Atheris calls __sanitizer_cov_8bit_counters_init() for bytecode instrumentation counters from TestOneInput().
Libfuzzer excepts counters to be initialized before the fuzzing loop.
As a result, libfuzzer's output misses "INFO:" section about modules (if no native and instrumented module is loaded before by Python code). Possibly there are some more consequences, but they are not known to me. Lack of this output means we do not know how much counters are in use.
[afl++ atheris-crashes-4809e3f9-hgbmt] /workdir # gdb /usr/bin/python3
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
(gdb) run target.py
INFO: Instrumenting pathlib
INFO: Instrumenting fnmatch
INFO: Instrumenting ntpath
INFO: Instrumenting urllib
INFO: Instrumenting urllib.parse
INFO: Using built-in libfuzzer
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2374636383
[New Thread 0x7ffff5cbc640 (LWP 34934)]
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 39Mb
8<=================================
(gdb) b __sanitizer_cov_8bit_counters_init
Breakpoint 1 at 0x7ffff7428df0: file /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp, line 40.
(gdb) run target.py
INFO: Instrumenting pathlib
INFO: Instrumenting fnmatch
INFO: Instrumenting ntpath
INFO: Instrumenting urllib
INFO: Instrumenting urllib.parse
INFO: Using built-in libfuzzer
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1189053150
[New Thread 0x7ffff5cbc640 (LWP 36037)]
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
Thread 1 "python3" hit Breakpoint 1, __sanitizer_cov_8bit_counters_init (Start=0x7ffff53bc000 "", Stop=0x7ffff53bc5b2 "") at /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:465
465 /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp: No such file or directory.
(gdb) bt
#0 __sanitizer_cov_8bit_counters_init (Start=0x7ffff53bc000 "", Stop=0x7ffff53bc5b2 "") at /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:465
#1 0x00007ffff73d8165 in atheris::TestOneInput (data=0x555555ca0be0 "\360,\347\367\377\177", size=0) at src/native/core.cc:138
#2 0x00007ffff740f4a5 in fuzzer::Fuzzer::ExecuteCallback (this=this@entry=0x555555c8a090, Data=Data@entry=0x7fffffffc6df "", Size=Size@entry=0) at /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:617
#3 0x00007ffff741557e in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora (this=this@entry=0x555555c8a090, CorporaFiles=std::vector of length 0, capacity 0) at /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:810
#4 0x00007ffff7415c07 in fuzzer::Fuzzer::Loop (this=this@entry=0x555555c8a090, CorporaFiles=std::vector of length 0, capacity 0) at /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:870
#5 0x00007ffff73fdac7 in fuzzer::FuzzerDriver (argc=<optimized out>, argv=<optimized out>, Callback=<optimized out>) at /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912
#6 0x00007ffff73d8c75 in atheris::start_fuzzing(std::vector<std::string, std::allocator<std::string> > const&, std::function<void (pybind11::bytes)> const&) (args=std::vector of length 0, capacity 2, test_one_input=...) at src/native/core.cc:226
8<===============================================
#36 0x000055555577f225 in _start ()
(gdb) b TracePC::PrintModuleInfo()
Breakpoint 2 at 0x7ffff7427bd0: file /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp, line 81.
(gdb) run target.py
INFO: Instrumenting pathlib
INFO: Instrumenting fnmatch
INFO: Instrumenting ntpath
INFO: Instrumenting urllib
INFO: Instrumenting urllib.parse
INFO: Using built-in libfuzzer
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1525613820
Breakpoint 2, fuzzer::TracePC::PrintModuleInfo (this=this@entry=0x7ffff7454400 <fuzzer::TPC>) at /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:81
81 /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp: No such file or directory.
(gdb) bt
#0 fuzzer::TracePC::PrintModuleInfo (this=this@entry=0x7ffff7454400 <fuzzer::TPC>) at /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:81
#1 0x00007ffff740d5c8 in fuzzer::Fuzzer::Fuzzer (this=0x555555c8a090, CB=<optimized out>, Corpus=..., MD=..., Options=...) at /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:153
#2 0x00007ffff73fbe2f in fuzzer::FuzzerDriver (argc=<optimized out>, argv=<optimized out>, Callback=0x7ffff73d8100 <atheris::TestOneInput(unsigned char const*, unsigned long)>) at /root/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:813
#3 0x00007ffff73d8c75 in atheris::start_fuzzing(std::vector<std::string, std::allocator<std::string> > const&, std::function<void (pybind11::bytes)> const&) (args=std::vector of length 0, capacity 2, test_one_input=...) at src/native/core.cc:226
Atheris calls
__sanitizer_cov_8bit_counters_init()for bytecode instrumentation counters fromTestOneInput().Libfuzzer excepts counters to be initialized before the fuzzing loop.
As a result, libfuzzer's output misses "INFO:" section about modules (if no native and instrumented module is loaded before by Python code). Possibly there are some more consequences, but they are not known to me. Lack of this output means we do not know how much counters are in use.
Output in question:
This happens due to
TracePC::NumModulesincrease in https://github.com/llvm/llvm-project/blob/cfb702676cc181877482a282fe7e07109a24dc9d/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp#L39 not happening before a call to https://github.com/llvm/llvm-project/blob/cfb702676cc181877482a282fe7e07109a24dc9d/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp#L80 that is invoked from__sanitizer_cov_8bit_counters_init().