[llvm-dev] Fuzzing complex programs

Greg Stark via llvm-dev llvm-dev at lists.llvm.org
Sun Aug 30 07:30:52 PDT 2015


I have a project I want to do based on Libfuzzer. Is there a separate
list for it or should I bring up any ideas for it here?

What I have in mind is to fuzz Postgres. Trying to fuzz the SQL
interpreter in general is not very productive because traditional
fuzzers try to execute the entire program repeatedly and it has a
fairly high startup and shutdown cost. Also the instrumentation-guided
approach has limitations due to the way lexing and parsing works as
well as the large amount of internal state causing non-deterministic
internal behaviour (garbage collecting persistent data structures,
etc).

However there are a number of internal functions that would be very
feasible to fuzz. Things like the datatype input/output functions (I'm
particularly thinking of the datetime parser), regular expression
library, etc.

To do this effectively I think it would be best to invoke the fuzzer
from inside Postgres. Essentially provide bindings for Libfuzzer so
I can have Libfuzzer provide all the test cases to repeatedly call
the internal functions on.

Is there any example of doing something like this already? Am I taking
a crazy approach?

There are other approaches possible. It would be nice if I could run
afl or libfuzzer on a client program and have the client program tell
afl or libfuzzer the pid of the server to watch and then request test
cases to feed to the server. That seems like it would be a more
flexible approach for a lot of use cases where the server requires
setting up a complex environment.

-- 
greg
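An added example (not code from the mail or from PostgreSQL) of the in-process harness shape Greg describes: libFuzzer's entry points `LLVMFuzzerInitialize` (run once, where the expensive backend startup would go) and `LLVMFuzzerTestOneInput` (run per generated input) drive a datatype input function directly. `parse_iso_date` is a hypothetical stand-in for the datetime parser; a real harness would link the server's own input function. Build with `clang -fsanitize=fuzzer,address`.

```c
/* Added example: in-process libFuzzer harness for a datatype input function.
 * parse_iso_date() is a stand-in written for this example, not PostgreSQL's
 * datetime parser; only the harness shape is the point. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int year, month, day; } iso_date;

static int is_leap(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

/* Read exactly n ASCII digits; a NUL or non-digit stops the scan early. */
static int read_digits(const char *s, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 0;
}

/* Accepts "YYYY-MM-DD" only. Returns 0 on success, -1 on malformed input. */
int parse_iso_date(const char *s, iso_date *out)
{
    static const int mdays[] = {31,28,31,30,31,30,31,31,30,31,30,31};
    int y, m, d;
    if (read_digits(s, 4, &y) || s[4] != '-' ||
        read_digits(s + 5, 2, &m) || s[7] != '-' ||
        read_digits(s + 8, 2, &d) || s[10] != '\0')
        return -1;
    if (m < 1 || m > 12 || d < 1) return -1;
    if (d > mdays[m - 1] + (m == 2 && is_leap(y))) return -1;
    out->year = y; out->month = m; out->day = d;
    return 0;
}

/* libFuzzer calls this once before any input: the place for the one-time
 * backend setup (memory contexts, catalog state) the mail says is costly. */
int LLVMFuzzerInitialize(int *argc, char ***argv) { (void)argc; (void)argv; return 0; }

/* Called once per input. Input functions take NUL-terminated strings and the
 * fuzz buffer is not terminated, so copy it into a heap buffer of exactly
 * size+1 bytes: ASan then reports any read past the terminator. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char *buf = malloc(size + 1);
    if (!buf) return 0;
    memcpy(buf, data, size);
    buf[size] = '\0';
    iso_date parsed;
    (void)parse_iso_date(buf, &parsed); /* a crash or sanitizer report is the finding */
    free(buf);
    return 0;
}
```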

