[compiler-rt] r358306 - [libFuzzer] support -runs=N in the fork mode. Make sure we see one-line reports from ubsan in the fork mode. Test both

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Thu Apr 18 10:19:37 PDT 2019


thanks for the report, looking

On Thu, Apr 18, 2019 at 9:31 AM Russell Gallop <russell.gallop at gmail.com>
wrote:

> Hi Kostya,
>
> We're seeing the fork-ubsan test hang occasionally on Linux. After 17 runs
> on my local machine the test hangs. Here's the backtrace of the threads:
>
> Below "not" I see a process tree like:
> 13066 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
> -13080 llvm-symbolizer --inlining=true --default-arch=x86_64
> -13068 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
> -13067 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
>
> I've put backtraces from gdb below. Please could you take a look?
>
> Thanks
> Russ
>
> 13066 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
> #0  0x00007ffb347549d0 in __GI___nanosleep
> (requested_time=requested_time at entry=0x7ffff9a61140,
>     remaining=remaining at entry=0x7ffff9a61140) at
> ../sysdeps/unix/sysv/linux/nanosleep.c:28
> #1  0x00007ffb347548aa in __sleep (seconds=0, seconds at entry=1) at
> ../sysdeps/posix/sleep.c:55
> #2  0x000000000045f83a in fuzzer::SleepSeconds (Seconds=Seconds at entry=1)
>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp:132
> #3  0x00000000004369bf in fuzzer::FuzzWithFork (Rand=..., Options=...,
>     Args=std::vector of length 4, capacity 4 = {...}, CorpusDirs=...,
> NumJobs=<optimized out>)
>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerFork.cpp:285
> #4  0x000000000042c811 in fuzzer::FuzzerDriver (argc=argc at entry
> =0x7ffff9a61b8c,
>     argv=argv at entry=0x7ffff9a61b80, Callback=0x5331c0
> <LLVMFuzzerTestOneInput>)
>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:731
> #5  0x000000000041e193 in main (argc=<optimized out>, argv=<optimized out>)
>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19
>
> 13080 - llvm-symbolizer --inlining=true --default-arch=x86_64
> #0  0x00007f7f48750081 in __GI___libc_read (fd=0, buf=0x7fffd6d97f00,
> nbytes=4096)
>     at ../sysdeps/unix/sysv/linux/read.c:27
> #1  0x00007f7f486cd148 in _IO_new_file_underflow (fp=0x7f7f48a2ba00
> <_IO_2_1_stdin_>) at fileops.c:531
> #2  0x00007f7f486ce3f2 in __GI__IO_default_uflow (fp=0x7f7f48a2ba00
> <_IO_2_1_stdin_>) at genops.c:380
> #3  0x00007f7f486bfe62 in __GI__IO_getline_info (eof=0x0,
> extract_delim=<optimized out>, delim=10,
>     n=1023,
>     buf=0x7fffdf94aa10
> "\".../llvm/projects/compiler-rt/test/fuzzer/Output/fork-ubsan.test.tmp-IntegerOverflowTest\"
> 0x5331c0\n", fp=0x7f7f48a2ba00 <_IO_2_1_stdin_>, fp at entry=0x0)
>     at iogetline.c:60
> #4  __GI__IO_getline (fp=fp at entry=0x7f7f48a2ba00 <_IO_2_1_stdin_>,
>     buf=buf at entry=0x7fffdf94aa10
> "\".../llvm/projects/compiler-rt/test/fuzzer/Output/fork-ubsan.test.tmp-IntegerOverflowTest\"
> 0x5331c0\n", n=<optimized out>, delim=delim at entry=10,
>     extract_delim=extract_delim at entry=1) at iogetline.c:34
> #5  0x00007f7f486bebcd in _IO_fgets (
>     buf=0x7fffdf94aa10
> "\".../llvm/projects/compiler-rt/test/fuzzer/Output/fork-ubsan.test.tmp-IntegerOverflowTest\"
> 0x5331c0\n", n=<optimized out>, fp=0x7f7f48a2ba00 <_IO_2_1_stdin_>)
>     at iofgets.c:53
> #6  0x00007f7f49dbd331 in main ()
>
> 13068 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
> #0  0x00007ffb347549d0 in __GI___nanosleep
> (requested_time=requested_time at entry=0x7ffb2f53fdc0,
>     remaining=remaining at entry=0x7ffb2f53fdc0) at
> ../sysdeps/unix/sysv/linux/nanosleep.c:28
> #1  0x00007ffb347548aa in __sleep (seconds=0, seconds at entry=1) at
> ../sysdeps/posix/sleep.c:55
> #2  0x000000000045f83a in fuzzer::SleepSeconds (Seconds=Seconds at entry=1)
>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp:132
> #3  0x0000000000433e33 in fuzzer::WorkerThread (Stop=0x7ffff9a611e7,
> FuzzQ=0x7ffff9a61270,
>     MergeQ=0x7ffff9a612f0)
>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerFork.cpp:225
> #4  0x00007ffb3572d57f in ?? () from
> /usr/lib/x86_64-linux-gnu/libstdc++.so.6
> #5  0x00007ffb350b76db in start_thread (arg=0x7ffb2f540700) at
> pthread_create.c:463
> #6  0x00007ffb3479188f in clone () at
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
>
> 13067 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
> #0  0x00007ffb347549d0 in __GI___nanosleep
> (requested_time=requested_time at entry=0x7ffb2fd4fe00,
>     remaining=remaining at entry=0x7ffb2fd4fe00) at
> ../sysdeps/unix/sysv/linux/nanosleep.c:28
> #1  0x00007ffb347548aa in __sleep (seconds=0, seconds at entry=1) at
> ../sysdeps/posix/sleep.c:55
> #2  0x000000000045f83a in fuzzer::SleepSeconds (Seconds=Seconds at entry=1)
>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp:132
> #3  0x000000000041f7aa in fuzzer::RssThread (F=0x617000000080,
> RssLimitMb=2048)
>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:269
> #4  0x00007ffb3572d57f in ?? () from
> /usr/lib/x86_64-linux-gnu/libstdc++.so.6
> #5  0x00007ffb350b76db in start_thread (arg=0x7ffb2fd50700) at
> pthread_create.c:463
> #6  0x00007ffb3479188f in clone () at
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
>
> On Fri, 12 Apr 2019 at 21:19, Kostya Serebryany via llvm-commits <
> llvm-commits at lists.llvm.org> wrote:
>
>> Author: kcc
>> Date: Fri Apr 12 13:20:57 2019
>> New Revision: 358306
>>
>> URL: http://llvm.org/viewvc/llvm-project?rev=358306&view=rev
>> Log:
>> [libFuzzer] support -runs=N in the fork mode. Make sure we see one-line
>> reports from ubsan in the fork mode. Test both
>>
>> Added:
>>     compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp
>>     compiler-rt/trunk/test/fuzzer/fork-ubsan.test
>> Modified:
>>     compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp
>>
>> Modified: compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp
>> URL:
>> http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp?rev=358306&r1=358305&r2=358306&view=diff
>>
>> ==============================================================================
>> --- compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp (original)
>> +++ compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp Fri Apr 12 13:20:57 2019
>> @@ -103,6 +103,7 @@ struct GlobalEnv {
>>    FuzzJob *CreateNewJob(size_t JobId) {
>>      Command Cmd(Args);
>>      Cmd.removeFlag("fork");
>> +    Cmd.removeFlag("runs");
>>      for (auto &C : CorpusDirs) // Remove all corpora from the args.
>>        Cmd.removeArgument(C);
>>      Cmd.addFlag("reload", "0");  // working in an isolated dir, no
>> reload.
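Review bot: `Cmd.removeFlag("runs")` strips -runs from every child job with no comment saying why, unlike the neighbouring `reload` line which explains itself. Worth one: the parent now enforces the run budget itself through Env.NumRuns, so a child that still saw -runs=N would stop after N of its own executions and the aggregate count would behave differently from what the user asked for. Suggest `Cmd.removeFlag("runs"); // -runs is enforced by the parent (Env.NumRuns), not per job.`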
>> @@ -278,7 +279,8 @@ void FuzzWithFork(Random &Rand, const Fu
>>          std::ifstream In(Job->LogPath);
>>          std::string Line;
>>          while (std::getline(In, Line, '\n'))
>> -          if (Line.find("ERROR:") != Line.npos)
>> +          if (Line.find("ERROR:") != Line.npos ||
>> +              Line.find("runtime error:") != Line.npos)
>>              Printf("%s\n", Line.c_str());
>>        } else {
>>          // And exit if we don't ignore this crash.
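Review bot: the new `Line.find("runtime error:")` test is a bare substring match over every line of the child log, so any log line that happens to contain that text is echoed and nothing ties it to UBSan in particular; a comment naming the source of each string ("runtime error:" is the prefix of UBSan's one-line report, "ERROR:" covers the other sanitizers' reports) would help the next reader. Also note that with -ignore_crashes=1 this loop prints the matching line for every job that hits the same report, which is what the new test wants but can flood the parent's output when the UB is triggered often.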
>> @@ -298,6 +300,12 @@ void FuzzWithFork(Random &Rand, const Fu
>>               Env.secondsSinceProcessStartUp());
>>        Stop = true;
>>      }
>> +    if (Options.MaxNumberOfRuns >= 0 && !Stop &&
>> +        Env.NumRuns >= Options.MaxNumberOfRuns) {
>> +      Printf("INFO: fuzzed for %zd iterations, wrapping up soon\n",
>> +             Env.NumRuns);
>> +      Stop = true;
>> +    }
>>
>>      if (!Stop)
>>        FuzzQ.Push(Env.CreateNewJob(JobId++));
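Review bot: the new stop condition's guard `Options.MaxNumberOfRuns >= 0` assumes the "unlimited" default of -runs is negative; please confirm that is the flag's default, since a default of 0 would make the fork loop wrap up on its first pass. Also, because the check only runs after a job has been reaped, the total number of executions can overshoot MaxNumberOfRuns by whatever the jobs still in flight execute; the "wrapping up soon" wording hints at that, but a one-line comment above the `if` saying the -runs limit is approximate in fork mode would head off reports that -runs=N ran more than N inputs.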
>>
>> Added: compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp
>> URL:
>> http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp?rev=358306&view=auto
>>
>> ==============================================================================
>> --- compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp (added)
>> +++ compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp Fri Apr 12
>> 13:20:57 2019
>> @@ -0,0 +1,17 @@
>> +// Part of the LLVM Project, under the Apache License v2.0 with LLVM
>> Exceptions.
>> +// See https://llvm.org/LICENSE.txt for license information.
>> +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
>> +
>> +// Simple test for a fuzzer. The fuzzer must find the string "Hi" and
>> cause an
>> +// integer overflow.
>> +#include <cstddef>
>> +#include <cstdint>
>> +
>> +static int Val = 1 << 30;
>> +
>> +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
>> +  if (Size >= 2 && Data[0] == 'H' && Data[1] == 'i')
>> +    Val += Val;
>> +  return 0;
>> +}
>> +
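Review bot: the overflow operands hard-coded in fork-ubsan.test (`1073741824 + 1073741824`) depend on `Val` still being `1 << 30` when the first overflowing input arrives; since `Val += Val` mutates process-global state, the expectation only holds because -fno-sanitize-recover makes the first report fatal. A comment next to `static int Val = 1 << 30;` stating that the test relies on the first overflow terminating the process would make that coupling explicit. Minor: the header comment says the fuzzer must "find the string "Hi"", but the check is on the first two bytes only, so any input starting with "Hi" triggers it; consider wording it that way.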
>>
>> Added: compiler-rt/trunk/test/fuzzer/fork-ubsan.test
>> URL:
>> http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/fuzzer/fork-ubsan.test?rev=358306&view=auto
>>
>> ==============================================================================
>> --- compiler-rt/trunk/test/fuzzer/fork-ubsan.test (added)
>> +++ compiler-rt/trunk/test/fuzzer/fork-ubsan.test Fri Apr 12 13:20:57 2019
>> @@ -0,0 +1,6 @@
>> +# UNSUPPORTED: darwin, freebsd
>> +# Tests how the fork mode works together with ubsan.
>> +RUN: %cpp_compiler %S/IntegerOverflowTest.cpp -o %t-IntegerOverflowTest
>> -fsanitize=signed-integer-overflow
>> -fno-sanitize-recover=signed-integer-overflow
>> +RUN: not %run %t-IntegerOverflowTest -fork=1 -ignore_crashes=1
>> -runs=10000 2>&1 | FileCheck %s --check-prefix=UBSAN_FORK
>> +UBSAN_FORK: runtime error: signed integer overflow: 1073741824 +
>> 1073741824 cannot be represented in type 'int'
>> +UBSAN_FORK: INFO: fuzzed for {{.*}} iterations, wrapping up soon
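Review bot: the first `UBSAN_FORK:` line requires the fuzzer to find an input starting with "Hi" within the fixed -runs=10000 budget; if it does not, the FileCheck match fails rather than the test timing out, so the run bound doubles as the flakiness knob and a comment saying so would help whoever has to raise it. The `UNSUPPORTED: darwin, freebsd` line gives no reason; please add one so it can be revisited later. Separately, the hang reported earlier in this thread shows the parent sleeping in FuzzWithFork (FuzzerFork.cpp:285) while a child's llvm-symbolizer sits in fgets on stdin; this test carries no timeout of its own, so a child stuck that way wedges the whole lit run, which is worth keeping in mind while diagnosing.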
>>
>>
>> _______________________________________________
>> llvm-commits mailing list
>> llvm-commits at lists.llvm.org
>> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits
>>
>