
The value of FUZZ_CHILD_CTRL_IN / OUT is too low.

Open · cha512 opened this issue 3 years ago · 1 comment

There was no problem fuzzing my target (instrumented using sancov) using 16 threads through the -nthreads argument, but Jackalope terminated suddenly when 32 was given as the factor.

At first, I thought the limitation of open files was the cause, but after a little debugging, I thought maybe it wasn't the cause.

1. `lldb-12 -- ./fuzzer -nthreads 32 <.....>`

```
(lldb) k
(lldb) bt
* thread #2, name = 'fuzzer', stop reason = signal SIGPIPE
  * frame #0: 0x00007ffff7f9d2cf libpthread.so.0`__libc_write at write.c:26:10
    frame #1: 0x00007ffff7f9d2b2 libpthread.so.0`__libc_write(fd=102, buf=0x000000000048b915, nbytes=1) at write.c:24
    frame #2: 0x0000000000482a48 fuzzer`SanCovInstrumentation::Run(int, char**, unsigned int, unsigned int) + 392
    frame #3: 0x0000000000454339 fuzzer`Fuzzer::RunSampleAndGetCoverage(Fuzzer::ThreadContext*, Sample*, std::__cxx11::list<ModuleCoverage, std::allocator<ModuleCoverage> >*, unsigned int, unsigned int) + 633
    frame #4: 0x0000000000454f77 fuzzer`Fuzzer::RunSample(Fuzzer::ThreadContext*, Sample*, int*, bool, bool, unsigned int, unsigned int, Sample*) + 807
    frame #5: 0x00000000004577d0 fuzzer`Fuzzer::ProcessSample(Fuzzer::ThreadContext*, Fuzzer::FuzzerJob*) + 112
    frame #6: 0x000000000045388e fuzzer`Fuzzer::RunFuzzerThread(Fuzzer::ThreadContext*) + 126
    frame #7: 0x0000000000453805 fuzzer`StartFuzzThread(void*) + 37
    frame #8: 0x00007ffff7f92609 libpthread.so.0`start_thread(arg=<unavailable>) at pthread_create.c:477:8
    frame #9: 0x00007ffff7b6b163 libc.so.6`__clone + 67
(lldb) memory read 0x000000000048b915
0x0048b915: 63 00 5b 21 5d 20 57 41 52 4e 49 4e 47 3a 20 54  c.[!] WARNING: T
0x0048b925: 61 72 67 65 74 20 66 75 6e 63 74 69 6f 6e 20 6e  arget function n
(lldb) q
```
2. `strace -f <...>`

```
<...>
[pid 111868] 21:13:39.929618 +++ killed by SIGPIPE +++
[pid 111844] 21:13:39.929988 write(101, "k", 1) = -1 EPIPE (Broken pipe)
[pid 111844] 21:13:39.930016 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=111844, si_uid=0} ---
[pid 111873] 21:13:39.930044 <... futex resumed>) = ?
[pid 111835] 21:13:39.930695 +++ exited with 0 +++
[pid 111834] 21:13:39.930911 write(101, "k", 1) = -1 EPIPE (Broken pipe)
[pid 111834] 21:13:39.930943 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=111834, si_uid=0} ---
[pid 111875] 21:13:39.930967 <... futex resumed>) = ?
[pid 111875] 21:13:39.931079 +++ killed by SIGPIPE +++
[pid 111833] 21:13:39.931258 write(101, "k", 1) = -1 EPIPE (Broken pipe)
[pid 111833] 21:13:39.931286 --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=111833, si_uid=0} ---
[pid 111876] 21:13:39.931302 <... futex resumed>) = ? <unavailable>
[pid 111876] 21:13:39.931342 +++ killed by SIGPIPE +++
[pid 111842] 21:13:39.931388 +++ killed by SIGPIPE +++
[pid 111838] 21:13:39.931429 +++ killed by SIGPIPE +++
[pid 111873] 21:13:39.931507 +++ killed by SIGPIPE +++
[pid 111844] 21:13:39.931510 +++ killed by SIGPIPE +++
[pid 111834] 21:13:39.932222 +++ killed by SIGPIPE +++
21:13:39.932565 +++ killed by SIGPIPE +++
```

While I was looking at the code, I found that the values of FUZZ_CHILD_CTRL_IN and FUZZ_CHILD_CTRL_OUT, the file descriptors used in __post_fuzz / __pre_fuzz, are quite low.

I haven't reviewed the entire code, but I think the problem was that the program could open more than 100 fds.

Therefore, I changed the values of FUZZ_CHILD_CTRL_IN and FUZZ_CHILD_CTRL_OUT to 1000 and 1001, respectively, and the problem was solved.

So, the values of FUZZ_CHILD_CTRL_IN and FUZZ_CHILD_CTRL_OUT need to be changed.

I can't think of it right now, but I think there will be a better solution than simply modifying these values to a slightly larger value than now.

cha512 avatar Mar 24 '22 14:03 cha512
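The failure mode described in this report, as an added example that is not Jackalope's code: a control pipe placed on a hard-coded descriptor number is only safe while the process holds fewer open files than that number. Once a fuzzer with many worker threads has pushed the lowest free fd past the constant, `dup2()` onto the fixed slot silently closes whatever already lives there, and the peer end of a pipe that vanished that way sees EOF or EPIPE. `FIXED_CTRL_FD = 101` is a stand-in for FUZZ_CHILD_CTRL_IN taken from the fd number in the strace above, the filler count and the floor of 200 passed to `F_DUPFD` are assumptions chosen so the scenario reproduces under a default `ulimit -n`, and the helper names are hypothetical.

```c
/* Added example (not Jackalope code): why a hard-coded control-pipe fd
 * number breaks once the process holds more open files than that number,
 * and two defensive alternatives (refuse to clobber, or let the kernel pick
 * a free fd at or above a floor). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define FIXED_CTRL_FD 101   /* hypothetical stand-in for FUZZ_CHILD_CTRL_IN */

/* Returns 1 if fd is currently open in this process, 0 if the slot is free. */
int fd_in_use(int fd) {
    return fcntl(fd, F_GETFD) != -1;
}

/* Open /dev/null `count` times to mimic a fuzzer whose worker threads each
 * hold pipes and files. Returns the number actually opened. */
int open_filler_fds(int count, int *out) {
    int n = 0;
    for (; n < count; n++) {
        out[n] = open("/dev/null", O_RDONLY);
        if (out[n] < 0) break;
    }
    return n;
}

void close_fds(int *fds, int n) {
    for (int i = 0; i < n; i++) close(fds[i]);
}

/* The fragile pattern: dup2() silently closes whatever already lives at
 * `target`. Returns target on success, -1 on error. */
int install_ctrl_fd_unchecked(int src, int target) {
    return dup2(src, target);
}

/* Checked placement: refuse to clobber a live descriptor.
 * Returns target on success, -1 with errno = EBUSY if the slot is taken. */
int install_ctrl_fd_checked(int src, int target) {
    if (fd_in_use(target)) { errno = EBUSY; return -1; }
    return dup2(src, target);
}

/* Alternative: F_DUPFD returns the lowest free fd >= floor; the parent can
 * then hand that number to the child (e.g. via the environment) instead of
 * relying on a compile-time constant. Returns the new fd or -1. */
int install_ctrl_fd_dynamic(int src, int floor) {
    return fcntl(src, F_DUPFD, floor);
}

/* Scenario 1: enough files are open that FIXED_CTRL_FD is occupied.
 * Returns 1 when the checked install refuses the slot and the dynamic
 * install lands at or above the floor, 0 otherwise, -1 on setup error. */
int demo_collision(void) {
    int filler[256], p[2];
    int n = open_filler_fds(120, filler);   /* fds 3..122 at minimum */
    if (pipe(p) < 0) { close_fds(filler, n); return -1; }
    int occupied = fd_in_use(FIXED_CTRL_FD);
    int checked  = install_ctrl_fd_checked(p[0], FIXED_CTRL_FD);
    int dynamic  = install_ctrl_fd_dynamic(p[0], 200);
    int ok = occupied && checked == -1 && errno == EBUSY && dynamic >= 200;
    if (dynamic >= 0) close(dynamic);
    close(p[0]); close(p[1]);
    close_fds(filler, n);
    return ok;
}

/* Scenario 2: the unchecked pattern applied to a slot that is the write end
 * of another pipe. After dup2() that pipe has no writer left, so a read on
 * its read end returns 0 (EOF) immediately; a writer would have seen EPIPE.
 * Returns 1 when the second pipe was broken this way, 0 otherwise. */
int demo_unchecked_clobber(void) {
    int a[2], b[2];
    char c;
    if (pipe(a) < 0 || pipe(b) < 0) return -1;
    install_ctrl_fd_unchecked(a[0], b[1]);  /* b[1] now refers to a[0] */
    ssize_t r = read(b[0], &c, 1);          /* no writer on b: EOF, no block */
    close(a[0]); close(a[1]); close(b[0]); close(b[1]);
    return r == 0;
}

int main(void) {
    printf("fixed-slot collision detected: %d\n", demo_collision());
    printf("unchecked dup2 broke the pipe: %d\n", demo_unchecked_clobber());
    return 0;
}
```

The two demos correspond to the two halves of the report: `demo_collision` is the situation with 32 threads, where the constant is below the number of descriptors the process already holds, and `demo_unchecked_clobber` is what the strace shows from the peer's side once a pipe end has been overwritten. Raising the constants, as the fix below does, widens the safe window; checking the slot or using `F_DUPFD` removes the dependence on the open-file count altogether.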

Thank you for reporting! I increased the constant values for now, but I agree this could be implemented in a better way.

ifratric avatar Mar 25 '22 10:03 ifratric