Artifact • Reproduce Bugs • Quick Start • Installation • Extend Tzer
Coverage-Guided Tensor Compiler Fuzzing with Joint IR-Pass Mutation
This is the source code repo for "Coverage-Guided Tensor Compiler Fuzzing with Joint IR-Pass Mutation" (Conditionally accepted by OOPSLA'22).
Artifact
Please check here for detailed documentation of the artifact prepared for OOPSLA'22.
Reproduce Bugs
Till submission, Tzer has been detected 40 bugs for TVM with 30 confirmed and 24 fixed (merged in the latest branch). Due to the anonymous review policy of OOPSLA, the links of actual bug reports will be provided after the review process.
We provide strong reproducibility of our work. To reproduce all bugs, all you need to do is a single click on your browser. Since some bugs need to be triggered by some complex GPU settings, to maximumly ease the hardware and software effort, the bugs are summarized in a Google Colab environment (No GPU required, but just a browser!).
Quick Start
You can easily start using Tzer with docker.
docker run --rm -it tzerbot/oopsla
# Inside the image.
cd tzer
python3 src/main_tir.py --fuzz-time 10 --report-folder ten-minute-fuzz
# run for 10 min. bugs in folder `ten-minute-fuzz`
Successful installation looks like:
Report folder contents [click to expand]
cov_by_time.txt
: a csv file where columns means "time" (second) and edge coverage;${BUG_TYPE}_${BUG_ID}.error_message.txt
: error message snapshot of failures;${BUG_TYPE}_${BUG_ID}.ctx
: context data to reproduce bugs (stored in Pickle. See config.py)meta.txt
: metadata including git version of TVM and experiment time;tir_by_time.pickle
: generated <F, P> (i.e., TIR and Passes) files (ifTIR_REC=1
is set);valid_seed_new_cov_count.txt
: number of generated valid tests with new coverage;
Main commandline options [click to expand]
Commandline options (added as tail of commands):
--fuzz-time
: Time budget of fuzzing (minute);--tolerance
: Parameter $N_{max}$ in the paper (control the interleaving of IR and pass mutation);--report-folder
: Path to store results (e.g., coverage trend);
Environment variables to control the algorithm options (added the prefix of commands):
PASS=1
to enable pass mutation;NO_SEEDS=1
to disable initial seeds (start from an empty function);NO_COV=1
to disable the coverage feedback;TIR_REC=1
to record generated TIR files (for evaluating non-coverage version);
Reproduce ablation study [click to expand]
# (1): General IR Mutation (No Coverage)*
TVM_HOME=$TVM_NO_COV_HOME PYTHONPATH=$TVM_HOME/python TIR_REC=1 NO_COV=1 python3 src/main_tir.py --fuzz-time 240 --report-folder ablation-1
python3 src/get_cov.py --folders ablation-1 # Evaluate samples on instrumented TVM to get coverage results.
# (2): (1) + Coverage Guidance
python3 src/main_tir.py --fuzz-time 240 --report-folder ablation-2
# (3): (2) + Domain-Specific IR Mutation
LOW=1 python3 src/main_tir.py --fuzz-time 240 --report-folder ablation-3
# (4): (3) + Random Pass Mutation
PASS=1 RANDOM_PASS=1 LOW=1 python3 src/main_tir.py --fuzz-time 240 --report-folder ablation-4
# (5): (3) + Evolutionary IR-Pass Mutation
# aka: Best Tzer! Pleasse use this command if you want to compare Tzer with your own system~
PASS=1 LOW=1 python3 src/main_tir.py --fuzz-time 240 --report-folder ablation-5 --tolerance 4
Note that fuzzing is performance-sensitive: To obtain reliable results, evaluation should be conducted in a "clean" environment (e.g., close irrelavant processes as many as possible). To determine how "clean" your environment is, you can log the load average of your Linux system. Expected load average should be around 1 or lower (as what we did in the experiments).
Installation
Expected requirements [click to expand]
- Hardware: 8GB RAM; 256G Storage; X86 CPU; Good Network to GitHub; Docker (for Docker installation)
- Software: Linux (tested under Manjaro and Ubuntu20.04. Other Linux distributions should also work)
We provide 3 methods for installing Tzer:
Docker Hub (Recommended, Out-of-the-box!) [click to expand]
Directly run Tzer in pre-built container image! Make sure you have docker installed.
docker run --rm -it tzerbot/oopsla
Docker Build (10~20 min., for customized development) [click to expand]
Build Tzer under a docker environment! Make sure you have docker installed.
git clone https://github.com/Tzer-AnonBot/tzer.git && cd tzer
docker build --tag tzer-oopsla:eval .
docker run --rm -it tzer-oopsla:eval
Manual Build (20~30 min., for customized dev. and native performance) [click to expand]
Prepare dependencies:
# Arch Linux / Manjaro
sudo pacman -Syy
sudo pacman -S compiler-rt llvm llvm-libs compiler-rt clang cmake git python3
# Ubuntu
sudo apt update
sudo apt install -y libfuzzer-12-dev # If you fail, try "libfuzzer-11-dev", "-10-dev", ...
sudo apt install -y clang cmake git python3
Build TVM and Tzer:
git clone https://github.com/Tzer-AnonBot/tzer.git
cd tzer/tvm_cov_patch
# Build TVM with intruments
bash ./build_tvm.sh # If you fail, check the script for step-by-step instruction;
cd ../../../
# If success:
# tvm with coverage is installed under `tvm_cov_patch/tvm`
# tvm without coverage is under `tvm_cov_patch/tvm-no-cov`
# Install Python dependency
python3 -m pip install -r requirements.txt
# Set up TVM_HOME and PYTHONPATH env var before using TVM and Tzer.
export TVM_HOME=$(realpath tvm_cov_patch/tvm)
export TVM_NO_COV_HOME=$(realpath tvm_cov_patch/tvm-no-cov)
export PYTHONPATH=$TVM_HOME/python
Extend Tzer
We implemented many re-usable functionalities for future and open research! To easily implement other coverage-guided fuzzing algorithm for TVM, after your installing TVM with memcov by applying tvm_cov_patch/memcov4tvm.patch
to TVM (See tvm_cov_patch/build_tvm.sh), you can get current coverage of TVM by:
from tvm.contrib import coverage
print(coverage.get_now()) # Current visited # of CFG edges
print(coverage.get_total()) # Total number of # of CFG edges
coverage.push() # store current coverage snapshot to a stack and reset it to empty (useful for multi-process scenario)
coverage.pop() # merge the top snapshot from the stack.
Usage push-pop
combo: Some times the target program might crash, but we don't want the fuzzer to be affected by the failure. Therefore, you can set a "safe guard" by:
- push: save current snapshot and reset the coverage hitmap;
- raise a sub-process to compile target IR & passes with TVM;
- pop: merge the snapshot of the sub-process and last stored snapshot (top of the stack) to get a complete coverage.
Latency of the combo is optimized to ~1ms as we applied bit-level optimization.
Cite Us
Please cite our paper if you find our contributions are helpful. :-)
@inproceedings{tzer-2022,
title={Coverage-Guided Tensor Compiler Fuzzing with Joint IR-Pass Mutation},
author={Liu, Jiawei and Wei, Yuxiang and Yang, Sen and Deng, Yinlin and Zhang, Lingming},
booktitle={Proceedings of the ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications},
year={2022}
}