luzer: reserve and handoff ctrs to lf

[azanegin]

Until now, luzer had not used at all coverage information for interpreted code. Hook-based instrumentation collected data, but it were never passed to libfuzzer to drew features from. Memory always were allocated in a fixed default kMax... size. This commit includes a fix to properly pass counters to libfuzzer, two systems to approximate optimal amount of 8-bit counters: one based on testing, pre-run phase, and one based on active bytecode size. Also, a minor fix to signal handling.

Fixes #12

[ligurio]

Alex, thanks for your patch!
I did an initial review, please take a look n my comments. In general, I like an idea, but we need to polish an implementation.

[ligurio]

I don't like the approach. Please rewrite to C.

[azanegin]

Would you be okay with C-binding-to-a-mangled-Cpp-symbol-of-libfuzzer or do you mean "write new, non-libfuzzer IO code in C without using fuzzer::ReadDirToVectorOfUnits()? I could do the former easily, but the latter would require significant work to be cross-platform.

[ligurio]

Would you be okay with C-binding-to-a-mangled-Cpp-symbol-of-libfuzzer or do you mean "write new, non-libfuzzer IO code in C without using fuzzer::ReadDirToVectorOfUnits()?

I would prefer a plain C variant, but C-binding-to-a-mangled-Cpp-symbol-of-libfuzzer would be okay too.

[ligurio]

I would split this commit to a number of commits:

• change datatype int -> size_t
• fix __sanitizer_cov_8bit_counters_init never invoked for interpreter #12
• patch that adds NO_SANITIZE
• ...

[ligurio]

dead code

[azanegin]

How so? They are not optional arguments, and this function call is the most important thing in this file. Do you mean inline-commented argument names? This is for readability. Should I remove them?

[ligurio]

How so? They are not optional arguments, and this function call is the most important thing in this file. Do you mean inline-commented argument names? This is for readability.

Sorry, overlooked a real code due to non-usual comment style.

Should I remove them?

I would rewrite it to:

	fuzzer::ReadDirToVectorOfUnits(
		dirpath,
		&seed_corpus,
		/*Epoch */
                nullptr,
		/*MaxSize */
                SIZE_MAX,
		/*ExitOnError */
                false,
		/*VPaths */
                nullptr
     };

to avoid confusion.
Or even add a prototype with self-explained names of arguments to a comment:

/*
  * void ReadDirToVectorOfUnits(const char *Path, std::vector<Unit> *V,
  *                             long *Epoch, size_t MaxSize, bool ExitOnError);
  */

[ligurio]

This requires a comment

[ligurio]

I believe debug information should be stripped (string.dump(v, 1)).

[ligurio]

I see a limitation of this approach: all Lua modules must be loaded before running the fuzzing process. Right?

[azanegin]

Right. In theory, we could update counters at runtime, but I would need to test if LF is okay with that. Tbh I guess second estimation strategy is better for the case when a lot of code is loaded dynamically.

The much bigger limitation r/n as I see it is local.

[ligurio]

Rename to something like lua_estimate_global_functions_bc_size.

[ligurio]

To be honestly, I don't like a current implementation. However, I don't know what would be better. Agree, that rewriting to Lua C will probably a waste of time and probably be less maintainable. Probably, we should put a Lua code to a separate file and embed it on build stage, see [^1] and [^2].

This Lua function could be loaded on initial stage like luaL_set_custom_mutator and exported in luzer module, see [^3].

1. ligurio/lunapark@719cf90
2. ligurio/lunapark@ba02938#diff-7fc5f49402ccaaa71949368218a21f5ee991358185ac6b01531b662259f9d585
3. https://github.com/ligurio/luzer/blob/f37950549bca59330117cbb44943b1984ab98b2c/luzer/luzer.c#L429C27-L429C50

[ligurio]

One commit - one changelog entry, please