
Re: About libfuzzer in qemu


From: Alexander Bulekov
Subject: Re: About libfuzzer in qemu
Date: Fri, 5 Mar 2021 09:48:11 -0500

On 210305 1551, Qiuhao Li wrote:
> On Thu, 2021-03-04 at 10:23 -0500, Alexander Bulekov wrote:
> > On 210304 1843, Yan Zhiqiang wrote:
> > > Hello Alex,
> > > I've been learning about fuzzing in QEMU recently, and I reviewed the
> > > fuzz code under /tests/qtest/fuzz which was written by you.
> > > I learned a lot from it, but I got stuck when I wanted to debug the
> > > fuzz code.
> > > I use gdb with the following command:
> > > 
> > > >  gdb -q --args ./qemu-fuzz-i386 --fuzz-target=generic-fuzz-virtio-vga ./fuzz-output
> > > 
> > > and set a breakpoint at generic_fuzz.c:generic_fuzz.
> > > It actually stops when it hits the breakpoint. But the function
> > > argument Size is zero and then it goes to _Exit(0). (Tried many
> > > times, but it is always the same.)
> > 
> > Hi Zhiqiang,
> > Happy to have more people look at the fuzzing code.
> > We run each input in a forked process. Maybe you need to run 
> > "set follow-fork-mode child" in gdb?
> 
> Hi Alex,
> 
> Just curious why you choose to use the libfuzzer at first instead of
> AFL and its descendants like AFL++ since they use a forkserver by
> design, and the performance also seems better [1].
> 
> [1] https://www.fuzzbench.com/reports/2021-02-13-paper/index.html

Hi Qiuhao,
It was a primary goal to run the fuzzers on OSS-Fuzz, and at the time,
AFL++ was not an option on OSS-Fuzz. Because I didn't find any great
way to reset QEMU between inputs, we hacked in a forkserver.
It still seems that OSS-Fuzz is primarily designed around libfuzzer, but
now that there seems to be AFL++ support, it would be nice to start
using AFL++ as well. I just haven't had the time to look into it ;)

I've seen the FuzzBench results; it will be interesting to see the
performance for an enormous target like QEMU. There are also some things
that AFL++ doesn't do as well as libfuzzer; some examples here:
https://github.com/AFLplusplus/fuzzer-challenges/tree/main/libfuzzer

-Alex

> 
> Thank you.
>   Qiuhao Li
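
The fork-per-input scheme Alex describes above (each input runs in a forked child so that whatever state it dirties dies with the child, and the parent only classifies the child's exit), as an added example that is not QEMU's own harness code. The names `device_state`, `target_one_input`, `run_input_forked` and `parent_device_state` are hypothetical, the inputs are constructed, and the "crash" is simulated with `abort()` on a constructed `BOOM` marker purely so the signal-classification path has something to report. It also shows why Zhiqiang's gdb session never sees the real input: with gdb's default `follow-fork-mode parent` (and `detach-on-fork on`), a breakpoint inside `target_one_input` fires only in the child, which gdb does not follow.

```c
/* Minimal fork-per-input harness (added example, not QEMU code). */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for emulated device state that an input can dirty. */
static int device_state = 0;

/* Hypothetical target. Any input mutates the "device"; without forking that
 * mutation would leak into the next run and make results depend on input
 * order. The constructed "BOOM" marker simulates a crash via abort(). */
static void target_one_input(const uint8_t *data, size_t size)
{
    device_state += (int)size;
    if (size >= 4 && memcmp(data, "BOOM", 4) == 0) {
        abort();
    }
}

/* Run one input in a forked child.
 * Returns 0 for a clean exit, the child's exit code if it exited non-zero,
 * the negated signal number if the child was killed (-SIGABRT for abort()),
 * or -1 if the harness itself failed.
 * A debugger attached to this process stays with the parent by default;
 * "set follow-fork-mode child" is what makes it stop inside the child. */
static int run_input_forked(const uint8_t *data, size_t size)
{
    /* Flush before fork so buffered stdout is not duplicated by the child. */
    fflush(stdout);
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        target_one_input(data, size);
        /* _exit, not exit: skip atexit handlers and stdio teardown that
         * belong to the parent's process image. */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) {
        return -1;
    }
    if (WIFSIGNALED(status)) {
        return -WTERMSIG(status);
    }
    return WEXITSTATUS(status);
}

/* Parent-side view of the state, to confirm the child's mutations never
 * reach the parent. */
static int parent_device_state(void)
{
    return device_state;
}

int main(void)
{
    const uint8_t benign[] = "hello"; /* constructed input */
    const uint8_t crash[]  = "BOOM!"; /* constructed input */
    int r1 = run_input_forked(benign, sizeof benign - 1);
    printf("benign -> %d, parent state=%d\n", r1, parent_device_state());
    int r2 = run_input_forked(crash, sizeof crash - 1);
    printf("crash  -> %d, parent state=%d\n", r2, parent_device_state());
    return 0;
}
```

Running it prints a clean result for the benign input and `-6` (SIGABRT on Linux) for the crashing one, while the parent's `device_state` stays at 0 both times: that reset-for-free is exactly what the fork trick buys, and it is the same reason a breakpoint that only triggers in the child is invisible until gdb is told to follow the child.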