diff options
| author | fanquake <fanquake@gmail.com> | 2023-09-15 10:08:02 +0100 |
|---|---|---|
| committer | fanquake <fanquake@gmail.com> | 2023-09-15 10:16:26 +0100 |
| commit | f608a409f7591b4f5cf170898bee58b9d9dcf1b6 (patch) | |
| tree | 8ce94fd2e3a2b8dc1a46d9e23e9d1104e3da850b | |
| parent | 8ef672937e572e16671fdbfdb5a90eaa882e6ee1 (diff) | |
| parent | 508d05f8a7b511dd53f543df8899813487eb03e5 (diff) | |
Merge bitcoin/bitcoin#28480: fuzz: Don't use afl++ deferred forkserver mode
508d05f8a7b511dd53f543df8899813487eb03e5 [fuzz] Don't use afl++ deferred forkserver mode (dergoegge)
Pull request description:
Fixes #28469
This makes our afl++ harness essentially behave like libFuzzer, with the exception that the whole program does fully reset every 100000 iterations. 100000 is somewhat arbitrary and we could also go with `std::numeric_limits<unsigned in>::max()` but a smaller limit does allow for the occasional reset to counter act some amount of instability in the fuzzing loop (e.g. non-determinism, statefulness).
It's a bit of a shame to do this just for the targets whose initial state can't be forked (e.g. threads) because other targets do benefit from not having to redo the state setup. An alternative would be https://github.com/bitcoin/bitcoin/issues/28469#issuecomment-1717526774:
```
If the goal is to be maximally performant, the fork would need to happen for each fuzz target specifically.
I guess it can be achieved by wrapping __AFL_INIT(); into a helper function and then require all fuzz
target initialize() to call it?
```
ACKs for top commit:
MarcoFalke:
lgtm ACK 508d05f8a7b511dd53f543df8899813487eb03e5
Tree-SHA512: d9fe94e2e3198795f8fb58f67eb383531a534bcd4ec75a1f0ae6ccb5531863dbc09800bb7d77536417745c4c8bc49a4f84dcc959918b27d4997a270eeacb0e7e
| -rw-r--r-- | src/test/fuzz/fuzz.cpp | 8 |
1 files changed, 1 insertions, 7 deletions
diff --git a/src/test/fuzz/fuzz.cpp b/src/test/fuzz/fuzz.cpp index f5697f14b1..32bd00ec03 100644 --- a/src/test/fuzz/fuzz.cpp +++ b/src/test/fuzz/fuzz.cpp @@ -192,17 +192,11 @@ int main(int argc, char** argv) { initialize(); static const auto& test_one_input = *Assert(g_test_one_input); -#ifdef __AFL_HAVE_MANUAL_CONTROL - // Enable AFL deferred forkserver mode. Requires compilation using - // afl-clang-fast++. See fuzzing.md for details. - __AFL_INIT(); -#endif - #ifdef __AFL_LOOP // Enable AFL persistent mode. Requires compilation using afl-clang-fast++. // See fuzzing.md for details. const uint8_t* buffer = __AFL_FUZZ_TESTCASE_BUF; - while (__AFL_LOOP(1000)) { + while (__AFL_LOOP(100000)) { size_t buffer_len = __AFL_FUZZ_TESTCASE_LEN; test_one_input({buffer, buffer_len}); } |