[PULL 04/15] fuzz: accelerate non-crash detection

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Thomas Huth <thuth@redhat.com>
To: qemu-devel@nongnu.org, Peter Maydell <peter.maydell@linaro.org>
Cc: Alexander Bulekov <alxndr@bu.edu>, Warner Losh <imp@freebsd.org>,
	Qiuhao Li <Qiuhao.Li@outlook.com>
Subject: [PULL 04/15] fuzz: accelerate non-crash detection
Date: Mon, 11 Jan 2021 14:43:17 +0100	[thread overview]
Message-ID: <20210111134328.157775-5-thuth@redhat.com> (raw)
In-Reply-To: <20210111134328.157775-1-thuth@redhat.com>

From: Qiuhao Li <Qiuhao.Li@outlook.com>

We spend much time waiting for the timeout program during the minimization
process until it passes a time limit. This patch hacks the CLOSED (indicates
the redirection file closed) notification in QTest's output if it doesn't
crash.

Test with quadrupled trace input at:
  https://bugs.launchpad.net/qemu/+bug/1890333/comments/1

Original version:
  real	1m37.246s
  user	0m13.069s
  sys	0m8.399s

Refined version:
  real	0m45.904s
  user	0m16.874s
  sys	0m10.042s

Note:

Sometimes the mutated or the same trace may trigger a different crash
summary (second-to-last line) but indicates the same bug. For example, Bug
1910826 [1], which will trigger a stack overflow, may output summaries
like:

SUMMARY: AddressSanitizer: stack-overflow
/home/qiuhao/hack/qemu/build/../softmmu/physmem.c:488 in
flatview_do_translate

or

SUMMARY: AddressSanitizer: stack-overflow
(/home/qiuhao/hack/qemu/build/qemu-system-i386+0x27ca049) in __asan_memcpy

Etc.

If we use the whole summary line as the token, we may be prevented from
further minimization. So in this patch, we only use the first three words
which indicate the type of crash:

SUMMARY: AddressSanitizer: stack-overflow

[1] https://bugs.launchpad.net/qemu/+bug/1910826

Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <SYCPR01MB350251DC04003450348FAF68FCAB0@SYCPR01MB3502.ausprd01.prod.outlook.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 44 +++++++++++++++++-------
 1 file changed, 31 insertions(+), 13 deletions(-)

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py
index 5e405a0d5f..a28913a2a7 100755
--- a/scripts/oss-fuzz/minimize_qtest_trace.py
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -29,8 +29,14 @@ whether the crash occred. Optionally, manually set a string that idenitifes the
 crash by setting CRASH_TOKEN=
 """.format((sys.argv[0])))
 
+deduplication_note = """\n\
+Note: While trimming the input, sometimes the mutated trace triggers a different
+type crash but indicates the same bug. Under this situation, our minimizer is
+incapable of recognizing and stopped from removing it. In the future, we may
+use a more sophisticated crash case deduplication method.
+\n"""
+
 def check_if_trace_crashes(trace, path):
-    global CRASH_TOKEN
     with open(path, "w") as tracefile:
         tracefile.write("".join(trace))
 
@@ -41,18 +47,31 @@ def check_if_trace_crashes(trace, path):
                            trace_path=path),
                           shell=True,
                           stdin=subprocess.PIPE,
-                          stdout=subprocess.PIPE)
-    stdo = rc.communicate()[0]
-    output = stdo.decode('unicode_escape')
-    if rc.returncode == 137:    # Timed Out
-        return False
-    if len(output.splitlines()) < 2:
-        return False
-
+                          stdout=subprocess.PIPE,
+                          encoding="utf-8")
+    global CRASH_TOKEN
     if CRASH_TOKEN is None:
-        CRASH_TOKEN = output.splitlines()[-2]
-
-    return CRASH_TOKEN in output
+        try:
+            outs, _ = rc.communicate(timeout=5)
+            CRASH_TOKEN = " ".join(outs.splitlines()[-2].split()[0:3])
+        except subprocess.TimeoutExpired:
+            print("subprocess.TimeoutExpired")
+            return False
+        print("Identifying Crashes by this string: {}".format(CRASH_TOKEN))
+        global deduplication_note
+        print(deduplication_note)
+        return True
+
+    for line in iter(rc.stdout.readline, ""):
+        if "CLOSED" in line:
+            return False
+        if CRASH_TOKEN in line:
+            return True
+
+    print("\nWarning:")
+    print("  There is no 'CLOSED'or CRASH_TOKEN in the stdout of subprocess.")
+    print("  Usually this indicates a different type of crash.\n")
+    return False
 
 
 def minimize_trace(inpath, outpath):
@@ -66,7 +85,6 @@ def minimize_trace(inpath, outpath):
     print("Crashed in {} seconds".format(end-start))
     TIMEOUT = (end-start)*5
     print("Setting the timeout for {} seconds".format(TIMEOUT))
-    print("Identifying Crashes by this string: {}".format(CRASH_TOKEN))
 
     i = 0
     newtrace = trace[:]
-- 
2.27.0

next prev parent reply	other threads:[~2021-01-11 13:51 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-11 13:43 [PULL 00/15] Testing, CI and bsd-user patches Thomas Huth
2021-01-11 13:43 ` [PULL 01/15] gitlab-ci.yml: Add openSUSE Leap 15.2 for gitlab CI/CD Thomas Huth
2021-01-11 13:43 ` [PULL 02/15] qtest/libqtest: fix heap-buffer-overflow in qtest_cb_for_every_machine() Thomas Huth
2021-01-11 13:43 ` [PULL 03/15] util/oslib-win32: Fix _aligned_malloc() arguments order Thomas Huth
2021-01-11 13:43 ` Thomas Huth [this message]
2021-01-11 13:43 ` [PULL 05/15] fuzz: double the IOs to remove for every loop Thomas Huth
2021-01-11 13:43 ` [PULL 06/15] fuzz: split write operand using binary approach Thomas Huth
2021-01-11 13:43 ` [PULL 07/15] fuzz: remove IO commands iteratively Thomas Huth
2021-01-11 13:43 ` [PULL 08/15] fuzz: set bits in operand of write/out to zero Thomas Huth
2021-01-11 13:43 ` [PULL 09/15] fuzz: add minimization options Thomas Huth
2021-01-11 13:43 ` [PULL 10/15] fuzz: heuristic split write based on past IOs Thomas Huth
2021-01-11 13:43 ` [PULL 11/15] bsd-user: regenerate FreeBSD's system call numbers Thomas Huth
2021-01-11 13:43 ` [PULL 12/15] bsd-user: move strace OS/arch dependent code to host/arch dirs Thomas Huth
2021-01-11 13:43 ` [PULL 13/15] bsd-user: Update strace.list for FreeBSD's latest syscalls Thomas Huth
2021-01-11 13:43 ` [PULL 14/15] tests/acceptance: Fix race conditions in s390x tests & skip fedora on gitlab-CI Thomas Huth
2021-01-11 13:43 ` [PULL 15/15] fuzz: map all BARs and enable PCI devices Thomas Huth
2021-01-11 13:46 ` [PULL 00/15] Testing, CI and bsd-user patches Peter Maydell
2021-01-11 13:56   ` Thomas Huth

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5e405a0d5 dfblob:a28913a2a )
 OR (
bs:"[PULL 04/15] fuzz: accelerate non-crash detection" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210111134328.157775-5-thuth@redhat.com \
    --to=thuth@redhat.com \
    --cc=Qiuhao.Li@outlook.com \
    --cc=alxndr@bu.edu \
    --cc=imp@freebsd.org \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).