[llvm-dev] Fuzzing complex programs

Greg Stark via llvm-dev llvm-dev at lists.llvm.org
Thu Sep 3 10:40:06 PDT 2015


On Thu, Sep 3, 2015 at 6:25 PM, Kostya Serebryany <kcc at google.com> wrote:
> Not sure I understood this correctly.
> Example?

I've made a Postgres module which is dynamically loaded by Postgres as
a shared library from which I can call the fuzzer on the SQL function
of my choice. Postgres has enough meta information about the functions
that I think the eventual interface might be pretty flexible and be
able to specify which argument to fuzz and what other constant
arguments to pass etc. So I would want to pass the function's id and
these other arguments and so on through the fuzzer to the fuzz-one
callback. As I said I think I can just use a global variable since
there's no reason the fuzzer needs to be reentrant.

However I have run into a problem I'm stumped on. I'm not sure if it's
the dynamic linker or something in Postgres that's interfering with
the coverage feedback but it's exiting after one call thinking the
NewCoverage isn't increasing over the previous coverage.

The test that's causing it to exit is at FuzzerLoop.cpp:250
  if (NewCoverage > OldCoverage || NumNewBits)
    return NewCoverage;

250  if (NewCoverage > OldCoverage || NumNewBits)
(gdb) p NewCoverage
$3 = 14422
(gdb) p OldCoverage
$4 = 14422
(gdb) p NumNewBits
$5 = 0

And after that it just returns.

In fact the only call it makes to my test function is with Data=NULL
Size=NULL which isn't a valid input to the function so I just return.
I'm not clear why it's passing NULL for the data at all but even so
that should still cause at least one bit of coverage.

I do have a second longer term problem. I would really want to call
the fuzzer for some limited number of iterations, say 1,000 or so,
then do some other housekeeping (including checking for query
cancellation). Then continue the fuzzing. However even if I specify
-iterations or -runs AIUI it isn't possible to call the fuzzer a
second time. It tests if it's already been called and if so aborts.
Maybe there's some internal function I could call instead but I
haven't read through all the source thoroughly yet.



-- 
greg
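The harness shape discussed in this message (target and constant arguments selected through a global, a fuzz-one callback that must cope with the empty input libFuzzer feeds first, and periodic housekeeping such as a query-cancellation check), written out as an added example. This is not Greg's Postgres module and not libFuzzer code: the two "SQL functions" are hypothetical stand-ins, the environment variable names FUZZ_TARGET, FUZZ_CONST_ARG and FUZZ_EVERY are this example's own choice (libFuzzer parses argv itself, so env vars avoid clashing with its flags), and housekeeping() only counts its invocations where a real module would check for cancellation. Instead of re-entering the fuzzer every 1,000 runs, the callback itself performs the housekeeping every N calls. Linked with `-fsanitize=fuzzer` it runs as a libFuzzer target; built with a plain C compiler, main() replays input files.

```c
// Added example: libFuzzer-style harness with a global fuzz configuration,
// safe handling of the empty first input, and in-callback housekeeping.
// Not the original poster's module; targets and env var names are assumptions.
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the SQL functions under test. Each takes the
 * fuzzed argument plus one constant argument chosen by the operator. */
typedef int (*target_fn)(const uint8_t *data, size_t size, int const_arg);

/* Counts occurrences of byte const_arg in data. */
static int target_count_byte(const uint8_t *data, size_t size, int const_arg)
{
    int n = 0;
    for (size_t i = 0; i < size; i++)
        if (data[i] == (uint8_t)const_arg)
            n++;
    return n;
}

/* Parses a decimal prefix of at most const_arg digits; -1 if none or overflow. */
static int target_parse_int(const uint8_t *data, size_t size, int const_arg)
{
    long long v = 0;
    size_t i;
    for (i = 0; i < size && (long long)i < const_arg && data[i] >= '0' && data[i] <= '9'; i++) {
        v = v * 10 + (data[i] - '0');
        if (v > INT_MAX) return -1;   /* reject rather than wrap */
    }
    return i == 0 ? -1 : (int)v;
}

static const target_fn targets[] = { target_count_byte, target_parse_int };
#define NUM_TARGETS (sizeof targets / sizeof targets[0])

/* Global configuration: libFuzzer invokes the callback sequentially within a
 * process, so nothing here needs to be reentrant. */
static struct {
    size_t target_id;           /* index into targets[] */
    int const_arg;              /* constant argument passed with the fuzz data */
    unsigned long every;        /* run housekeeping after this many calls */
    unsigned long calls;        /* callback invocations so far */
    unsigned long housekeeping; /* how many times housekeeping ran */
    int last_result;            /* return value of the most recent target call */
} cfg = { 0, 'a', 1000, 0, 0, 0 };

/* Returns 0 on success, -1 for an invalid target id or interval. */
int harness_configure(size_t target_id, int const_arg, unsigned long every)
{
    if (target_id >= NUM_TARGETS || every == 0) return -1;
    cfg.target_id = target_id;
    cfg.const_arg = const_arg;
    cfg.every = every;
    return 0;
}

int harness_last_result(void) { return cfg.last_result; }
unsigned long harness_calls(void) { return cfg.calls; }
unsigned long harness_housekeeping_runs(void) { return cfg.housekeeping; }

/* Stand-in for periodic work; a Postgres module would check for query
 * cancellation here (assumed). This version only counts. */
static void housekeeping(void) { cfg.housekeeping++; }

/* libFuzzer calls this once before fuzzing starts. Configuration is read from
 * environment variables (names are this example's own), leaving argv to libFuzzer. */
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
    (void)argc; (void)argv;
    const char *t = getenv("FUZZ_TARGET"), *c = getenv("FUZZ_CONST_ARG"), *e = getenv("FUZZ_EVERY");
    size_t target_id = t ? (size_t)strtoul(t, NULL, 10) : cfg.target_id;
    int const_arg = c ? atoi(c) : cfg.const_arg;
    unsigned long every = e ? strtoul(e, NULL, 10) : cfg.every;
    if (harness_configure(target_id, const_arg, every) != 0) {
        fprintf(stderr, "bad fuzz configuration\n");
        exit(1);
    }
    return 0;
}

/* The fuzz-one callback. libFuzzer's first call uses an empty input, so
 * Size == 0 is a legitimate case: hand the target a valid pointer and run it. */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
    static const uint8_t empty[1] = { 0 };
    const uint8_t *p = (Size == 0) ? empty : Data;
    cfg.calls++;
    cfg.last_result = targets[cfg.target_id](p, Size, cfg.const_arg);
    if (cfg.calls % cfg.every == 0)
        housekeeping();
    return 0;   /* libFuzzer expects 0 from the callback */
}

/* Stand-alone replay: run the callback once per file named on the command line. */
int main(int argc, char **argv)
{
    static uint8_t buf[1 << 16];
    LLVMFuzzerInitialize(&argc, &argv);
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); continue; }
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        LLVMFuzzerTestOneInput(buf, n);
        printf("%s: target %zu returned %d\n", argv[i], cfg.target_id, harness_last_result());
    }
    return 0;
}
```

Because the empty input is executed through the same target dispatch as every other input, the first call still exercises target code; returning before dispatch, as the message describes, is safe but gives the fuzzer nothing to observe from that call. Whether that is related to the coverage-comparison exit reported above is not something this example settles.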

