On 210304 1843, Yan Zhiqiang wrote:
> Hello Alex,
> I'm learning the fuzzing in QEMU recently; I reviewed the fuzz code under
> /tests/qtest/fuzz which is written by you.
> I learned a lot from it, but I got stuck when I wanted to debug the fuzz code.
> I use gdb with the command as follows:
>
> > gdb -q --args ./qemu-fuzz-i386 --fuzz-target=generic-fuzz-virtio-vga
> > ./fuzz-output
>
> and set a breakpoint at generic_fuzz.c:generic_fuzz.
> It actually stops when it hits the breakpoint. But the function argument Size
> is zero and then it goes to _Exit(0). (Tried many times but always the same.)
Hi Zhiqiang,

Happy to have more people look at the fuzzing code. We run each input in a
forked process. Maybe you need to run "set follow-fork-mode child" in gdb?

> Then I input `c` to continue.
> However, it never hits the breakpoint after that. Just as the picture shows.
> [image: 1614854239086.jpg]
> I tried the qtest debug method, but failed.
> I want to know the real process state to learn the QEMU fuzzing and add a new
> fuzzer for QEMU.
> Could you tell me what's the right method to debug the fuzz code? Thank you!

For debugging crashes, I usually build QEMU with --enable-sanitizers (ASAN),
and I convert the crash to a "QTest" reproducer, so it can be debugged in a
normal build of qemu. There's an RFC that has instructions for how to do
this:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06035.html

Let me know if I can provide any more info.
-Alex

>
> Regards,
> Zhiqiang Yan
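A gdb command file that puts the follow-fork advice from the reply together with the breakpoint from the question. This is an added example, not code from the thread or from the QEMU tree. It assumes the binary path, target name and `generic_fuzz` parameter name `Size` exactly as given in the question; the second breakpoint, `virtio_pci_common_write` (a handler in hw/virtio/virtio-pci.c), is only an illustrative choice of where the input reaches the device model, pick whichever handler you are investigating.

```gdb
# debug-fuzz.gdb: follow the per-input child of QEMU's generic fuzzer.
# Added example, not part of the QEMU tree. Run it as:
#
#   gdb -q -x debug-fuzz.gdb --args ./qemu-fuzz-i386 \
#       --fuzz-target=generic-fuzz-virtio-vga ./fuzz-output

set pagination off

# generic_fuzz() is entered in the parent, then the input is executed in a
# fork()ed child that ends with _Exit(0). gdb stays with the parent by default,
# so breakpoints in device code never fire unless gdb follows the child.
set follow-fork-mode child

# Keep the parent attached as a second inferior instead of detaching it, so the
# session still has something to debug once the child has _Exit()ed.
set detach-on-fork off

# libFuzzer first calls the target with an empty input; the condition skips that
# Size == 0 call (the _Exit(0) stop seen in the question) and stops on real data.
break generic_fuzz if Size > 0

# Breakpoint that is only reachable in the child: a virtio-pci config-space
# write handler, chosen here purely as an example of a device-model entry point.
break virtio_pci_common_write
commands
  bt 8
end

run
```

Usage note: when the child exits, gdb reports the inferior exiting while the parent (inferior 1) is still stopped at the fork; `inferior 1` followed by `continue` resumes it so the next input is forked and followed the same way. `info inferiors` lists both. If the build uses ASAN as the reply suggests, the sanitizer's own report on a crash is printed in the child, which is the process gdb is now attached to.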