
differential fuzzer based on libFuzzer #556

Draft

kvpanch wants to merge 3 commits into main from kvpanch/libfuzzer

Conversation

@kvpanch (Contributor) commented Jun 30, 2026

fuzz/solidity_differential (libFuzzer + SanitizerCoverage) —
coverage-guided. Mutates inputs from SanCov edges in resolc's
Rust dep graph (revive-yul, resolc, revive-llvm-context,
revive-runner). Eight-template Solidity generator; solc → EVM
direct path.

Documented in book/src/developer_guide/fuzzing.md.

@kvpanch kvpanch requested review from elle-j and xermicus June 30, 2026 01:43

@elle-j (Contributor) left a comment

First pass. Excited to see this fuzzer coming together 🙂 Will do a more thorough review once you've integrated main's changes (importantly, the addition of newyork).

Also, please make sure the Files changed do not include revive-differential-tests. 👍

Comment on lines +3 to +4
`revive` ships a coverage-guided differential fuzzer that compares the
same logical contract execution between resolc's PVM lowering and

Contributor

Could you update this file to not split paragraphs mid-sentence (just have paragraphs on one line)? It makes it more consistent and also easier when updating the file without having to deal with certain formatting 👍

Comment on lines +109 to +115
SanitizerCoverage, so the libFuzzer mutation engine sees edges in:

* `revive-yul` parser
* `resolc` standard-json pipeline
* `revive-llvm-context` codegen (every lowering pattern)
* `revive-runner` / pallet-revive simulation
* `arbitrary` and the generator itself
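Review bot: the edge list at +109 to +115 leaves out the LLVM library itself, even though the Makefile's `install-llvm-sancov` target builds LLVM with `--enable-sancov` and the caveat further down says a SanCov-instrumented LLVM is required; add a bullet stating whether LLVM's own edges (the optimization passes and the target backend) feed libFuzzer, since that is the only reason to rebuild LLVM at all. "every lowering pattern" under `revive-llvm-context` also overstates what instrumentation gives you: coverage of a lowering path is only as good as the generator's ability to reach it, so "each lowering path the generator reaches" is the claim the doc can actually back.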

Contributor

Needs a revive-newyork once main is merged into this branch. (Same for revive/fuzz/README.md.)

Contributor Author

Agree. Also, after reading Georgiy's post, there are many ways this fuzzer can be improved.

Comment on lines +133 to +137
> A SanCov-instrumented LLVM at `$LLVM_SYS_221_PREFIX` will break
> non-fuzz `cargo build` invocations: the linker needs
> `__sanitizer_cov_*` symbols that only the libFuzzer runtime
> supplies. Keep two LLVM trees if you need both: switch via
> `LLVM_SYS_221_PREFIX`.
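Review bot: the caveat at +133 to +137 should show the error a reader will actually hit and name the two Makefile targets that produce the two trees. Something like: `cargo build` fails at link time with undefined references to `__sanitizer_cov_*` (for example `__sanitizer_cov_trace_pc_guard`, depending on the coverage mode the instrumented LLVM was built with); build the plain tree with `make install-llvm` and the instrumented one with `make install-llvm-sancov`, and point `LLVM_SYS_221_PREFIX` at whichever one you need. Also say explicitly that the fuzz build requires the instrumented tree, not only that the normal build breaks with it.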

Contributor

Out of curiosity, what's your own workflow/setup when using both non-instrumented LLVM and the fuzzer (needing instrumented LLVM)?

Contributor Author

I don't have enough disk space to keep both LLVMs, so I do rebuild. Otherwise I would keep 2 LLVM versions as mentioned here, i.e. build LLVM once, move it to some target-llvm-1 and build another LLVM.


## Divergence taxonomy

`Divergence` (in `crates/fuzz/src/differential.rs`) categorises every

@elle-j (Contributor), Jul 2, 2026

Nit: Could you update the file to find wherever spellings should be updated to American spelling (e.g. categorises -> categorizes, optimiser -> optimizer, etc.) for consistency.

Contributor Author

sure!

Comment on lines +196 to +200
Compile failures used to panic the whole process via
`.expect("source should compile")` inside resolc's `test_utils`. The
harness wraps both calls in `std::panic::catch_unwind` and routes the
payload into a dedicated variant, so a generator bug doesn't poison
the whole libFuzzer run.
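Review bot: the `catch_unwind` wrapping described at +196 to +200 only works if panics actually unwind into the harness. libfuzzer-sys installs a panic hook at initialization that calls `process::abort()` before unwinding, precisely so that libFuzzer records every panic as a crash; unless the target replaces that hook (once, with `std::panic::set_hook`), the payload never reaches `catch_unwind` and a generator bug still kills the run. State here which hook the harness installs, and note the trade-off: with a non-aborting hook, panics anywhere else in the code under test also stop being reported as crashes unless the harness re-raises or aborts on them.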

Contributor

👍
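The guard the quoted paragraph describes, as an added example in std-only Rust that is not the PR's harness: a structured case is derived from fuzzer bytes (the role `arbitrary` and the template generator play in the real target), each backend runs under `std::panic::catch_unwind`, and the outcome is sorted into a divergence taxonomy in the spirit of the `Divergence` enum the guide mentions. `TestCase`, `Outcome`, the `Divergence` variants and the two toy backends are hypothetical stand-ins for resolc's pipeline and the `solc → EVM` reference path; the planted candidate bugs and the inputs are constructed. One assumption about the real runtime is built in: libfuzzer-sys installs a panic hook that aborts before unwinding, so a target that relies on `catch_unwind` has to replace that hook first.

```rust
// Added example, not the revive PR's harness: the catch_unwind guard the
// quoted paragraph describes, in std-only Rust. Fuzzer bytes become a
// structured case, two backends run under catch_unwind, and the result is
// classified. TestCase, Outcome, Divergence and both toy backends are
// hypothetical stand-ins for resolc's pipeline and the solc -> EVM path.
use std::any::Any;
use std::panic::{self, AssertUnwindSafe};

/// Case derived from raw fuzzer bytes (what `arbitrary` does in the real
/// target); three templates stand in for the generator's eight.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct TestCase { pub template: u8, pub a: u32, pub b: u32 }

impl TestCase {
    /// Too-short inputs yield None: an early return, not a harness panic.
    pub fn from_bytes(data: &[u8]) -> Option<Self> {
        if data.len() < 3 { return None; }
        Some(TestCase { template: data[0] % 3, a: data[1] as u32, b: data[2] as u32 })
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Outcome { pub reverted: bool, pub ret: u64 }

/// Hypothetical taxonomy; the PR's own `Divergence` enum defines its variants.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Divergence {
    None,
    /// A backend panicked (e.g. `.expect("source should compile")`); the
    /// payload becomes a finding instead of killing the libFuzzer run.
    HarnessPanic { backend: &'static str, message: String },
    StatusMismatch { reference: bool, candidate: bool },
    ReturnMismatch { reference: u64, candidate: u64 },
}

/// Text of a panic payload: `&str` for panic!("literal"), `String` otherwise.
fn panic_message(payload: Box<dyn Any + Send>) -> String {
    if let Some(s) = payload.downcast_ref::<&str>() { return (*s).to_string(); }
    if let Some(s) = payload.downcast_ref::<String>() { return s.clone(); }
    "non-string panic payload".to_string()
}

/// Run one backend under catch_unwind and route a panic into a Divergence.
fn run_guarded(name: &'static str, f: impl FnOnce() -> Outcome) -> Result<Outcome, Divergence> {
    panic::catch_unwind(AssertUnwindSafe(f))
        .map_err(|p| Divergence::HarnessPanic { backend: name, message: panic_message(p) })
}

/// Status first (a one-sided revert is the serious class), then return data.
pub fn classify(r: &Outcome, c: &Outcome) -> Divergence {
    if r.reverted != c.reverted {
        return Divergence::StatusMismatch { reference: r.reverted, candidate: c.reverted };
    }
    if !r.reverted && r.ret != c.ret {
        return Divergence::ReturnMismatch { reference: r.ret, candidate: c.ret };
    }
    Divergence::None
}

/// libfuzzer-sys installs a panic hook that aborts before unwinding, so under
/// it catch_unwind never runs; a target using this guard must install its own
/// hook once, at startup, before the first iteration.
pub fn install_unwinding_hook() {
    panic::set_hook(Box::new(|info| eprintln!("backend panic: {info}")));
}

/// One fuzz iteration: the body a `fuzz_target!` closure would call.
pub fn fuzz_one(data: &[u8], reference: fn(&TestCase) -> Outcome, candidate: fn(&TestCase) -> Outcome) -> Divergence {
    let case = match TestCase::from_bytes(data) { Some(c) => c, None => return Divergence::None };
    let r = match run_guarded("reference", || reference(&case)) { Ok(o) => o, Err(d) => return d };
    let c = match run_guarded("candidate", || candidate(&case)) { Ok(o) => o, Err(d) => return d };
    classify(&r, &c)
}

/// Toy reference backend (stands in for solc -> EVM): exact semantics.
pub fn reference_backend(c: &TestCase) -> Outcome {
    match c.template {
        0 => Outcome { reverted: false, ret: c.a as u64 + c.b as u64 },
        1 => Outcome { reverted: false, ret: c.a as u64 * c.b as u64 },
        _ if c.a > c.b => Outcome { reverted: false, ret: (c.a - c.b) as u64 },
        _ => Outcome { reverted: true, ret: 0 },
    }
}

/// Toy candidate with constructed bugs: the product truncated to 8 bits,
/// `require(a > b)` lowered as `a >= b`, and a compile-step panic that fires
/// for a == 0 in the require template (a stand-in for a generator bug).
pub fn candidate_backend(c: &TestCase) -> Outcome {
    match c.template {
        0 => Outcome { reverted: false, ret: c.a as u64 + c.b as u64 },
        1 => Outcome { reverted: false, ret: (c.a.wrapping_mul(c.b) & 0xff) as u64 },
        _ => {
            assert!(c.a != 0, "source should compile"); // constructed compile panic
            if c.a >= c.b { Outcome { reverted: false, ret: (c.a - c.b) as u64 } }
            else { Outcome { reverted: true, ret: 0 } }
        }
    }
}
```

Because the reference backend runs first, a reference-side panic is reported as its own finding rather than being mistaken for a candidate bug; in a real target the `HarnessPanic` payload is what you would write to the crash artifact next to the generated Solidity. Constructed inputs `[0, 3, 4]`, `[1, 16, 16]`, `[2, 5, 5]` and `[2, 0, 9]` exercise the four variants in order.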

Comment thread fuzz/README.md
Comment on lines +3 to +4
Coverage-guided fuzzer for the Solidity differential, driven by
[`cargo-fuzz`](https://github.com/rust-fuzz/cargo-fuzz) / libFuzzer.

Contributor

Similar to my comment to the dev guide update, could this file be updated to not break lines mid-sentence (i.e. keep paragraphs on one line)?

Comment thread Makefile
Comment on lines +55 to +57
install-llvm-sancov: install-llvm-builder
git submodule update --init --recursive --depth 1
CMAKE_BUILD_PARALLEL_LEVEL=$(JOBS) revive-llvm build --llvm-projects lld --llvm-projects clang --enable-sancov
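Review bot: `install-llvm-sancov` passes `CMAKE_BUILD_PARALLEL_LEVEL=$(JOBS)` with no default, while `fuzz-libfuzzer` below uses `$(or $(JOBS),4)`; when `JOBS` is unset this exports an empty value, so use the same `$(or $(JOBS),N)` form in both recipes or set `JOBS ?=` once at the top of the Makefile. Since this target builds from the same submodule as `install-llvm` and the fuzzing guide tells users to keep two LLVM trees, the recipe (or a comment on it) should also say where the instrumented build lands so the two targets do not overwrite each other.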

Contributor

We could consider moving git submodule update --init --recursive --depth 1 (from install-llvm-sancov and install-llvm) into install-llvm-builder instead so that it's only in one place.

Comment thread Makefile
Comment on lines +107 to +108
fuzz-libfuzzer:
cd fuzz && cargo +nightly fuzz run solidity_differential -- -fork=$(or $(JOBS),4) -ignore_crashes=0
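Review bot: `fuzz-libfuzzer` runs unbounded: with `-fork` and `-ignore_crashes=0` libFuzzer stops on the first crash but otherwise never exits, so add a knob such as `-max_total_time=$(FUZZ_TIME)` (a libFuzzer flag) so the target can be called from CI with a budget. Note also that `cd fuzz &&` is scoped to the shell make spawns for this recipe line; it does not leave the caller's shell in `fuzz/`, so no `cd ..` is needed for that purpose.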

Contributor

Could this also cd back to ../ so that we don't have to do it manually after running the command?

Comment thread Makefile

Contributor

Does the clean target also need an update? I saw that fuzz's README suggested some cleanup.

Comment thread revive-differential-tests
@socket-security (bot) commented Jul 2, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | cargo/libfuzzer-sys@0.4.13 | 47 | 100 | 93 | 100 | 100 |

View full report

@socket-security (bot) commented Jul 2, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report


2 participants