This is an archive of the discontinued LLVM Phabricator instance.

Differential D46277

[libFuzzer] Report at most one crash per input.
ClosedPublic

Authored by morehouse on Apr 30 2018, 11:15 AM.

Details

Reviewers
kcc
Commits
rG52fd16903569: [libFuzzer] Report at most one crash per input.
rCRT331310: [libFuzzer] Report at most one crash per input.
rL331310: [libFuzzer] Report at most one crash per input.
Summary

Fixes https://github.com/google/sanitizers/issues/788/, a deadlock
caused by multiple crashes happening at the same time. Before printing
a crash report, we now test and set an atomic flag. If the flag was
already set, the crash handler returns immediately.

Diff Detail

Repository
rL LLVM

Event Timeline

morehouse created this revision.Apr 30 2018, 11:15 AM
Harbormaster completed remote builds in B17544: Diff 144595.Apr 30 2018, 11:15 AM
Herald added a subscriber: kubamracek. · View Herald TranscriptApr 30 2018, 11:15 AM
kcc added inline comments.May 1 2018, 12:19 PM
compiler-rt/lib/asan/asan_report.cc
137 ↗(On Diff #144595)

Will check-asan pass with this?
__sanitizer_acquire_crash_state is weak, and is not defined w/o libFuzzer, so you should get a null deref here. No?

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
382 ↗(On Diff #144595)

I was thinking about implementing this function in sanitizer_common, and not making it weak.

morehouse added inline comments.May 1 2018, 12:26 PM
compiler-rt/lib/asan/asan_report.cc
137 ↗(On Diff #144595)

check-asan passes. This is defined weakly in sanitizer_common.cc, so it shouldn't be a nullptr.

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
382 ↗(On Diff #144595)

I defined it weakly in sanitizer_common.cc so that recovery mode shouldn't be affected.

kcc added inline comments.May 1 2018, 12:51 PM
compiler-rt/lib/asan/asan_report.cc
137 ↗(On Diff #144595)

I would rather define this function (non-weak) in sanitizer_common and check halt_on_error_ before calling it there.
This will make it work with the recovery mode. Right?

morehouse updated this revision to Diff 144770.May 1 2018, 1:16 PM
  • Define __sanitizer_acquire_crash_state() in sanitizer_common.
morehouse marked an inline comment as done.May 1 2018, 1:16 PM
kcc added inline comments.May 1 2018, 1:21 PM
compiler-rt/lib/sanitizer_common/sanitizer_common.cc
353 ↗(On Diff #144770)

redundant empty line

compiler-rt/lib/sanitizer_common/sanitizer_interface_internal.h
59 ↗(On Diff #144770)

Since this is used by libFuzzer, it's not an internal interface, but a public one, so move it to include/sanitizer/common_interface_defs.h
Also, make it return int, to make more C-friendly, update the comment accordingly.

compiler-rt/test/fuzzer/AcquireCrashStateTest.cpp
10 ↗(On Diff #144770)

Instead of this, include sanitizer/common_interface_defs.h

morehouse updated this revision to Diff 144776.May 1 2018, 1:44 PM
  • Add __sanitizer_acquire_crash_state to public interface.
Harbormaster completed remote builds in B17586: Diff 144776.May 1 2018, 1:45 PM
morehouse marked 3 inline comments as done.May 1 2018, 1:46 PM
morehouse added inline comments.
compiler-rt/lib/sanitizer_common/sanitizer_interface_internal.h
59 ↗(On Diff #144770)

Still kept this declaration also, following the pattern of other public interfaces that are defined internally.

kcc accepted this revision.May 1 2018, 1:49 PM

LGTM

This revision is now accepted and ready to land.May 1 2018, 1:49 PM
Closed by commit rL331310: [libFuzzer] Report at most one crash per input. (authored by morehouse). · Explain WhyMay 1 2018, 2:06 PM
This revision was automatically updated to reflect the committed changes.
morehouse marked an inline comment as done.
Herald added a subscriber: delcypher. · View Herald TranscriptMay 1 2018, 2:06 PM

Revision Contents

PathSize
compiler-rt/
trunk/
include/
sanitizer/
5 lines
lib/
asan/
4 lines
fuzzer/
1 line
12 lines
sanitizer_common/
7 lines
1 line
6 lines
test/
fuzzer/
18 lines
3 lines

Diff 144781

compiler-rt/trunk/include/sanitizer/common_interface_defs.h

Show First 20 LinesShow All 59 Lines▼ Show 20 Lines#endif
// to replace plain unaligned loads/stores with these calls. // to replace plain unaligned loads/stores with these calls.
uint16_t __sanitizer_unaligned_load16(const void *p); uint16_t __sanitizer_unaligned_load16(const void *p);
uint32_t __sanitizer_unaligned_load32(const void *p); uint32_t __sanitizer_unaligned_load32(const void *p);
uint64_t __sanitizer_unaligned_load64(const void *p); uint64_t __sanitizer_unaligned_load64(const void *p);
void __sanitizer_unaligned_store16(void *p, uint16_t x); void __sanitizer_unaligned_store16(void *p, uint16_t x);
void __sanitizer_unaligned_store32(void *p, uint32_t x); void __sanitizer_unaligned_store32(void *p, uint32_t x);
void __sanitizer_unaligned_store64(void *p, uint64_t x); void __sanitizer_unaligned_store64(void *p, uint64_t x);
// Returns 1 on the first call, then returns 0 thereafter. Called by the tool
// to ensure only one report is printed when multiple errors occur
// simultaneously.
int __sanitizer_acquire_crash_state();
// Annotate the current state of a contiguous container, such as // Annotate the current state of a contiguous container, such as
// std::vector, std::string or similar. // std::vector, std::string or similar.
// A contiguous container is a container that keeps all of its elements // A contiguous container is a container that keeps all of its elements
// in a contiguous region of memory. The container owns the region of memory // in a contiguous region of memory. The container owns the region of memory
// [beg, end); the memory [beg, mid) is used to store the current elements // [beg, end); the memory [beg, mid) is used to store the current elements
// and the memory [mid, end) is reserved for future elements; // and the memory [mid, end) is reserved for future elements;
// beg <= mid <= end. For example, in "std::vector<> v" // beg <= mid <= end. For example, in "std::vector<> v"
// beg = &v[0]; // beg = &v[0];
▲ Show 20 LinesShow All 123 LinesShow Last 20 Lines

compiler-rt/trunk/lib/asan/asan_report.cc

Show First 20 LinesShow All 128 Lines▼ Show 20 Lines explicit ScopedInErrorReport(bool fatal = false)
// We can lock them only here to avoid self-deadlock in case of // We can lock them only here to avoid self-deadlock in case of
// recursive reports. // recursive reports.
asanThreadRegistry().Lock(); asanThreadRegistry().Lock();
Printf( Printf(
"=================================================================\n"); "=================================================================\n");
} }
~ScopedInErrorReport() { ~ScopedInErrorReport() {
if (halt_on_error_ && !__sanitizer_acquire_crash_state()) {
asanThreadRegistry().Unlock();
return;
}
ASAN_ON_ERROR(); ASAN_ON_ERROR();
if (current_error_.IsValid()) current_error_.Print(); if (current_error_.IsValid()) current_error_.Print();
// Make sure the current thread is announced. // Make sure the current thread is announced.
DescribeThread(GetCurrentThread()); DescribeThread(GetCurrentThread());
// We may want to grab this lock again when printing stats. // We may want to grab this lock again when printing stats.
asanThreadRegistry().Unlock(); asanThreadRegistry().Unlock();
// Print memory stats. // Print memory stats.
▲ Show 20 LinesShow All 396 LinesShow Last 20 Lines

compiler-rt/trunk/lib/fuzzer/FuzzerExtFunctions.def

Show All 23 LinesEXT_FUNC(LLVMFuzzerCustomCrossOver, size_t,
const uint8_t * Data2, size_t Size2, const uint8_t * Data2, size_t Size2,
uint8_t * Out, size_t MaxOutSize, unsigned int Seed), uint8_t * Out, size_t MaxOutSize, unsigned int Seed),
false); false);
// Sanitizer functions // Sanitizer functions
EXT_FUNC(__lsan_enable, void, (), false); EXT_FUNC(__lsan_enable, void, (), false);
EXT_FUNC(__lsan_disable, void, (), false); EXT_FUNC(__lsan_disable, void, (), false);
EXT_FUNC(__lsan_do_recoverable_leak_check, int, (), false); EXT_FUNC(__lsan_do_recoverable_leak_check, int, (), false);
EXT_FUNC(__sanitizer_acquire_crash_state, bool, (), true);
EXT_FUNC(__sanitizer_install_malloc_and_free_hooks, int, EXT_FUNC(__sanitizer_install_malloc_and_free_hooks, int,
(void (*malloc_hook)(const volatile void *, size_t), (void (*malloc_hook)(const volatile void *, size_t),
void (*free_hook)(const volatile void *)), void (*free_hook)(const volatile void *)),
false); false);
EXT_FUNC(__sanitizer_purge_allocator, void, (), false); EXT_FUNC(__sanitizer_purge_allocator, void, (), false);
EXT_FUNC(__sanitizer_print_memory_profile, int, (size_t, size_t), false); EXT_FUNC(__sanitizer_print_memory_profile, int, (size_t, size_t), false);
EXT_FUNC(__sanitizer_print_stack_trace, void, (), true); EXT_FUNC(__sanitizer_print_stack_trace, void, (), true);
EXT_FUNC(__sanitizer_symbolize_pc, void, EXT_FUNC(__sanitizer_symbolize_pc, void,
(void *, const char *fmt, char *out_buf, size_t out_buf_size), false); (void *, const char *fmt, char *out_buf, size_t out_buf_size), false);
EXT_FUNC(__sanitizer_get_module_and_offset_for_pc, int, EXT_FUNC(__sanitizer_get_module_and_offset_for_pc, int,
(void *pc, char *module_path, (void *pc, char *module_path,
size_t module_path_len,void **pc_offset), false); size_t module_path_len,void **pc_offset), false);
EXT_FUNC(__sanitizer_set_death_callback, void, (void (*)(void)), true); EXT_FUNC(__sanitizer_set_death_callback, void, (void (*)(void)), true);
EXT_FUNC(__sanitizer_set_report_fd, void, (void*), false); EXT_FUNC(__sanitizer_set_report_fd, void, (void*), false);
EXT_FUNC(__sanitizer_dump_coverage, void, (const uintptr_t *, uintptr_t), EXT_FUNC(__sanitizer_dump_coverage, void, (const uintptr_t *, uintptr_t),
false); false);

compiler-rt/trunk/lib/fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 222 Lines▼ Show 20 Lines
} }
void Fuzzer::StaticFileSizeExceedCallback() { void Fuzzer::StaticFileSizeExceedCallback() {
Printf("==%lu== ERROR: libFuzzer: file size exceeded\n", GetPid()); Printf("==%lu== ERROR: libFuzzer: file size exceeded\n", GetPid());
exit(1); exit(1);
} }
void Fuzzer::CrashCallback() { void Fuzzer::CrashCallback() {
if (EF->__sanitizer_acquire_crash_state &&
!EF->__sanitizer_acquire_crash_state())
return;
Printf("==%lu== ERROR: libFuzzer: deadly signal\n", GetPid()); Printf("==%lu== ERROR: libFuzzer: deadly signal\n", GetPid());
if (EF->__sanitizer_print_stack_trace) if (EF->__sanitizer_print_stack_trace)
EF->__sanitizer_print_stack_trace(); EF->__sanitizer_print_stack_trace();
Printf("NOTE: libFuzzer has rudimentary signal handlers.\n" Printf("NOTE: libFuzzer has rudimentary signal handlers.\n"
" Combine libFuzzer with AddressSanitizer or similar for better " " Combine libFuzzer with AddressSanitizer or similar for better "
"crash reports.\n"); "crash reports.\n");
Printf("SUMMARY: libFuzzer: deadly signal\n"); Printf("SUMMARY: libFuzzer: deadly signal\n");
DumpCurrentUnit("crash-"); DumpCurrentUnit("crash-");
PrintFinalStats(); PrintFinalStats();
_Exit(Options.ErrorExitCode); // Stop right now. _Exit(Options.ErrorExitCode); // Stop right now.
} }
void Fuzzer::ExitCallback() { void Fuzzer::ExitCallback() {
if (!RunningCB) if (!RunningCB)
return; // This exit did not come from the user callback return; // This exit did not come from the user callback
if (EF->__sanitizer_acquire_crash_state &&
!EF->__sanitizer_acquire_crash_state())
return;
Printf("==%lu== ERROR: libFuzzer: fuzz target exited\n", GetPid()); Printf("==%lu== ERROR: libFuzzer: fuzz target exited\n", GetPid());
if (EF->__sanitizer_print_stack_trace) if (EF->__sanitizer_print_stack_trace)
EF->__sanitizer_print_stack_trace(); EF->__sanitizer_print_stack_trace();
Printf("SUMMARY: libFuzzer: fuzz target exited\n"); Printf("SUMMARY: libFuzzer: fuzz target exited\n");
DumpCurrentUnit("crash-"); DumpCurrentUnit("crash-");
PrintFinalStats(); PrintFinalStats();
_Exit(Options.ErrorExitCode); _Exit(Options.ErrorExitCode);
} }
Show All 23 Lines if (!RunningCB)
return; // We have not started running units yet. return; // We have not started running units yet.
size_t Seconds = size_t Seconds =
duration_cast<seconds>(system_clock::now() - UnitStartTime).count(); duration_cast<seconds>(system_clock::now() - UnitStartTime).count();
if (Seconds == 0) if (Seconds == 0)
return; return;
if (Options.Verbosity >= 2) if (Options.Verbosity >= 2)
Printf("AlarmCallback %zd\n", Seconds); Printf("AlarmCallback %zd\n", Seconds);
if (Seconds >= (size_t)Options.UnitTimeoutSec) { if (Seconds >= (size_t)Options.UnitTimeoutSec) {
if (EF->__sanitizer_acquire_crash_state &&
!EF->__sanitizer_acquire_crash_state())
return;
Printf("ALARM: working on the last Unit for %zd seconds\n", Seconds); Printf("ALARM: working on the last Unit for %zd seconds\n", Seconds);
Printf(" and the timeout value is %d (use -timeout=N to change)\n", Printf(" and the timeout value is %d (use -timeout=N to change)\n",
Options.UnitTimeoutSec); Options.UnitTimeoutSec);
DumpCurrentUnit("timeout-"); DumpCurrentUnit("timeout-");
Printf("==%lu== ERROR: libFuzzer: timeout after %d seconds\n", GetPid(), Printf("==%lu== ERROR: libFuzzer: timeout after %d seconds\n", GetPid(),
Seconds); Seconds);
if (EF->__sanitizer_print_stack_trace) if (EF->__sanitizer_print_stack_trace)
EF->__sanitizer_print_stack_trace(); EF->__sanitizer_print_stack_trace();
Printf("SUMMARY: libFuzzer: timeout\n"); Printf("SUMMARY: libFuzzer: timeout\n");
PrintFinalStats(); PrintFinalStats();
_Exit(Options.TimeoutExitCode); // Stop right now. _Exit(Options.TimeoutExitCode); // Stop right now.
} }
} }
void Fuzzer::RssLimitCallback() { void Fuzzer::RssLimitCallback() {
if (EF->__sanitizer_acquire_crash_state &&
!EF->__sanitizer_acquire_crash_state())
return;
Printf( Printf(
"==%lu== ERROR: libFuzzer: out-of-memory (used: %zdMb; limit: %zdMb)\n", "==%lu== ERROR: libFuzzer: out-of-memory (used: %zdMb; limit: %zdMb)\n",
GetPid(), GetPeakRSSMb(), Options.RssLimitMb); GetPid(), GetPeakRSSMb(), Options.RssLimitMb);
Printf(" To change the out-of-memory limit use -rss_limit_mb=<N>\n\n"); Printf(" To change the out-of-memory limit use -rss_limit_mb=<N>\n\n");
if (EF->__sanitizer_print_memory_profile) if (EF->__sanitizer_print_memory_profile)
EF->__sanitizer_print_memory_profile(95, 8); EF->__sanitizer_print_memory_profile(95, 8);
DumpCurrentUnit("oom-"); DumpCurrentUnit("oom-");
Printf("SUMMARY: libFuzzer: out-of-memory\n"); Printf("SUMMARY: libFuzzer: out-of-memory\n");
▲ Show 20 LinesShow All 532 LinesShow Last 20 Lines

compiler-rt/trunk/lib/sanitizer_common/sanitizer_common.cc

//===-- sanitizer_common.cc -----------------------------------------------===// //===-- sanitizer_common.cc -----------------------------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file is shared between AddressSanitizer and ThreadSanitizer // This file is shared between AddressSanitizer and ThreadSanitizer
// run-time libraries. // run-time libraries.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "sanitizer_common.h" #include "sanitizer_common.h"
#include "sanitizer_allocator_interface.h" #include "sanitizer_allocator_interface.h"
#include "sanitizer_allocator_internal.h" #include "sanitizer_allocator_internal.h"
#include "sanitizer_atomic.h"
#include "sanitizer_flags.h" #include "sanitizer_flags.h"
#include "sanitizer_libc.h" #include "sanitizer_libc.h"
#include "sanitizer_placement_new.h" #include "sanitizer_placement_new.h"
namespace __sanitizer { namespace __sanitizer {
const char *SanitizerToolName = "SanitizerTool"; const char *SanitizerToolName = "SanitizerTool";
▲ Show 20 LinesShow All 314 Lines▼ Show 20 Lines
extern "C" { extern "C" {
SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_report_error_summary, SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_report_error_summary,
const char *error_summary) { const char *error_summary) {
Printf("%s\n", error_summary); Printf("%s\n", error_summary);
} }
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
int __sanitizer_acquire_crash_state() {
static atomic_uint8_t in_crash_state = {};
return !atomic_exchange(&in_crash_state, 1, memory_order_relaxed);
}
SANITIZER_INTERFACE_ATTRIBUTE
void __sanitizer_set_death_callback(void (*callback)(void)) { void __sanitizer_set_death_callback(void (*callback)(void)) {
SetUserDieCallback(callback); SetUserDieCallback(callback);
} }
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
int __sanitizer_install_malloc_and_free_hooks(void (*malloc_hook)(const void *, int __sanitizer_install_malloc_and_free_hooks(void (*malloc_hook)(const void *,
uptr), uptr),
void (*free_hook)(const void *)) { void (*free_hook)(const void *)) {
return InstallMallocFreeHooks(malloc_hook, free_hook); return InstallMallocFreeHooks(malloc_hook, free_hook);
} }
} // extern "C" } // extern "C"

compiler-rt/trunk/lib/sanitizer_common/sanitizer_common_interface.inc

//===-- sanitizer_common_interface.inc ------------------------------------===// //===-- sanitizer_common_interface.inc ------------------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Sanitizer Common interface list. // Sanitizer Common interface list.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
INTERFACE_FUNCTION(__sanitizer_acquire_crash_state)
INTERFACE_FUNCTION(__sanitizer_annotate_contiguous_container) INTERFACE_FUNCTION(__sanitizer_annotate_contiguous_container)
INTERFACE_FUNCTION(__sanitizer_contiguous_container_find_bad_address) INTERFACE_FUNCTION(__sanitizer_contiguous_container_find_bad_address)
INTERFACE_FUNCTION(__sanitizer_set_death_callback) INTERFACE_FUNCTION(__sanitizer_set_death_callback)
INTERFACE_FUNCTION(__sanitizer_set_report_path) INTERFACE_FUNCTION(__sanitizer_set_report_path)
INTERFACE_FUNCTION(__sanitizer_set_report_fd) INTERFACE_FUNCTION(__sanitizer_set_report_fd)
INTERFACE_FUNCTION(__sanitizer_verify_contiguous_container) INTERFACE_FUNCTION(__sanitizer_verify_contiguous_container)
INTERFACE_WEAK_FUNCTION(__sanitizer_report_error_summary) INTERFACE_WEAK_FUNCTION(__sanitizer_report_error_summary)
INTERFACE_WEAK_FUNCTION(__sanitizer_sandbox_on_notify) INTERFACE_WEAK_FUNCTION(__sanitizer_sandbox_on_notify)
Show All 22 Lines

compiler-rt/trunk/lib/sanitizer_common/sanitizer_interface_internal.h

Show First 20 LinesShow All 46 Lines▼ Show 20 Linesextern "C" {
void __sanitizer_report_error_summary(const char *error_summary); void __sanitizer_report_error_summary(const char *error_summary);
SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_dump(); SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_dump();
SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_coverage( SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_coverage(
const __sanitizer::uptr *pcs, const __sanitizer::uptr len); const __sanitizer::uptr *pcs, const __sanitizer::uptr len);
SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_trace_pc_guard_coverage(); SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_trace_pc_guard_coverage();
SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov(__sanitizer::u32 *guard); SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov(__sanitizer::u32 *guard);
// Returns 1 on the first call, then returns 0 thereafter. Called by the tool
// to ensure only one report is printed when multiple errors occur
// simultaneously.
SANITIZER_INTERFACE_ATTRIBUTE int __sanitizer_acquire_crash_state();
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
void __sanitizer_annotate_contiguous_container(const void *beg, void __sanitizer_annotate_contiguous_container(const void *beg,
const void *end, const void *end,
const void *old_mid, const void *old_mid,
const void *new_mid); const void *new_mid);
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
int __sanitizer_verify_contiguous_container(const void *beg, const void *mid, int __sanitizer_verify_contiguous_container(const void *beg, const void *mid,
const void *end); const void *end);
▲ Show 20 LinesShow All 49 LinesShow Last 20 Lines

compiler-rt/trunk/test/fuzzer/AcquireCrashStateTest.cpp

// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Ensures that error reports are suppressed after
// __sanitizer_acquire_crash_state() has been called the first time.
#include "sanitizer/common_interface_defs.h"
#include <cassert>
#include <cstdint>
#include <cstdlib>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
assert(Data);
if (Size == 0) return 0;
__sanitizer_acquire_crash_state();
exit(0); // No report should be generated here.
}

compiler-rt/trunk/test/fuzzer/acquire-crash-state.test

RUN: %cpp_compiler %S/AcquireCrashStateTest.cpp -o %t
RUN: %t 2>&1 | FileCheck %s
CHECK-NOT: fuzz target exited