Can't get libfuzzer_libpng_launcher to work

[smoelius]

Everything seems to build successfully, but when I run ./fuzzer_libpng --cores 0-3, this is what I see:

Workdir: "/home/smoelius/gh/AFLpluplus/libafl/fuzzers/libfuzzer_libpng_launcher"
spawning on cores: Cores { cmdline: "0-3", ids: [CoreId { id: 0 }, CoreId { id: 1 }, CoreId { id: 2 }, CoreId { id: 3 }] }
child spawned and bound to core 0
child spawned and bound to core 1
530794 PostFork
child spawned and bound to core 2
530795 PostFork
child spawned and bound to core 3
I am broker!!.
530796 PostFork
530797 PostFork
New connection: 127.0.0.1:59670/127.0.0.1:59670
[LOG Debug]: Loaded 0 initial testcases.
New connection: 127.0.0.1:59676/127.0.0.1:59676
[LOG Debug]: Loaded 0 initial testcases.
New connection: 127.0.0.1:59690/127.0.0.1:59690
[LOG Debug]: Loaded 0 initial testcases.
New connection: 127.0.0.1:59702/127.0.0.1:59702
[LOG Debug]: Loaded 0 initial testcases.
[Broker      #0]  (GLOBAL) run time: 0h-0m-30s, clients: 0, corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000
                  (CLIENT) corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000


[Broker      #0]  (GLOBAL) run time: 0h-1m-0s, clients: 1, corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000
                  (CLIENT) corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000


[Broker      #0]  (GLOBAL) run time: 0h-1m-30s, clients: 1, corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000
                  (CLIENT) corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000
...

In particular, executions never gets above 0. Also, cores 0-3 don't spike, as I would expect them to.

Any idea what I might be doing wrong?

I am using commit b7a0b82, LLVM 15.0.6, rustc 1.67.0 (fc594f156 2023-01-24), and Ubuntu 22.10.

(I opened a similar issue on cargo-libafl a few days ago. So I hope this issue does not seem impatient.)

[domenukk]

I would assume the clients crash immediately, probably they can't read from the corpus dir.

Try rerunning your fuzzer with LIBAFL_DEBUG_OUTPUT=1 to see stdout of each client, or try strace -ff :)

[smoelius]

LIBAFL_DEBUG_OUTPUT=1 adds a bunch of output like this:

thread '<unnamed>' panicked at 'Failed to run launcher: Empty("No entries in corpus", ErrorBacktrace)', src/lib.rs:250:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
fatal runtime error: failed to initiate panic, error 5
thread '<unnamed>' panicked at 'Fuzzer-respawner: Storing state in crashed fuzzer instance did not work, no point to spawn the next client! This can happen if the child calls `exit()`, in that case make sure it uses `abort()`, if it got killed unrecoverable (OOM), or if there is a bug in the fuzzer itself. (Child exited with: 6)', /home/smoelius/gh/AFLpluplus/libafl/libafl/src/events/llmp.rs:1003:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
fatal runtime error: failed to initiate panic, error 5

[smoelius]

./fuzzer_libpng --cores 0-3 --input corpus seems to do the trick. Thanks for your help.