This is an archive of the discontinued LLVM Phabricator instance.

Differential D28890

[libFuzzer] Fix minimize_crash issues.
AcceptedPublic

Authored by ochang on Jan 18 2017, 9:51 PM.

Details

Reviewers
aizatsky
Summary
  • Make size limits in minimize_crash more consistent.
  • Fix small enough units not being written to exact_artifact_path.

Diff Detail

Event Timeline

ochang created this revision.Jan 18 2017, 9:51 PM
ochang edited the summary of this revision. (Show Details)
ochang added inline comments.Jan 18 2017, 10:05 PM
FuzzerDriver.cpp
349

The loop in MinimizeCrashInput has this check:

if (U.size() < 2) {
  ...
  Printf("CRASH_MIN: '%s' is small enough\n", CurrentFilePath.c_str());

So this assert gets hit when the current item is size 2.

aizatsky accepted this revision.Jan 19 2017, 8:33 AM
aizatsky added a subscriber: aizatsky.

Do you need help landing it?

FuzzerDriver.cpp
303

pls change the summary to say smth like "saving small enough units". As far as I can see the issue was bigger than just artifact_path thing.

This revision is now accepted and ready to land.Jan 19 2017, 8:33 AM
ochang edited the summary of this revision. (Show Details)Jan 19 2017, 9:52 AM

Thanks for reviewing! Please help with landing this. I have no idea how to do so (or even if I can).

Revision Contents

PathSize
6 lines
2 lines

Diff 84929

FuzzerDriver.cpp

Show First 20 LinesShow All 294 Lines▼ Show 20 Lines if (Flags.runs <= 0 && Flags.max_total_time == 0) {
BaseCmd += " -max_total_time=600"; BaseCmd += " -max_total_time=600";
} }
// BaseCmd += " > /dev/null 2>&1 "; // BaseCmd += " > /dev/null 2>&1 ";
std::string CurrentFilePath = InputFilePath; std::string CurrentFilePath = InputFilePath;
while (true) { while (true) {
Unit U = FileToVector(CurrentFilePath); Unit U = FileToVector(CurrentFilePath);
if (U.size() < 2) { if (U.size() < 2) {
if (Flags.exact_artifact_path) {
aizatskyUnsubmitted
Not Done
ReplyInline Actions

pls change the summary to say smth like "saving small enough units". As far as I can see the issue was bigger than just artifact_path thing.

aizatsky: pls change the summary to say smth like "saving small enough units". As far as I can see the…
CurrentFilePath = Flags.exact_artifact_path;
WriteToFile(U, CurrentFilePath);
}
Printf("CRASH_MIN: '%s' is small enough\n", CurrentFilePath.c_str()); Printf("CRASH_MIN: '%s' is small enough\n", CurrentFilePath.c_str());
return 0; return 0;
} }
Printf("CRASH_MIN: minimizing crash input: '%s' (%zd bytes)\n", Printf("CRASH_MIN: minimizing crash input: '%s' (%zd bytes)\n",
CurrentFilePath.c_str(), U.size()); CurrentFilePath.c_str(), U.size());
auto Cmd = BaseCmd + " " + CurrentFilePath; auto Cmd = BaseCmd + " " + CurrentFilePath;
Show All 26 Linesint MinimizeCrashInput(const std::vector<std::string> &Args) {
} }
return 0; return 0;
} }
int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) { int MinimizeCrashInputInternalStep(Fuzzer *F, InputCorpus *Corpus) {
assert(Inputs->size() == 1); assert(Inputs->size() == 1);
std::string InputFilePath = Inputs->at(0); std::string InputFilePath = Inputs->at(0);
Unit U = FileToVector(InputFilePath); Unit U = FileToVector(InputFilePath);
assert(U.size() > 2); assert(U.size() >= 2);
ochangAuthorUnsubmitted
Not Done
ReplyInline Actions

The loop in MinimizeCrashInput has this check:

if (U.size() < 2) {
  ...
  Printf("CRASH_MIN: '%s' is small enough\n", CurrentFilePath.c_str());

So this assert gets hit when the current item is size 2.

ochang: The loop in MinimizeCrashInput has this check: ``` if (U.size() < 2) { ... Printf…
Printf("INFO: Starting MinimizeCrashInputInternalStep: %zd\n", U.size()); Printf("INFO: Starting MinimizeCrashInputInternalStep: %zd\n", U.size());
Corpus->AddToCorpus(U, 0); Corpus->AddToCorpus(U, 0);
F->SetMaxInputLen(U.size()); F->SetMaxInputLen(U.size());
F->SetMaxMutationLen(U.size() - 1); F->SetMaxMutationLen(U.size() - 1);
F->MinimizeCrashLoop(U); F->MinimizeCrashLoop(U);
Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n"); Printf("INFO: Done MinimizeCrashInputInternalStep, no crashes found\n");
exit(0); exit(0);
return 0; return 0;
▲ Show 20 LinesShow All 195 LinesShow Last 20 Lines

FuzzerLoop.cpp

Show First 20 LinesShow All 786 Lines▼ Show 20 Lines while (true) {
MutateAndTestOne(); MutateAndTestOne();
} }
PrintStats("DONE ", "\n"); PrintStats("DONE ", "\n");
MD.PrintRecommendedDictionary(); MD.PrintRecommendedDictionary();
} }
void Fuzzer::MinimizeCrashLoop(const Unit &U) { void Fuzzer::MinimizeCrashLoop(const Unit &U) {
if (U.size() <= 2) return; if (U.size() < 2) return;
while (!TimedOut() && TotalNumberOfRuns < Options.MaxNumberOfRuns) { while (!TimedOut() && TotalNumberOfRuns < Options.MaxNumberOfRuns) {
MD.StartMutationSequence(); MD.StartMutationSequence();
memcpy(CurrentUnitData, U.data(), U.size()); memcpy(CurrentUnitData, U.data(), U.size());
for (int i = 0; i < Options.MutateDepth; i++) { for (int i = 0; i < Options.MutateDepth; i++) {
size_t NewSize = MD.Mutate(CurrentUnitData, U.size(), MaxMutationLen); size_t NewSize = MD.Mutate(CurrentUnitData, U.size(), MaxMutationLen);
assert(NewSize > 0 && NewSize <= MaxMutationLen); assert(NewSize > 0 && NewSize <= MaxMutationLen);
RunOne(CurrentUnitData, NewSize); RunOne(CurrentUnitData, NewSize);
TryDetectingAMemoryLeak(CurrentUnitData, NewSize, TryDetectingAMemoryLeak(CurrentUnitData, NewSize,
Show All 14 Lines