AFLplusplus / AFLplusplus

The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!
https://aflplus.plus
Apache License 2.0

Freezing when combining -D with post-process #2199

Closed bendrissou closed 2 months ago

bendrissou commented 2 months ago

Hi,

I am running AFL with a post-processing function. The fuzzer works well. However when I try to run the fuzzer with -D (the deterministic stage), the fuzzer executes very slowly then freezes after some time. On a local machine it eventually crashes with code 137. On a large machine, it freezes:

[Screenshot 2024-08-23 at 15:42:38]
$ cat fuzzer_setup
# environment variables:
AFL_CUSTOM_MUTATOR_LIBRARY=/home/AFLplusplus/custom_mutators/rust/target/release/lib_lua_repair.so
AFL_CUSTOM_INFO_PROGRAM=/home/benchmarks/lua/src/lua
AFL_CUSTOM_INFO_PROGRAM_ARGV=@@
AFL_CUSTOM_INFO_OUT=/home/benchmarks/lua/findings-nautilus+aflrepair/aflrepair
AFL_SYNC_TIME=1
# command line:
'afl-fuzz' '-D' '-x' 'lua.dict' '-S' 'aflrepair' '-V' '360000' '-a' 'text' '-i' '/home/benchmarks/lua/one-seed' '-o' '/home/benchmarks/lua/findings-nautilus+aflrepair' '/home/benchmarks/lua/src/lua' '@@'

Any idea why the deterministic stage does not work well with custom mutators?

vanhauser-thc commented 2 months ago

Are you not using the GitHub state? -D has done nothing for quite some time now

bendrissou commented 2 months ago

I am using a slightly older commit. The fuzzer freezes for extremely long intervals during deterministic steps. Not sure how to debug this issue.

bendrissou commented 2 months ago

Each call to the post-processing function consumes around 10 milliseconds. This is not a problem in the non-deterministic mode, but once I enable the deterministic mode, the fuzzer starts to freeze. Could it be that deterministic mutations invoke post-processing multiple times at each cycle?
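
One way to confirm the suspicion raised in this comment, added here as an illustration rather than code from AFL++ or from the issue author: an AFL++ Python custom mutator whose post_process hook counts its own invocations and the time spent in the repair step, and appends the counters to a file every few hundred calls. The periodic flush matters because a fuzzer killed with exit code 137 (SIGKILL) never reaches deinit. The hook names init, fuzz, post_process and deinit follow the AFL++ Python custom mutator interface (loaded with AFL_PYTHON_MODULE); the repair function, POSTPROC_STATS and POSTPROC_FLUSH_EVERY are placeholders assumed for the example.

```python
"""Instrumented post_process hook for an AFL++ Python custom mutator.

Added example, not AFL++ code and not the issue author's mutator.
Hook names (init, fuzz, post_process, deinit) follow the AFL++ Python
custom mutator interface; load with AFL_PYTHON_MODULE=<module name>.
The repair step, POSTPROC_STATS and POSTPROC_FLUSH_EVERY are assumed
names for this example.
"""
import os
import random
import time

STATS_PATH = os.environ.get("POSTPROC_STATS", "/tmp/postproc_stats.txt")  # assumed
FLUSH_EVERY = int(os.environ.get("POSTPROC_FLUSH_EVERY", "1000"))          # assumed

_calls = 0      # post_process invocations since init
_total_ns = 0   # wall time spent inside repair()
_max_ns = 0     # slowest single call
_rng = random.Random()


def init(seed):
    global _calls, _total_ns, _max_ns
    _calls = _total_ns = _max_ns = 0
    _rng.seed(seed)


def repair(buf: bytes) -> bytes:
    """Placeholder for the expensive repair step: keep printable ASCII,
    tab and newline, and make sure the test case ends with a newline."""
    out = bytes(b for b in buf if 32 <= b < 127 or b in (9, 10))
    if not out.endswith(b"\n"):
        out += b"\n"
    return out


def stats():
    """Counters as a dict; avg_ms is the mean cost of one post_process call."""
    avg_ms = (_total_ns / _calls) / 1e6 if _calls else 0.0
    return {"calls": _calls, "avg_ms": avg_ms, "max_ms": _max_ns / 1e6}


def write_stats():
    s = stats()
    with open(STATS_PATH, "a") as f:
        f.write("calls=%d avg_ms=%.3f max_ms=%.3f\n"
                % (s["calls"], s["avg_ms"], s["max_ms"]))


def post_process(buf):
    """afl-fuzz applies post_process to every test case it writes, so
    each deterministic step pays the full repair cost once."""
    global _calls, _total_ns, _max_ns
    t0 = time.perf_counter_ns()
    out = repair(bytes(buf))
    dt = time.perf_counter_ns() - t0
    _calls += 1
    _total_ns += dt
    _max_ns = max(_max_ns, dt)
    if _calls % FLUSH_EVERY == 0:
        write_stats()  # flush while running; deinit is never reached on SIGKILL
    return bytearray(out)


def fuzz(buf, add_buf, max_size):
    """Minimal mutator so the module is usable on its own: flip one bit."""
    out = bytearray(buf)
    if out:
        i = _rng.randrange(len(out))
        out[i] ^= 1 << _rng.randrange(8)
    return out[:max_size]


def deinit():
    write_stats()
```

Reading the stats file while afl-fuzz sits in a deterministic stage shows how fast the call counter climbs for a single queue entry; multiplying that rate by avg_ms gives the time the stage will spend in post-processing alone, which is the number to compare against the freeze described above.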

bendrissou commented 2 months ago

@vanhauser-thc I want to use the old deterministic mutations, including auto extras, so I have reverted to a previous commit 1ffb1b6. I think it's useful to keep the deterministic strategy as I find it useful. I can't find documentation for the new enhanced deterministic strategy, plus the dashboard does not reflect the new changes!

vanhauser-thc commented 2 months ago

you are using an outdated version with a feature that does not exist anymore. please understand that I have zero time to support that... you are on your own.