[compiler-rt] r358306 - [libFuzzer] support -runs=N in the fork mode. Make sure we see one-line reports from ubsan in the fork mode. Test both

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Thu Apr 18 18:39:14 PDT 2019


should be fixed in r358726/r358727.
This was a real (minor) bug uncovered by the test.
thanks again for reporting.

--kcc

On Thu, Apr 18, 2019 at 10:19 AM Kostya Serebryany <kcc at google.com> wrote:

> thanks for the report, looking
>
> On Thu, Apr 18, 2019 at 9:31 AM Russell Gallop <russell.gallop at gmail.com>
> wrote:
>
>> Hi Kostya,
>>
>> We're seeing the fork-ubsan test hang occasionally on Linux. After 17
>> runs on my local machine the test hangs. Here's the backtrace of the
>> threads:
>>
>> Below "not" I see a process tree like:
>> 13066 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
>> -13080 llvm-symbolizer --inlining=true --default-arch=x86_64
>> -13068 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
>> -13067 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
>>
>> I've put backtraces from gdb below. Please could you take a look?
>>
>> Thanks
>> Russ
>>
>> 13066 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
>> #0  0x00007ffb347549d0 in __GI___nanosleep
>> (requested_time=requested_time at entry=0x7ffff9a61140,
>>     remaining=remaining at entry=0x7ffff9a61140) at
>> ../sysdeps/unix/sysv/linux/nanosleep.c:28
>> #1  0x00007ffb347548aa in __sleep (seconds=0, seconds at entry=1) at
>> ../sysdeps/posix/sleep.c:55
>> #2  0x000000000045f83a in fuzzer::SleepSeconds (Seconds=Seconds at entry=1)
>>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp:132
>> #3  0x00000000004369bf in fuzzer::FuzzWithFork (Rand=..., Options=...,
>>     Args=std::vector of length 4, capacity 4 = {...}, CorpusDirs=...,
>> NumJobs=<optimized out>)
>>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerFork.cpp:285
>> #4  0x000000000042c811 in fuzzer::FuzzerDriver (argc=argc at entry
>> =0x7ffff9a61b8c,
>>     argv=argv at entry=0x7ffff9a61b80, Callback=0x5331c0
>> <LLVMFuzzerTestOneInput>)
>>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:731
>> #5  0x000000000041e193 in main (argc=<optimized out>, argv=<optimized
>> out>)
>>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19
>>
>> 13080 - llvm-symbolizer --inlining=true --default-arch=x86_64
>> #0  0x00007f7f48750081 in __GI___libc_read (fd=0, buf=0x7fffd6d97f00,
>> nbytes=4096)
>>     at ../sysdeps/unix/sysv/linux/read.c:27
>> #1  0x00007f7f486cd148 in _IO_new_file_underflow (fp=0x7f7f48a2ba00
>> <_IO_2_1_stdin_>) at fileops.c:531
>> #2  0x00007f7f486ce3f2 in __GI__IO_default_uflow (fp=0x7f7f48a2ba00
>> <_IO_2_1_stdin_>) at genops.c:380
>> #3  0x00007f7f486bfe62 in __GI__IO_getline_info (eof=0x0,
>> extract_delim=<optimized out>, delim=10,
>>     n=1023,
>>     buf=0x7fffdf94aa10
>> "\".../llvm/projects/compiler-rt/test/fuzzer/Output/fork-ubsan.test.tmp-IntegerOverflowTest\"
>> 0x5331c0\n", fp=0x7f7f48a2ba00 <_IO_2_1_stdin_>, fp at entry=0x0)
>>     at iogetline.c:60
>> #4  __GI__IO_getline (fp=fp at entry=0x7f7f48a2ba00 <_IO_2_1_stdin_>,
>>     buf=buf at entry=0x7fffdf94aa10
>> "\".../llvm/projects/compiler-rt/test/fuzzer/Output/fork-ubsan.test.tmp-IntegerOverflowTest\"
>> 0x5331c0\n", n=<optimized out>, delim=delim at entry=10,
>>     extract_delim=extract_delim at entry=1) at iogetline.c:34
>> #5  0x00007f7f486bebcd in _IO_fgets (
>>     buf=0x7fffdf94aa10
>> "\".../llvm/projects/compiler-rt/test/fuzzer/Output/fork-ubsan.test.tmp-IntegerOverflowTest\"
>> 0x5331c0\n", n=<optimized out>, fp=0x7f7f48a2ba00 <_IO_2_1_stdin_>)
>>     at iofgets.c:53
>> #6  0x00007f7f49dbd331 in main ()
>>
>> 13068 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
>> #0  0x00007ffb347549d0 in __GI___nanosleep
>> (requested_time=requested_time at entry=0x7ffb2f53fdc0,
>>     remaining=remaining at entry=0x7ffb2f53fdc0) at
>> ../sysdeps/unix/sysv/linux/nanosleep.c:28
>> #1  0x00007ffb347548aa in __sleep (seconds=0, seconds at entry=1) at
>> ../sysdeps/posix/sleep.c:55
>> #2  0x000000000045f83a in fuzzer::SleepSeconds (Seconds=Seconds at entry=1)
>>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp:132
>> #3  0x0000000000433e33 in fuzzer::WorkerThread (Stop=0x7ffff9a611e7,
>> FuzzQ=0x7ffff9a61270,
>>     MergeQ=0x7ffff9a612f0)
>>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerFork.cpp:225
>> #4  0x00007ffb3572d57f in ?? () from
>> /usr/lib/x86_64-linux-gnu/libstdc++.so.6
>> #5  0x00007ffb350b76db in start_thread (arg=0x7ffb2f540700) at
>> pthread_create.c:463
>> #6  0x00007ffb3479188f in clone () at
>> ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
>>
>> 13067 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
>> #0  0x00007ffb347549d0 in __GI___nanosleep
>> (requested_time=requested_time at entry=0x7ffb2fd4fe00,
>>     remaining=remaining at entry=0x7ffb2fd4fe00) at
>> ../sysdeps/unix/sysv/linux/nanosleep.c:28
>> #1  0x00007ffb347548aa in __sleep (seconds=0, seconds at entry=1) at
>> ../sysdeps/posix/sleep.c:55
>> #2  0x000000000045f83a in fuzzer::SleepSeconds (Seconds=Seconds at entry=1)
>>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp:132
>> #3  0x000000000041f7aa in fuzzer::RssThread (F=0x617000000080,
>> RssLimitMb=2048)
>>     at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:269
>> #4  0x00007ffb3572d57f in ?? () from
>> /usr/lib/x86_64-linux-gnu/libstdc++.so.6
>> #5  0x00007ffb350b76db in start_thread (arg=0x7ffb2fd50700) at
>> pthread_create.c:463
>> #6  0x00007ffb3479188f in clone () at
>> ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
>>
>> On Fri, 12 Apr 2019 at 21:19, Kostya Serebryany via llvm-commits <
>> llvm-commits at lists.llvm.org> wrote:
>>
>>> Author: kcc
>>> Date: Fri Apr 12 13:20:57 2019
>>> New Revision: 358306
>>>
>>> URL: http://llvm.org/viewvc/llvm-project?rev=358306&view=rev
>>> Log:
>>> [libFuzzer] support -runs=N in the fork mode. Make sure we see one-line
>>> reports from ubsan in the fork mode. Test both
>>>
>>> Added:
>>>     compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp
>>>     compiler-rt/trunk/test/fuzzer/fork-ubsan.test
>>> Modified:
>>>     compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp
>>>
>>> Modified: compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp
>>> URL:
>>> http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp?rev=358306&r1=358305&r2=358306&view=diff
>>>
>>> ==============================================================================
>>> --- compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp (original)
>>> +++ compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp Fri Apr 12 13:20:57 2019
>>> @@ -103,6 +103,7 @@ struct GlobalEnv {
>>>    FuzzJob *CreateNewJob(size_t JobId) {
>>>      Command Cmd(Args);
>>>      Cmd.removeFlag("fork");
>>> +    Cmd.removeFlag("runs");
>>>      for (auto &C : CorpusDirs) // Remove all corpora from the args.
>>>        Cmd.removeArgument(C);
>>>      Cmd.addFlag("reload", "0");  // working in an isolated dir, no
>>> reload.
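Review bot: a short comment on the new `Cmd.removeFlag("runs");` line would help, matching the comments on the neighbouring lines: the flag is stripped because the parent now enforces the global -runs limit itself (the Env.NumRuns check added further down in FuzzWithFork), so each child job runs without a -runs bound of its own. Without that note a reader could take the removal for an accidental drop of the limit.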
>>> @@ -278,7 +279,8 @@ void FuzzWithFork(Random &Rand, const Fu
>>>          std::ifstream In(Job->LogPath);
>>>          std::string Line;
>>>          while (std::getline(In, Line, '\n'))
>>> -          if (Line.find("ERROR:") != Line.npos)
>>> +          if (Line.find("ERROR:") != Line.npos ||
>>> +              Line.find("runtime error:") != Line.npos)
>>>              Printf("%s\n", Line.c_str());
>>>        } else {
>>>          // And exit if we don't ignore this crash.
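Review bot: the substring tests on `Line.find("ERROR:")` and `Line.find("runtime error:")` are duplicated magic-string matching; hoisting them into a small predicate that answers whether a log line is a sanitizer report keeps both spellings in one place for the next prefix that needs echoing. Also, every matching line of the job log is printed with no cap, so a target built with a recoverable UBSan check that trips many times in one job would flood the parent's output; a per-job cap or de-duplication on the line text is worth considering.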
>>> @@ -298,6 +300,12 @@ void FuzzWithFork(Random &Rand, const Fu
>>>               Env.secondsSinceProcessStartUp());
>>>        Stop = true;
>>>      }
>>> +    if (Options.MaxNumberOfRuns >= 0 && !Stop &&
>>> +        Env.NumRuns >= Options.MaxNumberOfRuns) {
>>> +      Printf("INFO: fuzzed for %zd iterations, wrapping up soon\n",
>>> +             Env.NumRuns);
>>> +      Stop = true;
>>> +    }
>>>
>>>      if (!Stop)
>>>        FuzzQ.Push(Env.CreateNewJob(JobId++));
>>>
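Review bot: the new stop condition `Env.NumRuns >= Options.MaxNumberOfRuns` is only evaluated at this point in the loop, after a finished job has been accounted for, so the total can overshoot -runs=N by the runs of the jobs already queued in FuzzQ or still executing; the "wrapping up soon" wording is honest about that, but a comment stating that -runs is a soft limit in fork mode would save the next reader from assuming it is exact. Two smaller points: `>= 0` treats -runs=0 as "stop after the first completed job", which is only right if the unlimited sentinel for MaxNumberOfRuns is negative (please confirm that matches the default), and `%zd` is the signed size format, so if Env.NumRuns is a size_t the format should be `%zu`.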
>>> Added: compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp
>>> URL:
>>> http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp?rev=358306&view=auto
>>>
>>> ==============================================================================
>>> --- compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp (added)
>>> +++ compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp Fri Apr 12
>>> 13:20:57 2019
>>> @@ -0,0 +1,17 @@
>>> +// Part of the LLVM Project, under the Apache License v2.0 with LLVM
>>> Exceptions.
>>> +// See https://llvm.org/LICENSE.txt for license information.
>>> +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
>>> +
>>> +// Simple test for a fuzzer. The fuzzer must find the string "Hi" and
>>> cause an
>>> +// integer overflow.
>>> +#include <cstddef>
>>> +#include <cstdint>
>>> +
>>> +static int Val = 1 << 30;
>>> +
>>> +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
>>> {
>>> +  if (Size >= 2 && Data[0] == 'H' && Data[1] == 'i')
>>> +    Val += Val;
>>> +  return 0;
>>> +}
>>> +
>>>
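Review bot: the comment in IntegerOverflowTest.cpp should say why `Val` starts at `1 << 30`: the first `Val += Val` on a matching input computes 2^30 + 2^30 = 2^31, one past INT_MAX, so the overflow fires on the very first "Hi" input, and the expected message in fork-ubsan.test ("1073741824 + 1073741824 cannot be represented in type 'int'") depends on that exact starting value. Anyone changing the initial value or the operation must update the CHECK line in step; worth saying at the definition.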
>>> Added: compiler-rt/trunk/test/fuzzer/fork-ubsan.test
>>> URL:
>>> http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/fuzzer/fork-ubsan.test?rev=358306&view=auto
>>>
>>> ==============================================================================
>>> --- compiler-rt/trunk/test/fuzzer/fork-ubsan.test (added)
>>> +++ compiler-rt/trunk/test/fuzzer/fork-ubsan.test Fri Apr 12 13:20:57
>>> 2019
>>> @@ -0,0 +1,6 @@
>>> +# UNSUPPORTED: darwin, freebsd
>>> +# Tests how the fork mode works together with ubsan.
>>> +RUN: %cpp_compiler %S/IntegerOverflowTest.cpp -o %t-IntegerOverflowTest
>>> -fsanitize=signed-integer-overflow
>>> -fno-sanitize-recover=signed-integer-overflow
>>> +RUN: not %run %t-IntegerOverflowTest -fork=1 -ignore_crashes=1
>>> -runs=10000 2>&1 | FileCheck %s --check-prefix=UBSAN_FORK
>>> +UBSAN_FORK: runtime error: signed integer overflow: 1073741824 +
>>> 1073741824 cannot be represented in type 'int'
>>> +UBSAN_FORK: INFO: fuzzed for {{.*}} iterations, wrapping up soon
>>>
>>>
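Review bot: the RUN line in fork-ubsan.test has no time bound: it relies solely on -runs=10000 to end the fork loop, so if the fork mode ever fails to reach the run limit the test hangs instead of failing, which is the symptom reported earlier in this thread. A generous -max_total_time backstop (large enough that the -runs limit still fires first in the normal case), or a note that lit's own timeout is the safety net, would turn a scheduling regression into a failed test rather than a stuck one. The `# UNSUPPORTED: darwin, freebsd` line would also benefit from a word on why those targets are excluded.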
>>> _______________________________________________
>>> llvm-commits mailing list
>>> llvm-commits at lists.llvm.org
>>> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-commits
>>>
>>