[llvm-bugs] [Bug 38422] New: Investigate why 3 (disabled) tests hang on AArch64

via llvm-bugs llvm-bugs at lists.llvm.org
Thu Aug 2 06:27:34 PDT 2018 

https://bugs.llvm.org/show_bug.cgi?id=38422

            Bug ID: 38422
           Summary: Investigate why 3 (disabled) tests hang on AArch64
           Product: compiler-rt
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: fuzzer
          Assignee: unassignedbugs at nondot.org
          Reporter: peter.smith at linaro.org
                CC: llvm-bugs at lists.llvm.org

This is a follow up from PR38034, where 3 libfuzzer tests were marked
unsupported on AArch64 as they were hanging. Ideally we would like to
understand why the tests are hanging on AArch64 and fix the underlying cause.

The 3 tests marked unsupported are:
countertest.test
fuzzer-oom.test
disable-leaks.test

I've investigated a little further to work out why the -timeout flag doesn't
abort the test. The -timeout flag is per run of the user callback and not the
overall test. As each run of the user callback is very fast (< 100ms) then we
are extremely unlikely to hit the 15s timeout. I've checked that
-max_total_time works. 

I've also been able to make the test pass at -O0 and -O1. This makes me
suspicious of the conditional instructions like cinc that are present in the
-O2 compilation of LLVMFuzzerTestOneInput. It is possible that the code
coverage isn't increasing when different paths of the cinc (increment) are
being taken and this is causing no new coverage information from being
generated.

Information copied from PR38034
When I run countertest.test on my Ubuntu 16.04 X86 box I very quickly get:
INFO: Seed: 1
INFO: Loaded 1 modules   (53 inline 8-bit counters): 53 [0x7e6f00, 0x7e6f35), 
INFO: Loaded 1 PC tables (53 PCs): 53 [0x5aaed0,0x5ab220), 
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 4 ft: 5 corp: 1/1b lim: 4 exec/s: 0 rss: 26Mb
#10     NEW    cov: 8 ft: 9 corp: 2/3b lim: 4 exec/s: 0 rss: 27Mb L: 2/2 MS: 3
CopyPart-ChangeBit-InsertByte-
#15     NEW    cov: 9 ft: 12 corp: 3/7b lim: 4 exec/s: 0 rss: 27Mb L: 4/4 MS: 5
CopyPart-ShuffleBytes-ShuffleBytes-InsertByte-CrossOver-
#1029   NEW    cov: 10 ft: 13 corp: 4/11b lim: 4 exec/s: 0 rss: 27Mb L: 4/4 MS:
4 ChangeBinInt-CopyPart-ChangeByte-CrossOver-
#1047   REDUCE cov: 10 ft: 13 corp: 4/10b lim: 4 exec/s: 0 rss: 27Mb L: 3/4 MS:
3 CopyPart-CopyPart-EraseBytes-
#1088   REDUCE cov: 10 ft: 13 corp: 4/9b lim: 4 exec/s: 0 rss: 27Mb L: 2/4 MS:
1 EraseBytes-
#1125   REDUCE cov: 11 ft: 14 corp: 5/10b lim: 4 exec/s: 0 rss: 27Mb L: 1/4 MS:
2 ShuffleBytes-EraseBytes-
#1338   REDUCE cov: 11 ft: 15 corp: 6/14b lim: 4 exec/s: 0 rss: 27Mb L: 4/4 MS:
3 InsertByte-CopyPart-ChangeBinInt-
#1764   REDUCE cov: 12 ft: 16 corp: 7/16b lim: 4 exec/s: 0 rss: 27Mb L: 2/4 MS:
1 ChangeByte-
#3772   NEW    cov: 12 ft: 19 corp: 8/22b lim: 6 exec/s: 0 rss: 27Mb L: 6/6 MS:
3 CMP-InsertByte-InsertByte- DE: "seed"-
#18577  NEW    cov: 12 ft: 20 corp: 9/28b lim: 6 exec/s: 0 rss: 28Mb L: 6/6 MS:
5 CrossOver-ShuffleBytes-ChangeBit-ChangeByte-ChangeBit-
BINGO!

When I run on aarch64 I get:
INFO: Seed: 1
INFO: Loaded 1 modules   (12 inline 8-bit counters): 12 [0x609080, 0x60908c), 
INFO: Loaded 1 PC tables (12 PCs): 12 [0x5c6b40,0x5c6c00), 
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 4 ft: 6 corp: 1/1b lim: 4 exec/s: 0 rss: 30Mb
#10     NEW    cov: 4 ft: 7 corp: 2/3b lim: 4 exec/s: 0 rss: 30Mb L: 2/2 MS: 3
CopyPart-ChangeBit-InsertByte-
#14     NEW    cov: 5 ft: 8 corp: 3/6b lim: 4 exec/s: 0 rss: 30Mb L: 3/3 MS: 4
CopyPart-ShuffleBytes-ShuffleBytes-InsertByte-
#17     NEW    cov: 5 ft: 9 corp: 4/10b lim: 4 exec/s: 0 rss: 31Mb L: 4/4 MS: 3
InsertByte-EraseBytes-CrossOver-
#2029   NEW    cov: 5 ft: 10 corp: 5/16b lim: 6 exec/s: 0 rss: 31Mb L: 6/6 MS:
2 CopyPart-CrossOver-
#6660   NEW    cov: 6 ft: 11 corp: 6/17b lim: 6 exec/s: 0 rss: 31Mb L: 1/6 MS:
1 ChangeByte-
#1048576        pulse  cov: 6 ft: 11 corp: 6/17b lim: 6 exec/s: 349525 rss:
78Mb
#2097152        pulse  cov: 6 ft: 11 corp: 6/17b lim: 6 exec/s: 349525 rss:
125Mb
#4194304        pulse  cov: 6 ft: 11 corp: 6/17b lim: 6 exec/s: 349525 rss:
219Mb
#8388608        pulse  cov: 6 ft: 11 corp: 6/17b lim: 6 exec/s: 335544 rss:
408Mb
#16777216       pulse  cov: 6 ft: 11 corp: 6/17b lim: 6 exec/s: 328965 rss:
785Mb
...
The pulses continue but at a much slower rate.

When I print out the printable characters in the output they don't seem to be
varying much from:
"
((((
((h(
(((h(
(((h(
(((h(
0
U0
U0
U0(
U10(
((((
(((
T((
T(%(
"

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20180802/55ae8fd0/attachment.html>

More information about the llvm-bugs mailing list