; +// Define a type for the functions that are compiled and executed +typedef void (*LLVMFunc)(int*, int*, int*, int); + // Helper function to parse command line args and find the optimization level static void getOptLevel(const std::vector &ExtraArgs, CodeGenOpt::Level &OLvl) { @@ -68,7 +72,7 @@ static void getOptLevel(const std::vecto } } -void ErrorAndExit(std::string message) { +static void ErrorAndExit(std::string message) { errs()<< "ERROR: " << message << "\n"; std::exit(1); } 
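Review bot: `typedef void (*LLVMFunc)(int*, int*, int*, int);` declares the size parameter as `int`, but the IR emitted by `loop_proto_to_llvm.cpp` defines `@foo(i32* %a, i32* %b, i32* %c, i64 %s)`, so the JIT-compiled function reads a 64-bit `%s` from a register the caller only filled as 32 bits; the ABI does not guarantee the upper half is cleared, and a stale high word turns the loop bound into an out-of-bounds write over the harness's own memory. Make the last parameter `int64_t` (or emit the same width on both sides) so the C++ signature and the IR signature agree.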
@@ -88,7 +92,7 @@ static void AddOptimizationPasses(legacy } // Mimics the opt tool to run an optimization pass over the provided IR -std::string OptLLVM(const std::string &IR, CodeGenOpt::Level OLvl) { +static std::string OptLLVM(const std::string &IR, CodeGenOpt::Level OLvl) { // Create a module that will run the optimization passes SMDiagnostic Err; LLVMContext Context; @@ -117,11 +121,19 @@ std::string OptLLVM(const std::string &I return OS.str(); } -void CreateAndRunJITFun(const std::string &IR, CodeGenOpt::Level OLvl) { +// Takes a function and runs it on a set of inputs +// First determines whether f is the optimized or unoptimized function +static void RunFuncOnInputs(LLVMFunc f, int Arr[kNumArrays][kArraySize]) { + for (int i = 0; i < kNumArrays / 3; i++) +f(Arr[i], Arr[i + (kNumArrays / 3)], Arr[i + (2 * kNumArrays / 3)], + kArraySize); +} + +// Takes a string of IR and compiles it using LLVM's JIT Engine +static void CreateAndRunJITFunc(const std::string &IR, CodeGenOpt::Level OLvl) { SMDiagnostic Err; LLVMContext Context; - std::unique_ptr M = parseIR(MemoryBufferRef(IR, "IR"), Err, - Context); + std::unique_ptr M = parseIR(MemoryBufferRef(IR, "IR"), Err, Context); if (!M) ErrorAndExit("Could not parse IR"); @@ -161,17 +173,14 @@ void CreateAndRunJITFun(const std::strin #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wpedantic" #endif - func f = reinterpret_cast(EE->getPointerToFunction(EntryFunc)); + LLVMFunc f = reinterpret_cast(EE->getPointerToFunction(EntryFunc)); #if defined(__GNUC__) && !defined(__clang) && \ ((__GNUC__ == 4) && (__GNUC_MINOR__ < 9)) #pragma GCC diagnostic pop #endif - // Define some dummy arrays to use an input for now - int a[] = {1}; - int b[] = {1}; - int c[] = {1}; - f(a, b, c, 1); + // Figure out if we are running the optimized func or the unoptimized func + RunFuncOnInputs(f, (OLvl == CodeGenOpt::None) ? UnoptArrays : OptArrays); EE->runStaticConstructorsDestructors(true); } 
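Review bot: The comment on `RunFuncOnInputs` says it "first determines whether f is the optimized or unoptimized function", but the function does no such thing; the choice is made by the caller with `(OLvl == CodeGenOpt::None) ? UnoptArrays : OptArrays`. That inference is also fragile: if the fuzzer is run with `-O0`, `CreateAndRunJITFunc(OptIR, OLvl)` and the unoptimized run both write to `UnoptArrays`, and the later comparison compares the buffer with itself and can never fail. Pass the destination arrays (or an explicit flag) as a parameter instead of deriving them from the optimization level, and fix the comment.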
@@ -180,6 +189,10 @@ void CreateAndRunJITFun(const std::strin // Mimics the lli tool to JIT the LLVM IR code and execute it void clang_fuzzer::HandleLLVM(const std::string &IR, const std::vector &ExtraArgs) { + // Populate OptArrays and UnoptArrays with the arrays from InputArrays + memcpy(OptArrays, InputArrays, kTotalSize); + memcpy(UnoptArrays, InputArrays, kTotalSize); + // Parse ExtraArgs to set the optimization level CodeGenOpt::Level OLvl; getOptLevel(ExtraArgs, OLvl); @@ -187,8 +200,11 @@ void clang_fuzzer::HandleLLVM(const std: // First we optimize the IR by running a loop vectorizer pass std::string OptIR = OptLLVM(IR, OLvl); - CreateAndRunJITFun(OptIR, OLvl); - CreateAndRunJITFun(IR, CodeGenOpt::None); - + CreateAndRunJITFunc(OptIR, OLvl); + CreateAndRunJITFunc(IR, CodeGenOpt::None); + + if (memcmp(OptArrays, UnoptArrays, kTotalSize)) +ErrorAndExit("
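Review bot: `if (memcmp(OptArrays, UnoptArrays, kTotalSize))` reports only that the two runs diverged; for triage it helps to print which array and index first differ and the two values, since a corpus reproducer otherwise has to be re-run under a debugger. The two `memcpy` calls resetting the global arrays at the start of every input are correct, but a comment that `kTotalSize` must be the byte size of the whole `int[kNumArrays][kArraySize]` block for both the copy and the compare would prevent a silent partial comparison if the constants are ever changed independently.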
r338091 - added shared library to fix buildbot
Author: emmettneyman Date: Thu Jul 26 17:43:26 2018 New Revision: 338091 URL: http://llvm.org/viewvc/llvm-project?rev=338091&view=rev Log: added shared library to fix buildbot Summary: added shared library to fix buildbot Subscribers: mgorny, cfe-commits Differential Revision: https://reviews.llvm.org/D49895 Modified: cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt Modified: cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt?rev=338091&r1=338090&r2=338091&view=diff == --- cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt (original) +++ cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt Thu Jul 26 17:43:26 2018 @@ -1,7 +1,9 @@ set(LLVM_LINK_COMPONENTS + Analysis CodeGen Core ExecutionEngine + IPO IRReader MC MCJIT
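Review bot: The commit message and summary both just say "added shared library to fix buildbot"; please name the failure (which link step and which undefined symbols pulled in `Analysis` and `IPO`) so the next person editing `LLVM_LINK_COMPONENTS` knows why these entries are needed. Both components are required by code that landed in r338077, which removed `Analysis` from this list, so the dependency belonged in that commit.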
r338077 - Updated llvm-proto-fuzzer to execute the compiled code
Author: emmettneyman Date: Thu Jul 26 15:23:25 2018 New Revision: 338077 URL: http://llvm.org/viewvc/llvm-project?rev=338077&view=rev Log: Updated llvm-proto-fuzzer to execute the compiled code Summary: Made changes to the llvm-proto-fuzzer - Added loop vectorizer optimization pass in order to have two IR versions - Updated old fuzz target to handle two different IR versions - Wrote code to execute both versions in memory Reviewers: morehouse, kcc, alexshap Reviewed By: morehouse Subscribers: pcc, mgorny, cfe-commits, llvm-commits Differential Revision: https://reviews.llvm.org/D49526 Modified: cfe/trunk/tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp Modified: cfe/trunk/tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp?rev=338077&r1=338076&r2=338077&view=diff == --- cfe/trunk/tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp (original) +++ cfe/trunk/tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp Thu Jul 26 15:23:25 2018 @@ -16,10 +16,13 @@ #include "fuzzer_initialize.h" +#include "llvm/InitializePasses.h" +#include "llvm/PassRegistry.h" #include "llvm/Support/TargetSelect.h" #include using namespace clang_fuzzer; +using namespace llvm; namespace clang_fuzzer { 
@@ -33,10 +36,22 @@ const std::vector& GetCLAr } extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) { - llvm::InitializeAllTargets(); - llvm::InitializeAllTargetMCs(); - llvm::InitializeAllAsmPrinters(); - llvm::InitializeAllAsmParsers(); + InitializeAllTargets(); + InitializeAllTargetMCs(); + InitializeAllAsmPrinters(); + InitializeAllAsmParsers(); + + PassRegistry &Registry = *PassRegistry::getPassRegistry(); + initializeCore(Registry); + initializeScalarOpts(Registry); + initializeVectorization(Registry); + initializeIPO(Registry); + initializeAnalysis(Registry); + initializeTransformUtils(Registry); + initializeInstCombine(Registry); + initializeAggressiveInstCombine(Registry); + initializeInstrumentation(Registry); + initializeTarget(Registry); CLArgs.push_back("-O2"); for (int I = 1; I < *argc; I++) { Modified: cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt?rev=338077&r1=338076&r2=338077&view=diff == --- cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt (original) +++ cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt Thu Jul 26 15:23:25 2018 @@ -1,10 +1,18 @@ set(LLVM_LINK_COMPONENTS + CodeGen Core + ExecutionEngine IRReader MC + MCJIT + Object + RuntimeDyld + SelectionDAG Support - Analysis - ) + Target + TransformUtils + native +) # Depend on LLVM IR intrinsic generation. set(handle_llvm_deps intrinsics_gen) Modified: cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp?rev=338077&r1=338076&r2=338077&view=diff == --- cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp (original) +++ cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp Thu Jul 26 15:23:25 2018 
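Review bot: This hunk removes `Analysis` from `LLVM_LINK_COMPONENTS` while the same commit adds `#include "llvm/Analysis/TargetTransformInfo.h"` to handle_llvm.cpp and calls `initializeIPO(Registry)` in fuzzer_initialize.cpp; in a shared-library build those symbols come from the Analysis and IPO components, so this fails to link until they are listed (the follow-up r338091 re-adds both). Keep `Analysis` here and add `IPO` in the same change.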
@@ -7,8 +7,10 @@ // //===--===// // -// Implements HandleLLVM for use by the Clang fuzzers. Mimics the llc tool to -// compile an LLVM IR file to X86_64 assembly. +// Implements HandleLLVM for use by the Clang fuzzers. First runs a loop +// vectorizer optimization pass over the given IR code. Then mimics lli on both +// versions to JIT the generated code and execute it. Currently, functions are +// executed on dummy inputs. // //===--===// @@ -16,24 +18,37 @@ #include "llvm/ADT/Triple.h" #include "llvm/Analysis/TargetLibraryInfo.h" +#include "llvm/Analysis/TargetTransformInfo.h" #include "llvm/CodeGen/CommandFlags.inc" #include "llvm/CodeGen/MachineModuleInfo.h" +#include "llvm/CodeGen/TargetPassConfig.h" +#include "llvm/ExecutionEngine/JITEventListener.h" +#include "llvm/ExecutionEngine/JITSymbol.h" +#include "llvm/ExecutionEngine/MCJIT.h" +#include "llvm/ExecutionEngine/ObjectCache.h" +#include "llvm/ExecutionEngine/RTDyldMemoryManager.h" +#include "llvm/ExecutionEngine/SectionMemoryManager.h" +#include "llvm/IR/IRPrintingPasses.h" #include "llvm/IR/LegacyPassManager.h" +#include "llvm/IR/LegacyPassNameParser.h" #include "llvm/IR/LLVMContext.h" #include "llvm/IR/Module.h" #include "llvm/IR/Verifier.h" #include
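Review bot: The new header comment says "functions are executed on dummy inputs"; with dummy inputs the optimized and unoptimized runs can only surface crashes, not miscompiles, which undercuts the stated purpose of producing "two IR versions". Mark this as a TODO in the comment so readers do not assume the differential check is already meaningful here (the input corpus arrives later in r338943).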
r335374 - Implemented proto to LLVM conversion and LLVM fuzz target
Author: emmettneyman Date: Fri Jun 22 11:05:00 2018 New Revision: 335374 URL: http://llvm.org/viewvc/llvm-project?rev=335374&view=rev Log: Implemented proto to LLVM conversion and LLVM fuzz target Differential Revision: https://reviews.llvm.org/D48106 Added: cfe/trunk/tools/clang-fuzzer/ExampleClangLLVMProtoFuzzer.cpp cfe/trunk/tools/clang-fuzzer/handle-llvm/ cfe/trunk/tools/clang-fuzzer/handle-llvm/CMakeLists.txt cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.cpp cfe/trunk/tools/clang-fuzzer/handle-llvm/handle_llvm.h cfe/trunk/tools/clang-fuzzer/proto-to-llvm/ cfe/trunk/tools/clang-fuzzer/proto-to-llvm/CMakeLists.txt cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.cpp cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm.h cfe/trunk/tools/clang-fuzzer/proto-to-llvm/loop_proto_to_llvm_main.cpp Modified: cfe/trunk/tools/clang-fuzzer/CMakeLists.txt cfe/trunk/tools/clang-fuzzer/cxx_loop_proto.proto cfe/trunk/tools/clang-fuzzer/fuzzer-initialize/fuzzer_initialize.cpp cfe/trunk/tools/clang-fuzzer/handle-cxx/handle_cxx.cpp cfe/trunk/tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx.cpp cfe/trunk/tools/clang-fuzzer/proto-to-cxx/loop_proto_to_cxx_main.cpp Modified: cfe/trunk/tools/clang-fuzzer/CMakeLists.txt URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/CMakeLists.txt?rev=335374&r1=335373&r2=335374&view=diff == --- cfe/trunk/tools/clang-fuzzer/CMakeLists.txt (original) +++ cfe/trunk/tools/clang-fuzzer/CMakeLists.txt Fri Jun 22 11:05:00 2018 @@ -15,6 +15,7 @@ set(LLVM_OPTIONAL_SOURCES DummyClangFuzzer.cpp ExampleClangProtoFuzzer.cpp ExampleClangLoopProtoFuzzer.cpp + ExampleClangLLVMProtoFuzzer.cpp ) if(CLANG_ENABLE_PROTO_FUZZER) 
@@ -49,6 +50,9 @@ if(CLANG_ENABLE_PROTO_FUZZER) # Build the protobuf->C++ translation library and driver. add_clang_subdirectory(proto-to-cxx) + + # Build the protobuf->LLVM IR translation library and driver. + add_clang_subdirectory(proto-to-llvm) # Build the fuzzer initialization library. add_clang_subdirectory(fuzzer-initialize) @@ -65,29 +69,45 @@ if(CLANG_ENABLE_PROTO_FUZZER) ExampleClangLoopProtoFuzzer.cpp ) + # Build the llvm protobuf fuzzer + add_clang_executable(clang-llvm-proto-fuzzer +${DUMMY_MAIN} +ExampleClangLLVMProtoFuzzer.cpp +) + set(COMMON_PROTO_FUZZ_LIBRARIES ${ProtobufMutator_LIBRARIES} ${PROTOBUF_LIBRARIES} ${LLVM_LIB_FUZZING_ENGINE} clangFuzzerInitialize -clangHandleCXX ) target_link_libraries(clang-proto-fuzzer PRIVATE ${COMMON_PROTO_FUZZ_LIBRARIES} +clangHandleCXX clangCXXProto clangProtoToCXX ) target_link_libraries(clang-loop-proto-fuzzer PRIVATE ${COMMON_PROTO_FUZZ_LIBRARIES} +clangHandleCXX clangCXXLoopProto clangLoopProtoToCXX ) + target_link_libraries(clang-llvm-proto-fuzzer +PRIVATE +${COMMON_PROTO_FUZZ_LIBRARIES} +clangHandleLLVM +clangCXXLoopProto +clangLoopProtoToLLVM +) + endif() add_clang_subdirectory(handle-cxx) +add_clang_subdirectory(handle-llvm) add_clang_executable(clang-fuzzer EXCLUDE_FROM_ALL Added: cfe/trunk/tools/clang-fuzzer/ExampleClangLLVMProtoFuzzer.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/ExampleClangLLVMProtoFuzzer.cpp?rev=335374&view=auto == --- cfe/trunk/tools/clang-fuzzer/ExampleClangLLVMProtoFuzzer.cpp (added) +++ cfe/trunk/tools/clang-fuzzer/ExampleClangLLVMProtoFuzzer.cpp Fri Jun 22 11:05:00 2018 
@@ -0,0 +1,28 @@ +//===-- ExampleClangLLVMProtoFuzzer.cpp - Fuzz Clang --===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===--===// +/// +/// \file +/// This file implements a function that compiles a single LLVM IR string as +/// input and uses libprotobuf-mutator to find new inputs. This function is +/// then linked into the Fuzzer library. +/// +//===--===// + +#include "cxx_loop_proto.pb.h" +#include "fuzzer-initialize/fuzzer_initialize.h" +#include "handle-llvm/handle_llvm.h" +#include "proto-to-llvm/loop_proto_to_llvm.h" +#include "src/libfuzzer/libfuzzer_macro.h" + +using namespace clang_fuzzer; + +DEFINE_BINARY_PROTO_FUZZER(const LoopFunction &input) { + auto S = LoopFunctionToLLVMString(input); + HandleLLVM(S, GetCLArgs()); +} Modified: cfe/trunk/tools/clang-fuzzer/cxx_loop_proto.proto URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/cxx_loop_proto.proto?rev=335374&r1=335373&r2=335374&view=diff =
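Review bot: The file comment says this target "compiles a single LLVM IR string as input", but `DEFINE_BINARY_PROTO_FUZZER(const LoopFunction &input)` receives a `cxx_loop_proto` message and `LoopFunctionToLLVMString` produces the IR from it; say that, since it is what distinguishes this target from a plain IR fuzzer. Also document that `HandleLLVM` JIT-compiles and runs the generated function inside the fuzzer's own process, so the generator must only emit loops whose indices stay within the size argument; a mutated proto that escapes those bounds corrupts the fuzzer rather than producing a diagnosable crash.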
r335299 - Test commit, made a minor change to a comment
Author: emmettneyman Date: Thu Jun 21 15:08:20 2018 New Revision: 335299 URL: http://llvm.org/viewvc/llvm-project?rev=335299&view=rev Log: Test commit, made a minor change to a comment Modified: cfe/trunk/tools/clang-fuzzer/ExampleClangLoopProtoFuzzer.cpp Modified: cfe/trunk/tools/clang-fuzzer/ExampleClangLoopProtoFuzzer.cpp URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/clang-fuzzer/ExampleClangLoopProtoFuzzer.cpp?rev=335299&r1=335298&r2=335299&view=diff == --- cfe/trunk/tools/clang-fuzzer/ExampleClangLoopProtoFuzzer.cpp (original) +++ cfe/trunk/tools/clang-fuzzer/ExampleClangLoopProtoFuzzer.cpp Thu Jun 21 15:08:20 2018 @@ -11,7 +11,7 @@ /// This file implements a function that runs Clang on a single /// input and uses libprotobuf-mutator to find new inputs. This function is /// then linked into the Fuzzer library. This file differs from -/// ExampleClangProtoFuzzer in that it uses the new protobuf that includes +/// ExampleClangProtoFuzzer in that it uses a different protobuf that includes /// C++ code with a single for loop. /// //===--===//