Experimental support for parallel fuzzing

trailofbits · May 9, 2024 · 224bce0 · 224bce0
1 parent 3ef9989
commit 224bce0
Show file tree

Hide file tree

Showing 4 changed files with 308 additions and 85 deletions.
diff --git a/README.md b/README.md
@@ -255,6 +255,7 @@ Options:
       --backtrace                 Display backtraces
       --consolidate               Move one target's crashes, hangs, and work queue to its corpus; to
                                   consolidate all targets, use --consolidate-all
+      --cpus <N>                  Fuzz using at most <N> cpus; default is all but one
       --display <OBJECT>          Display corpus, crashes, generic args, `impl` generic args, hangs,
                                   or work queue. By default, corpus uses an uninstrumented fuzz
                                   target; the others use an instrumented fuzz target. To display the
@@ -282,6 +283,8 @@ Options:
                                   reset all targets, use --reset-all
       --resume                    Resume target's last fuzzing session
       --run-until-crash           Stop fuzzing once a crash is found
+      --slice <SECONDS>           When there are not sufficiently many cpus to fuzz all targets
+                                  concurrently, fuzz them in intervals of <SECONDS> [default: 1200]
       --test <NAME>               Integration test containing fuzz target
       --timeout <TIMEOUT>         Number of seconds to consider a hang when fuzzing or replaying
                                   (equivalent to -- -t <TIMEOUT * 1000> when fuzzing)

diff --git a/cargo-test-fuzz/Cargo.toml b/cargo-test-fuzz/Cargo.toml
@@ -24,6 +24,8 @@ clap = { version = "4.5", features = ["cargo", "derive", "wrap_help"] }
 env_logger = "0.11"
 heck = "0.5"
 log = "0.4"
+mio = { version = "0.8", features = ["os-ext", "os-poll"] }
+num_cpus = "1.16"
 paste = "1.0"
 remain = "0.2"
 semver = "1.0"

diff --git a/cargo-test-fuzz/src/bin/cargo_test_fuzz/transition.rs b/cargo-test-fuzz/src/bin/cargo_test_fuzz/transition.rs
@@ -34,6 +34,12 @@ struct TestFuzzWithDeprecations {
     consolidate: bool,
     #[arg(long, hide = true)]
     consolidate_all: bool,
+    #[arg(
+        long,
+        value_name = "N",
+        help = "Fuzz using at most <N> cpus; default is all but one"
+    )]
+    cpus: Option<usize>,
     #[arg(
         long,
         value_name = "OBJECT",
@@ -107,6 +113,14 @@ struct TestFuzzWithDeprecations {
     resume: bool,
     #[arg(long, help = "Stop fuzzing once a crash is found")]
     run_until_crash: bool,
+    #[arg(
+        long,
+        value_name = "SECONDS",
+        default_value = "1200",
+        help = "When there are not sufficiently many cpus to fuzz all targets concurrently, fuzz \
+                them in intervals of <SECONDS>"
+    )]
+    slice: u64,
     #[arg(
         long,
         value_name = "NAME",
@@ -136,6 +150,7 @@ impl From<TestFuzzWithDeprecations> for super::TestFuzz {
             backtrace,
             consolidate,
             consolidate_all,
+            cpus,
             display,
             exact,
             exit_code,
@@ -155,6 +170,7 @@ impl From<TestFuzzWithDeprecations> for super::TestFuzz {
             reset_all,
             resume,
             run_until_crash,
+            slice,
             test,
             timeout,
             verbose,
@@ -165,6 +181,7 @@ impl From<TestFuzzWithDeprecations> for super::TestFuzz {
             backtrace,
             consolidate,
             consolidate_all,
+            cpus,
             display,
             exact,
             exit_code,
@@ -184,6 +201,7 @@ impl From<TestFuzzWithDeprecations> for super::TestFuzz {
             reset_all,
             resume,
             run_until_crash,
+            slice,
             test,
             timeout,
             verbose,