rust-fuzz / afl.rs

🐇 Fuzzing Rust code with American Fuzzy Lop
https://rust-fuzz.github.io/book/afl.html
Apache License 2.0

Stability is not 100% even with an empty fuzzing target #152

Open pedrocr opened 5 years ago

pedrocr commented 5 years ago

When fuzzing rawloader I'm getting these warnings on startup:

[!] WARNING: Instrumentation output varies across runs.

and when running the fuzzer stability is around 68% which is extremely low. Even an empty fuzzing target like this:

#[macro_use]
extern crate afl;

fn main() {
  fuzz!(|data: &[u8]| {
  });
}

Only shows 93 or 94% stability. Am I doing something wrong or is there a bug somewhere?

pedrocr commented 5 years ago

Apparently lazy_static is something that needs to be handled carefully for afl. It ends up only being initialized inside the loop instead of only once. It's easy to work around in this codebase but it may be something that needs to be fixed more fully for other codebases to work well.
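An added illustration of the effect described in this comment; it is not code from the issue or from afl.rs. `std::sync::OnceLock` stands in for `lazy_static`, the `target` function stands in for the body of the `fuzz!` closure, and `LazyTable` / `init_inside_iterations` are hypothetical names, so the example runs with no external crates.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::OnceLock;
/// A lazily built lookup table, the shape of value `lazy_static!` produces.
/// A struct rather than a `static` so each run below gets a fresh instance.
struct LazyTable {
    cell: OnceLock<Vec<u32>>,
    init_runs: AtomicUsize, // how often the initialiser actually ran
}
impl LazyTable {
    fn new() -> Self {
        LazyTable { cell: OnceLock::new(), init_runs: AtomicUsize::new(0) }
    }
    /// First access runs the initialiser; later accesses hit the cache.
    fn get(&self) -> &Vec<u32> {
        self.cell.get_or_init(|| {
            self.init_runs.fetch_add(1, Ordering::SeqCst);
            (0..256u32).map(|i| i.wrapping_mul(2_654_435_761)).collect()
        })
    }
}

/// Code under test, standing in for the body of afl's `fuzz!` closure.
fn target(table: &LazyTable, data: &[u8]) -> u32 {
    data.iter().fold(0u32, |acc, &b| acc ^ table.get()[b as usize])
}

/// Drives the target over `inputs` like a persistent fuzz loop and reports,
/// per iteration, whether the initialiser ran inside that iteration. A `true`
/// is a code path the fuzzer never sees again for that input: lost stability.
fn init_inside_iterations(inputs: &[&[u8]], eager: bool) -> Vec<bool> {
    let table = LazyTable::new();
    if eager {
        // Workaround: force the one-time initialisation before the loop
        // (lazy_static provides `lazy_static::initialize(&X)` for this).
        let _ = table.get();
    }
    inputs
        .iter()
        .map(|input| {
            let before = table.init_runs.load(Ordering::SeqCst);
            let _ = target(&table, input);
            table.init_runs.load(Ordering::SeqCst) != before
        })
        .collect()
}

fn main() {
    let inputs: [&[u8]; 3] = [b"abc", b"abc", b"xyz"];
    println!("lazy {:?} eager {:?}", init_inside_iterations(&inputs, false), init_inside_iterations(&inputs, true));
}
```

With lazy initialisation the first iteration is the only one that runs the initialiser, so its path differs from every later run of the same input; forcing initialisation before the loop makes all iterations identical.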

pedrocr commented 5 years ago

Having kept at it I'm now hitting ~90% stability only. Since the empty fuzz target is showing ~94% this seems like a bug somewhere in how afl.rs is doing the instrumentation.

pedrocr commented 5 years ago

Apparently this happens because of the panic hook as well. Without it stability goes back to 100%.