Panics Are Not Crashes

This post is part of the Input Coverage > Code Coverage series.

Rust unwinds on panic by default. Fuzzers differ.

• libFuzzer: in-process. A panic can be caught by the harness.
• AFL++: out-of-process. Needs a hard crash to record it.

Two ways to force crashes:

1) Compile with -C panic=abort when fuzzing.

export RUSTFLAGS="-C panic=abort"

2) Use afl::fuzz!. It maps panics to process::abort() in the harness.

Do not leak this flag into normal builds. Keep it in a wrapper script.

Next: One Function To Fuzz Them All