Page MenuHomePhabricator

Unsuccessful stab at fuzzing for the bug in D23362
AbandonedPublic

Authored by jroelofs on Aug 24 2016, 7:30 AM.

Details

Reviewers
None

Diff Detail

Event Timeline

jroelofs updated this revision to Diff 69117.Aug 24 2016, 7:30 AM
jroelofs retitled this revision from to Unsuccessful stab at fuzzing for the bug in D23362.
jroelofs updated this object.
kcc added a subscriber: kcc.Aug 24 2016, 8:22 AM

Why is it unsuccessful?

lib/Fuzzer/CMakeLists.txt
7

also change the error message

tools/llvm-apint-fuzzer/llvm-apint-fuzzer.cpp
54

This function should always return 0.
Replace this with e.g.

if (Fst != Snd) abort();
return 0;

Unsuccessful because it let it run overnight, and it didn't find the UB in APInt::ashr (that was re-introduced in this patch).

The specific condition that the fuzzer would need to discover to trigger the bug would be to have a > 1bit -1, with a shift amount != the bitwidth.

lib/Fuzzer/CMakeLists.txt
7

Yeah, this was just a hacky one-off patch to play with the fuzzer, not something I was actually planning to commit upstream.

If you're ok with this particular part, I can put a real patch up to change this to "if asan or asan+ubsan", along with a more appropriate error message.

kcc added a comment.Aug 24 2016, 11:03 AM

Unsuccessful because it let it run overnight, and it didn't find the UB in APInt::ashr (that was re-introduced in this patch).

But can you reproduce the crash if you provide the crashy input?
I mean, if you know the bug (and actually have a fix) you have a way to reproduce it, don't you?

The specific condition that the fuzzer would need to discover to trigger the bug would be to have a > 1bit -1, with a shift amount != the bitwidth.

lib/Fuzzer/CMakeLists.txt
7

I would love to have your fuzzer and all related changes upstream.
As for this particular one:

  • yours is one good way.
  • another way is to allow optiona ubsan on top of asan, which will not require changing this file (AFAICT)
kcc added a comment.Aug 24 2016, 11:03 AM

If you have the crashy input, you can feed it to the fuzzer binary in a natural way:

./fuzzer-binary crashy-file
In D23838#524379, @kcc wrote:

Unsuccessful because it let it run overnight, and it didn't find the UB in APInt::ashr (that was re-introduced in this patch).

But can you reproduce the crash if you provide the crashy input?
I mean, if you know the bug (and actually have a fix) you have a way to reproduce it, don't you?

Humph. Good point. Thinking about it that way revealed a couple of bugs in my LLVMFuzzerTestOneInput implementation (I wasn't being careful enough about giving the fuzzer a chance to reproduce the same issue)... I'll post the fixes for that momentarily.

Even with the fixes though, I can't get the manual fuzz test to trip it. Also, I can no longer get the unit-test itself to trigger the UB either (which might explain quite a bit!). Not sure what's going on there :/

$ xxd crasher 
0000000: 0700 0000 ffff ffff ffff ffff 4000 0000  ............@...
$ ./bin/llvm-apint-fuzzer crasher 
INFO: Seed: 555293119
./bin/llvm-apint-fuzzer: Running 1 inputs 1 time(s) each.
Running: crasher
Executed crasher in 0 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***
jroelofs updated this revision to Diff 69162.Aug 24 2016, 1:19 PM
jroelofs marked an inline comment as done.
jroelofs added inline comments.
lib/Fuzzer/CMakeLists.txt
7

another way is to allow optiona ubsan on top of asan, which will not require changing this file (AFAICT)

Not sure I understand this... what did you have in mind here?

kcc added a comment.Aug 24 2016, 1:48 PM

Even with the fixes though, I can't get the manual fuzz test to trip it. Also, I can no longer get the unit-test itself to trigger the UB either (which might explain quite a bit!). Not sure what's going on there :/

Weird.
Can you trigger the bug if you revert to the buggy revision?

lib/Fuzzer/CMakeLists.txt
7

You don't have to allow asan *or ubsan in the cmake file.
Instead you may use asan *and* ubsan

jroelofs abandoned this revision.Jul 29 2020, 2:00 PM