Coverage Feedback for Custom Mutators

chibin zhang

Mar 30, 2021, 10:32:10 AM
to libfuzzer

Hi LibFuzzer Developers,
I'm a junior student from ShanghaiTech University planning to participate in GSoC21, in particular in the idea on fuzzing LLVM IR passes. The current LLVM fuzzing implementation uses `LLVMFuzzerCustomMutator` for structural mutation (mainly instruction insertion & deletion). I'm trying to add some more mutations like function & basic block insertion or deletion.
Since it is a **set** of mutations instead of just one, the scheduler might want to favor certain mutations over others because one may yield more coverage. I wonder if it is possible to get coverage feedback when implementing a custom mutator (or ways to add multiple mutators)? And how does libFuzzer schedule mutations when using the custom mutator?

```
if (EF->LLVMFuzzerCustomMutator)
  Mutators.push_back({&MutationDispatcher::Mutate_Custom, "Custom"});
else
  Mutators = DefaultMutators;

if (EF->LLVMFuzzerCustomCrossOver)
  Mutators.push_back(
      {&MutationDispatcher::Mutate_CustomCrossOver, "CustomCrossOver"});
```
A peek into the constructor of `MutationDispatcher` in `FuzzerMutate.cpp` seems to suggest that when the custom mutator is used, generic mutators like bit flip and byte flip are disabled... Not sure this is the case...
Any suggestions or advice on how to fuzz LLVM IR passes are also welcome! :)

Regards,
Chibin Zhang
2020.3.30

Konstantin Serebryany

Apr 7, 2021, 4:46:42 PM
to chibin zhang, libfuzzer
Hi Chibin, 
If you are using a custom mutator, all the logic is implemented there, libFuzzer doesn't manage the mutations any more. 
(libFuzzer's byte-array mutators can be called from the custom mutator if you need to mutate raw data)

I don't think you can use the coverage feedback in the custom mutator in a meaningful way. (with the current implementation)


--kcc 
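
Added example, not part of the thread and not libFuzzer or LLVM code: a custom mutator that schedules its own set of mutations with a fixed bias and delegates to `LLVMFuzzerMutate` for raw bytes, as the reply above describes. The line-based `InsertUnit`/`DeleteUnit`, the 3:1:2 weights and the `WITH_LIBFUZZER` macro are assumptions for illustration; a real IR mutator would edit instructions or basic blocks, and the fuzz target itself is built separately.

```cpp
// Added example (not libFuzzer or LLVM code): the custom mutator owns scheduling.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <random>

using RawMutateFn = size_t (*)(uint8_t *, size_t, size_t);
enum Strategy { kInsert, kDelete, kRaw };

// Length of the first '\n'-terminated unit (hypothetical stand-in for an
// instruction or basic block in a real IR mutator).
static size_t FirstUnitLen(const uint8_t *Data, size_t Size) {
  const void *NL = std::memchr(Data, '\n', Size);
  return NL ? static_cast<const uint8_t *>(NL) - Data + 1 : Size;
}
// Insertion: duplicate the first unit, unless that would exceed MaxSize.
size_t InsertUnit(uint8_t *Data, size_t Size, size_t MaxSize) {
  size_t Len = FirstUnitLen(Data, Size);
  if (Len == 0 || Size + Len > MaxSize) return Size;
  std::memmove(Data + Len, Data, Size);
  return Size + Len;
}
// Deletion: drop the first unit, but never empty the input.
size_t DeleteUnit(uint8_t *Data, size_t Size) {
  size_t Len = FirstUnitLen(Data, Size);
  if (Len >= Size) return Size;
  std::memmove(Data, Data + Len, Size - Len);
  return Size - Len;
}
// Fixed 3:1:2 bias chosen by the author; no coverage signal reaches this code.
// Deriving the choice from Seed keeps every run reproducible.
Strategy PickStrategy(unsigned Seed) {
  unsigned R = std::minstd_rand(Seed)() % 6;
  return R < 3 ? kInsert : R < 4 ? kDelete : kRaw;
}
size_t ScheduleAndMutate(uint8_t *Data, size_t Size, size_t MaxSize,
                         unsigned Seed, RawMutateFn Raw) {
  switch (PickStrategy(Seed)) {
  case kInsert: return InsertUnit(Data, Size, MaxSize);
  case kDelete: return DeleteUnit(Data, Size);
  default:      return Raw(Data, Size, MaxSize);  // byte-level mutation
  }
}
#ifdef WITH_LIBFUZZER  // e.g. clang++ -fsanitize=fuzzer -DWITH_LIBFUZZER ...
extern "C" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
                                          size_t MaxSize, unsigned int Seed) {
  return ScheduleAndMutate(Data, Size, MaxSize, Seed, LLVMFuzzerMutate);
}
#endif
```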


chibin zhang

Apr 8, 2021, 12:27:42 PM
to libfuzzer
Okay, I see👌

Chibin Zhang