-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fuzzing improvements #1617
Fuzzing improvements #1617
Conversation
src/main.cpp
Outdated
} | ||
catch (const std::exception& ex) | ||
{ | ||
// failed to compile |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure we should abort here, and let the fuzzer notify us. Does invalid IR result in an exception?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
llvm doesnt really care. Unless you really screwed up, in that case it segvs or goes oom. Thats why we have the codegen-validator check to find our IR mistakes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. then I leave it as is.
src/main.cpp
Outdated
|
||
#else | ||
|
||
#if !defined(NODE_MAX) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think i'd prefer a special fuzz only binary instead of doing ifdefs everywhere. That way you can just disable BTF support completely instead of what happens now.
So in src/CMakelist.txt
add_executable(bpftrace_fuzz, ..files.. fuzz_main.cpp ...)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we also want to fuzz BTF related part, but the separate a binary seems good to me. I'll try it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added fuzz_main.cpp, and now when building fuzz binary that name is bpftrace_fuzz. I'll rebase commits if it's desirable.
Ah, before merging I need to update the document. I'll do it later. |
Updated. |
set(BPFTRACE bpftrace_fuzz) | ||
else() | ||
set(MAIN_SRC main.cpp) | ||
set(BPFTRACE bpftrace) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: might be good to unset (set(MAIN_SRC "") iirc
) these at the end to avoid them leaking into cmake state.
Although the current bpftrace can be fuzzed with AFL, there are several possible optimizations for fuzzing. This add -DBUILD_FUZZ CMake options and it defined FUZZ. We can use it in the source code to optimize bpftrace for fuzzing. Of course such bpftrace would not work for tracing.
Add simple main for fuzzing. This would make it easier to optimize some processing for fuzzing and integrate with another fuzzer. There are several duplicated lines in the original main function. I'll plan to unify them later.
I realized that reading debug/tracing/available_filter_functions takes time, and that slow down fuzzing severely. Especially, BTF's constructor always call the function no matter if it does not use the function. So this patches changes it, and now BTF's constructor does not call the function, and always report tracee function is available. It should be OK since during fuzzing we don't load the program in the kernel and trace. Now average AFL's exec speed becomes from 1 to up to 20 in my machine.
This PR includes three changes. Basically, add a main function for fuzzing for convenience.
1
2
3
I think we can add more several things to improve fuzzing, but I'll make this PR for the time being to make review easy.
Checklist
docs/reference_guide.md
CHANGELOG.md