This repository was archived by the owner on Jun 26, 2020. It is now read-only.


Continuous fuzzing#944

Merged
tschneidereit merged 2 commits into bytecodealliance:master from bookmoons:master
Sep 17, 2019

Conversation

@bookmoons
Contributor

Proposing to enable continuous fuzzing of the good fuzzing targets. I see this was mentioned in #306 as a possible future improvement.

This patch runs both existing targets on Fuzzit. There's a build under my Travis account I'm expecting to succeed.

The PR build will fail due to missing an API key. Setup is like this:

  • In Fuzzit create targets cranelift-translate-module and cranelift-reader-parse
  • In Fuzzit settings grab an API key. In repo settings in Travis paste it to envvar FUZZIT_API_KEY.

Thank you for considering.

@bookmoons
Contributor Author

Looks like that test build did succeed.

https://travis-ci.org/bookmoons/cranelift/builds/577307862

@bjorn3
Contributor

bjorn3 commented Aug 28, 2019

INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 1482 ft: 1332 corp: 1/1b lim: 4 exec/s: 0 rss: 35Mb
#2 DONE cov: 1482 ft: 1332 corp: 1/1b lim: 4 exec/s: 0 rss: 35Mb

Am I reading this correctly as: tried one input smaller than 4096 bytes?

@bookmoons
Contributor Author

Thanks for looking at it @bjorn3.

This comes from how the fuzzer binary is produced. Fuzzit docs give the cargo fuzz run command with flag -runs=0. Maybe cargo-fuzz just doesn't provide a build command. So it builds then does this brief run and you end up with the binary. The binary gets submitted to Fuzzit and does a long term fuzzing run.

That default max length is worth thinking about. If you think it's too small I can increase.

@bjorn3
Contributor

bjorn3 commented Aug 28, 2019

The binary gets submitted to Fuzzit and does a long term fuzzing run.

Is there anywhere I can see the fuzzing job?

@bookmoons
Contributor Author

I'll send the links, I'm not sure if they're private to the account or what.

https://app.fuzzit.dev/orgs/bookmoons/targets/cranelift-reader-parse
https://app.fuzzit.dev/orgs/bookmoons/targets/cranelift-translate-module

@bjorn3
Contributor

bjorn3 commented Aug 28, 2019

You have to login :(

@bookmoons
Contributor Author

Shoot. They're in my queue anyway. Let me cancel everything and let them run a little while, then I think I can pull the log to send.

@bookmoons
Contributor Author

There's the beginning of a worker log. Starting to build up a corpus.

INFO:root:/tmp/tmpgrikkiuq
INFO:root:running fuzzing job
INFO:root:Downloading fuzzer...
INFO:root:downloading orgs/bookmoons/targets/cranelift-translate-module/jobs/KJL4aMIJVfzsdSGtRBZr/fuzzer
INFO:root:Downloading seed corpus...
INFO:root:downloading orgs/bookmoons/targets/cranelift-translate-module/seed
INFO:root:artifact doesnt exist. skipping...
INFO:root:downloading orgs/bookmoons/targets/cranelift-translate-module/seed.tar.gz
INFO:root:artifact doesnt exist. skipping...
INFO:root:Syncing corpus from cloud
INFO:root:downloading orgs/bookmoons/targets/cranelift-translate-module/corpus.tar.gz
INFO:root:artifact doesnt exist. skipping...
INFO:root:Running fuzzer for 1hr...
FUZZER: INFO: Seed: 4065133800
FUZZER: INFO: Loaded 1 modules   (86961 guards): 86961 [0x55755003df68, 0x557550092e2c), 
FUZZER: INFO:        0 files found in corpus
FUZZER: INFO:        0 files found in seed
FUZZER: INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
FUZZER: INFO: A corpus is not provided, starting from an empty corpus
FUZZER: #2	INITED cov: 15439 ft: 15255 corp: 1/1b lim: 4 exec/s: 0 rss: 48Mb
FUZZER: #4	NEW    cov: 15453 ft: 15565 corp: 2/3b lim: 4 exec/s: 0 rss: 48Mb L: 2/2 MS: 2 ShuffleBytes-InsertByte-
FUZZER: #5	NEW    cov: 15453 ft: 15872 corp: 3/4b lim: 4 exec/s: 0 rss: 48Mb L: 1/2 MS: 1 EraseBytes-
FUZZER: #6	NEW    cov: 15453 ft: 15931 corp: 4/6b lim: 4 exec/s: 0 rss: 48Mb L: 2/2 MS: 1 CopyPart-
FUZZER: #9	NEW    cov: 15453 ft: 16147 corp: 5/7b lim: 4 exec/s: 0 rss: 49Mb L: 1/2 MS: 3 EraseBytes-CopyPart-ChangeBit-
FUZZER: #10	NEW    cov: 15453 ft: 16154 corp: 6/10b lim: 4 exec/s: 0 rss: 49Mb L: 3/3 MS: 1 CrossOver-
FUZZER: #11	NEW    cov: 15466 ft: 16173 corp: 7/12b lim: 4 exec/s: 0 rss: 49Mb L: 2/3 MS: 1 ChangeByte-
FUZZER: #12	NEW    cov: 15466 ft: 16174 corp: 8/16b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 1 CrossOver-
FUZZER: #19	NEW    cov: 15468 ft: 16198 corp: 9/20b lim: 4 exec/s: 0 rss: 49Mb L: 4/4 MS: 2 CopyPart-ChangeBinInt-
FUZZER: #21	NEW    cov: 15468 ft: 16200 corp: 10/24b lim: 4 exec/s: 0 rss: 50Mb L: 4/4 MS: 2 ShuffleBytes-ChangeByte-
FUZZER: #27	NEW    cov: 15468 ft: 16337 corp: 11/28b lim: 4 exec/s: 0 rss: 50Mb L: 4/4 MS: 5 CopyPart-ShuffleBytes-InsertByte-CopyPart-InsertByte-
FUZZER: #42	NEW    cov: 15470 ft: 16339 corp: 12/31b lim: 4 exec/s: 0 rss: 51Mb L: 3/4 MS: 5 ChangeBit-CrossOver-CopyPart-ChangeByte-EraseBytes-
FUZZER: #45	NEW    cov: 15470 ft: 16343 corp: 13/35b lim: 4 exec/s: 0 rss: 52Mb L: 4/4 MS: 3 ChangeBit-ChangeBit-CrossOver-
FUZZER: #46	NEW    cov: 15470 ft: 16352 corp: 14/39b lim: 4 exec/s: 0 rss: 52Mb L: 4/4 MS: 1 ChangeByte-
FUZZER: #53	NEW    cov: 15470 ft: 16353 corp: 15/43b lim: 4 exec/s: 0 rss: 52Mb L: 4/4 MS: 2 CopyPart-CrossOver-
FUZZER: #71	NEW    cov: 15470 ft: 16355 corp: 16/45b lim: 4 exec/s: 0 rss: 53Mb L: 2/4 MS: 3 EraseBytes-ChangeByte-ChangeByte-
FUZZER: #74	NEW    cov: 15470 ft: 16356 corp: 17/49b lim: 4 exec/s: 0 rss: 54Mb L: 4/4 MS: 3 ChangeBit-ChangeBit-CopyPart-
FUZZER: #80	NEW    cov: 15470 ft: 16366 corp: 18/53b lim: 4 exec/s: 0 rss: 54Mb L: 4/4 MS: 5 InsertByte-InsertByte-ChangeBit-ShuffleBytes-ChangeBit-
FUZZER: #86	NEW    cov: 15470 ft: 16367 corp: 19/57b lim: 4 exec/s: 0 rss: 54Mb L: 4/4 MS: 1 ChangeBit-
FUZZER: #132	NEW    cov: 15470 ft: 16368 corp: 20/61b lim: 4 exec/s: 132 rss: 58Mb L: 4/4 MS: 1 ShuffleBytes-
FUZZER: #163	NEW    cov: 15470 ft: 16385 corp: 21/65b lim: 4 exec/s: 163 rss: 60Mb L: 4/4 MS: 1 ChangeBit-
FUZZER: #172	REDUCE cov: 15470 ft: 16385 corp: 21/64b lim: 4 exec/s: 172 rss: 60Mb L: 3/4 MS: 4 CopyPart-CopyPart-EraseBytes-ChangeByte-
FUZZER: #178	NEW    cov: 15470 ft: 16386 corp: 22/67b lim: 4 exec/s: 178 rss: 61Mb L: 3/4 MS: 1 EraseBytes-
FUZZER: #209	REDUCE cov: 15470 ft: 16386 corp: 22/66b lim: 4 exec/s: 104 rss: 63Mb L: 3/4 MS: 1 EraseBytes-
FUZZER: #215	NEW    cov: 15470 ft: 16387 corp: 23/69b lim: 4 exec/s: 107 rss: 63Mb L: 3/4 MS: 1 ChangeByte-
FUZZER: #256	pulse  cov: 15470 ft: 16387 corp: 23/69b lim: 4 exec/s: 128 rss: 66Mb
FUZZER: #309	NEW    cov: 15470 ft: 16388 corp: 24/72b lim: 4 exec/s: 103 rss: 69Mb L: 3/4 MS: 4 ChangeByte-EraseBytes-ShuffleBytes-ShuffleBytes-
FUZZER: #324	NEW    cov: 15470 ft: 16389 corp: 25/74b lim: 4 exec/s: 108 rss: 70Mb L: 2/4 MS: 5 ChangeByte-ChangeBit-ShuffleBytes-ChangeBinInt-EraseBytes-
FUZZER: #447	REDUCE cov: 15470 ft: 16389 corp: 25/72b lim: 4 exec/s: 111 rss: 78Mb L: 2/4 MS: 3 EraseBytes-ShuffleBytes-ChangeByte-
FUZZER: #512	pulse  cov: 15470 ft: 16389 corp: 25/72b lim: 4 exec/s: 102 rss: 82Mb
FUZZER: #540	REDUCE cov: 15470 ft: 16389 corp: 25/70b lim: 4 exec/s: 108 rss: 84Mb L: 2/4 MS: 3 CopyPart-ChangeBinInt-EraseBytes-
FUZZER: #608	REDUCE cov: 15470 ft: 16389 corp: 25/69b lim: 4 exec/s: 101 rss: 89Mb L: 3/4 MS: 3 CrossOver-CopyPart-EraseBytes-
FUZZER: #759	NEW    cov: 15470 ft: 16390 corp: 26/73b lim: 4 exec/s: 108 rss: 98Mb L: 4/4 MS: 1 ChangeByte-
FUZZER: #822	NEW    cov: 15470 ft: 16391 corp: 27/76b lim: 4 exec/s: 102 rss: 102Mb L: 3/4 MS: 3 ChangeByte-CopyPart-CopyPart-
FUZZER: #1024	pulse  cov: 15470 ft: 16391 corp: 27/76b lim: 4 exec/s: 102 rss: 115Mb
FUZZER: #1557	REDUCE cov: 15470 ft: 16391 corp: 27/75b lim: 4 exec/s: 103 rss: 149Mb L: 2/4 MS: 5 CrossOver-ShuffleBytes-CrossOver-CrossOver-EraseBytes-
FUZZER: #1751	REDUCE cov: 15470 ft: 16391 corp: 27/74b lim: 4 exec/s: 103 rss: 162Mb L: 3/4 MS: 4 CopyPart-ChangeBit-EraseBytes-InsertByte-
FUZZER: #1872	REDUCE cov: 15470 ft: 16391 corp: 27/73b lim: 4 exec/s: 98 rss: 170Mb L: 3/4 MS: 1 EraseBytes-
FUZZER: #2021	REDUCE cov: 15470 ft: 16391 corp: 27/72b lim: 4 exec/s: 101 rss: 179Mb L: 1/4 MS: 4 ShuffleBytes-CopyPart-EraseBytes-EraseBytes-
FUZZER: #2048	pulse  cov: 15470 ft: 16391 corp: 27/72b lim: 4 exec/s: 102 rss: 181Mb
FUZZER: #2091	REDUCE cov: 15470 ft: 16391 corp: 27/71b lim: 4 exec/s: 99 rss: 184Mb L: 2/4 MS: 5 ChangeByte-ChangeByte-EraseBytes-EraseBytes-InsertByte-
FUZZER: #2415	NEW    cov: 15470 ft: 16393 corp: 28/75b lim: 4 exec/s: 100 rss: 204Mb L: 4/4 MS: 4 EraseBytes-ChangeBinInt-CopyPart-ChangeBinInt-
FUZZER: #2714	REDUCE cov: 15470 ft: 16394 corp: 29/79b lim: 4 exec/s: 100 rss: 224Mb L: 4/4 MS: 4 ShuffleBytes-CopyPart-CrossOver-ChangeBit-
FUZZER: #2744	NEW    cov: 15470 ft: 16395 corp: 30/83b lim: 4 exec/s: 98 rss: 226Mb L: 4/4 MS: 5 ChangeBit-ShuffleBytes-ChangeByte-ChangeBinInt-CrossOver-
FUZZER: #4096	pulse  cov: 15470 ft: 16395 corp: 30/83b lim: 4 exec/s: 99 rss: 300Mb
FUZZER: #4165	REDUCE cov: 15470 ft: 16395 corp: 30/82b lim: 4 exec/s: 101 rss: 300Mb L: 2/4 MS: 1 EraseBytes-
FUZZER: #4855	NEW    cov: 15470 ft: 16397 corp: 31/85b lim: 4 exec/s: 101 rss: 301Mb L: 3/4 MS: 5 ChangeBinInt-CrossOver-CMP-ShuffleBytes-EraseBytes- DE: "\xff\xff\xff\xff"-
FUZZER: #5182	REDUCE cov: 15470 ft: 16397 corp: 31/83b lim: 4 exec/s: 101 rss: 301Mb L: 2/4 MS: 2 ShuffleBytes-EraseBytes-
FUZZER: #5219	REDUCE cov: 15470 ft: 16397 corp: 31/82b lim: 4 exec/s: 102 rss: 302Mb L: 2/4 MS: 2 EraseBytes-ChangeBit-
FUZZER: #5403	REDUCE cov: 15470 ft: 16397 corp: 31/81b lim: 4 exec/s: 101 rss: 302Mb L: 1/4 MS: 4 ChangeBit-EraseBytes-CopyPart-ChangeBinInt-
FUZZER: #5811	NEW    cov: 15470 ft: 16398 corp: 32/85b lim: 4 exec/s: 101 rss: 302Mb L: 4/4 MS: 3 CrossOver-ChangeByte-ChangeBit-
FUZZER: #6044	REDUCE cov: 15470 ft: 16398 corp: 32/84b lim: 4 exec/s: 102 rss: 302Mb L: 2/4 MS: 3 CrossOver-ShuffleBytes-EraseBytes-
FUZZER: #7134	NEW    cov: 15470 ft: 16399 corp: 33/87b lim: 4 exec/s: 101 rss: 302Mb L: 3/4 MS: 5 InsertByte-ChangeByte-ChangeBinInt-CopyPart-EraseBytes-
FUZZER: #8192	pulse  cov: 15470 ft: 16399 corp: 33/87b lim: 4 exec/s: 102 rss: 302Mb
FUZZER: #8903	REDUCE cov: 15470 ft: 16399 corp: 33/86b lim: 4 exec/s: 102 rss: 302Mb L: 3/4 MS: 4 ChangeByte-ChangeByte-CopyPart-EraseBytes-
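Both logs in this thread raise the same question, namely what a libFuzzer run actually executed. The following is an added example, not code from the PR, from Cranelift or from the Fuzzit client: a small Rust parser for libFuzzer status lines (the `#N EVENT cov: ... lim: ... rss: ...Mb` records) with a summary function, run over lines copied from the two logs above. It reports the execution counter, the coverage and corpus figures, the current length limit `lim`, and whether a `DONE` line appeared, which is what separates the `-runs=0` build-time run (two executions, then exit) from the hour-long worker run. The field names in `Status` and `Summary` are my own labels for libFuzzer's columns.

```rust
// Added example, not code from the Cranelift project or the Fuzzit client:
// a parser for libFuzzer status lines ("#N EVENT cov: ... rss: ...Mb") with a
// summary that tells a -runs=0 build-time run apart from a real fuzzing run.
// Field names in Status are my own labels for libFuzzer's columns.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Status {
    pub runs: u64,       // executions so far, the "#N" counter
    pub event: String,   // INITED, NEW, REDUCE, pulse, DONE, ...
    pub cov: u64,        // covered edges
    pub ft: u64,         // features
    pub corp_units: u64, // corpus entries
    pub corp_bytes: u64, // corpus size in bytes
    pub lim: u64,        // current maximum input length libFuzzer will try
    pub exec_per_s: u64,
    pub rss_mb: u64,
}

/// libFuzzer prints corpus sizes as "69b", "3Kb" or "12Mb".
fn parse_size(s: &str) -> Option<u64> {
    if let Some(n) = s.strip_suffix("Mb") {
        n.parse::<u64>().ok().map(|v| v << 20)
    } else if let Some(n) = s.strip_suffix("Kb") {
        n.parse::<u64>().ok().map(|v| v << 10)
    } else {
        s.strip_suffix('b')?.parse().ok()
    }
}

/// Value following `key` in a token list such as ["cov:", "1482", "ft:", ...].
fn field<'a>(tokens: &[&'a str], key: &str) -> Option<&'a str> {
    let i = tokens.iter().position(|t| *t == key)?;
    tokens.get(i + 1).copied()
}

/// Parse one status line; any other line (INFO:, worker chatter) yields None.
/// The "FUZZER: " prefix that the Fuzzit worker adds is tolerated.
pub fn parse_status(line: &str) -> Option<Status> {
    let line = line.trim();
    let line = line.strip_prefix("FUZZER:").map(str::trim).unwrap_or(line);
    let mut it = line.split_whitespace();
    let runs = it.next()?.strip_prefix('#')?.parse().ok()?;
    let event = it.next()?.to_string();
    let rest: Vec<&str> = it.collect();
    let (units, bytes) = field(&rest, "corp:")?.split_once('/')?;
    Some(Status {
        runs,
        event,
        cov: field(&rest, "cov:")?.parse().ok()?,
        ft: field(&rest, "ft:")?.parse().ok()?,
        corp_units: units.parse().ok()?,
        corp_bytes: parse_size(bytes)?,
        lim: field(&rest, "lim:")?.parse().ok()?,
        exec_per_s: field(&rest, "exec/s:")?.parse().ok()?,
        rss_mb: field(&rest, "rss:")?.strip_suffix("Mb")?.parse().ok()?,
    })
}

#[derive(Debug, PartialEq, Eq)]
pub struct Summary {
    pub status_lines: usize,
    pub last_runs: u64,
    pub final_cov: u64,
    pub corpus_units: u64,
    pub max_lim: u64,
    pub finished: bool, // a DONE line was seen, i.e. the process exited
}

pub fn summarize(log: &str) -> Option<Summary> {
    let statuses: Vec<Status> = log.lines().filter_map(parse_status).collect();
    let last = statuses.last()?;
    Some(Summary {
        status_lines: statuses.len(),
        last_runs: last.runs,
        final_cov: last.cov,
        corpus_units: last.corp_units,
        max_lim: statuses.iter().map(|s| s.lim).max()?,
        finished: statuses.iter().any(|s| s.event == "DONE"),
    })
}

/// Lines copied from the `cargo fuzz run ... -runs=0` build quoted in the thread.
pub const SMOKE_RUN: &str = "\
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
#2 INITED cov: 1482 ft: 1332 corp: 1/1b lim: 4 exec/s: 0 rss: 35Mb
#2 DONE cov: 1482 ft: 1332 corp: 1/1b lim: 4 exec/s: 0 rss: 35Mb
";

/// First and last lines copied from the Fuzzit worker log above.
pub const WORKER_RUN: &str = "\
INFO:root:Running fuzzer for 1hr...
FUZZER: INFO: Seed: 4065133800
FUZZER: #2\tINITED cov: 15439 ft: 15255 corp: 1/1b lim: 4 exec/s: 0 rss: 48Mb
FUZZER: #4\tNEW    cov: 15453 ft: 15565 corp: 2/3b lim: 4 exec/s: 0 rss: 48Mb L: 2/2 MS: 2 ShuffleBytes-InsertByte-
FUZZER: #8192\tpulse  cov: 15470 ft: 16399 corp: 33/87b lim: 4 exec/s: 102 rss: 302Mb
FUZZER: #8903\tREDUCE cov: 15470 ft: 16399 corp: 33/86b lim: 4 exec/s: 102 rss: 302Mb L: 3/4 MS: 4 ChangeByte-ChangeByte-CopyPart-EraseBytes-
";
```

Over the build-time log `summarize` reports two executions and a `DONE` line, so that step produced a binary and nothing else. Over the worker log `lim` is still 4 at execution 8903: every status line in the log above shows `lim: 4`, so the worker had not yet grown its inputs past four bytes, and the 4096-byte `-max_len` ceiling discussed earlier had not come into play at that point.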

@bookmoons
Contributor Author

You can also upload a seed corpus to Fuzzit. If you had a bunch of valid data lying around you could give it a kickstart.

@bookmoons
Contributor Author

Looks like it found a crash, in the translate-module target. Uploading the crashing input here.

artifact.zip

@bookmoons
Contributor Author

Took a little longer but it also found a crash in reader-parse. 62 byte input that gives exit code 76.

artifact-reader-parse.zip

@bjorn3
Contributor

bjorn3 commented Aug 28, 2019

I think the last one just ran out of memory. I reduced it to:

function %a(){
ebb477777777:
}

which will attempt to allocate 477777777 ebbs. Maybe we should add a reader config to deny such pathological inputs.

Edit: created issue #951 for this.
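The reduced input above shows the failure class: one label number drives an allocation proportional to its value. As an added example, not Cranelift's reader (whose API is not shown on this page), here is a minimal Rust parser for `ebbN` block labels that checks N against a configurable cap before recording it, the "reader config" idea from the comment. `ReaderConfig`, `max_block_number` and `ParseError` are hypothetical names chosen for this illustration; the parser only handles label lines and ignores instructions, so it is a sketch of where the check belongs rather than a drop-in for the real reader.

```rust
// Added example, not Cranelift's own reader: parse "ebbN" block labels from
// the IR text format and reject block numbers above a configurable cap before
// anything sized by N is allocated. ReaderConfig and ParseError are
// hypothetical names for this illustration.
use std::collections::HashSet;

#[derive(Clone, Copy, Debug)]
pub struct ReaderConfig {
    /// Highest block number accepted in a label (inclusive). Hypothetical knob.
    pub max_block_number: u32,
}

impl Default for ReaderConfig {
    fn default() -> Self {
        // Large enough for any realistic function, small enough that a table
        // indexed by block number stays cheap.
        ReaderConfig { max_block_number: 1 << 20 }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    BadLabel(String),
    BlockNumberTooLarge { number: u64, limit: u32 },
    DuplicateBlock(u32),
}

/// Extract N from a label line such as "ebb0:" or "ebb3(v0: i32):".
fn block_number(line: &str) -> Result<u64, ParseError> {
    let bad = || ParseError::BadLabel(line.to_string());
    let rest = line.strip_prefix("ebb").ok_or_else(|| bad())?;
    let digits_len = rest.bytes().take_while(u8::is_ascii_digit).count();
    let (digits, tail) = rest.split_at(digits_len);
    // After the number: either ":" or a parameter list ending in "):".
    let tail_ok = tail == ":" || (tail.starts_with('(') && tail.ends_with("):"));
    if digits.is_empty() || !tail_ok {
        return Err(bad());
    }
    // parse::<u64> fails on overflow, which no sane cap would accept anyway.
    digits.parse::<u64>().map_err(|_| bad())
}

/// Collect the block numbers declared in a function body, in order, checking
/// each against the cap before it is recorded. Only label lines are examined;
/// branch targets inside instructions are not validated here.
pub fn parse_blocks(src: &str, cfg: ReaderConfig) -> Result<Vec<u32>, ParseError> {
    let mut seen = HashSet::new();
    let mut blocks = Vec::new();
    for line in src.lines().map(str::trim) {
        if !line.starts_with("ebb") {
            continue; // "function" header, braces, instructions, blank lines
        }
        let n = block_number(line)?;
        if n > u64::from(cfg.max_block_number) {
            return Err(ParseError::BlockNumberTooLarge { number: n, limit: cfg.max_block_number });
        }
        let n = n as u32;
        if !seen.insert(n) {
            return Err(ParseError::DuplicateBlock(n));
        }
        blocks.push(n);
    }
    Ok(blocks)
}

fn main() {
    // The input the reader-parse crash was reduced to in the thread.
    let pathological = "function %a(){\nebb477777777:\n}\n";
    match parse_blocks(pathological, ReaderConfig::default()) {
        Ok(blocks) => println!("accepted blocks {:?}", blocks),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

The point of placing the check in the label parser is that the rejection happens on the label's numeric value alone, before any table is resized to index it, so the reduced input fails fast with an error instead of an allocation of hundreds of millions of entries.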

@bjorn3
Contributor

bjorn3 commented Aug 28, 2019

$ cargo +nightly fuzz run fuzz_translate_module artifact
[...]
INFO: Seed: 1619635779
INFO: Loaded 1 modules   (86922 guards): 86922 [0x560dea246488, 0x560dea29b2b0), 
fuzz/target/x86_64-unknown-linux-gnu/debug/fuzz_translate_module: Running 1 inputs 1 time(s) each.
Running: artifact
Executed artifact in 22 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***

I don't seem to be able to reproduce the crash for translate-module.

@bookmoons
Contributor Author

Strange. Maybe it's also a memory error and the platform is running with less. Fuzzit shows the same return code 76 and labels it leak.

@bnjbvr
Member

bnjbvr commented Sep 6, 2019

Thanks! More fuzzing is always great. We've now moved over to Azure pipelines, is there a chance you could update your PR, please?

@bookmoons
Contributor Author

Will do! Thanks for looking at it. Just did that for wasmer so I have an idea what it takes.

@bookmoons
Contributor Author

This is updated. I see fuzzing runs happening in Fuzzit. There's a successful test build:
https://dev.azure.com/bookmoons/cranelift/_build/results?buildId=29

Fuzzit have kindly set up an org that I've preconfigured with targets. If you'd like to sign in to make an account I can get you added to the org.

Setup through Azure is now like this:

  • In Fuzzit settings grab an API key.
  • In Azure Pipelines, Edit the pipeline, open Variables, and paste the key to a FUZZIT_API_KEY variable. Make it secret to prevent exposure.

@bookmoons
Contributor Author

I had to update the reader_parse target. d755002 modifies the targeted function. I updated to use the new signature.

Member

@bnjbvr bnjbvr left a comment

Thanks! That seems correct, but I'll defer to Till for review, as well as setting up the Azure pipelines if we wanted to do it.

Two remarks:

  • I'd like to make sure the commits are squashed before merging, either manually (by you) or by using the squash and merge button when we accept this.
  • Can you comment on the CLI options "fuzzing" vs "local-regression", somewhere in the code, please?

@bnjbvr bnjbvr requested a review from tschneidereit September 9, 2019 08:53
Conforms parse_test usage to the new signature introduced in
d755002
@bookmoons bookmoons force-pushed the master branch 2 times, most recently from c56764d to adf64d8 Compare September 10, 2019 01:07
@bookmoons
Contributor Author

Made these changes. I kept the target update separate. Put the type option docs into the usage message.

@tschneidereit
Member

This looks great to me, thank you so much, @bookmoons!

I'm traveling right now, and won't be able to thoroughly investigate the setup fully, unfortunately. @alexcrichton, could you take a look and see if this setup seems good? Perhaps also compared to what kind of fuzzing is done for Rust?

@bookmoons
Contributor Author

I'm seeing a little bug in the fuzz regression stage. Just tested and it's showing on this setup. Probably worth holding off merging until it's resolved.

Reported it in fuzzitdev/fuzzit#38

@bookmoons bookmoons force-pushed the master branch 2 times, most recently from 9cd4ae9 to be6197d Compare September 10, 2019 06:19
@bookmoons
Contributor Author

Upgrading the Fuzzit client resolved that. This is ready for review again. There's a successful test build:
https://dev.azure.com/bookmoons/cranelift/_build/results?buildId=36

The latest seems to require an API key, so the PR build will fail until that's in.

@alexcrichton
Member

While I haven't done much continuous fuzzing myself in Rust yet, this seems good to me!

Is there a way that API keys aren't required on PRs? Or is there perhaps a readonly key available for PRs and the read/write key could only be used for branches?

@jfoote
Contributor

jfoote commented Sep 10, 2019

👋 I am glad to see this! @bookmoons do you happen to know where reports will be sent when the fuzzer detects an issue? I took a quick look at the fuzzit.dev docs but it was not obvious to me.

@bookmoons
Contributor Author

Thanks a lot guys.

I think the reports go out to everyone on the account. There's a list of admins for the org, so if anyone who should be administering wants to sign up I can get you all added.

Is there a way that API keys aren't required on PRs? Or is there perhaps a readonly key available for PRs and the read/write key could only be used for branches?

I'm going to ask Fuzzit about this. The recommendation was that you make the corpus public so it can run in PRs without a key. This seems to break that.

I see in settings you can make a readonly key, so maybe that's the right track.

@bookmoons
Contributor Author

I think the reports go out to everyone on the account. There's a list of admins for the org, so if anyone who should be administering wants to sign up I can get you all added.

When they get sent they go out by email, to the address on the GitHub account. Then you can pop in and download the crashing input.

@bookmoons bookmoons force-pushed the master branch 5 times, most recently from 38d288c to e975990 Compare September 11, 2019 06:44
Enables automated fuzzing on Fuzzit. Runs fuzz regression tests
every push and PR. Runs full fuzzing every push. Fuzzit emails
if it finds crashes.

Uses the existing fuzz targets:
* translate-module - Fuzz valid WebAssembly modules.
* reader-parse - Fuzz IR text format parsing.
@bookmoons
Contributor Author

The latest Fuzzit client brings back PR fuzzing. Made the upgrade to get that working again.

Member

@tschneidereit tschneidereit left a comment

Thank you again for doing this, @bookmoons!

I've defined the FUZZIT_API_KEY variable in Pipelines, so let's see what the results will look like :)

@tschneidereit tschneidereit merged commit 374fd23 into bytecodealliance:master Sep 17, 2019
@tschneidereit
Member

Ah, I see. @bookmoons, can you add me to the org on Fuzzit? I'll revert the PR for now, because it causes the build to fail.

tschneidereit added a commit that referenced this pull request Sep 17, 2019
tschneidereit added a commit that referenced this pull request Sep 17, 2019
@bookmoons
Contributor Author

Got you added!

https://app.fuzzit.dev/orgs/cranelift/settings

@bookmoons
Contributor Author

If it helps I could open a new PR.

@pchickey
Contributor

@bookmoons can you add me to the org as well? Thanks!

@bookmoons
Contributor Author

Will do @pchickey.

Fuzzit doesn't seem to be finding an account. If you'd like to sign in to create one I can get you added.

@tschneidereit
Member

Thanks, @bookmoons! I just updated the API key.

It does indeed seem like we'll have to have a new PR, so could you open one?

@bookmoons bookmoons mentioned this pull request Sep 18, 2019
@bookmoons
Contributor Author

Opened #1042 to replace this.
