add ssa_afl_fuzzer, export SSA parser and interpreter#8640

Draft
michaeljklein wants to merge 19 commits into master from michaeljklein/afl_ssa_fuzzer_branching

Conversation

Contributor

@michaeljklein michaeljklein commented May 22, 2025

Description

Problem*

It's hard to write a valid-input-AST generator while also generating counterintuitive SSA programs.

Summary*

#8407 is focused on modifying the existing ssa_fuzzer while this PR is focused on a new afl.rs fuzzer using the SSA interpreter.

  1. I was able to avoid writing a valid-input-AST generator by using the following to filter afl.rs-detected crashes:
     • std::process::exit(0) to filter invalid-input errors
     • The stacker crate to filter out stack overflow errors
  2. I found test cases for the defunctionalize SSA pass using this fuzzer: chore(test): add panicking tests for 'defunctionalize' #8510

Additional Context

  • I based this off of sn/ssa_fuzzer_branching, which was WIP when I started, to get the latest support for CFG-related instructions
  • Renamed from afl_ssa_fuzzer_branching
  • afl.rs docs
  • I think that std::process::exit(0)'s should only be enabled when a fuzzing-specific cfg feature is enabled

Documentation*

Check one:

  • No documentation needed.
  • Documentation included in this PR.
  • [For Experimental Features] Documentation to be submitted in a separate PR.

PR Checklist*

  • I have tested the changes locally.
  • I have formatted the changes with Prettier and/or cargo fmt on default settings.
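The filtering pattern the description relies on, as an added example that is not code from this PR or from the Noir repository: a std-only sketch of an afl.rs-style harness where invalid input is rejected with `std::process::exit(0)` (only under a fuzzing-specific cfg feature, as the author suggests), while errors from the pass under test are surfaced normally so that a real panic in it is still recorded as a crash. The toy instruction set, its text format and the `fuzzing` feature name are constructed for the example; `afl::fuzz!` and `stacker::maybe_grow` are named only in comments so the file compiles without external crates.

```rust
// Added example (not from the PR): a std-only sketch of the afl.rs harness
// pattern. afl::fuzz! and stacker::maybe_grow are referenced in comments only.
use std::process;

/// Toy three-address instruction set; line i of the input defines value v<i>.
#[derive(Debug, Clone, PartialEq)]
pub enum Instr {
    Const(i64),
    Add(usize, usize),
    Div(usize, usize),
}

/// Parse the constructed text format: "const N", "add A B", "div A B".
/// Operands must refer to values defined on earlier lines, so the interpreter
/// never indexes out of range on parser-accepted input. Every rejection here
/// is an "invalid input" error, not a bug in the pass under test.
pub fn parse(input: &[u8]) -> Result<Vec<Instr>, String> {
    let text = std::str::from_utf8(input).map_err(|e| e.to_string())?;
    let mut prog = Vec::new();
    for (lineno, line) in text.lines().enumerate() {
        let toks: Vec<&str> = line.split_whitespace().collect();
        let operand = |s: &str| -> Result<usize, String> {
            let idx: usize = s
                .parse()
                .map_err(|_| format!("line {lineno}: bad operand {s:?}"))?;
            if idx >= lineno {
                return Err(format!("line {lineno}: v{idx} used before definition"));
            }
            Ok(idx)
        };
        let instr = match toks.as_slice() {
            ["const", n] => Instr::Const(
                n.parse().map_err(|_| format!("line {lineno}: bad constant {n:?}"))?,
            ),
            ["add", a, b] => Instr::Add(operand(a)?, operand(b)?),
            ["div", a, b] => Instr::Div(operand(a)?, operand(b)?),
            _ => return Err(format!("line {lineno}: unrecognised instruction {line:?}")),
        };
        prog.push(instr);
    }
    if prog.is_empty() {
        return Err("empty program".to_string());
    }
    Ok(prog)
}

/// Stand-in for the pass under test: evaluate the program. Arithmetic faults
/// are reported as errors rather than panics, so any panic raised in here is a
/// genuine finding that the harness must let through to the fuzzer.
pub fn interpret(prog: &[Instr]) -> Result<i64, String> {
    let mut vals: Vec<i64> = Vec::with_capacity(prog.len());
    for (i, instr) in prog.iter().enumerate() {
        let v = match *instr {
            Instr::Const(n) => n,
            Instr::Add(a, b) => vals[a]
                .checked_add(vals[b])
                .ok_or(format!("v{i}: add overflow"))?,
            Instr::Div(a, b) => vals[a]
                .checked_div(vals[b])
                .ok_or(format!("v{i}: division by zero or overflow"))?,
        };
        vals.push(v);
    }
    Ok(*vals.last().expect("parser rejects empty programs"))
}

/// Build-time switch standing in for the fuzzing-only cfg feature proposed in
/// the PR description (assumed name "fuzzing"); false in an ordinary build.
pub const FUZZING_BUILD: bool = cfg!(feature = "fuzzing");

/// Invalid input is not a finding. Under the fuzzing cfg, exit(0) so afl.rs
/// records a clean run instead of a crash; otherwise return the error as-is.
pub fn filter_invalid_input<T>(r: Result<T, String>) -> Result<T, String> {
    match r {
        Err(e) if FUZZING_BUILD => {
            eprintln!("rejecting invalid input: {e}");
            process::exit(0)
        }
        other => other,
    }
}

/// One fuzz iteration. With afl.rs this would be the body of
/// `afl::fuzz!(|data: &[u8]| { let _ = fuzz_one(data); })`; a deeply
/// recursive parser would additionally run inside `stacker::maybe_grow`.
pub fn fuzz_one(data: &[u8]) -> Result<i64, String> {
    let prog = filter_invalid_input(parse(data))?;
    interpret(&prog)
}

fn main() {
    // Constructed sample: v0=6, v1=3, v2=v0/v1=2, v3=v2+v1=5.
    let sample = b"const 6\nconst 3\ndiv 0 1\nadd 2 1";
    println!("{:?}", fuzz_one(sample)); // Ok(5)
}
```

Because `FUZZING_BUILD` is false outside a fuzzing build, the same harness code doubles as an ordinary test driver: invalid programs come back as `Err` instead of terminating the process, which is the behaviour the author wants to keep for non-fuzzing builds.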

defkit and others added 19 commits April 23, 2025 14:29
…llect_outputs' script, 'collect_unique_crashes' script, 'keep_inputs_upto_1kb', script for unique locations
… input files for fuzzing next pass, replace all blocking-panic locations during input validation (before the target pass) with successful exits, fix hang and clear previous outputs in collect_unique_crashes.rb, fuzzing 'inline_functions_with_at_most_one_instruction', use uninitialized parameters for all fuzzing-input parameters, add fuzzing readme, add some fuzzing results
…to 2kb, make_combined_inputs.rb, add final results from fuzz's
…missing fn, add results, update readme, fix borrow error from cloning parameters