============
The LLVM tree includes a number of fuzzers for various components. These are
-built on top of :doc:`LibFuzzer <LibFuzzer>`.
+built on top of :doc:`LibFuzzer <LibFuzzer>`. In order to build and run these
+fuzzers, see :ref:`building-fuzzers`.
Available Fuzzers
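Review bot: The new cross-reference on the second added line, the :ref: role pointing at building-fuzzers, only resolves if a matching label (".. _building-fuzzers:") exists, and none of the visible hunks add one. Confirm the label is already defined directly above the section on building the fuzzers, or add it in this patch. Otherwise Sphinx reports an undefined label and renders the text without a link.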
__ https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj-llvm+llvm-dwarfdump-fuzzer
+llvm-demangle-fuzzer
+---------------------
+
+A |generic fuzzer| for the Itanium demangler used in various LLVM tools. We've
+fuzzed __cxa_demangle to death, why not fuzz LLVM's implementation of the same
+function!
+
llvm-isel-fuzzer
----------------
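Review bot: In the llvm-demangle-fuzzer description, __cxa_demangle is written as bare text, while the other identifiers in this patch are marked as literals (``mtriple``, ``passes``). Wrap it in double backticks as well. Two smaller style points in the same hunk: the section underline is one character longer than the title, whereas the llvm-isel-fuzzer and llvm-opt-fuzzer headings use an underline of exactly the title's length; and "why not fuzz LLVM's implementation of the same function!" is phrased as a question and should end with a question mark.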
% bin/llvm-isel-fuzzer--aarch64-O0-gisel <corpus-dir>
+llvm-opt-fuzzer
+---------------
+
+A |LLVM IR fuzzer| aimed at finding bugs in optimization passes.
+
+It receives optimzation pipeline and runs it for each fuzzer input.
+
+Interface of this fuzzer almost directly mirrors ``llvm-isel-fuzzer``. Both
+``mtriple`` and ``passes`` arguments are required. Passes are specified in a
+format suitable for the new pass manager. You can find some documentation about
+this format in the doxygen for ``PassBuilder::parsePassPipeline``.
+
+.. code-block:: shell
+
+ % bin/llvm-opt-fuzzer <corpus-dir> -ignore_remaining_args=1 -mtriple x86_64 -passes instcombine
+
+Similarly to the ``llvm-isel-fuzzer`` arguments in some predefined configurations
+might be embedded directly into the binary file name:
+
+.. code-block:: shell
+
+ % bin/llvm-opt-fuzzer--x86_64-instcombine <corpus-dir>
+
llvm-mc-assemble-fuzzer
-----------------------
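Review bot: The sentence "It receives optimzation pipeline and runs it for each fuzzer input." has a typo ("optimzation") and is missing an article; suggest "It receives an optimization pipeline and runs it on each fuzzer input." The first usage example also passes -ignore_remaining_args=1 with no explanation. One sentence saying that this libFuzzer flag is what lets -mtriple and -passes through to the fuzzer itself would save readers from dropping it and getting a confusing argument error. Finally, "Similarly to the ``llvm-isel-fuzzer`` arguments in some predefined configurations might be embedded" needs a comma after ``llvm-isel-fuzzer`` to parse correctly.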
Fuzzers will be built and linked to libFuzzer by default as long as you build
LLVM with sanitizer coverage enabled. You would typically also enable at least
-one sanitizer for the fuzzers to be particularly likely, so the most common way
-to build the fuzzers is by adding the following two flags to your CMake
-invocation: ``-DLLVM_USE_SANITIZER=Address -DLLVM_USE_SANITIZE_COVERAGE=On``.
+one sanitizer to find bugs faster. The most common way to build the fuzzers is
+by adding the following two flags to your CMake invocation:
+``-DLLVM_USE_SANITIZER=Address -DLLVM_USE_SANITIZE_COVERAGE=On``.
.. note:: If you have ``compiler-rt`` checked out in an LLVM tree when building
with sanitizers, you'll want to specify ``-DLLVM_BUILD_RUNTIME=Off``
to avoid building the sanitizers themselves with sanitizers enabled.
+.. note:: You may run into issues if you build with BFD ld, which is the
+ default linker on many unix systems. These issues are being tracked
+ in https://llvm.org/PR34636.
+
Continuously Running and Finding Bugs
-------------------------------------
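Review bot: The added note about BFD ld says only "You may run into issues" and points to the PR, so a reader who hits a link failure cannot tell from the docs whether it is this problem or what to do about it. Name the symptom briefly and state which linker is known to work for these builds, keeping the PR link for the details. Also capitalize "Unix". The reworded sentence ending in "one sanitizer to find bugs faster" is a clear improvement over the removed text and needs no change.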