Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
AFL stability fixes for objects (MPR#7725) and lazy values. #1754
For AFL fuzzing to be useful, code that does the same thing twice should produce exactly the same instrumentation output both times, but this currently fails for objects (see MPR#7725) and lazy values.
For objects, the class initialisation logic in
For lazy values, the GC can silently replace
gasche left a comment
I believe that the change is correct and an improvement for afl-fuzz user. Just like #1345, it also results in a performance degradation when using afl instrumentation -- an acceptable price for more robust bug-finding capabilities.
For the record (for other people than Stephen), I looked a bit at whether a more general solution to these stability problems would be possible, in stedolan/ocaml-afl-persistent#2; this was a prototype and my take-away was that a substantial rework of the afl-instrumentation layer would be required to do substantially better than the present work-arounds. (So: interesting, but requires more time than we have right now.)
I agree that the approach in stedolan/ocaml-afl-persistent#2 is promising-but-work.
Using this approach as an alternative to #1345 is challenging. Since class initialisation imports an arbitrary amount of stuff from the current environment, it can't easily be pulled out to a library function (at least, not without allocating a new closure, which would defeat the point of the optimisation). For instance, compiling