<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 10, 2015 at 5:53 PM, Brian Cain via llvm-dev <span dir="ltr"><<a href="mailto:llvm-dev@lists.llvm.org" target="_blank" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=llvm-dev@lists.llvm.org&cc=&bcc=&su=&body=','_blank');return false;">llvm-dev@lists.llvm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div>First off, thanks -- this is a pretty great library and it feels like I'm learning a lot. </div></blockquote><div><br></div><div>Thanks! </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm getting some more experience with libfuzzer and finding that I have a couple of questions:</div></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>- How does libfuzzer decide to write a new test file? What distinguishes this one from all the other cases for which new test inputs were not written? Must be something about the path taken through the code?</div></div></blockquote><div><br></div><div>Exactly. </div><div>It uses <a href="http://clang.llvm.org/docs/SanitizerCoverage.html">http://clang.llvm.org/docs/SanitizerCoverage.html</a> to figure out if any new edge in the control flow graph has been discovered with the given input. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>- Can I use afl-cmin or is there something similar for libFuzzer? </div></div></blockquote><div><br></div><div>I've never tried that. I'd expect you can. </div><div>libFuzzer and afl both use plain files to store the corpus. </div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I find that sometimes I get an enormous amount of tests and it becomes unmanageable.</div></div></blockquote><div><br></div><div>libFuzzer has an option to minimize the corpus. </div><div>It's not perfect, but very simple. </div><div>-------------</div><div><div> save_minimized_corpus <span class="Apple-tab-span" style="white-space:pre"> </span>0<span class="Apple-tab-span" style="white-space:pre"> </span>If 1, the minimized corpus is saved into the first input directory</div></div><div>-------------<br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div> </div><div>- sometimes my process being tested appears to deadlock. A common feature seems to be that AlarmCallback is allocating memory and as a consequence the ASan code is pending on a lock. I'll speculate that this is because the alarm expired while the lock was already held. Is this expected? I can share specific call stacks if it helps. I can just extend the timeout but I think it's probably appropriate.</div></div></blockquote><div><br></div><div>Yes, please give more details. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>- AFL has a curses based display where a bunch of different stats are shown. I'll be honest, I don't know how to read those yet. ;) But I'd like to find some way to determine whether I'm seeing diminishing returns with libfuzzer. Is there a good strategy?</div></div></blockquote><div><br></div><div>libFuzzer just dumps stats to stderr. </div><div>As long as you periodically see lines like </div><div>#325<span class="Apple-tab-span" style="white-space:pre"> </span>NEW cov 11985 bits 14108 units 113 exec/s 325 ...<br></div><div>you are good. </div><div><br></div><div>Once you stop getting those, you may start playing with the flags. </div><div>(e.g. increase the max_len).</div><div>Unlike AFL which knows it all, libFuzzer still relies on a bit of user help. :) </div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>- Can anyone share tips for how libFuzzer has been used with some success -- anything beyond what's already available in <a href="http://llvm.org/docs/LibFuzzer.html" target="_blank">http://llvm.org/docs/LibFuzzer.html</a> ?</div></div></blockquote><div><br></div><div>We've found a few bugs in internal code. </div><div>Also, some bugs in GLIBC and MUSL LIBCs.</div><div><a href="https://sourceware.org/glibc/wiki/FuzzingLibc">https://sourceware.org/glibc/wiki/FuzzingLibc</a><br></div><a href="http://git.musl-libc.org/cgit/musl/commit/?id=39dfd58417ef642307d90306e1c7e50aaec5a35c">http://git.musl-libc.org/cgit/musl/commit/?id=39dfd58417ef642307d90306e1c7e50aaec5a35c</a></div><div class="gmail_quote"><a href="http://www.openwall.com/lists/oss-security/2015/03/30/3">http://www.openwall.com/lists/oss-security/2015/03/30/3</a></div><div class="gmail_quote"><br><div>mclow@ yesterday reported a but in libc++ regex.</div><div><br></div><div>I guess I need to start tracking the list of trophies at <a href="http://llvm.org/docs/LibFuzzer.html" target="_blank">http://llvm.org/docs/LibFuzzer.html</a></div><div>Your additions are welcome! </div><div><br></div><div>--kcc </div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><span class="HOEnZb"><font color="#888888"><br clear="all"><div><br></div>-- <br><div>-Brian</div>
</font></span></div></div>
<br>_______________________________________________<br>
LLVM Developers mailing list<br>
<a href="mailto:llvm-dev@lists.llvm.org" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=llvm-dev@lists.llvm.org&cc=&bcc=&su=&body=','_blank');return false;">llvm-dev@lists.llvm.org</a> <a href="http://llvm.cs.uiuc.edu" rel="noreferrer" target="_blank">http://llvm.cs.uiuc.edu</a><br>
<a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" rel="noreferrer" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev</a><br>
<br></blockquote></div><br></div></div>