STIMSMITH

libFuzzer

Tool WIKI v2 · 5/29/2026

libFuzzer is the in-process, coverage-guided fuzzing engine that ships with LLVM. In the cited RISC-V instruction-set-simulator (ISS) verification work, the authors used it as the basis for their coverage-guided fuzzing approach: they built on libFuzzer, added functional-coverage tracing and ISS-specific mutation support, and evaluated the result on three publicly available RISC-V ISSs.

Overview

The cited ISS verification paper describes libFuzzer as an LLVM-based tool and uses it as the foundation for its coverage-guided fuzzing (CGF) approach.[1] libFuzzer is linked into the program under test and drives it through a single entry point that receives each generated input, so the ISS itself becomes the fuzz target.

The paper's baseline CGF is guided by a code-coverage metric (which parts of the ISS source were executed). The authors extend that baseline in two ways: a functional-coverage metric, defined in terms of the instructions executed and the operand values they saw rather than the ISS code they exercised, and an ISS-specific mutation procedure.[2]

Use in RISC-V ISS verification

In Verifying Instruction Set Simulators using Coverage-guided Fuzzing, the authors built their CGF approach on top of libFuzzer to verify an RV32IMA ISS extracted from a publicly available RISC-V Virtual Prototype; they call this simulator ISS-UT (the ISS under test). The case study checked ISS-UT against two reference ISSs: Spike, the official RISC-V ISA reference simulator, and Forvis, an ISS implemented in Haskell.[3]

To obtain branch coverage, the authors compiled ISS-UT with clang's coverage instrumentation. For functional coverage they manually inserted calls to begin-fcov-trace and end-fcov-trace into the ISS source; the paper notes that this manual step could be automated by an LLVM pass.[4]

The two trace calls bracket the ISS's execute step. Each takes the fetched instruction, the decoded operation, and a read-only snapshot of the register values. Because the call before execution sees the register file as the instruction finds it and the call after execution sees it as the instruction leaves it, source-register values are captured before execution and destination-register values after it. Immediate values need no snapshot at all, since they are encoded in the instruction word itself.[5]
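As an added illustration (not the paper's code, and not part of libFuzzer), the following C++ shows the shape of this instrumentation on a toy three-instruction RV32I interpreter. The trace calls, here the `begin` and `end` members of an `FcovTrace` object, wrap the execute step and record one bin per (opcode, funct3, class of the source register before execution, class of the destination register after execution). The instruction subset, the value classes and the bin layout are assumptions made for this example; the paper's own bin definitions are not reproduced, and the sample program at the bottom is hand-assembled for the example.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <set>
#include <tuple>

// Decoded view of one RV32I instruction word. Fields an encoding does not use
// stay zero so they do not leak into the coverage bins.
struct Decoded {
    uint32_t opcode = 0, funct3 = 0, rd = 0, rs1 = 0, rs2 = 0;
    int32_t imm = 0;
};

Decoded decode(uint32_t insn) {
    Decoded d;
    d.opcode = insn & 0x7f;
    d.rd = (insn >> 7) & 0x1f;
    if (d.opcode == 0x37) {                   // LUI (U-type): imm[31:12], no source registers
        d.imm = (int32_t)(insn & 0xfffff000u);
        return d;
    }
    d.funct3 = (insn >> 12) & 0x7;
    d.rs1 = (insn >> 15) & 0x1f;
    d.rs2 = (insn >> 20) & 0x1f;
    d.imm = (int32_t)insn >> 20;              // I-type imm[11:0], sign-extended (ignored by R-type)
    return d;
}

// Value classes keep the functional-coverage space finite. This binning is an
// assumption made for the example; the paper's own bin layout is not reproduced.
enum ValClass { ZERO, NEG, POS, ALLONES };
ValClass classify(uint32_t v) {
    if (v == 0) return ZERO;
    if (v == 0xffffffffu) return ALLONES;
    return (int32_t)v < 0 ? NEG : POS;
}

// One bin: (opcode, funct3, class of rs1 before execution, class of rd after).
using Bin = std::tuple<uint32_t, uint32_t, ValClass, ValClass>;
using Regs = std::array<uint32_t, 32>;

// Stand-in for the paper's begin-fcov-trace / end-fcov-trace calls.
struct FcovTrace {
    std::set<Bin> bins;            // distinct bins hit so far
    ValClass src_before = ZERO;
    // Before execute(): the register file still holds the source operand.
    void begin(uint32_t /*insn*/, const Decoded& d, const Regs& regs) {
        src_before = classify(regs[d.rs1]);
    }
    // After execute(): the register file now holds the destination value.
    void end(uint32_t /*insn*/, const Decoded& d, const Regs& regs) {
        bins.insert(Bin{d.opcode, d.funct3, src_before, classify(regs[d.rd])});
    }
};

struct ToyIss {
    Regs x{};                      // x0 is hardwired to zero: writes to it are dropped
    FcovTrace fcov;
    void step(uint32_t insn) {
        Decoded d = decode(insn);
        fcov.begin(insn, d, x);    // snapshot taken before the instruction executes
        switch (d.opcode) {
            case 0x37: if (d.rd) x[d.rd] = (uint32_t)d.imm; break;                              // LUI
            case 0x13: if (d.funct3 == 0 && d.rd) x[d.rd] = x[d.rs1] + (uint32_t)d.imm; break;  // ADDI
            case 0x33: if (d.funct3 == 0 && d.rd) x[d.rd] = x[d.rs1] + x[d.rs2]; break;         // ADD (funct7 ignored)
            default: break;        // everything else is a no-op in this toy
        }
        fcov.end(insn, d, x);      // destination register observed after execution
    }
};

// Execute a program of 32-bit instruction words and return the final ISS state.
ToyIss run_program(const uint32_t* prog, size_t n) {
    ToyIss iss;
    for (size_t i = 0; i < n; i++) iss.step(prog[i]);
    return iss;
}

// libFuzzer entry point (driven by libFuzzer only when built with
// -fsanitize=fuzzer): the input bytes are read as little-endian instruction words.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    ToyIss iss;
    for (size_t i = 0; i + 4 <= size; i += 4)
        iss.step((uint32_t)data[i] | ((uint32_t)data[i + 1] << 8) |
                 ((uint32_t)data[i + 2] << 16) | ((uint32_t)data[i + 3] << 24));
    return 0;
}

// Constructed sample program, hand-assembled for this example:
//   lui  x1, 0xdeadc ; addi x1, x1, -0x111   -> x1 = 0xdeadbeef
//   addi x2, x0, -1                            -> x2 = 0xffffffff
//   add  x3, x1, x2                            -> x3 = 0xdeadbeee
static const uint32_t kSampleProgram[] = {0xdeadc0b7u, 0xeef08093u, 0xfff00113u, 0x002081b3u};
static const size_t kSampleProgramLen = sizeof kSampleProgram / sizeof kSampleProgram[0];
```

Built with `clang++ -fsanitize=fuzzer`, the `LLVMFuzzerTestOneInput` entry point makes the toy ISS a libFuzzer target guided by clang's code-coverage instrumentation. The functional-coverage bins collected in `fcov` are only recorded here; they are not fed back to libFuzzer as a coverage signal, and the page does not say how the paper closed that loop.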

Mutation support in the ISS case study

The ISS-specific mutation support described in the paper is built around instruction sequences. A sequence is a list of concrete instructions in which some parameters are constrained to fixed values while the rest are randomized. The paper's example is the common idiom for loading a large constant into a register with two instructions, one for the lower half and one for the upper half (on RISC-V, an LUI followed by an ADDI): the destination register is constrained to be the same in both instructions, while the value itself is either randomized or drawn from a set of special values. Such sequences are written by a verification engineer and can be specialized for each instruction set.[6]
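As an added example (not the paper's code and not part of libFuzzer), the following C++ implements that load-immediate sequence and splices it into a fuzz input through `LLVMFuzzerCustomMutator`, the hook libFuzzer calls in place of its built-in mutators when a target defines it. The hook and its signature are libFuzzer's public interface; that the paper used this particular hook is an assumption, as are the set of special values and the rest of the names here.

```cpp
#include <cstddef>
#include <cstdint>
#include <random>

// RV32I encoders for the two instructions the sequence is built from.
uint32_t encode_lui(uint32_t rd, uint32_t imm20) {                 // U-type
    return (imm20 << 12) | (rd << 7) | 0x37u;
}
uint32_t encode_addi(uint32_t rd, uint32_t rs1, int32_t imm12) {   // I-type
    return (((uint32_t)imm12 & 0xfffu) << 20) | (rs1 << 15) | (rd << 7) | 0x13u;
}

// The sequence "li rd, value": rd is the constrained parameter (identical in both
// instructions), value is the randomized one. Adding 0x800 before taking the
// upper 20 bits compensates for ADDI sign-extending its 12-bit immediate.
struct LiSeq { uint32_t lui, addi; };
LiSeq li_sequence(uint32_t rd, uint32_t value) {
    uint32_t hi = (value + 0x800u) >> 12;
    int32_t lo = (int32_t)(value << 20) >> 20;             // sign-extend the low 12 bits
    return {encode_lui(rd, hi), encode_addi(rd, rd, lo)};
}

// Evaluate the pair the way an RV32I core would (lui, then addi on the same
// register), to confirm the split reproduces the intended value.
uint32_t simulate_li(LiSeq s) {
    return (s.lui & 0xfffff000u) + (uint32_t)((int32_t)s.addi >> 20);
}

// Corner-case values a verification engineer might pin for this sequence
// (chosen for the example, not taken from the paper).
static const uint32_t kSpecialValues[] = {0u, 1u, 0x7ffu, 0x800u, 0x7fffffffu, 0x80000000u, 0xffffffffu};
static const size_t kNumSpecial = sizeof kSpecialValues / sizeof kSpecialValues[0];

static void put_le32(uint8_t* p, uint32_t w) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(w >> (8 * i));
}
static uint32_t get_le32(const uint8_t* p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Write the sequence over two consecutive instruction words starting at
// word_index, growing the buffer (within max_size) if it is too short.
// Returns the new size, or 0 if the sequence cannot fit.
size_t splice_li_sequence(uint8_t* data, size_t size, size_t max_size,
                          size_t word_index, uint32_t rd, uint32_t value) {
    size_t need = (word_index + 2) * 4;
    if (need > max_size) return 0;
    LiSeq s = li_sequence(rd, value);
    put_le32(data + word_index * 4, s.lui);
    put_le32(data + word_index * 4 + 4, s.addi);
    return size > need ? size : need;
}

// libFuzzer calls this hook, when the target defines it, in place of its
// built-in byte-level mutators. This version always splices one randomized
// li-sequence at a random aligned position; a real harness would mix this with
// LLVMFuzzerMutate() for ordinary byte mutations.
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size,
                                          size_t max_size, unsigned int seed) {
    if (max_size < 8) return size;                           // no room for two words
    std::mt19937 rng(seed);
    size_t slots = size >= 8 ? size / 4 - 1 : 0;             // aligned positions with room for a pair
    size_t word_index = slots ? rng() % slots : 0;
    uint32_t rd = 1 + rng() % 31;                            // x1..x31; x0 would discard the value
    uint32_t value = (rng() & 1) ? kSpecialValues[rng() % kNumSpecial] : (uint32_t)rng();
    size_t n = splice_li_sequence(data, size, max_size, word_index, rd, value);
    return n ? n : size;
}

// Scan a buffer for an aligned LUI/ADDI pair that targets one register through
// both instructions; returns that register, or 0 if there is none.
uint32_t find_li_pair(const uint8_t* data, size_t size) {
    for (size_t i = 0; i + 8 <= size; i += 4) {
        uint32_t a = get_le32(data + i), b = get_le32(data + i + 4);
        uint32_t rd_a = (a >> 7) & 0x1f, rd_b = (b >> 7) & 0x1f, rs1_b = (b >> 15) & 0x1f;
        if ((a & 0x7f) == 0x37 && (b & 0x7f) == 0x13 && rd_a != 0 && rd_a == rd_b && rd_b == rs1_b)
            return rd_a;
    }
    return 0;
}
```

The constraint (same `rd` in both words) is what makes the pair meaningful to the ISS: libFuzzer's default byte-level mutations would almost never produce two consecutive words that agree on a register, so without engineer-defined sequences the "large constant" code paths are reached only by luck. `simulate_li` is the check to run on every special value before trusting a sequence generator, because the sign-extension in ADDI is exactly the kind of detail that silently produces the wrong constant.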

Reported outcome

The paper reports that the libFuzzer-based approach was evaluated on three publicly available RISC-V ISSs. In its conclusion, the authors state that the fuzzer was effective at maximizing most coverage metrics and finding errors, and that it found new errors in every considered ISS, including one in Spike.[7]


CITATIONS

[1] libFuzzer is described as LLVM-based and used as the basis for CGF · Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[2] The ISS work added functional coverage and mutation extensions to CGF · Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[3] The RISC-V ISS case study was built on libFuzzer · Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[4] ISS-UT used clang branch-coverage instrumentation and manual functional-coverage trace calls · Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[5] Functional-coverage tracing captures instruction, decoded operation, registers, and immediates · Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[6] ISS-specific mutation uses engineer-defined instruction sequences · Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[7] The libFuzzer-based ISS evaluation found errors across the evaluated ISSs · Verifying Instruction Set Simulators using Coverage-guided Fuzzing

VERSION HISTORY

v2 · 5/29/2026 · gpt-5.5 (current)
v1 · 5/28/2026 · gpt-5.5