High-Throughput, Formal-Methods-Assisted Fuzzing for LLVM

2024 IEEE/ACM International Symposium on Code Generation and Optimization (CGO) Pub Date : 2024-03-02 DOI:10.1109/CGO57630.2024.10444854

Yuyou Fan, John Regehr

{"title":"High-Throughput, Formal-Methods-Assisted Fuzzing for LLVM","authors":"Yuyou Fan, John Regehr","doi":"10.1109/CGO57630.2024.10444854","DOIUrl":null,"url":null,"abstract":"It is very difficult to thoroughly test a compiler, and as a consequence it is common for released versions of production compilers to contain bugs that cause them to crash and to emit incorrect object code. We created alive-mutate, a mutation-based fuzzing tool that takes test cases written by humans and randomly modifies them, based on the hypothesis that while compiler developers are fundamentally good at writing tests, they also tend to miss corner cases. Alive-mutate is integrated with the Alive2 translation validation tool for LLVM, which is useful because it checks the behavior of optimizations for all possible values of input variables. Alive-mutate is also integrated with the LLVM middle-end, allowing it to perform mutations, optimizations, and formal verification of the optimizations all within a single program—avoiding numerous sources of overhead. Alive-mutate's fuzzing throughput is 12x higher, on average, than a fuzzing workflow that runs mutation, optimization, and formal verification in separate processes. So far we have used alive-mutate to find and report 33 previously unknown bugs in LLVM.","PeriodicalId":517814,"journal":{"name":"2024 IEEE/ACM International Symposium on Code Generation and Optimization (CGO)","volume":"42 9","pages":"349-358"},"PeriodicalIF":0.0000,"publicationDate":"2024-03-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2024 IEEE/ACM International Symposium on Code Generation and Optimization (CGO)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CGO57630.2024.10444854","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

It is very difficult to thoroughly test a compiler, and as a consequence it is common for released versions of production compilers to contain bugs that cause them to crash and to emit incorrect object code. We created alive-mutate, a mutation-based fuzzing tool that takes test cases written by humans and randomly modifies them, based on the hypothesis that while compiler developers are fundamentally good at writing tests, they also tend to miss corner cases. Alive-mutate is integrated with the Alive2 translation validation tool for LLVM, which is useful because it checks the behavior of optimizations for all possible values of input variables. Alive-mutate is also integrated with the LLVM middle-end, allowing it to perform mutations, optimizations, and formal verification of the optimizations all within a single program—avoiding numerous sources of overhead. Alive-mutate's fuzzing throughput is 12x higher, on average, than a fuzzing workflow that runs mutation, optimization, and formal verification in separate processes. So far we have used alive-mutate to find and report 33 previously unknown bugs in LLVM.

查看原文本刊更多论文

针对 LLVM 的高吞吐量、形式化方法辅助模糊测试

对编译器进行彻底测试是非常困难的，因此，已发布的编译器版本中经常会出现导致编译器崩溃和生成错误目标代码的错误。我们创建了 alive-mutate，这是一款基于突变的模糊测试工具，它能接收人类编写的测试用例并对其进行随机修改。Alive-mutate 与用于 LLVM 的 Alive2 翻译验证工具集成在一起，该工具非常有用，因为它可以检查输入变量所有可能值的优化行为。Alive-mutate 还与 LLVM 中端集成，允许在单个程序中执行突变、优化和优化的形式验证，避免了大量开销。与在独立进程中运行突变、优化和形式验证的模糊工作流程相比，Alive-mutate 的模糊吞吐量平均高出 12 倍。到目前为止，我们已经利用 alive-mutate 在 LLVM 中发现并报告了 33 个以前未知的错误。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2024 IEEE/ACM International Symposium on Code Generation and Optimization (CGO)

自引率

0.00%

发文量