This is an archive of the discontinued LLVM Phabricator instance.

[libFuzzer] Add experimental feature to not use AFL's deferred forkserver.
ClosedPublic

Authored by metzman on Apr 17 2018, 3:59 PM.

Details

Summary

A small but substantial minority of libFuzzer-based fuzzers run code that does not play well with fork in global constructors or LLVMFuzzerInitialize.
This patch allows these fuzzers to use afl_driver by allowing them to opt out of using AFL's deferred forkserver, which defers calling fork until after this code.
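To make the process model concrete: the simulation below is an added example written for this page, not afl_driver's or the patch's code. It models a forkserver that spawns a fresh child every N inputs (persistent mode; AFL's default N is 1000) and counts how often the initialization hook runs: once in the parent when the forkserver is deferred until after initialization, and once per child when it is not. `fuzzer_initialize`, `test_one_input` and `run_simulation` are hypothetical names, and the inputs are constructed stand-ins.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Per-process counter standing in for whatever LLVMFuzzerInitialize does
   (hypothetical; constructed for this example, not afl_driver's code). */
static int init_calls = 0;
static void fuzzer_initialize(void) { init_calls++; }
static void test_one_input(const unsigned char *data, size_t size) { (void)data; (void)size; }

/* Feed total_inputs inputs, forking a fresh child every n_per_child of them the
   way AFL's forkserver does in persistent mode. With defer set, initialization
   runs once in the parent before any fork (AFL's deferred forkserver); without
   it, the fork happens first and every child initializes itself. Returns how
   many times fuzzer_initialize ran in total across all processes, or -1 on error. */
int run_simulation(int defer, int total_inputs, int n_per_child) {
  int fds[2];
  if (n_per_child <= 0 || pipe(fds) != 0) return -1;
  init_calls = 0;                          /* fresh count for each simulation run */
  if (defer) fuzzer_initialize();          /* deferred: init once, before the fork loop */
  int total = init_calls;
  for (int done = 0; done < total_inputs; done += n_per_child) {
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
      int before = init_calls;             /* inherited copy of the parent's count */
      if (!defer) fuzzer_initialize();     /* not deferred: init runs in each child */
      int batch = total_inputs - done;
      if (batch > n_per_child) batch = n_per_child;
      for (int i = 0; i < batch; i++) {
        unsigned char buf[4] = {0};        /* constructed stand-in for a test case */
        test_one_input(buf, sizeof buf);
      }
      int mine = init_calls - before;      /* report this child's init count to the parent */
      _exit(write(fds[1], &mine, sizeof mine) == (ssize_t)sizeof mine ? 0 : 1);
    }
    int child_calls = 0;
    ssize_t got = read(fds[0], &child_calls, sizeof child_calls);
    waitpid(pid, NULL, 0);
    if (got != (ssize_t)sizeof child_calls) { close(fds[0]); close(fds[1]); return -1; }
    total += child_calls;
  }
  close(fds[0]); close(fds[1]);
  return total;
}
```

With 3000 inputs and N = 1000, the deferred variant initializes once while the non-deferred variant initializes three times, which is the per-child cost the discussion below is about.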

Event Timeline

metzman created this revision. Apr 17 2018, 3:59 PM
Herald added subscribers: Restricted Project, llvm-commits, delcypher. Apr 17 2018, 3:59 PM

Won't this cause LLVMFuzzerInitialize to run every time AFL tries an input?

metzman updated this revision to Diff 142876. Apr 17 2018, 6:45 PM
  • Don't manually init the forkserver if we are not using the deferred one.

Won't this cause LLVMFuzzerInitialize to run every time AFL tries an input?

I don't think so. What makes you think this?
My understanding is that every time AFL tries a new input, lines 350-376 are executed, nothing here is really changed by this commit.

metzman edited the summary of this revision. Apr 17 2018, 6:57 PM
lebedev.ri retitled this revision from "Add experimental feature to not use AFL's deferred forkserver." to "[libFuzzer] Add experimental feature to not use AFL's deferred forkserver.". Apr 18 2018, 4:35 AM

Oh, I see. It still looks like the process is only forked every 1000 inputs by default. So LLVMFuzzerInitialize will only run every 1000 inputs, or less if a higher N is specified on the command line.

This patch seems reasonable to me, but let Kostya comment on it.

If the Chromium fuzzers are currently using the default N, you may want to bump it up so you're not calling LLVMFuzzerInitialize multiple times a second.

Oh, I see. It still looks like the process is only forked every 1000 inputs by default. So LLVMFuzzerInitialize will only run every 1000 inputs, or less if a higher N is specified on the command line.

Right (unless the process is restarted because it OOMs or times out).

This patch seems reasonable to me, but let Kostya comment on it.

If the Chromium fuzzers are currently using the default N, you may want to bump it up so you're not calling LLVMFuzzerInitialize multiple times a second.

This makes sense. But I don't think it is necessary since, as you said, N can be specified on the command line (we do this on ClusterFuzz, so it isn't useful for me personally).

kcc added a comment. Apr 20 2018, 10:07 AM

Is this testable?

I don't believe it is without AFL.

kcc accepted this revision. Apr 20 2018, 10:47 AM

LGTM

This revision is now accepted and ready to land. Apr 20 2018, 10:47 AM
This revision was automatically updated to reflect the committed changes.