Page MenuHomePhabricator

[lib/Fuzzer] Add sanitizer runtime errors unit save option
AbandonedPublic

Authored by skomski on Jul 16 2015, 2:51 PM.

Details

Reviewers
kcc
Summary

Make it possible to save runtime errors units from for example fsanitize=undefined to make it easier to reproduce them.

Diff Detail

Repository
rL LLVM

Event Timeline

skomski updated this revision to Diff 29946.Jul 16 2015, 2:51 PM
skomski retitled this revision from to [lib/Fuzzer] Add sanitizer runtime errors unit save option.
skomski updated this object.
skomski added a reviewer: kcc.
skomski added a subscriber: llvm-commits.
kcc edited edge metadata.Jul 16 2015, 2:57 PM

First question: why is a log file not enough?
It will contain the full sanitizer report (not just summary) and the reproducer.
Frankly, to me this looks like a duplicated functionality.

lib/Fuzzer/FuzzerFlags.def
62

write more detailed description (e.g. "save sanitizer error report to a file with 'error-' prefix" or some such)

lib/Fuzzer/FuzzerLoop.cpp
16

__sanitizer_report_error_summary may be used by other parts of code linked with libSanitizer.
Also, summary is just a single line, not sure how it may be useful.

In D11277#206713, @kcc wrote:

First question: why is a log file not enough?
It will contain the full sanitizer report (not just summary) and the reproducer.
Frankly, to me this looks like a duplicated functionality.

In D11277#206713, @kcc wrote:

First question: why is a log file not enough?
It will contain the full sanitizer report (not just summary) and the reproducer.
Frankly, to me this looks like a duplicated functionality.

Can you not say the same thing for the current written timeout- and crash files? I like having the files right away it makes it more convenient.

lib/Fuzzer/FuzzerLoop.cpp
16

Is there an alternative to sanitizer_report_error_summary to receive the runtime error reports? I wanted to use asan_set_error_report_callback but that doesn't work

Also, summary is just a single line, not sure how it may be useful.

I wanted to use replicate the original behaviour of __sanitizer_report_error_summary that does fuzzer::Printf("%s\n", ErrorSummary);

kcc added a comment.Jul 17 2015, 1:53 PM
In D11277#206713, @kcc wrote:

First question: why is a log file not enough?
It will contain the full sanitizer report (not just summary) and the reproducer.
Frankly, to me this looks like a duplicated functionality.

In D11277#206713, @kcc wrote:

First question: why is a log file not enough?
It will contain the full sanitizer report (not just summary) and the reproducer.
Frankly, to me this looks like a duplicated functionality.

Can you not say the same thing for the current written timeout- and crash files? I like having the files right away it makes it more convenient.

That's a bit different. The timeout- and crash- files can be directly given back to the fuzzer (the target function).
The file with the log is for a human being to analyze -- the same as for the error report.

kcc added inline comments.Jul 17 2015, 1:56 PM
lib/Fuzzer/FuzzerLoop.cpp
16

asan_set_error_report_callback is closer to what you need but

  1. it's only available in asan (well, this *may* need to be fixed separately)
  2. it has the same problem: what if someone else want to call it to. I'e. it will need to be chained.
  3. You say it does not work. Strange. Will need more info separately.

Does __sanitizer_set_report_path do (almost) what you need?

skomski added a comment.EditedJul 17 2015, 2:40 PM
In D11277#207372, @kcc wrote:
In D11277#206713, @kcc wrote:

First question: why is a log file not enough?
It will contain the full sanitizer report (not just summary) and the reproducer.
Frankly, to me this looks like a duplicated functionality.

In D11277#206713, @kcc wrote:

First question: why is a log file not enough?
It will contain the full sanitizer report (not just summary) and the reproducer.
Frankly, to me this looks like a duplicated functionality.

Can you not say the same thing for the current written timeout- and crash files? I like having the files right away it makes it more convenient.

That's a bit different. The timeout- and crash- files can be directly given back to the fuzzer (the target function).
The file with the log is for a human being to analyze -- the same as for the error report.

I don't save the error log but the corresponding unit that is active during time the sanitizer reports the runtime error which results in the same file as timeout and crash files.

kcc added a comment.Jul 17 2015, 6:06 PM

I am sorry, I may be missing something, can we start again?
What problem exactly are you trying to solve?

In D11277#207577, @kcc wrote:

I am sorry, I may be missing something, can we start again?
What problem exactly are you trying to solve?

My problem is that I want to have an easy way to reproduce undefined behaviour errors for further debugging purposes or to put it into my testcases. I want to achieve that saving the active unit during the time ubsan reported the error.

lib/Fuzzer/FuzzerLoop.cpp
16
  1. Well it works but only the hard crashes from asan are reported that are already handled.

https://github.com/llvm-mirror/compiler-rt/blob/6e6e601da1cd63c2e797a4b185f5ebc77496e1dc/lib/asan/asan_report.cc#L666

kcc added a comment.Jul 21 2015, 9:50 AM
In D11277#207577, @kcc wrote:

I am sorry, I may be missing something, can we start again?
What problem exactly are you trying to solve?

My problem is that I want to have an easy way to reproduce undefined behaviour errors for further debugging purposes or to put it into my testcases. I want to achieve that saving the active unit during the time ubsan reported the error.

That's exactly what I always need too. But the way current way of doing this work fine to me:

  • Run the fuzzer with stderr pointed to a file (if running with -jobs=N, stderr is directed to fuzz-NN.log)
  • When the crash happens, the log file contains *all* the information needed to reproduce the error: the message from the sanitizers, the input file encoded in hex and base64, the name of a separate file where the reproducer has been dumped to.

So, before considering this patch I need to understand what's missing in the existing functionality.

BTW, I've noticed fixes in PCRE2 based on your reports. Great work!

My problem is that I want to have an easy way to reproduce undefined

behaviour errors for further debugging purposes or to put it into my
testcases. I want to achieve that saving the active unit during the time
ubsan reported the error.

It is about UBSAN (!) errors. Ubsan reports only and doesn't crash the
process.

For example:
src/pcre2_compile.c:6453:42: runtime error: unsigned integer overflow:
4294967295 + 1 cannot be represented in type 'unsigned int'
SUMMARY: AddressSanitizer: undefined-behavior src/pcre2_compile.c:6453:42
in

I want to save the unit that was running during the error.

Kind regards,

Karl Skomski

kcc added a comment.Jul 21 2015, 11:09 AM

It is about UBSAN (!) errors. Ubsan reports only and doesn't crash the
process.

Aha, so that's what you need to fix, not the fuzzer.
Will -fno-sanitize-recover=undefined work for you?

Yes that would be a way to handle it albeit I would still use my patch
because I don't really want the fuzzer to crash from undefined behaviour. I
only want a reproducible unit and some log event with the unit information.
Also I don't want it to save under crash-*. But I am not desperate to merge
it I am happy with my patch :D

Kind regards,

Karl Skomski

kcc added a comment.Jul 21 2015, 4:42 PM

Yes that would be a way to handle it albeit I would still use my patch
because I don't really want the fuzzer to crash from undefined behaviour. I

I think this is wrong.
The fuzzer is designed in assumption that any interesting bug leads to a process crash
and I'd like to preserve this simplicity.

skomski abandoned this revision.Aug 3 2015, 2:02 PM