[llvm-dev] libfuzzer questions
Kostya Serebryany via llvm-dev
llvm-dev at lists.llvm.org
Mon Aug 10 18:08:15 PDT 2015
On Mon, Aug 10, 2015 at 5:53 PM, Brian Cain via llvm-dev <
llvm-dev at lists.llvm.org> wrote:
>
> First off, thanks -- this is a pretty great library and it feels like I'm
> learning a lot.
>
Thanks!
> I'm getting some more experience with libfuzzer and finding that I have a
> couple of questions:
>
>
> - How does libfuzzer decide to write a new test file? What distinguishes
> this one from all the other cases for which new test inputs were not
> written? Must be something about the path taken through the code?
>
Exactly.
It uses http://clang.llvm.org/docs/SanitizerCoverage.html to figure out if
any new edge in the control flow graph has been discovered with the given
input.
>
> - Can I use afl-cmin or is there something similar for libFuzzer?
>
I've never tried that. I'd expect you can.
libFuzzer and afl both use plain files to store the corpus.
I find that sometimes I get an enormous amount of tests and it becomes
> unmanageable.
>
libFuzzer has an option to minimize the corpus.
It's not perfect, but very simple.
-------------
save_minimized_corpus 0 If 1, the minimized corpus is saved
into the first input directory
-------------
>
> - sometimes my process being tested appears to deadlock. A common feature
> seems to be that AlarmCallback is allocating memory and as a consequence
> the ASan code is pending on a lock. I'll speculate that this is because
> the alarm expired while the lock was already held. Is this expected? I
> can share specific call stacks if it helps. I can just extend the timeout
> but I think it's probably appropriate.
>
Yes, please give more details.
>
> - AFL has a curses based display where a bunch of different stats are
> shown. I'll be honest, I don't know how to read those yet. ;) But I'd
> like to find some way to determine whether I'm seeing diminishing returns
> with libfuzzer. Is there a good strategy?
>
libFuzzer just dumps stats to stderr.
As long as you periodically see lines like
#325 NEW cov 11985 bits 14108 units 113 exec/s 325 ...
you are good.
Once you stop getting those, you may start playing with the flags.
(e.g. increase the max_len).
Unlike AFL which knows it all, libFuzzer still relies on a bit of user
help. :)
> - Can anyone share tips for how libFuzzer has been used with some success
> -- anything beyond what's already available in
> http://llvm.org/docs/LibFuzzer.html ?
>
We've found a few bugs in internal code.
Also, some bugs in GLIBC and MUSL LIBCs.
https://sourceware.org/glibc/wiki/FuzzingLibc
http://git.musl-libc.org/cgit/musl/commit/?id=39dfd58417ef642307d90306e1c7e50aaec5a35c
http://www.openwall.com/lists/oss-security/2015/03/30/3
mclow@ yesterday reported a but in libc++ regex.
I guess I need to start tracking the list of trophies at
http://llvm.org/docs/LibFuzzer.html
Your additions are welcome!
--kcc
>
>
> --
> -Brian
>
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org http://llvm.cs.uiuc.edu
> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20150810/a1a5aceb/attachment.html>
More information about the llvm-dev
mailing list