[llvm-dev] Fuzzing complex programs

Kostya Serebryany via llvm-dev llvm-dev at lists.llvm.org
Sun Aug 30 13:21:29 PDT 2015

On Sun, Aug 30, 2015 at 1:09 PM, Greg Stark <stark at mit.edu> wrote:

> On 30 Aug 2015 20:04, "Kostya Serebryany" <kcc at google.com> wrote:
> >
> >
> > In my (biased) opinion libFuzzer is particularly well suited for this
> task
> > (fuzzing individual libraries, as opposed to fuzzing the whole
> postgress).
> > I've played with a dozen of regular expression libs and found bugs in
> all of them
> > (e.g. search for "Fuzzer" in
> http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?view=markup&pathrev=360)
> >
> >
> >>>
> >>> To do this effectively I think it would be best to invoke the fuzzer
> >>> from inside Postgres.
> >
> >
> > Never tied this.
> > Can't you just link libFuzzer with a part of the code you want to test?
> The problem I'm specifically trying to tackle is that the code in question
> can use any of the internal postgres APIs and might have dependencies on
> anything in the environment.
> Even the simplest cases like the date/tone parser will depends on the
> timezone library which is initialised at startup, the server session state
> which specifies the current timezone and default date format, etc.
> The more interesting cases like arrays and other compound objects will
> depend on the internal caches of the database schema which is where it
> finds things like meta information about the data types stored within.
I see.
At least one of the users of Sanitizer Coverage did something similar with
their server,
but they implemented their own mutator/fuzzer (did not use libFuzzer).

With libFuzzer you can't do that today because it expects to receive the
coverage feedback from the same process.
With somewhat modification you probably can achieve this:
in Fuzzer::RunOneMaximizeTotalCoverage replace the calls to
with something that gets this value for the server process.

Similarly, for the 8-bit counters (-use_counters=1), in the server process
__sanitizer_update_counter_bitset_and_clear_counters and pass the result to
the client app.

If you can may the change general enough the patch would be more than
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20150830/9558ad7a/attachment.html>

More information about the llvm-dev mailing list