Details
- Reviewers
- None
Event Timeline
Unsuccessful: I let it run overnight, and it didn't find the UB in APInt::ashr (that was re-introduced in this patch).
The specific condition that the fuzzer would need to discover to trigger the bug would be to have a >1-bit -1 with a shift amount != the bitwidth.
Inline comment on lib/Fuzzer/CMakeLists.txt, line 7:
Yeah, this was just a hacky one-off patch to play with the fuzzer, not something I was actually planning to commit upstream. If you're ok with this particular part, I can put a real patch up to change this to "if asan or asan+ubsan", along with a more appropriate error message.
But can you reproduce the crash if you provide the crashy input?
I mean, if you know the bug (and actually have a fix) you have a way to reproduce it, don't you?
> The specific condition that the fuzzer would need to discover to trigger the bug would be to have a >1-bit -1 with a shift amount != the bitwidth.

Inline comment on lib/Fuzzer/CMakeLists.txt, line 7:
I would love to have your fuzzer and all related changes upstream.
If you have the crashy input, you can feed it to the fuzzer binary in a natural way:
./fuzzer-binary crashy-file
Humph. Good point. Thinking about it that way revealed a couple of bugs in my LLVMFuzzerTestOneInput implementation (I wasn't being careful enough about giving the fuzzer a chance to reproduce the same issue)... I'll post the fixes for that momentarily.
Even with the fixes though, I can't get the manual fuzz test to trip it. Also, I can no longer get the unit-test itself to trigger the UB either (which might explain quite a bit!). Not sure what's going on there :/
```
$ xxd crasher
0000000: 0700 0000 ffff ffff ffff ffff 4000 0000  ............@...
$ ./bin/llvm-apint-fuzzer crasher
INFO: Seed: 555293119
./bin/llvm-apint-fuzzer: Running 1 inputs 1 time(s) each.
Running: crasher
Executed crasher in 0 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***
```
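An added worked example, not the harness or the APInt code from this review: a stand-alone C++ sketch of a deterministic LLVMFuzzerTestOneInput that decodes a fixed 16-byte record and runs an arithmetic shift right on a narrow two's-complement value, handling a shift amount at or beyond the bitwidth without performing any C++ shift that is undefined. Reading the crasher bytes above as little-endian (bitwidth, value, shift amount), i.e. width 7, value all ones, shift 64, is an assumption about the input layout, as are the names ShiftCase, decodeCase, widthMask, safeAshr and kCrasherBytes. The main mirrors the `./fuzzer-binary crashy-file` invocation so the record can be replayed without libFuzzer.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Assumed fixed-layout fuzz record (hypothetical; not the review's format).
struct ShiftCase {
  uint32_t bitWidth;  // expected 1..64
  uint64_t value;     // only the low bitWidth bits are meaningful
  uint32_t shiftAmt;  // any value, including >= bitWidth
};

// The crasher bytes shown in the xxd output above, embedded here so the
// example runs offline (constructed from that listing).
static const uint8_t kCrasherBytes[16] = {
    0x07, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x40, 0x00, 0x00, 0x00};

// Decode one little-endian record; false if the input is too short.
// memcpy (not a cast) avoids unaligned access; host is assumed little-endian.
static bool decodeCase(const uint8_t *data, size_t size, ShiftCase &out) {
  if (size < sizeof(uint32_t) + sizeof(uint64_t) + sizeof(uint32_t)) return false;
  std::memcpy(&out.bitWidth, data, 4);
  std::memcpy(&out.value, data + 4, 8);
  std::memcpy(&out.shiftAmt, data + 12, 4);
  return true;
}

// Mask selecting the low bitWidth bits; computed without a 64-bit shift by 64.
static uint64_t widthMask(uint32_t bitWidth) {
  return bitWidth >= 64 ? ~0ULL : ((1ULL << bitWidth) - 1);
}

// Arithmetic shift right of a bitWidth-wide value held in a uint64_t.
// Two hazards are avoided on purpose: shifting the raw word by >= 64 and
// left-shifting a signed value to sign-extend it (both undefined in C++).
// A shift by bitWidth or more is handled explicitly as "all sign bits".
static uint64_t safeAshr(uint32_t bitWidth, uint64_t value, uint32_t shiftAmt) {
  assert(bitWidth >= 1 && bitWidth <= 64);
  const uint64_t mask = widthMask(bitWidth);
  value &= mask;
  const bool negative = (value >> (bitWidth - 1)) & 1;
  if (shiftAmt >= bitWidth) return negative ? mask : 0;
  uint64_t shifted = value >> shiftAmt;  // logical shift, shiftAmt < bitWidth <= 64
  if (negative) {
    // Ones in bit positions [bitWidth - shiftAmt, bitWidth): the vacated high bits.
    shifted |= mask & ~(mask >> shiftAmt);
  }
  return shifted;
}

// One input maps to exactly one test: out-of-range widths are rejected rather
// than clamped or otherwise reinterpreted, so a saved crasher replays the same
// computation the fuzzer saw. A UBSan build would flag any UB inside safeAshr.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  ShiftCase c;
  if (!decodeCase(data, size, c)) return 0;
  if (c.bitWidth < 1 || c.bitWidth > 64) return 0;
  const uint64_t mask = widthMask(c.bitWidth);
  const uint64_t r = safeAshr(c.bitWidth, c.value, c.shiftAmt);
  const bool negative = ((c.value & mask) >> (c.bitWidth - 1)) & 1;
  assert((r & ~mask) == 0);  // never produces bits outside the width
  if (c.shiftAmt >= c.bitWidth) assert(r == (negative ? mask : 0));
  if (c.shiftAmt == 0) assert(r == (c.value & mask));
  return 0;
}

// Replay a saved input the way `./fuzzer-binary crashy-file` does.
int main(int argc, char **argv) {
  std::vector<uint8_t> buf(kCrasherBytes, kCrasherBytes + sizeof(kCrasherBytes));
  if (argc > 1) {
    FILE *f = std::fopen(argv[1], "rb");
    if (!f) { std::perror(argv[1]); return 1; }
    buf.clear();
    uint8_t chunk[4096];
    size_t n;
    while ((n = std::fread(chunk, 1, sizeof chunk, f)) > 0) buf.insert(buf.end(), chunk, chunk + n);
    std::fclose(f);
  }
  std::printf("Running %zu bytes\n", buf.size());
  return LLVMFuzzerTestOneInput(buf.data(), buf.size());
}
```

With the crasher record decoded as width 7, value -1, shift 64, the shift amount exceeds the width, so safeAshr takes the explicit sign-fill path and returns 0x7f instead of shifting a 64-bit word by 64.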
Inline comment on lib/Fuzzer/CMakeLists.txt, line 7:
Not sure I understand this... what did you have in mind here?
> Even with the fixes though, I can't get the manual fuzz test to trip it. Also, I can no longer get the unit-test itself to trigger the UB either (which might explain quite a bit!). Not sure what's going on there :/

Weird.
Can you trigger the bug if you revert to the buggy revision?
Inline comment on lib/Fuzzer/CMakeLists.txt, line 7:
You don't have to allow asan *or* ubsan in the cmake file.
Also change the error message.