[llvm-dev] Fuzzing complex programs
Kostya Serebryany via llvm-dev
llvm-dev at lists.llvm.org
Sun Aug 30 13:21:29 PDT 2015
On Sun, Aug 30, 2015 at 1:09 PM, Greg Stark <stark at mit.edu> wrote:
>
> On 30 Aug 2015 20:04, "Kostya Serebryany" <kcc at google.com> wrote:
> >
> >
> > In my (biased) opinion libFuzzer is particularly well suited for this
> task
> > (fuzzing individual libraries, as opposed to fuzzing the whole
> postgress).
> > I've played with a dozen of regular expression libs and found bugs in
> all of them
> > (e.g. search for "Fuzzer" in
> http://vcs.pcre.org/pcre2/code/trunk/ChangeLog?view=markup&pathrev=360)
> >
> >
> >>>
> >>> To do this effectively I think it would be best to invoke the fuzzer
> >>> from inside Postgres.
> >
> >
> > Never tied this.
> > Can't you just link libFuzzer with a part of the code you want to test?
>
> The problem I'm specifically trying to tackle is that the code in question
> can use any of the internal postgres APIs and might have dependencies on
> anything in the environment.
>
> Even the simplest cases like the date/tone parser will depends on the
> timezone library which is initialised at startup, the server session state
> which specifies the current timezone and default date format, etc.
>
> The more interesting cases like arrays and other compound objects will
> depend on the internal caches of the database schema which is where it
> finds things like meta information about the data types stored within.
>
I see.
At least one of the users of Sanitizer Coverage did something similar with
their server,
but they implemented their own mutator/fuzzer (did not use libFuzzer).
With libFuzzer you can't do that today because it expects to receive the
coverage feedback from the same process.
With somewhat modification you probably can achieve this:
in Fuzzer::RunOneMaximizeTotalCoverage replace the calls to
__sanitizer_get_total_unique_coverage
with something that gets this value for the server process.
https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/FuzzerLoop.cpp#L231
Similarly, for the 8-bit counters (-use_counters=1), in the server process
call
__sanitizer_update_counter_bitset_and_clear_counters and pass the result to
the client app.
If you can may the change general enough the patch would be more than
welcome.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20150830/9558ad7a/attachment.html>
More information about the llvm-dev
mailing list