[llvm-dev] Fuzzing complex programs

Brian Cain via llvm-dev llvm-dev at lists.llvm.org
Sun Aug 30 09:11:30 PDT 2015

On Sun, Aug 30, 2015 at 9:30 AM, Greg Stark via llvm-dev <
llvm-dev at lists.llvm.org> wrote:

> I have a project I want to do based on Libfuzzer. Is there a separate
> list for it or should I bring up any ideas for it here?
> What I have in mind is to fuzz Postgres. Trying to fuzz the SQL
> interpreter in general
> is not very productive because traditional fuzzers try to execute the
> entire program repeatedly and it has a fairly high startup and
> shutdown cost. Also the instrumentation-guided approach has

One challenge in leaving the daemon up while testing is knowing how well
isolated the test cases are from one another.  It may be the case that the
test cases somehow accumulate some global state (test case N triggers heap
corruption, N + 23 crashes as a result of that earlier corruption).  At
least that specific failure mode can probably be mitigated by using one or
more of the sanitizers though.

> limitations due to the way lexing and parsing works as well as the
> large amount of
> internal state causing non-deterministic internal behaviour (garbage
> collecting persistent data structures, etc).
> However there are a number of internal functions that would be very
> feasible to fuzz. Things like the datatype input/output functions (I'm
> particularly thinking of the datetime parser), regular expression
> library, etc.
> To do this effectively I think it would be best to invoke the fuzzer
> from inside Postgres. Essentially provide bindings for Libfuzzer so
> you can I can have Libfuzzer provide all the test cases to repeatedly
> call the internal functions on.
> Is there any example of doing something like this already? Am I taking
> a crazy approach?
I don't have enough experience to say if it's crazy or not.  But if
your LLVMFuzzerTestOneInput() queues some work for the server and pends on
a response -- that seems like a sane approach.

> There are other approaches possible. It would be nice if I could run
> afl or libfuzzer on a client program and have the client program tell
> afl or libfuzzer the pid of the server to watch and then request test
> cases to feed to the server. That seems like it would be a more
> flexible approach for a lot of use cases where the server requires
> setting up a complex environment.
Great idea, but it seems tricky to get the execution coverage feedback in
this case.

Let me know if you're interested in collaborating, it sounds interesting.
Though at first glance, I'd prefer the "not very productive" brute force
option and just toss more resources at it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20150830/e73892ed/attachment.html>

More information about the llvm-dev mailing list