Fuzz testing COPY FROM parsing

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Fuzz testing COPY FROM parsing
Date: 2021-02-05 10:45:30
Message-ID: c70d47ad-0d7f-ed7c-5b2a-42f633d13d51@iki.fi
Lists: pgsql-hackers

Hi,

I've been mucking around with COPY FROM lately, and to test it, I wrote
some tools to generate input files and load them with COPY FROM:

https://github.com/hlinnaka/pgcopyfuzz

I used a fuzz testing tool called honggfuzz [1] to generate test inputs
for COPY FROM. At first I tried to use afl and libfuzzer, but honggfuzz
was much easier to use with PostgreSQL. It has a "persistent fuzzing
mode", which allows starting the server normally (well, in single-user
mode), and calling a function to get the next input. With the other
fuzzers I tried, you have to provide a callback function that the fuzzer
calls for each test iteration, and that was hard to integrate into the
PostgreSQL main processing loop.

I ran it for about 2 h on my laptop with the patch I was working on [2].
It didn't find any crashes, but it generated about 1300 input files that
it considered "interesting" based on code coverage analysis. When I took
those generated inputs, and ran them against unpatched and patched
servers, some inputs produced different results. So that revealed a
couple of bugs in the patch. (I'll post a fixed patched version on that
thread soon.)

I hope others find this useful, too.

[1] https://github.com/google/honggfuzz
[2] https://www.postgresql.org/message-id/11d39e63-b80a-5f8d-8043-fff04201fadc@iki.fi

- Heikki
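The differential step the post describes, replaying fuzzer-generated inputs against an unpatched and a patched server and flagging inputs whose outcome differs, as an added example harness (not part of pgcopyfuzz or PostgreSQL). It assumes psql is on PATH, two connection strings for the two servers, and a target table `t` (assumed name) whose columns match the corpus layout.

```python
"""Replay a COPY FROM input corpus against two servers and report
inputs whose outcome differs (added example, not pgcopyfuzz code)."""
import subprocess
import sys
from pathlib import Path
from typing import Dict, NamedTuple


class CopyResult(NamedTuple):
    status: str   # "ok" if the load succeeded, "error" otherwise
    rows: str     # table contents after the load (empty when rejected)
    error: str    # server error message, empty on success


def first_error(stderr: str) -> str:
    """Extract the first 'ERROR:' message from psql's stderr."""
    for line in stderr.splitlines():
        if "ERROR:" in line:
            return line.split("ERROR:", 1)[1].strip()
    return ""


def run_copy(conninfo: str, input_path: Path, table: str = "t") -> CopyResult:
    """Load one input file with COPY FROM (via psql \\copy) into an
    emptied table and return what the server did with it. Each
    statement autocommits, so a rejected load leaves the table empty
    and the SELECT still reports that state."""
    script = (f"TRUNCATE {table};\n"
              f"\\copy {table} FROM '{input_path}'\n"
              f"SELECT * FROM {table} ORDER BY 1;\n")
    proc = subprocess.run(["psql", "-X", "-q", "-A", "-t", conninfo],
                          input=script, capture_output=True, text=True)
    err = first_error(proc.stderr)
    return CopyResult("error" if err else "ok", proc.stdout.strip(), err)


def classify(unpatched: CopyResult, patched: CopyResult) -> str:
    """Describe how two outcomes differ: a flipped accept/reject
    decision or different loaded rows is a parsing change worth
    a look; a changed error message is a weaker signal."""
    if unpatched.status != patched.status:
        return "status"
    if unpatched.rows != patched.rows:
        return "rows"
    if unpatched.error != patched.error:
        return "message"
    return "same"


def diff_corpus(corpus: Path, old: str, new: str) -> Dict[str, str]:
    """Map each corpus file name to its difference kind, skipping 'same'."""
    return {p.name: k for p in sorted(corpus.iterdir())
            if (k := classify(run_copy(old, p), run_copy(new, p))) != "same"}


if __name__ == "__main__":   # usage: diff.py CORPUS_DIR OLD_CONNINFO NEW_CONNINFO
    for name, kind in diff_corpus(Path(sys.argv[1]), sys.argv[2], sys.argv[3]).items():
        print(f"{kind:8} {name}")
```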
