This is an archive of the discontinued LLVM Phabricator instance.

Differential D85554

[libFuzzer] Fix arguments of InsertPartOf/CopyPartOf calls in CrossOver mutator.
ClosedPublic

Authored by dokyungs on Aug 7 2020, 1:46 PM.

Details

Reviewers
morehouse
kcc
hctim
Commits
rGc10e63677f5d: Recommit "[libFuzzer] Fix arguments of InsertPartOf/CopyPartOf calls in…
rGbb54bcf84970: [libFuzzer] Fix arguments of InsertPartOf/CopyPartOf calls in CrossOver mutator.
Summary

The CrossOver mutator is meant to cross over two given buffers (referred to as the first/second buffer below). Previously InsertPartOf/CopyPartOf calls used in the CrossOver mutator incorrectly inserted/copied part of the second buffer into a "scratch buffer" (MutateInPlaceHere of the size CurrentMaxMutationLen), rather than the first buffer. This is not intended behavior, because the scratch buffer does not always (i) contain the content of the first buffer, and (ii) have the same size as the first buffer; CurrentMaxMutationLen is typically a lot larger than the size of the first buffer. This patch fixes the issue by using the first buffer instead of the scratch buffer in InsertPartOf/CopyPartOf calls.

A FuzzBench experiment was run to make sure that this change does not inadvertently degrade the performance. The performance is largely the same; more details can be found at: https://storage.googleapis.com/fuzzer-test-suite-public/fixcrossover-report/index.html

This patch also adds two new tests, namely "cross_over_insert" and "cross_over_copy", which specifically target InsertPartOf and CopyPartOf, respectively.

  • cross_over_insert.test checks if the fuzzer can use InsertPartOf to trigger the crash.
  • cross_over_copy.test checks if the fuzzer can use CopyPartOf to trigger the crash.

These newly added tests were designed to pass with the current patch, but not without the it (with b216c80cc2496b87bf827260ce7e24dc62247d71 these tests do not pass). To achieve this, -max_len was intentionally given a high value. Without this patch, InsertPartOf/CopyPartOf will generate larger inputs, possibly with unpredictable data in it, thereby failing to trigger the crash.

The test pass condition for these new tests is narrowed down by (i) limiting mutation depth to 1 (i.e., a single CrossOver mutation should be able to trigger the crash) and (ii) checking whether the mutation sequence of "CrossOver-" leads to the crash.

Also note that these newly added tests and an existing test (cross_over.test) all use "-reduce_inputs=0" flags to prevent reducing inputs; it's easier to force the fuzzer to keep original input string this way than tweaking cov-instrumented basic blocks in the source code of the fuzzer executable.

Diff Detail

Event Timeline

dokyungs created this revision.Aug 7 2020, 1:46 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 7 2020, 1:46 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
dokyungs requested review of this revision.Aug 7 2020, 1:46 PM
dokyungs edited the summary of this revision. (Show Details)Aug 7 2020, 1:52 PM
dokyungs edited the summary of this revision. (Show Details)
dokyungs updated this revision to Diff 284041.Aug 7 2020, 1:56 PM

Remove REQUIRES: linux, x86_64 in the new test, since the test from which the new tests copied does not have it.

Harbormaster completed remote builds in B67533: Diff 284041.Aug 7 2020, 2:37 PM
Harbormaster completed remote builds in B67531: Diff 284036.
morehouse added inline comments.Aug 10 2020, 11:54 AM
compiler-rt/test/fuzzer/CrossOverTest.cpp
10

Please also list the original crossover test case here.

30

Since the new inputs also start with A and Z, would it be simpler to leave this test unchanged?

dokyungs updated this revision to Diff 284902.Aug 11 2020, 2:45 PM

Addressed comments.

dokyungs updated this revision to Diff 284906.Aug 11 2020, 2:57 PM
dokyungs marked an inline comment as done.

Further address comments.

dokyungs added inline comments.Aug 11 2020, 3:00 PM
compiler-rt/test/fuzzer/CrossOverTest.cpp
30

Reverted changes except for CrossOverTest.cpp:45 which needs changing because the inputs of the newly added tests are not always of size 10.

Harbormaster completed remote builds in B68013: Diff 284902.Aug 11 2020, 4:20 PM
Harbormaster completed remote builds in B68014: Diff 284906.Aug 11 2020, 4:25 PM
morehouse accepted this revision.Aug 11 2020, 4:45 PM

LGTM, but let's wait to merge until we get confirmation from FuzzBench that this doesn't hurt fuzzer performance.

This revision is now accepted and ready to land.Aug 11 2020, 4:45 PM
dokyungs updated this revision to Diff 286169.Aug 17 2020, 4:06 PM

Rebased.

dokyungs edited the summary of this revision. (Show Details)Aug 17 2020, 4:07 PM
Harbormaster completed remote builds in B68694: Diff 286169.Aug 17 2020, 4:31 PM
Closed by commit rGbb54bcf84970: [libFuzzer] Fix arguments of InsertPartOf/CopyPartOf calls in CrossOver mutator. (authored by dokyungs). · Explain WhyAug 18 2020, 9:09 AM
This revision was automatically updated to reflect the committed changes.
dokyungs added a commit: rGbb54bcf84970: [libFuzzer] Fix arguments of InsertPartOf/CopyPartOf calls in CrossOver mutator..
azharudd added a subscriber: azharudd.Aug 19 2020, 10:36 AM

Looks like this change is causing the value-profile-load.test test to fail. Can you please take a look?

******************** TEST 'libFuzzer :: value-profile-load.test' FAILED ********************
Script:
--
: 'RUN: at line 2';     /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/./bin/clang  --driver-mode=g++ -O2 -gline-tables-only -fsanitize=address,fuzzer -I/Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/lib/fuzzer -arch x86_64 -stdlib=libc++ -mmacosx-version-min=10.9 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/LoadTest.cpp -fsanitize-coverage=trace-gep -o /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest
: 'RUN: at line 3';   not  /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest -seed=2 -use_cmp=0 -use_value_profile=1 -runs=20000000 2>&1 | FileCheck /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test
--
Exit Code: 1

Command Output (stderr):
--
+ : 'RUN: at line 2'
+ /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/./bin/clang --driver-mode=g++ -O2 -gline-tables-only -fsanitize=address,fuzzer -I/Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/lib/fuzzer -arch x86_64 -stdlib=libc++ -mmacosx-version-min=10.9 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/LoadTest.cpp -fsanitize-coverage=trace-gep -o /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest
+ : 'RUN: at line 3'
+ not /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest -seed=2 -use_cmp=0 -use_value_profile=1 -runs=20000000
+ FileCheck /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test
/Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test:1:8: error: CHECK: expected string not found in input
CHECK: AddressSanitizer: global-buffer-overflow
       ^
<stdin>:1:1: note: scanning from here
INFO: Seed: 2
^
<stdin>:5:27: note: possible intended match here
INFO: A corpus is not provided, starting from an empty corpus
                          ^

Input file: <stdin>
Check file: /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test

-dump-input=help explains the following input dump.

Input was:
<<<<<<
           1: INFO: Seed: 2
check:1'0     X~~~~~~~~~~~~ error: no match found
           2: INFO: Loaded 1 modules (3 inline 8-bit counters): 3 [0x10af2bac8, 0x10af2bacb), 
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           3: INFO: Loaded 1 PC tables (3 PCs): 3 [0x10af2bad0,0x10af2bb00), 
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           4: INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           5: INFO: A corpus is not provided, starting from an empty corpus
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
check:1'1                               ?                                   possible intended match
           6: #2 INITED cov: 2 ft: 4 corp: 1/1b exec/s: 0 rss: 31Mb
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           7: #14 NEW cov: 2 ft: 5 corp: 2/4b lim: 4 exec/s: 0 rss: 31Mb L: 3/3 MS: 2 CrossOver-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           8: #242 NEW cov: 2 ft: 6 corp: 3/9b lim: 6 exec/s: 0 rss: 31Mb L: 5/5 MS: 3 ShuffleBytes-ShuffleBytes-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           9: #477 NEW cov: 3 ft: 11 corp: 4/17b lim: 8 exec/s: 0 rss: 31Mb L: 8/8 MS: 5 EraseBytes-ChangeByte-EraseBytes-InsertRepeatedBytes-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          10: #480 NEW cov: 3 ft: 13 corp: 5/24b lim: 8 exec/s: 0 rss: 31Mb L: 7/8 MS: 3 ChangeByte-InsertByte-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           .
           .
           .
>>>>>>

--

********************
dokyungs added a comment.Aug 19 2020, 2:16 PM
In D85554#2226648, @azharudd wrote:

Looks like this change is causing the value-profile-load.test test to fail. Can you please take a look?

******************** TEST 'libFuzzer :: value-profile-load.test' FAILED ********************
Script:
--
: 'RUN: at line 2';     /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/./bin/clang  --driver-mode=g++ -O2 -gline-tables-only -fsanitize=address,fuzzer -I/Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/lib/fuzzer -arch x86_64 -stdlib=libc++ -mmacosx-version-min=10.9 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/LoadTest.cpp -fsanitize-coverage=trace-gep -o /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest
: 'RUN: at line 3';   not  /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest -seed=2 -use_cmp=0 -use_value_profile=1 -runs=20000000 2>&1 | FileCheck /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test
--
Exit Code: 1

Command Output (stderr):
--
+ : 'RUN: at line 2'
+ /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/./bin/clang --driver-mode=g++ -O2 -gline-tables-only -fsanitize=address,fuzzer -I/Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/lib/fuzzer -arch x86_64 -stdlib=libc++ -mmacosx-version-min=10.9 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/LoadTest.cpp -fsanitize-coverage=trace-gep -o /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest
+ : 'RUN: at line 3'
+ not /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest -seed=2 -use_cmp=0 -use_value_profile=1 -runs=20000000
+ FileCheck /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test
/Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test:1:8: error: CHECK: expected string not found in input
CHECK: AddressSanitizer: global-buffer-overflow
       ^
<stdin>:1:1: note: scanning from here
INFO: Seed: 2
^
<stdin>:5:27: note: possible intended match here
INFO: A corpus is not provided, starting from an empty corpus
                          ^

Input file: <stdin>
Check file: /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test

-dump-input=help explains the following input dump.

Input was:
<<<<<<
           1: INFO: Seed: 2
check:1'0     X~~~~~~~~~~~~ error: no match found
           2: INFO: Loaded 1 modules (3 inline 8-bit counters): 3 [0x10af2bac8, 0x10af2bacb), 
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           3: INFO: Loaded 1 PC tables (3 PCs): 3 [0x10af2bad0,0x10af2bb00), 
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           4: INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           5: INFO: A corpus is not provided, starting from an empty corpus
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
check:1'1                               ?                                   possible intended match
           6: #2 INITED cov: 2 ft: 4 corp: 1/1b exec/s: 0 rss: 31Mb
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           7: #14 NEW cov: 2 ft: 5 corp: 2/4b lim: 4 exec/s: 0 rss: 31Mb L: 3/3 MS: 2 CrossOver-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           8: #242 NEW cov: 2 ft: 6 corp: 3/9b lim: 6 exec/s: 0 rss: 31Mb L: 5/5 MS: 3 ShuffleBytes-ShuffleBytes-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           9: #477 NEW cov: 3 ft: 11 corp: 4/17b lim: 8 exec/s: 0 rss: 31Mb L: 8/8 MS: 5 EraseBytes-ChangeByte-EraseBytes-InsertRepeatedBytes-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          10: #480 NEW cov: 3 ft: 13 corp: 5/24b lim: 8 exec/s: 0 rss: 31Mb L: 7/8 MS: 3 ChangeByte-InsertByte-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           .
           .
           .
>>>>>>

--

********************

Could you please apply the following patch and see if it fixes the regression?

https://reviews.llvm.org/D86247

azharudd added a comment.Aug 19 2020, 2:55 PM
In D85554#2227180, @dokyungs wrote:
In D85554#2226648, @azharudd wrote:

Looks like this change is causing the value-profile-load.test test to fail. Can you please take a look?

******************** TEST 'libFuzzer :: value-profile-load.test' FAILED ********************
Script:
--
: 'RUN: at line 2';     /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/./bin/clang  --driver-mode=g++ -O2 -gline-tables-only -fsanitize=address,fuzzer -I/Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/lib/fuzzer -arch x86_64 -stdlib=libc++ -mmacosx-version-min=10.9 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/LoadTest.cpp -fsanitize-coverage=trace-gep -o /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest
: 'RUN: at line 3';   not  /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest -seed=2 -use_cmp=0 -use_value_profile=1 -runs=20000000 2>&1 | FileCheck /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test
--
Exit Code: 1

Command Output (stderr):
--
+ : 'RUN: at line 2'
+ /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/./bin/clang --driver-mode=g++ -O2 -gline-tables-only -fsanitize=address,fuzzer -I/Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/lib/fuzzer -arch x86_64 -stdlib=libc++ -mmacosx-version-min=10.9 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.15.sdk /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/LoadTest.cpp -fsanitize-coverage=trace-gep -o /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest
+ : 'RUN: at line 3'
+ not /Users/buildslave/jenkins/workspace/clang-stage1-RA/clang-build/tools/clang/runtime/compiler-rt-bins/test/fuzzer/X86_64DefaultDarwinConfig/Output/value-profile-load.test.tmp-LoadTest -seed=2 -use_cmp=0 -use_value_profile=1 -runs=20000000
+ FileCheck /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test
/Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test:1:8: error: CHECK: expected string not found in input
CHECK: AddressSanitizer: global-buffer-overflow
       ^
<stdin>:1:1: note: scanning from here
INFO: Seed: 2
^
<stdin>:5:27: note: possible intended match here
INFO: A corpus is not provided, starting from an empty corpus
                          ^

Input file: <stdin>
Check file: /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/fuzzer/value-profile-load.test

-dump-input=help explains the following input dump.

Input was:
<<<<<<
           1: INFO: Seed: 2
check:1'0     X~~~~~~~~~~~~ error: no match found
           2: INFO: Loaded 1 modules (3 inline 8-bit counters): 3 [0x10af2bac8, 0x10af2bacb), 
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           3: INFO: Loaded 1 PC tables (3 PCs): 3 [0x10af2bad0,0x10af2bb00), 
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           4: INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           5: INFO: A corpus is not provided, starting from an empty corpus
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
check:1'1                               ?                                   possible intended match
           6: #2 INITED cov: 2 ft: 4 corp: 1/1b exec/s: 0 rss: 31Mb
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           7: #14 NEW cov: 2 ft: 5 corp: 2/4b lim: 4 exec/s: 0 rss: 31Mb L: 3/3 MS: 2 CrossOver-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           8: #242 NEW cov: 2 ft: 6 corp: 3/9b lim: 6 exec/s: 0 rss: 31Mb L: 5/5 MS: 3 ShuffleBytes-ShuffleBytes-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           9: #477 NEW cov: 3 ft: 11 corp: 4/17b lim: 8 exec/s: 0 rss: 31Mb L: 8/8 MS: 5 EraseBytes-ChangeByte-EraseBytes-InsertRepeatedBytes-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          10: #480 NEW cov: 3 ft: 13 corp: 5/24b lim: 8 exec/s: 0 rss: 31Mb L: 7/8 MS: 3 ChangeByte-InsertByte-CopyPart-
check:1'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           .
           .
           .
>>>>>>

--

********************

Could you please apply the following patch and see if it fixes the regression?

https://reviews.llvm.org/D86247

It fixes it. Thanks!

vitalybuka reopened this revision.Aug 20 2020, 11:57 PM
vitalybuka added a subscriber: vitalybuka.

msan.test is broken by this patch http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/builds/29114/steps/test%20standalone%20compiler-rt/logs/stdio

This revision is now accepted and ready to land.Aug 20 2020, 11:57 PM
vitalybuka mentioned this in D86184: [libFuzzer] Un-XFAIL msan.test on SystemZ.Aug 20 2020, 11:57 PM
eugenis added a subscriber: eugenis.Aug 21 2020, 9:54 AM

Right, the bot has been red since http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/builds/29113, which includes this change.
There has been another change in the same build that broke *everything*, so you likely did not get an actionable message from the buildbot at that time.
Please fix!

dokyungs added a comment.Aug 21 2020, 10:00 AM
In D85554#2229854, @vitalybuka wrote:

msan.test is broken by this patch http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/builds/29114/steps/test%20standalone%20compiler-rt/logs/stdio

In D85554#2230771, @eugenis wrote:

Right, the bot has been red since http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/builds/29113, which includes this change.
There has been another change in the same build that broke *everything*, so you likely did not get an actionable message from the buildbot at that time.
Please fix!

Working on a fix now.

azharudd added a reverting change: rG8831e34771fe: Revert "[libFuzzer] Fix arguments of InsertPartOf/CopyPartOf calls in CrossOver….Aug 21 2020, 10:01 AM
azharudd added a comment.Aug 21 2020, 10:04 AM

Reverted this in 8831e34771fec4dfbe62a6e31d9bc9419a3b93c3 to get the bots green again. Please feel free to ping if you need someone to test this on macOS.

dokyungs added a comment.Aug 21 2020, 3:50 PM
In D85554#2230791, @azharudd wrote:

Reverted this in 8831e34771fec4dfbe62a6e31d9bc9419a3b93c3 to get the bots green again. Please feel free to ping if you need someone to test this on macOS.

Could you try this patch again on top of https://reviews.llvm.org/D86247 which hopefully fixes the failing test on macOS?

dokyungs added a comment.Aug 24 2020, 11:12 PM
In D85554#2230791, @azharudd wrote:

Reverted this in 8831e34771fec4dfbe62a6e31d9bc9419a3b93c3 to get the bots green again. Please feel free to ping if you need someone to test this on macOS.

Ping @azharudd

azharudd added a comment.Aug 25 2020, 9:50 AM

@dokyungs, looking into this now.

azharudd added a comment.EditedAug 25 2020, 12:26 PM
In D85554#2231462, @dokyungs wrote:
In D85554#2230791, @azharudd wrote:

Reverted this in 8831e34771fec4dfbe62a6e31d9bc9419a3b93c3 to get the bots green again. Please feel free to ping if you need someone to test this on macOS.

Could you try this patch again on top of https://reviews.llvm.org/D86247 which hopefully fixes the failing test on macOS?

@dokyungs, it works. The value-profile-load test didn't fail when I tried this and D86247 together. It would be better to commit them together in a single commit.

Closed by commit rGc10e63677f5d: Recommit "[libFuzzer] Fix arguments of InsertPartOf/CopyPartOf calls in… (authored by dokyungs). · Explain WhyAug 27 2020, 2:59 PM
This revision was automatically updated to reflect the committed changes.
dokyungs added a commit: rGc10e63677f5d: Recommit "[libFuzzer] Fix arguments of InsertPartOf/CopyPartOf calls in….

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
14 lines
test/
fuzzer/
15 lines
4 lines
20 lines
20 lines

Diff 288466

compiler-rt/lib/fuzzer/FuzzerMutate.cpp

Show First 20 LinesShow All 419 Lines▼ Show 20 Lines
size_t MutationDispatcher::Mutate_CrossOver(uint8_t *Data, size_t Size, size_t MutationDispatcher::Mutate_CrossOver(uint8_t *Data, size_t Size,
size_t MaxSize) { size_t MaxSize) {
if (Size > MaxSize) return 0; if (Size > MaxSize) return 0;
if (Size == 0) return 0; if (Size == 0) return 0;
if (!CrossOverWith) return 0; if (!CrossOverWith) return 0;
const Unit &O = *CrossOverWith; const Unit &O = *CrossOverWith;
if (O.empty()) return 0; if (O.empty()) return 0;
MutateInPlaceHere.resize(MaxSize);
auto &U = MutateInPlaceHere;
size_t NewSize = 0; size_t NewSize = 0;
switch(Rand(3)) { switch(Rand(3)) {
case 0: case 0:
NewSize = CrossOver(Data, Size, O.data(), O.size(), U.data(), U.size()); MutateInPlaceHere.resize(MaxSize);
NewSize = CrossOver(Data, Size, O.data(), O.size(),
MutateInPlaceHere.data(), MaxSize);
memcpy(Data, MutateInPlaceHere.data(), NewSize);
break; break;
case 1: case 1:
NewSize = InsertPartOf(O.data(), O.size(), U.data(), U.size(), MaxSize); NewSize = InsertPartOf(O.data(), O.size(), Data, Size, MaxSize);
if (!NewSize) if (!NewSize)
NewSize = CopyPartOf(O.data(), O.size(), U.data(), U.size()); NewSize = CopyPartOf(O.data(), O.size(), Data, Size);
break; break;
case 2: case 2:
NewSize = CopyPartOf(O.data(), O.size(), U.data(), U.size()); NewSize = CopyPartOf(O.data(), O.size(), Data, Size);
break; break;
default: assert(0); default: assert(0);
} }
assert(NewSize > 0 && "CrossOver returned empty unit"); assert(NewSize > 0 && "CrossOver returned empty unit");
assert(NewSize <= MaxSize && "CrossOver returned overisized unit"); assert(NewSize <= MaxSize && "CrossOver returned overisized unit");
memcpy(Data, U.data(), NewSize);
return NewSize; return NewSize;
} }
void MutationDispatcher::StartMutationSequence() { void MutationDispatcher::StartMutationSequence() {
CurrentMutatorSequence.clear(); CurrentMutatorSequence.clear();
CurrentDictionaryEntrySequence.clear(); CurrentDictionaryEntrySequence.clear();
} }
▲ Show 20 LinesShow All 107 LinesShow Last 20 Lines

compiler-rt/test/fuzzer/CrossOverTest.cpp

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// Test for a fuzzer. The fuzzer must find the string // Test for a fuzzer. The fuzzer must find the string
// ABCDEFGHIJ // ABCDEFGHIJ
// We use it as a test for CrossOver functionality // We use it as a test for each of CrossOver functionalities
// by passing two inputs to it: // by passing the following sets of two inputs to it:
// ABCDE00000 // {ABCDE00000, ZZZZZFGHIJ}
// ZZZZZFGHIJ // {ABCDEHIJ, ZFG} to specifically test InsertPartOf
morehouseUnsubmitted
Done
ReplyInline Actions

Please also list the original crossover test case here.

morehouse: Please also list the original crossover test case here.
// {ABCDE00HIJ, ZFG} to specifically test CopyPartOf
// //
#include <assert.h> #include <assert.h>
#include <cstddef> #include <cstddef>
#include <cstdint> #include <cstdint>
#include <cstdlib> #include <cstdlib>
#include <iostream> #include <iostream>
#include <ostream> #include <ostream>
static volatile int Sink; static volatile int Sink;
static volatile int *NullPtr; static volatile int *NullPtr;
// A modified jenkins_one_at_a_time_hash initialized by non-zero, // A modified jenkins_one_at_a_time_hash initialized by non-zero,
// so that simple_hash(0) != 0. See also // so that simple_hash(0) != 0. See also
// https://en.wikipedia.org/wiki/Jenkins_hash_function // https://en.wikipedia.org/wiki/Jenkins_hash_function
static uint32_t simple_hash(const uint8_t *Data, size_t Size) { static uint32_t simple_hash(const uint8_t *Data, size_t Size) {
uint32_t Hash = 0x12039854; uint32_t Hash = 0x12039854;
for (uint32_t i = 0; i < Size; i++) { for (uint32_t i = 0; i < Size; i++) {
Hash += Data[i]; Hash += Data[i];
Hash += (Hash << 10); Hash += (Hash << 10);
morehouseUnsubmitted
Not Done
ReplyInline Actions

Since the new inputs also start with A and Z, would it be simpler to leave this test unchanged?

morehouse: Since the new inputs also start with A and Z, would it be simpler to leave this test unchanged?
dokyungsAuthorUnsubmitted
Not Done
ReplyInline Actions

Reverted changes except for CrossOverTest.cpp:45 which needs changing because the inputs of the newly added tests are not always of size 10.

dokyungs: Reverted changes except for CrossOverTest.cpp:45 which needs changing because the inputs of the…
Hash ^= (Hash >> 6); Hash ^= (Hash >> 6);
} }
Hash += (Hash << 3); Hash += (Hash << 3);
Hash ^= (Hash >> 11); Hash ^= (Hash >> 11);
Hash += (Hash << 15); Hash += (Hash << 15);
return Hash; return Hash;
} }
// Don't leave the string in the binary, so that fuzzer don't cheat; // Don't leave the string in the binary, so that fuzzer don't cheat;
// const char *ABC = "ABCDEFGHIJ"; // const char *ABC = "ABCDEFGHIJ";
// static uint32_t ExpectedHash = simple_hash((const uint8_t *)ABC, 10); // static uint32_t ExpectedHash = simple_hash((const uint8_t *)ABC, 10);
static const uint32_t ExpectedHash = 0xe1677acb; static const uint32_t ExpectedHash = 0xe1677acb;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
// fprintf(stderr, "ExpectedHash: %x\n", ExpectedHash); // fprintf(stderr, "ExpectedHash: %x\n", ExpectedHash);
if (Size != 10) return 0; if (Size == 10 && ExpectedHash == simple_hash(Data, Size))
*NullPtr = 0;
if (*Data == 'A') if (*Data == 'A')
Sink++; Sink++;
if (*Data == 'Z') if (*Data == 'Z')
Sink--; Sink--;
if (ExpectedHash == simple_hash(Data, Size))
*NullPtr = 0;
return 0; return 0;
} }

compiler-rt/test/fuzzer/cross_over.test

# Tests CrossOverTest. # Tests CrossOverTest.
# We want to make sure that the test can find the input # We want to make sure that the test can find the input
# ABCDEFGHIJ when given two other inputs in the seed corpus: # ABCDEFGHIJ when given two other inputs in the seed corpus:
# ABCDE00000 and # ABCDE00000 and
# ZZZZZFGHIJ # ZZZZZFGHIJ
# #
RUN: %cpp_compiler %S/CrossOverTest.cpp -o %t-CrossOverTest RUN: %cpp_compiler %S/CrossOverTest.cpp -o %t-CrossOverTest
RUN: rm -rf %t-corpus RUN: rm -rf %t-corpus
RUN: mkdir %t-corpus RUN: mkdir %t-corpus
RUN: echo -n ABCDE00000 > %t-corpus/A RUN: echo -n ABCDE00000 > %t-corpus/A
RUN: echo -n ZZZZZFGHIJ > %t-corpus/B RUN: echo -n ZZZZZFGHIJ > %t-corpus/B
RUN: not %run %t-CrossOverTest -max_len=10 -seed=1 -runs=10000000 %t-corpus RUN: not %run %t-CrossOverTest -max_len=10 -reduce_inputs=0 -seed=1 -runs=10000000 %t-corpus
# Test the same thing but using -seed_inputs instead of passing the corpus dir. # Test the same thing but using -seed_inputs instead of passing the corpus dir.
RUN: not %run %t-CrossOverTest -max_len=10 -seed=1 -runs=10000000 -seed_inputs=%t-corpus/A,%t-corpus/B RUN: not %run %t-CrossOverTest -max_len=10 -reduce_inputs=0 -seed=1 -runs=10000000 -seed_inputs=%t-corpus/A,%t-corpus/B

compiler-rt/test/fuzzer/cross_over_copy.test

  • This file was added.
# Tests CrossOver CopyPartOf.
# We want to make sure that the test can find the input
# ABCDEFGHIJ when given two other inputs in the seed corpus:
# ABCDE00HIJ and
# (Z) FG
#
RUN: %cpp_compiler %S/CrossOverTest.cpp -o %t-CrossOverTest
RUN: rm -rf %t-corpus
RUN: mkdir %t-corpus
RUN: echo -n ABCDE00HIJ > %t-corpus/A
RUN: echo -n ZFG > %t-corpus/B
RUN: not %run %t-CrossOverTest -mutate_depth=1 -max_len=1024 -reduce_inputs=0 -seed=1 -runs=10000000 %t-corpus 2>&1 | FileCheck %s
# Test the same thing but using -seed_inputs instead of passing the corpus dir.
RUN: not %run %t-CrossOverTest -mutate_depth=1 -max_len=1024 -reduce_inputs=0 -seed=1 -runs=10000000 -seed_inputs=%t-corpus/A,%t-corpus/B 2>&1 | FileCheck %s
CHECK: MS: 1 CrossOver-

compiler-rt/test/fuzzer/cross_over_insert.test

  • This file was added.
# Tests CrossOver InsertPartOf.
# We want to make sure that the test can find the input
# ABCDEFGHIJ when given two other inputs in the seed corpus:
# ABCDE HIJ and
# (Z) FG
#
RUN: %cpp_compiler %S/CrossOverTest.cpp -o %t-CrossOverTest
RUN: rm -rf %t-corpus
RUN: mkdir %t-corpus
RUN: echo -n ABCDEHIJ > %t-corpus/A
RUN: echo -n ZFG > %t-corpus/B
RUN: not %run %t-CrossOverTest -mutate_depth=1 -max_len=1024 -reduce_inputs=0 -seed=1 -runs=10000000 %t-corpus 2>&1 | FileCheck %s
# Test the same thing but using -seed_inputs instead of passing the corpus dir.
RUN: not %run %t-CrossOverTest -mutate_depth=1 -max_len=1024 -reduce_inputs=0 -seed=1 -runs=10000000 -seed_inputs=%t-corpus/A,%t-corpus/B 2>&1 | FileCheck %s
CHECK: MS: 1 CrossOver-