Instrumentation for fuzzing tests does not work


Evgeny Novikov

Jul 25, 2025, 2:46:12 PMJul 25
to discuss
Hi,

I am investigating fuzz testing on Fuchsia. I could build and run some fuzzing tests according to the documentation, but it seems that instrumentation, both for the fuzzer and for ASAN, is missing. Can you point out what I overlooked or did wrong?

I used commit ef72569502b7a9f7d064995ceb4f627b35544eaa. Here are the commands that I executed, and the output for some of them.

$ fx set core.x64 --fuzz-with asan --include-clippy=false --with //examples/fuzzers:fuzzers

$ fx build

$ ffx emu start --headless

$ fx serve

$ ffx fuzz shell

$ fuzz » attach --output /home/novikov/work/fuchsia/out/fuzz fuchsia-pkg://fuchsia.com/example-fuzzers#meta/crash_fuzzer.cm
Attached; fuzzer is idle.
$ fuzz » run -t 10s
Starting workflow...
Press any key to pause fuzzer output.
Configuring fuzzer...
Running fuzzer...
[3072.721][.][][I]: [child-process.cc:306] /pkg/test/crash_fuzzer -max_total_time=10 -seed=3468502850 -exact_artifact_path=/tmp/result_input /tmp/live_corpus /tmp/seed_corpus 
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3468502850
==470369== INFO: libFuzzer starting.
INFO:        0 files found in /tmp/live_corpus
INFO:        0 files found in /tmp/seed_corpus
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED exec/s: 0 rss: 25Mb
WARNING: no interesting inputs were found so far. Is the code instrumented for coverage?
This may also happen if the target rejected all inputs we tried so far
#4194304        pulse  corp: 1/1b lim: 4096 exec/s: 2097152 rss: 4Mb
#8388608        pulse  corp: 1/1b lim: 4096 exec/s: 2097152 rss: 4Mb
#16777216       pulse  corp: 1/1b lim: 4096 exec/s: 2097152 rss: 4Mb
#20749912       DONE   corp: 1/1b lim: 4096 exec/s: 1886355 rss: 4Mb
Done 20749912 runs in 11 second(s)


The fuzzer did not detect any errors.
Workflow complete. Press any key to continue...

Above you can see warnings regarding missing functions and instrumentation. Also, there is no crash in the end.

I made numerous attempts to configure, build and run fuzzing tests in other ways, but without success. I looked at Fuchsia's CI, in particular https://ci.chromium.org/ui/p/fuchsia/builders/global.ci/core.x64-fuzz_asan-build_only/b8708770209437816001/overview, and in section "9. upload artifacts -> 1. emit artifactory manifest" in stdout there is:

stdout - x64-novariant/exe.unstripped/crash_fuzzer, //examples/fuzzers/cpp:crash_fuzzer_bin(//build/toolchain/fuchsia:x64-novariant)

So it looks like CI also lacks instrumentation for fuzzing tests. However, this build may not be intended for running fuzzing tests, and this may be normal.

Best regards,
Evgeny
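The warnings in the log above are the usual symptoms of a fuzzer binary that was linked without a sanitizer runtime and compiled without coverage instrumentation. The following script is an added example for this thread, not code from Fuchsia, libFuzzer or the poster: it scans a libFuzzer run log for those symptoms (missing `__sanitizer_*` callbacks, the "Is the code instrumented for coverage?" warning, and a corpus that never grows despite millions of runs). The first sample log is copied from the post above; the second, "healthy" log and the specific thresholds used are the author's own constructed assumptions.

```python
"""Sanity-check a libFuzzer run log for signs that the target binary was built
without coverage instrumentation or without a sanitizer runtime.

Added example for this thread, not code from Fuchsia or from the poster. The
messages searched for are libFuzzer's standard ones; the thresholds are the
author's assumptions.
"""
import re

# Sample input: trimmed copy of the libFuzzer output posted in the thread.
SAMPLE_LOG = """\
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3468502850
==470369== INFO: libFuzzer starting.
INFO:        0 files found in /tmp/live_corpus
INFO:        0 files found in /tmp/seed_corpus
#2      INITED exec/s: 0 rss: 25Mb
WARNING: no interesting inputs were found so far. Is the code instrumented for coverage?
This may also happen if the target rejected all inputs we tried so far
#4194304        pulse  corp: 1/1b lim: 4096 exec/s: 2097152 rss: 4Mb
#20749912       DONE   corp: 1/1b lim: 4096 exec/s: 1886355 rss: 4Mb
Done 20749912 runs in 11 second(s)
"""

# Constructed log of an instrumented run (assumption, not taken from the thread):
# status lines carry "cov:" counters and the corpus grows as new edges are found.
HEALTHY_LOG = """\
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1
#2      INITED cov: 12 ft: 13 corp: 1/1b exec/s: 0 rss: 30Mb
#120    NEW    cov: 14 ft: 16 corp: 2/5b lim: 4 exec/s: 0 rss: 30Mb
#4000   DONE   cov: 14 ft: 16 corp: 2/5b lim: 38 exec/s: 2000 rss: 30Mb
Done 4000 runs in 2 second(s)
"""

MISSING_FN_RE = re.compile(r'WARNING: Failed to find function "([^"]+)"')
# "#<runs> <STATUS> ... corp: <n>/<bytes>" -- the corp field is absent on INITED
# lines of uninstrumented runs, so it is optional here.
STATUS_RE = re.compile(r"^#(\d+)\s+(INITED|pulse|NEW|REDUCE|DONE)\b(?:.*?corp:\s*(\d+)/)?")

# Assumed threshold: after this many runs a stuck corpus is treated as suspicious.
STUCK_RUN_THRESHOLD = 100_000


def analyze_fuzzer_log(text):
    """Return a dict summarising instrumentation-related findings in a libFuzzer log."""
    missing = []
    coverage_warning = False
    final_corpus = None
    total_runs = None
    for line in text.splitlines():
        m = MISSING_FN_RE.search(line)
        if m:
            missing.append(m.group(1))
            continue
        if "Is the code instrumented for coverage?" in line:
            coverage_warning = True
            continue
        m = STATUS_RE.match(line)
        if m:
            total_runs = int(m.group(1))
            if m.group(3) is not None:
                final_corpus = int(m.group(3))

    problems = []
    if any(fn.startswith("__sanitizer_") for fn in missing):
        problems.append("no sanitizer runtime linked: " + ", ".join(missing))
    if coverage_warning:
        problems.append("no coverage feedback: libFuzzer found no interesting inputs")
    if (final_corpus is not None and final_corpus <= 1
            and total_runs is not None and total_runs > STUCK_RUN_THRESHOLD):
        problems.append(f"corpus stuck at {final_corpus} entry after {total_runs} runs")

    return {
        "missing_functions": missing,
        "coverage_warning": coverage_warning,
        "total_runs": total_runs,
        "final_corpus_size": final_corpus,
        "instrumented": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    for name, log in (("thread sample", SAMPLE_LOG), ("constructed healthy run", HEALTHY_LOG)):
        result = analyze_fuzzer_log(log)
        print(name, "->", "instrumented" if result["instrumented"] else "NOT instrumented")
        for problem in result["problems"]:
            print("  -", problem)
```

Run it on a saved `ffx fuzz` transcript (or pipe the fuzzer output into `analyze_fuzzer_log`) before spending time on why no crashes are found: if the report lists missing `__sanitizer_*` functions or a stuck corpus, the build configuration is the problem, not the fuzz target.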

Adam Barth

Jul 30, 2025, 12:50:36 AMJul 30
to Evgeny Novikov, Laura Peskin, discuss
+Laura Peskin do you know what might be going wrong for Evgeny?

Adam



Laura Peskin

Aug 4, 2025, 3:37:44 AMAug 4
to Adam Barth, Evgeny Novikov, discuss, Cameron Finucane
Hi Adam and Evgeny,

My teammate Cameron (eep@) looked into this, and writes:

> Thanks for reporting this! It does appear to be broken, as of https://fuchsia-review.git.corp.google.com/c/fuchsia/+/631903. We will look into landing a proper fix soon, but a temporary workaround you can use is to add fuzzable = true to the library_fuzzer template in /build/fuzzing/internal/library_fuzzer.gni (See https://fuchsia-review.git.corp.google.com/c/fuchsia/+/1336853)

We appreciate the detailed report!

Evgeny Novikov

Aug 13, 2025, 3:25:01 AMAug 13
to discuss, Laura Peskin, Evgeny Novikov, discuss, Cameron Finucane, Adam Barth
Thank you for the analysis and the workaround. I tried it and it worked for the mentioned fuzzing test. Then I experimented with other fuzzing tests; in particular, I wanted to find issues with the help of sanitizers. It looks like UBSAN (--fuzz-with ubsan) does find intentionally introduced bugs, but it is too silent. There are neither appropriate warnings nor stack traces in the logs. My original configuration with ASAN does not work for me. I could not catch either the bug in the "overflow" fuzzing test or the artificial buffer overflow that I added to the "crash" fuzzing test instead of __builtin_trap().

So, I am looking forward to further advice and/or fixes.

Evgeny

On Monday, August 4, 2025 at 10:37:44 UTC+3, Laura Peskin wrote: