
[libFuzzer] Un-XFAIL msan.test on SystemZ
ClosedPublic

Authored by iii on Aug 18 2020, 6:01 PM.

Event Timeline

iii created this revision. Aug 18 2020, 6:01 PM
Herald added a project: Restricted Project. Aug 18 2020, 6:01 PM
Herald added a subscriber: Restricted Project.
iii requested review of this revision. Aug 18 2020, 6:01 PM

Maybe SimpleCmpTest.cpp is not so simple?
Should we rather simplify it? On my workstation it takes 7s, which looks quite long.
Removing any condition makes it just 0.02s.

iii added a comment. Aug 19 2020, 5:45 PM

Hm, it actually looks fairly simple as is: just a bunch of comparisons of unmodified ints from the input buffer with constants. So I would expect Mutate_AddWordFromTORC to help solve this fairly quickly. Do you have an idea why this might not be happening? Maybe it could be worth looking into it a bit deeper.

In D86184#2227506, @iii wrote:

Hm, it actually looks fairly simple as is: just a bunch of comparisons of unmodified ints from the input buffer with constants. So I would expect Mutate_AddWordFromTORC to help solve this fairly quickly. Do you have an idea why this might not be happening? Maybe it could be worth looking into it a bit deeper.

My point is that it's already too long for a lit test. So we should either investigate or simplify, but not let it run longer.

Actually it's simple with -use_value_profile=1, which is not used here.
For different seeds, even for half of these conditions, it can reach 10^7.
I believe other platforms or tests without use_value_profile are just lucky.

The longest condition is "a == 0x4242 && PrintOnce(__LINE__) &&"

for changed

if (a == 0x4242 && PrintOnce(__LINE__) &&
    true) {
  fprintf(stderr, "BINGO; Found the target: size %zd (%zd, %zd, %d, %d), exiting.\n",
          Size, x, y, z, a);
  exit
clang  --driver-mode=g++ -O2 -gline-tables-only -fsanitize=address,fuzzer -I/usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/lib/fuzzer -m32 /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/test/fuzzer/SimpleCmpTest.cpp -o /usr/local/google/home/vitalybuka/src/llvm.git/out/z/projects/compiler-rt/test/fuzzer/I386DefaultLinuxConfig/Output/value-profile-cmp.test.tmp-SimpleCmpTest
/usr/local/google/home/vitalybuka/src/llvm.git/out/z/projects/compiler-rt/test/fuzzer/I386DefaultLinuxConfig/Output/value-profile-cmp.test.tmp-SimpleCmpTest -runs=100000000
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 40Mb
#2157   NEW    cov: 3 ft: 3 corp: 2/25b lim: 25 exec/s: 0 rss: 40Mb L: 24/24 MS: 5 InsertRepeatedBytes-ShuffleBytes-ChangeBit-InsertByte-InsertRepeatedBytes-
#2097152        pulse  cov: 3 ft: 3 corp: 2/25b lim: 4096 exec/s: 1048576 rss: 224Mb
#4194304        pulse  cov: 3 ft: 3 corp: 2/25b lim: 4096 exec/s: 838860 rss: 406Mb
#8388608        pulse  cov: 3 ft: 3 corp: 2/25b lim: 4096 exec/s: 838860 rss: 552Mb
#16777216       pulse  cov: 3 ft: 3 corp: 2/25b lim: 4096 exec/s: 798915 rss: 554Mb
Seen line 32
BINGO; Found the target: size 24 (-241, -1, -1048577, -59), exiting.
==3072934== ERROR: libFuzzer: fuzz target exited
    #0 0x811f8a2 in __sanitizer_print_stack_trace /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:86:3
    #1 0x8099ed5 in fuzzer::PrintStackTrace() /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x8082527 in fuzzer::Fuzzer::ExitCallback() /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:250:3
    #3 0x80824be in fuzzer::Fuzzer::StaticExitCallback() /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:209:6
    #4 0xf7a791dd  (/lib/i386-linux-gnu/libc.so.6+0x371dd)
    #5 0xf7a793c0 in exit (/lib/i386-linux-gnu/libc.so.6+0x373c0)
    #6 0x814c0d2 in LLVMFuzzerTestOneInput /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/test/fuzzer/SimpleCmpTest.cpp:36:5
    #7 0x80838a6 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:559:15
    #8 0x808307e in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned int, bool, fuzzer::InputInfo*, bool*) /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:471:3
    #9 0x808488a in fuzzer::Fuzzer::MutateAndTestOne() /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:702:19
    #10 0x8085454 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:838:5
    #11 0x80741cd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:852:6
    #12 0x809a927 in main /usr/local/google/home/vitalybuka/src/llvm.git/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0xf7a60ef0 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1eef0)
    #14 0x8069931 in _start (/usr/local/google/home/vitalybuka/src/llvm.git/out/z/projects/compiler-rt/test/fuzzer/I386DefaultLinuxConfig/Output/value-profile-cmp.test.tmp-SimpleCmpTest+0x8069931)

SUMMARY: libFuzzer: fuzz target exited
MS: 5 CMP-CopyPart-ShuffleBytes-EraseBytes-CMP- DE: "\x17\x00"-"BB\x00\x00"-; base unit: e77b6be5a40f31857870a32bc55ad4a84e093f3d
0xf,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xef,0xff,0xc5,0xff,0xff,0xff,0xef,0xff,0xc5,0xff,0x42,0x42,0x0,0x0,
\x0f\xff\xff\xff\xff\xff\xff\xff\xff\xff\xef\xff\xc5\xff\xff\xff\xef\xff\xc5\xffBB\x00\x00
artifact_prefix='./'; Test unit written to ./crash-bab75b2babdb30c78d9667b358e0d5a52d8eacdd

Other tests on this file use either use_value_profile or more iterations.
Here we test msan and not particular counters, so I would recommend just adding -use_value_profile=1.

This looks like a regression after D85554.

iii updated this revision to Diff 287464. Aug 24 2020, 12:19 PM
  • D86382 works - so changing the patch to simply un-XFAIL the test.
morehouse accepted this revision. Aug 24 2020, 12:23 PM

Please update the title and description.

This revision is now accepted and ready to land. Aug 24 2020, 12:23 PM
iii retitled this revision from [libFuzzer] Use 100m runs for SimpleCmpTest in msan.test to [libFuzzer] Un-XFAIL msan.test on SystemZ. Aug 24 2020, 12:48 PM
iii edited the summary of this revision.
This revision was automatically updated to reflect the committed changes.
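
The gap discussed in the thread between fuzzing a constant comparison with and without -use_value_profile=1, as an added toy model (not libFuzzer code and not part of this review). The constant kTarget, the PRNG, the one-bit-flip mutator and the use of Hamming distance alone as the value-profile feature are simplifying assumptions, and the CMP/TORC dictionary mutation is left out.

```cpp
// Added example: toy model of coverage-only vs value-profile feedback.
// Not libFuzzer code; constant, PRNG and mutator are constructed here.
#include <bitset>
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

static const uint32_t kTarget = 0x42424242;  // constructed compare constant

// Small deterministic PRNG (xorshift32) so every run is reproducible.
static uint32_t Next(uint32_t &s) {
  s ^= s << 13; s ^= s >> 17; s ^= s << 5;
  return s;
}

// Hamming distance between the two operands of `a == kTarget`.
static unsigned Distance(uint32_t a) {
  return static_cast<unsigned>(std::bitset<32>(a ^ kTarget).count());
}

// Returns the number of executions needed to make `a == kTarget` true,
// or 0 if the budget runs out. Each execution flips one random bit of a
// randomly chosen corpus entry.
unsigned long ExecsToSolve(bool use_value_profile, unsigned long budget) {
  uint32_t rng = 2463534242u;
  std::vector<uint32_t> corpus{0};        // start from an all-zero input
  std::set<unsigned> seen{Distance(0)};   // value-profile features seen
  for (unsigned long n = 1; n <= budget; ++n) {
    uint32_t a = corpus[Next(rng) % corpus.size()];
    a ^= 1u << (Next(rng) % 32);
    if (a == kTarget) return n;           // the only new coverage edge
    if (!use_value_profile) continue;     // coverage-only: nothing to keep
    // Value profile: a Hamming distance not seen before is a new feature,
    // so the input is kept and later mutations can build on it.
    if (seen.insert(Distance(a)).second) corpus.push_back(a);
  }
  return 0;
}

int main() {
  std::printf("coverage only: %lu\n", ExecsToSolve(false, 1000000));
  std::printf("value profile: %lu\n", ExecsToSolve(true, 1000000));
}
```

In this model the coverage-only run can never pass the comparison, because no intermediate input is ever kept; the value-profile run keeps each input that reaches a new operand distance and walks to the constant.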