[llvm-dev] libfuzzer questions
Brian Cain via llvm-dev
llvm-dev at lists.llvm.org
Mon Aug 10 17:53:47 PDT 2015
First off, thanks -- this is a pretty great library and it feels like I'm
learning a lot. I'm getting some more experience with libfuzzer and
finding that I have a couple of questions:
- How does libfuzzer decide to write a new test file? What distinguishes
this one from all the other cases for which new test inputs were not
written? Must be something about the path taken through the code?
- Can I use afl-cmin or is there something similar for libFuzzer? I find
that sometimes I get an enormous amount of tests and it becomes
- sometimes my process being tested appears to deadlock. A common feature
seems to be that AlarmCallback is allocating memory and as a consequence
the ASan code is pending on a lock. I'll speculate that this is because
the alarm expired while the lock was already held. Is this expected? I
can share specific call stacks if it helps. I can just extend the timeout
but I think it's probably appropriate.
- AFL has a curses based display where a bunch of different stats are
shown. I'll be honest, I don't know how to read those yet. ;) But I'd
like to find some way to determine whether I'm seeing diminishing returns
with libfuzzer. Is there a good strategy?
- Can anyone share tips for how libFuzzer has been used with some success
-- anything beyond what's already available in
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the llvm-dev