clusterfuzzlite
CFlite doesn't seem to show backtraces by default when bugs aren't reproducible
https://github.com/evverx/elfutils/runs/4541456435?check_suite_focus=true
2021-12-16T00:15:02.4107312Z INFO: Seed: 1337
2021-12-16T00:15:02.4497204Z INFO: Loaded 1 modules (15250 inline 8-bit counters): 15250 [0x7dee1b, 0x7e29ad),
2021-12-16T00:15:02.4502091Z INFO: Loaded 1 PC tables (15250 PCs): 15250 [0x747a30,0x783350),
2021-12-16T00:15:02.4510120Z INFO: 7 files found in /github/workspace/cifuzz-corpus/fuzz-dwfl-core
2021-12-16T00:15:02.4511154Z INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 249851 bytes
2021-12-16T00:15:02.4516748Z INFO: seed corpus: files: 7 min: 568b max: 249851b total: 279535b rss: 70Mb
2021-12-16T00:15:28.6084552Z 2021-12-16 00:15:28,513 - root - INFO - Fuzzer: fuzz-dwfl-core. Detected bug.
2021-12-16T00:15:28.6095082Z 2021-12-16 00:15:28,573 - root - INFO - Trying to reproduce crash using: /tmp/tmp1zc5yps3/tmp83o6vkm6.
2021-12-16T00:15:29.3282172Z 2021-12-16 00:15:29,325 - root - INFO - Reproduce command returned: 0. Not reproducible on /github/workspace/build-out/fuzz-dwfl-core.
2021-12-16T00:15:29.3303060Z 2021-12-16 00:15:29,326 - root - INFO - Crash is not reproducible.
2021-12-16T00:15:29.3436231Z 2021-12-16 00:15:29,341 - root - INFO - Deleting corpus and seed corpus of fuzz-dwfl-core to save disk.
2021-12-16T00:15:29.3456056Z 2021-12-16 00:15:29,344 - root - INFO - Deleting fuzz target: fuzz-dwfl-core.
2021-12-16T00:15:29.3475358Z 2021-12-16 00:15:29,345 - root - INFO - Done deleting.
2021-12-16T00:15:29.3488252Z 2021-12-16 00:15:29,347 - root - INFO - Fuzzer fuzz-dwfl-core finished running without reportable crashes.
2021-12-16T00:15:29.3543613Z 2021-12-16 00:15:29,353 - root - INFO - No crashes in /github/workspace/out/artifacts. Not uploading.
Looking at "report-unreproducible-crashes: false", it seems I can flip that flag to make it "reportable", but I think it would be great if backtraces were shown by default even when bugs aren't reproducible.
Based on what ./infra/helper.py --external shows, it seems to be a variation of OOM (that I think should have been handled by setting allocator_may_return_null to 1):
INFO: 8 files found in /tmp/fuzz-dwfl-core_corpus
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 249856 bytes
INFO: seed corpus: files: 8 min: 568b max: 249856b total: 529391b rss: 67Mb
==13==ERROR: MemorySanitizer: allocator is out of memory trying to allocate 0x100000fff bytes
#0 0x4d55f2 in __interceptor_calloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:880:3
#1 0x634c77 in dwfl_segment_report_module /src/elfutils/libdwfl/dwfl_segment_report_module.c:914:24
#2 0x537e1d in dwfl_core_file_report /src/elfutils/libdwfl/core-file.c:559:17
#3 0x528c7b in LLVMFuzzerTestOneInput /src/elfutils/tests/fuzz-dwfl-core.c:39:7
#4 0x456bc3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
#5 0x4563aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) cxa_noexception.cpp
#6 0x458204 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) cxa_noexception.cpp
#7 0x458439 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) cxa_noexception.cpp
#8 0x447e6f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
#9 0x470fc2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#10 0x7fa0e451c0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
DEDUP_TOKEN: __interceptor_calloc--dwfl_segment_report_module--dwfl_core_file_report
==13==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: MemorySanitizer: out-of-memory /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:880:3 in __interceptor_calloc
MS: 0 ; base unit: 0000000000000000000000000000000000000000
artifact_prefix='./'; Test unit written to ./crash-450f5fb653c17b0957ee5d9494b46fd1ae4b646d
With ./infra/helper.py run_fuzzer --external -e MSAN_OPTIONS=allocator_may_return_null=1 ~/elfutils fuzz-dwfl-core it crashes as usual.
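For reference, this is where that flag lives in a ClusterFuzzLite workflow: the run_fuzzers step of the GitHub Actions job. This is an added example, not part of the original issue or the project's own files; the action version tag, the fuzz-seconds value and the trigger are assumptions, and sanitizer: memory is chosen to match the MemorySanitizer run in the log above.

```yaml
# Added example (not from the issue): a minimal ClusterFuzzLite job whose run
# step keeps crashes that ClusterFuzzLite could not reproduce, so their
# backtraces reach the job log instead of being discarded.
# Assumed values: the @v1 tag, fuzz-seconds, and the pull_request trigger.
name: ClusterFuzzLite code-change fuzzing
on:
  pull_request:
jobs:
  fuzzing:
    runs-on: ubuntu-latest
    steps:
      - name: Build fuzzers
        id: build
        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
        with:
          language: c
          sanitizer: memory          # same sanitizer as the MSan log above
      - name: Run fuzzers
        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fuzz-seconds: 600
          mode: code-change
          sanitizer: memory
          # Default is false: a crash that does not reproduce is dropped
          # without a backtrace, which is what the log above shows
          # ("Crash is not reproducible" followed by "Deleting fuzz target").
          # true makes such crashes reportable so the stack trace is kept.
          report-unreproducible-crashes: true
```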
Will look at this when I come back from vacation.