[llvm-dev] Using Libfuzzer on a library - linking the library to the fuzz target
Shikhar Singh via llvm-dev
llvm-dev at lists.llvm.org
Tue Nov 12 10:02:06 PST 2019
Thank you for the response.

1. You don't need to build the library with `-fsanitize-coverage=...`,
using `-fsanitize=fuzzer-no-link,address` should be sufficient. -

2. (although you can actually build object files/shared libraries with
-fsanitize=fuzzer, and the libFuzzer main won't be linked, if this makes
your build process easier). - with just the *fuzzer* flag, it looks for

3. I've run a quick grep and can't find anything that would match
"apifunc() resp=0x7ff38f83ac20 uninitialized, fixing it." in libFuzzer (or
compiler-rt). What version of compiler-rt/llvm/clang are you trying this
with? - This was an oversight on my part, it was a log dump from the
library and somehow I mistook it to be from libfuzzer. (I am using Clang 9

4. Have you tried visualising the coverage
the fuzz target is generating? It may give you an insight as to why your
desired function under test isn't being hit. - Yes, I am using lcov for
coverage and do see the relevant methods being exercised.

I am wondering if there is a reason I am not seeing the function in
the NEW_FUNC[x/xxx]: log lines.
To reiterate my steps -

First I build the library with fuzzer-no-link,address flags. I *don't*
compile the fuzz_target (the file containing the LLVMFuzzerTestOneInput
function) with the library.

Then I build the fuzz target and link it with the library:

    clang++ -g -O1 -fsanitize=fuzzer,address -Iinclude -Ibuild/include ..... fuzztarget.c -Lbuild/lib -llib1 -llib2

and then finally:

    ./a.out -detect_leaks=0 corpus/
I appreciate your help with this.
On Tue, Nov 12, 2019 at 11:38 AM Mitch Phillips <mitchp at google.com> wrote:
> Hi Shikhar,
> You don't need to build the library with `-fsanitize-coverage=...`, using
> `-fsanitize=fuzzer-no-link,address` should be sufficient. Without being
> able to inspect, it seems like you're building the library/fuzz target in a
> sane manner (although you can actually build object files/shared libraries
> with -fsanitize=fuzzer, and the libFuzzer main won't be linked, if this
> makes your build process easier).
> I've run a quick grep and can't find anything that would match "apifunc()
> resp=0x7ff38f83ac20 uninitialized, fixing it." in libFuzzer (or
> compiler-rt). What version of compiler-rt/llvm/clang are you trying this
> Have you tried visualising the coverage
> that the fuzz target is generating? It may give you an insight as to why
> your desired function under test isn't being hit.
> - Mitch
> On Tue, Nov 12, 2019 at 9:16 AM Shikhar Singh via llvm-dev <
> llvm-dev at lists.llvm.org> wrote:
>> I am working on using libfuzzer and asan to test out a third-party
>> As demonstrated in the tutorial, I wrote a fuzz target to fuzz a specific
>> function in the library. The fuzz target is then linked to the library and
>> compiles clean and I do see some tests generated by the fuzzer. However, I
>> have some questions regarding the "right" way to go about doing this. I
>> have doubts that the fuzzer is taking coverage feedback from the
>> fuzztarget and not the library functions (not sure though). Suppose the
>> function in the library being tested is called apifunc(). The
>> libfuzzer log has a line which says "apifunc() resp=0x7ff38f83ac20
>> uninitialized, fixing it". I am not sure what this means. Also, I can
>> see that the apifunc is called and it runs but it does not show up in the
>> NEW_FUNC[x/xxx]: log lines in the libfuzzer output.
>> To enable fuzzing, first I build the library with the following libfuzzer
>>
>>     -fsanitize=fuzzer-no-link,address -fsanitize-coverage=edge,indirect-calls
>>
>> I also had to make a blacklist to avoid some buffer overflow and
>> use-after-free errors during this build.
>> After this, I link the fuzz target with the library and use the following
>> libfuzzer options.
>> I am looking for some guidance and feedback if this is the right way to
>> go about fuzzing the library and the meaning of the "uninitialized, fixing
>> it" line in the log.
>> Live long and Prosper,
>> Shikhar Singh
Live long and Prosper,
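The two-step build discussed in this thread (library compiled with -fsanitize=fuzzer-no-link,address, fuzz target compiled with -fsanitize=fuzzer,address and linked against it), as an added, self-contained example that is not code from the thread, from LLVM or from any real library. It also adds the check the question is really about: whether coverage feedback can come from the library at all, which is visible in the library object before linking via nm. The library "libapi", its function api_parse, the seed input and the work directory are constructed stand-ins for the thread's library and apifunc(); clang, nm and ar are assumed to be in PATH, and the script builds nothing if the toolchain lacks the libFuzzer/ASan runtimes.

```shell
#!/bin/sh
# Added example, not from the thread: two-step libFuzzer build plus an
# instrumentation check. "libapi"/"api_parse" are invented stand-ins.
set -eu

CC="${CC:-clang}"
WORK="${WORK:-$(mktemp -d)}"

# Probe: does this toolchain ship working libFuzzer + ASan runtimes?
# A -fsanitize=fuzzer link wants LLVMFuzzerTestOneInput and no main().
have_libfuzzer() {
    command -v "$CC" >/dev/null 2>&1 || return 1
    command -v nm >/dev/null 2>&1 || return 1
    command -v ar >/dev/null 2>&1 || return 1
    cat > "$WORK/probe.c" <<'EOF'
#include <stddef.h>
#include <stdint.h>
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)data; (void)size;
    return 0;
}
EOF
    "$CC" -fsanitize=fuzzer,address "$WORK/probe.c" -o "$WORK/probe" >/dev/null 2>&1 &&
        "$WORK/probe" -runs=1 >/dev/null 2>&1
}

write_sources() {
    # The "third-party library" (constructed): a small branchy parser, so
    # there are library-side edges for the fuzzer to discover.
    cat > "$WORK/api.h" <<'EOF'
#include <stddef.h>
int api_parse(const unsigned char *buf, size_t len);
EOF
    cat > "$WORK/api.c" <<'EOF'
#include "api.h"
int api_parse(const unsigned char *buf, size_t len) {
    if (len < 4) return -1;
    if (buf[0] != 'A' || buf[1] != 'P' || buf[2] != 'I') return -2;
    if (buf[3] == '1') return 1;
    if (buf[3] == '2') return 2;
    return 0;
}
EOF
    # The fuzz target, built in its own step and never together with api.c.
    cat > "$WORK/fuzz_target.c" <<'EOF'
#include <stddef.h>
#include <stdint.h>
#include "api.h"
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)api_parse(data, size);
    return 0;
}
EOF
}

build() {
    # Step 1: the library. fuzzer-no-link adds coverage instrumentation (and
    # ASan) to the objects without linking libFuzzer's main into the archive.
    "$CC" -g -O1 -fsanitize=fuzzer-no-link,address -c "$WORK/api.c" -o "$WORK/api.o"
    ar rcs "$WORK/libapi.a" "$WORK/api.o"
    # Step 2: the target. -fsanitize=fuzzer instruments it AND links libFuzzer,
    # whose main() drives LLVMFuzzerTestOneInput; the library is linked here.
    "$CC" -g -O1 -fsanitize=fuzzer,address -I"$WORK" "$WORK/fuzz_target.c" \
        -L"$WORK" -lapi -o "$WORK/fuzzer"
}

# Coverage feedback only comes from code that was actually instrumented. An
# instrumented object or archive carries UNDEFINED references to the runtime
# hooks (__sanitizer_cov_* for SanitizerCoverage, __asan_* for ASan) that are
# only satisfied at the final -fsanitize=fuzzer,address link.
check_instrumented() {
    nm -u "$1" | grep -q '__sanitizer_cov_' &&
        nm -u "$1" | grep -q '__asan_'
}

run_fuzzer() {
    mkdir -p "$WORK/corpus"
    printf 'API1' > "$WORK/corpus/seed"   # constructed seed input
    # Bounded session; -detect_leaks=0 mirrors the invocation in the thread.
    "$WORK/fuzzer" -runs=2000 -detect_leaks=0 "$WORK/corpus" > "$WORK/fuzz.log" 2>&1
    # Newly reached functions appear as NEW_FUNC lines; libFuzzer prints at
    # most -print_funcs of them per update (default 2), so raise it to see all.
    grep 'NEW_FUNC' "$WORK/fuzz.log" || true
    grep -q 'Done [0-9]* runs' "$WORK/fuzz.log"
}

main() {
    write_sources
    build
    check_instrumented "$WORK/api.o"
    check_instrumented "$WORK/libapi.a"
    echo "library object and archive carry coverage + ASan instrumentation"
    nm "$WORK/fuzzer" | grep -q ' T LLVMFuzzerTestOneInput'
    run_fuzzer
    echo "fuzzer finished; full log in $WORK/fuzz.log"
}

if have_libfuzzer; then
    main
else
    echo "clang with libFuzzer/ASan runtimes not available; nothing built" >&2
fi
```

If `nm -u` on the library object shows no `__sanitizer_cov_` references, the library was compiled without the fuzzer flags (for example by a build system that dropped CFLAGS), and libFuzzer can only steer on edges inside the fuzz target itself. For a per-function view of what the library contributed, run the binary with `-print_coverage=1`, which makes libFuzzer print covered and uncovered functions at exit; `-print_funcs=N` lifts the cap on how many NEW_FUNC lines are logged as new functions are reached.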