
Support fuzzing without sanitizers #158

Closed
Shnatsel opened this issue Jun 23, 2018 · 8 comments

Comments

@Shnatsel
Member

There are use cases for fuzzing binaries with cargo-fuzz without sanitizers:

  1. Fuzzing entirely safe code to test for panics
  2. Building initial corpus to feed it to more resource-intensive fuzzers later on

However, this is not currently possible with cargo-fuzz: passing no -s flag defaults to address sanitizer, passing "" has no effect, passing "none" says there's no such sanitizer.

For now I'm forced to use leak sanitizer, which seems to be the least resource-hungry of the bunch, but it still introduces a performance penalty. It would be nice to be able to disable sanitizers altogether.
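As an added example, written for this page and not code from the cargo-fuzz project or from any participant in this thread, here is the kind of target the first use case above has in mind: a parser in entirely safe Rust that has no memory-safety bug for AddressSanitizer to find, but that panics on malformed input. The record format, the function names and the `fuzz_one` entry point are all constructed for the example; `fuzz_target!` is the libfuzzer-sys macro a real cargo-fuzz harness wraps such a body in, and `-s none` is the option the thread ends up adding.

```rust
// Added example, not code from cargo-fuzz or from anyone in this thread.
// A length-prefixed record parser in entirely safe Rust: there is nothing
// here for AddressSanitizer to report, yet malformed input makes the naive
// version panic. A panic is exactly what a sanitizer-free
// `cargo fuzz run -s none` target reports as a crash.
use std::convert::TryInto;
use std::panic;

/// Wire format (constructed for this example): a 2-byte big-endian length,
/// `len` payload bytes, then one trailing checksum byte.
#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub payload: &'a [u8],
    pub checksum: u8,
}

/// Naive parser: trusts the length prefix. On `[0xff, 0xff]` it computes
/// `len = 65535` and indexes past the end of `data`, so it panics. On an
/// empty input `data[0..2]` itself is out of range. Safe code, no UB, but
/// still a denial-of-service bug a fuzzer should find.
pub fn parse_record_naive(data: &[u8]) -> Record<'_> {
    let len = u16::from_be_bytes(data[0..2].try_into().unwrap()) as usize;
    let payload = &data[2..2 + len];
    let checksum = data[2 + len];
    Record { payload, checksum }
}

/// Hardened parser: every access goes through `get`, so a short or
/// truncated input yields `None` instead of a panic.
pub fn parse_record(data: &[u8]) -> Option<Record<'_>> {
    let len = u16::from_be_bytes(data.get(0..2)?.try_into().ok()?) as usize;
    let payload = data.get(2..2 + len)?;
    let checksum = *data.get(2 + len)?;
    Some(Record { payload, checksum })
}

/// Body of the fuzz target. With the libfuzzer-sys crate this is what goes
/// inside `fuzz_target!(|data: &[u8]| { ... })`; the contract is that it
/// must not panic for any input. It also uses the naive parser as a
/// differential oracle: whenever the hardened parser accepts an input, the
/// naive one must produce the same record.
pub fn fuzz_one(data: &[u8]) {
    if let Some(rec) = parse_record(data) {
        assert_eq!(parse_record_naive(data), rec);
    }
}

/// Test helper only: runs the naive parser under `catch_unwind` so a panic
/// can be observed as a boolean. A real libFuzzer target never catches
/// panics; libfuzzer-sys aborts the process so the input is saved as a crash.
pub fn naive_panics_on(data: &[u8]) -> bool {
    panic::catch_unwind(|| {
        let _ = parse_record_naive(data);
    })
    .is_err()
}

fn main() {
    // Constructed sample inputs: one well-formed record and two malformed ones.
    let good = [0x00, 0x03, b'a', b'b', b'c', 0x42];
    let truncated = [0xff, 0xff];
    let empty: [u8; 0] = [];

    println!("good      -> {:?}", parse_record(&good));
    println!("truncated -> {:?}", parse_record(&truncated));
    println!("empty     -> {:?}", parse_record(&empty));
    println!(
        "naive parser panics on truncated input: {}",
        naive_panics_on(&truncated)
    );
    fuzz_one(&good);
}
```

In a cargo-fuzz harness the body of `fuzz_one` goes inside `fuzz_target!`, and a run with `-s none` reports the naive parser's panic as a crash with no sanitizer instrumentation at all; `catch_unwind` appears only in the test helper, because a real target must let the panic propagate so libFuzzer records the offending input.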

@Manishearth
Member

Manishearth commented Jun 23, 2018 via email

@Shnatsel
Member Author

According to libfuzzer documentation you only need -fsanitize=fuzzer but not e.g. -fsanitize=fuzzer,address

Or is this something specific to Rust?

@PaulGrandperrin
Member

For the record, I can say that it's not related to Rust because honggfuzz-rs works well with and without sanitizer.

@Manishearth
Member

No, I think that sanitize option did not exist or was not recommended in the libfuzzer docs when I wrote this crate. Feel free to make it the default.

@Shnatsel
Member Author

I think changing the default should result in a major version bump, since it would effectively break existing deployments e.g. on CI that expect Address Sanitizer to be the default.

@dragostis

dragostis commented May 14, 2019

-fsanitize=fuzzer is only available on clang, not rustc. libFuzzer requires sanitizers in order to work; when using -fsanitize=fuzzer with clang, I would imagine that it does sanitization as well as linking the fuzzer and creating the fuzz harness.

libFuzzer, however, doesn't seem to support our approach anymore:

-fsanitize-coverage=trace-pc-guard is no longer supported by libFuzzer.
Please either migrate to a compiler that supports -fsanitize=fuzzer
or use an older version of libFuzzer

In other words, this doesn't seem feasible unless we add support in rustc.

@kcc

kcc commented May 14, 2019

For C/C++, -fsanitize=fuzzer works fine w/o any sanitizers.
However there are some libFuzzer features that will kick in only when coupled with -fsanitize=address,
e.g. interceptors for memcmp.
I have not followed the Rust support for libFuzzer.

@Shnatsel
Member Author

This is supported in the latest release:

    -s, --sanitizer <sanitizer>    Use a specific sanitizer [default: address]  [possible values: address, leak, memory, thread, none]

Closing.


5 participants