[libFuzzer] Fix minimizing timeouts

iii-i · iii-i · commit 9df7ee34e1b5 · 2020-08-11T22:16:12.000+02:00
When one tries to minimize timeouts using -minimize_crash=1, minimization immediately fails. The following sequence of events is responsible for this: [parent] SIGALRM occurs [parent] read() returns -EINTR (or -ERESTARTSYS according to strace) [parent] fgets() returns NULL [parent] ExecuteCommand() closes child's stdout and returns [child ] SIGALRM occurs [child ] AlarmCallback() attempts to write "ALARM: ..." to stdout [child ] Dies with SIGPIPE without calling DumpCurrentUnit() [parent] Does not see -exact_artifact_path and exits When minimizing, the timer in parent is not necessary, so fix by not setting it in this case. Reviewed By: morehouse Differential Revision: https://reviews.llvm.org/D85359
diff --git a/compiler-rt/lib/fuzzer/FuzzerDriver.cpp b/compiler-rt/lib/fuzzer/FuzzerDriver.cpp
@@ -767,6 +767,7 @@ int FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
 #endif // LIBFUZZER_EMSCRIPTEN
 
   Options.HandleAbrt = Flags.handle_abrt;
+  Options.HandleAlrm = !Flags.minimize_crash;
   Options.HandleBus = Flags.handle_bus;
   Options.HandleFpe = Flags.handle_fpe;
   Options.HandleIll = Flags.handle_ill;
diff --git a/compiler-rt/lib/fuzzer/FuzzerOptions.h b/compiler-rt/lib/fuzzer/FuzzerOptions.h
@@ -69,6 +69,7 @@ struct FuzzingOptions {
   int PurgeAllocatorIntervalSec = 1;
   int  TraceMalloc = 0;
   bool HandleAbrt = false;
+  bool HandleAlrm = false;
   bool HandleBus = false;
   bool HandleFpe = false;
   bool HandleIll = false;
diff --git a/compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp b/compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp
@@ -354,7 +354,7 @@ void SetSignalHandler(const FuzzingOptions &Options) {
   Printf("%s", Buf);
 
   // Set up alarm handler if needed.
-  if (Options.UnitTimeoutSec > 0) {
+  if (Options.HandleAlrm && Options.UnitTimeoutSec > 0) {
     std::thread T(AlarmHandler, Options.UnitTimeoutSec / 2 + 1);
     T.detach();
   }
diff --git a/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp b/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp
@@ -113,7 +113,7 @@ void SetTimer(int Seconds) {
 
 void SetSignalHandler(const FuzzingOptions& Options) {
   // setitimer is not implemented in emscripten.
-  if (Options.UnitTimeoutSec > 0 && !LIBFUZZER_EMSCRIPTEN)
+  if (Options.HandleAlrm && Options.UnitTimeoutSec > 0 && !LIBFUZZER_EMSCRIPTEN)
     SetTimer(Options.UnitTimeoutSec / 2 + 1);
   if (Options.HandleInt)
     SetSigaction(SIGINT, InterruptHandler);
diff --git a/compiler-rt/lib/fuzzer/FuzzerUtilWindows.cpp b/compiler-rt/lib/fuzzer/FuzzerUtilWindows.cpp
@@ -115,7 +115,7 @@ static void CrashHandler(int) { Fuzzer::StaticCrashSignalCallback(); }
 void SetSignalHandler(const FuzzingOptions& Options) {
   HandlerOpt = &Options;
 
-  if (Options.UnitTimeoutSec > 0)
+  if (Options.HandleAlrm && Options.UnitTimeoutSec > 0)
     Timer.SetTimer(Options.UnitTimeoutSec / 2 + 1);
 
   if (Options.HandleInt || Options.HandleTerm)
diff --git a/compiler-rt/test/fuzzer/minimize_timeout.test b/compiler-rt/test/fuzzer/minimize_timeout.test
@@ -0,0 +1,6 @@
+RUN: %cpp_compiler %S/TimeoutTest.cpp -o %t-TimeoutTest
+RUN: mkdir -p %t.dir
+
+RUN: echo 'Hi!?' > %t.dir/not_minimal_timeout
+RUN: %run %t-TimeoutTest -minimize_crash=1 %t.dir/not_minimal_timeout -timeout=1 -max_total_time=3 2>&1 | FileCheck %s
+CHECK: CRASH_MIN: failed to minimize beyond {{.*}}minimized-from{{.*}} (3 bytes), exiting

Original file line number	Diff line number	Diff line change
`@@ -354,7 +354,7 @@ void SetSignalHandler(const FuzzingOptions &Options) {`
`354`	`354`	`Printf("%s", Buf);`
`355`	`355`
`356`	`356`	`// Set up alarm handler if needed.`
`357`		`- if (Options.UnitTimeoutSec > 0) {`
	`357`	`+ if (Options.HandleAlrm && Options.UnitTimeoutSec > 0) {`
`358`	`358`	`std::thread T(AlarmHandler, Options.UnitTimeoutSec / 2 + 1);`
`359`	`359`	`T.detach();`
`360`	`360`	`}`