rustlantis

UB-free and deterministic rustc fuzzer

https://github.com/cbeuw/rustlantis

Science Score: 54.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
    1 of 3 committers (33.3%) from academic institutions
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (10.1%) to scientific vocabulary
Last synced: 7 months ago

Repository

Basic Info
  • Host: GitHub
  • Owner: cbeuw
  • License: apache-2.0
  • Language: Rust
  • Default Branch: master
  • Homepage:
  • Size: 486 KB
Statistics
  • Stars: 87
  • Watchers: 4
  • Forks: 5
  • Open Issues: 3
  • Releases: 0
Created almost 3 years ago · Last pushed 9 months ago
Metadata Files
Readme License Citation

README.md

Rustlantis

A Rust Mid-level Intermediate Representation fuzzer

It can generate custom MIR programs containing:

  • All primitive integer and floating point types, bool, char, arrays, tuples, references, raw pointers, structs, and enums
  • Functions containing multiple basic blocks
  • Terminators: Goto, Return, SwitchInt (match), Call
  • Intrinsic functions: arith_offset (for pointer arithmetic), transmute, bswap, fmaf64
  • Operators: all arithmetic, logical and bitwise operations on integers and floating points, and checked arithmetic (Add, Sub, Mul) on integers
  • All primitive literal expressions, as well as tuple, array, and struct aggregate expressions
  • Creating references and raw pointers, and dereferencing them
  • Casts between integers, floating points, char, and bool

Generated programs are terminating, UB-free, and deterministic. A discrepancy between testing backends always indicates a bug in them (or a bug in Rustlantis).

Requirements

  • Rust nightly
  • rustup

Config

Install Miri and Cranelift with Rustup: `rustup component add miri rustc-codegen-cranelift-preview`, then copy `config.toml.example` to `config.toml`.

Usage

To generate and difftest one seed, run

```bash
./fuzz-one.sh <seed>
```

A program will be generated to $TMPDIR and tested. If difftest passes (no bug), it will exit with 0. If difftest spots a difference between testing backends, it will exit with 1 and save the reproduction file to ./repros/.
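A seed sweep built on the exit-code contract described above, as an added example that is not part of the Rustlantis repository. The `sweep_seeds` function and the `FUZZ_CMD` override are hypothetical names, and treating any exit status other than 0 or 1 as a harness error is an assumption.

```bash
#!/bin/sh
# Added example, not from the Rustlantis repository.
# Sweeps an inclusive seed range through the single-seed driver and sorts
# each run by exit status, following the README's contract:
#   0 = difftest passed, 1 = backends disagreed (reproduction saved).
# Assumption: any other status is a harness failure (missing toolchain,
# crash of the driver itself) and must not be counted as a finding.
# FUZZ_CMD is a hypothetical override; it defaults to ./fuzz-one.sh.

sweep_seeds() {
    first=$1
    last=$2
    pass=0
    diff_seeds=""
    error_seeds=""
    seed=$first
    while [ "$seed" -le "$last" ]; do
        rc=0
        "${FUZZ_CMD:-./fuzz-one.sh}" "$seed" >/dev/null 2>&1 || rc=$?
        case $rc in
            0) pass=$((pass + 1)) ;;
            1) diff_seeds="$diff_seeds $seed" ;;
            *) error_seeds="$error_seeds $seed" ;;
        esac
        seed=$((seed + 1))
    done
    # One summary line; the leading space is trimmed from each seed list.
    echo "pass=$pass discrepancies=[${diff_seeds# }] errors=[${error_seeds# }]"
    # Non-zero status when a human needs to look: 1 if any backend
    # discrepancy was found, 2 if there were only harness errors.
    [ -z "$diff_seeds" ] || return 1
    [ -z "$error_seeds" ] || return 2
    return 0
}

# Run only when invoked with a range, e.g. `sh sweep.sh 0 999`.
if [ "$#" -eq 2 ]; then
    sweep_seeds "$1" "$2"
fi
```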

To generate a program only, run `generate`:

```
Usage: generate [OPTIONS]

Arguments:
  generation seed

Options:
  -d, --debug        generate a program where values are printed instead of hashed (slow)
      --call-syntax  switch between different versions of Call syntaxes [default: v4] [possible values: v1, v2, v3, v4]
  -h, --help         Print help
  -V, --version      Print version
```

To difftest an existing program, run `difftest`:

```
Usage: difftest

Arguments:

Options:
  -h, --help  Print help
```

Quirks

  • Cranelift not supported on AArch64 macOS: https://github.com/bjorn3/rustc_codegen_cranelift/issues/1248
  • rustc_codegen_gcc can be used as a backend, but it doesn't support enough language features yet to be usable

Namesake

The Space Shuttle Atlantis docked with Mir space station seven times: https://en.wikipedia.org/wiki/Shuttle%E2%80%93Mir_program

Trophies

  • 🦀: Root cause in Rust
  • 🐉: Root cause in LLVM
  • 🏗️: Root cause in Cranelift

Crashes & ICEs

  • 🦀 RenameReturnPlace is broken: https://github.com/rust-lang/rust/issues/110902
  • 🦀 ReferencePropagation prevents partial initialisation: https://github.com/rust-lang/rust/issues/111426
  • 🐉 phi nodes assumed to be non-empty: https://github.com/llvm/llvm-project/issues/63013
  • 🐉 Assertion failure in RegisterCoalescer: https://github.com/llvm/llvm-project/issues/63033
  • 🦀 MIR inlining inserts statements at the wrong place: https://github.com/rust-lang/rust/issues/117355
  • 🏗️ Overflowing shift triggers panic in Cranelift: https://github.com/rust-lang/rustc_codegen_cranelift/issues/1455 & https://github.com/bytecodealliance/wasmtime/issues/7865

Silent Miscompilations

  • 🦀 ConstProp propagates over mutating borrows: https://github.com/rust-lang/rust/issues/110947
  • 🦀 *const T in function parameters annotated with readonly: https://github.com/rust-lang/rust/issues/111502
  • 🐉 Aliasing analysis merges loads from different offsets: https://github.com/rust-lang/rust/issues/112061 & https://github.com/llvm/llvm-project/issues/63019
  • 🐉 Constant folding produces invalid boolean values: https://github.com/rust-lang/rust/issues/112170 & https://github.com/llvm/llvm-project/issues/63055
  • 🐉 Aliasing analysis broken for overflowing pointer offsets: https://github.com/rust-lang/rust/issues/112526 & https://github.com/llvm/llvm-project/issues/63266
  • https://github.com/rust-lang/rust/issues/112548
  • 🐉 Copy elision corrupts stack arguments with two parts: https://github.com/rust-lang/rust/issues/112767 & https://github.com/llvm/llvm-project/issues/63430
  • 🐉 Copy elision reads stack arguments from the wrong offsets: https://github.com/llvm/llvm-project/issues/63475
  • 🦀 Subnormal f64 to f32 cast is wrong: https://github.com/rust-lang/rust/issues/113407
  • 🐉 AST size merging is wrong: https://github.com/llvm/llvm-project/issues/64897
  • 🦀 ConstProp propagates over assignment of unknown values: https://github.com/rust-lang/rust/issues/118328
  • 🐉 Bad undef/poison handling in InstCombine: https://github.com/llvm/llvm-project/issues/74890
  • 🦀 GVN merges moved function arguments: https://github.com/rust-lang/rust/issues/120613
  • 🐉 GVNPass forgets to remove poison generating flags: https://github.com/llvm/llvm-project/issues/82884
  • 🏗️ Misoptimization of imul + ireduce: https://github.com/rust-lang/rustc_codegen_cranelift/issues/1460 & https://github.com/bytecodealliance/wasmtime/issues/7999
  • 🐉 InstCombine calculates wrong insertelement instructions: https://github.com/rust-lang/rust/issues/121996 & https://github.com/llvm/llvm-project/issues/84025
  • 🐉 Funnel shifts by a constant 0 are lowered wrong on AArch64: https://github.com/llvm/llvm-project/issues/139866
  • 🦀 GVN misunderstands aliasing, can create overlapping assignments: https://github.com/rust-lang/rust/issues/141038
  • 🦀 ReferencePropagation misunderstands aliasing, can add reads of uninitialized memory: https://github.com/rust-lang/rust/issues/141101
  • 🦀 CopyProp doesn't always respect Tree Borrows aliasing: https://github.com/rust-lang/rust/issues/141122
  • 🦀 EarlyOtherwiseBranch can insert storage markers incorrectly, creating use of a dead local: https://github.com/rust-lang/rust/issues/141212
  • 🦀 GVN makes an incorrect index access: https://github.com/rust-lang/rust/issues/141251
  • 🐉 CorrelatedValuePropagation miscompilation: https://github.com/llvm/llvm-project/issues/142286
  • 🐉 InstCombine miscompilation: https://github.com/llvm/llvm-project/issues/142518

Previously known bugs

  • 🦀 Const eval gives x % x wrong sign when x is a negative float: https://github.com/rust-lang/rust/issues/109567 (first reported https://github.com/rust-lang/rust/issues/102403)
  • 🐉 Write to dangling pointer is hoisted outside of condition: https://github.com/rust-lang/rust/issues/112213 (first reported https://github.com/llvm/llvm-project/issues/51838)

License

Rustlantis is distributed under the terms of both the MIT License and the Apache License (Version 2.0), at your choice.

© ETH Zurich and contributors

Owner

  • Name: Andy Wang
  • Login: cbeuw
  • Kind: user
  • Location: United Kingdom

Qian

Citation (CITATION.cff)

cff-version: 1.2.0
title: Rustlantis
message: A fuzzer for the Rust compiler
type: software
authors:
  - given-names: Qian (Andy)
    family-names: Wang
    orcid: 'https://orcid.org/0009-0006-0779-8651'
    affiliation: ETH Zürich
  - given-names: Ralf
    family-names: Jung
    orcid: 'https://orcid.org/0000-0001-7669-6348'
    affiliation: ETH Zürich
identifiers:
  - type: doi
    value: 10.1145/3689780
repository-code: 'https://github.com/cbeuw/rustlantis'
keywords:
  - Compiler testing
  - Rust
  - Fuzzing
license:
  - Apache-2.0
  - MIT

GitHub Events

Total
  • Issues event: 1
  • Watch event: 36
  • Issue comment event: 5
  • Push event: 6
  • Pull request event: 6
  • Fork event: 2
Last Year
  • Issues event: 1
  • Watch event: 36
  • Issue comment event: 5
  • Push event: 6
  • Pull request event: 6
  • Fork event: 2

Committers

Last synced: 10 months ago

All Time
  • Total Commits: 294
  • Total Committers: 3
  • Avg Commits per committer: 98.0
  • Development Distribution Score (DDS): 0.007
Past Year
  • Commits: 20
  • Committers: 2
  • Avg Commits per committer: 10.0
  • Development Distribution Score (DDS): 0.05
Top Committers
Name Email Commits
Qian Wang w****n@s****h 292
Olivier FAURE c****u@g****m 1
Ben Kimock k****b@g****m 1

Issues and Pull Requests

Last synced: 11 months ago

All Time
  • Total issues: 1
  • Total pull requests: 3
  • Average time to close issues: N/A
  • Average time to close pull requests: about 3 hours
  • Total issue authors: 1
  • Total pull request authors: 3
  • Average comments per issue: 9.0
  • Average comments per pull request: 1.0
  • Merged pull requests: 2
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 1
  • Average time to close issues: N/A
  • Average time to close pull requests: about 2 hours
  • Issue authors: 0
  • Pull request authors: 1
  • Average comments per issue: 0
  • Average comments per pull request: 1.0
  • Merged pull requests: 1
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
  • PoignardAzur (1)
  • saethlin (1)
Pull Request Authors
  • saethlin (4)
  • FractalFir (1)
  • PoignardAzur (1)

Dependencies

Cargo.lock cargo
  • aho-corasick 1.0.2
  • anstream 0.3.2
  • anstyle 1.0.1
  • anstyle-parse 0.2.1
  • anstyle-query 1.0.0
  • anstyle-wincon 1.0.1
  • async-trait 0.1.68
  • atty 0.2.14
  • autocfg 1.1.0
  • bimap 0.6.3
  • bitflags 1.3.2
  • bitflags 2.3.3
  • cc 1.0.79
  • cfg-if 1.0.0
  • clap 4.3.10
  • clap_builder 4.3.10
  • clap_lex 0.5.0
  • colorchoice 1.0.0
  • colored 2.0.0
  • config 0.13.3
  • crossbeam-channel 0.5.8
  • crossbeam-deque 0.8.3
  • crossbeam-epoch 0.9.15
  • crossbeam-utils 0.8.16
  • either 1.8.1
  • env_logger 0.10.0
  • errno 0.3.1
  • errno-dragonfly 0.1.2
  • fastrand 1.9.0
  • fixedbitset 0.4.2
  • getrandom 0.2.10
  • hashbrown 0.12.3
  • hermit-abi 0.1.19
  • hermit-abi 0.3.1
  • humantime 2.1.0
  • index_vec 0.1.3
  • indexmap 1.9.3
  • instant 0.1.12
  • io-lifetimes 1.0.11
  • is-terminal 0.4.8
  • lazy_static 1.4.0
  • libc 0.2.147
  • libm 0.2.7
  • linux-raw-sys 0.3.8
  • linux-raw-sys 0.4.3
  • log 0.4.19
  • memchr 2.5.0
  • memoffset 0.9.0
  • minimal-lexical 0.2.1
  • nom 7.1.3
  • num-traits 0.2.15
  • num_cpus 1.16.0
  • once_cell 1.18.0
  • pathdiff 0.2.1
  • petgraph 0.6.3
  • ppv-lite86 0.2.17
  • proc-macro2 1.0.63
  • quote 1.0.29
  • rand 0.8.5
  • rand_chacha 0.3.1
  • rand_core 0.6.4
  • rand_distr 0.4.3
  • rayon 1.7.0
  • rayon-core 1.11.0
  • redox_syscall 0.3.5
  • regex 1.8.4
  • regex-syntax 0.7.2
  • rustix 0.37.21
  • rustix 0.38.1
  • scopeguard 1.1.0
  • serde 1.0.164
  • smallvec 1.10.0
  • strsim 0.10.0
  • syn 2.0.22
  • tempfile 3.6.0
  • termcolor 1.2.0
  • toml 0.5.11
  • unicode-ident 1.0.9
  • utf8parse 0.2.1
  • wasi 0.11.0+wasi-snapshot-preview1
  • winapi 0.3.9
  • winapi-i686-pc-windows-gnu 0.4.0
  • winapi-util 0.1.5
  • winapi-x86_64-pc-windows-gnu 0.4.0
  • windows-sys 0.48.0
  • windows-targets 0.48.1
  • windows_aarch64_gnullvm 0.48.0
  • windows_aarch64_msvc 0.48.0
  • windows_i686_gnu 0.48.0
  • windows_i686_msvc 0.48.0
  • windows_x86_64_gnu 0.48.0
  • windows_x86_64_gnullvm 0.48.0
  • windows_x86_64_msvc 0.48.0
Cargo.toml cargo
abi/Cargo.toml cargo
difftest/Cargo.toml cargo
generate/Cargo.toml cargo
mir/Cargo.toml cargo
rangemap/Cargo.toml cargo