This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/Fuzzer/
-
Fuzzer/
-
FuzzerInternal.h
-
FuzzerLoop.cpp
-
FuzzerUtil.cpp

Differential D20461

[LibFuzzer] Fix sending SIGALRM to main thread under Mac OSX
AbandonedPublic

Authored by delcypher on May 19 2016, 9:51 PM.

Download Raw Diff

Details

Reviewers

kcc
kubamracek

Summary

[LibFuzzer] Fix sending SIGALRM signal to main thread on Mac OSX.

This replaces the Linux only implementation with an implementation that
relies on pthread_kill() which is more portable. For this to work
the Fuzzer now records the thread it was created in (presumably the main
thread).

This isn't an ideal fix because now we have a pthreads dependency
but arguably if we wanted portability we shouldn't be using signals
either.

Diff Detail

Event Timeline

delcypher updated this revision to Diff 57891.May 19 2016, 9:51 PM

delcypher retitled this revision from to [LibFuzzer] Fix sending SIGALRM to main thread under Mac OSX.

delcypher updated this object.

delcypher added reviewers: kcc, kubamracek.

delcypher added subscribers: llvm-commits, kcc.

dependency on -lpthread would be unfortunate...
And I don't like the current code either.
Let me rethink this one.
This may be solved by printing and Exiting_ in the getrusage thread --
the only question is how to avoid the race on CurrentUnitData/CurrentUnitSize w/o having to use a Mutex.

Want to try this?

Or maybe just grab a mutex around CurrentUnitData/CurrentUnitSize
and see how much it affects performance on e.g. test/FullCoverageSetTest.cpp
If not much, just use a mutex.

@kcc : Just to note I think you already have an implicit pthreads dependency. The CMakeLists.txt file seems to link
against it also (side note: why are the flags only being set for the CMake build type being RELEASE?).

I didn't need to pass -lpthread when building (I'm building independently of LLVM's CMake build system) on my system. I suspect that std::thread might already be using pthreads internally.

In D20461#435255, @delcypher wrote:

@kcc : Just to note I think you already have an implicit pthreads dependency.

Very likely. But it's more like I want to stay away from including pthread.h, if possible.
And also, the current way of dying on OOMs is less portable than just dying inside the getrusage thread.

The CMakeLists.txt file seems to link
against it also (side note: why are the flags only being set for the CMake build type being RELEASE?).

For no good reason, feel free to fix that.

I didn't need to pass -lpthread when building (I'm building independently of LLVM's CMake build system) on my system. I suspect that std::thread might already be using pthreads internally.

Note that the majority of users use libFuzzer outside of the llvm build system,
will they need to add -lphtread to their build rules?

@kcc

This may be solved by printing and Exiting_ in the getrusage thread --
the only question is how to avoid the race on CurrentUnitData/CurrentUnitSize w/o having to use a Mutex.

Want to try this?

I'll take a look tomorrow. I need to first take a look at how CurrentUnitData and CurrentUnitSize are being used and consequently where they need to locked.

Just a thought. Why not just be single threaded and call getrusage() after every iteration of LLVMFuzzerTestOneInput(...)? It will mean for long running and non-terminating runs of LLVMFuzzerTestOneInput(...) we might not (or ever) detect OOM but it would avoid the complexity and the races. Personally I feel like detecting OOM should really be done externally using something like cgroups, but maybe that's a bad idea.

Note that the majority of users use libFuzzer outside of the llvm build system,
will they need to add -lphtread to their build rules?

I found that I didn't need to under OSX or Linux. Note I didn't really test under Linux properly as something about my distro's clang is broken (__sanitizer_get_coverage_pc_buffer seems to be NULL at runtime). I need to rebuild on trunk and test more thoroughly.

In D20461#435258, @delcypher wrote:

@kcc

This may be solved by printing and Exiting_ in the getrusage thread --

the only question is how to avoid the race on CurrentUnitData/CurrentUnitSize w/o having to use a Mutex.

Want to try this?

I'll take a look tomorrow. I need to first take a look at how CurrentUnitData and CurrentUnitSize are being used and consequently where they need to locked.

CurrentUnitData is used to dump the reproducer on disk.

Just a thought. Why not just be single threaded and call getrusage() after every iteration of LLVMFuzzerTestOneInput(...)? It will mean for long running and non-terminating runs of LLVMFuzzerTestOneInput(...) we might not (or ever) detect OOM but it would avoid the complexity and the races. Personally I feel like detecting OOM should really be done externally using something like cgroups, but maybe that's a bad idea.

One of the two reasons for detecting OOMs in libFuzzer is to not let it kill your machine.
You can't do it by checking getrusage after your machine has died.

cgroups are hard to set up, you should not expect every libFuzzer user to do it.
AFAICT, they also require sudo (no?)
Ideally we would have kernel support for RLIMIT_RSS, but there is no such thing today. :(

FYI: am working on refactoring this part, hold on your changes please...

@kcc:

FYI: am working on refactoring this part, hold on your changes please...

Thanks for the info. I took a break from doing this as I wanted to make it possible to run the tests on OSX first. Glad to hear you are taking a look at it.

I think I've fixed this in r270945.
This part is tricky because it involves both threads and signals,
so I tried to make it simpler.

This change isn't needed any more.

Revision Contents

Path

Size

lib/

Fuzzer/

FuzzerInternal.h

7 lines

FuzzerLoop.cpp

8 lines

FuzzerUtil.cpp

8 lines

Diff 57891

lib/Fuzzer/FuzzerInternal.h

Show All 12 Lines
#define LLVM_FUZZER_INTERNAL_H		#define LLVM_FUZZER_INTERNAL_H

#include <algorithm>		#include <algorithm>
#include <cassert>		#include <cassert>
#include <chrono>		#include <chrono>
#include <climits>		#include <climits>
#include <cstddef>		#include <cstddef>
#include <cstdlib>		#include <cstdlib>
		#include <pthread.h>
#include <random>		#include <random>
#include <string.h>		#include <string.h>
#include <string>		#include <string>
#include <unordered_set>		#include <unordered_set>
#include <vector>		#include <vector>

#include "FuzzerInterface.h"		#include "FuzzerInterface.h"
#include "FuzzerTracePC.h"		#include "FuzzerTracePC.h"
▲ Show 20 Lines • Show All 91 Lines • ▼ Show 20 Lines

// Changes U to contain only ASCII (isprint+isspace) characters.		// Changes U to contain only ASCII (isprint+isspace) characters.
// Returns true iff U has been changed.		// Returns true iff U has been changed.
bool ToASCII(uint8_t *Data, size_t Size);		bool ToASCII(uint8_t *Data, size_t Size);
bool IsASCII(const Unit &U);		bool IsASCII(const Unit &U);

int NumberOfCpuCores();		int NumberOfCpuCores();
int GetPid();		int GetPid();
int SignalToMainThread();		int SignalToMainThread(pthread_t MainThread);
void SleepSeconds(int Seconds);		void SleepSeconds(int Seconds);

class Random {		class Random {
public:		public:
Random(unsigned int seed) : R(seed) {}		Random(unsigned int seed) : R(seed) {}
size_t Rand() { return R(); }		size_t Rand() { return R(); }
size_t RandBool() { return Rand() % 2; }		size_t RandBool() { return Rand() % 2; }
size_t operator()(size_t n) { return n ? Rand() % n : 0; }		size_t operator()(size_t n) { return n ? Rand() % n : 0; }
▲ Show 20 Lines • Show All 316 Lines • ▼ Show 20 Lines	private:
FuzzingOptions Options;		FuzzingOptions Options;
system_clock::time_point ProcessStartTime = system_clock::now();		system_clock::time_point ProcessStartTime = system_clock::now();
system_clock::time_point UnitStartTime;		system_clock::time_point UnitStartTime;
long TimeOfLongestUnitInSeconds = 0;		long TimeOfLongestUnitInSeconds = 0;
long EpochOfLastReadOfOutputCorpus = 0;		long EpochOfLastReadOfOutputCorpus = 0;

// Maximum recorded coverage.		// Maximum recorded coverage.
Coverage MaxCoverage;		Coverage MaxCoverage;

		// Used to allow other threads to communicate with
		// the thread the fuzzer was created in.
		pthread_t MainThread;
};		};

}; // namespace fuzzer		}; // namespace fuzzer

#endif // LLVM_FUZZER_INTERNAL_H		#endif // LLVM_FUZZER_INTERNAL_H

lib/Fuzzer/FuzzerLoop.cpp

Show First 20 Lines • Show All 141 Lines • ▼ Show 20 Lines	if (NewPcBufferLen > C->PcBufferLen) {
C->PcBufferLen = NewPcBufferLen;		C->PcBufferLen = NewPcBufferLen;
}		}

return Res;		return Res;
}		}
};		};

Fuzzer::Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options)		Fuzzer::Fuzzer(UserCallback CB, MutationDispatcher &MD, FuzzingOptions Options)
: CB(CB), MD(MD), Options(Options) {		: CB(CB), MD(MD), Options(Options), MainThread(pthread_self()) {
SetDeathCallback();		SetDeathCallback();
InitializeTraceState();		InitializeTraceState();
assert(!F);		assert(!F);
F = this;		F = this;
ResetCoverage();		ResetCoverage();
}		}

void Fuzzer::SetDeathCallback() {		void Fuzzer::SetDeathCallback() {
▲ Show 20 Lines • Show All 94 Lines • ▼ Show 20 Lines	if (Seconds >= (size_t)Options.UnitTimeoutSec) {
Printf("SUMMARY: libFuzzer: timeout\n");		Printf("SUMMARY: libFuzzer: timeout\n");
PrintFinalStats();		PrintFinalStats();
_Exit(Options.TimeoutExitCode); // Stop right now.		_Exit(Options.TimeoutExitCode); // Stop right now.
}		}
}		}

void Fuzzer::RssLimitCallback() {		void Fuzzer::RssLimitCallback() {
InOOMState = true;		InOOMState = true;
SignalToMainThread();		if (SignalToMainThread(MainThread)) {
		Printf("WARNING: Failed to signal main thread.\n");
		}
SleepSeconds(5);		SleepSeconds(5);
Printf("Signal to main thread failed (non-linux?). Exiting.\n");		Printf("ERROR: Should have exited already. Forcing exit.\n");
_Exit(Options.ErrorExitCode);		_Exit(Options.ErrorExitCode);
return;		return;
}		}

void Fuzzer::PrintStats(const char Where, const char End) {		void Fuzzer::PrintStats(const char Where, const char End) {
size_t ExecPerSec = execPerSec();		size_t ExecPerSec = execPerSec();
if (Options.OutputCSV) {		if (Options.OutputCSV) {
static bool csvHeaderPrinted = false;		static bool csvHeaderPrinted = false;
▲ Show 20 Lines • Show All 512 Lines • Show Last 20 Lines

lib/Fuzzer/FuzzerUtil.cpp

Show First 20 Lines • Show All 242 Lines • ▼ Show 20 Lines	bool ParseDictionaryFile(const std::string &Text, std::vector<Unit> *Units) {
return true;		return true;
}		}

void SleepSeconds(int Seconds) {		void SleepSeconds(int Seconds) {
std::this_thread::sleep_for(std::chrono::seconds(Seconds));		std::this_thread::sleep_for(std::chrono::seconds(Seconds));
}		}

int GetPid() { return getpid(); }		int GetPid() { return getpid(); }
int SignalToMainThread() {		int SignalToMainThread(pthread_t MainThread) {
#ifdef __linux__		return pthread_kill(MainThread, SIGALRM);
return syscall(SYS_tgkill, GetPid(), GetPid(), SIGALRM);
#else
return 0;
#endif
}		}

std::string Base64(const Unit &U) {		std::string Base64(const Unit &U) {
static const char Table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"		static const char Table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"		"abcdefghijklmnopqrstuvwxyz"
"0123456789+/";		"0123456789+/";
std::string Res;		std::string Res;
size_t i;		size_t i;
Show All 38 Lines