On Thu, Sep 3, 2015 at 6:25 PM, Kostya Serebryany <kcc at google.com> wrote:
> Not sure I understood this correctly.
> Example?

I've made a Postgres module which is dynamically loaded by Postgres as a shared library from which I can call the fuzzer on the SQL function of my choice. Postgres has enough meta information about the functions that I think the eventual interface might be pretty flexible and be able to specify which argument to fuzz and what other constant arguments to pass etc. So I would want to pass the function's id and these other arguments and so on through the fuzzer to the fuzz-one callback. As I said I think I can just use a global variable since there's no reason the fuzzer needs to be reentrant.

However I have run into a problem I'm stumped on. I'm not sure if it's the dynamic linker or something in Postgres that's interfering with the coverage feedback but it's exiting after one call thinking the new coverage isn't increasing over the previous coverage.

The test that's causing it to exit is at FuzzerLoop.cpp:250

if (NewCoverage > OldCoverage || NumNewBits)
  return NewCoverage;

250 if (NewCoverage > OldCoverage || NumNewBits)
(gdb) p NewCoverage
$3 = 14422
(gdb) p OldCoverage
$4 = 14422
(gdb) p NumNewBits
$5 = 0

And after that it just returns.

In fact the only call it makes to my test function is with Data=NULL Size=NULL which isn't a valid input to the function so I just return. I'm not clear why it's passing NULL for the data at all but even so that should still cause at least one bit of coverage.

I do have a second longer term problem. I would really want to call the fuzzer for some limited number of iterations, say 1,000 or so, then do some other housekeeping (including checking for query cancellation). Then continue the fuzzing. However even if I specify -iterations or -runs AIUI it isn't possible to call the fuzzer a second time. It tests if it's already been called and if so aborts. Maybe there's some internal function I could call instead but I haven't read through all the source thoroughly yet.

-- 
greg
On Thu, Sep 3, 2015 at 10:40 AM, Greg Stark <stark at mit.edu> wrote:
> On Thu, Sep 3, 2015 at 6:25 PM, Kostya Serebryany <kcc at google.com> wrote:
> > Not sure I understood this correctly.
> > Example?
>
> I've made a Postgres module which is dynamically loaded by Postgres as
> a shared library from which I can call the fuzzer on the SQL function
> of my choice. Postgres has enough meta information about the functions
> that I think the eventual interface might be pretty flexible and be
> able to specify which argument to fuzz and what other constant
> arguments to pass etc. So I would want to pass the function's id and
> these other arguments and so on through the fuzzer to the fuzz-one
> callback. As I said I think I can just use a global variable since
> there's no reason the fuzzer needs to be reentrant.

You can use a global, you can use C++. Like here:
https://github.com/llvm-mirror/llvm/blob/master/lib/Fuzzer/test/UserSuppliedFuzzerTest.cpp

> However I have run into a problem I'm stumped on. I'm not sure if it's
> the dynamic linker or something in Postgres that's interfering with
> the coverage feedback but it's exiting after one call thinking the
> new coverage isn't increasing over the previous coverage.

Did you build the Postgres code with -fsanitize-coverage=... ?

> The test that's causing it to exit is at FuzzerLoop.cpp:250
> if (NewCoverage > OldCoverage || NumNewBits)
> return NewCoverage;
>
> 250 if (NewCoverage > OldCoverage || NumNewBits)
> (gdb) p NewCoverage
> $3 = 14422
> (gdb) p OldCoverage
> $4 = 14422
> (gdb) p NumNewBits
> $5 = 0
>
> And after that it just returns.
>
> In fact the only call it makes to my test function is with Data=NULL
> Size=NULL which isn't a valid input to the function so I just return.
> I'm not clear why it's passing NULL for the data at all but even so
> that should still cause at least one bit of coverage.
>
> I do have a second longer term problem. I would really want to call
> the fuzzer for some limited number of iterations, say 1,000 or so,
> then do some other housekeeping (including checking for query
> cancellation). Then continue the fuzzing. However even if I specify
> -iterations or -runs AIUI it isn't possible to call the fuzzer a
> second time. It tests if it's already been called and if so aborts.
> Maybe there's some internal function I could call instead but I
> haven't read through all the source thoroughly yet.
>
> --
> greg
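A C sketch of the "use a global" approach for handing the function id and constant arguments to the fuzz-one callback, plus the empty-input case the thread mentions (Data == NULL, Size == 0). This is an added example, not code from the thread, from libFuzzer or from Postgres; `fuzz_config`, `g_table` and the two toy functions are constructed stand-ins for Postgres' function metadata.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Per-run settings the host (the Postgres module) fills in before it hands
 * control to the fuzzer; the callback only reads them, so a plain global is
 * enough as long as the fuzzer is never re-entered. */
struct fuzz_config {
    unsigned func_id;   /* index into g_table (hypothetical function id) */
    long     const_arg; /* constant argument passed beside the fuzzed one */
};
static struct fuzz_config g_cfg = { 0, 0 };

/* Two constructed stand-ins for SQL functions taking (text, number). */
static int fn_length_plus(const char *text, size_t len, long n) {
    (void)text; return (int)len + (int)n;
}
static int fn_count_char(const char *text, size_t len, long n) {
    int hits = 0;
    for (size_t i = 0; i < len; i++) if (text[i] == (char)n) hits++;
    return hits;
}
typedef int (*sql_fn)(const char *, size_t, long);
static const sql_fn g_table[] = { fn_length_plus, fn_count_char };
#define N_FUNCS (sizeof g_table / sizeof g_table[0])

void fuzz_set_config(unsigned func_id, long const_arg) {
    g_cfg.func_id = func_id;
    g_cfg.const_arg = const_arg;
}

/* Returns the target's result, or -1 when there is nothing to call: an empty
 * input (libFuzzer may pass Data == NULL, Size == 0) or an unknown func_id. */
int fuzz_dispatch(const uint8_t *data, size_t size) {
    if (data == NULL || size == 0 || g_cfg.func_id >= N_FUNCS) return -1;
    char *buf = malloc(size + 1);   /* exact-size copy so ASan flags overreads */
    if (buf == NULL) return -1;
    memcpy(buf, data, size);
    buf[size] = '\0';
    int r = g_table[g_cfg.func_id](buf, size, g_cfg.const_arg);
    free(buf);
    return r;
}

/* libFuzzer entry point; it must always return 0. */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    (void)fuzz_dispatch(Data, Size);
    return 0;
}
```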
On Thu, Sep 3, 2015 at 6:45 PM, Kostya Serebryany <kcc at google.com> wrote:
> Did you build the Postgres code with -fsanitize-coverage=... ?

Yes:

CC = clang
CFLAGS = -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -Wno-unused-command-line-argument -g -O0 -fsanitize=address -fsanitize-coverage=edge,indirect-calls,8bit-counters

What I'm now wondering is: I saw somewhere that it was important to use clang to link. I think the build might have used ld to link. Is there a way I can test the binary to see what's up?

-- 
greg