Why dry run crashes are regarded as a normal queue corpus?

[junwha0511]

Hi all,

I'm experimenting one of the oss-fuzz application on my local machine,
and observed that AFLplusplus doesn't categorize the crashes from dry run as a crash.

and it is just regarded as one of queue corpus.

I think this is problematic for automatic cluster fuzzing platforms(e.g. oss-fuzz, clusterfuzz).
After the deployment of each application, oss-fuzz will re-run this application with the same input corpora, but with the different code. and some of this input can be result in crash.
however, with current strategy of perform_dry_run, AFL++ can not report this new bug from dry run to ossfuzz.

Is there any features that are already implemented for this issue or something I missed?

Thank you.

[vanhauser-thc]

the reasoning behind is that what is in a corpus is considered a known crash and the goal of fuzzing is to find new/unknown crashes
usually you would collect seeds, run afl-cmin to remove duplicates, and in this process the crashes are already detected but also removed.

what use would there be to have a crash in the starting seeds?

[junwha0511]

I see. but I think just considering the seed result in crash as known crash is not working well with oss-fuzz pipeline.
If I understood correctly, oss-fuzz re-run the fuzzers based on its previous seeds if the new version of a project is deployed.
but in here, we are using the different source code, thus fuzzer can be crashed with some of the seeds which didn't result in crash with the previous version of the source code. in other words, the project could introduce new bugs that can be triggered by seeds. isn't it?

[vanhauser-thc]

afaik oss-fuzz tests the corpus directory for the crashes so also the queue directory, and the crash will be part of the queue (just not being picked for fuzzing). or does oss-fuzz do that differently?
imho is that a thing in oss-fuzz to take care of, not afl-fuzz

[junwha0511]

Thank you for the information.

https://github.com/google/clusterfuzz/blob/eddca92265eb201bc3fb70062e9310960113c714/src/clusterfuzz/_internal/bot/fuzzers/afl/launcher.py#L911C24-L911C43
I think this is the feature that clusterfuzz recognizes the crashes from the input.

But still, I think it will be good to provide the mode which can categorize the crashes among the input(seeds) as new crash. (e.g. AFL_CRASH_ON_SEED_AS_KNOWN_CRASH=0)

How do you think about this feature? if you think it's not bad, I'd like to work on this one.

[vanhauser-thc]

cannot hurt. but please make it AFL_CRASHING_SEEDS_AS_NEW_CRASH=1