[compiler-rt] r358306 - [libFuzzer] support -runs=N in the fork mode. Make sure we see one-line reports from ubsan in the fork mode. Test both

Russell Gallop via llvm-commits llvm-commits at lists.llvm.org
Thu Apr 18 09:31:28 PDT 2019


Hi Kostya,

We're seeing the fork-ubsan test hang occasionally on Linux. After 17 runs
on my local machine the test hangs. Here's the backtrace of the threads:

Below "not" I see a process tree like:
13066 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
-13080 llvm-symbolizer --inlining=true --default-arch=x86_64
-13068 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
-13067 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000

I've put backtraces from gdb below. Please could you take a look?

Thanks
Russ

13066 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
#0  0x00007ffb347549d0 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffff9a61140, remaining=remaining@entry=0x7ffff9a61140) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
#1  0x00007ffb347548aa in __sleep (seconds=0, seconds@entry=1) at ../sysdeps/posix/sleep.c:55
#2  0x000000000045f83a in fuzzer::SleepSeconds (Seconds=Seconds@entry=1) at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp:132
#3  0x00000000004369bf in fuzzer::FuzzWithFork (Rand=..., Options=..., Args=std::vector of length 4, capacity 4 = {...}, CorpusDirs=..., NumJobs=<optimized out>) at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerFork.cpp:285
#4  0x000000000042c811 in fuzzer::FuzzerDriver (argc=argc@entry=0x7ffff9a61b8c, argv=argv@entry=0x7ffff9a61b80, Callback=0x5331c0 <LLVMFuzzerTestOneInput>) at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:731
#5  0x000000000041e193 in main (argc=<optimized out>, argv=<optimized out>) at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19

13080 - llvm-symbolizer --inlining=true --default-arch=x86_64
#0  0x00007f7f48750081 in __GI___libc_read (fd=0, buf=0x7fffd6d97f00, nbytes=4096) at ../sysdeps/unix/sysv/linux/read.c:27
#1  0x00007f7f486cd148 in _IO_new_file_underflow (fp=0x7f7f48a2ba00 <_IO_2_1_stdin_>) at fileops.c:531
#2  0x00007f7f486ce3f2 in __GI__IO_default_uflow (fp=0x7f7f48a2ba00 <_IO_2_1_stdin_>) at genops.c:380
#3  0x00007f7f486bfe62 in __GI__IO_getline_info (eof=0x0, extract_delim=<optimized out>, delim=10, n=1023, buf=0x7fffdf94aa10 "\".../llvm/projects/compiler-rt/test/fuzzer/Output/fork-ubsan.test.tmp-IntegerOverflowTest\" 0x5331c0\n", fp=0x7f7f48a2ba00 <_IO_2_1_stdin_>, fp@entry=0x0) at iogetline.c:60
#4  __GI__IO_getline (fp=fp@entry=0x7f7f48a2ba00 <_IO_2_1_stdin_>, buf=buf@entry=0x7fffdf94aa10 "\".../llvm/projects/compiler-rt/test/fuzzer/Output/fork-ubsan.test.tmp-IntegerOverflowTest\" 0x5331c0\n", n=<optimized out>, delim=delim@entry=10, extract_delim=extract_delim@entry=1) at iogetline.c:34
#5  0x00007f7f486bebcd in _IO_fgets (buf=0x7fffdf94aa10 "\".../llvm/projects/compiler-rt/test/fuzzer/Output/fork-ubsan.test.tmp-IntegerOverflowTest\" 0x5331c0\n", n=<optimized out>, fp=0x7f7f48a2ba00 <_IO_2_1_stdin_>) at iofgets.c:53
#6  0x00007f7f49dbd331 in main ()

13068 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
#0  0x00007ffb347549d0 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffb2f53fdc0, remaining=remaining@entry=0x7ffb2f53fdc0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
#1  0x00007ffb347548aa in __sleep (seconds=0, seconds@entry=1) at ../sysdeps/posix/sleep.c:55
#2  0x000000000045f83a in fuzzer::SleepSeconds (Seconds=Seconds@entry=1) at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp:132
#3  0x0000000000433e33 in fuzzer::WorkerThread (Stop=0x7ffff9a611e7, FuzzQ=0x7ffff9a61270, MergeQ=0x7ffff9a612f0) at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerFork.cpp:225
#4  0x00007ffb3572d57f in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x00007ffb350b76db in start_thread (arg=0x7ffb2f540700) at pthread_create.c:463
#6  0x00007ffb3479188f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

13067 IntegerOverflowTest -fork=1 -ignore_crashes=1 -runs=10000
#0  0x00007ffb347549d0 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffb2fd4fe00, remaining=remaining@entry=0x7ffb2fd4fe00) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
#1  0x00007ffb347548aa in __sleep (seconds=0, seconds@entry=1) at ../sysdeps/posix/sleep.c:55
#2  0x000000000045f83a in fuzzer::SleepSeconds (Seconds=Seconds@entry=1) at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp:132
#3  0x000000000041f7aa in fuzzer::RssThread (F=0x617000000080, RssLimitMb=2048) at .../llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:269
#4  0x00007ffb3572d57f in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x00007ffb350b76db in start_thread (arg=0x7ffb2fd50700) at pthread_create.c:463
#6  0x00007ffb3479188f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

On Fri, 12 Apr 2019 at 21:19, Kostya Serebryany via llvm-commits <
llvm-commits at lists.llvm.org> wrote:

> Author: kcc
> Date: Fri Apr 12 13:20:57 2019
> New Revision: 358306
>
> URL: http://llvm.org/viewvc/llvm-project?rev=358306&view=rev
> Log:
> [libFuzzer] support -runs=N in the fork mode. Make sure we see one-line
> reports from ubsan in the fork mode. Test both
>
> Added:
>     compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp
>     compiler-rt/trunk/test/fuzzer/fork-ubsan.test
> Modified:
>     compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp
>
> Modified: compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp
> URL:
> http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp?rev=358306&r1=358305&r2=358306&view=diff
>
> ==============================================================================
> --- compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp (original)
> +++ compiler-rt/trunk/lib/fuzzer/FuzzerFork.cpp Fri Apr 12 13:20:57 2019
> @@ -103,6 +103,7 @@ struct GlobalEnv {
>    FuzzJob *CreateNewJob(size_t JobId) {
>      Command Cmd(Args);
>      Cmd.removeFlag("fork");
> +    Cmd.removeFlag("runs");
>      for (auto &C : CorpusDirs) // Remove all corpora from the args.
>        Cmd.removeArgument(C);
>      Cmd.addFlag("reload", "0");  // working in an isolated dir, no reload.
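Review bot: `Cmd.removeFlag("runs");` is added without a comment, while the `reload` flag two lines below explains itself; since the parent now counts iterations across jobs in `Env.NumRuns` and stops on its own, a one-liner such as `// -runs is enforced by the parent across all jobs, not per child.` would stop the next reader from handing the full budget back to each child. It is also worth confirming that removeFlag matches the whole flag name rather than a prefix, so that only `-runs` itself is stripped from the child command line.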
> @@ -278,7 +279,8 @@ void FuzzWithFork(Random &Rand, const Fu
>          std::ifstream In(Job->LogPath);
>          std::string Line;
>          while (std::getline(In, Line, '\n'))
> -          if (Line.find("ERROR:") != Line.npos)
> +          if (Line.find("ERROR:") != Line.npos ||
> +              Line.find("runtime error:") != Line.npos)
>              Printf("%s\n", Line.c_str());
>        } else {
>          // And exit if we don't ignore this crash.
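Review bot: the new `Line.find("runtime error:") != Line.npos` is a bare substring match, so any log line that merely contains the phrase (for example target output that echoes its input) will be re-printed as though it were a sanitizer report. UBSan's one-line reports have the shape `<file>:<line>:<col>: runtime error: ...`, so matching on `": runtime error:"` would be tighter and still satisfy the UBSAN_FORK check added in fork-ubsan.test. A short comment naming UBSan as the source of this pattern, next to the existing `ERROR:` match that covers the ASan/MSan-style summaries, would also help.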
> @@ -298,6 +300,12 @@ void FuzzWithFork(Random &Rand, const Fu
>               Env.secondsSinceProcessStartUp());
>        Stop = true;
>      }
> +    if (Options.MaxNumberOfRuns >= 0 && !Stop &&
> +        Env.NumRuns >= Options.MaxNumberOfRuns) {
> +      Printf("INFO: fuzzed for %zd iterations, wrapping up soon\n",
> +             Env.NumRuns);
> +      Stop = true;
> +    }
>
>      if (!Stop)
>        FuzzQ.Push(Env.CreateNewJob(JobId++));
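Review bot: the `-runs` condition is only evaluated after a job finishes and compares against the jobs already accounted in `Env.NumRuns`, while queued jobs keep running, so the total can overshoot `Options.MaxNumberOfRuns` by the budgets of the in-flight children; "wrapping up soon" hints at this, but a comment stating that -runs is a lower bound in fork mode would make it explicit. The `>= 0` guard also silently encodes the "flag not given" sentinel; a comment would be clearer than relying on the reader knowing the default. Finally, the backtrace in the reply above shows the parent in this same loop (`FuzzWithFork` at FuzzerFork.cpp:285) sleeping while llvm-symbolizer blocks in `fgets` on stdin, so a stop condition being reached does not by itself guarantee the process exits if a child is wedged during symbolization; that is worth keeping in mind when the hang is investigated.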
>
> Added: compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp
> URL:
> http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp?rev=358306&view=auto
>
> ==============================================================================
> --- compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp (added)
> +++ compiler-rt/trunk/test/fuzzer/IntegerOverflowTest.cpp Fri Apr 12
> 13:20:57 2019
> @@ -0,0 +1,17 @@
> +// Part of the LLVM Project, under the Apache License v2.0 with LLVM
> Exceptions.
> +// See https://llvm.org/LICENSE.txt for license information.
> +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
> +
> +// Simple test for a fuzzer. The fuzzer must find the string "Hi" and
> cause an
> +// integer overflow.
> +#include <cstddef>
> +#include <cstdint>
> +
> +static int Val = 1 << 30;
> +
> +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
> +  if (Size >= 2 && Data[0] == 'H' && Data[1] == 'i')
> +    Val += Val;
> +  return 0;
> +}
> +
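Review bot: `Val` is a file-scope `static int`, so after the first "Hi" input `Val += Val` has already overflowed and every later call in the same process operates on an undefined value; that is harmless here only because fork-ubsan.test builds with `-fno-sanitize-recover=signed-integer-overflow`, which aborts on the first report. A comment saying the target relies on non-recoverable UBSan would prevent surprises if the file is reused with recovery enabled. The header comment could also name the expected report (`1073741824 + 1073741824 cannot be represented in type 'int'`, which is what the test checks), tying the two new files together.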
>
> Added: compiler-rt/trunk/test/fuzzer/fork-ubsan.test
> URL:
> http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/fuzzer/fork-ubsan.test?rev=358306&view=auto
>
> ==============================================================================
> --- compiler-rt/trunk/test/fuzzer/fork-ubsan.test (added)
> +++ compiler-rt/trunk/test/fuzzer/fork-ubsan.test Fri Apr 12 13:20:57 2019
> @@ -0,0 +1,6 @@
> +# UNSUPPORTED: darwin, freebsd
> +# Tests how the fork mode works together with ubsan.
> +RUN: %cpp_compiler %S/IntegerOverflowTest.cpp -o %t-IntegerOverflowTest
> -fsanitize=signed-integer-overflow
> -fno-sanitize-recover=signed-integer-overflow
> +RUN: not %run %t-IntegerOverflowTest -fork=1 -ignore_crashes=1
> -runs=10000 2>&1 | FileCheck %s --check-prefix=UBSAN_FORK
> +UBSAN_FORK: runtime error: signed integer overflow: 1073741824 +
> 1073741824 cannot be represented in type 'int'
> +UBSAN_FORK: INFO: fuzzed for {{.*}} iterations, wrapping up soon
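Review bot: `# UNSUPPORTED: darwin, freebsd` carries no reason, so a reader cannot tell when the restriction can be lifted; a short trailing comment would fix that. The first UBSAN_FORK line also depends on the fuzzer finding "Hi" within the fixed `-runs=10000` budget; that is very likely for a two-byte magic string, but because `-ignore_crashes=1` keeps the run going, a miss would surface as a FileCheck mismatch on the overflow line rather than an obvious fuzzing failure, so a comment noting the assumption would help triage. Note as well that the hang reported in the reply above is in exactly this invocation, with llvm-symbolizer blocked reading stdin; the test sets no time bound of its own, so adding one (for example `-max_total_time`) is worth considering so a wedged child fails the test instead of hanging it.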
>
>