[llvm] r298755 - [libFuzzer] read asan's dedup_token while minimizing a crash and stop minimization if another bug was found during minimization (https://github.com/google/oss-fuzz/issues/452)
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Fri Mar 24 17:56:08 PDT 2017
Author: kcc
Date: Fri Mar 24 19:56:08 2017
New Revision: 298755
URL: http://llvm.org/viewvc/llvm-project?rev=298755&view=rev
Log:
[libFuzzer] read asan's dedup_token while minimizing a crash and stop minimization if another bug was found during minimization (https://github.com/google/oss-fuzz/issues/452)
Added:
llvm/trunk/lib/Fuzzer/test/minimize_two_crashes.test
Modified:
llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
Modified: llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp?rev=298755&r1=298754&r2=298755&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp Fri Mar 24 19:56:08 2017
@@ -278,6 +278,17 @@ static bool AllInputsAreFiles() {
return true;
}
+static std::string GetDedupTokenFromFile(const std::string &Path) {
+ auto S = FileToString(Path);
+ auto Beg = S.find("DEDUP_TOKEN:");
+ if (Beg == std::string::npos)
+ return "";
+ auto End = S.find('\n', Beg);
+ if (End == std::string::npos)
+ return "";
+ return S.substr(Beg, End - Beg);
+}
+
int MinimizeCrashInput(const std::vector<std::string> &Args,
const FuzzingOptions &Options) {
if (Inputs->size() != 1) {
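Review bot: In `GetDedupTokenFromFile`, a `DEDUP_TOKEN:` line that ends the log without a trailing newline is discarded, because the `End == std::string::npos` branch returns `""`. A log cut short (for example when the child is killed mid-report) then looks like "no token", and the caller either reports a false mismatch or, if both runs are affected, keeps minimizing with no dedup check at all. Taking the rest of the buffer is safer: `if (End == std::string::npos) End = S.size();`. Note also that `find` takes the first occurrence, and the log holds the target's own stdout and stderr as well as the sanitizer report, so a target that prints the marker itself would shadow the real token. A one-line comment stating that the function returns the first marker line, or an empty string when none is found, would make that contract explicit.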
@@ -296,7 +307,10 @@ int MinimizeCrashInput(const std::vector
"INFO: defaulting to -max_total_time=600\n");
BaseCmd += " -max_total_time=600";
}
- // BaseCmd += " > /dev/null 2>&1 ";
+
+ auto LogFilePath = DirPlusFile(
+ TmpDir(), "libFuzzerTemp." + std::to_string(GetPid()) + ".txt");
+ auto LogFileRedirect = " > " + LogFilePath + " 2>&1 ";
std::string CurrentFilePath = InputFilePath;
while (true) {
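Review bot: `LogFilePath` is a predictable name (`libFuzzerTemp.<pid>.txt`) inside the shared `TmpDir()`, and the shell opens it with `>`, so a pre-existing file or symlink of that name is followed and truncated with the privileges of the fuzzing process (CWE-377). On a multi-user host the crash log is also created with whatever the default umask allows, so other local accounts may be able to read it. Creating the log exclusively under an unpredictable name, or inside a directory private to this process, avoids both. The path is also spliced unquoted into `LogFileRedirect`, which is appended to `Cmd` in the next hunk, so a temp directory containing spaces or shell metacharacters changes the command that `ExecuteCommand` runs. The body of `MinimizeCrashInput` continues outside this hunk.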
@@ -304,7 +318,7 @@ int MinimizeCrashInput(const std::vector
Printf("CRASH_MIN: minimizing crash input: '%s' (%zd bytes)\n",
CurrentFilePath.c_str(), U.size());
- auto Cmd = BaseCmd + " " + CurrentFilePath;
+ auto Cmd = BaseCmd + " " + CurrentFilePath + LogFileRedirect;
Printf("CRASH_MIN: executing: %s\n", Cmd.c_str());
int ExitCode = ExecuteCommand(Cmd);
@@ -315,6 +329,9 @@ int MinimizeCrashInput(const std::vector
Printf("CRASH_MIN: '%s' (%zd bytes) caused a crash. Will try to minimize "
"it further\n",
CurrentFilePath.c_str(), U.size());
+ auto DedupToken1 = GetDedupTokenFromFile(LogFilePath);
+ if (!DedupToken1.empty())
+ Printf("CRASH_MIN: DedupToken1: %s\n", DedupToken1.c_str());
std::string ArtifactPath =
Flags.exact_artifact_path
@@ -324,6 +341,7 @@ int MinimizeCrashInput(const std::vector
ArtifactPath;
Printf("CRASH_MIN: executing: %s\n", Cmd.c_str());
ExitCode = ExecuteCommand(Cmd);
+ CopyFileToErr(LogFilePath);
if (ExitCode == 0) {
if (Flags.exact_artifact_path) {
CurrentFilePath = Flags.exact_artifact_path;
@@ -331,11 +349,26 @@ int MinimizeCrashInput(const std::vector
}
Printf("CRASH_MIN: failed to minimize beyond %s (%d bytes), exiting\n",
CurrentFilePath.c_str(), U.size());
- return 0;
+ break;
+ }
+ auto DedupToken2 = GetDedupTokenFromFile(LogFilePath);
+ if (!DedupToken2.empty())
+ Printf("CRASH_MIN: DedupToken2: %s\n", DedupToken2.c_str());
+
+ if (DedupToken1 != DedupToken2) {
+ if (Flags.exact_artifact_path) {
+ CurrentFilePath = Flags.exact_artifact_path;
+ WriteToFile(U, CurrentFilePath);
+ }
+ Printf("CRASH_MIN: mismatch in dedup tokens"
+ " (looks like a different bug). Won't minimize further\n");
+ break;
}
+
CurrentFilePath = ArtifactPath;
- Printf("\n\n\n\n\n\n*********************************\n");
+ Printf("*********************************\n");
}
+ RemoveFile(LogFilePath);
return 0;
}
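Review bot: The mismatch branch needs comments, because neither the write-back of `U` nor the handling of a missing token is obvious from the code. Suggested above `if (DedupToken1 != DedupToken2)`: `// Empty tokens compare equal, so with no DEDUP_TOKEN in either log this check never fires.`, and inside the branch: `// The internal step presumably overwrote exact_artifact_path; restore the input that reproduces the original bug.` `RemoveFile(LogFilePath)` runs only when the loop is left by `break`, so any exit path of `MinimizeCrashInput` outside this hunk would leave the log behind in the temp directory. Separately, the context line `Printf("CRASH_MIN: failed to minimize beyond %s (%d bytes), exiting\n", ...)` passes `U.size()` to `%d`, while the other messages use `%zd`.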
Added: llvm/trunk/lib/Fuzzer/test/minimize_two_crashes.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/minimize_two_crashes.test?rev=298755&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/minimize_two_crashes.test (added)
+++ llvm/trunk/lib/Fuzzer/test/minimize_two_crashes.test Fri Mar 24 19:56:08 2017
@@ -0,0 +1,16 @@
+# Test that the minimizer stops when it sees a differe bug.
+
+RUN: rm -rf %t && mkdir %t
+RUN: echo H12345678901234667888090 > %t/long_crash
+RUN: ASAN_OPTIONS=dedup_token_length=3 LLVMFuzzer-TwoDifferentBugsTest -seed=1 -minimize_crash=1 %t/long_crash -exact_artifact_path=%t/result 2>&1 | FileCheck %s
+
+CHECK: DedupToken1: DEDUP_TOKEN: Bar
+CHECK: DedupToken2: DEDUP_TOKEN: Bar
+CHECK: DedupToken1: DEDUP_TOKEN: Bar
+CHECK: DedupToken2: DEDUP_TOKEN: Foo
+CHECK: CRASH_MIN: mismatch in dedup tokens
+
+RUN: not LLVMFuzzer-TwoDifferentBugsTest %t/result 2>&1 | FileCheck %s --check-prefix=VERIFY
+
+VERIFY: ERROR: AddressSanitizer:
+VERIFY: in Bar
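Review bot: The header comment has a typo, `differe`; it should read `# Test that the minimizer stops when it sees a different bug.`. The four `DedupToken` CHECK lines also pin the exact order in which `-seed=1` reaches `Bar` and `Foo`, so a change in the mutation sequence may fail the test for reasons unrelated to the dedup logic. A comment above the CHECK block saying that the sequence depends on the seed would help whoever has to update it.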