google / fuzzbench

FuzzBench - Fuzzer benchmarking as a service.
https://google.github.io/fuzzbench/
Apache License 2.0
1.09k stars 266 forks

Enable dynamic library measurement in dispatcher #1842

Open xuesu opened 1 year ago

xuesu commented 1 year ago

I need to add 7z (the 7z binary, with an instrumented 7z.so) as a new benchmark. In order to keep the testing manner as close as possible to fuzztrusion, I didn't statically link 7z.so, which means that in the dispatcher I need to run

llvm-cov export ./fuzzer_7z -instr-profile=default.profdata -object=./7z.so -object=./fuzzer_7z > cov.json

instead of

llvm-cov export ./fuzzer_7z -instr-profile=default.profdata > cov.json

Right now I use a self-defined option cov_objects in benchmarks/7zip_7z/benchmark.yaml to solve this problem.

jonathanmetzman commented 1 year ago

So is the question that one of your benchmarks needs a shared object that we don't use during measuring? I'd recommend using static linking to get around this.

xuesu commented 1 year ago

Just a suggestion. However, I found a more severe problem with/without a dynamic library, and https://github.com/google/fuzzbench/commit/3ed8cc8a63b2bbddbc5a5cb391f9a404ad85d002 seems like it couldn't solve it?? I found that libFuzzer loses its coverage whenever it encounters a crash. E.g.: the corpus has 3000 seeds, and the 1001st and 2001st seeds are crash-related (OOM, segmentation fault, timeout...). Then llvm-cov will output the branch coverage of the 2001st->3000th seeds as a coverage of 3274. However, if I remove the 1001st and 2001st seeds and use the remaining 2998 inputs for llvm-cov, then llvm-cov will output a branch coverage of 3436.. That is, libFuzzer cannot really process a corpus with crashes. I can use a solution of running libfuzzertarget -merge -dump_coverage=1 to catch which file causes a crash, then remove them and run a second dry run to get the real coverage. However, as we have a strategy that will generate so many seeds, I cannot afford the price of measuring twice. Should I alter libFuzzer to run a merge of my own??? (Maybe I have a talent for crashing a system that appears to be working?) Or maybe I should replace libFuzzer itself???? (Still integrating p7zip; as a special target, it always generates some crashes within 5 mins.)
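
An added example (not FuzzBench code and not from this thread) that shows the two measurement changes discussed above: passing every instrumented shared object to llvm-cov with its own -object flag, and bisecting the corpus so that a crashing seed costs only a few extra runs instead of a second full pass over all inputs. It assumes a libFuzzer target built with -fprofile-instr-generate that accepts input files as positional arguments; run_fuzzer_batch, measure_corpus and export_coverage are hypothetical names.

```python
import os
import subprocess
from typing import Callable, List, Tuple

def llvm_cov_export_cmd(target: str, profdata: str, objects: List[str]) -> List[str]:
    """Build the llvm-cov export command. Each extra instrumented object (here a
    shared library such as 7z.so) needs its own -object= flag, otherwise its
    counters are left out of the report."""
    return (["llvm-cov", "export", target, f"-instr-profile={profdata}"]
            + [f"-object={obj}" for obj in objects])

def run_fuzzer_batch(target: str, batch: List[str], profraw: str) -> bool:
    """Run a libFuzzer target on a list of input files (positional file arguments
    are executed one by one). Assumption: a clean exit writes LLVM_PROFILE_FILE,
    while a crash, OOM or timeout aborts the process and loses the whole batch's
    profile, which is the effect described in the thread."""
    env = dict(os.environ, LLVM_PROFILE_FILE=profraw)
    rc = subprocess.run([target, "-runs=0", *batch], env=env,
                        capture_output=True).returncode
    return rc == 0 and os.path.exists(profraw)

Runner = Callable[[List[str], str], bool]

def measure_corpus(inputs: List[str], run_batch: Runner, workdir: str) -> Tuple[List[str], List[str]]:
    """Return (profraw files of clean batches, crashing inputs). A failed batch is
    bisected, so each crash costs about log2(n) extra runs rather than a second
    full pass; the coverage of every non-crashing seed is still collected."""
    profraws, crashers, stack, n = [], [], [list(inputs)], 0
    while stack:
        batch = stack.pop()
        if not batch:
            continue
        n += 1
        profraw = os.path.join(workdir, f"batch{n}.profraw")
        if run_batch(batch, profraw):
            profraws.append(profraw)
        elif len(batch) == 1:
            crashers.append(batch[0])  # isolated crasher: record it, keep the rest
        else:
            mid = len(batch) // 2
            stack.extend((batch[:mid], batch[mid:]))
    return profraws, crashers

def export_coverage(target: str, inputs: List[str], objects: List[str], workdir: str) -> Tuple[bytes, List[str]]:
    """Merge the per-batch profiles and export JSON coverage for the main binary
    plus every listed shared object."""
    profraws, crashers = measure_corpus(inputs, lambda b, p: run_fuzzer_batch(target, b, p), workdir)
    profdata = os.path.join(workdir, "merged.profdata")
    subprocess.run(["llvm-profdata", "merge", "-sparse", "-o", profdata, *profraws], check=True)
    cov = subprocess.run(llvm_cov_export_cmd(target, profdata, objects),
                         check=True, capture_output=True).stdout
    return cov, crashers
```

The crashing seeds returned alongside the JSON can be logged by the dispatcher so that the measured coverage is explicitly reported as "all inputs except these".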

xuesu commented 1 year ago

corpus_bin_withorwithout_crash_json.zip