author:    Emmett Neyman <eneyman@google.com> 2018-08-16 20:13:40 +0000
committer: Emmett Neyman <eneyman@google.com> 2018-08-16 20:13:40 +0000
commit:    2da9132cde78a9658d79781c4f28dcdaed1bba91 (patch)
tree:      5aaa7c4b275fb874d7d0a4ab76671b1b41d88764
parent:    5bdeac6e5048204c9f2bf791b3f15535b3f0426c (diff)
Update README and Dockerfile to include llvm-proto-fuzzer
Summary: Added commands to Dockerfile to build llvm-proto-fuzzer and the other related tools. Also added a section to the bottom of the README describing what llvm-proto-fuzzer does and how to run it.

Reviewers: morehouse, kcc

Reviewed By: morehouse

Subscribers: cfe-commits, llvm-commits

Differential Revision: https://reviews.llvm.org/D50829

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@339933 91177308-0d34-0410-b5e6-96231b3b80d8

-rw-r--r--  tools/clang-fuzzer/Dockerfile  |  4
-rw-r--r--  tools/clang-fuzzer/README.txt  | 34
2 files changed, 38 insertions, 0 deletions
diff --git a/tools/clang-fuzzer/Dockerfile b/tools/clang-fuzzer/Dockerfile
index 1946b8bf88..9f6336c479 100644
--- a/tools/clang-fuzzer/Dockerfile
+++ b/tools/clang-fuzzer/Dockerfile
@@ -35,3 +35,7 @@ RUN mkdir build1 && cd build1 && cmake -GNinja -DCMAKE_BUILD_TYPE=Release ../llv
RUN cd build1 && ninja clang-fuzzer
RUN cd build1 && ninja clang-proto-fuzzer
RUN cd build1 && ninja clang-proto-to-cxx
+RUN cd build1 && ninja clang-loop-proto-to-cxx
+RUN cd build1 && ninja clang-loop-proto-to-llvm
+RUN cd build1 && ninja clang-loop-proto-fuzzer
+RUN cd build1 && ninja clang-llvm-proto-fuzzer
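Review bot: The four new targets are built in the same build1 tree as clang-proto-fuzzer (the cmake invocation in the hunk header), yet the README section added in this same patch recommends building llvm-proto-fuzzer without ASan and with -O2 because it JIT-compiles and executes every input; a comment here stating which sanitizer/optimization configuration build1 uses, or a separate build directory for the llvm-proto-fuzzer binaries, would keep the Dockerfile image consistent with the documented advice. As a minor style point, the four `RUN cd build1 && ninja ...` lines could be a single `RUN cd build1 && ninja clang-loop-proto-to-cxx clang-loop-proto-to-llvm clang-loop-proto-fuzzer clang-llvm-proto-fuzzer`, matching the combined `ninja clang-llvm-proto-fuzzer clang-loop-proto-to-llvm` form the README example uses, and saving three image layers; keeping one target per RUN is also defensible since it matches the existing lines above.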
diff --git a/tools/clang-fuzzer/README.txt b/tools/clang-fuzzer/README.txt
index 66a6a6332c..9c25afdb22 100644
--- a/tools/clang-fuzzer/README.txt
+++ b/tools/clang-fuzzer/README.txt
@@ -80,3 +80,37 @@ custom optimization level and target triple:
To translate a clang-proto-fuzzer corpus output to C++:
bin/clang-proto-to-cxx CORPUS_OUTPUT_FILE
+
+===================
+ llvm-proto-fuzzer
+===================
+Like, clang-proto-fuzzer, llvm-proto-fuzzer is also a protobuf-mutator based
+fuzzer. It receives as input a cxx_loop_proto which it then converts into a
+string of valid LLVM IR: a function with either a single loop or two nested
+loops. It then creates a new string of IR by running optimization passes over
+the original IR. Currently, it only runs a loop-vectorize pass but more passes
+can easily be added to the fuzzer. Once there are two versions of the input
+function (optimized and not), llvm-proto-fuzzer uses LLVM's JIT Engine to
+compile both functions. Lastly, it runs both functions on a suite of inputs and
+checks that both functions behave the same on all inputs. In this way,
+llvm-proto-fuzzer can find not only compiler crashes, but also miscompiles
+originating from LLVM's optimization passes.
+
+llvm-proto-fuzzer is built very similarly to clang-proto-fuzzer. You can run the
+fuzzer with the following command:
+ bin/clang-llvm-proto-fuzzer CORPUS_DIR
+
+To translate a cxx_loop_proto file into LLVM IR do:
+ bin/clang-loop-proto-to-llvm CORPUS_OUTPUT_FILE
+To translate a cxx_loop_proto file into C++ do:
+ bin/clang-loop-proto-to-cxx CORPUS_OUTPUT_FILE
+
+Note: To get a higher number of executions per second with llvm-proto-fuzzer it
+helps to build it without ASan instrumentation and with the -O2 flag. Because
+the fuzzer is not only compiling code, but also running it, as the inputs get
+large, the time necessary to fuzz one input can get very high.
+Example:
+ cmake .. -GNinja -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ \
+ -DCLANG_ENABLE_PROTO_FUZZER=ON -DLLVM_USE_SANITIZE_COVERAGE=YES \
+ -DCMAKE_CXX_FLAGS="-O2"
+ ninja clang-llvm-proto-fuzzer clang-loop-proto-to-llvm
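Review bot: The first sentence of the new section has a stray comma ("Like, clang-proto-fuzzer, llvm-proto-fuzzer is also ...") and should read "Like clang-proto-fuzzer, llvm-proto-fuzzer is a protobuf-mutator based fuzzer". The two "To translate ..." command pairs would be easier to scan with a blank line between them, as the clang-proto-to-cxx entry above the hunk does. On content: the text says the fuzzer "checks that both functions behave the same on all inputs" but not what a user sees when they differ, so a sentence stating how a miscompile is reported (and how to reproduce it from the saved input with clang-loop-proto-to-llvm) would make the miscompile-finding claim actionable. The build note says "without ASan instrumentation", but the example command only omits the sanitizer option rather than saying so; spelling out that the example leaves -DLLVM_USE_SANITIZER unset (while keeping -DLLVM_USE_SANITIZE_COVERAGE=YES for libFuzzer coverage feedback) would make the intent explicit.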