rust-fuzz / honggfuzz-rs Goto Github PK

View Code? Open in Web Editor NEW

438.0 6.0 41.0 232 KB

Fuzz your Rust code with Google-developed Honggfuzz !

Home Page: https://crates.io/crates/honggfuzz

License: Apache License 2.0

Rust 87.99% Shell 9.66% Nix 2.34%

fuzz fuzzer honggfuzz rust fuzzing fuzz-testing security security-tools security-testing crates

honggfuzz-rs's People

Contributors

Stargazers

Watchers

honggfuzz-rs's Issues

Build fails because of missing bfd_get_* functions

As can be seen in the following commit history, this was fixed in early January, but the current honggfuzz version is from early December of last year.

https://github.com/google/honggfuzz/commits/master/linux/bfd.c

Compilation currently fails on my system because of this.

--- stderr
linux/bfd.c: In Funktion »arch_getSectionForPc«:
linux/bfd.c:125:36: Fehler: Implizite Deklaration der Funktion »bfd_get_section_vma«; meinten Sie »bfd_set_section_vma«? [-Werror=implicit-function-declaration]
  125 |         uintptr_t vma = (uintptr_t)bfd_get_section_vma(bfdh, section);
      |                                    ^~~~~~~~~~~~~~~~~~~
      |                                    bfd_set_section_vma
linux/bfd.c:126:35: Fehler: Implizite Deklaration der Funktion »bfd_get_section_size«; meinten Sie »bfd_set_section_size«? [-Werror=implicit-function-declaration]
  126 |         uintptr_t sz = (uintptr_t)bfd_get_section_size(section);
      |                                   ^~~~~~~~~~~~~~~~~~~~
      |                                   bfd_set_section_size
cc1: Alle Warnungen werden als Fehler behandelt
make: *** [Makefile:249: linux/bfd.o] Fehler 1
thread 'main' panicked at 'assertion failed: status.success()', /home/btr/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.46/build.rs:46:5

I'm sorry for the German text in there but I'm sure its still readable.

In the meantime, I'll use docker.

Thanks so much for updating to 2.0, I really appreciate it :)

Shrinking test cases

Is there an API that would yield the cov code of a given vector?
I'd like to be able to shrink test cases using custom code (truncating to a length determined from contents, for example), and such an API would provide a convenient way to do it.
Alternatively, a way to provide a function that yields shrink candidates would also work.
Or any other convenient way to achieve the same goal of shrinking test cases.

Add --help

Hey,

It would be nice to add --help to display a more descriptive help for cargo hfuzz as currently it only lists the possible commands:

$ cargo hfuzz --help
possible commands are: run, run-no-instr, run-debug, build, build-no-instr, build-debug, clean, version

Rust 1.30 broke honggfuzz builds

(at least on travis). See, eg, build at https://travis-ci.org/rust-bitcoin/rust-lightning/jobs/446288104 which fails with "note: /usr/bin/ld: __sancov_guards has both ordered [`__sancov_guards' in /home/travis/build/rust-bitcoin/rust-lightning/fuzz/hfuzz_target/x86_64-unknown-linux-gnu/release/deps/chanmon_deser_target-b3cbf469215400a7.chanmon_deser_target.7gmhrznz-cgu.1.rcgu.o] and unordered [`__sancov_guards' in /home/travis/build/rust-bitcoin/rust-lightning/fuzz/hfuzz_target/x86_64-unknown-linux-gnu/release/deps/chanmon_deser_target-b3cbf469215400a7.chanmon_deser_target.7gmhrznz-cgu.1.rcgu.o] sections"

build fails on 2.1 with probably fixed issue in 2.2

The current version of honggfuzz-rs has a bug that was fixed in honggfuzz 2.2. It is now affecting our CI:

--- stderr
/usr/bin/ld: cannot find -llzma
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [honggfuzz] Error 1
thread 'main' panicked at 'assertion failed: status.success()', /builds/<redacted>/cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.48/build.rs:46:5

Version 2.2 of honggfuzz mentions a "fixed linking with ld.lld" which would probably resolve this. I don't have much time to test it though, so an update is very much appreciated!

Remove useless/harmful coverage options

see rust-fuzz/cargo-fuzz#229

honggfuzz-rs does not currently support Windows

Hello,
I am trying to install honggfuzz-rs but I am facing this issue:

honggfuzz-rs does not currently support Windows but works well under WSL (Windows Subsystem for Linux)

Crash when running in debug mode

Not sure if this is an issue with rust-honggfuzz or rust or my sistem:
I am using:

rustc 1.45.2 (d3fb005a3 2020-07-31)
rustc 1.45.2 (d3fb005a3 2020-07-31)
Pop_os 19:10(ubuntu base distro)

invoking:
env HFUZZ_RUN_ARGS="--exit_upon_crash" cargo hfuzz run sound_producer my_input

does not give any errors, but calling the same with:

env HFUZZ_RUN_ARGS="--exit_upon_crash" cargo hfuzz run-debug sound_producer my_input

got the following:

(lldb) command script import "/home/neithanmo/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/etc/lldb_rust_formatters.py"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/lldb/__init__.py", line 255, in <module>
    eFormatUnicode8 = _lldb.eFormatUnicode8
AttributeError: module '_lldb' has no attribute 'eFormatUnicode8'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
Traceback (most recent call last):
  File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
Traceback (most recent call last):
  File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
Traceback (most recent call last):
  File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
Traceback (most recent call last):
  File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
Traceback (most recent call last):
  File "<string>", line 1, in <module>
NameError: name 'run_one_line' is not defined
error: module importing failed: module '_lldb' has no attribute 'eFormatUnicode8'
  File "temp.py", line 1, in <module>
  File "/home/neithanmo/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/etc/lldb_rust_formatters.py", line 1, in <module>
    import lldb
  File "/usr/lib/python3/dist-packages/lldb/__init__.py", line 255, in <module>
    eFormatUnicode8 = _lldb.eFormatUnicode8

however, switching to nightly and running in debug mode gives me a different error:

error: file specified in --source (-s) option doesn't exist: './lldb_commands'

Someone has any advice on what the solution would be?

thanks in advance.

Raspberry PI (Raspbian)

I figured out to use hongfuzz with Raspbian 10 (buster). I had to add the following environment variables to compile it:

LDFLAGS="-lm -latomic -lc" RUSTFLAGS="-C link-arg=-latomic" cargo hfuzz run decode_encode_decode

Maybe add this to the documentation?

Support passing features to Cargo

I created a bin target for using Honggfuzz with my library (reverted on master because of this issue and also because cargo-fuzz works on WSL now):

However, I cannot pass the honggfuzz feature to Cargo because the cargo-hfuzz executable doesn't support it.

On Debian I also needed liblzma-dev as prerequisite

When trying to run the example:

cc -o honggfuzz cmdline.o display.o fuzz.o honggfuzz.o input.o mangle.o report.o sanitizers.o socketfuzzer.o subproc.o linux/arch.o linux/bfd.o linux/perf.o linux/pt.o linux/trace.o linux/unwind.o libhfcommon/libhfcommon.a  -pthread -lm -L/usr/local/include -lunwind-ptrace -lunwind-generic -lunwind  -llzma -lopcodes -lbfd -lrt -ldl -lm -g -ggdb -g3
Makefile:275: recipe for target 'honggfuzz' failed
make: Leaving directory '/home/eddy/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.49/honggfuzz'

--- stderr
/usr/bin/ld: cannot find -llzma
collect2: error: ld returned 1 exit status
make: *** [honggfuzz] Error 1

After installing it, it works fine:

------------------------[  0 days 00 hrs 02 mins 22 secs ]----------------------
  Iterations : 33843329 [33.84M]
  Mode [3/3] : Feedback Driven Mode
      Target : hfuzz_target/x86_64-unknown-linux-gnu/release/example
     Threads : 4, CPUs: 8, CPU%: 529% [66%/CPU]
       Speed : 229686/sec [avg: 238333]
     Crashes : 0 [unique: 0, blacklist: 0, verified: 0]
    Timeouts : 0 [1 sec]
 Corpus Size : 74, max: 8192 bytes, init: 0 files
  Cov Update : 0 days 00 hrs 00 mins 05 secs ago
    Coverage : edge: 37/80 [46%] pc: 1 cmp: 420
---------------------------------- [ LOGS ] ------------------/ honggfuzz 2.2 /-
 z:6 Tm:20us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/2

`fuzz!` macro doesn't support mutable bindings

Test case resembles:

        fuzz!(|mut data: &[u8]| {
            loop {
                match hubpack::deserialize::<Structy>(data) {
                    Err(_) => break,
                    Ok((_, rest)) => data = rest,
                }
            }
        });

Alas:

28 |         fuzz!(|mut data: &[u8]| {
   |                    ^^^^ no rules expected this token in macro call

I assume the fuzz! macro is currently parsing the closure header too narrowly.

Build failures in version 0.5.47

We recently updated our honggfuzz dependency to 0.5.47 and started seeing the following build errors within our Debian Jessie based build container:

make: Entering directory '/usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.47/honggfuzz'
rm -f -r core Makefile.bak cmdline.o display.o fuzz.o honggfuzz.o input.o mangle.o report.o sanitizers.o socketfuzzer.o subproc.o linux/arch.o linux/bfd.o linux/perf.o linux/pt.o linux/trace.o linux/unwind.o honggfuzz hfuzz_cc/hfuzz-cc libhfuzz/libhfuzz.a libhfuzz/libhfuzz.so libhfuzz/fetch.o libhfuzz/instrument.o libhfuzz/linux.o libhfuzz/memorycmp.o libhfuzz/persistent.o libhfcommon/libhfcommon.a libhfcommon/files.o libhfcommon/log.o libhfcommon/ns.o libhfcommon/util.o libhfnetdriver/libhfnetdriver.a libhfnetdriver/netdriver.o  obj libs ./*.o ./*~ ./core ./*.a ./*.dSYM ./*.la ./*.so ./*.dylib linux/*.o linux/*~ linux/core linux/*.a linux/*.dSYM linux/*.la linux/*.so linux/*.dylib mac/*.o mac/*~ mac/core mac/*.a mac/*.dSYM mac/*.la mac/*.so mac/*.dylib netbsd/*.o netbsd/*~ netbsd/core netbsd/*.a netbsd/*.dSYM netbsd/*.la netbsd/*.so netbsd/*.dylib posix/*.o posix/*~ posix/core posix/*.a posix/*.dSYM posix/*.la posix/*.so posix/*.dylib libhfuzz/*.o libhfuzz/*~ libhfuzz/core libhfuzz/*.a libhfuzz/*.dSYM libhfuzz/*.la libhfuzz/*.so libhfuzz/*.dylib libhfcommon/*.o libhfcommon/*~ libhfcommon/core libhfcommon/*.a libhfcommon/*.dSYM libhfcommon/*.la libhfcommon/*.so libhfcommon/*.dylib libhfnetdriver/*.o libhfnetdriver/*~ libhfnetdriver/core libhfnetdriver/*.a libhfnetdriver/*.dSYM libhfnetdriver/*.la libhfnetdriver/*.so libhfnetdriver/*.dylib
make: Leaving directory '/usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.47/honggfuzz'
make: Entering directory '/usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.47/honggfuzz'
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o cmdline.o cmdline.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o display.o display.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o fuzz.o fuzz.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o honggfuzz.o honggfuzz.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o input.o input.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o mangle.o mangle.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o report.o report.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o sanitizers.o sanitizers.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o socketfuzzer.o socketfuzzer.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o subproc.o subproc.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o linux/arch.o linux/arch.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o linux/bfd.o linux/bfd.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o linux/perf.o linux/perf.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o linux/pt.o linux/pt.c
cc -c -O3 -mtune=native -funroll-loops -std=c11 -I/usr/local/include -D_GNU_SOURCE -Wall -Wextra -Werror -Wno-format-truncation -Wno-override-init -I. -D_FILE_OFFSET_BITS=64 -D_HF_ARCH_LINUX -g -ggdb -g3  -o linux/trace.o linux/trace.c
Makefile:251: recipe for target 'linux/trace.o' failed
make: Leaving directory '/usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.47/honggfuzz'

--- stderr
linux/trace.c: In function 'arch_traceSaveData':
linux/trace.c:528:5: error: missing initializer for field 'si_signo' of 'siginfo_t' [-Werror=missing-field-initializers]
     siginfo_t si = {};
     ^
In file included from /usr/include/signal.h:80:0,
                 from /usr/include/x86_64-linux-gnu/sys/param.h:28,
                 from ./honggfuzz.h:33,
                 from ./linux/trace.h:29,
                 from linux/trace.c:24:
/usr/include/x86_64-linux-gnu/bits/siginfo.h:64:9: note: 'si_signo' declared here
     int si_signo;  /* Signal number.  */
         ^
linux/trace.c: At top level:
cc1: error: unrecognized command line option "-Wno-format-truncation" [-Werror]
cc1: all warnings being treated as errors
make: *** [linux/trace.o] Error 1

honggfuzz also depends on lzma library

I installed binutils-devel and libunwind-devel on Fedora 32 (as readme suggest), but got error about missing lzma library (-llzma)
In case of Fedora, xz-devel is also needed
~~EDIT: run-debug also requires LLDB~~

MSRV Policy/Disable arbitrary via feature

It seems the update to arbitrary 1.0 requires const generics, which were stabilized only incredibly recently (March of this year). This breaks most distro rustc users as relatively few distros have shipped 1.51 into their normal release channels. The requiring of super recent rustc in a minor-minor version is somewhat surprising, and broke some of our build pipeline.

Is it possible to define the MSRV policy and maybe make the arbitrary feature optional, given its not required unless you want the fuzzer to map the types automagically?

Missing `extern crate arbitrary` error

The fuzz!() macro uses items from the arbitrary crate but does not declare extern crate arbitrary (it probably needs to be pub extern crate arbitrary for the macro to use it). The arbitrary crate should be added to this crate's dependencies and then imports from arbitrary can be prefixed by the $crate metavar (references to honggfuzz should be replaced with $crate as well or else if the user renames it with extern crate honggfuzz as ... then it will not be found).

Fixed fuzz!() macro:

macro_rules! fuzz {
    (|$buf:ident| $body:block) => {
        $crate::fuzz(|$buf| $body);
    };
    (|$buf:ident: &[u8]| $body:block) => {
        $crate::fuzz(|$buf| $body);
    };
    (|$buf:ident: $dty: ty| $body:block) => {
        $crate::fuzz(|$buf| {
            let $buf: $dty = {
                use $crate::arbitrary::{Arbitrary, RingBuffer};
                if let Ok(d) = RingBuffer::new($buf, $buf.len()).and_then(|mut b|{
                        Arbitrary::arbitrary(&mut b).map_err(|_| "")
                    }) {
                    d
                } else {
                    return
                }
            };

            $body
        });
    };
}

Address sanitizer(ASAN) flag doesn't seem to work

I want to use honggfuzz-rs to fuzz some unsafe code, however, the ASAN doesn't seem to work. For example, I use the code just from the example directory, and replace the code in main.rs with

#[macro_use] extern crate honggfuzz;

fn main() {
    loop {
        fuzz!(|data: &[u8]| {
            // use after free bug
            let xs = vec![0, 1, 2, 3];
            let y = xs.as_ptr();
            drop(xs);
            let z = unsafe { *y };
        });
    }
}

I fuzz the project with

RUSTFLAGS="-Z sanitizer=address" cargo hfuzz run example

However, the fuzzer can not detect the bug(Theres should be only one path).
There's one warning message from honggfuzz.

I hope you can check if this can work properly. Thanks a lot.

Fuzz testing on 32 bits

In https://github.com/rust-bitcoin/rust-bitcoin/ we have some potential issues on 32 bits architectures because usize is obviously different on this architecture.

Since 32 bits software could run on 64 bits machine, I would have liked fuzzing with a target different than the host machine, like i686-unknown-linux-gnu but I have seen is not possible to specify a different triplet than the host system with cargo hfuzz

honggfuzz-rs/src/bin/cargo-hfuzz.rs

Line 23 in f45aef1

fn target_triple() -> String {

I would like to know if this is some issue only of how parameters are handled in cargo hfuzz or if there are inherently other issues in the fuzzing process on 32 bits (on a 64 bits host)

Example Build Failed

I have followed the guidance provided here, but could not succeeded with following error..

error: failed to run custom build command for honggfuzz v0.5.45 (/mnt/c/Users/Ali/honggfuzz-rs)

Caused by:
process didn't exit successfully: /mnt/c/Users/Ali/honggfuzz-rs/example/hfuzz_target/release/build/honggfuzz-e77bf1f3f654a6c3/build-script-build (exit code: 101)
--- stdout
make: Entering directory '/mnt/c/Users/Ali/honggfuzz-rs/honggfuzz'
make: Leaving directory '/mnt/c/Users/Ali/honggfuzz-rs/honggfuzz'

--- stderr
make: *** No rule to make target 'clean'. Stop.
thread 'main' panicked at 'assertion failed: status.success()', /mnt/c/Users/Ali/honggfuzz-rs/build.rs:38:5
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace.

warning: build failed, waiting for other jobs to finish...
error: build failed

Build with profiling

It would be nice to have a build-grcov command that would build honggfuzz-rs with profiling support, so the fuzzed binary can later be run with all fuzzing-generated inputs and crashes to get the coverage data, e.g. through Mozilla's grcov.

This, more or less requires the build to use the following flags:

CARGO_INCREMENTAL=0 RUSTFLAGS='-Zprofile -Ccodegen-units=1 -Cinline-threshold=0 -Clink-dead-code -Coverflow-checks=off -Zno-landing-pads'

Large fuzz target fails due to _HF_PC_GAURD_MAX being too small

Our CI fuzzing recently broke as our fuzz target became too large so that honggfuzz would fail with errors like This process has too many PC guards. It seems this is based on a hard-coded constant _HF_PC_GUARD_MAX in the honggfuzz.h header which can only be changed when honggfuzz is built.

Hence, for now I resorted to adding

// increase _HF_PC_GUARD_MAX
let status = Command::new("sed")
    .args(&["-e", "s/^#define _HF_PC_GUARD_MAX .*/#define _HF_PC_GUARD_MAX (2U * 1024U * 1024U * 16U)/", "-i", "honggfuzz/honggfuzz.h"])
    .status()
    .expect("failed to patch hongfuzz.h using sed");
assert!(status.success());

to this crate's build script.

Would this be something you would accept upstream (controlled via an environment variable by the Cargo hfuzz subcommand)? Do you have any other ideas how to avoid this problem? Thank you for your help!

Honggfuzz with memory sanitizer always fails

I am not sure if this is technically and issue with honggfuzz-rs or some other part of the pipeline, but I noticed that when using the memory sanitizer, there will always be at least 1 unique failure even if using an empty fuzz target.

To reproduce, use this fuzz target:
fuzz!(|_data: &[u8]| { return });
run it with the memory sanitizer:
RUSTFLAGS="-Z sanitizer=memory" cargo hfuzz run hfuzz

will get one unique error:
Crash (dup): 'hfuzz_workspace/hfuzz/SIGABRT.PC.7ffff7dc6755.STACK.192f69358f.CODE.-6.ADDR.(nil).INSTR.mov____0x108(%rsp),%rax.fuzz' already exists, skipping [2019-10-09T23:26:46-0700][W][28005] arch_checkWait():248 Persistent mode: pid=28308 exited with status: SIGNALED, signal: 6 (Aborted)

When running in debug, the actual error is: Uninitialized bytes in __interceptor_memchr at offset 0 inside [0x701000000000, 4 and it doesn't give a backtrace.

0.5.50 always fails build

As of the update today, it seems our fuzzers always fail to build. See CI run here: https://github.com/rust-bitcoin/rust-lightning/pull/688/checks?check_run_id=1104734709, or local logs:

matt@cdev1:~/Documents/Projects/Bitcoin/rust-lightning-2/fuzz$ export PATH=$PATH:/home/matt/.cargo/bin
matt@cdev1:~/Documents/Projects/Bitcoin/rust-lightning-2/fuzz$ HFUZZ_BUILD_ARGS="--features honggfuzz_fuzz" cargo hfuzz build
/usr/bin/ld.gold
   Compiling honggfuzz v0.5.50
   Compiling secp256k1-sys v0.2.0
error: failed to run custom build command for `honggfuzz v0.5.50`

Caused by:
  process didn't exit successfully: `/home/matt/Documents/Projects/Bitcoin/rust-lightning-2/fuzz/hfuzz_target/release/build/honggfuzz-9a99ce2b93b654e1/build-script-build` (exit code: 101)
--- stderr
make: *** honggfuzz: No such file or directory.  Stop.
thread 'main' panicked at 'assertion failed: status.success()', /home/matt/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.50/build.rs:38:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

warning: build failed, waiting for other jobs to finish...
error: build failed

Crashes not recognized as unique

Hi,
I have a minimal code example where I would expect to find three unique crashes. However the fuzzer classifies the bugs as identical and therefore only one unique crash file is saved.

use honggfuzz::fuzz;

const MAGIC_NUMBER: u8 = 254;

fn main() {
    loop {
        fuzz!(|data: &[u8]| {
            if data.len() != 2 {
                return;
            }

            let _ = buggy_math_function(data[0], data[1]);

            panic_function(data[0]);
        });
    }
}

pub fn buggy_math_function(input1: u8, input2: u8) -> u8 {
    // causes div-by-zero if input2 == 254
    // causes subtract with overflow if input2 == 255 because overflow-checks = true for profile.release
    let divisor = MAGIC_NUMBER - input2;
    input1 / divisor
}

pub fn panic_function(input1: u8) {
    // panics if input1 == 97
    if input1 == b'a' {
        panic!("BOOM")
    }
}

If I pass the --save_all option to honggfuzz to save all crashes, I can find all expected three crash cases (input1 = 97, input2 = 254 or 255), so it does not look the code was somehow optimized to prevent the bugs. However the crash names are all with the same filename SIGABRT.PC.7ffff7c8e83c.STACK.d0d9781a0.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebx.2023-08-30.15:55:32.535662.fuzz besides the time-stamp.
If I replay the crashes in debug environment, the stack traces are different as I would expect but then I don't understand why the stack signature in the crash filenames is always the same. Also the error messages are as expected.
If I correct the bugs one by one and run the fuzzer after each fix, the next unique crash is found until all bugs are fixed.
I tried to use also the AFL fuzzer with the exact same code and it works just fine as expected (3 unique crashes are found).
I tried to play (kind of randomly) with the --codegen opt-level and llvm-args parameters but with no luck.

My setup:

x86_64 GNU/Linux
cargo-hfuzz 0.5.55
rustc 1.70.0 (90c541806 2023-05-31)

Any help or hints are appreciated.

Compilation fails on macOS 10.13.3

Just tried this out on macOS 10.13.3, but running into this compiler error when I build the crate:

corey@mac /p/t/hong> cargo hfuzz run hong
   Compiling honggfuzz v0.5.3
error: failed to run custom build command for `honggfuzz v0.5.3`
process didn't exit successfully: `/private/tmp/hong/hfuzz_target/release/build/honggfuzz-aa6fe05b2573cde2/build-script-build` (exit code: 101)
--- stdout
rm -f -r core Makefile.bak cmdline.o display.o fuzz.o honggfuzz.o input.o mangle.o report.o sancov.o sanitizers.o socketfuzzer.o subproc.o mac/arch.o mac/mach_excServer.o mac/mach_excUser.o honggfuzz hfuzz_cc/hfuzz-cc libhfuzz/libhfuzz.a libhfuzz/instrument.o libhfuzz/linux.o libhfuzz/main.o libhfuzz/memorycmp.o libhfuzz/persistent.o libhfcommon/libhfcommon.a libhfcommon/files.o libhfcommon/log.o libhfcommon/ns.o libhfcommon/util.o libhfnetdriver/libhfnetdriver.a libhfnetdriver/netdriver.o mac/mach_exc.h mac/mach_excServer.c mac/mach_excServer.h mac/mach_excUser.c obj libs ./*.o ./*~ ./core ./*.a ./*.dSYM ./*.la ./*.so ./*.dylib linux/*.o linux/*~ linux/core linux/*.a linux/*.dSYM linux/*.la linux/*.so linux/*.dylib mac/*.o mac/*~ mac/core mac/*.a mac/*.dSYM mac/*.la mac/*.so mac/*.dylib posix/*.o posix/*~ posix/core posix/*.a posix/*.dSYM posix/*.la posix/*.so posix/*.dylib libhfuzz/*.o libhfuzz/*~ libhfuzz/core libhfuzz/*.a libhfuzz/*.dSYM libhfuzz/*.la libhfuzz/*.so libhfuzz/*.dylib libhfcommon/*.o libhfcommon/*~ libhfcommon/core libhfcommon/*.a libhfcommon/*.dSYM libhfcommon/*.la libhfcommon/*.so libhfcommon/*.dylib libhfnetdriver/*.o libhfnetdriver/*~ libhfnetdriver/core libhfnetdriver/*.a libhfnetdriver/*.dSYM libhfnetdriver/*.la libhfnetdriver/*.so libhfnetdriver/*.dylib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o cmdline.o cmdline.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o display.o display.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o fuzz.o fuzz.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o honggfuzz.o honggfuzz.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o input.o input.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o mangle.o mangle.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o report.o report.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o sancov.o sancov.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o sanitizers.o sanitizers.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o socketfuzzer.o socketfuzzer.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o subproc.o subproc.c
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc -c -O3 -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. -arch x86_64 -std=c99 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk -x objective-c -pedantic -fblocks -Wimplicit -Wunused -Wcomment -Wchar-subscripts -Wuninitialized -Wreturn-type -Wpointer-arith -Wno-gnu-case-range -Wno-gnu-designator -Wno-deprecated-declarations -Wno-unknown-pragmas -Wno-attributes -Wno-initializer-overrides -Wno-unknown-warning-option -Wno-gnu-empty-initializer -Wno-format-pedantic -Wno-gnu-statement-expression -D_HF_ARCH_DARWIN -fblocks -o mac/arch.o mac/arch.c

--- stderr
mac/arch.c:61:10: fatal error: 'mach_exc.h' file not found
#include "mach_exc.h"
         ^~~~~~~~~~~~
1 error generated.
make: *** [mac/arch.o] Error 1
thread 'main' panicked at 'assertion failed: status.success()', /Users/corey/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.3/build.rs:34:5
note: Run with `RUST_BACKTRACE=1` for a backtrace.

Not sure if this is a problem upstream, or if there's something that needs to be changed in the build logic in this crate, or if there's something wrong with my setup. Hmm

Non-x86 platforms fail to build

See upstream issue at google/honggfuzz#243

better example showing use case with `Arbitrary`

While having a basic example is good, it would be nice to show a more advanced example too, i.e. one that covers using arbitrary to get started more quickly.

I am happy to do a PR if that'd be viable addition to the examples.

Synchronize API with AFL.rs

rust-fuzz/afl.rs#137
rust-fuzz/afl.rs#31
rust-fuzz/rfcs#1

upgrade from 0.5.52 to 0.5.53 breaks

error: failed to run custom build command for `honggfuzz v0.5.53`

Caused by:
  process didn't exit successfully: `/media/supersonic1t/projects/parity/rsc-perf/fuzzit/hfuzz_target/release/build/honggfuzz-e79e9d36b487ef79/build-script-build` (exit code: 1)
  --- stderr
  honggfuzz dependency (0.5.53) and build command (0.5.52) versions do not match

happens since the update in Cargo.toml.

Not working on MacOS

Build script does not trigger making required artifacts for MacOS.

/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libhfcommon/libhfcommon.a(ns.o) has no symbols
Undefined symbols for architecture x86_64:
  "_mach_exc_server", referenced from:
      _wait_for_exception in arch.o
ld: symbol(s) not found for architecture x86_64

You can see how it can be hacked around in here.

`memmap` is unmaintained (RUSTSEC-2020-0077)

See: https://rustsec.org/advisories/RUSTSEC-2020-0077.html

An alternative is https://github.com/RazrFalcon/memmap2-rs

honggfuzz does not build with recent versions of the Linux headers

Looks like this was fixed upstream in google/honggfuzz@90fdf81 -- but on my system I get

  linux/bfd.c: In function ‘arch_bfdDisasm’:
  linux/bfd.c:231:5: error: too few arguments to function ‘init_disassemble_info’
    231 |     init_disassemble_info(&info, instr, arch_bfdFPrintF);
        |     ^~~~~~~~~~~~~~~~~~~~~
  In file included from linux/bfd.c:29:
  /usr/include/dis-asm.h:472:13: note: declared here
    472 | extern void init_disassemble_info (struct disassemble_info *dinfo, void *stream,
        |             ^~~~~~~~~~~~~~~~~~~~~
  make: *** [Makefile:259: linux/bfd.o] Error 1

with honggfuzz 0.5.54.

Exit code is 0 even if there is crash or timeout

Can't use references in `fuzz!` macro due to `SafeUnwind` requirement

I haven't thought through the full repercussions of a change like this, but the SafeUnwind requirement is causing some performance issues in that there's not as that can be setup outside of the main fuzzing loop, which causes a lot of avoidable initialization overhead in some fuzz tests.

I'm wondering if, in lieu of just taking this change as is, offering an alternative macro that doesn't require SafeUnwind would be something you're interested in?

Example diff:
mcginty@66b32e1

EDIT: just noticed #8, which is trying to fix the same problem in a different way. Leaving this open for discussion.

Add honggfuzz coverage-based minimizer.

@robertswiecki has implemented a coverage-based minimizer in honggfuzz recently.

google/honggfuzz#195 (comment)

It will be awesome to have this feature available over cargo like:
cargo hfuzz cmin ...

`failed to run LLVM passes: unknown pass name 'sancov'` when running hfuzz with rustc 1.57.0

Hi,
I'm having troubles running hfuzz in a CI environment.
The error I'm getting:

RUST_BACKTRACE="full" HFUZZ_RUN_ARGS="--exit_upon_crash --iterations 10000 -v --timeout 2 --input coordinatord_fuzz_corpus" cargo hfuzz run send_msg && cd ..
/usr/bin/ld.gold
    Updating crates.io index
    Updating git repository `https://github.com/revault/revault_net`
    Updating git repository `https://github.com/revault/revault_tx`
 Downloading crates ...
  Downloaded block-buffer v0.9.0
  Downloaded lazy_static v1.4.0
  Downloaded log v0.4.14
  Downloaded futures-executor v0.3.17
  Downloaded futures-core v0.3.17
  Downloaded getrandom v0.2.3
  Downloaded ed25519 v1.2.0
  Downloaded crypto-mac v0.10.1
  Downloaded instant v0.1.11
  Downloaded ppv-lite86 v0.2.10
  Downloaded subtle v2.4.1
  Downloaded stringprep v0.1.2
  Downloaded socket2 v0.4.2
  Downloaded semver v0.9.0
  Downloaded opaque-debug v0.3.0
  Downloaded num-integer v0.1.44
  Downloaded num-traits v0.2.14
  Downloaded parking_lot_core v0.8.5
  Downloaded parking_lot v0.11.2
  Downloaded proc-macro-nested v0.1.7
  Downloaded proc-macro-hack v0.5.19
  Downloaded pin-project-lite v0.2.7
  Downloaded unicode-bidi v0.3.6
  Downloaded byteorder v1.4.3
  Downloaded cpufeatures v0.2.1
  Downloaded cc v1.0.70
  Downloaded futures-task v0.3.17
  Downloaded futures-channel v0.3.17
  Downloaded chrono v0.4.19
  Downloaded version_check v0.9.3
  Downloaded same-file v1.0.6
  Downloaded serde_derive v1.0.130
  Downloaded time v0.1.43
  Downloaded walkdir v2.3.2
  Downloaded tokio-macros v1.3.0
  Downloaded tokio-util v0.6.8
  Downloaded lock_api v0.4.5
  Downloaded pkg-config v0.3.20
  Downloaded postgres-types v0.2.1
  Downloaded dirs v3.0.2
  Downloaded scopeguard v1.1.0
  Downloaded signature v1.3.1
  Downloaded sha2 v0.9.8
  Downloaded miniscript v6.0.1
  Downloaded semver-parser v0.7.0
  Downloaded rand_core v0.5.1
  Downloaded typenum v1.14.0
  Downloaded unicode-normalization v0.1.19
  Downloaded toml v0.5.8
  Downloaded rand v0.8.4
  Downloaded syn v1.0.77
  Downloaded num_cpus v1.13.0
  Downloaded smallvec v1.6.1
  Downloaded serde_json v1.0.68
  Downloaded revault_tx v0.3.0
  Downloaded proc-macro2 v1.0.29
  Downloaded secp256k1-sys v0.4.1
  Downloaded tinyvec v1.5.0
  Downloaded tokio-postgres v0.7.2
  Downloaded secp256k1 v0.20.3
  Downloaded postgres-protocol v0.6.1
  Downloaded snow v0.7.2
  Downloaded fern v0.5.9
  Downloaded bitcoin v0.27.1
  Downloaded rustc_version v0.2.3
  Downloaded phf v0.8.0
  Downloaded percent-encoding v2.1.0
  Downloaded bitcoin_hashes v0.10.0
  Downloaded bech32 v0.8.1
  Downloaded phf_shared v0.8.0
  Downloaded slab v0.4.4
  Downloaded siphasher v0.3.7
  Downloaded md-5 v0.9.1
  Downloaded futures-util v0.3.17
  Downloaded futures-io v0.3.17
  Downloaded tokio v1.12.0
  Downloaded tinyvec_macros v0.1.0
  Downloaded daemonize-simple v0.1.5
  Downloaded unicode-xid v0.2.2
  Downloaded ryu v1.0.5
  Downloaded serde v1.0.130
  Downloaded rand_core v0.6.3
  Downloaded quote v1.0.9
  Downloaded rand_chacha v0.3.1
  Downloaded futures-sink v0.3.17
  Downloaded dirs-sys v0.3.6
  Downloaded digest v0.9.0
  Downloaded bytes v1.1.0
  Downloaded sodiumoxide v0.2.7
  Downloaded base64 v0.13.0
  Downloaded async-trait v0.1.51
  Downloaded autocfg v1.0.1
  Downloaded mio v0.7.13
  Downloaded pin-utils v0.1.0
  Downloaded itoa v0.4.8
  Downloaded hmac v0.10.1
  Downloaded generic-array v0.14.4
  Downloaded futures-macro v0.3.17
  Downloaded futures v0.3.17
  Downloaded cfg-if v1.0.0
  Downloaded memchr v2.4.1
  Downloaded libc v0.2.103
  Downloaded fallible-iterator v0.2.0
  Downloaded libsodium-sys v0.2.7
  Downloaded bitcoinconsensus v0.19.0-3
   Compiling libc v0.2.103
   Compiling proc-macro2 v1.0.29
   Compiling unicode-xid v0.2.2
   Compiling syn v1.0.77
   Compiling autocfg v1.0.1
   Compiling cc v1.0.70
   Compiling cfg-if v1.0.0
error: failed to run LLVM passes: unknown pass name 'sancov'

error: could not compile `cfg-if` due to previous error
warning: build failed, waiting for other jobs to finish...
error: build failed
Error: Process completed with exit code 101.

OS: Github Actions with ubuntu-latest
rustc version: rustc 1.57.0-nightly (05044c2e6 2021-09-26)
cargo version: cargo 1.57.0-nightly (0121d66aa 2021-09-22).

I think the culprit is the rustc version, I can reproduce locally using rustc 1.57, but everything works correctly when I use rustc 1.53.

Failed to run custom build command on FreeBSD

I hope I'm using this tool right. I followed the instructions as best I could on FreeBSD, though the dependencies listed for Linux don't all have the same names so I can't be sure I installed all of the correct packages.

Command

$ cargo hfuzz run mre
/usr/local/bin/ld.gold
   Compiling semver v1.0.20
   Compiling honggfuzz v0.5.55
   Compiling lazy_static v1.4.0
   Compiling arbitrary v1.3.2
error: failed to run custom build command for `honggfuzz v0.5.55`

Caused by:
  process didn't exit successfully: `/tmp/mre/hfuzz_target/release/build/honggfuzz-58913838721237ff/build-script-build` (exit status: 101)
  --- stderr
  thread 'main' panicked at $HOME/.cargo/registry/src/index.crates.io-6f17d22bba15001f/honggfuzz-0.5.55/build.rs:40:10:
  failed to run "make -C honggfuzz clean": Os { code: 2, kind: NotFound, message: "No such file or directory" }
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...

Click here for RUST_BACKTRACE=full

$ RUST_BACKTRACE=full cargo hfuzz run mre
/usr/local/bin/ld.gold
 Compiling honggfuzz v0.5.55
 Compiling rustc_version v0.4.0
error: failed to run custom build command for `honggfuzz v0.5.55`
note: To improve backtraces for build dependencies, set the CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG=true environment variable to enable debug information generation.

Caused by:
process didn't exit successfully: `/tmp/mre/hfuzz_target/release/build/honggfuzz-a9e34a03b3af2dd5/build-script-build` (exit status: 101)
--- stderr
thread 'main' panicked at $HOME/.cargo/registry/src/index.crates.io-6f17d22bba15001f/honggfuzz-0.5.55/build.rs:40:10:
failed to run "make -C honggfuzz clean": Os { code: 2, kind: NotFound, message: "No such file or directory" }
stack backtrace:
   0:     0x2714a2b503ac - std::backtrace_rs::backtrace::libunwind::trace::h227f5e62bf94ac45
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
   1:     0x2714a2b503ac - std::backtrace_rs::backtrace::trace_unsynchronized::h7da3bf221bb25a09
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x2714a2b503ac - std::sys_common::backtrace::_print_fmt::h0a4842961f78b152
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:67:5
   3:     0x2714a2b503ac - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h8e328eaffb045fb1
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:44:22
   4:     0x2714a2b7395c - core::fmt::rt::Argument::fmt::he393ddbce52f0eff
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/fmt/rt.rs:138:9
   5:     0x2714a2b7395c - core::fmt::write::hc38cbbcb851d00ab
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/fmt/mod.rs:1114:21
   6:     0x2714a2b4da5e - std::io::Write::write_fmt::h2f30843536039d94
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/io/mod.rs:1763:15
   7:     0x2714a2b50184 - std::sys_common::backtrace::_print::he4e7414ad52cd2e8
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:47:5
   8:     0x2714a2b50184 - std::sys_common::backtrace::print::h5eaa9f53ed14896f
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:34:9
   9:     0x2714a2b515c3 - std::panicking::default_hook::{{closure}}::heb333e583b466c51
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:272:22
  10:     0x2714a2b511ea - std::panicking::default_hook::he3bf93b45f0c8bd1
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:292:9
  11:     0x2714a2b51d0d - std::panicking::rust_panic_with_hook::h6af3b63daf6de27e
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:731:13
  12:     0x2714a2b51b11 - std::panicking::begin_panic_handler::{{closure}}::hf3b50bac472dc16f
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:609:13
  13:     0x2714a2b508d6 - std::sys_common::backtrace::__rust_end_short_backtrace::ha47741bb9710fa20
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/sys_common/backtrace.rs:170:18
  14:     0x2714a2b51862 - rust_begin_unwind
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:597:5
  15:     0x2714a2b72ac5 - core::panicking::panic_fmt::h66f296b00047aa1a
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/panicking.rs:72:14
  16:     0x2714a2b72f23 - core::result::unwrap_failed::h202f1f68601af9aa
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/result.rs:1652:5
  17:     0x2714a2b2a61c - core::result::Result<T,E>::expect::hbeaf8084282bbd8e
  18:     0x2714a2b2db33 - build_script_build::main::h8d8ad70cbb5b0a8e
  19:     0x2714a2b2c173 - core::ops::function::FnOnce::call_once::hbcfa998c06284903
  20:     0x2714a2b29846 - std::sys_common::backtrace::__rust_begin_short_backtrace::h6e0688f9eff6d1d5
  21:     0x2714a2b29d39 - std::rt::lang_start::{{closure}}::hdf8f0a5b50c15c52
  22:     0x2714a2b4a49d - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::h8aadaf873acc2c72
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/core/src/ops/function.rs:284:13
  23:     0x2714a2b4a49d - std::panicking::try::do_call::h7bb56876f347c565
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:504:40
  24:     0x2714a2b4a49d - std::panicking::try::h4395597ca10fe0aa
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:468:19
  25:     0x2714a2b4a49d - std::panic::catch_unwind::hfa68bfbf98842f18
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panic.rs:142:14
  26:     0x2714a2b4a49d - std::rt::lang_start_internal::{{closure}}::h9f7924da836d3a43
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/rt.rs:148:48
  27:     0x2714a2b4a49d - std::panicking::try::do_call::h8774a1b80793a52e
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:504:40
  28:     0x2714a2b4a49d - std::panicking::try::hfa967256f930e851
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panicking.rs:468:19
  29:     0x2714a2b4a49d - std::panic::catch_unwind::hd6154a51f87e940a
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/panic.rs:142:14
  30:     0x2714a2b4a49d - std::rt::lang_start_internal::h7670a540de2143b7
                               at /rustc/79e9716c980570bfd1f666e3b16ac583f0168962/library/std/src/rt.rs:148:20
  31:     0x2714a2b29d17 - std::rt::lang_start::h95e510629df386b2
  32:     0x2714a2b2ec35 - main
  33:     0x271cc570dafa - __libc_start1
  34:     0x2714a2b297bd - _start
                               at /usr/src/lib/csu/amd64/crt1_s.S:83
warning: build failed, waiting for other jobs to finish...

Files

Hope it's obvious this is a MRE, and not my actual fuzzing code.

Cargo.toml

[package]
name = "mre"
version = "0.1.0"
edition = "2021"

[dependencies]
honggfuzz = "0.5.55"

main.rs

fn main() {}

linking with `cc` failed: exit code: 1

I want to fuzz my project (developed under rust), but when I run this command cargo hfuzz run myProject. it show following error.
error: linking with cc failed: exit code: 1
note: "cc" "-Wl,--as-needed" "-Wl,-z,noexecstack" "-m64" "-L" "/home/saarshah/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/x86_64-unknown-linux-gnu/lib"
.
.
.
.
undefined reference to '__sanitizer_cov_trace_div4'
collect2: error: ld returned 1 exit status
Any help to how to fuzz my project...

Makefile:103: *** Unsupported MAC OS X version. Stop. (BigSur 11.4)

I've tried running honggfuzz with both the original make that comes with OSX (3.81) and with one installed via homebrew (4.3) - in both cases I get this error:

❯ cargo hfuzz run try-hong
   Compiling honggfuzz v0.5.54
   Compiling arbitrary v1.0.1
   Compiling lazy_static v1.4.0
error: failed to run custom build command for `honggfuzz v0.5.54`

Caused by:
  process didn't exit successfully: `/Users/ilmoi/Downloads/try-hong/hfuzz_target/release/build/honggfuzz-f99475d7c12e0151/build-script-build` (exit code: 101)
  --- stdout
  make: Entering directory '/Users/ilmoi/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.54/honggfuzz'
  make: Leaving directory '/Users/ilmoi/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.54/honggfuzz'

  --- stderr
  Makefile:103: *** Unsupported MAC OS X version.  Stop.
  thread 'main' panicked at 'assertion failed: status.success()', /Users/ilmoi/.cargo/registry/src/github.com-1ecc6299db9ec823/honggfuzz-0.5.54/build.rs:41:5
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...
error: build failed

The advice here didn't help and I'm not finding anything useful on google.

Is there anything else I can try and do?

I'm on Big Sur 11.4

Starving on crash (subproc_checkTimeLimit():522 pid=XXX has already been signaled due to timeout. Killing it with SIGKILL)

Hello!

I'm currently trying to use honggfuzz for fuzzing a network interface using persistent fuzzing.

Here is my harness as of now (link refer to a specific commit): https://github.com/Devolutions/devolutions-gateway/blob/bf66f15933d9571574f2db8e65fd1c1019025551/fuzz/server/fuzz_targets/listeners_raw.rs

use honggfuzz::fuzz;
use server_fuzz::init;
use server_fuzz::oracles::raw::fuzz_listener;

fn main() {
    let rt = tokio::runtime::Builder::new_current_thread()
        .enable_all()
        .build()
        .unwrap();

    let listeners = rt.block_on(init());

    // At this point, sockets are binded and we can send data safely

    loop {
        fuzz!(|data: &[u8]| {
            for l in &listeners {
                fuzz_listener(data, l.addr().port());
                let _ = rt.block_on(l.handle_one());
            }
        })
    }
}

Note: the issue is the same regardless of the kind of tokio runtime used (new_current_thread() and new_multi_thread() both triggers the same behavior).

I'm running the fuzzing procedure with the following command:

$ RUSTFLAGS="-Z new-llvm-pass-manager=no -Z sanitizer=address" HFUZZ_RUN_ARGS="-t 10 -n 4 --tmout_sigvtalrm" cargo +nightly hfuzz run listeners_raw

-Z new-llvm-pass-manager=no is because of #61

I introduced a panic when receiving specific pattern of bytes on the listener side just to test out. This cause the program to crash quick enough:

Sz:1566 Tm:252us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/17
Sz:268 Tm:425us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/3
Sz:264 Tm:2,827us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/29
 rash (dup): 'hfuzz_workspace/listeners_raw/SIGABRT.PC.7ffff794b24c.STACK.f05f9f061.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz' already exists, skipping
Sz:266 Tm:374us (i/b/h/e/p/c) New:0/0/0/3/0/4, Cur:0/0/0/3/0/2
Sz:452 Tm:918us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/12
Crash (dup): 'hfuzz_workspace/listeners_raw/SIGABRT.PC.7ffff794b24c.STACK.f05f9f061.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz' already exists, skipping
Crash (dup): 'hfuzz_workspace/listeners_raw/SIGABRT.PC.7ffff794b24c.STACK.f05f9f061.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz' already exists, skipping
Sz:271 Tm:516us (i/b/h/e/p/c) New:0/0/0/1/0/59, Cur:0/0/0/3/0/13
 z:5026 Tm:346us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/1
Sz:78 Tm:543us (i/b/h/e/p/c) New:0/0/0/2/0/19, Cur:0/0/0/2/0/23
Sz:149 Tm:401us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/1
Sz:269 Tm:1,005us (i/b/h/e/p/c) New:0/0/0/0/0/4, Cur:0/0/0/0/0/11
Sz:372 Tm:665us (i/b/h/e/p/c) New:0/0/0/0/0/3, Cur:0/0/0/0/0/38
Sz:156 Tm:547us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/16
 z:8192 Tm:568us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/9
Sz:129 Tm:559us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/5
Sz:279 Tm:510us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/16
Sz:264 Tm:548us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/51
Sz:387 Tm:591us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/5
Sz:164 Tm:470us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/16
Sz:582 Tm:485us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/5
 z:378 Tm:508us (i/b/h/e/p/c) New:0/0/0/1/0/0, Cur:0/0/0/1/0/8
Sz:82 Tm:315us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/12
Sz:273 Tm:654us (i/b/h/e/p/c) New:0/0/0/0/0/2, Cur:0/0/0/0/0/16
Sz:164 Tm:643us (i/b/h/e/p/c) New:0/0/0/0/0/1, Cur:0/0/0/0/0/16
Sz:136 Tm:573us (i/b/h/e/p/c) New:0/0/0/0/0/3, Cur:0/0/0/0/0/7
Crash (dup): 'hfuzz_workspace/listeners_raw/SIGABRT.PC.7ffff794b24c.STACK.f05f9f061.CODE.-6.ADDR.0.INSTR.mov____%eax,%ebp.fuzz' already exists, skipping
 2022-01-11T11:51:04-0500][W][41564] subproc_checkTimeLimit():529 pid=41571 took too much time (limit 10 s). Killing it with SIGVTALRM
[2022-01-11T11:51:04-0500][W][41565] subproc_checkTimeLimit():529 pid=41570 took too much time (limit 10 s). Killing it with SIGVTALRM
[2022-01-11T11:51:04-0500][W][41563] subproc_checkTimeLimit():529 pid=41568 took too much time (limit 10 s). Killing it with SIGVTALRM
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
 2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41563] subproc_checkTimeLimit():522 pid=41568 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
 2022-01-11T11:51:05-0500][W][41563] subproc_checkTimeLimit():522 pid=41568 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41563] subproc_checkTimeLimit():522 pid=41568 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41564] subproc_checkTimeLimit():522 pid=41571 has already been signaled due to timeout. Killing it with SIGKILL
[2022-01-11T11:51:05-0500][W][41565] subproc_checkTimeLimit():522 pid=41570 has already been signaled due to timeout. Killing it with SIGKILL
…-- continue --…

However, it appears the crashed threads are not able to continue fuzzing and I get the warning above ad vitam aeternam, and no progress can be made anymore. The behavior is the same regardless of --tmout_sigvtalrm.

Termination issues since update to 0.5.41

Since updating to version 0.5.41, we see termination failures like

Size:407 (i,b,hw,edge,ip,cmp): 0/0/0/3/0/1, Tot:0/0/0/8005/15/167155
Entering phase 2/2: Dynamic Main
Size:788 (i,b,hw,edge,ip,cmp): 0/0/0/0/0/3, Tot:0/0/0/8005/15/167158
Terminating thread no. #0, left: 3
Terminating thread no. #2, left: 1
[2019-02-18T13:16:27+0000][W][14] main():254 pthread_kill(thread=0, SIGUSR1): Interrupted system call
[2019-02-18T13:16:27+0000][W][14] main():254 pthread_kill(thread=2, SIGUSR1): Interrupted system call
Terminating forcefully

repeatedly in our CI. We don't think that anything changed on the host that runs the fuzzing job but more importantly we are not sure where to start investigating. Any ideas what could have caused this?

Update to 2.0

I tried to update honggfuzz-rs to use google/honggfuzz@d1de86d (2.0) today, but the linking fails when it tries to build the hfuzz binary for the example.

The main goal was to get #26 running using --minimize, but the weird part is, that even when I comment out the example part from test.sh, running hfuzz afterwards still doesn't know the parameter. So either I'm doing something wrong or it's just building the wrong version.

Either way, I'm opening this issue in the hopes that this project is not dead and someone more qualified like me can resolve this. I tried afl, and honestly it kind of sucks because it's not multi-threaded, so you'd need to keep several instances open. Same goes for cargo-fuzz, which uses libFuzzer - it's better but not reliable as the forking option is experimental and can sometimes not close correctly if you just want it running while collecting crash files (instead of instantly stopping as soon as a crash occured).

All in all, honggfuzz, and with it, this project, is my absolute favourite, and I hope someone takes the time to update it.

rust-fuzz / honggfuzz-rs Goto Github PK

honggfuzz-rs's People

Contributors

Stargazers

Watchers

Forkers

honggfuzz-rs's Issues

Command

Files

Cargo.toml

main.rs

Meta

Recommend Projects

Recommend Topics

Recommend Org