<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 10, 2015 at 8:08 PM, Kostya Serebryany <span dir="ltr"><<a href="mailto:kcc@google.com" target="_blank">kcc@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Mon, Aug 10, 2015 at 5:53 PM, Brian Cain via llvm-dev <span dir="ltr"><<a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a>></span> wrote:<br></span><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div>First off, thanks -- this is a pretty great library and it feels like I'm learning a lot. </div></blockquote><div><br></div></span><div>Thanks! </div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'm getting some more experience with libfuzzer and finding that I have a couple of questions:</div></blockquote><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>- How does libfuzzer decide to write a new test file? What distinguishes this one from all the other cases for which new test inputs were not written? Must be something about the path taken through the code?</div></div></blockquote><div><br></div></span><div>Exactly. </div><div>It uses <a href="http://clang.llvm.org/docs/SanitizerCoverage.html" target="_blank">http://clang.llvm.org/docs/SanitizerCoverage.html</a> to figure out if any new edge in the control flow graph has been discovered with the given input. 
</div><span class=""><div> </div></span></div></div></div></blockquote><div><br></div><div>So if I'm seeing tens of thousands of distinct test files, that represents tens of thousands of distinct edges? Does the CFG span functions/methods or are they scoped more sanely?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>- Can I use afl-cmin or is there something similar for libFuzzer? </div></div></blockquote><div><br></div></span><div>I've never tried that. I'd expect you can. </div><div>libFuzzer and afl both use plain files to store the corpus. </div><span class=""><div><br></div></span></div></div></div></blockquote><div><br></div><div>I think afl-cmin uses some afl-specific behavior.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class=""><div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I find that sometimes I get an enormous amount of tests and it becomes unmanageable.</div></div></blockquote><div><br></div></span><div>libFuzzer has an option to minimize the corpus. </div><div>It's not perfect, but very simple. 
</div><div>-------------</div><div><div> save_minimized_corpus <span style="white-space:pre-wrap"> </span>0<span style="white-space:pre-wrap"> </span>If 1, the minimized corpus is saved into the first input directory</div></div><div>-------------<br></div><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div></div></div></blockquote></span></div></div></div></blockquote><div><br></div><div>Ohh, ok. I think I misunderstood this as trying to minimize the size of the test case while still reproducing a crash. Similar to how afl-tmin works, I was thinking. I'll give this a try. </div><div><br></div><div>Should I only use this option periodically or can I run it this way all the time? Do we end up spending more execution time minimizing the corpus? Will it delete redundant test cases, including ones that were there before this test run started?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div> </div><div>- sometimes my process being tested appears to deadlock. A common feature seems to be that AlarmCallback is allocating memory and as a consequence the ASan code is pending on a lock. I'll speculate that this is because the alarm expired while the lock was already held. Is this expected? I can share specific call stacks if it helps. I can just extend the timeout but I think it's probably appropriate.</div></div></blockquote><div><br></div></span><div>Yes, please give more details. </div><span class=""><div> </div></span></div></div></div></blockquote><div><br></div><div>Traces attached. 
Not sure if the mailing list will preserve the attachments, though.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>- AFL has a curses based display where a bunch of different stats are shown. I'll be honest, I don't know how to read those yet. ;) But I'd like to find some way to determine whether I'm seeing diminishing returns with libfuzzer. Is there a good strategy?</div></div></blockquote><div><br></div></span><div>libFuzzer just dumps stats to stderr. </div><div>As long as you periodically see lines like </div><div>#325<span style="white-space:pre-wrap"> </span>NEW cov 11985 bits 14108 units 113 exec/s 325 ...<br></div><div>you are good. </div><div><br></div><div>Once you stop getting those, you may start playing with the flags. </div><div>(e.g. increase the max_len).</div><div>Unlike AFL which knows it all, libFuzzer still relies on a bit of user help. :) </div><span class=""><div><br></div><div></div></span></div></div></div></blockquote></div><div class="gmail_extra"><br></div><div class="gmail_extra">Ok, that's good advice.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><br clear="all"><div><br></div>-- <br><div class="gmail_signature">-Brian</div>
</div></div>
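Two points in the thread above are easier to see in a small simulation than in prose: Kostya's answer that a new test file is written only when the input reaches a control-flow edge not seen before, and the save_minimized_corpus option, which drops units whose edges are already covered by the rest of the corpus. The following is an added, self-contained toy written for this page; it is not libFuzzer or LLVM code. The `target` function, its numbered blocks, the `EdgeTracer` that stands in for SanitizerCoverage, the `MAX_LEN` constant and the greedy `minimize_corpus` routine are all constructed for the example, and the status lines it prints only loosely imitate the `#N NEW cov ... units ...` format quoted in the thread (no `bits` or `exec/s` fields are tracked).

```python
"""Toy coverage-guided fuzzing loop (constructed example, not libFuzzer).

Each basic block of the hand-instrumented target reports itself, so a run
yields the set of (previous block, current block) edges it took.  A mutated
input is kept, i.e. a "new test file" would be written, only when that set
contains an edge never seen before.  minimize_corpus then mimics the effect
of save_minimized_corpus: it keeps a subset of units with identical coverage.
"""
import random

MAX_LEN = 32  # analogue of libFuzzer's max_len: mutations never exceed it


class EdgeTracer:
    """Records control-flow edges as (previous block, current block) pairs."""

    def __init__(self):
        self.prev = 0          # block 0 stands for function entry
        self.edges = set()

    def block(self, block_id):
        self.edges.add((self.prev, block_id))
        self.prev = block_id


def target(data, trace):
    """Constructed parser-like target; block ids are arbitrary labels."""
    trace.block(1)
    if len(data) < 4:
        trace.block(2)                  # too short, bail out
        return
    if data[0] == ord("F"):
        trace.block(3)
        if data[1] == ord("U"):
            trace.block(4)
            if data[2] == ord("Z"):
                trace.block(5)
                if data[3] == ord("Z"):
                    trace.block(6)      # deepest block: four bytes must match
    for byte in data[4:]:
        trace.block(7)                  # loop body over the tail
        if byte > 0x7F:
            trace.block(8)              # high-bit bytes take an extra branch
    trace.block(9)                      # common exit


def run(data):
    """Execute the target once and return the set of edges it took."""
    tracer = EdgeTracer()
    target(data, tracer)
    return tracer.edges


def mutate(data, rng):
    """One random byte-level mutation, bounded by MAX_LEN."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:                       # overwrite a byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and len(buf) < MAX_LEN:      # insert a byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:                            # delete a byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(seeds, iterations, seed=0):
    """Grow a corpus from seeds; return (corpus, all_edges, log).

    log holds one (iteration, total_edges, units) entry per kept input, the
    events libFuzzer reports as NEW lines.  Seeded RNG keeps runs repeatable.
    """
    rng = random.Random(seed)
    seen, corpus, log = set(), [], []
    for unit in seeds:
        edges = run(unit)
        if edges - seen:
            seen |= edges
            corpus.append(unit)
    for i in range(1, iterations + 1):
        child = mutate(rng.choice(corpus), rng)
        edges = run(child)
        if edges - seen:                # a new edge: keep the input
            seen |= edges
            corpus.append(child)
            log.append((i, len(seen), len(corpus)))
    return corpus, seen, log


def format_stat(entry):
    """libFuzzer-style NEW line, limited to the fields this toy tracks."""
    i, cov, units = entry
    return f"#{i}\tNEW cov {cov} units {units}"


def coverage(corpus):
    """Union of the edges reached by every unit in the corpus."""
    edges = set()
    for unit in corpus:
        edges |= run(unit)
    return edges


def minimize_corpus(corpus):
    """Greedy minimization: keep a unit only if it adds an uncovered edge.
    Largest-coverage units go first so fewer redundant units survive."""
    covered, kept = set(), []
    for unit in sorted(corpus, key=lambda u: len(run(u)), reverse=True):
        edges = run(unit)
        if edges - covered:
            covered |= edges
            kept.append(unit)
    return kept


if __name__ == "__main__":
    corpus, seen, log = fuzz([b"AAAA"], 20000, seed=1)
    for entry in log:
        print(format_stat(entry))
    small = minimize_corpus(corpus)
    print(f"{len(corpus)} units -> {len(small)} after minimization; "
          f"edges {len(coverage(small))} of {len(seen)} preserved")
```

Run it and the NEW lines thin out as the small target's edges are exhausted, which is the "diminishing returns" signal Kostya describes; on a real target the same stall is the cue to revisit flags such as max_len. Note that the minimized corpus keeps every edge of the full one, so no coverage is lost, but a unit that reproduced a crash is not treated specially here, just as save_minimized_corpus is a coverage tool and not an afl-tmin-style test-case reducer.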