Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

internal/fuzz: improperly handling crash that occurs while minimizing interesting input #48731

Closed
katiehockman opened this issue Oct 1, 2021 · 7 comments
Closed

internal/fuzz: improperly handling crash that occurs while minimizing interesting input #48731

katiehockman opened this issue Oct 1, 2021 · 7 comments
Labels
FrozenDueToAge fuzz Issues related to native fuzzing support NeedsFix The path to resolution is known, but the work has not been done. release-blocker
Milestone
Go1.18

Comments

@katiehockman
Copy link
Contributor

katiehockman commented Oct 1, 2021
edited

Found a very niche bug when trying things out locally. There is one case I've found where minimization doesn't occur, when it should.

To reproduce, run the target in #48320 with go test -run Fuzz -fuzz Fuzz -v. This happens consistently whenever there is something in the interesting cache and when -parallel is greater than 1.

Using the debugger, I was able to narrow it down to this scenario:
While fuzzing, an input which expands coverage is found. When minimizing said input, a new crash occurs. Currently, minimization is shut off if a crash is found during minimization
@katiehockman katiehockman added NeedsFix The path to resolution is known, but the work has not been done. release-blocker fuzz Issues related to native fuzzing support labels Oct 1, 2021
@katiehockman katiehockman added this to the Go1.18 milestone Oct 1, 2021
@katiehockman katiehockman self-assigned this Oct 1, 2021
@gopherbot
Copy link

Change https://golang.org/cl/353355 mentions this issue: testing: write output to buffer when fuzzing

@jayconrod jayconrod mentioned this issue Oct 12, 2021
Open
@katiehockman katiehockman mentioned this issue Oct 13, 2021
Closed
@gopherbot
Copy link

Change https://golang.org/cl/355691 mentions this issue: internal/fuzz: fix bugs with minimization

@katiehockman
Copy link
Contributor Author

I'm going to re-open this and have it track non-recoverable crashes that occur during minimization of interesting inputs.

Like @jayconrod says in #48163

#48731 is my main concern. We need to be able to reconstruct the entry that caused a problem, whether we're fuzzing or minimizing. Writing the entry to shared memory before every call to the fuzz target is too expensive because of the marshaling overhead, so we need to be able to rebuilt it from the input entry and some known sequence of transformations. For minimization, I think we should store the sequence of transformations in shared memory. For normal fuzzing, we already store initial RNG state and a count, and that works well enough. In any case, we do still need shared memory, but we could use a lot less of it since we don't need to store inputs there.

@katiehockman katiehockman reopened this Nov 10, 2021
@heschi
Copy link
Contributor

heschi commented Nov 24, 2021

The beta is getting close and this is currently marked as blocking the beta. Any news here?

@katiehockman
Copy link
Contributor Author

Yes I've been working on this for the past few days. I expect to send a patch next week, and will get it reviewed quickly.

If it ends up getting too close to the beta and we can't get the full fix in, I have a workaround that we can do which is a fairly small change. Will re-assess next week.

The beta won't come out until December 15 at the earliest, due to the 2 week delay, correct? Just want to make sure I understand the timeline correctly.

(For the fuzzing team - the smaller change would be to just fail minimization and use the initial input instead if a non-recoverable error occurs during minimization. This is especially fine if the reason we're minimizing is b/c we found a recoverable error. It's less great if it was during minimization of an interesting input, since that would bury a crash. But it would probably be reasonable for 1.18)

@heschi
Copy link
Contributor

heschi commented Nov 24, 2021

We're trying to get the beta done in early December -- if it's ready on Dec 1, we'll ship it then, if it's not ready until the 15th that's okay too. Earlier is better if convenient.

@gopherbot
Copy link

Change https://golang.org/cl/367848 mentions this issue: internal/fuzz: handle unrecoverable errors during minimization

@golang golang locked and limited conversation to collaborators Jun 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge fuzz Issues related to native fuzzing support NeedsFix The path to resolution is known, but the work has not been done. release-blocker
Projects
Go Security
Status: No status
Milestone
Go1.18
Development

No branches or pull requests
3 participants
@gopherbot @heschi @katiehockman