[llvm-dev] libfuzzer questions
Brian Cain via llvm-dev
llvm-dev at lists.llvm.org
Mon Aug 10 17:53:47 PDT 2015

First off, thanks -- this is a pretty great library and it feels like I'm
learning a lot.  I'm getting some more experience with libfuzzer and
finding that I have a couple of questions:
- How does libfuzzer decide to write a new test file?  What distinguishes
this one from all the other cases for which new test inputs were not
written?  Must be something about the path taken through the code?
- Can I use afl-cmin or is there something similar for libFuzzer?  I find
that sometimes I get an enormous amount of tests and it becomes
unmanageable.
- sometimes my process being tested appears to deadlock.  A common feature
seems to be that AlarmCallback is allocating memory and as a consequence
the ASan code is pending on a lock.  I'll speculate that this is because
the alarm expired while the lock was already held.  Is this expected?  I
can share specific call stacks if it helps.  I can just extend the timeout
but I think it's probably appropriate.
- AFL has a curses based display where a bunch of different stats are
shown.  I'll be honest, I don't know how to read those yet. ;)  But I'd
like to find some way to determine whether I'm seeing diminishing returns
with libfuzzer.  Is there a good strategy?
- Can anyone share tips for how libFuzzer has been used with some success
-- anything beyond what's already available in
http://llvm.org/docs/LibFuzzer.html ?
-- 
-Brian
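On the first question (what makes libFuzzer write a new test file): a coverage-guided fuzzer saves an input when running it reaches coverage the existing corpus did not already reach. The block below is an added illustration of that rule, not libFuzzer's own source and not code from this thread. Real libFuzzer takes its edge and counter signal from SanitizerCoverage instrumentation inserted at compile time; here the constructed target reports edges by hand through an assumed `Edge()` helper, and the corpus, mutator and loop are simplified stand-ins so the selection criterion is visible in one place.

```cpp
// Added illustration (not libFuzzer's source): a toy coverage-guided loop that
// keeps an input only when it reaches a code edge no earlier input reached.
// libFuzzer gets this signal from SanitizerCoverage instrumentation; here the
// target reports edges by hand via the assumed Edge() helper.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <random>
#include <set>
#include <vector>

using Input = std::vector<uint8_t>;

// Edges reached by the input currently executing.
static std::set<unsigned> g_current_edges;
static void Edge(unsigned id) { g_current_edges.insert(id); }

// Constructed target: a tiny "FZ" header parser with a handful of branches.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size < 4) { Edge(1); return 0; }
  Edge(2);
  if (data[0] != 'F') { Edge(3); return 0; }
  Edge(4);
  if (data[1] != 'Z') { Edge(5); return 0; }
  Edge(6);
  if (data[2] > 2) { Edge(7); return 0; }     // version byte
  Edge(8);
  size_t len = data[3];                        // declared payload length
  if (len > size - 4) { Edge(9); return 0; }   // reject lengths past the buffer
  Edge(10);
  uint32_t sum = 0;
  for (size_t i = 0; i < len; i++) sum += data[4 + i];
  if (sum == 0) Edge(11); else Edge(12);
  return 0;
}

struct Corpus {
  std::vector<Input> inputs;  // inputs a real fuzzer would write to the corpus dir
  std::set<unsigned> seen;    // union of edges reached by everything in inputs
};

// Run one input; keep it if and only if it reached an edge never seen before.
bool RunAndCheckNew(Corpus &c, const Input &in) {
  g_current_edges.clear();
  LLVMFuzzerTestOneInput(in.data(), in.size());
  bool is_new = false;
  for (unsigned e : g_current_edges)
    if (c.seen.insert(e).second) is_new = true;
  if (is_new) c.inputs.push_back(in);
  return is_new;
}

// Apply 1..5 stacked random mutations (bit flip, byte set, insert, erase).
Input Mutate(Input in, std::mt19937 &rng) {
  unsigned rounds = 1 + rng() % 5;
  for (unsigned r = 0; r < rounds; r++) {
    uint8_t b = static_cast<uint8_t>(rng() % 256);
    switch (rng() % 4) {
      case 0: if (!in.empty()) in[rng() % in.size()] ^= static_cast<uint8_t>(1u << (rng() % 8)); break;
      case 1: if (!in.empty()) in[rng() % in.size()] = b; break;
      case 2: if (in.size() < 64) in.insert(in.begin() + static_cast<std::ptrdiff_t>(rng() % (in.size() + 1)), b); break;
      case 3: if (!in.empty()) in.erase(in.begin() + static_cast<std::ptrdiff_t>(rng() % in.size())); break;
    }
  }
  return in;
}

// Seed the corpus, then mutate random corpus members for a fixed budget.
Corpus Fuzz(const std::vector<Input> &seeds, unsigned iterations, unsigned rng_seed) {
  std::mt19937 rng(rng_seed);
  Corpus c;
  for (const Input &s : seeds) RunAndCheckNew(c, s);
  if (c.inputs.empty()) c.inputs.push_back(Input{});  // always have something to mutate
  for (unsigned i = 0; i < iterations; i++) {
    Input child = Mutate(c.inputs[rng() % c.inputs.size()], rng);
    RunAndCheckNew(c, child);
  }
  return c;
}

int main() {
  Corpus c = Fuzz({Input{}}, 20000, 1);  // start from the empty input only
  std::printf("corpus: %zu inputs, %zu of 12 edges reached\n",
              c.inputs.size(), c.seen.size());
  return 0;
}
```

Two things the toy makes concrete: the corpus can never hold more files than there are distinct edges, because every saved input must contribute at least one new edge, and an input that crashes or hangs is a different matter entirely (libFuzzer writes those as crash-/timeout- files regardless of coverage). Because only new coverage triggers a write, the thousands of other executions that exercised already-known paths leave nothing on disk.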