[llvm-dev] Fuzzing complex programs

Kostya Serebryany via llvm-dev llvm-dev at lists.llvm.org
Thu Sep 3 10:45:11 PDT 2015


On Thu, Sep 3, 2015 at 10:40 AM, Greg Stark <stark at mit.edu> wrote:

> On Thu, Sep 3, 2015 at 6:25 PM, Kostya Serebryany <kcc at google.com> wrote:
> > Not sure I understood this correctly.
> > Example?
>
> I've made a Postgres module which is dynamically loaded by Postgres as
> a shared library from which I can call the fuzzer on the SQL function
> of my choice. Postgres has enough meta information about the functions
> that I think the eventual interface might be pretty flexible and be
> able to specify which argument to fuzz and what other constant
> arguments to pass etc. So I would want to pass the function's id and
> these other arguments and so on through the fuzzer to the fuzz-one
> callback. As I said I think I can just use a global variable since
> there's no reason the fuzzer needs to be reentrant.
>

You can use a global, or you can use C++, like here:
https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/test/UserSuppliedFuzzerTest.cpp


>
> However I have run into a problem I'm stumped on. I'm not sure if it's
> the dynamic linker or something in Postgres that's interfering with
> the coverage feedback but it's exiting after one call thinking the
> new coverage isn't increasing over the previous coverage.
>

Did you build the Postgres code with -fsanitize-coverage=... ?

>
> The test that's causing it to exit is at FuzzerLoop.cpp:250
>   if (NewCoverage > OldCoverage || NumNewBits)
>     return NewCoverage;
>
> 250  if (NewCoverage > OldCoverage || NumNewBits)
> (gdb) p NewCoverage
> $3 = 14422
> (gdb) p OldCoverage
> $4 = 14422
> (gdb) p NumNewBits
> $5 = 0
>
> And after that it just returns.
>
> In fact the only call it makes to my test function is with Data=NULL
> Size=NULL which isn't a valid input to the function so I just return.
> I'm not clear why it's passing NULL for the data at all but even so
> that should still cause at least one bit of coverage.
>
> I do have a second longer term problem. I would really want to call
> the fuzzer for some limited number of iterations, say 1,000 or so,
> then do some other housekeeping (including checking for query
> cancellation). Then continue the fuzzing. However even if I specify
> -iterations or -runs AIUI it isn't possible to call the fuzzer a
> second time. It tests if it's already been called and if so aborts.
> Maybe there's some internal function I could call instead but I
> haven't read through all the source thoroughly yet.
>
>
>
> --
> greg
>
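As an added illustration of the global-context approach Greg describes and Kostya endorses (this is example code written for this page, not from the thread, from Postgres, or from libFuzzer's own sources), the harness below keeps the selected target function, its constant argument and its size limit in one global that is set once before fuzzing starts, so `LLVMFuzzerTestOneInput` never has to be reentrant. The two toy functions, the `kTargets` catalog, `FuzzTarget`, `SelectFuzzTarget` and the accessor functions are hypothetical stand-ins for Postgres's real function lookup; `LLVMFuzzerTestOneInput` is libFuzzer's real entry point. It also handles the empty probe Greg saw (`Data=NULL`, `Size=0`), which libFuzzer sends before it mutates anything, by rejecting it cheaply instead of treating it as a bug.

```cpp
// Added example: a libFuzzer harness that chooses the function under test
// through a global set before fuzzing starts, so LLVMFuzzerTestOneInput
// itself never has to be reentrant. Not code from the thread or from
// libFuzzer; the catalog entries and FuzzTarget struct are hypothetical
// stand-ins for Postgres's real function lookup.
#include <cstddef>
#include <cstdint>
#include <cstring>

// A fuzzable function: the fuzzed buffer plus one constant argument.
typedef long (*TargetFn)(const uint8_t *data, size_t size, long fixed_arg);

// Two toy "SQL functions" (hypothetical): enough to show dispatch, nothing more.
static long fn_byte_sum(const uint8_t *data, size_t size, long fixed_arg) {
  long sum = fixed_arg;
  for (size_t i = 0; i < size; i++) sum += data[i];
  return sum;
}
static long fn_find_sep(const uint8_t *data, size_t size, long fixed_arg) {
  for (size_t i = 0; i < size; i++)
    if (data[i] == (uint8_t)fixed_arg) return (long)i;
  return -1;
}

// Hypothetical catalog, standing in for a lookup by Postgres function OID.
struct TargetEntry { const char *name; TargetFn fn; size_t max_size; };
static const TargetEntry kTargets[] = {
    {"byte_sum", fn_byte_sum, 1024},
    {"find_sep", fn_find_sep, 64},
};

// The global the thread discusses: written once, read by every callback.
struct FuzzTarget {
  TargetFn fn;          // selected function, nullptr until chosen
  long fixed_arg;       // constant argument passed next to the fuzzed one
  size_t max_size;      // longest input the function is defined for
  unsigned long calls;  // how many inputs actually reached the function
  long last_result;     // return value of the most recent call
};
static FuzzTarget g_target = {nullptr, 0, 0, 0, 0};

// Pick the target by name. Returns false (and leaves the previous target in
// place) if the name is not in the catalog.
bool SelectFuzzTarget(const char *name, long fixed_arg) {
  for (const TargetEntry &e : kTargets) {
    if (std::strcmp(e.name, name) == 0) {
      g_target = FuzzTarget{e.fn, fixed_arg, e.max_size, 0, 0};
      return true;
    }
  }
  return false;
}

unsigned long FuzzTargetCalls() { return g_target.calls; }
long FuzzTargetLastResult() { return g_target.last_result; }

// libFuzzer's real entry point. libFuzzer probes it with an empty input
// before mutating anything, so NULL/0 must be accepted and simply rejected.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (g_target.fn == nullptr) return 0;        // nothing selected yet
  if (Data == nullptr || Size == 0) return 0;  // libFuzzer's empty probe
  if (Size > g_target.max_size) return 0;      // outside the function's domain
  g_target.calls++;
  g_target.last_result = g_target.fn(Data, Size, g_target.fixed_arg);
  return 0;  // libFuzzer ignores the value; 0 is the documented convention
}
```

Call `SelectFuzzTarget` once before handing control to the fuzzer (from your own `main` when you link libFuzzer yourself, as in the linked UserSuppliedFuzzerTest, or from the `LLVMFuzzerInitialize` hook current libFuzzer provides), then link as usual (with current clang, `-fsanitize=fuzzer`). Selecting the target through a global costs nothing per iteration, but it does nothing for coverage feedback on its own: the code behind the selected function, not just this harness, still has to be compiled with `-fsanitize-coverage=...`, which is the first thing to check when the loop stops after one run with `NewCoverage == OldCoverage` as in Greg's gdb session above.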