[llvm-dev] Fuzzing complex programs

Kostya Serebryany via llvm-dev llvm-dev at lists.llvm.org
Thu Sep 3 11:15:10 PDT 2015


On Thu, Sep 3, 2015 at 11:03 AM, Greg Stark <stark at mit.edu> wrote:

> On Thu, Sep 3, 2015 at 6:54 PM, Kostya Serebryany <kcc at google.com> wrote:
> > Looks correct.
>
> Ah! With a fresh pair of eyes it's obvious what was wrong. I had
> compiled everything with sanitize-coverage except the Fuzzer code
> itself but that included the file with the wrapper function which
> calls the target function. And with the NULL data argument it wasn't
> passing the wrapper function. So no coverage. I'm still puzzled
> about the NULL argument, but compiling that file with coverage checking
> has made it proceed.
>
> > Can you post the output of libFuzzer here?
> > Something like
>
> I haven't looked into why yet, this is probably something simple but
> for the sake of it this is what I'm getting now with the above fixed:
>
> /usr/local/pgsql/bin/psql -c 'select fuzz()'
> Flag: verbosity 9
> Flag: iterations 100
> Flag: runs 10
> Flag: save_minimized_corpus 1
> Seed: 3416380570
> SetTimer 601
> Tokens: {}
> PreferSmall: 1
> #0 READ   cov: 0 bits: 0 units: 1 exec/s: 0
> Called with Data=(nil) size=0
> #1 pulse  cov: 13790 bits: 21 units: 1 exec/s: 0
> NEW0: 13790 L 0
> #1 INITED cov: 13790 bits: 21 units: 1 exec/s: 0
> Written corpus of 1 files to /var/tmp/corpus
> Reload: read 1 new units.
> Called with Data=0x60600000e480 size=64
> #2 pulse  cov: 14202 bits: 252 units: 1 exec/s: 0
> #2 NEW    cov: 14202 bits: 252 units: 2 exec/s: 0 L: 64
>
Ok, so now you are at least getting the coverage feedback.


> Written to /var/tmp/corpus/67ffe57491b2903668530b6182e5aeb6113d3f28
> Called with Data=0x60600000e480 size=64
> #3 NEW    cov: 14278 bits: 257 units: 3 exec/s: 0 L: 64
> Written to /var/tmp/corpus/67ffe57491b2903668530b6182e5aeb6113d3f28
> Called with Data=0x60600000e480 size=64
> #4 pulse  cov: 14298 bits: 262 units: 3 exec/s: 0
> #4 NEW    cov: 14298 bits: 262 units: 4 exec/s: 0 L: 64
> Written to /var/tmp/corpus/1ae4df94333696e5bba164df9cf5e93df7a72e20
> Called with Data=0x60600000e480 size=64
> #5 NEW    cov: 14311 bits: 267 units: 5 exec/s: 0 L: 64
> Written to /var/tmp/corpus/c167e6439183f0df3ea25fcd30da80b27293e737
> Called with Data=0x60600000e480 size=64
> #6 NEW    cov: 14311 bits: 271 units: 6 exec/s: 0 L: 64
> Written to /var/tmp/corpus/21e9212a20031de685b5b20d5d7752b17780303a
> Reload: read 0 new units.
> Called with Data=0x60600000e480 size=64
> PANIC:  ERRORDATA_STACK_SIZE exceeded
> STATEMENT:  select fuzz()
> LOG:  server process (PID 8650) was terminated by signal 6: Aborted
> DETAIL:  Failed process was running: select fuzz()
> PANIC:  ERRORDATA_STACK_SIZE exceeded
> server closed the connection unexpectedly
> This probably means the server terminated abnormally
> before or while processing the request.
>
>
>
> --
> greg
>
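To make the two points in the thread concrete (the wrapper's translation unit must be built with the same sanitize-coverage flags as the target, and the entry point is first invoked with a NULL, zero-length unit, as the "Called with Data=(nil) size=0" line shows), here is an added example of a libFuzzer entry point; it is not code from the thread or from PostgreSQL, and `parse_record` is a hypothetical stand-in for the real target function.

```c
/* Added example: a libFuzzer entry point and a hypothetical target.
 * Build this file with the same -fsanitize-coverage flags as the target,
 * otherwise the edges reached through the wrapper are never counted. */
#include <stddef.h>
#include <stdint.h>

/* Hypothetical target: parse "key=value\n" records, return how many parsed.
 * Stops at the first malformed or unterminated line. */
static int parse_record(const uint8_t *data, size_t size) {
    int records = 0;
    size_t i = 0;
    while (i < size) {
        size_t eq = i;
        while (eq < size && data[eq] != '=' && data[eq] != '\n')
            eq++;
        if (eq == size || data[eq] == '\n')
            break;                      /* no '=' before end of line */
        size_t nl = eq;
        while (nl < size && data[nl] != '\n')
            nl++;
        if (nl == size)
            break;                      /* record not newline-terminated */
        records++;
        i = nl + 1;
    }
    return records;
}

/* libFuzzer's wrapper entry point. The initial run shown in the log above
 * arrives with Data == NULL and Size == 0, so the wrapper must not touch
 * Data unconditionally; after that the real units (size=64 above) flow in. */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if (Data == NULL || Size == 0)
        return 0;
    (void)parse_record(Data, Size);
    return 0;
}
```
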