Open guidovranken opened 2 years ago
I'm not aware of any way to do this. I can keep this issue open for visibility. I agree this would be better to ask go-fuzz folks. But you can also try CCing contributors to go projects if you'd like.
Thanks Jonathan.
@josharian If you think you could get this to work, I'm willing to pay you for it.
@guidovranken thanks for the offer, but I'm not doing any contracting for the foreseeable future. Perhaps @thepudds might be interested? I don't know what their current situation is.
Hi @guidovranken, this sounds potentially interesting. I will send you an email.
Thanks for the mention @josharian.
Thank you both @josharian and @thepudds, I have replied to your e-mail @thepudds.
Cryptofuzz has support for fuzzing several Go libraries (including the Go standard library).

The harnessing code is mostly implemented in a `.go` file: https://github.com/guidovranken/cryptofuzz/blob/master/modules/golang/cryptofuzz.go

It exports functions so that they can be called from C++: https://github.com/guidovranken/cryptofuzz/blob/c49d3df24fdc63d960e0419202d09468e86fc101/modules/golang/cryptofuzz.go#L363-L364

The Go code is compiled into a static archive: https://github.com/guidovranken/cryptofuzz/blob/c49d3df24fdc63d960e0419202d09468e86fc101/modules/golang/Makefile#L16 which is then linked into the Cryptofuzz binary.

As such, no instrumentation is being applied to the Go code, unlike standalone Go fuzzers which use `go-fuzz`.

While Cryptofuzz is capable of generating meaningful inputs without a code coverage signal, and therefore can find bugs in Go libraries, the lack of instrumentation is not optimal.

I've been trying to hack `go-fuzz` to instrument Go code without emitting a libFuzzer entry point (https://github.com/dvyukov/go-fuzz/blob/4980593459a186bd2a389fe4557a260cce742594/go-fuzz-build/main.go#L866-L887).

Unfortunately it's not trivial to get it working as go-fuzz will complain about the use of `cgo` (`could not import C (no metadata for C)`), which I require to export functions from Go to C++.

I could rewrite my harness to use a single entry point (such as `func Fuzz(data []byte) int`), so that I don't need to export all the separate functions, but I still need to export `GetResult` (https://github.com/guidovranken/cryptofuzz/blob/c49d3df24fdc63d960e0419202d09468e86fc101/modules/golang/cryptofuzz.go#L195-L196) which I need to pass data from Go to C++.

Are you aware of any way to apply coverage instrumentation to Go code that exports functions?

Perhaps I should ask this in the `go-fuzz` repository instead but I figured you might have run into this issue before in other projects.
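The single-entry-point harness shape sketched in the issue (one `Fuzz(data []byte) int` that dispatches on the input, plus a `GetResult` that hands the output back to the native side), as an added example that is not Cryptofuzz's own code. The opcode layout (first byte selects the operation, HMAC operands are `uint16` length-prefixed) is an assumption made up for this example, not Cryptofuzz's wire format, and the cgo `//export` wrappers are left out so the file builds with `CGO_ENABLED=0`; in a real cgo build each exported function would marshal `*C.uint8_t`/`C.size_t` into the slices used here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Operation identifiers carried in the first byte of the fuzz input.
// These values are an assumption of this example, not Cryptofuzz's format.
const (
	opSHA256     byte = 0
	opSHA512     byte = 1
	opHMACSHA256 byte = 2
)

// lastResult holds the output of the most recent operation. The native side
// copies it out after each call via GetResult (the pattern the issue describes).
var lastResult []byte

// Fuzz is the single entry point: byte 0 selects the operation, the rest is the
// operand encoding. Returns 1 when an operation ran and 0 when the input was
// rejected, matching the go-fuzz convention for interesting/uninteresting inputs.
func Fuzz(data []byte) int {
	lastResult = nil // never leak a stale result across calls
	if len(data) < 1 {
		return 0
	}
	op, rest := data[0], data[1:]
	switch op {
	case opSHA256:
		sum := sha256.Sum256(rest)
		lastResult = sum[:]
	case opSHA512:
		sum := sha512.Sum512(rest)
		lastResult = sum[:]
	case opHMACSHA256:
		key, msg, ok := splitLengthPrefixed(rest)
		if !ok {
			return 0
		}
		mac := hmac.New(sha256.New, key)
		mac.Write(msg)
		lastResult = mac.Sum(nil)
	default:
		return 0
	}
	return 1
}

// splitLengthPrefixed parses "uint16 big-endian key length || key || message".
// A length that overruns the buffer is rejected rather than clamped, so the
// harness never reads past the fuzzer-supplied input.
func splitLengthPrefixed(b []byte) (key, msg []byte, ok bool) {
	if len(b) < 2 {
		return nil, nil, false
	}
	n := int(binary.BigEndian.Uint16(b))
	b = b[2:]
	if n > len(b) {
		return nil, nil, false
	}
	return b[:n], b[n:], true
}

// GetResult returns a copy of the last result so the caller owns the memory.
// In a cgo build this is the function the C++ side would call; its //export
// wrapper is omitted here (assumption: the wrapper only marshals types).
func GetResult() []byte {
	out := make([]byte, len(lastResult))
	copy(out, lastResult)
	return out
}

func main() {
	// Constructed sample input: HMAC-SHA256 with the 3-byte key "key".
	in := append([]byte{opHMACSHA256, 0, 3}, "key"...)
	in = append(in, "The quick brown fox jumps over the lazy dog"...)
	fmt.Println(Fuzz(in), hex.EncodeToString(GetResult()))
}
```

Because every operation writes through the same `lastResult` slot and `GetResult` returns a copy, the C++ side only ever needs two exported symbols regardless of how many operations the Go module supports, which is the reduction in exported surface the issue is after.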