I'm fairly sure your compiler (or rather linker) errors are coming from the
fact that you are not linking to the C++ runtime library. Use
`clang++ -std=c++11 *.o`, and I'm reasonably sure it will do what you want.

--
Mats

On 3 September 2015 at 12:26, Greg Stark via llvm-dev <llvm-dev at lists.llvm.org> wrote:

> On Sun, Aug 30, 2015 at 3:30 PM, Greg Stark <stark at mit.edu> wrote:
> > To do this effectively I think it would be best to invoke the fuzzer
> > from inside Postgres. Essentially provide bindings for Libfuzzer so
> > I can have Libfuzzer provide all the test cases to repeatedly
> > call the internal functions on.
> >
> > Is there any example of doing something like this already? Am I taking
> > a crazy approach?
>
> So on further inspection it seems the API I want, at least for the
> in-process plan, is mostly there in LLVMFuzzerNoMain. It would be nice
> if I could call the driver with a function pointer and void* and it
> would call my callback passing that closure along with the fuzzed
> input. But I can probably work around that with a global variable.
>
> I'm actually kind of frustrated by a more basic problem: the build
> system. It seems LibFuzzer is meant to be compiled as part of LLVM but
> it didn't get compiled when I built LLVM because I didn't build it
> with sanitize-coverage enabled. Now I can't get it to build because I
> get errors like:
>
> $ for i in *.cpp ; do clang -c -std=c++11 $i ; done
> $ clang -std=c++11 *.o
> FuzzerDriver.o: In function `fuzzer::ReadTokensFile(char const*)':
> FuzzerDriver.cpp:(.text+0x56): undefined reference to
> `std::allocator<char>::allocator()'
> FuzzerDriver.cpp:(.text+0x6d): undefined reference to
> `std::__cxx11::basic_string<char, std::char_traits<char>,
> std::allocator<char> >::basic_string(char const*, std::allocator<char>
> const&)'
> FuzzerDriver.cpp:(.text+0x8d): undefined reference to
> `std::__cxx11::basic_string<char, std::char_traits<char>,
> std::allocator<char> >::~basic_string()'
> FuzzerDriver.cpp:(.text+0x96): undefined reference to
> `std::allocator<char>::~allocator()'
> FuzzerDriver.cpp:(.text+0xab): undefined reference to
> `std::__cxx11::basic_istringstream<char, std::char_traits<char>,
> std::allocator<char> >::basic_istringstream(std::__cxx11::basic_string<char,
> std::char_traits<char>, std::allocator<char> > const&,
> std::_Ios_Openmode)'
> FuzzerDriver.cpp:(.text+0x14c): undefined reference to
> `std::allocator<char>::allocator()'
> FuzzerDriver.cpp:(.text+0x166): undefined reference to
> `std::__cxx11::basic_string<char, std::char_traits<char>,
> std::allocator<char> >::basic_string(char const*, std::allocator<char>
> const&)'
> FuzzerDriver.cpp:(.text+0x18f): undefined reference to
> `std::__cxx11::basic_string<char, std::char_traits<char>,
> std::allocator<char> >::~basic_string()'
>
> And I get similar errors if I try to build it using the LLVM CMake
> generated makefiles (after running "cmake
> -DLLVM_USE_SANITIZE_COVERAGE=1" in the LibFuzzer directory); in fact I
> get errors that I need -std=c++11. Do I need to recompile *all* of
> llvm as if I was going to fuzz LLVM just to get libfuzzer built?
>
> --
> greg
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
On Thu, Sep 3, 2015 at 6:55 AM, mats petersson via llvm-dev <llvm-dev at lists.llvm.org> wrote:

> I'm fairly sure your compiler (or rather linker) errors are coming from
> the fact that you are not linking to the C++ runtime library. Use `clang++
> -std=c++11 *.o`, and I'm reasonably sure it will do what you want.

Correct.

> On 3 September 2015 at 12:26, Greg Stark via llvm-dev <llvm-dev at lists.llvm.org> wrote:
>
>> So on further inspection it seems the API I want, at least for the
>> in-process plan is mostly there in LLVMFuzzerNoMain. It would be nice
>> if I could call the driver with a function pointer and void* and it
>> would call my callback passing that closure along with the fuzzed
>> input. But I can probably work around that with a global variable.

Not sure I understood this correctly. Example?

>> [...]
On Thu, Sep 3, 2015 at 6:25 PM, Kostya Serebryany <kcc at google.com> wrote:
> Not sure I understood this correctly.
> Example?

I've made a Postgres module which is dynamically loaded by Postgres as a
shared library, from which I can call the fuzzer on the SQL function of my
choice. Postgres has enough meta information about the functions that I
think the eventual interface might be pretty flexible and be able to
specify which argument to fuzz and what other constant arguments to pass,
etc. So I would want to pass the function's id and these other arguments
and so on through the fuzzer to the fuzz-one callback. As I said, I think I
can just use a global variable since there's no reason the fuzzer needs to
be reentrant.

However, I have run into a problem I'm stumped on. I'm not sure if it's the
dynamic linker or something in Postgres that's interfering with the
coverage feedback, but it's exiting after one call thinking the new
coverage isn't increasing over the previous coverage. The test that's
causing it to exit is at FuzzerLoop.cpp:250:

    if (NewCoverage > OldCoverage || NumNewBits) return NewCoverage;

    250       if (NewCoverage > OldCoverage || NumNewBits)
    (gdb) p NewCoverage
    $3 = 14422
    (gdb) p OldCoverage
    $4 = 14422
    (gdb) p NumNewBits
    $5 = 0

And after that it just returns. In fact the only call it makes to my test
function is with Data=NULL Size=NULL, which isn't a valid input to the
function, so I just return. I'm not clear why it's passing NULL for the
data at all, but even so that should still cause at least one bit of
coverage.

I do have a second, longer-term problem. I would really want to call the
fuzzer for some limited number of iterations, say 1,000 or so, then do some
other housekeeping (including checking for query cancellation), then
continue the fuzzing. However, even if I specify -iterations or -runs, AIUI
it isn't possible to call the fuzzer a second time. It tests if it's
already been called and if so aborts. Maybe there's some internal function
I could call instead, but I haven't read through all the source thoroughly
yet.

--
greg
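The harness shape Greg describes, as an added example that is not code from the thread, from libFuzzer or from Postgres: a global slot holds the fuzz-one callback and its void* context, so libFuzzer's fixed-signature entry point can forward the fuzzed bytes to it, and two counters separate "the driver only ever sent the empty input" from "the callback ran but added no coverage". LLVMFuzzerTestOneInput is libFuzzer's real entry-point name; RegisterFuzzTarget, FuzzCallback, SqlFuzzSpec and FuzzSqlFunction are assumed names for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Callback signature the embedding module supplies: fuzzed bytes plus its closure.
typedef void (*FuzzCallback)(const uint8_t *Data, size_t Size, void *Ctx);

namespace {
// One global slot is enough: the fuzzer driver is never reentered.
FuzzCallback g_callback = nullptr;
void *g_ctx = nullptr;
size_t g_calls = 0;        // non-empty inputs that reached the callback
size_t g_empty_calls = 0;  // empty inputs seen (the first call in the thread was one)
}  // namespace

// Install the callback and its context before handing control to the driver.
void RegisterFuzzTarget(FuzzCallback cb, void *ctx) {
  g_callback = cb;
  g_ctx = ctx;
  g_calls = g_empty_calls = 0;
}
size_t FuzzCallCount() { return g_calls; }
size_t FuzzEmptyCallCount() { return g_empty_calls; }

// libFuzzer's fixed-signature entry point; it must return 0. Counting the
// empty probes separately tells "callback never ran" apart from "ran but
// added no coverage" when the driver stops after one iteration.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (Data == nullptr || Size == 0) { ++g_empty_calls; return 0; }
  if (g_callback != nullptr) { ++g_calls; g_callback(Data, Size, g_ctx); }
  return 0;
}

// Constructed stand-in for "which SQL function, with which constant args".
struct SqlFuzzSpec {
  int function_oid;                     // hypothetical function identifier
  std::vector<std::string> const_args;  // arguments held fixed while fuzzing
  std::string last_input;               // what the callback last received
};

// The fuzz-one callback: a real module would look up function_oid and call
// it with const_args plus the fuzzed argument; this one only records input.
void FuzzSqlFunction(const uint8_t *Data, size_t Size, void *Ctx) {
  SqlFuzzSpec *spec = static_cast<SqlFuzzSpec *>(Ctx);
  spec->last_input.assign(reinterpret_cast<const char *>(Data), Size);
}
```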