Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Debugging tips #2048

Merged
merged 3 commits into from
Apr 15, 2024
Merged

Debugging tips #2048

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5962e21
push
tokatoka Apr 12, 2024
89fdc52
add
tokatoka Apr 15, 2024
934db1a
book
tokatoka Apr 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions DEBUGGING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# General debugging tips
This file answers some commmon questions that arise when you are writing a fuzzer using LibAFL.

## Q. My fuzzer crashed but the stack trace is useless.
You can enable `errors_backtrace` feature of `libafl` crate. With this the stacktrace is meaningful.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the errors_backtrace feature of the libafl_bolts crate


## Q. I started the fuzzer but the corpus count is 0.
Unless the initial corpus is loaded with the "load_initial_inputs_forced" function, we only store the interesting inputs, which is the inputs that triggered the feedback. So this usually means that your input was not interesting or your target was simply not propoerly implemented.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Unless the initial corpus is loaded with the "load_initial_inputs_forced" function, we only store the interesting inputs, which is the inputs that triggered the feedback. So this usually means that your input was not interesting or your target was simply not propoerly implemented.
Unless the initial corpus is loaded with the "load_initial_inputs_forced" function, we only store the interesting inputs, which is the inputs that triggered the feedback. So this usually means that your input was not interesting or your target was simply not properly implemented.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A solution/debugging tip for either scenario would go a long way:

  1. How to confirm that my input was not interesting?
  2. How to check if target is not properly implemented. This one can be tricky but common pit falls could be mentioned at least.


## Q. I started the fuzzer but the coverage is 0.
This could mean two things. Perhaps your target was not properly instrumented, or you are not using the correct observer, feedback feature.
In this case, what usually should do is to run the fuzzer with gdb and set a breakpoint at where the coverage is recorded (e.g. __sanitizer_coverage_trace_pcguard), and validate that the target is giving the feedback to the fuzzer.

## Q. I started the fuzzer but there's no output.
First, verify that your stdout and stderr are not redirected to `/dev/null`. If you get the log, then it should either fall into the previous 2 cases. Either the fuzzer crashed because you didn't have the initial seeds, or the coverage feedback is not working.

## Q. My fuzzer is slow.
Try running the fuzzer with `introspection` feature of `libafl`. This will show how much time is spent on each module of your fuzzer.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the ... feature of the ... crate

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A hyperlink here to the introspection feature would be nice that shows what it does


## Q. I still have problems with my fuzzer.
Finally, if you really have no idea what is going on, run your fuzzer with logger enabled. (You can use `env_logger`, `SimpleStdoutLogger`, `SimpleStderrLogger` from `libafl_bolts`) (Don't forget to enable stdout and stderr), and you can open an issue or ask us in Discord.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should provide an example or link to a fuzzer that uses it

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Finally, if you really have no idea what is going on, run your fuzzer with logger enabled. (You can use `env_logger`, `SimpleStdoutLogger`, `SimpleStderrLogger` from `libafl_bolts`) (Don't forget to enable stdout and stderr), and you can open an issue or ask us in Discord.
Finally, if you really have no idea what is going on, run your fuzzer with logging enabled. (You can use `env_logger`, `SimpleStdoutLogger`, `SimpleStderrLogger` from `libafl_bolts`) (Don't forget to enable stdout and stderr), and you can open an issue or ask us in Discord.

Loading