AFL dynamic allocation #11877
AFL dynamic allocation #11877
Conversation
Ensures that trunk compiles again in -with-afl mode.
There was a problem hiding this comment.
The original bug in #10107 was running tests/flambda/afl_lazy.ml in flambda mode on Windows, which is a mode not covered by CI testing at the moment, sadly. The dummy caml_setup_afl also needs to allocate the buffer and I think it's worth hardening caml_reset_afl_instrumentation, given that all this began with an "unexpected" configuration!
xavierleroy
force-pushed
the
afl-dynamic-allocation
branch
from
839ef9f
to
84792cd
Compare
|
I've checked and |
|
Looking at the |
|
Thanks for the ping. I'm looking at it now. I'm getting a test failure locally which I'm investigating. |
There was a problem hiding this comment.
OK, I've now had a look at this.
On my Linux box by default systemd is set up to handle crashes - rather than do a good old core dump. AFL detects that and fails early, which caused the test to fail for me:
https://github.com/google/AFL/blob/61037103ae3722c8060ff7082994836a794f978e/afl-fuzz.c#L7326-L7347
I therefore needed to make the following change to get things running again:
index bb4329abd..29140fdb0 100755
--- a/testsuite/tests/afl-instrumentation/afl-fuzz-test.run
+++ b/testsuite/tests/afl-instrumentation/afl-fuzz-test.run
@@ -5,7 +5,7 @@ exec > ${output} 2>&1
mkdir readline-input
echo a > readline-input/testcase
-export AFL_SKIP_CPUFREQ=1 AFL_FAST_CAL=1 AFL_NO_UI=1 AFL_BENCH_UNTIL_CRASH=1
+export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_SKIP_CPUFREQ=1 AFL_FAST_CAL=1 AFL_NO_UI=1 AFL_BENCH_UNTIL_CRASH=1
timeout 10s afl-fuzz -m none -i readline-input -o readline-output ./readline > afl-output
if [ `grep "unique_crashes" readline-output/fuzzer_stats | cut -d ':' -f 2` -gt 0 ];The environment variable AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES is not well documented, but I note that AFL has used it in its own CI tests.
With that in place the tests run smoothly for me.
Overall the code looks good to me. I'm wondering about potentially needless dynamic allocations in the non-AFL mode when there are multiple instrumented modules (commented inline above).
@Octachron Which version of afl are you using? I'm on 2.52b here (installed via opam) but I see unique_crashes is output in 2.57b too:
https://github.com/google/AFL/blob/master/afl-fuzz.c#L3470
runtime/afl.c
Outdated
| { | ||
| /* AFL is not supported, but we still need to allocate space for the bitmap | ||
| (the instrumented OCaml code will write into it). */ | ||
| caml_afl_area_ptr = caml_stat_alloc(INITIAL_AFL_AREA_SIZE); |
There was a problem hiding this comment.
Does this allocate for each of the instrumented modules, but only save the last one into the global pointer?
If so, we might consider guarding like the AFL case below in lines 90-91:
https://github.com/xavierleroy/ocaml/blob/84792cd3de00a07c0c555cfed45e2199f6d92cd9/runtime/afl.c#L90-L91
There was a problem hiding this comment.
Indeed - the afl_initialised static from the other half also wants to be made common
There was a problem hiding this comment.
You're right, the allocation and initialization should be done once per program, not once per instrumented module. I just pushed a fix, using caml_afl_area_ptr != NULL to detect previous initialization.
|
Ah, I was using |
To be fair, the original author is no longer maintaining |
Instrumented code produced by `ocamlopt -afl-instrument` but not run under AFL needs a 64 k dummy buffer at run-time. Before, this buffer was allocated statically, and therefore present in all ocamlopt-generated executables, whether compiled with `-afl-instrument` or without, whether AFL was selected at configuration-time or not. This commit implements dynamic allocation of the AFL buffer the first time an AFL-instrumented module runs its initialization code. It is based on the proposal at ocaml#10167 and its discussion. Fixes: ocaml#10117 Closes: ocaml#10167
xavierleroy
force-pushed
the
afl-dynamic-allocation
branch
from
84792cd
to
55685d1
Compare
|
Re: testing, I was using |
|
LGTM |
| (the instrumented OCaml code will write into it). */ | ||
| if (caml_afl_area_ptr == NULL) { | ||
| caml_afl_area_ptr = caml_stat_alloc(INITIAL_AFL_AREA_SIZE); | ||
| memset(caml_afl_area_ptr, 0, INITIAL_AFL_AREA_SIZE); |
There was a problem hiding this comment.
Just an aside while looking over this PR: it might be useful to have a caml_stat_calloc call in the runtime that uses calloc() instead of malloc(); memset(). We only have caml_stat_calloc_noexc which wouldn't be much of a saving here, and it just uses memset() under the hood anyway.
The friendly bot reminded me to submit this code as a PR.
Instrumented code produced by
ocamlopt -afl-instrumentbut not run under AFL needs a 64 k dummy buffer at run-time. Currently, this buffer is allocated statically, and therefore present in all ocamlopt-generated executables, whether compiled with-afl-instrumentor without, whether AFL was selected at configuration-time or not. That's a bit of a waste.This PR implements dynamic allocation of the AFL buffer when an AFL-instrumented executable starts. It is based on the proposal at #10167 and its discussion. It also un-breaks the build when configured with
-with-afl.The tests in
testsuite/tests/afl-instrumentationfail on my machine, both with and without this PR, both on trunk and on 5.0 and on 4.14. So, that's probably a problem with my installation of AFL tools. Yet, if @jmid (the author of the 5.0 tests) could have a look at this PR, I would feel reassured.Fixes: #10117
Closes: #10167