This is an archive of the discontinued LLVM Phabricator instance.

Differential D107023

[libfuzzer] Handle more than one exception in Fuchsia.
AcceptedPublic

Authored by charco on Jul 28 2021, 7:36 PM.

Details

Reviewers
mcgrathr
aarongreen
Summary

This change modifies FuzzerUtilFuchsia so that it can handle more than
one exception from the fuzzed threads.

The current implementation restores each thread that generates an
exception, making it go through a crash trampoline. There are two
problems with that approach:

  • We don't know what happens if two threads crash at the same time, as the trampoline code is not marked as thread-safe. The stored crash artifact might be invalid, as well as the backtrace.
  • If the StaticCrashHandler crashes (i.e: a thread crashes while it is handling the exception), it would be resumed in the StaticCrashHandler again, and that would most probably cause another crash, and an infinite loop, which would be eventually caught by the fuzzer timeout.

The new proposed change, keeps track of the first thread id that caused
an exception. New exceptions that come from different thread ids are not
processed (meaning that those thread would remain suspended). If a new
exception comes from the same thread id as the first exception, then we
just exit the fuzzer. This will cause a crash artifact to be generated.

To make this change work, there's a refactor on the ScopedHandle struct,
to make it a movable object, so the handles can be stored in a vector
and don't get closed.

Diff Detail

Event Timeline

charco requested review of this revision.Jul 28 2021, 7:36 PM
charco created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptJul 28 2021, 7:36 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
charco updated this revision to Diff 362609.Jul 28 2021, 7:37 PM

Fix typo

Harbormaster completed remote builds in B116851: Diff 362609.Jul 28 2021, 8:15 PM
mcgrathr accepted this revision.Aug 25 2021, 2:57 PM

lgtm

This revision is now accepted and ready to land.Aug 25 2021, 2:57 PM

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
50 lines

Diff 362609

compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp

Show First 20 LinesShow All 204 Lines▼ Show 20 Lines ".cfi_startproc\n"
: FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM) : FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM)
#if defined(__aarch64__) #if defined(__aarch64__)
ASM_OPERAND_REG(pc) ASM_OPERAND_REG(lr) ASM_OPERAND_REG(pc) ASM_OPERAND_REG(lr)
#endif #endif
[StaticCrashHandler] "i"(StaticCrashHandler)); [StaticCrashHandler] "i"(StaticCrashHandler));
} }
void CrashHandler(zx_handle_t *Event) { void CrashHandler(zx_handle_t *Event) {
// This structure is used to ensure we close handles to objects we create in // ScopedHandle is a helper class that makes sure handles are closed when they
// this handler. // go out of scope. This also allows handles to be moved.
struct ScopedHandle { class ScopedHandle {
~ScopedHandle() { _zx_handle_close(Handle); } public:
ScopedHandle() { reset(); }
explicit ScopedHandle(zx_handle_t H) { reset(H); }
ScopedHandle(ScopedHandle &&Other) : Handle(Other.release()) {}
ScopedHandle &operator=(ScopedHandle &&Other) {
Handle = Other.release();
return *this;
}
ScopedHandle(const ScopedHandle &Other) = delete;
ScopedHandle &operator=(const ScopedHandle &) = delete;
~ScopedHandle() { reset(Handle); }
zx_handle_t release() { return std::exchange(Handle, ZX_HANDLE_INVALID); }
void reset(zx_handle_t H = ZX_HANDLE_INVALID) {
_zx_handle_close(std::exchange(Handle, H));
}
zx_handle_t Handle = ZX_HANDLE_INVALID; zx_handle_t Handle = ZX_HANDLE_INVALID;
}; };
// Create the exception channel. We need to claim to be a "debugger" so the // Create the exception channel. We need to claim to be a "debugger" so the
// kernel will allow us to modify and resume dying threads (see below). Once // kernel will allow us to modify and resume dying threads (see below). Once
// the channel is set, we can signal the main thread to continue and wait // the channel is set, we can signal the main thread to continue and wait
// for the exception to arrive. // for the exception to arrive.
ScopedHandle Channel; ScopedHandle Channel;
zx_handle_t Self = _zx_process_self(); zx_handle_t Self = _zx_process_self();
ExitOnErr(_zx_task_create_exception_channel( ExitOnErr(_zx_task_create_exception_channel(
Self, ZX_EXCEPTION_CHANNEL_DEBUGGER, &Channel.Handle), Self, ZX_EXCEPTION_CHANNEL_DEBUGGER, &Channel.Handle),
"_zx_task_create_exception_channel"); "_zx_task_create_exception_channel");
ExitOnErr(_zx_object_signal(*Event, 0, ZX_USER_SIGNAL_0), ExitOnErr(_zx_object_signal(*Event, 0, ZX_USER_SIGNAL_0),
"_zx_object_signal"); "_zx_object_signal");
zx_koid_t crashed_tid = ZX_KOID_INVALID;
// Multiple exceptions can be fired while handling the first exception
// unhandled_exceptions holds all the other exception handles so the
// other crashing threads are suspended until the first exception
// finishes.
std::vector<ScopedHandle> unhandled_exceptions;
// This thread lives as long as the process in order to keep handling // This thread lives as long as the process in order to keep handling
// crashes. In practice, the first crashed thread to reach the end of the // crashes. In practice, the first crashed thread to reach the end of the
// StaticCrashHandler will end the process. // StaticCrashHandler will end the process.
while (true) { while (true) {
ExitOnErr(_zx_object_wait_one(Channel.Handle, ZX_CHANNEL_READABLE, ExitOnErr(_zx_object_wait_one(Channel.Handle, ZX_CHANNEL_READABLE,
ZX_TIME_INFINITE, nullptr), ZX_TIME_INFINITE, nullptr),
"_zx_object_wait_one"); "_zx_object_wait_one");
Show All 22 Lines ExitOnErr(_zx_exception_get_thread(Exception.Handle, &Thread.Handle),
"_zx_exception_get_thread"); "_zx_exception_get_thread");
zx_thread_state_general_regs_t GeneralRegisters; zx_thread_state_general_regs_t GeneralRegisters;
ExitOnErr(_zx_thread_read_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS, ExitOnErr(_zx_thread_read_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
&GeneralRegisters, &GeneralRegisters,
sizeof(GeneralRegisters)), sizeof(GeneralRegisters)),
"_zx_thread_read_state"); "_zx_thread_read_state");
if (crashed_tid != ZX_KOID_INVALID) {
// If we reach this point, it means that we received more than
// one exception. This new exception could either be from the
// same thread as the first exception or from another thread.
Printf("libFuzzer: An exception occurred while handling a previous "
"crash.\n");
if (crashed_tid == ExceptionInfo.tid) {
// Exception came from the same thread. This means that the
// exception handling code crashed. This is bad. Generate a crashing
// artifact and exit.
exit(1);
} else {
// We received a crash from a different thread. Leave it suspended and
// wait for the next exception.
unhandled_exceptions.push_back(std::move(Exception));
continue;
}
}
crashed_tid = ExceptionInfo.tid;
// To unwind properly, we need to push the crashing thread's register state // To unwind properly, we need to push the crashing thread's register state
// onto the stack and jump into a trampoline with CFI instructions on how // onto the stack and jump into a trampoline with CFI instructions on how
// to restore it. // to restore it.
#if defined(__x86_64__) #if defined(__x86_64__)
uintptr_t StackPtr = uintptr_t StackPtr =
(GeneralRegisters.rsp - (128 + sizeof(GeneralRegisters))) & (GeneralRegisters.rsp - (128 + sizeof(GeneralRegisters))) &
-(uintptr_t)16; -(uintptr_t)16;
__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters, __unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
▲ Show 20 LinesShow All 251 LinesShow Last 20 Lines