rust-fuzz / afl.rs

🐇 Fuzzing Rust code with American Fuzzy Lop
https://rust-fuzz.github.io/book/afl.html
Apache License 2.0

Reproducing crashes workflow #463

Closed jberryman closed 7 months ago

jberryman commented 7 months ago

This is more of a question or feature request, but I'm confused about an effective workflow for testing fixes to crashes found during fuzzing. As documented in the book, I can do:

cargo afl run --release < fuzz_outputs/main/crashes/…

And observe a crash. However, if I fix the bug, this just hangs, it seems. If I run the harness binary directly I see:

target/release/parser-fuzz-target <  /tmp/asdlklkjasdf
[1]  + 2729446 suspended (signal)  target/release/parser-fuzz-target < /tmp/asdlklkjasdf

My goal is to check that all the crashes are fixed; is there a way to script that without creating a new binary and compiling without instrumentation?

smoelius commented 7 months ago

My goal is to check that all the crashes are fixed; is there a way to script that without creating a new binary and compiling without instrumentation?

You're using the fuzz! macro, correct?

The only thing I can think of is to add a std::process::exit(0); as the last statement in the fuzz! closure body. But I suspect this will impact persistent fuzzing. So you may want to conditionally enable it.

I am sorry I don't have a better answer for you.
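As an added example of scripting the check across all saved crashes (this is not code from afl.rs or from either commenter), the shell script below replays every file in the crashes directory through the harness and classifies each run as fixed, crash, or hang. It assumes the harness exits 0 once an input no longer crashes, for instance by gating the `std::process::exit(0)` suggested above behind an environment variable so that it does not affect persistent fuzzing under afl-fuzz. The harness path, the output directory and the `REPLAY_TIMEOUT` variable are placeholders, and the `timeout` utility (GNU coreutils or busybox) is required.

```shell
#!/bin/sh
# replay_crashes.sh: re-run every saved crash input through an afl.rs harness
# and report which inputs still crash. Added example, not part of afl.rs.
#
# Assumption: the harness binary exits 0 when an input no longer crashes,
# e.g. via an env-var-gated `std::process::exit(0)` at the end of the fuzz!
# closure. Without that, a fixed input may block in the persistent loop;
# the timeout below reports such a run as "hang" instead of wedging the loop.
#
# REPLAY_TIMEOUT: seconds before a run is classified as a hang (default 5).

# classify_input HARNESS FILE -> prints one of: fixed, crash, hang
classify_input() {
    harness=$1
    input=$2
    # Run inside `if` so a non-zero status never trips `set -e` in callers.
    if timeout "${REPLAY_TIMEOUT:-5}" "$harness" < "$input" > /dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    case $status in
        0)   echo fixed ;;   # harness consumed the input and exited 0
        124) echo hang ;;    # killed by timeout: still blocking or looping
        *)   echo crash ;;   # non-zero exit, or killed by a signal (128+N,
                             # e.g. 134 for SIGABRT, 139 for SIGSEGV)
    esac
}

# replay_crashes HARNESS DIR -> prints "<result> <file>" for each input and
# returns 0 only if every input is classified as fixed.
replay_crashes() {
    harness=$1
    dir=$2
    failures=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # afl-fuzz drops a README.txt into crashes/; it is not a test input.
        case ${f##*/} in README.txt) continue ;; esac
        result=$(classify_input "$harness" "$f")
        echo "$result $f"
        [ "$result" = fixed ] || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Usage (paths are placeholders):
#   sh replay_crashes.sh target/release/parser-fuzz-target fuzz_outputs/main/crashes
if [ "$#" -eq 2 ]; then
    replay_crashes "$1" "$2"
fi
```

AFL crash file names contain commas and colons, so every expansion of `$f` is quoted. `timeout` signals the whole process group of the harness, so a run stuck in a blocking read is reported as a hang and the loop continues with the next input; the non-zero return of `replay_crashes` makes the script usable as a CI gate once all crashes are believed fixed.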

jberryman commented 7 months ago

You're using the fuzz! macro, correct?

Yes. No worries, and thanks for the feedback.