-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Gaps in rustc for effective fuzzing #92
Comments
I'm not sure I see a problem with the first point in this issue. Why is it a problem to compile library containing instrumentation separately, without the flags for instrumenting it and link it into the binary and/or libraries later on? That is pretty much exactly what would be happening in a C(++) project that uses a fuzzer implemented in C(++) as well, and solves precisely the same problem. The only thing you'd need to work around is As for the second point, I'm not sure It sounds to me that for Rust a fuzzer implementation will want a way to replace |
It's not necessarily an issue, but creates a semi-awkward build step. I suppose the solution here is to use a
It looks like my assumption here was wrong. I was concerned that there'd be no way to tell LLVM not to use an instristic Since the second point was my big concern that applied to this repo as well, I'm going to go ahead and close this issue. Thanks for letting me talk this out and rubber duck debug of sorts :) |
Hi folks,
I've been writing a Rust-based replacement for libFuzzer called Fazi, and I've encountered a couple of issues that have some crossover with libFuzzer usage and the potential for Fazi (or any Rust-based library) to replace libfuzzer for fuzzing rust code.
I apologize for this issue not strictly relating to this crate, but this is the best place I could think of for such discussion.
Issues with SanCov
You can compile a Rust crate with sancov instrumentation via:
When compiling a Rust binary that depends on another Rust library for fuzzing, we now have a scenario where everything in the Rust world is instrumented, including the fuzzing library itself. Even if I could mark the fuzzing crate as
#[no_sanitize(coverage)]
, its dependencies (including stdlib) would likely still be instrumented.This introduces at least two problems I encountered:
__sanitizer_cov_trace_{const_}_cmp*
functions being executed while a lock is held within the fuzzing codeCannot use function interceptors
libFuzzer supports hooking a collection of builtin functions such as
memcmp
,strcmp
, etc. by implicitly adding the-fno-builtin-memcmp
argument when-fsanitize=fuzzer
or-fsanitize=fuzzer-no-link
are provided to the clang frontend.As far as I can tell, disabling these builtins is only possible via clang and not supported with an LLVM argument . Support for this would likely fix issues such as #90 as the interceptors could be used.
So now for the questions I wanted to discuss:
The text was updated successfully, but these errors were encountered: