On 11/01/19 20:09, Jonathan Metzman wrote:
> Could you clarify what you think the relationship between the qtest
> process, QEMU, and afl-fuzz will look like when fuzzing?
>
> Is it something like this:
> 1. afl-fuzz mutates a buffer, starts a qtest process, and gives the
> qtest process the mutated buffer.
> 2. The qtest process starts a QEMU process and interacts with QEMU
> process based on the buffer AFL gave it (qtest).
> 3. goto 1
>
> I don't think this works (under normal circumstances). AFL will think it
> is fuzzing qtest and will not learn about coverage or crashes from qsym.
> There probably are ways to get this working, but I just want to make
> sure I understand.
It should be possible to turn the qtest process into a test postprocessor, and remove the second process. It's much harder to remove the QEMU process as well and turn it into a TestOneInput function.

Paolo