fuzzing: Update to afl++, adding persisten-fuzzing example #19562
Conversation
github-actions
bot
added
Area: build system
benpicco
added
the
CI: ready for build
| @@ -1,5 +1,6 @@ | |||
| include ../Makefile.fuzzing_common | |||
|
|
|||
| USEMODULE += nanocoap_resources | |||
There was a problem hiding this comment.
Thanks for waiting.
Otherwise coap_resources and coap_resources_numof are not defined. See /sys/net/application_layer/nanocoap/nanocoap.c:448. The file gets pulled in as soon as you use the gcoap module.
With normal llvm/gcc this isn't an issue, only AFL++ is affected.
As far as I understand it, this is usually not a problem as the code paths containing the undefined values aren't used and get removed during build. AFL++ seems to do this differently and immediately complains about the undefined references even though they aren't used.
There was a problem hiding this comment.
Mhm sounds a bit vague, to make my explanation clear:
You can comment out coap_well_known_core_default_handler and coap_handle_req in nanocoap.c and still compile & run examples/gcoap/ using gcc/llvm. In this modified state, the gcoap fuzzing examples also builds fine via AFL++ without the nanocoap_resources module.
There was a problem hiding this comment.
that's a bit concerning because the if (IS_USED(MODULE_…)) { pattern is used quite a lot in RIOT.
What is the error you are getting?
There was a problem hiding this comment.
/usr/bin/ld: RIOT/fuzzing/gcoap/bin/native/nanocoap/nanocoap.o: in function `coap_handle_req':
RIOT/sys/net/application_layer/nanocoap/nanocoap.c:449: undefined reference to `coap_resources_numof'
/usr/bin/ld: RIOT/sys/net/application_layer/nanocoap/nanocoap.c:448: undefined reference to `coap_resources'
/usr/bin/ld: RIOT/fuzzing/gcoap/bin/native/nanocoap/nanocoap.o: in function `coap_well_known_core_default_handler':
RIOT/sys/net/application_layer/nanocoap/nanocoap.c:(.text.coap_well_known_core_default_handler[coap_well_known_core_default_handler]+0x387): undefined reference to `coap_resources_numof'
/usr/bin/ld: RIOT/sys/net/application_layer/nanocoap/nanocoap.c:1262: undefined reference to `coap_resources'
There was a problem hiding this comment.
Ah I see what's happening, looks like --gc-sections does not happen with AFL++.
In the 'old style' applications were expected to define coap_resources/coap_resources_numof, now with nanocoap_resources this is an XFA and the definitions are inside nanoCoAP. But to not break applications we keep support for the legacy definitions unless the application requests nanocoap_resources.
The GCoAP fuzzing example doesn't make use of nanoCoAP resources at all (as GCoAP has it's own way to define resources as a linked list of resource arrays) but the functions that would interact with nanocoap_resources are still compiled as they are part of common code, they are just not used by GCoAP so they are normally discarded on linking.
benpicco
added
CI: ready for build
|
CI is not happy - does this need an update of the CI riotdocker? |
Not sure, it is by design that the macros e.g. |
The |
|
Remind myself to check in on this again |
Contribution description
Hello! 🦐
This upgrades the fuzzing infrastructure from AFL to AFL++.
The PR also adds an example usage of AFL++ persistent fuzzing, which increases the execution speed by about 4500%; from ~1800 exec/s to 81.000 exec/s, at least on my machine :). I picked, once again, the uri_parser as the example use-case.
To enable persistent fuzzing, one has to use
afl-clang-fastinstead of the oldafl-gcc, I adjusted the Makefile accordingly - which might break backwards compatibility with certain afl-gcc-only setups. All fuzzing examples present in RIOT work fine with this change, with the exception ofgcoap, where a small change of the used modules was necessary.Testing procedure
Testing is done as usual with fuzzing:
cd RIOT/fuzzing/<target>/make all-asanmake fuzz