afl-fuzz crashing during dry-runs of previous corpus


Brandon Perry

Feb 5, 2016, 11:45:23 AM
to afl-...@googlegroups.com
I have a corpus generated by a previous fuzz job of about 10000 files. This corpus has been minimized with afl-cmin, then each file was minimized with afl-tmin (with default memory of 50mb).

However, after moving the final set back to the fuzzer directory queues, afl-fuzz crashes on random inputs during the dry run over these files. Increasing the memory helps sometimes, but I don’t understand why afl-fuzz would not be able to perform a dry run on a given input with a 50mb memory limit, when minimizing the corpus and the files with a 50mb memory limit completed without issue.

Any ideas on how to track down what could be causing afl-fuzz to crash (seemingly) randomly on inputs for a dry run when cmin and tmin have no issues with the inputs and minimize just fine?

afl-fuzz does not report instrumentation changing between runs on any of the inputs, so it should be deterministic.

Any thoughts are appreciated, thanks!

Michal Zalewski

Feb 5, 2016, 12:49:57 PM
to afl-users
> Any ideas on how to track down what could be causing afl-fuzz to crash (seemingly) randomly on inputs for a dry run when cmin and tmin have no issues with the inputs and minimize just fine?

My three guesses would be:

1) Some timing / signal handling / thread concurrency issue in the targeted program.

2) A crash that depends on memory layout, which changes across runs due to ASLR.

3) Some external influencing factor, such as a collision with a leftover temp file created by earlier runs.

You could probably test for it by running it outside of afl-fuzz with one of the "randomly" crashing files in a loop. If you get random crashes every now and then, it may help (and let you capture a core dump, etc.).
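One way to run the loop Michal describes, as an added example that is not from the thread: a POSIX sh function that re-runs the target on a suspect input N times outside afl-fuzz, under a memory cap approximating the -m limit and with core dumps enabled, and tallies runs that die from a signal. The target path, input file, iteration count, memory limit and the ASLR_OFF switch are assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: rerun a target on one "randomly" crashing
# input many times outside afl-fuzz and count runs that die from a signal.
# Assumptions: target binary path, input file, iteration count and memory
# limit (in MB, 0 = none) are passed as arguments; setting ASLR_OFF=1 pins the
# memory layout via setarch -R so a layout-dependent crash (guess 2) can be
# told apart from a timing or leftover-file problem (guesses 1 and 3).

rerun_target() {
    target="$1"; input="$2"; iters="${3:-200}"; mem_mb="${4:-50}"
    runner=""
    if [ -n "${ASLR_OFF:-}" ] && command -v setarch >/dev/null 2>&1; then
        runner="setarch $(uname -m) -R"   # disable ASLR for this process tree
    fi
    crashes=0
    i=0
    while [ "$i" -lt "$iters" ]; do
        i=$((i + 1))
        status=0
        # The subshell keeps the ulimit changes local. RLIMIT_AS approximates
        # the address-space cap afl-fuzz applies with -m; unlimited cores mean
        # a crash leaves something a debugger can open afterwards.
        (
            ulimit -c unlimited 2>/dev/null || true
            if [ "$mem_mb" -gt 0 ]; then
                ulimit -v $((mem_mb * 1024)) 2>/dev/null || true
            fi
            exec $runner "$target" "$input"
        ) </dev/null >/dev/null 2>&1 || status=$?
        # Exit status above 128 means death by signal (139 = SIGSEGV, 134 = SIGABRT).
        if [ "$status" -gt 128 ]; then
            crashes=$((crashes + 1))
            echo "run $i: target killed by signal $((status - 128))" >&2
        fi
    done
    echo "$crashes"   # tally on stdout so callers can capture it
}

# Stand-alone use: ./rerun.sh ./target_binary crashing_input.bin 500 50
if [ $# -gt 0 ]; then
    rerun_target "$@"
fi
```

A non-zero tally on only some of the runs points at a non-deterministic cause; a tally that drops to zero with ASLR_OFF=1 points at the memory-layout explanation.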