
[dev.fuzz] internal/fuzz: ensure coordinator can reconstruct input during minimization #48165

Open
jayconrod opened this issue Sep 2, 2021 · 0 comments


Currently, I think there's a scenario where the fuzzing engine finds a value that causes a crash but can't reconstruct or record it.

  1. Worker finds a random mutation that expands coverage.
  2. Worker sends that entry back to the coordinator.
  3. Coordinator confirms entry expands coverage and sends it back to a worker for minimization.
  4. During minimization, worker terminates unexpectedly.

During normal fuzzing, if a worker terminates unexpectedly, the coordinator can reconstruct the entry that caused the crash using the initial entry and the execution count and PRNG state in shared memory. That process is deterministic.

That won't work during minimization since the worker makes many small decisions along the way. For example, after removing a byte from a string, the worker might proceed with the shorter string or revert the change depending on whether the shorter string triggered the same coverage.

One possible solution is to log these minimization decisions in shared memory so the coordinator can reconstruct the minimized input after a crash.
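The two reconstruction paths described in this issue, as an added illustration that is not code from the Go project's internal/fuzz package. The `shared` struct stands in for the shared-memory region, `mutate` is a deliberately tiny stand-in for the real mutator, and the decision log is modelled as a slice of bools; all of these are assumptions of the sketch. The first path replays the PRNG from the recorded seed and execution count; the second replays a logged sequence of accept/revert decisions, including the case where the log ends early because the worker died mid-minimization, in which case the candidate under test at that point is returned.

```go
package main

import (
	"bytes"
	"fmt"
	"math/rand"
)

// shared stands in for the coordinator/worker shared memory (assumption):
// the PRNG seed and how many mutations the worker has executed so far.
type shared struct {
	seed  int64
	count int
}

// mutate applies one random byte-level mutation. Given the same PRNG state
// and the same input it always produces the same output, which is what makes
// replay by the coordinator possible.
func mutate(rng *rand.Rand, in []byte) []byte {
	out := append([]byte(nil), in...)
	switch rng.Intn(3) {
	case 0: // flip one bit
		if len(out) > 0 {
			out[rng.Intn(len(out))] ^= 1 << uint(rng.Intn(8))
		}
	case 1: // insert a random byte
		i := rng.Intn(len(out) + 1)
		out = append(out[:i], append([]byte{byte(rng.Intn(256))}, out[i:]...)...)
	case 2: // delete one byte
		if len(out) > 0 {
			i := rng.Intn(len(out))
			out = append(out[:i], out[i+1:]...)
		}
	}
	return out
}

// fuzzWorker mutates start n times, publishing the count before each execution
// so the coordinator can see how far it got if the process dies.
func fuzzWorker(seed int64, start []byte, n int, sh *shared) []byte {
	sh.seed = seed
	rng := rand.New(rand.NewSource(seed))
	cur := start
	for i := 0; i < n; i++ {
		cur = mutate(rng, cur)
		sh.count = i + 1 // written before the input is run
	}
	return cur
}

// reconstructFromPRNG is the normal-fuzzing recovery path: replay the same
// number of mutations from the same seed and initial entry.
func reconstructFromPRNG(start []byte, sh shared) []byte {
	rng := rand.New(rand.NewSource(sh.seed))
	cur := start
	for i := 0; i < sh.count; i++ {
		cur = mutate(rng, cur)
	}
	return cur
}

func removeAt(b []byte, i int) []byte {
	return append(append([]byte(nil), b[:i]...), b[i+1:]...)
}

// minimize tries to drop each byte in turn and keeps the shorter input only if
// keep (the "same coverage" oracle) still holds. Each accept/revert decision is
// appended to the returned log, the analogue of logging it in shared memory.
func minimize(in []byte, keep func([]byte) bool) ([]byte, []bool) {
	cur := append([]byte(nil), in...)
	var decisions []bool
	for i := 0; i < len(cur); {
		cand := removeAt(cur, i)
		if keep(cand) {
			cur = cand
			decisions = append(decisions, true)
		} else {
			i++
			decisions = append(decisions, false)
		}
	}
	return cur, decisions
}

// reconstructMinimized replays logged decisions without the oracle. If the log
// ends before minimization finished, the worker died while executing the next
// candidate, so that candidate is returned as the crashing input.
func reconstructMinimized(in []byte, decisions []bool) []byte {
	cur := append([]byte(nil), in...)
	i := 0
	for _, accepted := range decisions {
		if i >= len(cur) {
			break
		}
		if accepted {
			cur = removeAt(cur, i)
		} else {
			i++
		}
	}
	if i < len(cur) {
		return removeAt(cur, i) // candidate under test when the log stopped
	}
	return cur
}

func main() {
	var sh shared
	crash := fuzzWorker(7, []byte("hello"), 25, &sh)
	fmt.Println(bytes.Equal(crash, reconstructFromPRNG([]byte("hello"), sh)))
	keep := func(b []byte) bool { return bytes.Contains(b, []byte("ab")) } // constructed oracle
	min, log := minimize([]byte("xxabyy"), keep)
	fmt.Printf("%q %v %q\n", min, log, reconstructMinimized([]byte("xxabyy"), log[:3]))
}
```

The PRNG replay works only because every choice the worker makes comes from the PRNG; in `minimize` the branch taken depends on `keep`, which the coordinator cannot evaluate after the worker is gone, so without the decision log there is nothing to replay.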
