[llvm-dev] Fuzzing complex programs

Greg Stark via llvm-dev llvm-dev at lists.llvm.org
Thu Sep 3 04:26:49 PDT 2015


On Sun, Aug 30, 2015 at 3:30 PM, Greg Stark <stark at mit.edu> wrote:
> To do this effectively I think it would be best to invoke the fuzzer
> from inside Postgres. Essentially provide bindings for Libfuzzer so
> I can have Libfuzzer provide all the test cases to repeatedly
> call the internal functions on.
>
> Is there any example of doing something like this already? Am I taking
> a crazy approach?


So on further inspection it seems the API I want, at least for the
in-process plan is mostly there in LLVMFuzzerNoMain. It would be nice
if I could call the driver with a function pointer and void* and it
would call my callback passing that closure along with the fuzzed
input. But I can probably work around that with a global variable.

I'm actually kind of frustrated by a more basic problem. The build
system. It seems LibFuzzer is meant to be compiled as part of LLVM but
it didn't get compiled when I built LLVM because I didn't build it
with sanitize-coverage enabled. Now I can't get it to build because I
get errors like:

$ for i in *.cpp ; do clang -c -std=c++11 $i ; done
$ clang -std=c++11 *.o
FuzzerDriver.o: In function `fuzzer::ReadTokensFile(char const*)':
FuzzerDriver.cpp:(.text+0x56): undefined reference to
`std::allocator<char>::allocator()'
FuzzerDriver.cpp:(.text+0x6d): undefined reference to
`std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> >::basic_string(char const*, std::allocator<char>
const&)'
FuzzerDriver.cpp:(.text+0x8d): undefined reference to
`std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> >::~basic_string()'
FuzzerDriver.cpp:(.text+0x96): undefined reference to
`std::allocator<char>::~allocator()'
FuzzerDriver.cpp:(.text+0xab): undefined reference to
`std::__cxx11::basic_istringstream<char, std::char_traits<char>,
std::allocator<char>
>::basic_istringstream(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&,
std::_Ios_Openmode)'
FuzzerDriver.cpp:(.text+0x14c): undefined reference to
`std::allocator<char>::allocator()'
FuzzerDriver.cpp:(.text+0x166): undefined reference to
`std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> >::basic_string(char const*, std::allocator<char>
const&)'
FuzzerDriver.cpp:(.text+0x18f): undefined reference to
`std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char> >::~basic_string()'

And I get similar errors if I try to build it using the LLVM CMake
generated makefiles (after running "cmake
-DLLVM_USE_SANITIZE_COVERAGE=1" in the LibFuzzer directory); in fact, I
get errors saying that I need -std=c++11. Do I need to recompile *all* of
llvm as if I was going to fuzz LLVM just to get libfuzzer built?

-- 
greg
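The in-process harness described in the message above, written out as an added example (it is not code from the post, from Postgres or from LLVM): a generic callback and a void* closure are kept in globals, the libFuzzer entry point LLVMFuzzerTestOneInput forwards each fuzzed input to them, and LLVMFuzzerInitialize wires the closure up once before fuzzing starts. The function under test, parse_records, is a hypothetical bounds-checked record parser standing in for a Postgres internal. The build line in the comment assumes the modern -fsanitize=fuzzer flag, which did not exist when this was posted; built without -DLIBFUZZER the same file becomes a plain corpus-replay tool, which is handy for reproducing a crash under a debugger.

```c
/* Build as a fuzzer:   clang -g -O1 -fsanitize=fuzzer,address -DLIBFUZZER harness.c
 * Build as a replayer: clang -g harness.c   (then: ./a.out corpus/crash-* ) */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an internal function of the program under test.
 * Input is a sequence of records <tag:1 byte><len:1 byte><payload:len bytes>.
 * Returns the record count on a clean parse, or -1 if the input ends mid-record. */
static int parse_records(const uint8_t *data, size_t size)
{
    size_t pos = 0, count = 0;
    while (pos < size) {
        if (size - pos < 2)
            return -1;                 /* header truncated */
        size_t len = data[pos + 1];
        if (len > size - pos - 2)
            return -1;                 /* payload would run past the buffer */
        pos += 2 + len;
        count++;
    }
    return (int)count;
}

/* Per-run bookkeeping that the harness wants passed to its callback. */
struct parse_stats {
    size_t calls;      /* inputs fed to the target */
    size_t records;    /* records parsed across all inputs */
    size_t rejected;   /* inputs rejected as malformed */
};

/* The closure mechanism libFuzzer does not offer: a callback plus a void*.
 * Both live in globals because LLVMFuzzerTestOneInput only receives the data. */
typedef int (*fuzz_callback)(void *closure, const uint8_t *data, size_t size);
static fuzz_callback g_callback;
static void *g_closure;
static struct parse_stats g_stats;

static void fuzz_set_target(fuzz_callback cb, void *closure)
{
    g_callback = cb;
    g_closure = closure;
}

/* The callback that actually exercises the internal function. */
static int parse_records_target(void *closure, const uint8_t *data, size_t size)
{
    struct parse_stats *st = closure;
    st->calls++;
    int n = parse_records(data, size);
    if (n < 0)
        st->rejected++;
    else
        st->records += (size_t)n;
    return 0;   /* libFuzzer expects 0 from the target */
}

/* libFuzzer calls this once, with the command line, before any input. */
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
    (void)argc; (void)argv;
    fuzz_set_target(parse_records_target, &g_stats);
    return 0;
}

/* The entry point libFuzzer calls for every generated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (g_callback == NULL)
        return 0;   /* nothing wired up; treat the input as uninteresting */
    return g_callback(g_closure, data, size);
}

#ifndef LIBFUZZER
/* Without libFuzzer linked in, replay the files named on the command line. */
int main(int argc, char **argv)
{
    LLVMFuzzerInitialize(&argc, &argv);
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (f == NULL) { perror(argv[i]); continue; }
        fseek(f, 0, SEEK_END);
        long n = ftell(f);
        rewind(f);
        uint8_t *buf = malloc(n > 0 ? (size_t)n : 1);
        size_t got = fread(buf, 1, n > 0 ? (size_t)n : 0, f);
        fclose(f);
        LLVMFuzzerTestOneInput(buf, got);
        free(buf);
    }
    printf("calls=%zu records=%zu rejected=%zu\n",
           g_stats.calls, g_stats.records, g_stats.rejected);
    return 0;
}
#endif
```

Keeping the closure in a global is safe here because libFuzzer drives the target from a single thread; if the real harness ever runs inputs concurrently, the per-run state has to move into the callback or be protected.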

