trailofbits/deepstate

AFL, honggfuzz doesn't create outputdir/sync_dir and outputdir/the_fuzzer

akhikolla opened this issue · 1 comments

Hello,

I am testing a few functions using AFL. I don't see any crashes or any failures for those functions when run under deepstate-afl although it is evident that the code should crash/fail. The same code produces crashes and failures when run under deepstate's default fuzzer.

The functions I am testing have the following issues in them - use after free, use after deallocate, uninitialized values, read and write out of bound.

The output directory structure that I got when I run the binary using AFL is not the same as the one that is mentioned in the deepstate documentation:
PUSH_DIR - out/sync_dir/queue
PULL_DIR - out/the_fuzzer/queue
CRASH_DIR - out/the_fuzzer/crashes

The afl output folder that I got contains the following :

akhila@ml-experiments:~/R/x86_64-pc-linux-gnu-library/3.6/RcppDeepState/testpkgs/testSAN/inst/testfiles/rcpp_write_index_outofbound/afl_rcpp_write_index_outofbound_output$ ls
crashes fuzz_bitmap fuzzer_stats hangs plot_data queue

Also, I cannot see the inputs (.crash/.pass/.fail files) that are passed on to the target binary like we see when we run the executable with the default fuzzer in deepstate. Is there a way to get those inputs that are passed on to the executable by the fuzzer?


Code when run under honggfuzz also doesn't really show any issues. It keeps showing that the dynamic input queue shouldn't be empty even when inputs are specified.

Is there something wrong with the way I fuzz test the functions, or any issue with the input specifications?

Can someone please help me with this?

Thanks
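The two directory layouts contrasted in this issue (the native AFL output directory with queue/, crashes/ and fuzzer_stats, versus the sync_dir/the_fuzzer layout the DeepState docs describe) can be told apart with a few directory checks, and the saved inputs can then be replayed one at a time through the DeepState-built binary so the crash/pass/fail outcome of each becomes visible. The script below is an added example, not code from the DeepState project or from the issue author. It assumes the target binary accepts DeepState's `--input_test_file=<path>` option; the stub binary, the sample output directories and the `id:000000` file names are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not DeepState project code): classify an AFL output
# directory as "native" AFL layout, the "deepstate" sync_dir/the_fuzzer
# layout from the DeepState docs, or "unknown", then replay every saved
# input through a DeepState-built binary with --input_test_file.

# Print "deepstate", "native", or "unknown" for the layout found at $1.
afl_layout() {
    dir="$1"
    if [ -d "$dir/sync_dir/queue" ] && [ -d "$dir/the_fuzzer/queue" ]; then
        echo deepstate
    elif [ -d "$dir/queue" ] && [ -f "$dir/fuzzer_stats" ]; then
        echo native
    else
        echo unknown
    fi
}

# Print the queue directory for either layout (empty string if unknown).
afl_queue_dir() {
    case "$(afl_layout "$1")" in
        deepstate) echo "$1/the_fuzzer/queue" ;;
        native)    echo "$1/queue" ;;
        *)         echo "" ;;
    esac
}

# Print the crashes directory for either layout (empty string if unknown).
afl_crash_dir() {
    case "$(afl_layout "$1")" in
        deepstate) echo "$1/the_fuzzer/crashes" ;;
        native)    echo "$1/crashes" ;;
        *)         echo "" ;;
    esac
}

# Replay every input saved under the AFL output directory $2 through the
# DeepState binary $1 (assumed to accept --input_test_file=<path>).
# Prints "<non-zero exits>/<inputs replayed>" so the result can be checked.
replay_afl_inputs() {
    bin="$1"; out="$2"; failed=0; total=0
    for d in "$(afl_queue_dir "$out")" "$(afl_crash_dir "$out")"; do
        [ -n "$d" ] && [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue          # skips the .state directory
            case "$(basename "$f")" in
                README.txt) continue ;;      # AFL drops a README in crashes/
            esac
            total=$((total + 1))
            if "$bin" --input_test_file="$f" >/dev/null 2>&1; then
                :
            else
                failed=$((failed + 1))
            fi
        done
    done
    echo "$failed/$total"
}

# Usage: replay_afl_inputs ./my_deepstate_harness afl_output_dir
```

Each queue or crash entry is a raw input file; feeding it back through the harness with `--input_test_file` reproduces the run outside the fuzzer, which is what makes the sanitizer reports visible for the cases the issue describes.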

I think there are some general fuzzer output structure consistency issues, though there seems to be some other issue with the fuzzer here. But I plan to clean up the fuzzer file system usage at some point to be consistent, including a clear place for the "native" structure plus what DeepState copies for consistent UI.