[llvm-dev] Using Libfuzzer on a library - linking the library to the fuzz target

Shikhar Singh via llvm-dev llvm-dev at lists.llvm.org
Tue Nov 12 09:16:09 PST 2019


I am working on using libFuzzer and ASan to test out a third-party library.
As demonstrated in the tutorial, I wrote a fuzz target to fuzz a specific
function in the library. The fuzz target is then linked to the library and
compiles clean, and I do see some tests generated by the fuzzer. However, I
have some questions regarding the "right" way to go about doing this. I
have doubts that the fuzzer is taking coverage feedback from the
fuzz target and not the library functions (not sure though). Suppose the
function in the library being tested is called *apifunc()*. The libFuzzer
log has a line which says *apifunc() resp=0x7ff38f83ac20 uninitialized,
fixing it*. I am not sure what this means. Also, I can see that apifunc
is called and it runs, but it does not show up in the *NEW_FUNC[x/xxx]:* log
lines in the libFuzzer output.

To enable fuzzing, first I build the library with the following libFuzzer
flags:
*-fsanitize=fuzzer-no-link,address -fsanitize-coverage=edge,indirect-calls*
I also had to make a blacklist to avoid some buffer-overflow and use-after-free
errors during this build.

After this, I link the fuzz target with the library and use the following
libFuzzer options:
*-fsanitize=fuzzer,address*

I am looking for some guidance and feedback on whether this is the right way
to go about fuzzing the library, and on the meaning of the *uninitialized,
fixing it* line in the log.
-- 
Live long and Prosper,

Shikhar Singh
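The two-step build described in the mail, as an added example that is not part of the original post: a constructed stand-in library and fuzz target are compiled with the same flags, and `nm` is used to check whether the library object actually carries sanitizer-coverage and ASan hooks, which is what decides whether its functions can produce coverage feedback (and `NEW_FUNC` lines) at all. The names `apifunc`, `libapi.a` and `fuzz_apifunc` are hypothetical, and the script assumes `clang`, `ar` and `nm` are on the PATH.

```shell
#!/bin/sh
# Added example (not from the mail): build a constructed library and fuzz
# target with the two-step flag scheme, then inspect the instrumentation.
set -e
LIB_CFLAGS="-fsanitize=fuzzer-no-link,address -fsanitize-coverage=edge,indirect-calls -g -O1"
TARGET_FLAGS="-fsanitize=fuzzer,address -g -O1"

# Count sanitizer-coverage hooks referenced by an object or archive.
# 0 means the code inside cannot give libFuzzer any coverage feedback.
count_cov_refs() { nm "$1" 2>/dev/null | grep -c '__sanitizer_cov' || true; }
# Same check for AddressSanitizer instrumentation.
count_asan_refs() { nm "$1" 2>/dev/null | grep -c '__asan_' || true; }

build_and_check() {
  work=$(mktemp -d); cd "$work"
  cat > apifunc.c <<'EOF'
#include <string.h>
/* constructed stand-in for the third-party library's apifunc() */
int apifunc(const char *s, size_t n) { return n > 0 && s[0] == 'A'; }
EOF
  cat > fuzz_apifunc.c <<'EOF'
#include <stddef.h>
#include <stdint.h>
int apifunc(const char *s, size_t n);
/* hypothetical fuzz target: hands each input straight to apifunc() */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  apifunc((const char *)data, size);
  return 0;
}
EOF
  # Step 1: library compiled with fuzzer-no-link (instrumented, no main).
  clang $LIB_CFLAGS -c apifunc.c -o apifunc.o
  ar rcs libapi.a apifunc.o
  # Step 2: fuzz target linked against the library with the libFuzzer runtime.
  clang $TARGET_FLAGS fuzz_apifunc.c libapi.a -o fuzz_apifunc
  echo "libapi.a: cov refs=$(count_cov_refs libapi.a) asan refs=$(count_asan_refs libapi.a)"
  # A short run: NEW_FUNC lines appear only for instrumented functions.
  ./fuzz_apifunc -runs=1000 2>&1 | grep -E 'NEW_FUNC|cov:' | head
}

if command -v clang >/dev/null 2>&1; then
  build_and_check
else
  echo "clang not found; skipping build"
fi
```

If the library's count comes back 0, the library was built without the coverage flags and the fuzzer is being guided by the target alone.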