Closed rmalmain closed 3 weeks ago
fatal runtime error: failed to initiate panic, error 5
thread 'DeserializeBadVarint
from which fuzzer exactly you get this error?
fuzzers/fuzzbench then make libafl incldue dump_state feature
i check
fatal runtime error: failed to initiate panic, error 5
^C^Cthread '<unnamed>' panicked at src/lib.rs:170:10:
An error occurred while fuzzing: Serialize("DeserializeBadVarint", 0: libafl_bolts::Error::serialize
at /home/toka/LibAFL/libafl_bolts/src/lib.rs:329:38
<libafl_bolts::Error as core::convert::From<postcard::error::Error>>::from
at /home/toka/LibAFL/libafl_bolts/src/lib.rs:534:9
1: <core::result::Result<T,F> as core::ops::try_trait::FromResidual<core::result::Result<core::convert::Infallible,E>>>::from_residual
at /rustc/8fcd4dd08e2ba3e922d917d819ba0be066bdb005/library/core/src/result.rs:1989:27
libafl_bolts::staterestore::StateRestorer<SP>::restore
at /home/toka/LibAFL/libafl_bolts/src/staterestore.rs:280:28
libafl::events::simple::SimpleRestartingEventManager<MT,S,SP>::launch
at /home/toka/LibAFL/libafl/src/events/simple.rs:553:34
2: fuzzbench::fuzz
at /home/toka/LibAFL/fuzzers/fuzzbench/src/lib.rs:229:34
3: libafl_main
at /home/toka/LibAFL/fuzzers/fuzzbench/src/lib.rs:169:5
4: main
at /home/toka/LibAFL/libafl_targets/src/libfuzzer.c:38:5
5: __libc_start_call_main
at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
6: __libc_start_main_impl
at ./csu/../csu/libc-start.c:392:3
Removing "libafl_bolts/unsafe_stable_anymap"
works.
What is the reason that you added it here?
advice from Dominik above. it should work nonetheless though
😅 🤚 but it doesn't
maybe it's just a bug of the unsafe_stable_anymap
feature, unrelated to dump_state
?
i confirm it's from the unsafe_stable_anymap
feature, i tried with the feature alone without dump_state and it still triggers the same crash.
can you have a look @domenukk?
what exactly does this feature do?
it makes the deseralization work across different compilations of libafl. the problem if TypeId is that it is an arbitrary number that can change from compilation to compilation. type_name is stable as long as the name of the type remains the same.
ok then it won't work without this.
But I agree,
for our experiment this is okay.
but for this to be merged, StdStateDump
and TestcaseDump
is too dirty
The only information that we can get now is just the bytes of the Testcase and the timestamp.
at this point I would just name this feature as Testcase dump
instead of State dump
.
then it's a useful feature, because you can still get the corpus without ondisk corpus.
The only information that we can get now is just the bytes of the Testcase and the timestamp.
at this point I would just name this feature as
Testcase dump
instead ofState dump
. then it's a useful feature, because you can still get the corpus without ondisk corpus.
I would take the feature out then. Timestamp and Testcase bytes are already in the ondisk corpus
Also we have the dump to disk stage which does a better job.
Also we have the dump to disk stage which does a better job.
yes. in theory we can just achieve the same thing with ifstage and disk stage
then we could still keep that INTERRUPT_FUZZER variable though. maybe it could be useful for something else
now that unsafe stable anymap works you can get the features back(?)
You could consider dumping to toml or something more human firendly(?)
i think we won't merge this in the end?
Having a proper state dump (like, a full one) could be good?
there are changes there that should be merged IMHO. I'll do a clean version of dump_state, i think it's good to have this around
i think dump_state should dump the state in a human-readable format (json or toml) and it does not need to dump the testcase, because we already have a stage for it.
i agree of the human-readable format. we still need a form of link between this and the tcs no? for example we can store the hash of tcs in the json stuff per fuzzing core or smth
if the purpose is to dump the state, there's more proper way to do it without using signals. i'll keep the really necessary part of this and merge
idk but this doesn't work with fuzzers/fuzzbench