Skip to content

wip: Split fuzz binary (take 2) #30882

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

wip: Split fuzz binary (take 2) #30882

wants to merge 3 commits into from

Conversation

dergoegge
Copy link
Member

@dergoegge dergoegge commented Sep 12, 2024
edited
Loading

Closes #28971

In addition to the benefits listed in #28971, this should also enable us to use https://github.com/ossf/fuzz-introspector provided by oss-fuzz. Our current runtime harness selection blocks introspector's static analysis from working properly (e.g. it can't statically determine which functions are reachable by a given harness).

This PR uses the approach suggested here: #29010 (comment). The list of available harnesses is determined (prior to compiling) by grepping for harness names in FUZZ_TARGET invocations. When compiling with -DBUILD_INDIVIDUAL_FUZZ_BINARIES=ON, individual binaries for each harness are produced that no longer include the runtime lookup via the FUZZ environment variable.

cmake -B build_fuzz \
  -DBUILD_FOR_FUZZING=ON \
  -DBUILD_INDIVIDUAL_FUZZ_BINARIES=ON \
  -DSANITIZERS=fuzzer
cmake --build build_fuzz

build_fuzz/src/test/fuzz will contain the individual binaries, which are prefixed with fuzz_*.

I'm opening this now to get some early feedback, there are still a few things to address:

  • mention -DBUILD_INDIVIDUAL_FUZZ_BINARIES in the docs
  • include wallet harnesses
  • CI job that builds individual binaries (perhaps verify that the list of produced harnesses matches the monolithic binary)

@DrahtBot
Copy link
Contributor

DrahtBot commented Sep 12, 2024
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/30882.

Reviews

See the guideline for information on the review process.
A summary of reviews will appear here.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #31333 (fuzz: Implement G_TEST_GET_FULL_NAME by hodlinator)
  • #28676 ([WIP] Cluster mempool implementation by sdaftuar)
  • #28584 (Fuzz: extend CConnman tests by vasild)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

dergoegge
dergoegge commented Sep 12, 2024
View reviewed changes
src/test/fuzz/util/CMakeLists.txt
target_compile_definitions(test_fuzz PRIVATE PROVIDE_FUZZ_MAIN_FUNCTION)
if(BUILD_INDIVIDUAL_FUZZ_BINARIES)
# bash command produces list of harnesses: <harness name> <source file>
execute_process(
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently an individual test_fuzz_* lib and fuzz_* binary is produced for each harness. It's kind of ugly to duplicate this loop but I'm not sure to avoid it. Another loop would likely need to be added for the wallet harnesses as well.

@hebasto @fanquake @maflcko Any ideas?

@dergoegge
Copy link
Member Author

Trying to produce an introspector report using this branch: https://github.com/dergoegge/oss-fuzz/tree/2024-09-bitcoin-introspector

@DrahtBot
Copy link
Contributor

🚧 At least one of the CI tasks failed.
Debug: https://github.com/bitcoin/bitcoin/runs/30061858064

Hints

Make sure to run all tests locally, according to the documentation.

The failure may happen due to a number of reasons, for example:

  • Possibly due to a silent merge conflict (the changes in this pull request being
    incompatible with the current code in the target branch). If so, make sure to rebase on the latest
    commit of the target branch.

  • A sanitizer issue, which can only be found by compiling with the sanitizer and running the
    affected test.

  • An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

@DrahtBot DrahtBot mentioned this pull request Sep 13, 2024
Open
8 tasks
This was referenced Sep 13, 2024
Open
Merged
@maflcko maflcko mentioned this pull request Oct 7, 2024
Closed
This was referenced Oct 8, 2024
Closed
Open
This was referenced Nov 9, 2024
Open
Open
@DrahtBot DrahtBot mentioned this pull request Nov 20, 2024
Merged
@DrahtBot
Copy link
Contributor

🐙 This pull request conflicts with the target branch and needs rebase.

@DrahtBot
Copy link
Contributor

⌛ There hasn't been much activity lately and the patch still needs rebase. What is the status here?

  • Is it still relevant? ➡️ Please solve the conflicts to make it ready for review and to ensure the CI passes.
  • Is it no longer relevant? ➡️ Please close.
  • Did the author lose interest or time to work on this? ➡️ Please close it and mark it 'Up for grabs' with the label, so that it can be picked up in the future.

@maflcko
Copy link
Member

maflcko commented Feb 18, 2025

It is now using FI-light, see https://introspector.oss-fuzz.com/project-profile?project=bitcoin-core and google/oss-fuzz#12983. Though, I am not sure about the takeaways.

@dergoegge
Copy link
Member Author

The full report (https://storage.googleapis.com/oss-fuzz-introspector/bitcoin-core/inspector-report/20250216/fuzz_report.html) still seems blocked on our dynamic harness look up. Maybe I'm looking at the wrong thing.

@maflcko
Copy link
Member

maflcko commented Feb 18, 2025

No it is the right thing. I just wanted to leave a comment to say that FI will now fallback to the light version by default, so the build is already passing, but the result didn't look like it could be used.

It could still make sense to try a FI run on this branch to see if it will help.

@maflcko
Copy link
Member

maflcko commented Feb 18, 2025

The changes here could even be useful for afl++ on their own, but I haven't tried that either, as I am using libfuzzer.

@dergoegge
Copy link
Member Author

It could still make sense to try a FI run on this branch to see if it will help.

I've tried in the past but I kept running out of memory on a 128GB machine (see ossf/fuzz-introspector#1742). I don't know how much more memory is needed currently. The maintainer indicated that they'd look at it but doesn't look like they had time for this so far.

The changes here could even be useful for afl++ on their own, but I haven't tried that either, as I am using libfuzzer.

Yes, I listed some of the benefits in #28971. I do think getting FI to work would be the bigger benefit however.

@DrahtBot
Copy link
Contributor

⌛ There hasn't been much activity lately and the patch still needs rebase. What is the status here?

  • Is it still relevant? ➡️ Please solve the conflicts to make it ready for review and to ensure the CI passes.
  • Is it no longer relevant? ➡️ Please close.
  • Did the author lose interest or time to work on this? ➡️ Please close it and mark it 'Up for grabs' with the label, so that it can be picked up in the future.

@maflcko
Copy link
Member

maflcko commented Jun 2, 2025

cc @dergoegge . the issue #28971 is still open, so I guess this pull can be closed or rebased?

@dergoegge dergoegge closed this Jun 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
CI failed Needs rebase Upstream
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

fuzz, brainstorm: Individual binaries per harness
3 participants
@dergoegge @DrahtBot @maflcko