[llvm-dev] Using Libfuzzer on a library - linking the library to the fuzz target

Mitch Phillips via llvm-dev llvm-dev at lists.llvm.org
Tue Nov 12 09:38:33 PST 2019

Hi Shikhar,

You don't need to build the library with `-fsanitize-coverage=...`, using
`-fsanitize=fuzzer-no-link,address` should be sufficient. Without being
able to inspect, it seems like you're building the library/fuzz target in a
sane manner (although you can actually build object files/shared libraries
with -fsanitize=fuzzer, and the libFuzzer main won't be linked, if this
makes your build process easier).

I've run a quick grep and can't find anything that would match "apifunc()
resp=0x7ff38f83ac20 uninitialized, fixing it." in libFuzzer (or
compiler-rt). What version of compiler-rt/llvm/clang are you trying this

Have you tried visualising the coverage
that the fuzz target is generating? It may give you an insight as to why
your desired function under test isn't being hit.

- Mitch

On Tue, Nov 12, 2019 at 9:16 AM Shikhar Singh via llvm-dev <
llvm-dev at lists.llvm.org> wrote:

> I am working on using libfuzzer and asan to test out a third-party library.
> As demonstrated in the tutorial, I wrote a fuzz target to fuzz a specific
> function in the library. The fuzz target is then linked to the library and
> compiles clean and I do see some tests generated by the fuzzer. However, I
> have some questions regarding the "right" way to go about doing this. I
> have doubts that the fuzzer is taking coverage feedback from the
> fuzztarget and not the library functions (not sure though). Suppose the
> function in the library being tested is called - *apifunc()*. The
> libfuzzer log has a line which says - *apifunc() resp=0x7ff38f83ac20
> uninitialized, fixing it*. I am not sure what this means. Also, I can see
> that the apifunc is called and it runs but it does not show up in the
> *NEW_FUNC[x/xxx]: *log lines in the libfuzzer output.
> To enable fuzzing, first I build the library with the following libfuzzer
> flags.
> *-fsanitize=fuzzer-no-link,address -fsanitize-coverage=edge,indirect-calls*
> I also had to make a blacklist to avoid some buffer overflow and use-after-free
> errors during this build.
> After this, I link the fuzz target with the library and use the following
> libfuzzer options.
> *-fsanitize=fuzzer,address*
> I am looking for some guidance and feedback if this is the right way to go
> about fuzzing the library and the meaning of *uninitialized fixing it *line
> in the log.
> --
> Live long and Prosper,
> Shikhar Singh
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
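As an added example, not taken from the thread, here is a build script following Mitch's advice: the library objects get `-fsanitize=fuzzer-no-link,address` with no separate `-fsanitize-coverage=...`, the fuzz target gets `-fsanitize=fuzzer,address`, and clang's source-based coverage is added so `llvm-cov` can show whether the function under test is actually reached. It assumes library sources under `lib/`, a `fuzz_target.c`, a `corpus/` directory, and `clang`, `llvm-profdata`, `llvm-cov` on PATH (all hypothetical names).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# Assumed layout: lib/*.c is the library, fuzz_target.c defines
# LLVMFuzzerTestOneInput, corpus/ holds seed inputs.
set -e

CC=${CC:-clang}

# Library objects: -fsanitize=fuzzer-no-link already enables the coverage
# instrumentation libFuzzer needs, so no -fsanitize-coverage=... is added.
# -fprofile-instr-generate/-fcoverage-mapping give source-based coverage
# for llvm-cov (independent of libFuzzer's own feedback).
lib_flags() {
    printf '%s' "-g -O1 -fsanitize=fuzzer-no-link,address -fprofile-instr-generate -fcoverage-mapping"
}

# Fuzz target: plain -fsanitize=fuzzer links libFuzzer's main().
target_flags() {
    printf '%s' "-g -O1 -fsanitize=fuzzer,address -fprofile-instr-generate -fcoverage-mapping"
}

build() {
    for src in lib/*.c; do
        # shellcheck disable=SC2046  # flags are intentionally word-split
        "$CC" $(lib_flags) -c "$src" -o "${src%.c}.o"
    done
    ar rcs libapi.a lib/*.o
    "$CC" $(target_flags) fuzz_target.c libapi.a -o fuzz_target
}

# Run a bounded session, then report per-file coverage of the library.
# A fixed -runs count makes the process exit normally; a crash exit does
# not flush the .profraw, so the report would be empty in that case.
coverage_report() {
    LLVM_PROFILE_FILE=fuzz.profraw ./fuzz_target -runs=10000 corpus/
    llvm-profdata merge -sparse fuzz.profraw -o fuzz.profdata
    llvm-cov report ./fuzz_target -instr-profile=fuzz.profdata lib/*.c
}

main() {
    build
    coverage_report
}

# Only run when executed directly, not when sourced for its functions.
[ "${0##*/}" = "build_fuzz.sh" ] && main
```

If a function shows 0% in the `llvm-cov report` output while the target compiles and runs, the fuzz target is not driving that code path, independent of what the `NEW_FUNC` lines say.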