Brian Cain via llvm-dev
2015-Dec-03 03:17 UTC
[llvm-dev] fuzzer crash (but not the good kind)
Kostya,
Here's the git repo: https://bitbucket.org/ebadf/fuzzpy
I've only tested it on arm7 and x86_64 linux, I expect there's a good
chance it may not work on other OSs.
If you can build it successfully ("./build.sh", requires clang and
clang++
in your path), then you should run the "testemail" case like so:
while true; do ITERS=1000 ./run.sh tests/build/testemail
tests/testemail/inputs/; done
Let me know if you have any challenges building or running the test case.
On Tue, Dec 1, 2015 at 7:26 PM, Kostya Serebryany <kcc at google.com>
wrote:
> Hi Brian,
> Yes, looks like a bug in sanitizer coverage, please send the reproducer.
>
> On Tue, Dec 1, 2015 at 5:22 PM, Brian Cain <brian.cain at gmail.com>
wrote:
>
>>
>> Kostya,
>>
>> I think I've found what looks like a reproducible bug in libFuzzer.
The
>> code under test is built with ASan and the first ASan CHECK failure
shows
>> fuzzer in the stack trace. (see below)
>>
>> One of the factors that may be unique in my testing is that each
>> iteration can take a very long time to execute (tens or hundreds of
>> seconds).
>>
>> Let me know if you need more info, I think it shouldn't take much
test
>> time to reproduce this.
>>
>> ================== Job 2 exited with exit code 256 ===========>>
Flag: verbosity 3
>> Flag: use_traces 1
>> Flag: timeout 100
>> Flag: max_len 16384
>> Seed: 3259211893
>> PreferSmall: 0
>> #0 READ units: 4975 exec/s: 0
>> #1 pulse cov: 32410 bits: 30791 indir: 714 units: 4975 exec/s: 0
>> NEW0: 32410 L 13869
>> ==31301==AddressSanitizer CHECK failed:
>>
/home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467
>> "((n % 16)) == ((0))" (0x1, 0x0)
>> #0 0x11d3b7 in __asan::AsanCheckFailed(char const*, int, char
const*,
>> unsigned long long, unsigned long long)
>>
/home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:67:3
>> #1 0x122f1f in __sanitizer::CheckFailed(char const*, int, char
>> const*, unsigned long long, unsigned long long)
>>
/home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159:5
>> #2 0x134317 in
>>
__sanitizer::CoverageData::Update8bitCounterBitsetAndClearCounters(unsigned
>> char*)
>>
/home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467:5
>> #3 0x1b7b53 in fuzzer::Fuzzer::PrepareCoverageBeforeRun()
>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:264:5
>> #4 0x1b501b in fuzzer::Fuzzer::RunOne(std::vector<unsigned char,
>> std::allocator<unsigned char> > const&)
>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:212:3
>> #5 0x1b6be3 in fuzzer::Fuzzer::ShuffleAndMinimize()
>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:195:11
>> #6 0x14477b in fuzzer::FuzzerDriver(std::vector<std::string,
>> std::allocator<std::string> > const&,
fuzzer::UserSuppliedFuzzer&)
>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:303:3
>> #7 0x14183f in fuzzer::FuzzerDriver(int, char**,
>> fuzzer::UserSuppliedFuzzer&)
>>
/home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:201:10
>> #8 0x141427 in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned
>> char const*, unsigned int))
>>
/home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:196:10
>> #9 0x1873e3 in main
>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerMain.cpp:19:10
>> #10 0xb6c86775 in __libc_start_main
>> /build/buildd/glibc-2.21/csu/libc-start.c:289
>>
>> DEATH:
>> artifact_prefix='./'; Test unit written to
>> ./crash-ec9fa023e9db127e2589d0ab4c506055e4174611
>>
>>
>> --
>> -Brian
>>
>
>
--
-Brian
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20151202/01bed50c/attachment.html>
Kostya Serebryany via llvm-dev
2015-Dec-03 19:12 UTC
[llvm-dev] fuzzer crash (but not the good kind)
On Wed, Dec 2, 2015 at 7:17 PM, Brian Cain <brian.cain at gmail.com> wrote:> Kostya, > > Here's the git repo: https://bitbucket.org/ebadf/fuzzpy > > I've only tested it on arm7 and x86_64 linux, I expect there's a good > chance it may not work on other OSs. > > If you can build it successfully ("./build.sh", requires clang and clang++ > in your path), then you should run the "testemail" case like so: > >Does not build for me out of the box: ./build.sh: line 70: ./configure: No such file or directory I wonder if a smaller test possible here. Meanwhile, here is a workaround for you. Instead of SANITIZE_COV_OPTS="-fsanitize-coverage=bb,indirect-calls,8bit-counters" try using SANITIZE_COV_OPTS="-fsanitize-coverage=edge,indirect-calls" while true; do ITERS=1000 ./run.sh tests/build/testemail> tests/testemail/inputs/; done > > Let me know if you have any challenges building or running the test case. > > > On Tue, Dec 1, 2015 at 7:26 PM, Kostya Serebryany <kcc at google.com> wrote: > >> Hi Brian, >> Yes, looks like a bug in sanitizer coverage, please send the reproducer. >> >> On Tue, Dec 1, 2015 at 5:22 PM, Brian Cain <brian.cain at gmail.com> wrote: >> >>> >>> Kostya, >>> >>> I think I've found what looks like a reproducible bug in libFuzzer. The >>> code under test is built with ASan and the first ASan CHECK failure shows >>> fuzzer in the stack trace. (see below) >>> >>> One of the factors that may be unique in my testing is that each >>> iteration can take a very long time to execute (tens or hundreds of >>> seconds). >>> >>> Let me know if you need more info, I think it shouldn't take much test >>> time to reproduce this. >>> >>> ================== Job 2 exited with exit code 256 ===========>>> Flag: verbosity 3 >>> Flag: use_traces 1 >>> Flag: timeout 100 >>> Flag: max_len 16384 >>> Seed: 3259211893 >>> PreferSmall: 0 >>> #0 READ units: 4975 exec/s: 0 >>> #1 pulse cov: 32410 bits: 30791 indir: 714 units: 4975 exec/s: 0 >>> NEW0: 32410 L 13869 >>> ==31301==AddressSanitizer CHECK failed: >>> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467 >>> "((n % 16)) == ((0))" (0x1, 0x0) >>> #0 0x11d3b7 in __asan::AsanCheckFailed(char const*, int, char >>> const*, unsigned long long, unsigned long long) >>> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:67:3 >>> #1 0x122f1f in __sanitizer::CheckFailed(char const*, int, char >>> const*, unsigned long long, unsigned long long) >>> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159:5 >>> #2 0x134317 in >>> __sanitizer::CoverageData::Update8bitCounterBitsetAndClearCounters(unsigned >>> char*) >>> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467:5 >>> #3 0x1b7b53 in fuzzer::Fuzzer::PrepareCoverageBeforeRun() >>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:264:5 >>> #4 0x1b501b in fuzzer::Fuzzer::RunOne(std::vector<unsigned char, >>> std::allocator<unsigned char> > const&) >>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:212:3 >>> #5 0x1b6be3 in fuzzer::Fuzzer::ShuffleAndMinimize() >>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:195:11 >>> #6 0x14477b in fuzzer::FuzzerDriver(std::vector<std::string, >>> std::allocator<std::string> > const&, fuzzer::UserSuppliedFuzzer&) >>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:303:3 >>> #7 0x14183f in fuzzer::FuzzerDriver(int, char**, >>> fuzzer::UserSuppliedFuzzer&) >>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:201:10 >>> #8 0x141427 in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned >>> char const*, unsigned int)) >>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:196:10 >>> #9 0x1873e3 in main >>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerMain.cpp:19:10 >>> #10 0xb6c86775 in __libc_start_main >>> /build/buildd/glibc-2.21/csu/libc-start.c:289 >>> >>> DEATH: >>> artifact_prefix='./'; Test unit written to >>> ./crash-ec9fa023e9db127e2589d0ab4c506055e4174611 >>> >>> >>> -- >>> -Brian >>> >> >> > > > -- > -Brian >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20151203/743dfa1e/attachment.html>
Brian Cain via llvm-dev
2015-Dec-03 19:14 UTC
[llvm-dev] fuzzer crash (but not the good kind)
Ah, yes -- you need to clone with --recursive. I will try the workaround though. On Dec 3, 2015 1:12 PM, "Kostya Serebryany" <kcc at google.com> wrote:> > > On Wed, Dec 2, 2015 at 7:17 PM, Brian Cain <brian.cain at gmail.com> wrote: > >> Kostya, >> >> Here's the git repo: https://bitbucket.org/ebadf/fuzzpy >> >> I've only tested it on arm7 and x86_64 linux, I expect there's a good >> chance it may not work on other OSs. >> >> If you can build it successfully ("./build.sh", requires clang and >> clang++ in your path), then you should run the "testemail" case like so: >> >> > Does not build for me out of the box: > > ./build.sh: line 70: ./configure: No such file or directory > > I wonder if a smaller test possible here. > Meanwhile, here is a workaround for you. > Instead of > SANITIZE_COV_OPTS="-fsanitize-coverage=bb,indirect-calls,8bit-counters" > try using > SANITIZE_COV_OPTS="-fsanitize-coverage=edge,indirect-calls" > > > while true; do ITERS=1000 ./run.sh tests/build/testemail >> tests/testemail/inputs/; done >> >> Let me know if you have any challenges building or running the test case. >> >> >> On Tue, Dec 1, 2015 at 7:26 PM, Kostya Serebryany <kcc at google.com> wrote: >> >>> Hi Brian, >>> Yes, looks like a bug in sanitizer coverage, please send the reproducer. >>> >>> On Tue, Dec 1, 2015 at 5:22 PM, Brian Cain <brian.cain at gmail.com> wrote: >>> >>>> >>>> Kostya, >>>> >>>> I think I've found what looks like a reproducible bug in libFuzzer. >>>> The code under test is built with ASan and the first ASan CHECK failure >>>> shows fuzzer in the stack trace. (see below) >>>> >>>> One of the factors that may be unique in my testing is that each >>>> iteration can take a very long time to execute (tens or hundreds of >>>> seconds). >>>> >>>> Let me know if you need more info, I think it shouldn't take much test >>>> time to reproduce this. >>>> >>>> ================== Job 2 exited with exit code 256 ===========>>>> Flag: verbosity 3 >>>> Flag: use_traces 1 >>>> Flag: timeout 100 >>>> Flag: max_len 16384 >>>> Seed: 3259211893 >>>> PreferSmall: 0 >>>> #0 READ units: 4975 exec/s: 0 >>>> #1 pulse cov: 32410 bits: 30791 indir: 714 units: 4975 exec/s: 0 >>>> NEW0: 32410 L 13869 >>>> ==31301==AddressSanitizer CHECK failed: >>>> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467 >>>> "((n % 16)) == ((0))" (0x1, 0x0) >>>> #0 0x11d3b7 in __asan::AsanCheckFailed(char const*, int, char >>>> const*, unsigned long long, unsigned long long) >>>> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:67:3 >>>> #1 0x122f1f in __sanitizer::CheckFailed(char const*, int, char >>>> const*, unsigned long long, unsigned long long) >>>> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159:5 >>>> #2 0x134317 in >>>> __sanitizer::CoverageData::Update8bitCounterBitsetAndClearCounters(unsigned >>>> char*) >>>> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467:5 >>>> #3 0x1b7b53 in fuzzer::Fuzzer::PrepareCoverageBeforeRun() >>>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:264:5 >>>> #4 0x1b501b in fuzzer::Fuzzer::RunOne(std::vector<unsigned char, >>>> std::allocator<unsigned char> > const&) >>>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:212:3 >>>> #5 0x1b6be3 in fuzzer::Fuzzer::ShuffleAndMinimize() >>>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:195:11 >>>> #6 0x14477b in fuzzer::FuzzerDriver(std::vector<std::string, >>>> std::allocator<std::string> > const&, fuzzer::UserSuppliedFuzzer&) >>>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:303:3 >>>> #7 0x14183f in fuzzer::FuzzerDriver(int, char**, >>>> fuzzer::UserSuppliedFuzzer&) >>>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:201:10 >>>> #8 0x141427 in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned >>>> char const*, unsigned int)) >>>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:196:10 >>>> #9 0x1873e3 in main >>>> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerMain.cpp:19:10 >>>> #10 0xb6c86775 in __libc_start_main >>>> /build/buildd/glibc-2.21/csu/libc-start.c:289 >>>> >>>> DEATH: >>>> artifact_prefix='./'; Test unit written to >>>> ./crash-ec9fa023e9db127e2589d0ab4c506055e4174611 >>>> >>>> >>>> -- >>>> -Brian >>>> >>> >>> >> >> >> -- >> -Brian >> > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20151203/4e99624f/attachment-0001.html>