This is an archive of the discontinued LLVM Phabricator instance.

Differential D50264

[libFuzzer] Add unstable function printing to print_unstable_stats flag
ClosedPublic

Authored by kevinwkt on Aug 3 2018, 10:54 AM.

Details

Reviewers
Dor1s
metzman
morehouse
Commits
rG84a48271d4bc: [libFuzzer] Add unstable function printing to print_unstable_stats flag
rL339081: [libFuzzer] Add unstable function printing to print_unstable_stats flag
rCRT339081: [libFuzzer] Add unstable function printing to print_unstable_stats flag
Summary

There may be cases in which a user wants to know which part of their code is unstable.
We use ObservedFuncs and UnstableCounters to print at exit which of the ObservedFunctions
are unstable under the -print_unstable_stats flag.

Patch by Kyungtak Woo (@kevinwkt).

Diff Detail

Event Timeline

kevinwkt created this revision.Aug 3 2018, 10:54 AM
kevinwkt retitled this revision from Print Unstable Functions to [libFuzzer] Add print unstable function flag.
kevinwkt added reviewers: Dor1s, metzman.
Dor1s added a comment.Aug 3 2018, 12:32 PM

Very nice!

lib/fuzzer/FuzzerFlags.def
105 ↗(On Diff #159045)

Let's re-phrase a bit, maybe: "If 1, at exit print functions that have unstable coverage edges. Requires -handle_unstable!=0"

Still sounds bad to me though, hopefully Jonathan can help :)

lib/fuzzer/FuzzerLoop.cpp
361 ↗(On Diff #159045)

but we need some assertion mechanism to make sure it's not possible to use -print_unstable_funcs without -handle_unstable.

Another idea I have: can we re-use PrintUnstableStats flag for that? I think it doesn't need handle_unstable. Let's just print functions under that flag as well.

test/fuzzer/print-unstable-funcs.test
1 ↗(On Diff #159045)

It would be nice if we could have at least one function with arguments, just to make sure it also gets printed properly.

metzman added inline comments.Aug 3 2018, 12:36 PM
lib/fuzzer/FuzzerFlags.def
105 ↗(On Diff #159045)

Sounds pretty good actually. I would just change the ordering slightly:
"If 1, print functions that have unstable coverage edges at exit. Requires -handle_unstable = 1 or 2".
Will it work with print_unstable_stats?
I think an option that depends on another is bad, we should avoid this.

kevinwkt updated this revision to Diff 159106.EditedAug 3 2018, 3:22 PM

PTAL
Merged -print_unstable_stats with -print_unstable_funcs.
Added better test cases with arguments.

kevinwkt marked an inline comment as done.Aug 3 2018, 3:22 PM
Dor1s added a comment.Aug 6 2018, 9:20 AM

Please update the CL summary and description. LGTM, otherwise.

metzman accepted this revision.Aug 6 2018, 9:22 AM

LGTM with Max's suggested fix.

This revision is now accepted and ready to land.Aug 6 2018, 9:22 AM
kevinwkt retitled this revision from [libFuzzer] Add print unstable function flag to [libFuzzer] Add unstable function printing to print_unstable_stats flag.Aug 6 2018, 9:26 AM
kevinwkt edited the summary of this revision. (Show Details)
kevinwkt added a reviewer: morehouse.Aug 6 2018, 9:29 AM
morehouse added inline comments.Aug 6 2018, 11:10 AM
lib/fuzzer/FuzzerTracePC.cpp
358

Since we always print this along with PrintUnstableStats, let's move the implementation there.

test/fuzzer/PrintUnstableStatsTest.cpp
26

Why are these changes necessary?

test/fuzzer/print_unstable_stats.test
6

I thought IsUnstable is set if there's any mismatch at all. Which would mean the ini functions should have IsUnstable set.

20

Are these {{^}} and {{$}} necessary?

kevinwkt updated this revision to Diff 159342.Aug 6 2018, 11:30 AM
kevinwkt marked 3 inline comments as done.
morehouse added inline comments.Aug 6 2018, 11:48 AM
lib/fuzzer/FuzzerTracePC.cpp
384

Can we put the counter increment inside this lambda as well?

test/fuzzer/PrintUnstableStatsTest.cpp
26

Why are these changes necessary?

test/fuzzer/print_unstable_stats.test
6

I thought IsUnstable is set if there's any mismatch at all. Which would mean the ini functions should have IsUnstable set.

kevinwkt added inline comments.Aug 6 2018, 12:48 PM
test/fuzzer/PrintUnstableStatsTest.cpp
26

These changes were requested by Max so that we could verify that a function with parameters will be printed correctly. We can revert if needed.

test/fuzzer/print_unstable_stats.test
6

IsUnstable is set but because the hit count for ini functions are set to 0, they are not picked up for ObservedFunctions. Because those functions were technically "not observed", they are not printed. Basically, this would only print unstable functions that are not caused by "initialization".

20

During fuzzing libFuzzer prints information containing function names such as:
#11 NEW cov: 18 ft: 19 corp: 5/6b lim: 4 exec/s: 0 rss: 28Mb L: 1/2 MS: 1 ChangeBit-
NEW_FUNC[1/1]: 0x584710 in t3() /.../llvm2/projects/compiler-rt/test/fuzzer/PrintUnstableStatsTest.cpp:24
#48 NEW cov: 20 ft: 21 corp: 6/8b lim: 4 exec/s: 0 rss: 28Mb L: 2/2 MS: 2 EraseBytes-CrossOver-

I wanted to make sure it was getting the functions I was checking for and not for the examples above.

kevinwkt updated this revision to Diff 159374.EditedAug 6 2018, 1:09 PM
kevinwkt marked an inline comment as done.

ptal
Included counter increase for stability stats within the lambda.

morehouse added inline comments.Aug 6 2018, 1:38 PM
test/fuzzer/print_unstable_stats.test
20

The check for UNSTABLE_FUNCTIONS: ensures any following matches will come after the UNSTABLE_FUNCTIONS: line, so there shouldn't be any other output from libFuzzer that will match.

kevinwkt updated this revision to Diff 159382.EditedAug 6 2018, 1:44 PM
kevinwkt marked 7 inline comments as done.

ptal
Fixed print_unstable_stats tests to simplify regex.

test/fuzzer/print_unstable_stats.test
20

Yeah, you're right. Will take out.

morehouse accepted this revision.Aug 6 2018, 1:46 PM
Dor1s accepted this revision.Aug 6 2018, 3:40 PM

LGTM, will land soon

Dor1s edited the summary of this revision. (Show Details)Aug 6 2018, 4:00 PM
Dor1s added subscribers: kcc, llvm-commits.
Dor1s updated this revision to Diff 159428.Aug 6 2018, 4:14 PM

rebase and getting ready to land

Harbormaster completed remote builds in B21164: Diff 159428.Aug 6 2018, 4:14 PM
Herald added subscribers: Restricted Project, delcypher. · View Herald TranscriptAug 6 2018, 4:14 PM
Closed by commit rCRT339081: [libFuzzer] Add unstable function printing to print_unstable_stats flag (authored by Dor1s). · Explain WhyAug 6 2018, 4:14 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
fuzzer/
16 lines
test/
fuzzer/
12 lines
6 lines
20 lines

Diff 159429

lib/fuzzer/FuzzerTracePC.cpp

Show First 20 LinesShow All 345 Lines▼ Show 20 Lines if (EF->__sanitizer_dump_coverage) {
for (size_t i = 0; i < GetNumPCs(); i++) for (size_t i = 0; i < GetNumPCs(); i++)
PCsCopy[i] = PCs()[i] ? GetPreviousInstructionPc(PCs()[i]) : 0; PCsCopy[i] = PCs()[i] ? GetPreviousInstructionPc(PCs()[i]) : 0;
EF->__sanitizer_dump_coverage(PCsCopy.data(), PCsCopy.size()); EF->__sanitizer_dump_coverage(PCsCopy.data(), PCsCopy.size());
} }
} }
void TracePC::PrintUnstableStats() { void TracePC::PrintUnstableStats() {
size_t count = 0; size_t count = 0;
for (size_t i = 0; i < NumInline8bitCounters; i++) Printf("UNSTABLE_FUNCTIONS:\n");
if (UnstableCounters[i].IsUnstable) IterateInline8bitCounters([&](int i, int j, int UnstableIdx) {
const PCTableEntry &TE = ModulePCTable[i].Start[j];
if (UnstableCounters[UnstableIdx].IsUnstable) {
count++; count++;
morehouseUnsubmitted
Done
ReplyInline Actions

Since we always print this along with PrintUnstableStats, let's move the implementation there.

morehouse: Since we always print this along with `PrintUnstableStats`, let's move the implementation there.
if (ObservedFuncs.count(TE.PC)) {
auto VisualizePC = GetNextInstructionPc(TE.PC);
std::string FunctionStr = DescribePC("%F", VisualizePC);
if (FunctionStr.find("in ") == 0)
FunctionStr = FunctionStr.substr(3);
Printf("%s\n", FunctionStr.c_str());
}
}
});
Printf("stat::stability_rate: %.2f\n", Printf("stat::stability_rate: %.2f\n",
100 - static_cast<float>(count * 100) / NumInline8bitCounters); 100 - static_cast<float>(count * 100) / NumInline8bitCounters);
} }
// Value profile. // Value profile.
// We keep track of various values that affect control flow. // We keep track of various values that affect control flow.
// These values are inserted into a bit-set-based hash map. // These values are inserted into a bit-set-based hash map.
// Every new bit in the map is treated as a new coverage. // Every new bit in the map is treated as a new coverage.
// //
// For memcmp/strcmp/etc the interesting value is the length of the common // For memcmp/strcmp/etc the interesting value is the length of the common
// prefix of the parameters. // prefix of the parameters.
// For cmp instructions the interesting value is a XOR of the parameters. // For cmp instructions the interesting value is a XOR of the parameters.
// The interesting value is mixed up with the PC and is then added to the map. // The interesting value is mixed up with the PC and is then added to the map.
ATTRIBUTE_NO_SANITIZE_ALL ATTRIBUTE_NO_SANITIZE_ALL
void TracePC::AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2, void TracePC::AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
morehouseUnsubmitted
Done
ReplyInline Actions

Can we put the counter increment inside this lambda as well?

morehouse: Can we put the counter increment inside this lambda as well?
size_t n, bool StopAtZero) { size_t n, bool StopAtZero) {
if (!n) return; if (!n) return;
size_t Len = std::min(n, Word::GetMaxSize()); size_t Len = std::min(n, Word::GetMaxSize());
const uint8_t *A1 = reinterpret_cast<const uint8_t *>(s1); const uint8_t *A1 = reinterpret_cast<const uint8_t *>(s1);
const uint8_t *A2 = reinterpret_cast<const uint8_t *>(s2); const uint8_t *A2 = reinterpret_cast<const uint8_t *>(s2);
uint8_t B1[Word::kMaxSize]; uint8_t B1[Word::kMaxSize];
uint8_t B2[Word::kMaxSize]; uint8_t B2[Word::kMaxSize];
// Copy the data into locals in this non-msan-instrumented function // Copy the data into locals in this non-msan-instrumented function
▲ Show 20 LinesShow All 297 LinesShow Last 20 Lines

test/fuzzer/PrintUnstableStatsTest.cpp

Show All 12 Lines
__attribute__((noinline)) void det2() { x++; } __attribute__((noinline)) void det2() { x++; }
__attribute__((noinline)) void det3() { x++; } __attribute__((noinline)) void det3() { x++; }
__attribute__((noinline)) void det4() { x++; } __attribute__((noinline)) void det4() { x++; }
__attribute__((noinline)) void ini0() { x++; } __attribute__((noinline)) void ini0() { x++; }
__attribute__((noinline)) void ini1() { x++; } __attribute__((noinline)) void ini1() { x++; }
__attribute__((noinline)) void ini2() { x++; } __attribute__((noinline)) void ini2() { x++; }
__attribute__((noinline)) void t0() { x++; } __attribute__((noinline)) void t0(int a) { x += a; }
__attribute__((noinline)) void t1() { x++; } __attribute__((noinline)) void t1() { x++; }
__attribute__((noinline)) void t2() { x++; } __attribute__((noinline)) void t2(int a, int b) { x += a + b; }
__attribute__((noinline)) void t3() { x++; } __attribute__((noinline)) void t3() { x++; }
__attribute__((noinline)) void t4() { x++; } __attribute__((noinline)) void t4(int a, int b, int c) { x += a + b +c; }
morehouseUnsubmitted
Done
ReplyInline Actions

Why are these changes necessary?

morehouse: Why are these changes necessary?
kevinwktAuthorUnsubmitted
Done
ReplyInline Actions

These changes were requested by Max so that we could verify that a function with parameters will be printed correctly. We can revert if needed.

kevinwkt: These changes were requested by Max so that we could verify that a function with parameters…
morehouseUnsubmitted
Done
ReplyInline Actions

Why are these changes necessary?

morehouse: Why are these changes necessary?
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size == 1 && Data[0] == 'A' && !skip0) { if (Size == 1 && Data[0] == 'A' && !skip0) {
skip0 = true; skip0 = true;
ini0(); ini0();
} }
if (Size == 1 && Data[0] == 'B' && !skip1) { if (Size == 1 && Data[0] == 'B' && !skip1) {
skip1 = true; skip1 = true;
ini1(); ini1();
} }
if (Size == 1 && Data[0] == 'C' && !skip2) { if (Size == 1 && Data[0] == 'C' && !skip2) {
skip2 = true; skip2 = true;
ini2(); ini2();
} }
det0(); det0();
det1(); det1();
int a = rand(); int a = rand();
det2(); det2();
switch (a % 5) { switch (a % 5) {
case 0: case 0:
t0(); t0(a);
break; break;
case 1: case 1:
t1(); t1();
break; break;
case 2: case 2:
t2(); t2(a, a);
break; break;
case 3: case 3:
t3(); t3();
break; break;
case 4: case 4:
t4(); t4(a, a, a);
break; break;
default: default:
assert(false); assert(false);
} }
det3(); det3();
det4(); det4();
return 0; return 0;
} }

test/fuzzer/handle-unstable.test

# Tests -handle_unstable # Tests -handle_unstable
UNSUPPORTED: aarch64 UNSUPPORTED: aarch64
RUN: %cpp_compiler %S/PrintUnstableStatsTest.cpp -o %t-HandleUnstableTest RUN: %cpp_compiler %S/PrintUnstableStatsTest.cpp -o %t-HandleUnstableTest
; Normal ; Normal
RUN: %run %t-HandleUnstableTest -print_coverage=1 -runs=100000 2>&1 | FileCheck %s --check-prefix=NORMAL RUN: %run %t-HandleUnstableTest -print_coverage=1 -runs=100000 2>&1 | FileCheck %s --check-prefix=NORMAL
NORMAL-DAG: det0() NORMAL-DAG: det0()
NORMAL-DAG: det1() NORMAL-DAG: det1()
NORMAL-DAG: det2() NORMAL-DAG: det2()
NORMAL-DAG: det3() NORMAL-DAG: det3()
NORMAL-DAG: det4() NORMAL-DAG: det4()
NORMAL-DAG: ini0() NORMAL-DAG: ini0()
NORMAL-DAG: ini1() NORMAL-DAG: ini1()
NORMAL-DAG: ini2() NORMAL-DAG: ini2()
NORMAL-DAG: t0() NORMAL-DAG: t0(int)
NORMAL-DAG: t1() NORMAL-DAG: t1()
NORMAL-DAG: t2() NORMAL-DAG: t2(int, int)
NORMAL-DAG: t3() NORMAL-DAG: t3()
NORMAL-DAG: t4() NORMAL-DAG: t4(int, int, int)
; MinUnstable ; MinUnstable
RUN: %run %t-HandleUnstableTest -print_coverage=1 -handle_unstable=1 -runs=100000 2>&1 | FileCheck %s --check-prefix=MIN RUN: %run %t-HandleUnstableTest -print_coverage=1 -handle_unstable=1 -runs=100000 2>&1 | FileCheck %s --check-prefix=MIN
MIN-NOT: ini0() MIN-NOT: ini0()
MIN-NOT: ini1() MIN-NOT: ini1()
MIN-NOT: ini2() MIN-NOT: ini2()
MIN: det0() MIN: det0()
MIN: det1() MIN: det1()
Show All 14 Lines

test/fuzzer/print_unstable_stats.test

RUN: %cpp_compiler %S/PrintUnstableStatsTest.cpp -o %t-PrintUnstableStatsTest RUN: %cpp_compiler %S/PrintUnstableStatsTest.cpp -o %t-PrintUnstableStatsTest
RUN: %run %t-PrintUnstableStatsTest -print_unstable_stats=1 -runs=100000 2>&1 | FileCheck %s --check-prefix=LONG RUN: %run %t-PrintUnstableStatsTest -print_unstable_stats=1 -runs=100000 2>&1 | FileCheck %s --check-prefix=LONG
LONG: stat::stability_rate: 27.59 ; We do not observe ini functions since we take the minimum hit counts, and minimum hit counts for ini is 0.
LONG: UNSTABLE_FUNCTIONS:
LONG-NOT: det0()
morehouseUnsubmitted
Done
ReplyInline Actions

I thought IsUnstable is set if there's any mismatch at all. Which would mean the ini functions should have IsUnstable set.

morehouse: I thought `IsUnstable` is set if there's any mismatch at all. Which would mean the ini…
kevinwktAuthorUnsubmitted
Done
ReplyInline Actions

IsUnstable is set but because the hit count for ini functions are set to 0, they are not picked up for ObservedFunctions. Because those functions were technically "not observed", they are not printed. Basically, this would only print unstable functions that are not caused by "initialization".

kevinwkt: IsUnstable is set but because the hit count for ini functions are set to 0, they are not picked…
morehouseUnsubmitted
Done
ReplyInline Actions

I thought IsUnstable is set if there's any mismatch at all. Which would mean the ini functions should have IsUnstable set.

morehouse: I thought `IsUnstable` is set if there's any mismatch at all. Which would mean the ini…
LONG-NOT: det1()
LONG-NOT: det2()
LONG-NOT: det3()
LONG-NOT: det4()
LONG-NOT: ini0()
LONG-NOT: ini1()
LONG-NOT: ini2()
LONG-DAG: t0(int)
LONG-DAG: t1()
LONG-DAG: t2(int, int)
LONG-DAG: t3()
LONG-DAG: t4(int, int, int)
LONG-DAG: stat::stability_rate: 27.59
morehouseUnsubmitted
Done
ReplyInline Actions

Are these {{^}} and {{$}} necessary?

morehouse: Are these `{{^}}` and `{{$}}` necessary?
kevinwktAuthorUnsubmitted
Done
ReplyInline Actions

During fuzzing libFuzzer prints information containing function names such as:
#11 NEW cov: 18 ft: 19 corp: 5/6b lim: 4 exec/s: 0 rss: 28Mb L: 1/2 MS: 1 ChangeBit-
NEW_FUNC[1/1]: 0x584710 in t3() /.../llvm2/projects/compiler-rt/test/fuzzer/PrintUnstableStatsTest.cpp:24
#48 NEW cov: 20 ft: 21 corp: 6/8b lim: 4 exec/s: 0 rss: 28Mb L: 2/2 MS: 2 EraseBytes-CrossOver-

I wanted to make sure it was getting the functions I was checking for and not for the examples above.

kevinwkt: During fuzzing libFuzzer prints information containing function names such as: #11 NEW cov…
morehouseUnsubmitted
Done
ReplyInline Actions

The check for UNSTABLE_FUNCTIONS: ensures any following matches will come after the UNSTABLE_FUNCTIONS: line, so there shouldn't be any other output from libFuzzer that will match.

morehouse: The check for `UNSTABLE_FUNCTIONS:` ensures any following matches will come after the…
kevinwktAuthorUnsubmitted
Not Done
ReplyInline Actions

Yeah, you're right. Will take out.

kevinwkt: Yeah, you're right. Will take out.