Re: [PATCH v4 1/7] fuzz: accelerate non-crash detection
On Sun, 2021-01-10 at 11:00 -0500, Alexander Bulekov wrote: > On 210110 2110, Qiuhao Li wrote: > > On Wed, 2021-01-06 at 23:18 -0500, Alexander Bulekov wrote: > > > On 201229 1240, Qiuhao Li wrote: > > > > We spend much time waiting for the timeout program during the > > > > minimization > > > > process until it passes a time limit. This patch hacks the > > > > CLOSED > > > > (indicates > > > > the redirection file closed) notification in QTest's output if > > > > it > > > > doesn't > > > > crash. > > > > > > > > Test with quadrupled trace input at: > > > > https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 > > > > > > > > Original version: > > > > real 1m37.246s > > > > user 0m13.069s > > > > sys 0m8.399s > > > > > > > > Refined version: > > > > real 0m45.904s > > > > user 0m16.874s > > > > sys 0m10.042s > > > > > > > > Signed-off-by: Qiuhao Li > > > > --- > > > > scripts/oss-fuzz/minimize_qtest_trace.py | 41 > > > > -- > > > > -- > > > > 1 file changed, 28 insertions(+), 13 deletions(-) > > > > > > > > diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py > > > > b/scripts/oss-fuzz/minimize_qtest_trace.py > > > > index 5e405a0d5f..aa69c7963e 100755 > > > > --- a/scripts/oss-fuzz/minimize_qtest_trace.py > > > > +++ b/scripts/oss-fuzz/minimize_qtest_trace.py > > > > @@ -29,30 +29,46 @@ whether the crash occred. Optionally, > > > > manually > > > > set a string that idenitifes the > > > > crash by setting CRASH_TOKEN= > > > > """.format((sys.argv[0]))) > > > > > > > > +deduplication_note = """\n\ > > > > +Note: While trimming the input, sometimes the mutated trace > > > > triggers a different > > > > +crash output but indicates the same bug. Under this situation, > > > > our > > > > minimizer is > > > > +incapable of recognizing and stopped from removing it. In the > > > > future, we may > > > > +use a more sophisticated crash case deduplication method. > > > > +\n""" > > > > + > > > > def check_if_trace_crashes(trace, path): > > > > -global CRASH_TOKEN > > > > with open(path, "w") as tracefile: > > > > tracefile.write("".join(trace)) > > > > > > > > -rc = subprocess.Popen("timeout -s 9 {timeout}s {qemu_path} > > > > {qemu_args} 2>&1\ > > > > +proc = subprocess.Popen("timeout {timeout}s {qemu_path} > > > > {qemu_args} 2>&1\ > > > > > > Why remove the -s 9 here? I ran into a case where the minimizer > > > got > > > stuck on one iteration. Adding back "sigkill" to the timeout can > > > be a > > > safety net to catch those bad cases. > > > -Alex > > > > Hi Alex, > > > > After reviewed this patch again, I think this get-stuck bug may be > > caused by code: > > > > -return CRASH_TOKEN in output > > Hi, > Thanks for fixing this. Strangely, I was able to fix it by swapping > the b'' for a ' ' when I was stuck on a testcase a few days ago. > vvv > > +for line in iter(rc.stdout.readline, b''): > > +if "CLOSED" in line: > > +return False > > +if CRASH_TOKEN in line: > > +return True > > > > I think your proposed change essentially does the same? > -Alex Hi Alex, It looks like I misused the bytes type. Instead of b'', '' (the str type) should be used here: -for line in iter(rc.stdout.readline, b''): +for line in iter(rc.stdout.readline, ''): And you are right, if we use iter() with sentinel parameter '', it's does the same as: +if line == "": +return False But if we just fix the get-stuck bug here, we may fail the assert(check_if_trace_crashes(newtrace, outpath)) check after remove_lines() or clear_bits() since the same trace input may trigger a different output between runs. My solution is instead of using the whole second-to-last line as token, we only use the the first three words which indicate the type of crash: -CRASH_TOKEN = output.splitlines()[-2] +CRASH_TOKEN = " ".join(outs.splitlines()[-2].split()[0:3]) Example: "SUMMARY: AddressSanitizer: stack-overflow" And thus, we may a get a more trimmed input trace. > > > I assumed there are only two end cases in lines of stdout, but > > while we > > are trimming the trace input, the crash output (second-to-last > > line) > > may changes, in which case we will go through the output and fail > > to > > find "CLOSED" and CRASH_TOKEN, thus get stuck in the loop above. > > > > To fix this bug and get a more trimmed input trace, we can: > > > > Use the first three words of the second-to-last line instead of the > > whole string, which indicate the type of crash as the token. > > > > -CRASH_TOKEN = output.splitlines()[-2] > > +CRASH_TOKEN = " ".join(outs.splitlines()[-2].split()[0:3]) > > > > If we reach the end of a subprocess' output, return False. > > > > +if line == "": > > +return False > > > > I fix it in [PATCH v7 1/7] and give an example. Could you review > > again? > > Thanks :-) > >
Re: [PATCH v4 1/7] fuzz: accelerate non-crash detection
On 210110 2110, Qiuhao Li wrote: > On Wed, 2021-01-06 at 23:18 -0500, Alexander Bulekov wrote: > > On 201229 1240, Qiuhao Li wrote: > > > We spend much time waiting for the timeout program during the > > > minimization > > > process until it passes a time limit. This patch hacks the CLOSED > > > (indicates > > > the redirection file closed) notification in QTest's output if it > > > doesn't > > > crash. > > > > > > Test with quadrupled trace input at: > > > https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 > > > > > > Original version: > > > real1m37.246s > > > user0m13.069s > > > sys 0m8.399s > > > > > > Refined version: > > > real0m45.904s > > > user0m16.874s > > > sys 0m10.042s > > > > > > Signed-off-by: Qiuhao Li > > > --- > > > scripts/oss-fuzz/minimize_qtest_trace.py | 41 -- > > > -- > > > 1 file changed, 28 insertions(+), 13 deletions(-) > > > > > > diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py > > > b/scripts/oss-fuzz/minimize_qtest_trace.py > > > index 5e405a0d5f..aa69c7963e 100755 > > > --- a/scripts/oss-fuzz/minimize_qtest_trace.py > > > +++ b/scripts/oss-fuzz/minimize_qtest_trace.py > > > @@ -29,30 +29,46 @@ whether the crash occred. Optionally, manually > > > set a string that idenitifes the > > > crash by setting CRASH_TOKEN= > > > """.format((sys.argv[0]))) > > > > > > +deduplication_note = """\n\ > > > +Note: While trimming the input, sometimes the mutated trace > > > triggers a different > > > +crash output but indicates the same bug. Under this situation, our > > > minimizer is > > > +incapable of recognizing and stopped from removing it. In the > > > future, we may > > > +use a more sophisticated crash case deduplication method. > > > +\n""" > > > + > > > def check_if_trace_crashes(trace, path): > > > -global CRASH_TOKEN > > > with open(path, "w") as tracefile: > > > tracefile.write("".join(trace)) > > > > > > -rc = subprocess.Popen("timeout -s 9 {timeout}s {qemu_path} > > > {qemu_args} 2>&1\ > > > +proc = subprocess.Popen("timeout {timeout}s {qemu_path} > > > {qemu_args} 2>&1\ > > > > Why remove the -s 9 here? I ran into a case where the minimizer got > > stuck on one iteration. Adding back "sigkill" to the timeout can be a > > safety net to catch those bad cases. > > -Alex > > Hi Alex, > > After reviewed this patch again, I think this get-stuck bug may be > caused by code: > > -return CRASH_TOKEN in output Hi, Thanks for fixing this. Strangely, I was able to fix it by swapping the b'' for a ' ' when I was stuck on a testcase a few days ago. vvv > +for line in iter(rc.stdout.readline, b''): > +if "CLOSED" in line: > +return False > +if CRASH_TOKEN in line: > +return True > I think your proposed change essentially does the same? -Alex > I assumed there are only two end cases in lines of stdout, but while we > are trimming the trace input, the crash output (second-to-last line) > may changes, in which case we will go through the output and fail to > find "CLOSED" and CRASH_TOKEN, thus get stuck in the loop above. > > To fix this bug and get a more trimmed input trace, we can: > > Use the first three words of the second-to-last line instead of the > whole string, which indicate the type of crash as the token. > > -CRASH_TOKEN = output.splitlines()[-2] > +CRASH_TOKEN = " ".join(outs.splitlines()[-2].split()[0:3]) > > If we reach the end of a subprocess' output, return False. > > +if line == "": > +return False > > I fix it in [PATCH v7 1/7] and give an example. Could you review again? > Thanks :-) > > FYI, I mentioned this situation firstly in [PATCH 1/4], where I gave a > more detailed example: > > https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg05888.html > > > > > > < {trace_path}".format(timeout=TIMEOUT, > > > qemu_path=QEMU_PATH, > > > qemu_args=QEMU_ARGS, > > > trace_path=path), > > >shell=True, > > >stdin=subprocess.PIPE, > > > - stdout=subprocess.PIPE) > > > -stdo = rc.communicate()[0] > > > -output = stdo.decode('unicode_escape') > > > -if rc.returncode == 137:# Timed Out > > > -return False > > > -if len(output.splitlines()) < 2: > > > -return False > > > - > > > + stdout=subprocess.PIPE, > > > + encoding="utf-8") > > > +global CRASH_TOKEN > > > if CRASH_TOKEN is None: > > > -CRASH_TOKEN = output.splitlines()[-2] > > > +try: > > > +outs, _ = proc.communicate(timeout=5) > > > +CRASH_TOKEN = outs.splitlines()[-2] > > > +except subprocess.TimeoutExpired: > > > +print("subprocess.TimeoutExpired") > > >
Re: [PATCH v4 1/7] fuzz: accelerate non-crash detection
On Wed, 2021-01-06 at 23:18 -0500, Alexander Bulekov wrote: > On 201229 1240, Qiuhao Li wrote: > > We spend much time waiting for the timeout program during the > > minimization > > process until it passes a time limit. This patch hacks the CLOSED > > (indicates > > the redirection file closed) notification in QTest's output if it > > doesn't > > crash. > > > > Test with quadrupled trace input at: > > https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 > > > > Original version: > > real 1m37.246s > > user 0m13.069s > > sys 0m8.399s > > > > Refined version: > > real 0m45.904s > > user 0m16.874s > > sys 0m10.042s > > > > Signed-off-by: Qiuhao Li > > --- > > scripts/oss-fuzz/minimize_qtest_trace.py | 41 -- > > -- > > 1 file changed, 28 insertions(+), 13 deletions(-) > > > > diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py > > b/scripts/oss-fuzz/minimize_qtest_trace.py > > index 5e405a0d5f..aa69c7963e 100755 > > --- a/scripts/oss-fuzz/minimize_qtest_trace.py > > +++ b/scripts/oss-fuzz/minimize_qtest_trace.py > > @@ -29,30 +29,46 @@ whether the crash occred. Optionally, manually > > set a string that idenitifes the > > crash by setting CRASH_TOKEN= > > """.format((sys.argv[0]))) > > > > +deduplication_note = """\n\ > > +Note: While trimming the input, sometimes the mutated trace > > triggers a different > > +crash output but indicates the same bug. Under this situation, our > > minimizer is > > +incapable of recognizing and stopped from removing it. In the > > future, we may > > +use a more sophisticated crash case deduplication method. > > +\n""" > > + > > def check_if_trace_crashes(trace, path): > > -global CRASH_TOKEN > > with open(path, "w") as tracefile: > > tracefile.write("".join(trace)) > > > > -rc = subprocess.Popen("timeout -s 9 {timeout}s {qemu_path} > > {qemu_args} 2>&1\ > > +proc = subprocess.Popen("timeout {timeout}s {qemu_path} > > {qemu_args} 2>&1\ > > Why remove the -s 9 here? I ran into a case where the minimizer got > stuck on one iteration. Adding back "sigkill" to the timeout can be a > safety net to catch those bad cases. > -Alex Hi Alex, After reviewed this patch again, I think this get-stuck bug may be caused by code: -return CRASH_TOKEN in output +for line in iter(rc.stdout.readline, b''): +if "CLOSED" in line: +return False +if CRASH_TOKEN in line: +return True I assumed there are only two end cases in lines of stdout, but while we are trimming the trace input, the crash output (second-to-last line) may changes, in which case we will go through the output and fail to find "CLOSED" and CRASH_TOKEN, thus get stuck in the loop above. To fix this bug and get a more trimmed input trace, we can: Use the first three words of the second-to-last line instead of the whole string, which indicate the type of crash as the token. -CRASH_TOKEN = output.splitlines()[-2] +CRASH_TOKEN = " ".join(outs.splitlines()[-2].split()[0:3]) If we reach the end of a subprocess' output, return False. +if line == "": +return False I fix it in [PATCH v7 1/7] and give an example. Could you review again? Thanks :-) FYI, I mentioned this situation firstly in [PATCH 1/4], where I gave a more detailed example: https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg05888.html > > > < {trace_path}".format(timeout=TIMEOUT, > > qemu_path=QEMU_PATH, > > qemu_args=QEMU_ARGS, > > trace_path=path), > >shell=True, > >stdin=subprocess.PIPE, > > - stdout=subprocess.PIPE) > > -stdo = rc.communicate()[0] > > -output = stdo.decode('unicode_escape') > > -if rc.returncode == 137:# Timed Out > > -return False > > -if len(output.splitlines()) < 2: > > -return False > > - > > + stdout=subprocess.PIPE, > > + encoding="utf-8") > > +global CRASH_TOKEN > > if CRASH_TOKEN is None: > > -CRASH_TOKEN = output.splitlines()[-2] > > +try: > > +outs, _ = proc.communicate(timeout=5) > > +CRASH_TOKEN = outs.splitlines()[-2] > > +except subprocess.TimeoutExpired: > > +print("subprocess.TimeoutExpired") > > +return False > > +print("Identifying Crashes by this string: > > {}".format(CRASH_TOKEN)) > > +global deduplication_note > > +print(deduplication_note) > > +return True > > > > -return CRASH_TOKEN in output > > +for line in iter(proc.stdout.readline, b''): > > +if "CLOSED" in line: > > +return False > > +if CRASH_TOKEN in line: > > +return True > > + > > +return False > > > > > > def minimize_trace(inpath, outpath): > >
Re: [PATCH v4 1/7] fuzz: accelerate non-crash detection
On Wed, 2021-01-06 at 23:18 -0500, Alexander Bulekov wrote: > On 201229 1240, Qiuhao Li wrote: > > We spend much time waiting for the timeout program during the > > minimization > > process until it passes a time limit. This patch hacks the CLOSED > > (indicates > > the redirection file closed) notification in QTest's output if it > > doesn't > > crash. > > > > Test with quadrupled trace input at: > > https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 > > > > Original version: > > real 1m37.246s > > user 0m13.069s > > sys 0m8.399s > > > > Refined version: > > real 0m45.904s > > user 0m16.874s > > sys 0m10.042s > > > > Signed-off-by: Qiuhao Li > > --- > > scripts/oss-fuzz/minimize_qtest_trace.py | 41 -- > > -- > > 1 file changed, 28 insertions(+), 13 deletions(-) > > > > diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py > > b/scripts/oss-fuzz/minimize_qtest_trace.py > > index 5e405a0d5f..aa69c7963e 100755 > > --- a/scripts/oss-fuzz/minimize_qtest_trace.py > > +++ b/scripts/oss-fuzz/minimize_qtest_trace.py > > @@ -29,30 +29,46 @@ whether the crash occred. Optionally, manually > > set a string that idenitifes the > > crash by setting CRASH_TOKEN= > > """.format((sys.argv[0]))) > > > > +deduplication_note = """\n\ > > +Note: While trimming the input, sometimes the mutated trace > > triggers a different > > +crash output but indicates the same bug. Under this situation, our > > minimizer is > > +incapable of recognizing and stopped from removing it. In the > > future, we may > > +use a more sophisticated crash case deduplication method. > > +\n""" > > + > > def check_if_trace_crashes(trace, path): > > -global CRASH_TOKEN > > with open(path, "w") as tracefile: > > tracefile.write("".join(trace)) > > > > -rc = subprocess.Popen("timeout -s 9 {timeout}s {qemu_path} > > {qemu_args} 2>&1\ > > +proc = subprocess.Popen("timeout {timeout}s {qemu_path} > > {qemu_args} 2>&1\ > > Why remove the -s 9 here? I ran into a case where the minimizer got > stuck on one iteration. Adding back "sigkill" to the timeout can be a > safety net to catch those bad cases. > -Alex Oops, I thought SIGKILL is the default signal timeout will send. Fixed in version 5, thanks. > > > < {trace_path}".format(timeout=TIMEOUT, > > qemu_path=QEMU_PATH, > > qemu_args=QEMU_ARGS, > > trace_path=path), > >shell=True, > >stdin=subprocess.PIPE, > > - stdout=subprocess.PIPE) > > -stdo = rc.communicate()[0] > > -output = stdo.decode('unicode_escape') > > -if rc.returncode == 137:# Timed Out > > -return False > > -if len(output.splitlines()) < 2: > > -return False > > - > > + stdout=subprocess.PIPE, > > + encoding="utf-8") > > +global CRASH_TOKEN > > if CRASH_TOKEN is None: > > -CRASH_TOKEN = output.splitlines()[-2] > > +try: > > +outs, _ = proc.communicate(timeout=5) > > +CRASH_TOKEN = outs.splitlines()[-2] > > +except subprocess.TimeoutExpired: > > +print("subprocess.TimeoutExpired") > > +return False > > +print("Identifying Crashes by this string: > > {}".format(CRASH_TOKEN)) > > +global deduplication_note > > +print(deduplication_note) > > +return True > > > > -return CRASH_TOKEN in output > > +for line in iter(proc.stdout.readline, b''): > > +if "CLOSED" in line: > > +return False > > +if CRASH_TOKEN in line: > > +return True > > + > > +return False > > > > > > def minimize_trace(inpath, outpath): > > @@ -66,7 +82,6 @@ def minimize_trace(inpath, outpath): > > print("Crashed in {} seconds".format(end-start)) > > TIMEOUT = (end-start)*5 > > print("Setting the timeout for {} seconds".format(TIMEOUT)) > > -print("Identifying Crashes by this string: > > {}".format(CRASH_TOKEN)) > > > > i = 0 > > newtrace = trace[:] > > -- > > 2.25.1 > >
Re: [PATCH v4 1/7] fuzz: accelerate non-crash detection
On 201229 1240, Qiuhao Li wrote: > We spend much time waiting for the timeout program during the minimization > process until it passes a time limit. This patch hacks the CLOSED (indicates > the redirection file closed) notification in QTest's output if it doesn't > crash. > > Test with quadrupled trace input at: > https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 > > Original version: > real1m37.246s > user0m13.069s > sys 0m8.399s > > Refined version: > real0m45.904s > user0m16.874s > sys 0m10.042s > > Signed-off-by: Qiuhao Li > --- > scripts/oss-fuzz/minimize_qtest_trace.py | 41 > 1 file changed, 28 insertions(+), 13 deletions(-) > > diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py > b/scripts/oss-fuzz/minimize_qtest_trace.py > index 5e405a0d5f..aa69c7963e 100755 > --- a/scripts/oss-fuzz/minimize_qtest_trace.py > +++ b/scripts/oss-fuzz/minimize_qtest_trace.py > @@ -29,30 +29,46 @@ whether the crash occred. Optionally, manually set a > string that idenitifes the > crash by setting CRASH_TOKEN= > """.format((sys.argv[0]))) > > +deduplication_note = """\n\ > +Note: While trimming the input, sometimes the mutated trace triggers a > different > +crash output but indicates the same bug. Under this situation, our minimizer > is > +incapable of recognizing and stopped from removing it. In the future, we may > +use a more sophisticated crash case deduplication method. > +\n""" > + > def check_if_trace_crashes(trace, path): > -global CRASH_TOKEN > with open(path, "w") as tracefile: > tracefile.write("".join(trace)) > > -rc = subprocess.Popen("timeout -s 9 {timeout}s {qemu_path} {qemu_args} > 2>&1\ > +proc = subprocess.Popen("timeout {timeout}s {qemu_path} {qemu_args} 2>&1\ Why remove the -s 9 here? I ran into a case where the minimizer got stuck on one iteration. Adding back "sigkill" to the timeout can be a safety net to catch those bad cases. -Alex > < {trace_path}".format(timeout=TIMEOUT, > qemu_path=QEMU_PATH, > qemu_args=QEMU_ARGS, > trace_path=path), >shell=True, >stdin=subprocess.PIPE, > - stdout=subprocess.PIPE) > -stdo = rc.communicate()[0] > -output = stdo.decode('unicode_escape') > -if rc.returncode == 137:# Timed Out > -return False > -if len(output.splitlines()) < 2: > -return False > - > + stdout=subprocess.PIPE, > + encoding="utf-8") > +global CRASH_TOKEN > if CRASH_TOKEN is None: > -CRASH_TOKEN = output.splitlines()[-2] > +try: > +outs, _ = proc.communicate(timeout=5) > +CRASH_TOKEN = outs.splitlines()[-2] > +except subprocess.TimeoutExpired: > +print("subprocess.TimeoutExpired") > +return False > +print("Identifying Crashes by this string: {}".format(CRASH_TOKEN)) > +global deduplication_note > +print(deduplication_note) > +return True > > -return CRASH_TOKEN in output > +for line in iter(proc.stdout.readline, b''): > +if "CLOSED" in line: > +return False > +if CRASH_TOKEN in line: > +return True > + > +return False > > > def minimize_trace(inpath, outpath): > @@ -66,7 +82,6 @@ def minimize_trace(inpath, outpath): > print("Crashed in {} seconds".format(end-start)) > TIMEOUT = (end-start)*5 > print("Setting the timeout for {} seconds".format(TIMEOUT)) > -print("Identifying Crashes by this string: {}".format(CRASH_TOKEN)) > > i = 0 > newtrace = trace[:] > -- > 2.25.1 >
Re: [PATCH v4 1/7] fuzz: accelerate non-crash detection
On 201229 1240, Qiuhao Li wrote: > We spend much time waiting for the timeout program during the minimization > process until it passes a time limit. This patch hacks the CLOSED (indicates > the redirection file closed) notification in QTest's output if it doesn't > crash. > > Test with quadrupled trace input at: > https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 > > Original version: > real1m37.246s > user0m13.069s > sys 0m8.399s > > Refined version: > real0m45.904s > user0m16.874s > sys 0m10.042s > > Signed-off-by: Qiuhao Li This makes a huge difference, thanks! Maybe there is some edge-case where the crash happens after "CLOSED" (e.g. a timer fires after the last command), but I haven't found such an example among existing reproducers. Reviewed-by: Alexander Bulekov > --- > scripts/oss-fuzz/minimize_qtest_trace.py | 41 > 1 file changed, 28 insertions(+), 13 deletions(-) > > diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py > b/scripts/oss-fuzz/minimize_qtest_trace.py > index 5e405a0d5f..aa69c7963e 100755 > --- a/scripts/oss-fuzz/minimize_qtest_trace.py > +++ b/scripts/oss-fuzz/minimize_qtest_trace.py > @@ -29,30 +29,46 @@ whether the crash occred. Optionally, manually set a > string that idenitifes the > crash by setting CRASH_TOKEN= > """.format((sys.argv[0]))) > > +deduplication_note = """\n\ > +Note: While trimming the input, sometimes the mutated trace triggers a > different > +crash output but indicates the same bug. Under this situation, our minimizer > is > +incapable of recognizing and stopped from removing it. In the future, we may > +use a more sophisticated crash case deduplication method. > +\n""" > + > def check_if_trace_crashes(trace, path): > -global CRASH_TOKEN > with open(path, "w") as tracefile: > tracefile.write("".join(trace)) > > -rc = subprocess.Popen("timeout -s 9 {timeout}s {qemu_path} {qemu_args} > 2>&1\ > +proc = subprocess.Popen("timeout {timeout}s {qemu_path} {qemu_args} 2>&1\ > < {trace_path}".format(timeout=TIMEOUT, > qemu_path=QEMU_PATH, > qemu_args=QEMU_ARGS, > trace_path=path), >shell=True, >stdin=subprocess.PIPE, > - stdout=subprocess.PIPE) > -stdo = rc.communicate()[0] > -output = stdo.decode('unicode_escape') > -if rc.returncode == 137:# Timed Out > -return False > -if len(output.splitlines()) < 2: > -return False > - > + stdout=subprocess.PIPE, > + encoding="utf-8") > +global CRASH_TOKEN > if CRASH_TOKEN is None: > -CRASH_TOKEN = output.splitlines()[-2] > +try: > +outs, _ = proc.communicate(timeout=5) > +CRASH_TOKEN = outs.splitlines()[-2] > +except subprocess.TimeoutExpired: > +print("subprocess.TimeoutExpired") > +return False > +print("Identifying Crashes by this string: {}".format(CRASH_TOKEN)) > +global deduplication_note > +print(deduplication_note) > +return True > > -return CRASH_TOKEN in output > +for line in iter(proc.stdout.readline, b''): > +if "CLOSED" in line: > +return False > +if CRASH_TOKEN in line: > +return True > + > +return False > > > def minimize_trace(inpath, outpath): > @@ -66,7 +82,6 @@ def minimize_trace(inpath, outpath): > print("Crashed in {} seconds".format(end-start)) > TIMEOUT = (end-start)*5 > print("Setting the timeout for {} seconds".format(TIMEOUT)) > -print("Identifying Crashes by this string: {}".format(CRASH_TOKEN)) > > i = 0 > newtrace = trace[:] > -- > 2.25.1 >
[PATCH v4 1/7] fuzz: accelerate non-crash detection
We spend much time waiting for the timeout program during the minimization process until it passes a time limit. This patch hacks the CLOSED (indicates the redirection file closed) notification in QTest's output if it doesn't crash. Test with quadrupled trace input at: https://bugs.launchpad.net/qemu/+bug/1890333/comments/1 Original version: real 1m37.246s user 0m13.069s sys 0m8.399s Refined version: real 0m45.904s user 0m16.874s sys 0m10.042s Signed-off-by: Qiuhao Li --- scripts/oss-fuzz/minimize_qtest_trace.py | 41 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py index 5e405a0d5f..aa69c7963e 100755 --- a/scripts/oss-fuzz/minimize_qtest_trace.py +++ b/scripts/oss-fuzz/minimize_qtest_trace.py @@ -29,30 +29,46 @@ whether the crash occred. Optionally, manually set a string that idenitifes the crash by setting CRASH_TOKEN= """.format((sys.argv[0]))) +deduplication_note = """\n\ +Note: While trimming the input, sometimes the mutated trace triggers a different +crash output but indicates the same bug. Under this situation, our minimizer is +incapable of recognizing and stopped from removing it. In the future, we may +use a more sophisticated crash case deduplication method. +\n""" + def check_if_trace_crashes(trace, path): -global CRASH_TOKEN with open(path, "w") as tracefile: tracefile.write("".join(trace)) -rc = subprocess.Popen("timeout -s 9 {timeout}s {qemu_path} {qemu_args} 2>&1\ +proc = subprocess.Popen("timeout {timeout}s {qemu_path} {qemu_args} 2>&1\ < {trace_path}".format(timeout=TIMEOUT, qemu_path=QEMU_PATH, qemu_args=QEMU_ARGS, trace_path=path), shell=True, stdin=subprocess.PIPE, - stdout=subprocess.PIPE) -stdo = rc.communicate()[0] -output = stdo.decode('unicode_escape') -if rc.returncode == 137:# Timed Out -return False -if len(output.splitlines()) < 2: -return False - + stdout=subprocess.PIPE, + encoding="utf-8") +global CRASH_TOKEN if CRASH_TOKEN is None: -CRASH_TOKEN = output.splitlines()[-2] +try: +outs, _ = proc.communicate(timeout=5) +CRASH_TOKEN = outs.splitlines()[-2] +except subprocess.TimeoutExpired: +print("subprocess.TimeoutExpired") +return False +print("Identifying Crashes by this string: {}".format(CRASH_TOKEN)) +global deduplication_note +print(deduplication_note) +return True -return CRASH_TOKEN in output +for line in iter(proc.stdout.readline, b''): +if "CLOSED" in line: +return False +if CRASH_TOKEN in line: +return True + +return False def minimize_trace(inpath, outpath): @@ -66,7 +82,6 @@ def minimize_trace(inpath, outpath): print("Crashed in {} seconds".format(end-start)) TIMEOUT = (end-start)*5 print("Setting the timeout for {} seconds".format(TIMEOUT)) -print("Identifying Crashes by this string: {}".format(CRASH_TOKEN)) i = 0 newtrace = trace[:] -- 2.25.1