qemu-devel

Re: About libfuzzer in qemu


From: Alexander Bulekov
Subject: Re: About libfuzzer in qemu
Date: Thu, 4 Mar 2021 10:23:26 -0500

On 210304 1843, Yan Zhiqiang wrote:
> Hello Alex,
> I'm learning about fuzzing in QEMU recently; I reviewed the fuzz code under
> /tests/qtest/fuzz which was written by you.
> I learned a lot from it, but I got stuck when I wanted to debug the fuzz code.
> I use gdb with the command as follows:
> 
> >  gdb -q --args ./qemu-fuzz-i386 --fuzz-target=generic-fuzz-virtio-vga
> > ./fuzz-output
> 
> and set a breakpoint at generic_fuzz.c:generic_fuzz.
> It actually stops when it hits the breakpoint. But the function argument Size
> is zero and then it goes to _Exit(0). (Tried many times but always the same.)

Hi Zhiqiang,
Happy to have more people look at the fuzzing code.
We run each input in a forked process. Maybe you need to run 
"set follow-fork-mode child" in gdb?

> Then input `c` to continue.
> However, it never hits the breakpoint after that. Just as the picture showed.
> [image: 1614854239086.jpg]
> I tried the qtest debug method, but failed.
> I want to know the real process state to learn the QEMU fuzz and add a new
> fuzzer for QEMU.
> Could you tell me what's the right method to debug the fuzz code? Thank you!

For debugging crashes, I usually build QEMU with --enable-sanitizers
(ASAN), and I convert the crash to a "QTest" reproducer, so it can be
debugged in a normal build of qemu. There's an RFC that has instructions
for how to do this:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06035.html

Let me know if I can provide any more info.
-Alex

> 
> Regards,
> Zhiqiang Yan
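The gdb setup Alex describes above, as an added example that is not part of the original thread or of QEMU's own scripts: a small POSIX shell helper that writes a gdb command file which follows the forked child (where each fuzz input actually runs) and breaks at the fuzz entry point. The fuzzer binary path, the output directory and the `generic-fuzz-virtio-vga` target are taken from the question as placeholders; `generic_fuzz` and its `Size` argument are the names used in the question. Everything else is standard gdb.

```shell
#!/bin/sh
# Added example (not from the original thread): debugging a QEMU fuzz
# target that executes each input in a forked child.
#
# Without "set follow-fork-mode child", gdb stays attached to the parent
# after fork(), so a breakpoint in the child is never reported.

# write_fuzz_gdb_script OUTFILE [BREAKPOINT]
# Writes a gdb command file and prints its path.
write_fuzz_gdb_script() {
    outfile=$1
    bp=${2:-generic_fuzz}
    cat > "$outfile" <<EOF
# Follow the forked child in which the input is executed.
set follow-fork-mode child
# Keep the parent as a stopped inferior instead of detaching it, so
# "inferior 1" can switch back to it later (optional).
set detach-on-fork off
# Stop when the child reaches the fuzz entry point.
break $bp
# On every hit, show the input length and a short backtrace. A Size of 0
# here just means an empty input was handed in; keep continuing.
commands
  print Size
  bt 5
end
# Arguments come from "gdb --args ..." on the command line.
run
EOF
    echo "$outfile"
}

# Usage (paths are placeholders): only launch gdb if the fuzzer binary
# actually exists, so the script can be sourced or run on any machine.
if [ -x ./qemu-fuzz-i386 ]; then
    script=$(write_fuzz_gdb_script ./fuzz-gdb.cmds)
    gdb -q -x "$script" --args ./qemu-fuzz-i386 \
        --fuzz-target=generic-fuzz-virtio-vga ./fuzz-output
fi
```

Pass a single crash file instead of the `./fuzz-output` corpus directory to replay just that input under the same settings; for non-interactive use, `-batch` can be added to the gdb invocation so the backtrace is printed and gdb exits.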
