> It should be possible to turn the qtest process into a test postprocessor,

OSS-Fuzz doesn't support AFL's preprocessors, but adding support shouldn't be hard.

> It's much harder to remove the QEMU process as well and turn it into a TestOneInput function.

Got it. I am not familiar with postprocessors but I guess this should work as long as the QEMU process can interpret the buffer output by the postprocessor.

There may be some other complications with having an AFL-only fuzzer on OSS-Fuzz. The main one is no pruning. On OSS-Fuzz pruning is only done by libFuzzer, since AFL and libFuzzer share a corpus. I'm not sure how we would handle this.

On Fri, Jan 11, 2019 at 12:27 PM Paolo Bonzini <pbonz...@redhat.com> wrote:
> On 11/01/19 20:09, Jonathan Metzman wrote:
> > Could you clarify what you think the relationship between the qtest
> > process, QEMU, and afl-fuzz will look like when fuzzing?
> >
> > Is it something like this:
> > 1. afl-fuzz mutates a buffer, starts a qtest process, and gives the
> > qtest process the mutated buffer.
> > 2. The qtest process starts a QEMU process and interacts with QEMU
> > process based on the buffer AFL gave it (qtest).
> > 3. goto 1
> >
> > I don't think this works (under normal circumstances). AFL will think it
> > is fuzzing qtest and will not learn about coverage or crashes from qsym.
> > There probably are ways to get this working, but I just want to make
> > sure I understand.
>
> It should be possible to turn the qtest process into a test
> postprocessor, and remove the second process. It's much harder to
> remove the QEMU process as well and turn it into a TestOneInput function.
>
> Paolo