This is an archive of the discontinued LLVM Phabricator instance.

Differential D68067

[libFuzzer] Dump trace and provide correct msg for overwritten input.
ClosedPublic

Authored by hctim on Sep 25 2019, 6:05 PM.

Details

Reviewers
morehouse
Dor1s
Commits
rGd1e222e552d9: [libFuzzer] Dump trace and provide correct msg for overwritten input.
rL373130: [libFuzzer] Dump trace and provide correct msg for overwritten input.
rCRT373130: [libFuzzer] Dump trace and provide correct msg for overwritten input.
Summary

Now crashes with a stacktrace and uses 'overwrites-const-input' as the error
message instead of 'out-of-memory'.

Diff Detail

Event Timeline

hctim created this revision.Sep 25 2019, 6:05 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptSep 25 2019, 6:05 PM
Herald added subscribers: llvm-commits, Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B38569: Diff 221874.Sep 25 2019, 6:05 PM
morehouse added inline comments.Sep 25 2019, 6:18 PM
compiler-rt/lib/fuzzer/FuzzerLoop.cpp
518

I don't see a benefit to printing this stack trace -- it will always be in libFuzzer code.

521

Also not sure if stats are actually valuable. Overwriting the input means there's a bug in the fuzz target, probably not the library being fuzzed.

Dor1s accepted this revision.Sep 25 2019, 9:25 PM

I think Matt is right, but I wouldn't mind to have the stacktrace and stats just to be consistent with the other crashes. Also, having a stacktrace should increase the chances that such a crash would be handled by fuzzing infrastructure and reported to people.

This revision is now accepted and ready to land.Sep 25 2019, 9:25 PM
hctim marked 2 inline comments as done.Sep 26 2019, 11:44 AM
hctim added inline comments.
compiler-rt/lib/fuzzer/FuzzerLoop.cpp
518

From @Dor1s above - it may be nice to have just for consistency's sake.

521

Not necessarily, they could const_cast away deep in a library and mangle the data down there.

morehouse accepted this revision.Sep 27 2019, 2:42 PM

LGTM

Closed by commit rL373130: [libFuzzer] Dump trace and provide correct msg for overwritten input. (authored by hctim). · Explain WhySep 27 2019, 3:03 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: delcypher. · View Herald TranscriptSep 27 2019, 3:03 PM

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
4 lines

Diff 221874

compiler-rt/lib/fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 509 Lines▼ Show 20 Linessize_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const {
assert(InFuzzingThread()); assert(InFuzzingThread());
*Data = CurrentUnitData; *Data = CurrentUnitData;
return CurrentUnitSize; return CurrentUnitSize;
} }
void Fuzzer::CrashOnOverwrittenData() { void Fuzzer::CrashOnOverwrittenData() {
Printf("==%d== ERROR: libFuzzer: fuzz target overwrites its const input\n", Printf("==%d== ERROR: libFuzzer: fuzz target overwrites its const input\n",
GetPid()); GetPid());
PrintStackTrace();
morehouseUnsubmitted
Not Done
ReplyInline Actions

I don't see a benefit to printing this stack trace -- it will always be in libFuzzer code.

morehouse: I don't see a benefit to printing this stack trace -- it will always be in libFuzzer code.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

From @Dor1s above - it may be nice to have just for consistency's sake.

hctim: From @Dor1s above - it may be nice to have just for consistency's sake.
Printf("SUMMARY: libFuzzer: overwrites-const-input\n");
DumpCurrentUnit("crash-"); DumpCurrentUnit("crash-");
Printf("SUMMARY: libFuzzer: out-of-memory\n"); PrintFinalStats();
morehouseUnsubmitted
Not Done
ReplyInline Actions

Also not sure if stats are actually valuable. Overwriting the input means there's a bug in the fuzz target, probably not the library being fuzzed.

morehouse: Also not sure if stats are actually valuable. Overwriting the input means there's a bug in the…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Not necessarily, they could const_cast away deep in a library and mangle the data down there.

hctim: Not necessarily, they could `const_cast` away deep in a library and mangle the data down there.
_Exit(Options.ErrorExitCode); // Stop right now. _Exit(Options.ErrorExitCode); // Stop right now.
} }
// Compare two arrays, but not all bytes if the arrays are large. // Compare two arrays, but not all bytes if the arrays are large.
static bool LooseMemeq(const uint8_t *A, const uint8_t *B, size_t Size) { static bool LooseMemeq(const uint8_t *A, const uint8_t *B, size_t Size) {
const size_t Limit = 64; const size_t Limit = 64;
if (Size <= 64) if (Size <= 64)
return !memcmp(A, B, Size); return !memcmp(A, B, Size);
▲ Show 20 LinesShow All 341 LinesShow Last 20 Lines