Dec 11 2019
Can't you also generate LLVMFuzzerTestOneInput so that it calls LLVMFuzzerCustomOutput when e.g. LPM_DUMP_NATIVE_INPUT=1 ./binary <crash_input>
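Added example, not code from the libFuzzer patch or from libfuzzer-sys: a C fuzz target in the getenv() style discussed in these comments, where the raw bytes are decoded into a hypothetical NativeInput struct and, when LPM_DUMP_NATIVE_INPUT=1 is set, the decoded structure is printed before the code under test runs. The struct and the decode_native, format_native, dump_enabled and process helpers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Hypothetical structured input (assumed for this example): an opcode,
// a declared length, and a bounded payload.
typedef struct {
    uint8_t  op;
    uint16_t len;
    char     payload[16];
} NativeInput;

// Decode the fuzzer's byte string into a NativeInput. Returns 0 if too short.
int decode_native(const uint8_t *data, size_t size, NativeInput *out) {
    if (size < 3) return 0;
    memset(out, 0, sizeof *out);
    out->op  = data[0];
    out->len = (uint16_t)(data[1] | (data[2] << 8));
    size_t n = size - 3;
    if (n > sizeof out->payload - 1) n = sizeof out->payload - 1;  // keep NUL terminator
    memcpy(out->payload, data + 3, n);
    return 1;
}

// The runtime switch: dump only when the environment variable is set to "1".
int dump_enabled(const char *v) { return v != NULL && strcmp(v, "1") == 0; }
int dump_requested(void) { return dump_enabled(getenv("LPM_DUMP_NATIVE_INPUT")); }

// Human-readable form of the decoded input, written to a caller-supplied buffer
// so it can be checked without capturing stderr.
int format_native(const NativeInput *in, char *buf, size_t cap) {
    return snprintf(buf, cap, "op=%u len=%u payload=\"%s\"", in->op, in->len, in->payload);
}

// Stand-in for the code under test: rejects a declared length beyond the payload.
int process(const NativeInput *in) {
    return (size_t)in->len <= strlen(in->payload) ? 0 : -1;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    NativeInput in;
    if (!decode_native(data, size, &in)) return 0;
    if (dump_requested()) {  // reproducing a crash: show the structured input
        char line[64];
        format_native(&in, line, sizeof line);
        fprintf(stderr, "native input: %s\n", line);
    }
    process(&in);
    return 0;
}
```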
Dec 9 2019
Sorry, I wasn't clear. I mean if you write fuzz targets with the getenv() based solution I proposed, cargo fuzz can be extended so that it will execute the crashing input with the necessary env variable set. That way we achieve the following:
- if a crash happens, execute LPM_DUMP_NATIVE_INPUT=1 ./binary <crash_input> to get the input fancy printed
Dec 6 2019
Oh, why do you need to print it every time fuzz target hits a crash? It should be an option controlled during runtime, so that users or an automated infrastructure can easily turn it on when reproducing an individual crash.
Also, to be clear, since we build libFuzzer ourselves, this patch doesn't _have_ to be upstreamed for us to be able to use it, but we'd prefer to not have to fork libFuzzer, and I strongly feel that there will be other people for whom this patch will be useful.
Dec 5 2019
Looking more closely at the libfuzzer+protobuf stuff, what we're doing is quite similar to the protobuf thing, except we're not using protobufs since Rust lets you do custom derives which allow us to directly create a bits-to-structured data function.
I can totally see how this is helpful in some cases when running libFuzzer manually, but it can also be very annoying when the reproducer is large.
In any kind of automated scenario, it should be easy to add a separate binary that prints the inputs in human readable form.
Nov 26 2019
I don't see how this is a corner case: anything fuzzing with structured data by parsing the bytestring into something more structured will benefit from this. cargo-fuzz is used by a lot of Rust programs and some of them use the automatic structured data stuff, so they'd all benefit. I wish C++ codebases had something like this so that it would be easier to write good fuzz testcases, but as of now they don't and you have to convert bytestrings into input by hand. Still, such tests could make use of a custom output formatter.
We're hoping to use this in cargo-fuzz: https://github.com/rust-fuzz/libfuzzer-sys/pull/48