This is the mail archive of the mailing list for the glibc project.


Re: is there a fuzzer for libc?

On 19/03/15 18:25, Konstantin Serebryany wrote:
> Step1:
> If you can implement a function
> void TestOneInput(const unsigned char *Data, size_t Size);
> that uses one of the glibc APIs in an interesting way as in the examples above
> I can run it with the fuzzer on the instrumented glibc.
> You can run yourself too, but the build process is a bit too hairy today.
> The requirement for TestOneInput is that it runs reasonably fast (e.g. < 1ms)
> and does not crash on malformed inputs (unless there is a bug).
> For non-trivial kinds of input I may also need an initial set of
> inputs (test corpus),
> but for regcomp/fnmatch/wordexp and similar the fuzzer is capable of
> generating the corpus from scratch.
> Step2:
> Finish Glibc+Clang (
> and integrate the LLVM fuzzer
> (
> or any similar coverage-guided fuzzer with the glibc testing process.

it seems the coverage tool depends on asan

i could not yet get asan to work on my system
so i can't try the fuzzer

fuzzing glibc is a useful project but i'm looking
for a tool that helps catching regressions in musl
libc when some complex parser code like fnmatch
is updated.

maybe i can automate cutting out the relevant
code from the musl source tree and then run
fuzzing on that without libc instrumentation..
(but i was hoping for a nicer solution)
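As an added example (not code from the thread, glibc or musl), here is a TestOneInput for fnmatch(3) in the shape Konstantin describes: it turns arbitrary bytes into a pattern, a subject string and a flag set, guarantees NUL termination so the fuzzer's input is never over-read, and runs a small constructed seed corpus of valid and malformed patterns. The input layout and the corpus are assumptions of the example, and the function returns fnmatch's result rather than void so a driver can check it.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Input layout (an assumption of this example, not a libFuzzer or glibc rule):
 * byte 0 selects fnmatch flags, the rest is "pattern\0string". Either half may
 * be missing and is then treated as "". Returns the fnmatch result. */
int TestOneInput(const unsigned char *Data, size_t Size)
{
    if (Size == 0)
        return 0;
    int flags = 0;
    if (Data[0] & 1) flags |= FNM_NOESCAPE;
    if (Data[0] & 2) flags |= FNM_PATHNAME;
    if (Data[0] & 4) flags |= FNM_PERIOD;
    Data++; Size--;
    /* fnmatch wants C strings; the fuzzer's bytes carry no terminator, so copy
     * them into a buffer that has one instead of reading past the input. */
    char *buf = malloc(Size + 1);
    if (buf == NULL)
        return 0;
    memcpy(buf, Data, Size);
    buf[Size] = '\0';
    const char *pattern = buf;
    size_t plen = strlen(pattern);   /* stops at the separator or at buf[Size] */
    const char *string = plen < Size ? buf + plen + 1 : buf + Size;
    int rc = fnmatch(pattern, string, flags);
    free(buf);
    return rc;
}

/* Constructed seed corpus: one plain match plus malformed patterns that push
 * the parser onto its edge paths. The target must return from all of them. */
struct input { const unsigned char *data; size_t size; };
#define IN(lit) { (const unsigned char *)(lit), sizeof(lit) - 1 }
static const struct input corpus[] = {
    IN("\0*.c\0foo.c"),      /* plain match */
    IN("\2*\0a/b"),          /* FNM_PATHNAME: '*' must not cross '/' */
    IN("\0[\0["),            /* unterminated bracket expression */
    IN("\0abc\\\0abc\\"),    /* pattern ending in a backslash */
    IN("\0[[:alpha:\0x"),    /* unterminated character class */
};

static size_t run_corpus(void)
{
    for (size_t i = 0; i < sizeof corpus / sizeof corpus[0]; i++)
        TestOneInput(corpus[i].data, corpus[i].size);
    return sizeof corpus / sizeof corpus[0];
}
```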
