Skip to content

Add --use-libafl toggle#426

Merged
fitzgen merged 2 commits into
rust-fuzz:mainfrom
Carbocarde:libafl
Oct 20, 2025
Merged

Add --use-libafl toggle#426
fitzgen merged 2 commits into
rust-fuzz:mainfrom
Carbocarde:libafl

Conversation

@Carbocarde
Copy link
Copy Markdown
Contributor

@Carbocarde Carbocarde commented Oct 20, 2025

I recently came across this issue from 2023: #330

Is there any interest in making libafl the default fuzzer for cargo fuzz? From what I can tell it’s faster/better than libfuzzer and is still being actively developed.

cc @Manishearth @fitzgen @addisoncrump @domenukk @frewsxcv

Stacked on #425.

@Carbocarde
Fix cargo clippy warnings and errors
6090dca
@Carbocarde
Add init --use-libafl toggle
7b069e2 
This toggle uses the libfuzzer-sys-compatible libafl implementation
instead of libfuzzer.
@addisoncrump
Copy link
Copy Markdown

addisoncrump commented Oct 20, 2025

Heyo, maintainer of libafl_libfuzzer here. I would say that it's still something that should be opt-in rather than default. As much as I would like to outright replace libfuzzer, there are several situations in which e.g. linkage gets complicated fast. Additionally, we are super fragile to even minor changes in Rust ABI or symbol naming.

Our solution works, but because we are written in Rust and require different sanitizer flags, it is rather unstable as we need to do quite a bit that assumes things about compiler output. If we had better support from Rust in these features, I'd feel more comfortable with trying to make a "stable" replacement.

@fitzgen
Copy link
Copy Markdown
Member

fitzgen commented Oct 20, 2025

Adding an option seems fine by me.

I would be wary of changing the default, at least initially, and without knowing more about the project. It is very important that binaries built with cargo fuzz Just Work with OSS-Fuzz, for example. Not saying that they won't after this change, just that I haven't spent the time to verify that, nor has anyone else, AFAICT. And @addisoncrump's comment reinforces the idea that this should remain an optional, disabled-by-default feature for the foreseeable moment in my mind.

That said, without having actually looked at the changes yet, I'd expect the changes to be limited to Cargo.toml dependencies and/or libfuzzer-sys features enabled in the fuzz target crate, rather than changes in cargo fuzz. For example, you can use https://github.com/rust-fuzz/libfuzzer#linking-to-a-local-libfuzzer to link to a local libafl++ instead of libfuzzer. So it seems like the necessary infrastructure to do this without any cargo fuzz changes already exists?

fitzgen
fitzgen approved these changes Oct 20, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@fitzgen fitzgen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah this is just for the project initialization. Sure, seems fine by me.

@fitzgen fitzgen merged commit ed6f50a into rust-fuzz:main Oct 20, 2025
1 check passed
@addisoncrump
Copy link
Copy Markdown

addisoncrump commented Oct 20, 2025

It is very important that binaries built with cargo fuzz Just Work with OSS-Fuzz, for example.

Yeah that's one of our long-term goals, but we want to make linkage nice and friendly first... we don't/can't test a lot of targets, yet. It could be nice to dogfood (well, kinda) fuzzing for Rust at some point.

@fitzgen fitzgen mentioned this pull request Oct 20, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fitzgen fitzgen fitzgen approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Carbocarde @addisoncrump @fitzgen