rust-fuzz / honggfuzz-rs
Fuzz your Rust code with Google-developed Honggfuzz!
Home Page: https://crates.io/crates/honggfuzz
License: Apache License 2.0
As can be seen in the following commit history, this was fixed in early January, but the current honggfuzz version is from early December of last year.
https://github.com/google/honggfuzz/commits/master/linux/bfd.c
Compilation currently fails on my system because of this.
--- stderr
linux/bfd.c: In Funktion »arch_getSectionForPc«:
linux/bfd.c:125:36: Fehler: Implizite Deklaration der Funktion »bfd_get_section_vma«; meinten Sie »bfd_set_section_vma«? [-Werror=implicit-function-declaration]
125 | uintptr_t vma = (uintptr_t)bfd_get_section_vma(bfdh, section);
| ^~~~~~~~~~~~~~~~~~~
| bfd_set_section_vma
linux/bfd.c:126:35: Fehler: Implizite Deklaration der Funktion »bfd_get_section_size«; meinten Sie »bfd_set_section_size«? [-Werror=implicit-function-declaration]
126 | uintptr_t sz = (uintptr_t)bfd_get_section_size(section);
| ^~~~~~~~~~~~~~~~~~~~
| bfd_set_section_size
cc1: Alle Warnungen werden als Fehler behandelt
make: *** [Makefile:249: linux/bfd.o] Fehler 1
thread 'main' panicked at 'assertion failed: status.success()', /home/btr/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.46/build.rs:46:5
I'm sorry for the German text in there but I'm sure it's still readable.
In the meantime, I'll use docker.
Thanks so much for updating to 2.0, I really appreciate it :)
Is there an API that would yield the cov code of a given vector?
I'd like to be able to shrink test cases using custom code (truncating to a length determined from contents, for example), and such an API would provide a convenient way to do it.
Alternatively, a way to provide a function that yields shrink candidates would also work.
Or any other convenient way to achieve the same goal of shrinking test cases.
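As an added illustration of the "function that yields shrink candidates" idea in the request above (this is example code, not part of honggfuzz-rs and not the issue author's code): a candidate generator plus a greedy minimiser. The coverage oracle the request asks for is replaced by a constructed stand-in, `triggers_bug`, which treats "the input still contains the byte pair FF 00" as "still reaches the interesting behaviour"; `CRASH_INPUT` is likewise constructed.

```rust
// Added example, not code from honggfuzz-rs or from the issue author.
// `shrink_candidates` proposes strictly shorter inputs and `shrink` greedily
// keeps the first candidate that still satisfies an oracle. `triggers_bug`
// is a constructed stand-in for that oracle (the issue wants the coverage of
// a vector; here it is "still contains the byte pair 0xFF 0x00").

/// Candidate generator: one big truncation step first, then every
/// single-byte deletion. Every candidate is strictly shorter than the
/// input, which is what makes `shrink` terminate.
pub fn shrink_candidates(input: &[u8]) -> Vec<Vec<u8>> {
    let mut out = Vec::new();
    if input.len() >= 2 {
        out.push(input[..input.len() / 2].to_vec());
    }
    for i in 0..input.len() {
        let mut candidate = input.to_vec();
        candidate.remove(i);
        out.push(candidate);
    }
    out
}

/// Greedy minimiser: replace the input with the first candidate that keeps
/// the property, repeat, and stop when no candidate does.
pub fn shrink<P: Fn(&[u8]) -> bool>(input: &[u8], keeps_property: P) -> Vec<u8> {
    assert!(keeps_property(input), "start from an input that has the property");
    let mut current = input.to_vec();
    loop {
        match shrink_candidates(&current)
            .into_iter()
            .find(|c| keeps_property(c.as_slice()))
        {
            Some(smaller) => current = smaller,
            None => return current,
        }
    }
}

/// Constructed oracle standing in for "reaches the interesting coverage":
/// true when 0xFF 0x00 appear adjacently anywhere in the input.
pub fn triggers_bug(data: &[u8]) -> bool {
    data.windows(2).any(|w| matches!(w, [0xFF, 0x00]))
}

/// Constructed 12-byte "crashing" input padded with irrelevant bytes.
pub const CRASH_INPUT: &[u8] = &[1, 2, 3, 0xFF, 0x00, 4, 5, 6, 7, 8, 9, 10];

fn main() {
    let minimal = shrink(CRASH_INPUT, triggers_bug);
    println!(
        "{} bytes -> {} bytes: {:02x?}",
        CRASH_INPUT.len(),
        minimal.len(),
        minimal
    );
}
```

With a real oracle the candidate list is where content-aware rules go (for example, truncating to a length read from a header field), while `shrink` stays generic.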
Hey,
It would be nice to add --help to display a more descriptive help for cargo hfuzz, as currently it only lists the possible commands:
$ cargo hfuzz --help
possible commands are: run, run-no-instr, run-debug, build, build-no-instr, build-debug, clean, version
(at least on travis). See, eg, build at https://travis-ci.org/rust-bitcoin/rust-lightning/jobs/446288104 which fails with "note: /usr/bin/ld: __sancov_guards has both ordered [`__sancov_guards' in /home/travis/build/rust-bitcoin/rust-lightning/fuzz/hfuzz_target/x86_64-unknown-linux-gnu/release/deps/chanmon_deser_target-b3cbf469215400a7.chanmon_deser_target.7gmhrznz-cgu.1.rcgu.o] and unordered [`__sancov_guards' in /home/travis/build/rust-bitcoin/rust-lightning/fuzz/hfuzz_target/x86_64-unknown-linux-gnu/release/deps/chanmon_deser_target-b3cbf469215400a7.chanmon_deser_target.7gmhrznz-cgu.1.rcgu.o] sections"
The current version of honggfuzz-rs has a bug that was fixed in honggfuzz 2.2. It is now affecting our CI:
--- stderr
/usr/bin/ld: cannot find -llzma
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [honggfuzz] Error 1
thread 'main' panicked at 'assertion failed: status.success()', /builds/<redacted>/cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.48/build.rs:46:5
Version 2.2 of honggfuzz mentions a "fixed linking with ld.lld" which would probably resolve this. I don't have much time to test it though, so an update is very much appreciated!
Not sure if this is an issue with rust-honggfuzz or rust or my system:
I am using:
invoking:
env HFUZZ_RUN_ARGS="--exit_upon_crash" cargo hfuzz run sound_producer my_input
does not give any errors, but calling the same with:
env HFUZZ_RUN_ARGS="--exit_upon_crash" cargo hfuzz run-debug sound_producer my_input
got the following:
(lldb) command script import "/home/neithanmo/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/etc/lldb_rust_formatters.py"
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python3/dist-packages/lldb/__init__.py", line 255, in <module>
eFormatUnicode8 = _lldb.eFormatUnicode8
AttributeError: module '_lldb' has no attribute 'eFormatUnicode8'
Traceback (most recent call last):
File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
Traceback (most recent call last):
File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
Traceback (most recent call last):
File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
Traceback (most recent call last):
File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
Traceback (most recent call last):
File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
Traceback (most recent call last):
File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
error: module importing failed: module '_lldb' has no attribute 'eFormatUnicode8'
File "temp.py", line 1, in <module>
File "/home/neithanmo/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/etc/lldb_rust_formatters.py", line 1, in <module>
import lldb
File "/usr/lib/python3/dist-packages/lldb/__init__.py", line 255, in <module>
eFormatUnicode8 = _lldb.eFormatUnicode8
however, switching to nightly and running in debug mode gives me a different error:
error: file specified in --source (-s) option doesn't exist: './lldb_commands'
Does anyone have any advice on what the solution would be?
thanks in advance.
I figured out how to use honggfuzz with Raspbian 10 (buster). I had to add the following environment variables to compile it:
LDFLAGS="-lm -latomic -lc" RUSTFLAGS="-C link-arg=-latomic" cargo hfuzz run decode_encode_decode
Maybe add this to the documentation?
I created a bin target for using Honggfuzz with my library (reverted on master because of this issue and also because cargo-fuzz works on WSL now):
However, I cannot pass the honggfuzz feature to Cargo because the cargo-hfuzz executable doesn't support it.
When trying to run the example:
cc -o honggfuzz cmdline.o display.o fuzz.o honggfuzz.o input.o mangle.o report.o sanitizers.o socketfuzzer.o subproc.o linux/arch.o linux/bfd.o linux/perf.o linux/pt.o linux/trace.o linux/unwind.o libhfcommon/libhfcommon.a -pthread -lm -L/usr/local/include -lunwind-ptrace -lunwind-generic -lunwind -llzma -lopcodes -lbfd -lrt -ldl -lm -g -ggdb -g3
Makefile:275: recipe for target 'honggfuzz' failed
make: Leaving directory '/home/eddy/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.49/honggfuzz'
--- stderr
/usr/bin/ld: cannot find -llzma
collect2: error: ld returned 1 exit status
make: *** [honggfuzz] Error 1
After installing it, it works fine:
------------------------[ 0 days 00 hrs 02 mins 22 secs ]----------------------
Iterations : 33843329 [33.84M]
Mode [3/3] : Feedback Driven Mode
Target : hfuzz_target/x86_64-unknown-linux-gnu/release/example
Threads : 4, CPUs: 8, CPU%: 529% [66%/CPU]
Speed : 229686/sec [avg: 238333]
Crashes : 0 [unique: 0, blacklist: 0, verified: 0]
Timeouts : 0 [1 sec]
Corpus Size : 74, max: 8192 bytes, init: 0 files
Cov Update : 0 days 00 hrs 00 mins 05 secs ago
Coverage : edge: 37/80 [46%] pc: 1 cmp: 420
---------------------------------- [ LOGS ] ------------------/ honggfuzz 2.2 /-
z:6 Tm:20us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/2
Test case resembles:
fuzz!(|mut data: &[u8]| {
    loop {
        match hubpack::deserialize::<Structy>(data) {
            Err(_) => break,
            Ok((_, rest)) => data = rest,
        }
    }
});
Alas:
28 | fuzz!(|mut data: &[u8]| {
| ^^^^ no rules expected this token in macro call
I assume the fuzz! macro is currently parsing the closure header too narrowly.
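To show the parse failure described above and one way to widen the macro, here is a stand-alone macro_rules! example (added here; it is not honggfuzz-rs code and not the issue author's code). The narrow arm has the same shape as the crate's `(|$buf:ident: &[u8]| $body:block)`, so `|mut data: &[u8]|` is rejected; a second arm with a literal `mut` token accepts it. `fuzz_once`, `decode` and `INPUT` are hypothetical stand-ins for honggfuzz::fuzz, hubpack::deserialize and fuzzer-provided input.

```rust
// Added example, not honggfuzz-rs code. The narrow arm requires a bare
// identifier after `|`, so `mut data` yields "no rules expected this token
// in macro call"; the widened macro adds an arm that matches `mut` as a
// literal token and forwards it to the closure parameter.

/// Hypothetical stand-in for honggfuzz::fuzz: run the body on one input
/// instead of looping under the fuzzer.
fn fuzz_once<F: FnOnce(&[u8])>(input: &[u8], body: F) {
    body(input);
}

/// Narrow form, same shape as the arm in the crate: only a bare identifier
/// is accepted after `|`, so `fuzz_narrow!(|mut data: &[u8]| { .. })`
/// does not compile.
macro_rules! fuzz_narrow {
    (|$buf:ident: &[u8]| $body:block) => {
        fuzz_once(INPUT, |$buf: &[u8]| $body)
    };
}

/// Widened form: the first arm matches the `mut` keyword literally.
macro_rules! fuzz_wide {
    (|mut $buf:ident: &[u8]| $body:block) => {
        fuzz_once(INPUT, |mut $buf: &[u8]| $body)
    };
    (|$buf:ident: &[u8]| $body:block) => {
        fuzz_once(INPUT, |$buf: &[u8]| $body)
    };
}

/// Constructed input: three length-prefixed records, then a truncated one
/// (declares 3 payload bytes, only 1 present).
const INPUT: &[u8] = &[2, 0xAA, 0xBB, 1, 0xCC, 0, 3, 0xDD];

/// Hypothetical stand-in for hubpack::deserialize: one record plus the
/// remaining bytes, or Err when the declared length runs past the buffer.
fn decode(data: &[u8]) -> Result<(&[u8], &[u8]), ()> {
    let (&len, rest) = data.split_first().ok_or(())?;
    if rest.len() < len as usize {
        return Err(());
    }
    Ok(rest.split_at(len as usize))
}

/// Workaround with the narrow macro: rebind `data` mutably inside the body.
pub fn count_records_narrow() -> usize {
    let mut count = 0;
    fuzz_narrow!(|data: &[u8]| {
        let mut data = data;
        while let Ok((_record, rest)) = decode(data) {
            count += 1;
            data = rest;
        }
    });
    count
}

/// With the widened macro the closure parameter itself may be `mut`.
pub fn count_records_wide() -> usize {
    let mut count = 0;
    fuzz_wide!(|mut data: &[u8]| {
        while let Ok((_record, rest)) = decode(data) {
            count += 1;
            data = rest;
        }
    });
    count
}

fn main() {
    println!(
        "narrow: {} records, wide: {} records",
        count_records_narrow(),
        count_records_wide()
    );
}
```

Both paths decode the same three records and stop at the truncated fourth; the only difference is where the `mut` binding is introduced.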
We recently updated our honggfuzz dependency to 0.5.47 and started seeing the following build errors within our Debian Jessie based build container:
make: Entering directory '/usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.47/honggfuzz'
rm -f -r core Makefile.bak cmdline.o display.o fuzz.o honggfuzz.o input.o mangle.o report.o sanitizers.o socketfuzzer.o subproc.o linux/arch.o linux/bfd.o linux/perf.o linux/pt.o linux/trace.o linux/unwind.o honggfuzz hfuzz_cc/hfuzz-cc libhfuzz/libhfuzz.a libhfuzz/libhfuzz.so libhfuzz/fetch.o libhfuzz/instrument.o libhfuzz/linux.o libhfuzz/memorycmp.o libhfuzz/persistent.o libhfcommon/libhfcommon.a libhfcommon/files.o libhfcommon/log.o libhfcommon/ns.o libhfcommon/util.o libhfnetdriver/libhfnetdriver.a libhfnetdriver/netdriver.o obj libs ./*.o ./*~ ./core ./*.a ./*.dSYM ./*.la ./*.so ./*.dylib linux/*.o linux/*~ linux/core linux/*.a linux/*.dSYM linux/*.la linux/*.so linux/*.dylib mac/*.o mac/*~ mac/core mac/*.a mac/*.dSYM mac/*.la mac/*.so mac/*.dylib netbsd/*.o netbsd/*~ netbsd/core netbsd/*.a netbsd/*.dSYM netbsd/*.la netbsd/*.so netbsd/*.dylib posix/*.o posix/*~ posix/core posix/*.a posix/*.dSYM posix/*.la posix/*.so posix/*.dylib libhfuzz/*.o libhfuzz/*~ libhfuzz/core libhfuzz/*.a libhfuzz/*.dSYM libhfuzz/*.la libhfuzz/*.so libhfuzz/*.dylib libhfcommon/*.o libhfcommon/*~ libhfcommon/core libhfcommon/*.a libhfcommon/*.dSYM libhfcommon/*.la libhfcommon/*.so libhfcommon/*.dylib libhfnetdriver/*.o libhfnetdriver/*~ libhfnetdriver/core libhfnetdriver/*.a libhfnetdriver/*.dSYM libhfnetdriver/*.la libhfnetdriver/*.so libhfnetdriver/*.dylib
make: Leaving directory '/usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.47/honggfuzz'
make: Entering directory '/usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.47/honggfuzz'
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o cmdline.o cmdline.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o display.o display.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o fuzz.o fuzz.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o honggfuzz.o honggfuzz.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o input.o input.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o mangle.o mangle.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o report.o report.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o sanitizers.o sanitizers.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o socketfuzzer.o socketfuzzer.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o subproc.o subproc.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o linux/arch.o linux/arch.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o linux/bfd.o linux/bfd.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o linux/perf.o linux/perf.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o linux/pt.o linux/pt.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3 -o linux/trace.o linux/trace.c
Makefile:251: recipe for target 'linux/trace.o' failed
make: Leaving directory '/usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.47/honggfuzz'
--- stderr
linux/trace.c: In function 'arch_traceSaveData':
linux/trace.c:528:5: error: missing initializer for field 'si_signo' of 'siginfo_t' [-Werror=missing-field-initializers]
siginfo_t si = {};
^
In file included from /usr/include/signal.h:80:0,
from /usr/include/x86_64-linux-gnu/sys/param.h:28,
from ./honggfuzz.h:33,
from ./linux/trace.h:29,
from linux/trace.c:24:
/usr/include/x86_64-linux-gnu/bits/siginfo.h:64:9: note: 'si_signo' declared here
int si_signo; /* Signal number. */
^
linux/trace.c: At top level:
cc1: error: unrecognized command line option "-Wno-format-truncation" [-Werror]
cc1: all warnings being treated as errors
make: *** [linux/trace.o] Error 1
I installed binutils-devel and libunwind-devel on Fedora 32 (as the readme suggests), but got an error about a missing lzma library (-llzma).
In the case of Fedora, xz-devel is also needed.
EDIT: run-debug also requires LLDB.
It seems the update to arbitrary 1.0 requires const generics, which were stabilized only incredibly recently (March of this year). This breaks most distro rustc users as relatively few distros have shipped 1.51 into their normal release channels. The requiring of a super recent rustc in a minor-minor version is somewhat surprising, and broke some of our build pipeline.
Is it possible to define the MSRV policy and maybe make the arbitrary feature optional, given it's not required unless you want the fuzzer to map the types automagically?
The fuzz!() macro uses items from the arbitrary crate but does not declare extern crate arbitrary (it probably needs to be pub extern crate arbitrary for the macro to use it). The arbitrary crate should be added to this crate's dependencies and then imports from arbitrary can be prefixed by the $crate metavar (references to honggfuzz should be replaced with $crate as well, or else if the user renames it with extern crate honggfuzz as ... then it will not be found).
Fixed fuzz!() macro:
macro_rules! fuzz {
    (|$buf:ident| $body:block) => {
        $crate::fuzz(|$buf| $body);
    };
    (|$buf:ident: &[u8]| $body:block) => {
        $crate::fuzz(|$buf| $body);
    };
    (|$buf:ident: $dty:ty| $body:block) => {
        $crate::fuzz(|$buf| {
            let $buf: $dty = {
                use $crate::arbitrary::{Arbitrary, RingBuffer};
                if let Ok(d) = RingBuffer::new($buf, $buf.len()).and_then(|mut b| {
                    Arbitrary::arbitrary(&mut b).map_err(|_| "")
                }) {
                    d
                } else {
                    return
                }
            };
            $body
        });
    };
}
I want to use honggfuzz-rs to fuzz some unsafe code; however, ASAN doesn't seem to work. For example, I use the code from the example directory and replace the code in main.rs with
#[macro_use] extern crate honggfuzz;

fn main() {
    loop {
        fuzz!(|data: &[u8]| {
            // use after free bug
            let xs = vec![0, 1, 2, 3];
            let y = xs.as_ptr();
            drop(xs);
            let z = unsafe { *y };
        });
    }
}
I fuzz the project with
RUSTFLAGS="-Z sanitizer=address" cargo hfuzz run example
However, the fuzzer cannot detect the bug (there should be only one path).
There's one warning message from honggfuzz.
I hope you can check if this can work properly. Thanks a lot.
In https://github.com/rust-bitcoin/rust-bitcoin/ we have some potential issues on 32-bit architectures because usize is obviously different on this architecture.
Since 32-bit software could run on a 64-bit machine, I would have liked to fuzz with a target different from the host machine, like i686-unknown-linux-gnu, but I have seen it is not possible to specify a different triplet than the host system's with cargo hfuzz:
honggfuzz-rs/src/bin/cargo-hfuzz.rs
Line 23 in f45aef1
I would like to know if this is an issue only with how parameters are handled in cargo hfuzz, or if there are inherently other issues in the fuzzing process on 32 bits (on a 64-bit host).
I have followed the guidance provided here, but could not succeed; I get the following error:
error: failed to run custom build command for honggfuzz v0.5.45 (/mnt/c/Users/Ali/honggfuzz-rs)
Caused by:
process didn't exit successfully: /mnt/c/Users/Ali/honggfuzz-rs/example/hfuzz_target/release/build/honggfuzz-e77bf1f3f654a6c3/build-script-build
(exit code: 101)
--- stdout
make: Entering directory '/mnt/c/Users/Ali/honggfuzz-rs/honggfuzz'
make: Leaving directory '/mnt/c/Users/Ali/honggfuzz-rs/honggfuzz'
--- stderr
make: *** No rule to make target 'clean'. Stop.
thread 'main' panicked at 'assertion failed: status.success()', /mnt/c/Users/Ali/honggfuzz-rs/build.rs:38:5
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace.
warning: build failed, waiting for other jobs to finish...
error: build failed
It would be nice to have a build-grcov command that would build honggfuzz-rs with profiling support, so the fuzzed binary can later be run with all fuzzing-generated inputs and crashes to get the coverage data, e.g. through Mozilla's grcov.
This, more or less, requires the build to use the following flags:
CARGO_INCREMENTAL=0 RUSTFLAGS='-Zprofile -Ccodegen-units=1 -Cinline-threshold=0 -Clink-dead-code -Coverflow-checks=off -Zno-landing-pads'
Our CI fuzzing recently broke as our fuzz target became too large, so that honggfuzz would fail with errors like "This process has too many PC guards". It seems this is based on a hard-coded constant _HF_PC_GUARD_MAX in the honggfuzz.h header which can only be changed when honggfuzz is built.
Hence, for now I resorted to adding
    // increase _HF_PC_GUARD_MAX (needs `use std::process::Command;` at the top of build.rs)
    let status = Command::new("sed")
        .args(&["-e", "s/^#define _HF_PC_GUARD_MAX .*/#define _HF_PC_GUARD_MAX (2U * 1024U * 1024U * 16U)/", "-i", "honggfuzz/honggfuzz.h"])
        .status()
        .expect("failed to patch honggfuzz.h using sed");
    assert!(status.success());
to this crate's build script.
Would this be something you would accept upstream (controlled via an environment variable by the cargo hfuzz subcommand)? Do you have any other ideas how to avoid this problem? Thank you for your help!
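The environment-variable-controlled variant proposed above, sketched as an added example (this is not honggfuzz-rs code and not the issue author's build script): the same header rewrite as the sed call, done in Rust, applied only when a variable is set, and failing loudly when the define is not found. The variable name HFUZZ_PC_GUARD_MAX is hypothetical and the header text in `main` is constructed; only the macro name _HF_PC_GUARD_MAX and the path honggfuzz/honggfuzz.h come from the issue.

```rust
// Added example, not honggfuzz-rs code. Rewrites the `#define
// _HF_PC_GUARD_MAX ...` line of a header the way the sed expression in the
// issue does, driven by a hypothetical HFUZZ_PC_GUARD_MAX variable.
use std::env;
use std::fs;

/// Parse the requested guard count. Zero or garbage is an error rather than
/// a silent fallback, so a typo in CI cannot leave the old limit in place.
pub fn parse_guard_max(raw: &str) -> Result<u32, String> {
    let n: u32 = raw
        .trim()
        .parse()
        .map_err(|e| format!("HFUZZ_PC_GUARD_MAX={:?}: {}", raw, e))?;
    if n == 0 {
        return Err("HFUZZ_PC_GUARD_MAX must be greater than 0".to_string());
    }
    Ok(n)
}

/// Replace the define line, matching like `^#define _HF_PC_GUARD_MAX .*`.
/// Returns None when the header has no such line, so the caller can fail
/// the build instead of fuzzing with a limit it wrongly believes was raised.
pub fn patch_pc_guard_max(header: &str, guard_max: u32) -> Option<String> {
    let mut found = false;
    let lines: Vec<String> = header
        .lines()
        .map(|line| {
            if line.starts_with("#define _HF_PC_GUARD_MAX ") {
                found = true;
                format!("#define _HF_PC_GUARD_MAX ({}U)", guard_max)
            } else {
                line.to_string()
            }
        })
        .collect();
    if !found {
        return None;
    }
    let mut out = lines.join("\n");
    if header.ends_with('\n') {
        out.push('\n');
    }
    Some(out)
}

/// Build-script shaped entry point: an unset variable leaves the header
/// untouched (Ok(false)); Ok(true) means it was rewritten in place.
pub fn apply_from_env(header_path: &str) -> Result<bool, String> {
    let raw = match env::var("HFUZZ_PC_GUARD_MAX") {
        Ok(v) => v,
        Err(_) => return Ok(false),
    };
    let guard_max = parse_guard_max(&raw)?;
    let header = fs::read_to_string(header_path)
        .map_err(|e| format!("{}: {}", header_path, e))?;
    let patched = patch_pc_guard_max(&header, guard_max)
        .ok_or_else(|| format!("{}: no _HF_PC_GUARD_MAX define found", header_path))?;
    fs::write(header_path, patched).map_err(|e| format!("{}: {}", header_path, e))?;
    Ok(true)
}

fn main() {
    // Constructed stand-in for honggfuzz/honggfuzz.h; nothing on disk is touched here.
    let header = "#define _HF_PC_GUARD_MAX (1024U * 1024U * 2U)\n#define _HF_OTHER 1\n";
    match patch_pc_guard_max(header, 2 * 1024 * 1024 * 16) {
        Some(patched) => print!("{}", patched),
        None => eprintln!("define not found"),
    }
    // In build.rs the call would be apply_from_env("honggfuzz/honggfuzz.h"),
    // run before `make` so the rebuilt honggfuzz picks up the new limit.
}
```

Returning `Option` from `patch_pc_guard_max` is the part that matters in CI: a silent no-op would look like success while the fuzzer still dies with "too many PC guards".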
I am not sure if this is technically an issue with honggfuzz-rs or some other part of the pipeline, but I noticed that when using the memory sanitizer, there will always be at least 1 unique failure even if using an empty fuzz target.
To reproduce, use this fuzz target:
fuzz!(|_data: &[u8]| { return });
run it with the memory sanitizer:
RUSTFLAGS="-Z sanitizer=memory" cargo hfuzz run hfuzz
will get one unique error:
Crash (dup): 'hfuzz_workspace/hfuzz/SIGABRT.PC.7ffff7dc6755.STACK.192f69358f.CODE.-6.ADDR.(nil).INSTR.mov____0x108(%rsp),%rax.fuzz' already exists, skipping [2019-10-09T23:26:46-0700][W][28005] arch_checkWait():248 Persistent mode: pid=28308 exited with status: SIGNALED, signal: 6 (Aborted)
When running in debug, the actual error is: Uninitialized bytes in __interceptor_memchr at offset 0 inside [0x701000000000, 4
and it doesn't give a backtrace.
As of the update today, it seems our fuzzers always fail to build. See CI run here: https://github.com/rust-bitcoin/rust-lightning/pull/688/checks?check_run_id=1104734709, or local logs:
matt@cdev1:~/Documents/Projects/Bitcoin/rust-lightning-2/fuzz$ export PATH=$PATH:/home/matt/.cargo/bin
matt@cdev1:~/Documents/Projects/Bitcoin/rust-lightning-2/fuzz$ HFUZZ_BUILD_ARGS="--features honggfuzz_fuzz" cargo hfuzz build
/usr/bin/ld.gold
Compiling honggfuzz v0.5.50
Compiling secp256k1-sys v0.2.0
error: failed to run custom build command for `honggfuzz v0.5.50`
Caused by:
process didn't exit successfully: `/home/matt/Documents/Projects/Bitcoin/rust-lightning-2/fuzz/hfuzz_target/release/build/honggfuzz-9a99ce2b93b654e1/build-script-build` (exit code: 101)
--- stderr
make: *** honggfuzz: No such file or directory. Stop.
thread 'main' panicked at 'assertion failed: status.success()', /home/matt/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.50/build.rs:38:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...
error: build failed
Hi,
I have a minimal code example where I would expect to find three unique crashes. However the fuzzer classifies the bugs as identical and therefore only one unique crash file is saved.
use honggfuzz::fuzz;

const MAGIC_NUMBER: u8 = 254;

fn main() {
    loop {
        fuzz!(|data: &[u8]| {
            if data.len() != 2 {
                return;
            }
            let _ = buggy_math_function(data[0], data[1]);
            panic_function(data[0]);
        });
    }
}

pub fn buggy_math_function(input1: u8, input2: u8) -> u8 {
    // causes div-by-zero if input2 == 254
    // causes subtract with overflow if input2 == 255 because overflow-checks = true for profile.release
    let divisor = MAGIC_NUMBER - input2;
    input1 / divisor
}

pub fn panic_function(input1: u8) {
    // panics if input1 == 97
    if input1 == b'a' {
        panic!("BOOM")
    }
}
--save_all option to honggfuzz to save all crashes, I can find all three expected crash cases (input1 = 97, input2 = 254 or 255), so it does not look like the code was somehow optimized to prevent the bugs. However, the crash names all have the same filename SIGABRT.PC.7ffff7c8e83c.STACK.d0d9781a0.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebx.2023-08-30.15:55:32.535662.fuzz besides the time-stamp.
My setup:
Any help or hints are appreciated.
Just tried this out on macOS 10.13.3, but running into this compiler error when I build the crate:
corey@mac /p/t/hong> cargo hfuzz run hong
Compiling honggfuzz v0.5.3
error: failed to run custom build command for `honggfuzz v0.5.3`
process didn't exit successfully: `/private/tmp/hong/hfuzz_target/release/build/honggfuzz-aa6fe05b2573cde2/build-script-build` (exit code: 101)
--- stdout
rm -f -r core Makefile.bak cmdline.o display.o fuzz.o honggfuzz.o input.o mangle.o report.o sancov.o sanitizers.o socketfuzzer.o subproc.o mac/arch.o mac/mach_excServer.o mac/mach_excUser.o honggfuzz hfuzz_cc/hfuzz-cc libhfuzz/libhfuzz.a libhfuzz/instrument.o libhfuzz/linux.o libhfuzz/main.o libhfuzz/memorycmp.o libhfuzz/persistent.o libhfcommon/libhfcommon.a libhfcommon/files.o libhfcommon/log.o libhfcommon/ns.o libhfcommon/util.o libhfnetdriver/libhfnetdriver.a libhfnetdriver/netdriver.o mac/mach_exc.h mac/mach_excServer.c mac/mach_excServer.h mac/mach_excUser.c obj libs ./*.o ./*~ ./core ./*.a ./*.dSYM ./*.la ./*.so ./*.dylib linux/*.o linux/*~ linux/core linux/*.a linux/*.dSYM linux/*.la linux/*.so linux/*.dylib mac/*.o mac/*~ mac/core mac/*.a mac/*.dSYM mac/*.la mac/*.so mac/*.dylib posix/*.o posix/*~ posix/core posix/*.a posix/*.dSYM posix/*.la posix/*.so posix/*.dylib libhfuzz/*.o libhfuzz/*~ libhfuzz/core libhfuzz/*.a libhfuzz/*.dSYM libhfuzz/*.la libhfuzz/*.so libhfuzz/*.dylib libhfcommon/*.o libhfcommon/*~ libhfcommon/core libhfcommon/*.a libhfcommon/*.dSYM libhfcommon/*.la libhfcommon/*.so libhfcommon/*.dylib libhfnetdriver/*.o libhfnetdriver/*~ libhfnetdriver/core libhfnetdriver/*.a libhfnetdriver/*.dSYM libhfnetdriver/*.la libhfnetdriver/*.so libhfnetdriver/*.dylib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o cmdline.o cmdline.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o display.o display.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o fuzz.o fuzz.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o honggfuzz.o honggfuzz.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o input.o input.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o mangle.o mangle.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o report.o report.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o sancov.o sancov.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o sanitizers.o sanitizers.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o socketfuzzer.o socketfuzzer.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o subproc.o subproc.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o mac/arch.o mac/arch.c
--- stderr
mac/arch.c:61:10: fatal error: 'mach_exc.h' file not found
#include "mach_exc.h"
^~~~~~~~~~~~
1 error generated.
make: *** [mac/arch.o] Error 1
thread 'main' panicked at 'assertion failed: status.success()', /Users/corey/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.3/build.rs:34:5
note: Run with `RUST_BACKTRACE=1` for a backtrace.
Not sure if this is a problem upstream, or if there's something that needs to be changed in the build logic in this crate, or if there's something wrong with my setup. Hmm
See upstream issue at google/honggfuzz#243
While having a basic example is good, it would be nice to show a more advanced example too, i.e. one that covers using arbitrary to get started more quickly.
I am happy to do a PR if that'd be a viable addition to the examples.
error: failed to run custom build command for `honggfuzz v0.5.53`
Caused by:
process didn't exit successfully: `/media/supersonic1t/projects/parity/rsc-perf/fuzzit/hfuzz_target/release/build/honggfuzz-e79e9d36b487ef79/build-script-build` (exit code: 1)
--- stderr
honggfuzz dependency (0.5.53) and build command (0.5.52) versions do not match
happens since the update in Cargo.toml.
Build script does not trigger making required artifacts for MacOS.
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libhfcommon/libhfcommon.a(ns.o) has no symbols
Undefined symbols for architecture x86_64:
"_mach_exc_server", referenced from:
_wait_for_exception in arch.o
ld: symbol(s) not found for architecture x86_64
You can see how it can be hacked around in here.
See: https://rustsec.org/advisories/RUSTSEC-2020-0077.html
An alternative is https://github.com/RazrFalcon/memmap2-rs
Looks like this was fixed upstream in google/honggfuzz@90fdf81 -- but on my system I get
linux/bfd.c: In function ‘arch_bfdDisasm’:
linux/bfd.c:231:5: error: too few arguments to function ‘init_disassemble_info’
231 | init_disassemble_info(&info, instr, arch_bfdFPrintF);
| ^~~~~~~~~~~~~~~~~~~~~
In file included from linux/bfd.c:29:
/usr/include/dis-asm.h:472:13: note: declared here
472 | extern void init_disassemble_info (struct disassemble_info *dinfo, void *stream,
| ^~~~~~~~~~~~~~~~~~~~~
make: *** [Makefile:259: linux/bfd.o] Error 1
with honggfuzz 0.5.54.
I haven't thought through the full repercussions of a change like this, but the SafeUnwind requirement is causing some performance issues in that there's not as much that can be set up outside of the main fuzzing loop, which causes a lot of avoidable initialization overhead in some fuzz tests.
I'm wondering if, in lieu of just taking this change as is, offering an alternative macro that doesn't require SafeUnwind would be something you're interested in?
Example diff:
mcginty@66b32e1
EDIT: just noticed #8, which is trying to fix the same problem in a different way. Leaving this open for discussion.
@robertswiecki has implemented a coverage-based minimizer in honggfuzz recently.
google/honggfuzz#195 (comment)
It will be awesome to have this feature available over cargo like:
cargo hfuzz cmin ...
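Coverage-based corpus minimization, as requested above, shown as an added example that is neither honggfuzz's nor this crate's own code: a greedy set-cover pass keeps the input that adds the most not-yet-covered edges (smaller inputs win ties) until nothing adds coverage. The target, its edge numbering and the sample inputs are constructed for the example; the toy parser's branches record edge ids in place of the sancov counters honggfuzz actually reads, and honggfuzz's own minimizer may order and tie-break differently.

```rust
use std::collections::BTreeSet;

/// One corpus entry: the input bytes and the coverage edges it reached.
#[derive(Debug, Clone)]
pub struct Entry {
    pub name: &'static str,
    pub data: Vec<u8>,
    pub edges: BTreeSet<u32>,
}

/// Constructed stand-in for an instrumented fuzz target: a tiny
/// length-prefixed record parser. Each branch records an edge id, the role
/// real sancov edge counters play for honggfuzz.
pub fn target(data: &[u8], edges: &mut BTreeSet<u32>) {
    edges.insert(0); // function entry
    if data.len() < 2 {
        edges.insert(1); // too short for magic + length byte
        return;
    }
    if data[0] != b'R' {
        edges.insert(2); // bad magic byte
        return;
    }
    edges.insert(3);
    let len = data[1] as usize;
    if data.len() < 2 + len {
        edges.insert(4); // declared length exceeds buffer: reject instead of over-reading
        return;
    }
    edges.insert(5);
    let body = &data[2..2 + len];
    if body.is_empty() {
        edges.insert(6);
    } else if body.iter().all(u8::is_ascii_digit) {
        edges.insert(7);
    } else {
        edges.insert(8);
    }
}

/// Run one input through the target and record which edges it hit.
pub fn run_entry(name: &'static str, data: &[u8]) -> Entry {
    let mut edges = BTreeSet::new();
    target(data, &mut edges);
    Entry { name, data: data.to_vec(), edges }
}

/// Greedy set cover: repeatedly keep the entry contributing the most new
/// edges; ties go to the smaller input, then to the lexically smaller name.
/// Returns the kept entries' names in selection order.
pub fn minimize(corpus: &[Entry]) -> Vec<&'static str> {
    let mut covered: BTreeSet<u32> = BTreeSet::new();
    let mut remaining: Vec<&Entry> = corpus.iter().collect();
    let mut kept = Vec::new();
    loop {
        let pick = remaining
            .iter()
            .enumerate()
            .map(|(i, e)| (i, e.edges.difference(&covered).count()))
            .filter(|&(_, gain)| gain > 0)
            .max_by(|&(i, ga), &(j, gb)| {
                let (a, b) = (remaining[i], remaining[j]);
                ga.cmp(&gb)
                    .then_with(|| b.data.len().cmp(&a.data.len()))
                    .then_with(|| b.name.cmp(a.name))
            });
        let Some((idx, _)) = pick else { break };
        let e = remaining.remove(idx);
        covered.extend(e.edges.iter().copied());
        kept.push(e.name);
    }
    kept
}

/// Union of all edges reached by a set of entries (used to check that
/// minimization loses no coverage).
pub fn edge_union(entries: &[Entry]) -> BTreeSet<u32> {
    entries.iter().flat_map(|e| e.edges.iter().copied()).collect()
}

/// Constructed sample corpus; "short" and "digits_long" add no new edges.
pub fn sample_corpus() -> Vec<Entry> {
    vec![
        run_entry("empty", b""),
        run_entry("short", b"R"),
        run_entry("badmagic", b"X\x00"),
        run_entry("truncated", b"R\x05ab"),
        run_entry("zero", b"R\x00"),
        run_entry("digits", b"R\x03123"),
        run_entry("digits_long", b"R\x06123456"),
        run_entry("mixed", b"R\x02a1"),
    ]
}

fn main() {
    let corpus = sample_corpus();
    let kept = minimize(&corpus);
    println!("kept {} of {} inputs: {:?}", kept.len(), corpus.len(), kept);
}
```

The check worth keeping from this is the last one: after minimization the union of edges over the kept inputs must equal the union over the whole corpus, otherwise the minimizer has thrown away a reachable path and later fuzzing restarts from a weaker seed set.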
Hi,
I'm having trouble running hfuzz in a CI environment.
The error I'm getting:
RUST_BACKTRACE="full" HFUZZ_RUN_ARGS="--exit_upon_crash --iterations 10000 -v --timeout 2 --input coordinatord_fuzz_corpus" cargo hfuzz run send_msg && cd ..
/usr/bin/ld.gold
Updating crates.io index
Updating git repository `https://github.com/revault/revault_net`
Updating git repository `https://github.com/revault/revault_tx`
Downloading crates ...
Downloaded block-buffer v0.9.0
Downloaded lazy_static v1.4.0
Downloaded log v0.4.14
Downloaded futures-executor v0.3.17
Downloaded futures-core v0.3.17
Downloaded getrandom v0.2.3
Downloaded ed25519 v1.2.0
Downloaded crypto-mac v0.10.1
Downloaded instant v0.1.11
Downloaded ppv-lite86 v0.2.10
Downloaded subtle v2.4.1
Downloaded stringprep v0.1.2
Downloaded socket2 v0.4.2
Downloaded semver v0.9.0
Downloaded opaque-debug v0.3.0
Downloaded num-integer v0.1.44
Downloaded num-traits v0.2.14
Downloaded parking_lot_core v0.8.5
Downloaded parking_lot v0.11.2
Downloaded proc-macro-nested v0.1.7
Downloaded proc-macro-hack v0.5.19
Downloaded pin-project-lite v0.2.7
Downloaded unicode-bidi v0.3.6
Downloaded byteorder v1.4.3
Downloaded cpufeatures v0.2.1
Downloaded cc v1.0.70
Downloaded futures-task v0.3.17
Downloaded futures-channel v0.3.17
Downloaded chrono v0.4.19
Downloaded version_check v0.9.3
Downloaded same-file v1.0.6
Downloaded serde_derive v1.0.130
Downloaded time v0.1.43
Downloaded walkdir v2.3.2
Downloaded tokio-macros v1.3.0
Downloaded tokio-util v0.6.8
Downloaded lock_api v0.4.5
Downloaded pkg-config v0.3.20
Downloaded postgres-types v0.2.1
Downloaded dirs v3.0.2
Downloaded scopeguard v1.1.0
Downloaded signature v1.3.1
Downloaded sha2 v0.9.8
Downloaded miniscript v6.0.1
Downloaded semver-parser v0.7.0
Downloaded rand_core v0.5.1
Downloaded typenum v1.14.0
Downloaded unicode-normalization v0.1.19
Downloaded toml v0.5.8
Downloaded rand v0.8.4
Downloaded syn v1.0.77
Downloaded num_cpus v1.13.0
Downloaded smallvec v1.6.1
Downloaded serde_json v1.0.68
Downloaded revault_tx v0.3.0
Downloaded proc-macro2 v1.0.29
Downloaded secp256k1-sys v0.4.1
Downloaded tinyvec v1.5.0
Downloaded tokio-postgres v0.7.2
Downloaded secp256k1 v0.20.3
Downloaded postgres-protocol v0.6.1
Downloaded snow v0.7.2
Downloaded fern v0.5.9
Downloaded bitcoin v0.27.1
Downloaded rustc_version v0.2.3
Downloaded phf v0.8.0
Downloaded percent-encoding v2.1.0
Downloaded bitcoin_hashes v0.10.0
Downloaded bech32 v0.8.1
Downloaded phf_shared v0.8.0
Downloaded slab v0.4.4
Downloaded siphasher v0.3.7
Downloaded md-5 v0.9.1
Downloaded futures-util v0.3.17
Downloaded futures-io v0.3.17
Downloaded tokio v1.12.0
Downloaded tinyvec_macros v0.1.0
Downloaded daemonize-simple v0.1.5
Downloaded unicode-xid v0.2.2
Downloaded ryu v1.0.5
Downloaded serde v1.0.130
Downloaded rand_core v0.6.3
Downloaded quote v1.0.9
Downloaded rand_chacha v0.3.1
Downloaded futures-sink v0.3.17
Downloaded dirs-sys v0.3.6
Downloaded digest v0.9.0
Downloaded bytes v1.1.0
Downloaded sodiumoxide v0.2.7
Downloaded base64 v0.13.0
Downloaded async-trait v0.1.51
Downloaded autocfg v1.0.1
Downloaded mio v0.7.13
Downloaded pin-utils v0.1.0
Downloaded itoa v0.4.8
Downloaded hmac v0.10.1
Downloaded generic-array v0.14.4
Downloaded futures-macro v0.3.17
Downloaded futures v0.3.17
Downloaded cfg-if v1.0.0
Downloaded memchr v2.4.1
Downloaded libc v0.2.103
Downloaded fallible-iterator v0.2.0
Downloaded libsodium-sys v0.2.7
Downloaded bitcoinconsensus v0.19.0-3
Compiling libc v0.2.103
Compiling proc-macro2 v1.0.29
Compiling unicode-xid v0.2.2
Compiling syn v1.0.77
Compiling autocfg v1.0.1
Compiling cc v1.0.70
Compiling cfg-if v1.0.0
error: failed to run LLVM passes: unknown pass name 'sancov'
error: could not compile `cfg-if` due to previous error
warning: build failed, waiting for other jobs to finish...
error: build failed
Error: Process completed with exit code 101.
OS: Github Actions with ubuntu-latest
rustc version: rustc 1.57.0-nightly (05044c2e6 2021-09-26)
cargo version: cargo 1.57.0-nightly (0121d66aa 2021-09-22)
I think the culprit is the rustc version, I can reproduce locally using rustc 1.57, but everything works correctly when I use rustc 1.53.
I hope I'm using this tool right. I followed the instructions as best I could on FreeBSD, though the dependencies listed for Linux don't all have the same names so I can't be sure I installed all of the correct packages.
$ cargo hfuzz run mre
/usr/local/bin/ld.gold
Compiling semver v1.0.20
Compiling honggfuzz v0.5.55
Compiling lazy_static v1.4.0
Compiling arbitrary v1.3.2
error: failed to run custom build command for `honggfuzz v0.5.55`
Caused by:
process didn't exit successfully: `/tmp/mre/hfuzz_target/release/build/honggfuzz-58913838721237ff/build-script-build` (exit status: 101)
--- stderr
thread 'main' panicked at $HOME/.cargo/registry/src/index.crates.io-6f17d22bba15001f/honggfuzz-0.5.55/build.rs:40:10:
failed to run "make -C honggfuzz clean": Os { code: 2, kind: NotFound, message: "No such file or directory" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...
$ RUST_BACKTRACE=full cargo hfuzz run mre
/usr/local/bin/ld.gold
Compiling honggfuzz v0.5.55
Compiling rustc_version v0.4.0
error: failed to run custom build command for `honggfuzz v0.5.55`
note: To improve backtraces for build dependencies, set the CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG=true environment variable to enable debug information generation.
Caused by:
process didn't exit successfully: `/tmp/mre/hfuzz_target/release/build/honggfuzz-a9e34a03b3af2dd5/build-script-build` (exit status: 101)
--- stderr
thread 'main' panicked at $HOME/.cargo/registry/src/index.crates.io-6f17d22bba15001f/honggfuzz-0.5.55/build.rs:40:10:
failed to run "make -C honggfuzz clean": Os { code: 2, kind: NotFound, message: "No such file or directory" }
stack backtrace:
0: 0x2714a2b503ac - std::backtrace_rs::backtrace::libunwind::trace::h227f5e62bf94ac45
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
1: 0x2714a2b503ac - std::backtrace_rs::backtrace::trace_unsynchronized::h7da3bf221bb25a09
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
2: 0x2714a2b503ac - std::sys_common::backtrace::_print_fmt::h0a4842961f78b152
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:67:5
3: 0x2714a2b503ac - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h8e328eaffb045fb1
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:44:22
4: 0x2714a2b7395c - core::fmt::rt::Argument::fmt::he393ddbce52f0eff
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/fmt/rt.rs:138:9
5: 0x2714a2b7395c - core::fmt::write::hc38cbbcb851d00ab
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/fmt/mod.rs:1114:21
6: 0x2714a2b4da5e - std::io::Write::write_fmt::h2f30843536039d94
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/io/mod.rs:1763:15
7: 0x2714a2b50184 - std::sys_common::backtrace::_print::he4e7414ad52cd2e8
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:47:5
8: 0x2714a2b50184 - std::sys_common::backtrace::print::h5eaa9f53ed14896f
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:34:9
9: 0x2714a2b515c3 - std::panicking::default_hook::{{closure}}::heb333e583b466c51
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:272:22
10: 0x2714a2b511ea - std::panicking::default_hook::he3bf93b45f0c8bd1
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:292:9
11: 0x2714a2b51d0d - std::panicking::rust_panic_with_hook::h6af3b63daf6de27e
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:731:13
12: 0x2714a2b51b11 - std::panicking::begin_panic_handler::{{closure}}::hf3b50bac472dc16f
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:609:13
13: 0x2714a2b508d6 - std::sys_common::backtrace::__rust_end_short_backtrace::ha47741bb9710fa20
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:170:18
14: 0x2714a2b51862 - rust_begin_unwind
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:597:5
15: 0x2714a2b72ac5 - core::panicking::panic_fmt::h66f296b00047aa1a
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/panicking.rs:72:14
16: 0x2714a2b72f23 - core::result::unwrap_failed::h202f1f68601af9aa
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/result.rs:1652:5
17: 0x2714a2b2a61c - core::result::Result<T,E>::expect::hbeaf8084282bbd8e
18: 0x2714a2b2db33 - build_script_build::main::h8d8ad70cbb5b0a8e
19: 0x2714a2b2c173 - core::ops::function::FnOnce::call_once::hbcfa998c06284903
20: 0x2714a2b29846 - std::sys_common::backtrace::__rust_begin_short_backtrace::h6e0688f9eff6d1d5
21: 0x2714a2b29d39 - std::rt::lang_start::{{closure}}::hdf8f0a5b50c15c52
22: 0x2714a2b4a49d - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::h8aadaf873acc2c72
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/ops/function.rs:284:13
23: 0x2714a2b4a49d - std::panicking::try::do_call::h7bb56876f347c565
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:504:40
24: 0x2714a2b4a49d - std::panicking::try::h4395597ca10fe0aa
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:468:19
25: 0x2714a2b4a49d - std::panic::catch_unwind::hfa68bfbf98842f18
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panic.rs:142:14
26: 0x2714a2b4a49d - std::rt::lang_start_internal::{{closure}}::h9f7924da836d3a43
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/rt.rs:148:48
27: 0x2714a2b4a49d - std::panicking::try::do_call::h8774a1b80793a52e
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:504:40
28: 0x2714a2b4a49d - std::panicking::try::hfa967256f930e851
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:468:19
29: 0x2714a2b4a49d - std::panic::catch_unwind::hd6154a51f87e940a
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panic.rs:142:14
30: 0x2714a2b4a49d - std::rt::lang_start_internal::h7670a540de2143b7
at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/rt.rs:148:20
31: 0x2714a2b29d17 - std::rt::lang_start::h95e510629df386b2
32: 0x2714a2b2ec35 - main
33: 0x271cc570dafa - __libc_start1
34: 0x2714a2b297bd - _start
at /usr/src/lib/csu/amd64/crt1_s.S:83
warning: build failed, waiting for other jobs to finish...
Hope it's obvious this is an MRE, and not my actual fuzzing code.
[package]
name = "mre"
version = "0.1.0"
edition = "2021"
[dependencies]
honggfuzz = "0.5.55"
fn main() {}
rustc --version --verbose:
rustc 1.74.0 (79e9716c9 2023-11-13)
binary: rustc
commit-hash: 79e9716c980570bfd1f666e3b16ac583f0168962
commit-date: 2023-11-13
host: x86_64-unknown-freebsd
release: 1.74.0
LLVM version: 17.0.4
cargo --version --verbose
cargo 1.74.0 (ecb9851af 2023-10-18)
release: 1.74.0
commit-hash: ecb9851afd3095e988daaa35a48bc7f3cb748e04
commit-date: 2023-10-18
host: x86_64-unknown-freebsd
libgit2: 1.7.1 (sys:0.18.0 vendored)
libcurl: 8.4.0-DEV (sys:0.4.68+curl-8.4.0 vendored ssl:OpenSSL/1.1.1u)
ssl: OpenSSL 1.1.1u 30 May 2023
os: FreeBSD 14.0-RELEASE [64-bit]
uname -imrs
FreeBSD 14.0-RELEASE amd64 GENERIC
cargo hfuzz version
cargo-hfuzz 0.5.55
I want to fuzz my project (developed under Rust), but when I run this command cargo hfuzz run myProject, it shows the following error.
error: linking with `cc` failed: exit code: 1
note: "cc" "-Wl,--as-needed" "-Wl,-z,noexecstack" "-m64" "-L" "/home/saarshah/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/x86_64-unknown-linux-gnu/lib"
...
undefined reference to '__sanitizer_cov_trace_div4'
collect2: error: ld returned 1 exit status
Any help to how to fuzz my project...
I've tried running honggfuzz with both the original make that comes with OSX (3.81) and with one installed via homebrew (4.3) - in both cases I get this error:
❯ cargo hfuzz run try-hong
Compiling honggfuzz v0.5.54
Compiling arbitrary v1.0.1
Compiling lazy_static v1.4.0
error: failed to run custom build command for `honggfuzz v0.5.54`
Caused by:
process didn't exit successfully: `/Users/ilmoi/Downloads/try-hong/hfuzz_target/release/build/honggfuzz-f99475d7c12e0151/build-script-build` (exit code: 101)
--- stdout
make: Entering directory '/Users/ilmoi/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.54/honggfuzz'
make: Leaving directory '/Users/ilmoi/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.54/honggfuzz'
--- stderr
Makefile:103: *** Unsupported MAC OS X version. Stop.
thread 'main' panicked at 'assertion failed: status.success()', /Users/ilmoi/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.54/build.rs:41:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...
error: build failed
The advice here didn't help and I'm not finding anything useful on google.
Is there anything else I can try and do?
I'm on Big Sur 11.4
Hello!
I'm currently trying to use honggfuzz for fuzzing a network interface using persistent fuzzing.
Here is my harness as of now (link refer to a specific commit): https://github.com/Devolutions/devolutions-gateway/blob/bf66f15933d9571574f2db8e65fd1c1019025551/fuzz/server/fuzz_targets/listeners_raw.rs
use honggfuzz::fuzz;
use server_fuzz::init;
use server_fuzz::oracles::raw::fuzz_listener;

fn main() {
    let rt = tokio::runtime::Builder::new_current_thread()
        .enable_all()
        .build()
        .unwrap();

    let listeners = rt.block_on(init());

    // At this point, sockets are bound and we can send data safely
    loop {
        fuzz!(|data: &[u8]| {
            for l in &listeners {
                fuzz_listener(data, l.addr().port());
                let _ = rt.block_on(l.handle_one());
            }
        })
    }
}
Note: the issue is the same regardless of the kind of tokio runtime used (new_current_thread() and new_multi_thread() both trigger the same behavior).
I'm running the fuzzing procedure with the following command:
$ RUSTFLAGS="-Z new-llvm-pass-manager=no -Z sanitizer=address" HFUZZ_RUN_ARGS="-t 10 -n 4 --tmout_sigvtalrm" cargo +nightly hfuzz run listeners_raw
-Z new-llvm-pass-manager=no is because of #61.
I introduced a panic when receiving a specific pattern of bytes on the listener side just to test it out. This causes the program to crash quickly enough:
Sz:1566 Tm:252us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/17
Sz:268 Tm:425us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/3
Sz:264 Tm:2,827us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/29
Crash (dup): 'hfuzz_workspace/listeners_raw/SIGABRT.PC.7ffff794b24c.STACK.f05f9f061.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz' already exists, skipping
Sz:266 Tm:374us (i/b/h/e/p/c) New:0/0/0/3/0/4, Cur:0/0/0/3/0/2
Sz:452 Tm:918us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/12
Crash (dup): 'hfuzz_workspace/listeners_raw/SIGABRT.PC.7ffff794b24c.STACK.f05f9f061.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz' already exists, skipping
Crash (dup): 'hfuzz_workspace/listeners_raw/SIGABRT.PC.7ffff794b24c.STACK.f05f9f061.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz' already exists, skipping
Sz:271 Tm:516us (i/b/h/e/p/c) New:0/0/0/1/0/59, Cur:0/0/0/3/0/13
Sz:5026 Tm:346us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/1
Sz:78 Tm:543us (i/b/h/e/p/c) New:0/0/0/2/0/19, Cur:0/0/0/2/0/23
Sz:149 Tm:401us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/1
Sz:269 Tm:1,005us (i/b/h/e/p/c) New:0/0/0/0/0/4, Cur:0/0/0/0/0/11
Sz:372 Tm:665us (i/b/h/e/p/c) New:0/0/0/0/0/3, Cur:0/0/0/0/0/38
Sz:156 Tm:547us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/16
Sz:8192 Tm:568us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/9
Sz:129 Tm:559us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/5
Sz:279 Tm:510us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/16
Sz:264 Tm:548us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/51
Sz:387 Tm:591us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/5
Sz:164 Tm:470us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/16
Sz:582 Tm:485us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/5
Sz:378 Tm:508us (i/b/h/e/p/c) New:0/0/0/1/0/0, Cur:0/0/0/1/0/8
Sz:82 Tm:315us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/12
Sz:273 Tm:654us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/16
Sz:164 Tm:643us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/16
Sz:136 Tm:573us (i/b/h/e/p/c) New:0/0/0/0/0/3, Cur:0/0/0/0/0/7
Crash (dup): 'hfuzz_workspace/listeners_raw/SIGABRT.PC.7ffff794b24c.STACK.f05f9f061.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz' already exists, skipping
[2022-01-11T11:51:04-0500][W][41564] subproc_checkTimeLimit():529 pid=41571 took too much time (limit 10 s). Killing it with SIGVTALRM
[2022-01-11T11:51:04-0500][W][41565] subproc_checkTimeLimit():529 pid=41570 took too much time (limit 10 s). Killing it with SIGVTALRM
[2022-01-11T11:51:04-0500][W][41563] subproc_checkTimeLimit():529 pid=41568 took too much time (limit 10 s). Killing it with SIGVTALRM
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41563] subproc_checkTimeLimit():522 pid=41568 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41563] subproc_checkTimeLimit():522 pid=41568 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41563] subproc_checkTimeLimit():522 pid=41568 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
…-- continue --…
However, it appears the crashed threads are not able to continue fuzzing and I get the warning above ad vitam aeternam, and no progress can be made anymore. The behavior is the same regardless of --tmout_sigvtalrm.
Since updating to version 0.5.41, we see termination failures like
Size:407 (i,b,hw,edge,ip,cmp): 0/0/0/3/0/1, Tot:0/0/0/8005/15/167155
Entering phase 2/2: Dynamic Main
Size:788 (i,b,hw,edge,ip,cmp): 0/0/0/0/0/3, Tot:0/0/0/8005/15/167158
Terminating thread no. #0, left: 3
Terminating thread no. #2, left: 1
[2019-02-18T13:16:27+0000][W][14] main():254 pthread_kill(thread=0, SIGUSR1): Interrupted system call
[2019-02-18T13:16:27+0000][W][14] main():254 pthread_kill(thread=2, SIGUSR1): Interrupted system call
Terminating forcefully
repeatedly in our CI. We don't think that anything changed on the host that runs the fuzzing job but more importantly we are not sure where to start investigating. Any ideas what could have caused this?
I tried to update honggfuzz-rs to use google/honggfuzz@d1de86d (2.0) today, but the linking fails when it tries to build the hfuzz binary for the example.
The main goal was to get #26 running using --minimize, but the weird part is that even when I comment out the example part from test.sh, running hfuzz afterwards still doesn't know the parameter. So either I'm doing something wrong or it's just building the wrong version.
Either way, I'm opening this issue in the hopes that this project is not dead and someone more qualified than me can resolve this. I tried afl, and honestly it kind of sucks because it's not multi-threaded, so you'd need to keep several instances open. Same goes for cargo-fuzz, which uses libFuzzer - it's better but not reliable, as the forking option is experimental and can sometimes not close correctly if you just want it running while collecting crash files (instead of instantly stopping as soon as a crash occurred).
All in all, honggfuzz, and with it this project, is my absolute favourite, and I hope someone takes the time to update it.