fuzz test the compiler #1125

Closed
chriseth opened this issue Sep 30, 2016 · 7 comments
@chriseth
Contributor

Set up a server to continuously fuzz test the compiler with the goal to find crashes.

There are two kinds of crashes:

  1. Actual crashes (segmentation fault and others)
  2. Internal compiler errors

For the second kind, it is hard to find "unanticipated" crashes because some internal compiler errors correctly signal non-implemented features. We might split this exception class into two different classes in the future to be able to detect "real" errors.

@chriseth chriseth self-assigned this Sep 30, 2016
@pirapira
Member

A very similar project: CSmith.

Some months ago I was running solc under American Fuzzy Lop, but didn't find a crash back then.

@axic
Member

axic commented Sep 30, 2016

> We might split this exception class into two different classes in the future to be able to detect "real" errors.

I think this should be done in any case.

@chriseth
Contributor Author

chriseth commented Oct 5, 2016

I am using libfuzzer (from the llvm project) manually now and it detects quite a lot of crashes. The problem is that it exits on the first crash; not sure if that is the intended use.

@pirapira
Member

pirapira commented Oct 5, 2016

Yes that is the intended use.

@holiman
Contributor

holiman commented Oct 19, 2016

I am running an AFL-fuzz now, found it pretty straight-forward to set up.

Build and install AFL:

```sh
[~/tools/afl/afl-2.35b]
#make
[~/tools/afl/afl-2.35b]
#sudo make install
```

Instrument the solidity source:

```sh
[~/workspace/solidity/build]
#cmake -DCMAKE_CXX_COMPILER=afl-g++ -DCMAKE_C_COMPILER=afl-gcc .. && make
```

Create a sample input file and an output directory, then do fuzzing:

```sh
#afl-fuzz -i /home/martin/workspace/solidity/testcases/input -o /home/martin/workspace/solidity/testcases/output /home/martin/workspace/solidity/build/solc/solc
```

It's running, no crashes yet.
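The opening post distinguishes two classes of finding (real crashes versus internal compiler errors), and an afl-fuzz run like the one above only records inputs that killed the target with a signal. The script below is an added example, not code from the solidity repository or from anyone in this thread: it re-runs every file afl saved and sorts the results into those two classes plus ordinary rejections, hangs and clean compiles. It assumes the compiler is invoked as `<command...> <file>`, that an internal compiler error is recognisable by the string `InternalCompilerError` on stderr, and that afl's `crashes/` directory holds one input per file plus its own `README.txt`. A tiny constructed shell stand-in replaces solc so the example runs offline.

```python
"""Triage afl-fuzz findings into the crash classes from this issue.

Added example, not code from the solidity repository. Assumptions:
the compiler is driven as ``<cmd...> <file>``, an internal compiler
error is recognisable by the string "InternalCompilerError" on stderr,
and afl's crashes/ directory holds one input per file plus a README.txt.
"""
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Sequence

ICE_MARKER = "InternalCompilerError"  # assumption: marker solc prints for class 2


def classify(returncode: int, stderr: str) -> str:
    """Map one compiler run to a bucket.

    crash  : killed by a signal (SIGSEGV, SIGABRT, ...); POSIX returncode < 0
    ice    : exited by itself but reported an internal compiler error
    reject : ordinary compile error, the expected outcome for mutated input
    ok     : compiled cleanly
    """
    if returncode < 0:
        return "crash"
    if ICE_MARKER in stderr:
        return "ice"
    if returncode != 0:
        return "reject"
    return "ok"


def run_one(compiler: Sequence[str], source: Path, timeout: float = 10.0) -> str:
    """Run the compiler on one input and classify the outcome ('hang' on timeout)."""
    try:
        proc = subprocess.run(list(compiler) + [str(source)],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    return classify(proc.returncode, proc.stderr)


def triage(compiler: Sequence[str], crash_dir: Path) -> Dict[str, List[str]]:
    """Re-run every file in an afl crashes/ directory and bucket the results."""
    buckets: Dict[str, List[str]] = {k: [] for k in ("crash", "ice", "reject", "ok", "hang")}
    for path in sorted(Path(crash_dir).iterdir()):
        if not path.is_file() or path.name == "README.txt":  # afl's own note, not an input
            continue
        buckets[run_one(compiler, path)].append(path.name)
    return buckets


# Constructed stand-in for solc so the example runs offline: behaviour is keyed
# on a comment in the input's first line.
MOCK_COMPILER = """#!/bin/sh
case "$(head -n 1 "$1")" in
  *segv*) kill -SEGV "$$" ;;
  *ice*)  echo "InternalCompilerError: Unimplemented feature" >&2; exit 1 ;;
  *bad*)  echo "Error: Expected identifier" >&2; exit 1 ;;
  *)      exit 0 ;;
esac
"""


def demo() -> Dict[str, List[str]]:
    """Build a fake crashes/ directory and triage it with the mock compiler."""
    tmp = Path(tempfile.mkdtemp())
    mock = tmp / "fake-solc.sh"
    mock.write_text(MOCK_COMPILER)
    crashes = tmp / "crashes"
    crashes.mkdir()
    (crashes / "README.txt").write_text("written by afl-fuzz\n")
    (crashes / "id:000000").write_text("// segv\ncontract C {}\n")   # class 1
    (crashes / "id:000001").write_text("// ice\ncontract C {}\n")    # class 2
    (crashes / "id:000002").write_text("// bad\ncontract {\n")       # plain rejection
    (crashes / "id:000003").write_text("// fine\ncontract C {}\n")   # not a finding
    return triage(["/bin/sh", str(mock)], crashes)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Against a real build, call `triage(["/path/to/solc"], Path("testcases/output/crashes"))`; the `reject` bucket is where most mutated inputs end up and is not worth reporting, while `ice` only becomes meaningful once the compiler separates "unimplemented feature" from genuine internal errors.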

@chriseth
Contributor Author

@holiman we want to detect not only segmentation faults but also InternalCompilerErrors. The problem with the latter is that this is still blocked by #1133.

Furthermore, if you want to get better example input, you can use https://github.com/ethereum/solidity/blob/develop/scripts/isolateTests.py to extract the end-to-end test cases from the .cpp file.
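Seeding the fuzzer with real contracts rather than a hand-written sample is the point of the suggestion above. The script below is an added example and is not the repository's `scripts/isolateTests.py`; it assumes each end-to-end test embeds its contract as a C++ raw string literal, `R"( ... )"` or `R"delim( ... )delim"`, extracts every such literal, dedents it, and writes the distinct ones as `.sol` seed files. The `SAMPLE_CPP` input is constructed for the example.

```python
"""Pull Solidity sources out of a C++ test file to seed a fuzzer.

Added example, not the repository's scripts/isolateTests.py. Assumption:
each test embeds its contract as a C++ raw string literal, R"( ... )" or
R"delim( ... )delim".
"""
import re
import tempfile
import textwrap
from pathlib import Path
from typing import List

# Raw string literal: the optional delimiter (group 1) must reappear at the close,
# so a body containing )" is handled correctly when the test used a delimiter.
RAW_STRING = re.compile(r'R"([^\s()\\"]{0,16})\((.*?)\)\1"', re.DOTALL)


def extract_sources(cpp_text: str) -> List[str]:
    """Return the bodies of all raw string literals, dedented and trimmed."""
    return [textwrap.dedent(body).strip() for _delim, body in RAW_STRING.findall(cpp_text)]


def write_seeds(cpp_text: str, outdir: Path) -> List[Path]:
    """Write one .sol per distinct extracted source; return the paths written."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    seen = set()
    for src in extract_sources(cpp_text):
        if not src or src in seen:  # empty or duplicate seeds add nothing to the corpus
            continue
        seen.add(src)
        path = outdir / f"seed_{len(written):04d}.sol"
        path.write_text(src + "\n")
        written.append(path)
    return written


# Constructed stand-in for a few end-to-end test cases.
SAMPLE_CPP = r'''
BOOST_AUTO_TEST_CASE(smoke_test)
{
    char const* sourceCode = R"(
        contract test {
            function f(uint a) returns(uint d) { return a * 7; }
        }
    )";
    compileAndRun(sourceCode);
}
BOOST_AUTO_TEST_CASE(delimited_literal)
{
    char const* sourceCode = R"xx(
        contract C { string s = ")"; }
    )xx";
    compileAndRun(sourceCode);
}
BOOST_AUTO_TEST_CASE(duplicate_of_smoke_test)
{
    char const* sourceCode = R"(
        contract test {
            function f(uint a) returns(uint d) { return a * 7; }
        }
    )";
    compileAndRun(sourceCode);
}
'''


def demo() -> List[str]:
    """Extract seeds from SAMPLE_CPP into a temp dir; return the file contents."""
    paths = write_seeds(SAMPLE_CPP, Path(tempfile.mkdtemp()))
    return [p.read_text() for p in paths]


if __name__ == "__main__":
    for seed in demo():
        print(seed)
```

For the real file, read `test/libsolidity/SolidityEndToEndTest.cpp` and point `write_seeds` at the afl input directory; afl rewards a corpus of small, distinct inputs, which is why duplicates are dropped rather than written twice.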

@chriseth
Contributor Author

chriseth commented Mar 3, 2017

Closing this as we have the necessary infrastructure in place now.
