This is an archive of the discontinued LLVM Phabricator instance.

Differential D85359

[libFuzzer] Fix minimizing timeouts
ClosedPublic

Authored by iii on Aug 5 2020, 1:57 PM.

Details

Reviewers
kcc
morehouse
Commits
rG9df7ee34e1b5: [libFuzzer] Fix minimizing timeouts
Summary

When one tries to minimize timeouts using -minimize_crash=1,
minimization immediately fails. The following sequence of events is
responsible for this:

[parent] SIGALRM occurs
[parent] read() returns -EINTR (or -ERESTARTSYS according to strace)
[parent] fgets() returns NULL
[parent] ExecuteCommand() closes child's stdout and returns
[child ] SIGALRM occurs
[child ] AlarmCallback() attempts to write "ALARM: ..." to stdout
[child ] Dies with SIGPIPE without calling DumpCurrentUnit()
[parent] Does not see -exact_artifact_path and exits

When minimizing, the timer in parent is not necessary, so fix by not
setting it in this case.

Diff Detail

Event Timeline

iii created this revision.Aug 5 2020, 1:57 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 5 2020, 1:57 PM
Herald added subscribers: Restricted Project, kristof.beyls. · View Herald Transcript
iii requested review of this revision.Aug 5 2020, 1:57 PM
Harbormaster completed remote builds in B67191: Diff 283384.Aug 5 2020, 3:26 PM
kcc added a comment.Aug 6 2020, 10:51 AM

O, wow, thanks for catching this.
Could you please add a test (in compiler-rt/test/fuzzer) that would reliably fail currently
and reliably pass with this change?

iii updated this revision to Diff 284310.Aug 10 2020, 4:11 AM
  • Added a test.
  • Moved Alrm after Abrt in order to maintain the alphabetic order.
Harbormaster completed remote builds in B67692: Diff 284310.Aug 10 2020, 4:37 AM
iii added a comment.EditedAug 10 2020, 3:02 PM

The failing test is libFuzzer :: cleanse.test, but I don't think this is due to my patch - it doesn't fail locally, and it didn't fail the last time. I wonder if build machines do parallel builds? If yes, then the following code might be the culprit:

auto TmpFilePath = TempPath("CleanseCrashInput", ".repro");
...
for (int NumAttempts = 0; NumAttempts < 5; NumAttempts++) {
    ...
    for (auto NewByte : ReplacementBytes) {
      U[Idx] = NewByte;
      WriteToFile(U, TmpFilePath);
      auto ExitCode = ExecuteCommand(Cmd);
      RemoveFile(TmpFilePath);

After the file is removed, a parallel build might be reusing its name, causing all sorts of chaos.

kcc added a reviewer: morehouse.Aug 11 2020, 9:51 AM
morehouse accepted this revision.Aug 11 2020, 10:38 AM

LGTM

This revision is now accepted and ready to land.Aug 11 2020, 10:38 AM
This revision was landed with ongoing or failed builds.Aug 11 2020, 1:16 PM
Closed by commit rG9df7ee34e1b5: [libFuzzer] Fix minimizing timeouts (authored by iii). · Explain Why
This revision was automatically updated to reflect the committed changes.
iii added a commit: rG9df7ee34e1b5: [libFuzzer] Fix minimizing timeouts.

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
1 line
1 line
2 lines
2 lines
2 lines
test/
fuzzer/
6 lines

Diff 284869

compiler-rt/lib/fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 761 Lines▼ Show 20 Lines if (U.size() <= Word::GetMaxSize())
// Threads are only supported by Chrome. Don't use them with emscripten // Threads are only supported by Chrome. Don't use them with emscripten
// for now. // for now.
#if !LIBFUZZER_EMSCRIPTEN #if !LIBFUZZER_EMSCRIPTEN
StartRssThread(F, Flags.rss_limit_mb); StartRssThread(F, Flags.rss_limit_mb);
#endif // LIBFUZZER_EMSCRIPTEN #endif // LIBFUZZER_EMSCRIPTEN
Options.HandleAbrt = Flags.handle_abrt; Options.HandleAbrt = Flags.handle_abrt;
Options.HandleAlrm = !Flags.minimize_crash;
Options.HandleBus = Flags.handle_bus; Options.HandleBus = Flags.handle_bus;
Options.HandleFpe = Flags.handle_fpe; Options.HandleFpe = Flags.handle_fpe;
Options.HandleIll = Flags.handle_ill; Options.HandleIll = Flags.handle_ill;
Options.HandleInt = Flags.handle_int; Options.HandleInt = Flags.handle_int;
Options.HandleSegv = Flags.handle_segv; Options.HandleSegv = Flags.handle_segv;
Options.HandleTerm = Flags.handle_term; Options.HandleTerm = Flags.handle_term;
Options.HandleXfsz = Flags.handle_xfsz; Options.HandleXfsz = Flags.handle_xfsz;
Options.HandleUsr1 = Flags.handle_usr1; Options.HandleUsr1 = Flags.handle_usr1;
▲ Show 20 LinesShow All 93 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerOptions.h

Show First 20 LinesShow All 63 Lines▼ Show 20 Linesstruct FuzzingOptions {
bool PrintFinalStats = false; bool PrintFinalStats = false;
bool PrintCorpusStats = false; bool PrintCorpusStats = false;
bool PrintCoverage = false; bool PrintCoverage = false;
bool DumpCoverage = false; bool DumpCoverage = false;
bool DetectLeaks = true; bool DetectLeaks = true;
int PurgeAllocatorIntervalSec = 1; int PurgeAllocatorIntervalSec = 1;
int TraceMalloc = 0; int TraceMalloc = 0;
bool HandleAbrt = false; bool HandleAbrt = false;
bool HandleAlrm = false;
bool HandleBus = false; bool HandleBus = false;
bool HandleFpe = false; bool HandleFpe = false;
bool HandleIll = false; bool HandleIll = false;
bool HandleInt = false; bool HandleInt = false;
bool HandleSegv = false; bool HandleSegv = false;
bool HandleTerm = false; bool HandleTerm = false;
bool HandleXfsz = false; bool HandleXfsz = false;
bool HandleUsr1 = false; bool HandleUsr1 = false;
bool HandleUsr2 = false; bool HandleUsr2 = false;
}; };
} // namespace fuzzer } // namespace fuzzer
#endif // LLVM_FUZZER_OPTIONS_H #endif // LLVM_FUZZER_OPTIONS_H

compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp

Show First 20 LinesShow All 348 Lines▼ Show 20 Linesvoid SetSignalHandler(const FuzzingOptions &Options) {
char Buf[64]; char Buf[64];
memset(Buf, 0, sizeof(Buf)); memset(Buf, 0, sizeof(Buf));
snprintf(Buf, sizeof(Buf), "==%lu== INFO: libFuzzer starting.\n", GetPid()); snprintf(Buf, sizeof(Buf), "==%lu== INFO: libFuzzer starting.\n", GetPid());
if (EF->__sanitizer_log_write) if (EF->__sanitizer_log_write)
__sanitizer_log_write(Buf, sizeof(Buf)); __sanitizer_log_write(Buf, sizeof(Buf));
Printf("%s", Buf); Printf("%s", Buf);
// Set up alarm handler if needed. // Set up alarm handler if needed.
if (Options.UnitTimeoutSec > 0) { if (Options.HandleAlrm && Options.UnitTimeoutSec > 0) {
std::thread T(AlarmHandler, Options.UnitTimeoutSec / 2 + 1); std::thread T(AlarmHandler, Options.UnitTimeoutSec / 2 + 1);
T.detach(); T.detach();
} }
// Set up interrupt handler if needed. // Set up interrupt handler if needed.
if (Options.HandleInt || Options.HandleTerm) { if (Options.HandleInt || Options.HandleTerm) {
std::thread T(InterruptHandler); std::thread T(InterruptHandler);
T.detach(); T.detach();
▲ Show 20 LinesShow All 200 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp

Show First 20 LinesShow All 107 Lines▼ Show 20 Lines if (setitimer(ITIMER_REAL, &T, nullptr)) {
Printf("libFuzzer: setitimer failed with %d\n", errno); Printf("libFuzzer: setitimer failed with %d\n", errno);
exit(1); exit(1);
} }
SetSigaction(SIGALRM, AlarmHandler); SetSigaction(SIGALRM, AlarmHandler);
} }
void SetSignalHandler(const FuzzingOptions& Options) { void SetSignalHandler(const FuzzingOptions& Options) {
// setitimer is not implemented in emscripten. // setitimer is not implemented in emscripten.
if (Options.UnitTimeoutSec > 0 && !LIBFUZZER_EMSCRIPTEN) if (Options.HandleAlrm && Options.UnitTimeoutSec > 0 && !LIBFUZZER_EMSCRIPTEN)
SetTimer(Options.UnitTimeoutSec / 2 + 1); SetTimer(Options.UnitTimeoutSec / 2 + 1);
if (Options.HandleInt) if (Options.HandleInt)
SetSigaction(SIGINT, InterruptHandler); SetSigaction(SIGINT, InterruptHandler);
if (Options.HandleTerm) if (Options.HandleTerm)
SetSigaction(SIGTERM, InterruptHandler); SetSigaction(SIGTERM, InterruptHandler);
if (Options.HandleSegv) if (Options.HandleSegv)
SetSigaction(SIGSEGV, SegvHandler); SetSigaction(SIGSEGV, SegvHandler);
if (Options.HandleBus) if (Options.HandleBus)
▲ Show 20 LinesShow All 61 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerUtilWindows.cpp

Show First 20 LinesShow All 109 Lines▼ Show 20 Lines
static TimerQ Timer; static TimerQ Timer;
static void CrashHandler(int) { Fuzzer::StaticCrashSignalCallback(); } static void CrashHandler(int) { Fuzzer::StaticCrashSignalCallback(); }
void SetSignalHandler(const FuzzingOptions& Options) { void SetSignalHandler(const FuzzingOptions& Options) {
HandlerOpt = &Options; HandlerOpt = &Options;
if (Options.UnitTimeoutSec > 0) if (Options.HandleAlrm && Options.UnitTimeoutSec > 0)
Timer.SetTimer(Options.UnitTimeoutSec / 2 + 1); Timer.SetTimer(Options.UnitTimeoutSec / 2 + 1);
if (Options.HandleInt || Options.HandleTerm) if (Options.HandleInt || Options.HandleTerm)
if (!SetConsoleCtrlHandler(CtrlHandler, TRUE)) { if (!SetConsoleCtrlHandler(CtrlHandler, TRUE)) {
DWORD LastError = GetLastError(); DWORD LastError = GetLastError();
Printf("libFuzzer: SetConsoleCtrlHandler failed (Error code: %lu).\n", Printf("libFuzzer: SetConsoleCtrlHandler failed (Error code: %lu).\n",
LastError); LastError);
exit(1); exit(1);
▲ Show 20 LinesShow All 95 LinesShow Last 20 Lines

compiler-rt/test/fuzzer/minimize_timeout.test

  • This file was added.
RUN: %cpp_compiler %S/TimeoutTest.cpp -o %t-TimeoutTest
RUN: mkdir -p %t.dir
RUN: echo 'Hi!?' > %t.dir/not_minimal_timeout
RUN: %run %t-TimeoutTest -minimize_crash=1 %t.dir/not_minimal_timeout -timeout=1 -max_total_time=3 2>&1 | FileCheck %s
CHECK: CRASH_MIN: failed to minimize beyond {{.*}}minimized-from{{.*}} (3 bytes), exiting