<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 3, 2015 at 10:40 AM, Greg Stark <span dir="ltr"><<a href="mailto:stark@mit.edu" target="_blank" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=stark@mit.edu&cc=&bcc=&su=&body=','_blank');return false;">stark@mit.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">On Thu, Sep 3, 2015 at 6:25 PM, Kostya Serebryany <<a href="mailto:kcc@google.com" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=kcc@google.com&cc=&bcc=&su=&body=','_blank');return false;">kcc@google.com</a>> wrote:<br>
> Not sure I understood this correctly.<br>
> Example?<br>
<br>
</span>I've made a Postgres module which is dynamically loaded by Postgres as<br>
a shared library from which I can call the fuzzer on the SQL function<br>
of my choice. Postgres has enough meta information about the functions<br>
that I think the eventual interface might be pretty flexible and be<br>
able to specify which argument to fuzz and what other constant<br>
arguments to pass etc. So I would want to pass the function's id and<br>
these other arguments and so on through the fuzzer to the fuzz-one<br>
callback. As I said I think I can just use a global variable since<br>
there's no reason to the fuzzer needs to be reentrant.<br></blockquote><div><br></div><div>You can use a global, you can use C++: </div><div>Like here: </div><div><a href="https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/test/UserSuppliedFuzzerTest.cpp">https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/test/UserSuppliedFuzzerTest.cpp</a><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
However I have run into a problem I'm stumped on. I'm not sure if it's<br>
the dynamic linker or something in Postgres that's interfering with<br>
the coverage feedback but it's exiting after one call thinking the<br>
newcoverage isn't increasing over the previous coverage.<br></blockquote><div><br></div><div>Did you build the Postgres code with -fsanitize-coverage=... ? </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
The test that causing it to exit is at FuzzerLoop.cpp:250<br>
if (NewCoverage > OldCoverage || NumNewBits)<br>
return NewCoverage;<br>
<br>
250 if (NewCoverage > OldCoverage || NumNewBits)<br>
(gdb) p NewCoverage<br>
$3 = 14422<br>
(gdb) p OldCoverage<br>
$4 = 14422<br>
(gdb) p NumNewBits<br>
$5 = 0<br>
<br>
And after that it just returns.<br>
<br>
In fact the only call it makes to my test function is with Data=NULL<br>
Size=NULL which isn't a valid input to the function so I just return.<br>
I'm not clear why it's passing NULL for the data at all but even so<br>
that should still cause at least one bit of coverage.<br>
<br>
I do have a second longer term problem. I would really want to call<br>
the fuzzer for some limited number of iterations, say 1,000 or so,<br>
then do some other housekeeping (including checking for query<br>
cancellation). Then continue the fuzzing. However even if I specify<br>
-iterations or -runs AIUI it isn't possible to call the fuzzer a<br>
second time. It tests if it's already been called and if so aborts.<br>
Maybe there's some internal function I could call instead but I<br>
haven't read through all the source thoroughly yet.<br>
<span class=""><font color="#888888"><br>
<br>
<br>
--<br>
greg<br>
</font></span></blockquote></div><br></div></div>