-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[xs] Disable stack-use-after-return detection #8923
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
How did you figure this out btw? |
I've been working on improving this fuzzer. After running some local tests on seed corpus, I noticed nothing seemed to have an effect on fuzzer progress -- running for a long time would not show any new functions or paths. Also, producing coverage reports showed areas in code that should be covered by the seed corpus, but were reported uncovered (also the case on oss-fuzz's reports). When I ran the helper shell command and ran manually it seemed to work fine. At first I thought it might be an issue with linking/portability, since shell runs the project container but other commands run the target on base-runner containers, but we don't really use any 3rd-party libs that need to be statically linked. Eventually I ran with manually As an aside, another possibility I explored was that a clash between the default |
The `detect_stack_use_after_return=1` option in `ASAN_OPTIONS` set by the runner seemed to cause the fuzzer to not pick up any coverage. Setting `detect_stack_use_after_return=0` fixed it -- local runs picked up coverage with seed corpus, and even a couple crashes.
7f2cb59
to
95e952e
Compare
Should we move to an issue to track, and merge the option in the meanwhile? I'm concerned the fuzzer is not picking up any coverage feedback and/or crashes. |
Weird but the output you posted doesn't have a crash and there shouldn't be prof files because this isn't a coverage build. |
I meant the coverage builds separately, source coverage reports did not look like expected. It turned out the source coverage instrumentation and the fuzzer instrumentation weren't working for different reasons. As for the crash, it was fixed since it was a fuzzer issue. |
The
detect_stack_use_after_return=1
option inASAN_OPTIONS
set by the runner seemed to cause the fuzzer to not pick up any coverage.I'm not quite sure why this happens. Any guidance would be appreciated. The fuzzer seems stuck with this flag set:
python infra/helper.py run_fuzzer --corpus-dir ../corpus_xst_json/ xs xst_jsonparse -- seed=1
However disabling it seems to make progress, with the same command (note same seed and corpus). After rebuilding image with
detect_stack_use_after_return
disabled:python infra/helper.py run_fuzzer --corpus-dir ../corpus_xst_json/ xs xst_jsonparse -- seed=1
Setting
detect_stack_use_after_return=0
fixed it -- local runs picked up coverage with seed corpus, and even a couple of crashes. Until I work around this it would be preferable to gain some coverage, even if we don't detectstack-use-after-return
for now.