On 210305 1551, Qiuhao Li wrote:
> On Thu, 2021-03-04 at 10:23 -0500, Alexander Bulekov wrote:
> > On 210304 1843, Yan Zhiqiang wrote:
> > > Hello Alex,
> > > I've been learning the fuzzing in QEMU recently, and I reviewed the fuzz code under
> > > /tests/qtest/fuzz which is written by you.
> > > I learned a lot from it, but I got stuck when I wanted to debug the fuzz code.
> > > I use gdb with the command as follows:
> > >
> > > > gdb -q --args ./qemu-fuzz-i386 --fuzz-target=generic-fuzz-virtio-vga ./fuzz-output
> > >
> > > and set a breakpoint at generic_fuzz.c:generic_fuzz.
> > > It actually stops when it hits the breakpoint. But the function argument Size
> > > is zero and then it goes to _Exit(0). (tried many times but always the same)
> >
> > Hi Zhiqiang,
> > Happy to have more people look at the fuzzing code.
> > We run each input in a forked process. Maybe you need to run
> > "set follow-fork-mode child" in gdb?
>
> Hi Alex,
>
> Just curious why you chose to use libfuzzer at first instead of
> AFL and its descendants like AFL++, since they use a forkserver by
> design, and the performance also seems better [1].
>
> [1] https://www.fuzzbench.com/reports/2021-02-13-paper/index.html
Hi Qiuhao,

It was a primary goal to run the fuzzers on OSS-Fuzz, and at the time, AFL++ was not an option on OSS-Fuzz. Because I didn't find any great way to reset QEMU between inputs, we hacked in a forkserver. It still seems that OSS-Fuzz is primarily designed around libfuzzer, but now that there seems to be AFL++ support, it would be nice to start using AFL++ as well. I just haven't had the time to look into it ;)

I've seen the fuzz-bench results - it will be interesting to see the performance for an enormous target like QEMU. There are also some things that AFL++ doesn't do as well as libfuzzer - some examples here:
https://github.com/AFLplusplus/fuzzer-challenges/tree/main/libfuzzer

-Alex

> Thank you.
> Qiuhao Li
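A gdb command file that applies the "set follow-fork-mode child" advice from the quoted exchange, added here as an example and not part of the original thread or of QEMU. It assumes qemu-fuzz-i386 is built with debug info and that generic_fuzz has a Size argument as the quoted message states; the conditional breakpoint, the detach-on-fork setting and the file name debug-fuzz.gdb are my additions.

```gdb
# debug-fuzz.gdb (constructed example): run qemu-fuzz-i386 under gdb so that
# debugging continues in the forked process that actually runs each input.
#
#   gdb -q -x debug-fuzz.gdb --args ./qemu-fuzz-i386 \
#       --fuzz-target=generic-fuzz-virtio-vga ./fuzz-output

# Each input runs in a forked process, so follow the child on fork instead
# of staying in the parent (gdb's default).
set follow-fork-mode child

# Keep the parent attached as a second inferior so `inferior 1` can return
# to it after the child exits; by default gdb detaches from it on fork.
set detach-on-fork off

# Skip the zero-length run seen in the original question: only stop when
# generic_fuzz receives a non-empty input. Size is assumed to be the
# libFuzzer-style length parameter named in the quoted message.
break generic_fuzz if Size > 0

# On each hit, show how many bytes arrived and where, dump the first bytes
# of the input, then drop to the prompt for stepping.
commands
  silent
  printf "generic_fuzz: Size=%lu Data=%p\n", (unsigned long)Size, Data
  x/16xb Data
end

run
```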