rust-fuzz / afl.rs Goto Github PK

View Code? Open in Web Editor NEW

1.6K 31.0 105.0 7.47 MB

🐇 Fuzzing Rust code with American Fuzzy Lop

Home Page: https://rust-fuzz.github.io/book/afl.html

License: Apache License 2.0

Rust 99.53% Shell 0.47%

rust fuzz-testing afl fuzzing

afl.rs's People

Contributors

Stargazers

Watchers

Forkers

ruuda johnjohnsp1 zhuyue1314 tbg alex keruspe ihrwein hulunbier shekkbuilder security-geeks simple555a captheflag repos-rust majinxin2003 syntox chenouyu09 windli4367 fatgrass manuels splagoon idkwim kenofyugen chubbymaggie alanhdu u0xee jonil behnam fauxfaux brownbelt fuzzamos animeshbchowdhury cwtsing paulgrandperrin whiten1ght szennou trietptm-on-coding-algorithms kodraus aaron1011 singingtree liumuqing cheme pedrocr dingelish blt modulexcite richo gedigi julianvolodia divergentdave pentest-tools 5l1v3r1 srikwit binarybana xiaochencui chengniansun ralpha andreafioraldi microsvuln rttlico sirmc luro02 xampprocky mtrnord adomore taiki-e charlesxsh smoelius isgasho andrewpedia icodein ajunlonglive standardgalactic parkmycar cndigital disconnect3d playfloor valera-datasakura ahmedsakrr kianmeng paulusakomivn vkleen romarioext anfedotoff fornwall lincolnphu lrubasze dtolnay-contrib kveinaxel louismerlin mardcelo pczarn vanhauser-thc vschwaberow gmh5225 v0idmatr1x ofeni89 dimied legendsaber patriciobcs alisabunina

afl.rs's Issues

When running alf.rs using a Rust project build using cargo build I get 1600 execs / second. If I do cargo build --release I get around 1900 execs / second. Maybe we should be recommending --release?

Think about how to make afl-sys bindings that spawn a new Process for each AFL command

e.g. afl_sys::fuzz(..) should return a Process

Right now, I'm thinking we'll need to generate a binary for each AFL command we want to support, then have the lib call each binary in a Command. I need to find a way for a library to get the path for dependent binaries.

link broken in README.md

... Documentation for afl.rs can be found here:
https://frewsxcv.github.io/afl.rs/
== 404

Maybe change the URL to:
https://github.com/rust-fuzz/afl.rs/tree/master/docs/src

Compile failure

When I try to compile the 'regex-afl' crate in https://github.com/SeanRBurton/regex/tree/afl, I get the following error:

/home/usr/documents/regex/src/lib.rs:453:42: 453:52 error: /home/usr/documents/regex/regex-afl/target/debug/deps/libafl_plugin-86c859d7ecd403fc.so: undefined symbol: _ZNK4llvm10ModulePass17createPrinterPassERNS_11raw_ostreamERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE /home/sean/usr/documents/regex/src/lib.rs:453 #![cfg_attr(feature = "afl-fuzz", plugin(afl_plugin))]

Can you please help me debug this?

Track RFC 1513 (stabilizing 'no-landing-pads')

https://github.com/rust-lang/rfcs/blob/master/text/1513-less-unwinding.md

Since the documentation for afl.rs recommends -Z no-landing-pads, which is basically deprecated now

[question] Is this compilation failure due to the docker image's older rustc? Any way to update it?

First off, thanks in advance for your time, and thanks for making afl.rs :)

When I try to use afl.rs with my C++ symbol demangling crate, which depends on error-chain, I get the following errors. I assume these are becauses error-chain depends on a newer rustc than the one bundled; is there a way to use a newer rustc with afl.rs?

My normal rustc version (with which I can compile error-chain and my crate):

$ rustc --version
rustc 1.16.0-nightly (47c8d9fdc 2017-01-08)

The rustc in the docker image:

# rustc --version
rustc 1.11.0-nightly (01411937f 2016-07-01)

The logs when attempting to compile my crate and error-chain inside the docker image:

# cargo build --features fuzz
    Updating registry `https://github.com/rust-lang/crates.io-index`
 Downloading afl v0.1.5
 Downloading afl-plugin v0.1.5
 Downloading error-chain v0.7.1
 Downloading afl-sys v0.1.5
 Downloading libc v0.2.18
 Downloading gcc v0.3.39
 Downloading quale v1.0.0
 Downloading backtrace v0.3.0
 Downloading winapi v0.2.8
 Downloading dbghelp-sys v0.2.0
 Downloading backtrace-sys v0.1.5
 Downloading kernel32-sys v0.2.2
 Downloading cfg-if v0.1.0
 Downloading rustc-demangle v0.1.3
 Downloading winapi-build v0.1.1
   Compiling winapi v0.2.8
   Compiling cfg-if v0.1.0
   Compiling gcc v0.3.39
   Compiling winapi-build v0.1.1
   Compiling backtrace v0.3.0
   Compiling kernel32-sys v0.2.2
   Compiling libc v0.2.18
   Compiling rustc-demangle v0.1.3
   Compiling dbghelp-sys v0.2.0
   Compiling afl v0.1.5
   Compiling afl-sys v0.1.5
   Compiling quale v1.0.0
   Compiling backtrace-sys v0.1.5
   Compiling afl-plugin v0.1.5
   Compiling error-chain v0.7.1
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:419:9: 419:38 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:419         #[cfg(feature = "backtrace")]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:419:9: 419:38 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:424:9: 424:43 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:424         #[cfg(not(feature = "backtrace"))]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:424:9: 424:43 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:435:9: 435:38 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:435         #[cfg(feature = "backtrace")]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:435:9: 435:38 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:444:9: 444:43 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:444         #[cfg(not(feature = "backtrace"))]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:444:9: 444:43 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:454:9: 454:38 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:454         #[cfg(feature = "backtrace")]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:454:9: 454:38 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:456:9: 456:43 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:456         #[cfg(not(feature = "backtrace"))]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:456:9: 456:43 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:364:20: 364:34 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:364                 $( #[$meta_links] )*
                                                                                                                  ^~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:81:13: 83:81 note: in this expansion of impl_extract_backtrace! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:24:9: 30:10 note: in this expansion of error_chain_processed! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:9:9: 14:10 note: in this expansion of error_chain_processed! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:325:9: 330:10 note: in this expansion of error_chain_processed! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:319:9: 322:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:309:9: 312:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:299:9: 302:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:339:9: 342:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/example_generated.rs:27:1: 38:2 note: in this expansion of error_chain! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:364:20: 364:34 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
error: aborting due to 7 previous errors
Build failed, waiting for other jobs to finish...
error: Could not compile `error-chain`.

To learn more, run the command again with --verbose.
#

Update rust toolchain in docker image

Hi,

I've been trying to fuzz a library which has a dependency on a git repository with workspaces. This is not supported with 1.11 that is currently used in the image. It fails with:

  no `package` or `project` section found.

I think this has been fixed in later cargo versions (rust-lang/cargo#2938), would it be possible to upgrade the docker image with a newer rust toolchain?

Thanks!

Incorporate Cargo workspaces

`export PATH` in Vagrantfile is incorrect

Replace static image in README with animated image

Because gifs are great. Shouldn't be hard. Just make sure it doesn't take too long to load.

Check for llvm-config-3.8 in addition to llvm-config in path

Enable testing for afl-sys crate

https://github.com/frewsxcv/afl.rs/blob/master/afl-sys/fuzz.rs#L65-L74

Need to figure out a way to make this not run forevevr

Consider 'docker run' command that retrieves pre-bootstrapped Rustc + AFL

Bump clap-rs whenever a new version gets published to fix the --help issue

clap-rs/clap#1112

clap-rs/clap#1113

afl.rs/src/bin/cargo-afl.rs

Line 49 in c9537ea

 .arg(clap::Arg::with_name("help").long("help").help("known bug! rewrite as '-- --help' to see AFL help")) 

SIGSEGV compiling afl-coverage for `examples/hello.rs`

@bb80fc56f5ba096406c61f1790886d8edce878c9, $(which rustc) == /Users/tschottdorf/rust/rust/x86_64-apple-darwin/stage2/bin/rustc @ 1.0.0-beta-6833-g079f384:

$ cargo build --example hello --verbose
       Fresh gcc v0.3.19
       Fresh byteorder v0.3.13
   Compiling afl-coverage v0.0.1 (file:///Users/tschottdorf/rust/afl.rs)
     Running `/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/build-script-build`
       Fresh afl-coverage-plugin v0.0.1 (file:///Users/tschottdorf/rust/afl.rs)
     Running `rustc src/lib.rs --crate-name afl_coverage --crate-type lib -g --out-dir /Users/tschottdorf/rust/afl.rs/target/debug --emit=dep-info,link -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug/deps -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -l static=afl-llvm-rt`
     Running `rustc examples/hello.rs --crate-name hello --crate-type bin -g --out-dir /Users/tschottdorf/rust/afl.rs/target/debug/examples --emit=dep-info,link -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug/deps --extern byteorder=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libbyteorder-3e27c88aa235985f.rlib --extern afl_coverage_plugin=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libafl_coverage_plugin-a9b7f43301ffb1fc.dylib --extern afl_coverage=/Users/tschottdorf/rust/afl.rs/target/debug/libafl_coverage.rlib -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out`
afl-llvm-pass 1.77b by <[email protected]>
Could not compile `afl-coverage`.

Caused by:
  Process didn't exit successfully: `rustc examples/hello.rs --crate-name hello --crate-type bin -g --out-dir /Users/tschottdorf/rust/afl.rs/target/debug/examples --emit=dep-info,link -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug/deps --extern byteorder=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libbyteorder-3e27c88aa235985f.rlib --extern afl_coverage_plugin=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libafl_coverage_plugin-a9b7f43301ffb1fc.dylib --extern afl_coverage=/Users/tschottdorf/rust/afl.rs/target/debug/libafl_coverage.rlib -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out` (signal: 11)

I've tried lldb to get more info about the segfault as in #11 but I can't just re-run the failing command (it needs the right env, I think) and wasn't versed enough to get lldb to attach to the forked child in cargo build. Pointers appreciated.

Automate mdbook deployment to gh-pages

Comparison between signed and unsigned integer warning, results in error.

While following the steps in the tutorial, when attempting cargo build I get the following:

$ cargo build
   Compiling afl v0.1.4
   Compiling afl-sys v0.1.4
   Compiling afl-plugin v0.1.4
error: failed to run custom build command for `afl-plugin v0.1.4`
process didn't exit successfully: `/home/ken/Desktop/afl-test/rust-url/target/debug/build/afl-plugin-62cbc3ca789f3664/build-script-build` (exit code: 101)
--- stdout
TARGET = Some("i686-unknown-linux-gnu")
PROFILE = Some("debug")
TARGET = Some("i686-unknown-linux-gnu")
debug=true opt-level=2
HOST = Some("i686-unknown-linux-gnu")
TARGET = Some("i686-unknown-linux-gnu")
TARGET = Some("i686-unknown-linux-gnu")
HOST = Some("i686-unknown-linux-gnu")
CXX_i686-unknown-linux-gnu = None
CXX_i686_unknown_linux_gnu = None
HOST_CXX = None
CXX = None
HOST = Some("i686-unknown-linux-gnu")
TARGET = Some("i686-unknown-linux-gnu")
HOST = Some("i686-unknown-linux-gnu")
CXXFLAGS_i686-unknown-linux-gnu = None
CXXFLAGS_i686_unknown_linux_gnu = None
HOST_CXXFLAGS = None
CXXFLAGS = None
running: "c++" "-O2" "-ffunction-sections" "-fdata-sections" "-g" "-m32" "-march=i686" "-fPIC" "-Wall" "-Werror" "-fno-rtti" "-c" "-I/usr/include" "-march=i686" "-mtune=generic" "-O2" "-pipe" "-fstack-protector-strong" "-fPIC" "-fvisibility-inlines-hidden" "-Wall" "-W" "-Wno-unused-parameter" "-Wwrite-strings" "-Wcast-qual" "-Wno-missing-field-initializers" "-pedantic" "-Wno-long-long" "-Wno-maybe-uninitialized" "-Wdelete-non-virtual-dtor" "-Wno-comment" "-std=c++11" "-ffunction-sections" "-fdata-sections" "-O3" "-DNDEBUG" "-fno-exceptions" "-D_GNU_SOURCE" "-D__STDC_CONSTANT_MACROS" "-D__STDC_FORMAT_MACROS" "-D__STDC_LIMIT_MACROS" "-o" "/home/ken/Desktop/afl-test/rust-url/target/debug/build/afl-plugin-62cbc3ca789f3664/out/afl-llvm-pass.so.o" "-c" "afl-llvm-pass.so.cc"
cargo:warning=afl-llvm-pass.so.cc: In member function ‘virtual bool {anonymous}::AFLCoverage::runOnModule(llvm::Module&)’:
cargo:warning=afl-llvm-pass.so.cc:113:28: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
cargo:warning=       if ((random() % 100) >= inst_ratio) continue;
cargo:warning=           ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~
cargo:warning=cc1plus: all warnings being treated as errors
ExitStatus(ExitStatus(256))


command did not execute successfully, got: exit code: 1



--- stderr
thread 'main' panicked at 'explicit panic', /home/ken/.cargo/registry/src/github.com-1ecc6299db9ec823/gcc-0.3.37/src/lib.rs:952
note: Run with `RUST_BACKTRACE=1` for a backtrace.

While it could be possible to override -Werror=sign-compare, isn't it better to fix the comparison in the source file?
Please correct me me if I am wrong here.

EDIT:
Just found out about #37. Isn't the fix included in 0.1.4?

serde_derive dependencies break afl build

Whenever I try to fuzz a library that has serde_derive as a dependency, I get this error message:

error: the linked panic runtime 'panic_unwind' is not compiled with this crate's panic strategy 'abort'

I think I grok what the error means but I'm not sure the exact solution. I thought I post this here to see if anybody else is running into this and has found a solution.

Consider different API for 'handle' utilities

#46 added some utilities to handle stdin and panics. Here's a different design I was thinking about:

struct Input(io::Stdin);

impl Input {
    pub fn into_bytes() -> Vec<u8> {
        unimplemented!()
    }

    pub fn into_string() -> Option<String> {
        let mut input = String::new();
        let result = io::stdin().read_to_string(&mut input);
        match result {
            Ok(_) => Some(input),
            Err(_) => None,
        }
    }
}

impl Read for Input {
    ...
}

pub fn handle<F>(closure: F)
    where F: FnOnce(Input) + UnwindSafe
{
    let input = Input(io::stdin());
    let result = panic::catch_unwind(|| {
        closure(input);
    });
    if result.is_err() {
        unsafe {
            abort();
        }
    }
}

instead of handle_* functions, just one handle function with one input type: Input. The downsides of this design though is that a user might want a string and to input.into_string().unwrap() which will cause a panic sometimes which will result in a crash for AFL.

Host upstream AFL as .tgz?

Extract with the GZIP + Tar libraries. Not a fan of hosting the entire source in the repository; could try just uncompressing+extracting the .tgz as part of the build process

https://github.com/alexcrichton/flate2-rs

https://github.com/alexcrichton/tar-rs

Rethink API

Would be nice to make this library simpler to use. I've been thinking an API like this:

use afl;

fn main() {
    // Some setup can happen here

    // Loop that AFL will run
    afl::run(|inputted_string| {
        let _ = some_library::parse_string(inputted_string);
    });
}

inputted_string would be a String. the closure inside afl::run is the only thing that gets run upon every subsequent call by AFL using the deferred init strategy

Create logo

Might fun to do something like this but with the rust logo instead of a rabbit

http://lcamtuf.coredump.cx/afl/rabbit.gif

https://groups.google.com/d/msg/afl-users/_kNrt_n5Nug/vcZvl2Y7C7EJ

Publish a release on crates.io

It would be fine to get a release uploaded there

Consider 'cargo fuzz' command

Is it possible?

"linked panic runtime not compiled with ..." error

I get this error when I try running an example in my repo with afl.rs.

$ cargo afl build --example chat
...
error: the linked panic runtime `panic_unwind` is not compiled with this crate's panic strategy `abort`
error: aborting due to previous error
error: Could not compile `serde_derive`.

The example in the document is no longer working

I think it is caused by the out-dated rust in the Dockerfile.

Use default values for command line arguments

In the tutorial, it shows that you should use this command:

cargo afl fuzz -i in -o out target/debug/url-fuzz-target

I don't think many people would change the in or out directories, so it seems like those should only need to be provided in the rare case that someone does.

The target executable could also be inferred for most cases, I would imagine.

Ideally, the user could just run cargo afl fuzz and get sane results.

"WARNING: No instrumentation targets found."

I'm trying to run AFL against https://github.com/postmates/quantiles/. Following the information available at https://frewsxcv.github.io/afl.rs/tutorial.html I run into some kind of build failure:

    ➜  quantiles git:(afl_fuzzy) ✗ docker run -v $(pwd):/source -it corey/afl.rs sh
        Updating registry `https://github.com/rust-lang/crates.io-index`
     Downloading afl v0.1.5
     Downloading afl-plugin v0.1.5
     Downloading serde v0.8.13
     Downloading afl-sys v0.1.5
     Downloading libc v0.2.17
     Downloading gcc v0.3.40
     Downloading quale v1.0.0
     Downloading serde_codegen v0.8.13
     Downloading syn v0.9.0
     Downloading syntex_syntax v0.45.0
     Downloading serde_codegen_internals v0.10.0
     Downloading quote v0.3.3
     Downloading syntex v0.45.0
     Downloading unicode-xid v0.0.3
     Downloading syntex_pos v0.45.0
     Downloading rustc-serialize v0.3.19
     Downloading term v0.4.4
     Downloading log v0.3.6
     Downloading syntex_errors v0.45.0
     Downloading bitflags v0.7.0
     Downloading winapi v0.2.8
     Downloading kernel32-sys v0.2.2
     Downloading winapi-build v0.1.1
       Compiling quantiles v0.2.0 (file:///source)
    afl-llvm-pass by <[email protected]>
    WARNING: No instrumentation targets found.

I've pushed my modifications up to https://github.com/postmates/quantiles/compare/afl_fuzzy. Have I goofed something?

Upgrading to a new rustc doesn't trigger a recompilation of cargo-afl

I (incorrectly) made the assumption that when upgrading rustc, cargo-afl would be rebuilt with the new version such that the archive file would get rebuilt. This is apparently not the case

Think about what an 'afl-sys' crate might look like

It might be possible to use rust-bindgen to generate Rust bindings that map directly to AFL C functions. This would allow us to run AFL without relying on using the AFL CLI interface. It also means the user wouldn't have to install AFL since it would get bundled with afl.rs.

Update 'requirements' section of README to mention compatible LLVM versions

one only needs to use LLVM 3.8 (as far as I know) to get AFL to work with Rust programs. we can then stop requiring users to compile Rust to use afl.rs.

Turn on sanitizing

rust-lang/rust#38699

Consider making cargo command that will assist in the docker workflow

Simplify some of the process described in http://blog.troutwine.us/2017/01/06/american-fuzzy-loping-rust/

Ideally, the user should never have to directly run docker themselves. It could also set up a Docker volume which maps to somewhere in the host filesystem acting as a cargo cache so we didn't have to fetch dependencies each time we run start a docker container and do cargo build.

Figure out a way to get 'plugin/' to build on travis

It might require building LLVM and Rust on travis? :(

Error when trying to test html5ever

Hi,
I wanted to do some fuzzy testing on the Servo project, starting with html5ever.
So I tried setting afl.rs up according to the readme. But even if I just add the two dependencies, I get the following errors from cargo build:

failed to run custom build command for `afl-plugin v0.1.0`
Process didn't exit successfully: `/home/vagrant/html5ever/target/debug/build/afl-plugin-584d29624accb60e/build-script-build` (exit code: 101)
--- stdout
[*] $LLVM_CONFIG not set. Will assume you built rustc from source.

--- stderr
++ /opt/rust/x86_64-unknown-linux-gnu/stage2/bin/../../llvm/Release/bin/llvm-config --cxxflags
+ CXXFLAGS='-I/opt/rust/src/llvm/include -I/opt/rust/x86_64-unknown-linux-gnu/llvm/include  -DNDEBUG -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -O3 -fomit-frame-pointer -std=c++11 -fvisibility-inlines-hidden -fno-exceptions -fno-rtti -fPIC -ffunction-sections -fdata-sections -Wcast-qual -O2 -fPIC -Wall -Werror -fno-rtti'
+ g++ -I/opt/rust/src/llvm/include -I/opt/rust/x86_64-unknown-linux-gnu/llvm/include -DNDEBUG -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -O3 -fomit-frame-pointer -std=c++11 -fvisibility-inlines-hidden -fno-exceptions -fno-rtti -fPIC -ffunction-sections -fdata-sections -Wcast-qual -O2 -fPIC -Wall -Werror -fno-rtti -c src/afl-llvm-pass.so.cc -o /home/vagrant/html5ever/target/debug/build/afl-plugin-584d29624accb60e/out/afl-llvm-pass.o
src/afl-llvm-pass.so.cc: In member function ‘virtual bool {anonymous}::AFLCoverage::runOnModule(llvm::Module&)’:
src/afl-llvm-pass.so.cc:106:25: error: no matching function for call to ‘llvm::IRBuilder<>::IRBuilder(llvm::BasicBlock::iterator&)’
       IRBuilder<> IRB(IP);
                         ^
In file included from src/afl-llvm-pass.so.cc:30:0:
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:579:3: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::BasicBlock*, llvm::BasicBlock::iterator, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>; llvm::BasicBlock::iterator = llvm::ilist_iterator<llvm::Instruction>]
   IRBuilder(BasicBlock *TheBB, BasicBlock::iterator IP,
   ^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:579:3: note:   candidate expects 4 arguments, 1 provided


[package]
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:572:3: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::BasicBlock*, llvm::BasicBlock::iterator, const T&, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>; llvm::BasicBlock::iterator = llvm::ilist_iterator<llvm::Instruction>]
   IRBuilder(BasicBlock *TheBB, BasicBlock::iterator IP, const T &F,
   ^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:572:3: note:   candidate expects 5 arguments, 1 provided
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:566:12: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::Instruction*, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>]
   explicit IRBuilder(Instruction *IP, MDNode *FPMathTag = nullptr,
            ^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:566:12: note:   no known conversion for argument 1 from ‘llvm::BasicBlock::iterator {aka llvm::ilist_iterator<llvm::Instruction>}’ to ‘llvm::Instruction*’
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:560:12: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::BasicBlock*, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>]
   explicit IRBuilder(BasicBlock *TheBB, MDNode *FPMathTag = nullptr,
            ^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:560:12: note:   no known conversion for argument 1 from ‘llvm::BasicBlock::iterator {aka llvm::ilist_iterator<llvm::Instruction>}’ to ‘llvm::BasicBlock*’
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:554:12: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::BasicBlock*, const T&, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>]
   explicit IRBuilder(BasicBlock *TheBB, const T &F, MDNode *FPMathTag = nullptr,
            ^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:554:12: note:   candidate expects 4 arguments, 1 provided
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:550:12: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::LLVMContext&, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>]
   explicit IRBuilder(LLVMContext &C, MDNode *FPMathTag = nullptr,
            ^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:550:12: note:   no known conversion for argument 1 from ‘llvm::BasicBlock::iterator {aka llvm::ilist_iterator<llvm::Instruction>}’ to ‘llvm::LLVMContext&’
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:544:3: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::LLVMContext&, const T&, Inserter, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>]
   IRBuilder(LLVMContext &C, const T &F, Inserter I = Inserter(),
   ^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:544:3: note:   candidate expects 5 arguments, 1 provided
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:540:7: note: candidate: llvm::IRBuilder<>::IRBuilder(const llvm::IRBuilder<>&)
 class IRBuilder : public IRBuilderBase, public Inserter {
       ^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:540:7: note:   no known conversion for argument 1 from ‘llvm::BasicBlock::iterator {aka llvm::ilist_iterator<llvm::Instruction>}’ to ‘const llvm::IRBuilder<>&’
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:540:7: note: candidate: llvm::IRBuilder<>::IRBuilder(llvm::IRBuilder<>&&)
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:540:7: note:   no known conversion for argument 1 from ‘llvm::BasicBlock::iterator {aka llvm::ilist_iterator<llvm::Instruction>}’ to ‘llvm::IRBuilder<>&&’
thread '<main>' panicked at 'assertion failed: Command::new("bash").arg("build.bash").status().unwrap().success()', /home/vagrant/.cargo/registry/src/github.com-88ac128001ac3a9a/afl-plugin-0.1.0/build.rs:13
note: Run with `RUST_BACKTRACE=1` for a backtrace.

This was done in the vagrant VM provided by html5ever. So to reproduce:

clone html5ever
vagrant up (takes 1-2 hours)
vagrant ssh
add afl.rs as dependency
build breaks with the above errors

Merge in changes for afl-llvm-rt.o.c and afl-llvm-pass.so.cc from upstream

https://github.com/mcarpenter/afl/blob/master/llvm_mode/afl-llvm-rt.o.c

https://github.com/mcarpenter/afl/blob/master/llvm_mode/afl-llvm-pass.so.cc

Convert panics to crashes

So that afl can detect them. This should be optional, because sometimes we're only interested in memory corruption and not "benign" panics.

Use system memory allocator in instrumented binaries

As we've found in rust-lang/rust#36705, jemalloc has abysmal fork performance in some kernel configurations, notably on recent Ubuntu versions.

Even on good configurations system default allocator has about 20% better fork performance than jemalloc.

This can be done in documentation, by adding the 2 lines described in https://doc.rust-lang.org/nightly/book/custom-allocators.html to the instrumentation instructions.

Travis should run AFL and make sure a crash happens

Use AFL_NO_UI when running integration tests

http://lcamtuf.coredump.cx/afl/ChangeLog.txt

Added support for AFL_NO_UI, as suggested by Leo Barnes.

Figure out why LLVM cache on Travis isn't working

a0eced2

Doesn't appear to do anything helpful. Maybe need to check if the directory already exists?

Incorporate Travis CI

LLVM Assertion "Invalid type for pointer element!" failed

I tried to use AFL on the project https://github.com/tomprogrammer/uuid/tree/afl (rather small) but encountered the following error:

cargo build
   Compiling uuid v0.1.17 (file:///home/thomas/development/uuid)
afl-llvm-pass 1.77b by <[email protected]>
rustc: /home/rustbuild/src/rust-buildbot/slave/nightly-dist-rustc-linux/build/src/llvm/lib/IR/Type.cpp:737: static llvm::PointerType* llvm::PointerType::get(llvm::Type*, unsigned int): Assertion `isValidElementType(EltTy) && "Invalid type for pointer element!"' failed.
Could not compile `uuid`.

My version of AFL is 1.89b, I used llvm-config compiled from the rust sources. Do you have a idea what could be the cause of this error?

SIGILL while compiling a project with afl.rs

Hi,

I do not know if this bug comes from my setup or from afl.rs, so I'll post it here. I am trying to setup fuzzing for a tar parser built with nom, but I get a SIGILL while building the project. Here is the GDB output for the incriminated rustc call:

(gdb) r src/main.rs --crate-name tar_example --crate-type bin -g --out-dir /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug --emit=dep-info,link -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps --extern afl_coverage=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage-b12fdfb78ced2df1.rlib --extern tar=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libtar-8c75079877dd814c.rlib --extern afl_coverage_plugin=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so --extern nom=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libnom-8d822f881e715e50.rlib -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out
Starting program: /usr/local/bin/rustc src/main.rs --crate-name tar_example --crate-type bin -g --out-dir /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug --emit=dep-info,link -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps --extern afl_coverage=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage-b12fdfb78ced2df1.rlib --extern tar=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libtar-8c75079877dd814c.rlib --extern afl_coverage_plugin=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so --extern nom=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libnom-8d822f881e715e50.rlib -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Traceback (most recent call last):
  File "/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19-gdb.py", line 63, in <module>
    from libstdcxx.v6.printers import register_libstdcxx_printers
ImportError: No module named 'libstdcxx'
[New Thread 0x7fffefbff700 (LWP 13085)]
warning: Missing auto-load scripts referenced in section .debug_gdb_scripts
of file /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so
Use `info auto-load python-scripts [REGEXP]' to list them.
afl-llvm-pass 1.77b by <[email protected]>

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffefbff700 (LWP 13085)]
0x00007ffff3a57388 in llvm::PointerType::get(llvm::Type*, unsigned int) () from /usr/local/lib/librustc_llvm-d8ace771.so
(gdb) bt
#0  0x00007ffff3a57388 in llvm::PointerType::get(llvm::Type*, unsigned int) () from /usr/local/lib/librustc_llvm-d8ace771.so
#1  0x00007ffff04514a6 in (anonymous namespace)::AFLCoverage::runOnModule(llvm::Module&) () from /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so
#2  0x00007ffff3a3e76f in llvm::FPPassManager::runOnFunction(llvm::Function&) () from /usr/local/lib/librustc_llvm-d8ace771.so
#3  0x00007ffff3a3e84e in llvm::legacy::FunctionPassManagerImpl::run(llvm::Function&) () from /usr/local/lib/librustc_llvm-d8ace771.so
#4  0x00007ffff3a3e944 in llvm::legacy::FunctionPassManager::run(llvm::Function&) () from /usr/local/lib/librustc_llvm-d8ace771.so
#5  0x00007ffff2addc40 in LLVMRustRunFunctionPassManager (PM=0x7fffe8116270, M=0x7fffe8004e00) at /home/geal/dev/rust/rust/src/rustllvm/PassWrapper.cpp:205
#6  0x00007ffff62ea584 in back::write::execute_work_item::h57fe4379208c73afFjd () from /usr/local/lib/librustc_trans-d8ace771.so
#7  0x00007ffff62e3417 in back::write::run_passes::h0b7edf1f79d9711erZc () from /usr/local/lib/librustc_trans-d8ace771.so
#8  0x00007ffff7ac74b4 in driver::phase_5_run_llvm_passes::h401bc1bb79e26ccfJPa () from /usr/local/lib/librustc_driver-d8ace771.so
#9  0x00007ffff7a9a018 in driver::compile_input::h5f7ce1a1b74fe3e9Tba () from /usr/local/lib/librustc_driver-d8ace771.so
#10 0x00007ffff7b769f4 in run_compiler::h99fee4b1ff194bd3x7b () from /usr/local/lib/librustc_driver-d8ace771.so
#11 0x00007ffff7b743cf in boxed::F.FnBox$LT$A$GT$::call_box::h15186281694418648608 () from /usr/local/lib/librustc_driver-d8ace771.so
#12 0x00007ffff7b73c1a in rt::unwind::try::try_fn::h4127295356855569320 () from /usr/local/lib/librustc_driver-d8ace771.so
#13 0x00007ffff75db1d9 in rust_try_inner () from /usr/local/lib/libstd-d8ace771.so
#14 0x00007ffff75db1c6 in rust_try () from /usr/local/lib/libstd-d8ace771.so
#15 0x00007ffff754eb68 in rt::unwind::try::inner_try::hc82de977351d5e1crJw () from /usr/local/lib/libstd-d8ace771.so
#16 0x00007ffff7b73e2c in boxed::F.FnBox$LT$A$GT$::call_box::h16559282529075441406 () from /usr/local/lib/librustc_driver-d8ace771.so
#17 0x00007ffff7562412 in sys::thread::Thread::new::thread_start::h63af462716e59b66oTv () from /usr/local/lib/libstd-d8ace771.so
#18 0x00007ffff1e75182 in start_thread (arg=0x7fffefbff700) at pthread_create.c:312
#19 0x00007ffff71ab47d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb)

I suspect that my version of rustc may be too new (I built it this morning):

$ rustc -V
rustc 1.2.0-dev (e749f724b 2015-06-23)

This is on a Linux machine, but I made it work previously on a Macbook, although with an older rustc:

$ rustc -V
rustc 1.2.0-dev (717e8831b 2015-06-08)

I have to add that this project is a great help, fuzzing the nom projects is fun :)

Utilize std::panic::recover?

https://manishearth.github.io/rust-internals-docs/std/panic/fn.recover.html

Could this be utilized to catch panics? In combination with:

https://manishearth.github.io/rust-internals-docs/std/intrinsics/fn.abort.html

Instead of having to use -Z no-landing-pads

Extend RUSTFLAGS instead of overwriting exiting env var value

Improve documentation

update root README.md to be much simpler and less intimidating (but keep the trophies)
add separate document with tutorial that utilizes the vagrantfile
indicate what all crates do: afl, afl-sys, afl-plugin

Does not work with the latest Rust nightlies

Stopped working after rust-lang/rust@3fd5fdd

Output I get when I try to compile a Rust version after the change above: https://gist.githubusercontent.com/frewsxcv/ca3ef34cab9fd96edd44fc5de585044d/raw/837b8b6ccbfa682a34977233f535c186e4375c93/gistfile1.txt

A lot of errors like:

/root/.cargo/registry/src/github.com-1ecc6299db9ec823/rayon-0.4.2/src/par_iter/weight.rs:48: undefined reference to `__afl_prev_loc'