This is the implementation repository of our submit paper: Scuzer: A Scheduling Optimization Fuzzer for TVM.
Scuzer is a coverage-guided fuzzer specifically designed for TVM TE IR. The core of Scuzer includes two types of mutators and an adaptive multi-objective managing algorithm for selecting seeds and mutators. During each fixed-time fuzzing cycle, Scuzer evaluates four objectives: time, size, variety and complexity within the seed corpus and adopts a multi-armed bandit algorithm to determine the optimal combination of these objectives. Subsequently, Scuzer distributes each seed's energy based on the objective's values in the selected combination. Our evaluation results demonstrate the superiority of Scuzer compared to state-of-the-art approaches. Moreover, Scuzer successfully detected 17 bugs on two versions of TVM, with 14 related to scheduling optimizations.
Scuzer test 57 operators and 12 data types in TVM. The specific information can be viewed in the data_type_and_operator_list.md file.
The seed corpus is stored in ./src/seed_corpus_bak.
Before this step please make sure you have installed cmake, clang and the libraries required in the requirement.txt file. You can refer to the TVM official documentation for the minimal building requirements to ensure installation.
cd /Scuzer/tvm_cov_patch
bash /Scuzer/tvm_cov_patch/build_tvm.sh
See NNSmith GitHub page for installation.
After installation, use the content of /Scuzer/experiamnts/copy_to_beckends_tvm.py file to replace /nnsmith/backends/tvm.py and /Scuzer/experiamnts/copy_to_cli_fuzz.py t replace /nnsmith/cli/fuzz.py (please edit these files manually since nnsmith may changed the content).
It is contained in our /Scuzer/experiments/tvmfuzz_experiment.
LibFuzzer has been configured during TVM installation.
Please see our /Scuzer/experiments/expriments.md for more details.
cd /Scuzer/src
cp seed_corpus_bak -r seed_corpus
python main.py -r scuzer_report -s seed_corpus -e scuzer_corpus -m all -t 86400