[llvm-dev] Fuzzing complex programs
Greg Stark via llvm-dev
llvm-dev at lists.llvm.org
Thu Sep 3 11:03:56 PDT 2015
On Thu, Sep 3, 2015 at 6:54 PM, Kostya Serebryany <kcc at google.com> wrote:
> Looks correct.
Ah! With a fresh pair of eyes it's obvious what was wrong. I had
compiled everything with sanitize-coverage except the Fuzzer code
itself, but that included the file with the wrapper function which
calls the target function. And with the NULL data argument it wasn't
passing the wrapper function. So no coverage. I'm still puzzled
about the NULL argument, but compiling that file with coverage checking
has made it proceed.
> Can you post the output of libFuzzer here?
> Something like
I haven't looked into why yet; this is probably something simple, but
for the sake of it, this is what I'm getting now with the above fixed:
/usr/local/pgsql/bin/psql -c 'select fuzz()'
Flag: verbosity 9
Flag: iterations 100
Flag: runs 10
Flag: save_minimized_corpus 1
Seed: 3416380570
SetTimer 601
Tokens: {}
PreferSmall: 1
#0 READ cov: 0 bits: 0 units: 1 exec/s: 0
Called with Data=(nil) size=0
#1 pulse cov: 13790 bits: 21 units: 1 exec/s: 0
NEW0: 13790 L 0
#1 INITED cov: 13790 bits: 21 units: 1 exec/s: 0
Written corpus of 1 files to /var/tmp/corpus
Reload: read 1 new units.
Called with Data=0x60600000e480 size=64
#2 pulse cov: 14202 bits: 252 units: 1 exec/s: 0
#2 NEW cov: 14202 bits: 252 units: 2 exec/s: 0 L: 64
Written to /var/tmp/corpus/67ffe57491b2903668530b6182e5aeb6113d3f28
Called with Data=0x60600000e480 size=64
#3 NEW cov: 14278 bits: 257 units: 3 exec/s: 0 L: 64
Written to /var/tmp/corpus/67ffe57491b2903668530b6182e5aeb6113d3f28
Called with Data=0x60600000e480 size=64
#4 pulse cov: 14298 bits: 262 units: 3 exec/s: 0
#4 NEW cov: 14298 bits: 262 units: 4 exec/s: 0 L: 64
Written to /var/tmp/corpus/1ae4df94333696e5bba164df9cf5e93df7a72e20
Called with Data=0x60600000e480 size=64
#5 NEW cov: 14311 bits: 267 units: 5 exec/s: 0 L: 64
Written to /var/tmp/corpus/c167e6439183f0df3ea25fcd30da80b27293e737
Called with Data=0x60600000e480 size=64
#6 NEW cov: 14311 bits: 271 units: 6 exec/s: 0 L: 64
Written to /var/tmp/corpus/21e9212a20031de685b5b20d5d7752b17780303a
Reload: read 0 new units.
Called with Data=0x60600000e480 size=64
PANIC: ERRORDATA_STACK_SIZE exceeded
STATEMENT: select fuzz()
LOG: server process (PID 8650) was terminated by signal 6: Aborted
DETAIL: Failed process was running: select fuzz()
PANIC: ERRORDATA_STACK_SIZE exceeded
server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
--
greg
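The build mistake described in the message (the translation unit holding the wrapper that calls the target was left out of the coverage-instrumented set, so libFuzzer saw no edges) is easy to reproduce with a minimal harness. The following is an added example, not code from the original post or from PostgreSQL or libFuzzer: a toy length-prefixed record parser as the target, and the LLVMFuzzerTestOneInput wrapper that calls it. The file names in the build comment (target.c, harness.c, libFuzzer.a) are hypothetical, and the flags assumed are the clang 3.7-era -fsanitize-coverage=edge with libFuzzer linked as a static archive. The wrapper also tolerates the Data=(nil) size=0 call that appears first in the log above.

```c
/* Added example (not from the original post).  A minimal libFuzzer-style
 * harness showing where the coverage instrumentation boundary has to be:
 * both the target and the wrapper that calls it must be compiled with
 * -fsanitize-coverage, or libFuzzer reports cov: 0 and never finds new
 * units.  Hypothetical build, with assumed file names:
 *
 *   clang -g -O1 -fsanitize=address -fsanitize-coverage=edge \
 *         -c target.c harness.c
 *   clang -fsanitize=address target.o harness.o libFuzzer.a -o fuzz
 *   ./fuzz /var/tmp/corpus
 *
 * The target below is a toy parser written for this example; it is not
 * PostgreSQL code and not the function the original poster was fuzzing.
 */
#include <stddef.h>
#include <stdint.h>

#define MAX_FIELDS 8

/* Record format (constructed for this example):
 *   byte 0       : field count n (0..MAX_FIELDS)
 *   then n times : one length byte followed by that many payload bytes
 * Returns n and fills field_lens[0..n-1], or -1 on malformed input.
 * Every offset is checked against size before it is used, so the parser
 * reads only inside [data, data+size). */
int parse_record(const uint8_t *data, size_t size, size_t *field_lens)
{
    if (data == NULL || size == 0)
        return -1;
    size_t n = data[0];
    if (n > MAX_FIELDS)
        return -1;
    size_t off = 1;
    for (size_t i = 0; i < n; i++) {
        if (off >= size)
            return -1;                 /* length byte missing */
        size_t len = data[off++];
        if (len > size - off)
            return -1;                 /* field would run past the buffer */
        field_lens[i] = len;
        off += len;
    }
    if (off != size)
        return -1;                     /* trailing bytes are not part of a record */
    return (int)n;
}

/* libFuzzer entry point.  This function is the "wrapper" in the sense of
 * the message above: it must live in an instrumented translation unit.
 * The first call of a run can arrive as (NULL, 0) (compare
 * "Called with Data=(nil) size=0" in the log), so Data is never
 * dereferenced unconditionally.  libFuzzer expects a return value of 0. */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
    if (Data == NULL || Size == 0)
        return 0;
    size_t lens[MAX_FIELDS];
    (void)parse_record(Data, Size, lens);
    return 0;
}
```

If the parser's object file is instrumented but harness.c is compiled without -fsanitize-coverage, the cov: column in libFuzzer's output stays at 0 for exactly the reason the message gives; recompiling the wrapper's file with the same flags is the fix.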