2017 LLVM Developers' Meeting - Bay Area

Fuzzing is an effective way of finding compiler bugs. Generation-based fuzzers (e.g. Csmith) can create valid C/C++ inputs and stress deep corners of a compiler, but such tools require huge effort and ingenuity to implement for every small subset of the input language. Coverage-guided fuzzing engines (e.g. AFL or libFuzzer) can find bugs with much less effort, but, when applied to compilers, they typically ‘scratch the surface’, i.e. find bugs in the shallow layers of the compiler (lexer, parser). The obvious next step is to combine the semantics-awareness of generation-based fuzzers with the power and simplicity of coverage-guided mutation.

Protocol buffers are a widely used mechanism for describing and serializing structured data.
Libprotobuf-mutator is a library that applies random mutations to protocol buffers. LLVM’s libFuzzer is a general purpose fuzzing engine that can use libprotobuf-mutator as an external mutator. The idea of a structure-aware fuzzer for a C++ compiler is to loosely describe a subset of C++ as a protocol buffer and implement a protobuf-to-C++ converter. Then libFuzzer and llibprotobuf-mutator will generate a diverse corpus of valid C++ programs.

We will demonstrate the initial version of such ‘structure-aware’ fuzzer for Clang/LLVM, discuss the bugs it has already uncovered, propose more ways to fuzz LLVM, and speculate about fuzzer-driven development.