RFC: Use incremental snapshots?

[maflcko]

My understanding is that currently a single snapshot is created on the first fuzz input?

If so, I wonder if improvements are possible to allow the fuzz engine to take several snapshots and pick any one to work on it.

Just leaving a note here, because I recall https://arxiv.org/pdf/2111.03013v1 ("Nyx-Net: Network Fuzzing with Incremental Snapshots")

[dergoegge]

Yes, currently a single snapshot is being used.

I think incremental snapshots would be something interesting to look into. My intuition would be that incremental snapshots could be useful to explore more of the state space of full nodes, because we'd be taking snapshots at "random" states reached through fuzzing and then fuzz even more on top of those. If we can come up with some smart guidance for taking the snapshots we might even be able to guide the fuzzer to bugs that require a lot of data to be send to a node (e.g. https://bitcoincore.org/en/2024/07/31/disclose-addrman-int-overflow/).

Quoting one of the nyx-net authors: "incremental snapshots are probably less important than they seem at first - We were generally somewhat underwhelmed by them, except for cases where you need very long sequences of packages". I've looked at the input distribution produced by fuzzamoto-libafl and it does look like there are clusters of inputs around longer message sequences as well as a long tail for very long sequences, which could be a hint that incremental snapshots are worth exploring. (There's likely also some amount of noise in this data due to e.g. instability.)

Number of messages send per testcase

  0-0   sends      [  46]: █████
  1-1   sends      [ 504]: ████████████████████████████████████████████████████████████
  2-2   sends      [ 267]: ███████████████████████████████
  3-3   sends      [ 210]: █████████████████████████
  4-4   sends      [ 244]: █████████████████████████████
  5-5   sends      [ 198]: ███████████████████████
  6-6   sends      [ 243]: ████████████████████████████
  7-7   sends      [ 152]: ██████████████████
  8-8   sends      [ 221]: ██████████████████████████
  9-9   sends      [ 135]: ████████████████
 10-10  sends      [ 176]: ████████████████████
 11-11  sends      [ 117]: █████████████
 12-12  sends      [ 144]: █████████████████
 13-13  sends      [ 100]: ███████████
 14-14  sends      [ 135]: ████████████████
 15-15  sends      [  77]: █████████
 16-16  sends      [  92]: ██████████
 17-17  sends      [  75]: ████████
 18-18  sends      [  81]: █████████
 19-19  sends      [  73]: ████████
 20-20  sends      [  66]: ███████
 21-21  sends      [  63]: ███████
 22-22  sends      [  68]: ████████
 23-23  sends      [  44]: █████
 24-24  sends      [  50]: █████
 25-25  sends      [  45]: █████
 26-26  sends      [  39]: ████
 27-27  sends      [  32]: ███
 28-28  sends      [  40]: ████
 29-29  sends      [  35]: ████
 30-30  sends      [  30]: ███
 31-31  sends      [  46]: █████
 32-32  sends      [  31]: ███
 33-33  sends      [  31]: ███
 34-34  sends      [  34]: ████
 35-35  sends      [  40]: ████
 36-36  sends      [  35]: ████
 37-37  sends      [  26]: ███
 38-38  sends      [  38]: ████
 39-39  sends      [  26]: ███
 40-40  sends      [  25]: ██
 41-41  sends      [  32]: ███
 42-42  sends      [  21]: ██
 43-43  sends      [  33]: ███
 44-44  sends      [  20]: ██
 45-45  sends      [  14]: █
 46-46  sends      [  27]: ███
 47-47  sends      [  17]: ██
 48-48  sends      [  17]: ██
 49-49  sends      [  16]: █
 50-50  sends      [  26]: ███
 51-51  sends      [  19]: ██
 52-52  sends      [  53]: ██████
 53-53  sends      [  32]: ███
 54-54  sends      [  84]: ██████████
 55-55  sends      [  43]: █████
 56-56  sends      [  62]: ███████
 57-57  sends      [  36]: ████
 58-58  sends      [  81]: █████████
 59-59  sends      [  48]: █████
 60-60  sends      [  64]: ███████
 61-61  sends      [  41]: ████
 62-62  sends      [  73]: ████████
 63-63  sends      [  44]: █████
 64-64  sends      [  69]: ████████
 65-65  sends      [  30]: ███
 66-66  sends      [  50]: █████
 67-67  sends      [  41]: ████
 68-68  sends      [  38]: ████
 69-69  sends      [  33]: ███
 70-70  sends      [  54]: ██████
 71-71  sends      [  37]: ████
 72-72  sends      [  19]: ██
 73-73  sends      [  33]: ███
 74-74  sends      [  25]: ██
 75-75  sends      [  44]: █████
 76-76  sends      [  30]: ███
 77-77  sends      [  29]: ███
 78-78  sends      [  19]: ██
 79-79  sends      [  21]: ██
 80-80  sends      [  18]: ██
 81-81  sends      [  25]: ██
 82-82  sends      [  24]: ██
 83-83  sends      [  24]: ██
 84-84  sends      [  16]: █
 85-85  sends      [  20]: ██
 86-86  sends      [  19]: ██
 87-87  sends      [  18]: ██
 88-88  sends      [  17]: ██
 89-89  sends      [  23]: ██
 90-90  sends      [  25]: ██
 91-91  sends      [  15]: █
 92-92  sends      [  19]: ██
 93-93  sends      [  17]: ██
 94-94  sends      [  14]: █
 95-95  sends      [  13]: █
 96-96  sends      [  14]: █
 97-97  sends      [  12]: █
 98-98  sends      [  11]: █
 99-99  sends      [  20]: ██
100-100 sends      [  19]: ██
101-101 sends      [  23]: ██
102-102 sends      [  15]: █
103-103 sends      [  28]: ███
104-104 sends      [  29]: ███
105-105 sends      [  27]: ███
106-106 sends      [  28]: ███
107-107 sends      [  16]: █
108-108 sends      [  37]: ████
109-109 sends      [  21]: ██
110-110 sends      [  28]: ███
111-111 sends      [  31]: ███
112-112 sends      [  33]: ███
113-113 sends      [  25]: ██
114-114 sends      [  34]: ████
115-115 sends      [  30]: ███
116-116 sends      [  35]: ████
117-117 sends      [  25]: ██
118-118 sends      [  23]: ██
119-119 sends      [  23]: ██
120-120 sends      [  32]: ███
121-121 sends      [  20]: ██
122-122 sends      [  27]: ███
123-123 sends      [  27]: ███
124-124 sends      [  27]: ███
125-125 sends      [  20]: ██
126-126 sends      [  19]: ██
127-127 sends      [  12]: █
128-128 sends      [  14]: █
129-129 sends      [  25]: ██
130-130 sends      [  13]: █
131-131 sends      [   9]: █
132-132 sends      [  18]: ██
133-133 sends      [  11]: █
134-134 sends      [  17]: ██
135-135 sends      [  10]: █
136-136 sends      [   8]:
137-137 sends      [  17]: ██
138-138 sends      [  16]: █
139-139 sends      [   7]:
140-140 sends      [  15]: █
141-141 sends      [  15]: █
142-142 sends      [  11]: █
143-143 sends      [  12]: █
144-144 sends      [  13]: █
145-145 sends      [   4]:
146-146 sends      [   8]:
147-147 sends      [  13]: █
148-148 sends      [   7]:
149-149 sends      [   9]: █
150-150 sends      [  16]: █
151-151 sends      [   8]:
152-152 sends      [  14]: █
153-153 sends      [   9]: █
154-154 sends      [  23]: ██
155-155 sends      [  14]: █
156-156 sends      [  13]: █
157-157 sends      [  10]: █
158-158 sends      [  15]: █
159-159 sends      [  17]: ██
160-160 sends      [  21]: ██
161-161 sends      [   9]: █
162-162 sends      [  13]: █
163-163 sends      [  14]: █
164-164 sends      [  13]: █
165-165 sends      [  16]: █
166-166 sends      [  12]: █
167-167 sends      [  10]: █
168-168 sends      [  17]: ██
169-169 sends      [  13]: █
170-170 sends      [  13]: █
171-171 sends      [  13]: █
172-172 sends      [  15]: █
173-173 sends      [   6]:
174-174 sends      [  12]: █
175-175 sends      [  17]: ██
176-176 sends      [  10]: █
177-177 sends      [  14]: █
178-178 sends      [  20]: ██
179-179 sends      [   7]:
180-180 sends      [  13]: █
181-181 sends      [  12]: █
182-182 sends      [  17]: ██
183-183 sends      [  10]: █
184-184 sends      [   7]:
185-185 sends      [   7]:
186-186 sends      [   6]:
187-187 sends      [   9]: █
188-188 sends      [   2]:
189-189 sends      [  11]: █
190-190 sends      [   6]:
191-191 sends      [   6]:
192-192 sends      [   9]: █
193-193 sends      [   9]: █
194-194 sends      [   6]:
195-195 sends      [   4]:
196-196 sends      [   4]:
197-197 sends      [   6]:
198-198 sends      [  10]: █
199-199 sends      [   5]:
200-200 sends      [  16]: █
201-201 sends      [   7]:
202-202 sends      [   4]:
203-203 sends      [   9]: █
204-204 sends      [   4]:
205-205 sends      [  13]: █
206-206 sends      [   9]: █
207-207 sends      [   6]:
208-208 sends      [   9]: █
209-209 sends      [   2]:
210-210 sends      [   9]: █
211-211 sends      [   6]:
212-212 sends      [   6]:
213-213 sends      [  12]: █
214-214 sends      [   9]: █
215-215 sends      [  13]: █
216-216 sends      [   7]:
217-217 sends      [   7]:
218-218 sends      [   7]:
219-219 sends      [   9]: █
220-220 sends      [   8]:
221-221 sends      [   7]:
222-222 sends      [  10]: █
223-223 sends      [  12]: █
224-224 sends      [  11]: █
225-225 sends      [   9]: █
226-226 sends      [  12]: █
227-227 sends      [   8]:
228-228 sends      [   9]: █
229-229 sends      [   9]: █
230-230 sends      [  21]: ██
231-231 sends      [   8]:
232-232 sends      [   7]:
233-233 sends      [   6]:
234-234 sends      [   5]:
235-235 sends      [  11]: █
236-236 sends      [   7]:
237-237 sends      [   7]:
238-238 sends      [   4]:
239-239 sends      [   5]:
240-240 sends      [  10]: █
241-241 sends      [   9]: █
242-242 sends      [   5]:
243-243 sends      [   3]:
244-244 sends      [   4]:
245-245 sends      [   5]:
246-246 sends      [   7]:
247-247 sends      [   9]: █
248-248 sends      [  10]: █
249-249 sends      [   9]: █
250-250 sends      [  10]: █
251-251 sends      [   3]:
252-252 sends      [   5]:
253-253 sends      [   6]:
254-254 sends      [   2]:
255-255 sends      [   6]:
256-256 sends      [   3]:
257-257 sends      [   4]:
258-258 sends      [   7]:
259-259 sends      [   5]:
260-260 sends      [   4]:
261-261 sends      [   7]:
262-262 sends      [   2]:
263-263 sends      [   3]:
264-264 sends      [   5]:
265-265 sends      [   6]:
266-266 sends      [   2]:
267-267 sends      [   6]:
268-268 sends      [   2]:
269-269 sends      [  11]: █
270-270 sends      [   3]:
271-271 sends      [   7]:
272-272 sends      [   8]:
273-273 sends      [  20]: ██
274-274 sends      [   7]:
275-275 sends      [  12]: █
276-276 sends      [  13]: █
277-277 sends      [  12]: █
278-278 sends      [   8]:
279-279 sends      [   6]:
280-280 sends      [   5]:
281-281 sends      [   8]:
282-282 sends      [   1]:
283-283 sends      [   9]: █
284-284 sends      [   2]:
285-285 sends      [   7]:
286-286 sends      [   6]:
287-287 sends      [   7]:
288-288 sends      [  11]: █
289-289 sends      [   7]:
290-290 sends      [  10]: █
291-291 sends      [  13]: █
292-292 sends      [   2]:
293-293 sends      [   8]:
294-294 sends      [   6]:
295-295 sends      [   3]:
296-296 sends      [   3]:
297-297 sends      [   9]: █
298-298 sends      [   6]:
299-299 sends      [   5]:
300-300 sends      [   7]:
301-301 sends      [   1]:
302-302 sends      [   4]:
303-303 sends      [   1]:
304-304 sends      [   2]:
305-305 sends      [   8]:
306-306 sends      [   8]:
307-307 sends      [   6]:
308-308 sends      [   4]:
309-309 sends      [   2]:
310-310 sends      [   5]:
311-311 sends      [   7]:
312-312 sends      [   7]:
313-313 sends      [   4]:
314-314 sends      [   1]:
315-315 sends      [  13]: █
316-316 sends      [   7]:
317-317 sends      [   2]:
318-318 sends      [   2]:
319-319 sends      [   8]:
320-320 sends      [  35]: ████
321-321 sends      [   5]:
322-322 sends      [   6]:
323-323 sends      [   3]:
325-325 sends      [   2]:
326-326 sends      [   6]:
327-327 sends      [   3]:
328-328 sends      [   7]:
329-329 sends      [   5]:
330-330 sends      [   3]:
331-331 sends      [   2]:
332-332 sends      [   6]:
333-333 sends      [   5]:
334-334 sends      [   6]:
335-335 sends      [  18]: ██
336-336 sends      [   2]:
337-337 sends      [   2]:
338-338 sends      [   4]:
343-343 sends      [  11]: █
345-345 sends      [   2]:
348-348 sends      [   2]:
349-349 sends      [   2]:
350-350 sends      [   2]:
351-351 sends      [   2]:
353-353 sends      [   4]:
356-356 sends      [   3]:
357-357 sends      [   1]:
358-358 sends      [   1]:
359-359 sends      [   4]:
360-360 sends      [   1]:
362-362 sends      [   3]:
363-363 sends      [   2]:
364-364 sends      [   1]:
366-366 sends      [   3]:
367-367 sends      [   1]:
369-369 sends      [   1]:
380-380 sends      [   1]:
382-382 sends      [   1]:
385-385 sends      [   1]:

[Crypt-iQ]

I hacked the IR a little to fuzz bitcoin/bitcoin#33191 and something I noticed was that it would be nice if we could have a kind of large mempool for generating block templates (and other things). It's possible to either generate one during setup similar to how the blocks are mined, but incremental snapshots would be even better imo.

[dergoegge]

Just dumping some thoughts:

I looked at https://github.com/nyx-fuzz/QEMU-Nyx this morning at it does seem to have support for nested/incremental snapshots as described in the nyx-net paper (cc @str8outtaheap we talked about this a little last week).

So I think the biggest blocker for us to use it is libafl/libafl_nyx support and the appropriate changes to fuzzamoto:

• We'd have a separate corpus for each incremental snapshot, I think?
• Program contexts are different for each snapshot (essentially the base context plus additional context from each testcase up to the latest snapshot)
• What are good strategies for deciding when to take snapshots?

[Crypt-iQ]

Reading the QEMU-Nyx code for the CREATE_TMP_SNAPSHOT hypercall, it seems like only one incremental snapshot can be in-use at a time (per-core?) and then it needs to be discarded after use. Libnyx exposes a option_set_delete_incremental_snapshot function which toggles the discard_tmp_snapshot bool in QEMU-Nyx. This function at least should already be accessible by libafl/libafl_nyx.

We'd have a separate corpus for each incremental snapshot, I think?

I wonder if this is necessary? Could there instead be a IncrementalSnapshotMutator that inserted a snapshot operation (per the paper) and when the scenario processed this, it would trigger an incremental snapshot? Then this special mutator could remember where the insert occurred and set a variable that the other mutators & minimizers would check so they don't modify anything before the snapshot op-code. After N iterations, then the snapshot could be discarded.

What are good strategies for deciding when to take snapshots?

Thinking out loud: maybe we could bias the mutator to insert the snapshot operation after all sorts of things (long chains of txns or blocks, after many addr messages). I think one downside is that certain interesting inputs may hit the 4096 limit.

[Crypt-iQ]

I've started toying around with this with generous help from Claude and it doesn't seem like changes are needed to libafl/libafl_nyx (but I could totally be missing something). It does seem like QEMU-Nyx is broken when it comes to creating temporary snapshots and I have a fix for that (this is a bit confusing as I think other projects may have been able to get it to work without any patches). It seems like a lot of the work is in getting the mutators and minimizers to behave if the "insert incremental opcode" approach is used.