Add AFLTriage convenience wrapper flag #90

Open
appetrosyan opened this issue Jan 14, 2022 · 6 comments
Comments

@appetrosyan
Contributor

After fuzzing, the results require a considerable amount of manual labour, e.g. to narrow down the crashes. Users of cargo test-fuzz would benefit greatly from adding at least the --triage flag, which would replay the important crashes.

@smoelius
Collaborator

Hi, @appetrosyan. Thanks for your suggestion but I am a little confused. Are you suggesting we incorporate something from here? https://gitlab.com/rc0r/afl-utils Is --triage an option for one of those tools?

@appetrosyan
Contributor Author

Yep.

I'll explain my reasoning. The scripts do the heavy lifting in terms of what needs to be done. The QOL improvement comes from cargo test-fuzz knowing the names of the targets, and being able to produce the same results as you would with afl-utils (that you linked to), without having to depend on target hashes.

Would you accept a PR that patched this functionality into test-fuzz?

@smoelius
Collaborator

Sorry, but I still don't understand what the "heavy lifting" is. So --triage is an option of one of the afl-utils tools? Could you point me specifically to its documentation or to where it is handled in the code?

Alternatively (or additionally), could you provide some sample output produced from the option's use?

Also, is the idea that this additional functionality would work only if afl-utils is installed / in the user's path?

@appetrosyan
Contributor Author

Sorry, but I still don't understand what the "heavy lifting" is.

Replaying the crashes in a convenient manner. AFLTriage is a standalone Rust program that replays crash information using a debugger installed on the system. Basically it runs the program with the input that caused a crash and invokes gdb so that you can step through the crashing case.

The convenience aspect is not having to dig through target/afl to step through the crashes, but rather get the target names directly from cargo test-fuzz.

Alternatively (or additionally), could you provide some sample output produced from the option's use?

Would gladly, but it's exactly the same as running a CLI debugger.

Also, is the idea that this additional functionality would work only if afl-utils is installed / in the user's path?

AFAICT, it's not yet cargo installable but should be soon. I'm keen on using both, so I think that any missing features I could add to afltriage.
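The workflow described in the comment above (take each crash input AFL saved, run the target on it under gdb, look at where it crashed) as an added shell example. This is not code from test-fuzz, cargo-afl or AFLTriage; it assumes a hypothetical layout where crash inputs sit in a directory such as target/afl/<triple>/<target>/default/crashes and the harness reads its input from a file path given as its first argument. It also buckets crashes by the innermost frame of the gdb backtrace so that many inputs hitting the same site are reported once, which is the "narrowing" the issue asks for.

```shell
#!/bin/sh
# Added example (not test-fuzz, cargo-afl or AFLTriage code): replay AFL crash
# inputs under gdb in batch mode and bucket them by the crashing frame.
# Assumptions (hypothetical): crashes live in a directory such as
# target/afl/<triple>/<target>/default/crashes, and the target binary takes
# the crash input as a file path in $1.
set -u

# List crash inputs in a directory, skipping AFL's README.txt and subdirectories.
collect_crashes() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in README.txt) continue ;; esac
        printf '%s\n' "$f"
    done
}

# Run the target on one crash input under gdb with no interaction and emit the
# backtrace; requires gdb to be installed (the same dependency AFLTriage has).
replay_crash() {
    bin=$1; input=$2
    gdb -q -batch -ex run -ex bt --args "$bin" "$input" 2>&1
}

# Reduce a gdb backtrace on stdin to a bucket key "function:file:line" taken
# from the innermost "#0" frame, so crashes at the same site collapse together.
bucket_key() {
    awk '/^#0 /{
        line = $0
        sub(/^#0 +/, "", line)                  # drop the frame number
        sub(/^0x[0-9a-fA-F]+ in /, "", line)    # drop the address, if any
        fn = line; sub(/ .*/, "", fn)           # function name up to first space
        loc = ""
        if (match(line, / at [^ ]+$/)) loc = substr(line, RSTART + 4, RLENGTH - 4)
        print fn ":" loc
        exit
    }'
}

# Replay every crash and print one representative input per bucket.
triage() {
    bin=$1; dir=$2
    collect_crashes "$dir" | while IFS= read -r crash; do
        key=$(replay_crash "$bin" "$crash" | bucket_key)
        printf '%s\t%s\n' "${key:-unknown}" "$crash"
    done | sort -u -k1,1
}

# Usage: sh triage.sh <target-binary> <crashes-dir>
if [ "${1:-}" ] && [ "${2:-}" ]; then
    triage "$1" "$2"
fi
```

To then step through one representative interactively, run gdb --args <target-binary> <crash-file> by hand on the path printed for the bucket of interest; the bucket key only uses the #0 frame, so crashes that share a top frame but differ deeper in the stack will be merged, which is usually the right trade-off for a first pass.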

@appetrosyan appetrosyan changed the title Add convenience wrappers around afl-utils Add AFLTriage convenience wrapper flag Jan 27, 2022
@smoelius
Collaborator

Thanks for the explanation. This makes much more sense now.

Please give me a few days to look into AFLTriage and I will get back to you.

@smoelius
Collaborator

I think I got AFLTriage to work, but it didn't seem to drop me into a debugger.

Was it supposed to drop me into a debugger?

I think I am still confused as to what the --triage option will do.

For example, the original proposal was to wrap an afl-utils tool, but now it is to wrap AFLTriage. These codebases are unrelated, correct?

Perhaps you could help me understand what problem we are trying to solve.
