[funfuzz] jsInteresting does not deal with ASan crashes properly #25
Comments
|
The error at the following line seems to happen because m-crash.txt is not found: https://github.com/MozillaSecurity/funfuzz/blob/fmi/js/jsInteresting.py#L92 m-crash.txt is not supposed to exist because presumably there wasn't a crash dump generated, so there is no log from gdb since the ASan stack is dumped directly to stderr/out when run without jsInteresting. @jruderman, how best should we fix this? Should m-crash.txt be generated separately, or should we not look for m-crash.txt at all for ASan errors? |
|
Issues found via Valgrind on the harness might suffer from the same problem too. |
This should fix the exception in #25, but more changes are needed so we don't call grabCrashLog when we already have an ASan stack.
|
Commit above should fix the exception, but still won't do quite what we want: it will poll unnecessarily, and on Mac, may result in us having both an ASan stack and an Apple crash report. Need to do something like what domInteresting does to detect ASan output, and only look for a separate crash log if it's missing. I'll have to carefully consider how it interacts with the other if/else blocks in this function. |
nth10sd
changed the title
nth10sd
changed the title
|
Just spoke to @jruderman in-person - our current status seems to be that AppleCrashInfo is still prioritised over ASanCrashInfo for ASan crashes for some reason. |
nth10sd
changed the title
A non-ASan build crashes and jsInteresting deals with it properly:
$ ~/trees/venv-fm/bin/python -u ~/funfuzz/js/jsInteresting.py --minlevel=4 mozilla-central ~/shell-cache/js-dbg-32-prof-dm-armSim-linux-c0ba5835ca48/js-dbg-32-prof-dm-armSim-linux-c0ba5835ca48 --fuzzing-safe --no-threads testcase.js
crashInfo:
Short Signature: Assertion failure: isFunctionFrame(), at /home/ubuntu/trees/mozilla-central/js/src/vm/Stack.h:618
Class name: GDBCrashInfo
Stack trace:
Matches signature in FuzzManager:
Signature description: [@ callee]
Signature file:
m | 0.3s | 0 | fine
0
whereas:
$ ~/trees/venv-fm/bin/python -u ~/funfuzz/js/jsInteresting.py --minlevel=4 mozilla-central /home/ubuntu/shell-cache/js-dbg-64-dm-clang-asan-linux-c0ba5835ca48/js-dbg-64-dm-clang-asan-linux-c0ba5835ca48 --fuzzing-safe --no-threads testcase.js
throws the following stack:
Traceback (most recent call last):
File "/home/ubuntu/funfuzz/js/jsInteresting.py", line 297, in
main()
File "/home/ubuntu/funfuzz/js/jsInteresting.py", line 284, in main
res = ShellResult(options, options.jsengineWithArgs, tempPrefix, False)
File "/home/ubuntu/funfuzz/js/jsInteresting.py", line 92, in init
with open(logPrefix + "-crash.txt") as f:
IOError: [Errno 2] No such file or directory: 'm-crash.txt'
The text was updated successfully, but these errors were encountered: