fuzz-introspector: the reachability analysis can be misleading if gold/LTO flags aren't passed properly #7593
Comments
That was easy. It's 19 / 24 * 100 |
|
1238 = functions with coverage from the coverage reports
|
|
I wonder if something different happened here: if the core was compiled without LTO and thus not included in the analysis, this kind of matches the issues with meson, i.e. that gold was actually never used? Looking at the calltree, there's no depth to any of the calls, so there is a ton of content missing, which should be analysable I don't see a reason e.g. Searching for a given systemd function in the functino table (https://storage.googleapis.com/oss-fuzz-introspector/systemd/inspector-report/20220419/fuzz_report.html#Project-functions-overview) e.g. hashmap_put_stats_by_path I am unable to find it (https://github.com/systemd/systemd/blob/492f9e74ff2b7b07d0999a7241c16ed5e767fdeb/src/shared/conf-parser.c#L447), which confirms the reasoning of fuzz-introspector not running on the given code. (Logs would help here tbh and I have an issue open on fuzz-introspector for this ossf/fuzz-introspector#176) |
|
@DavidKorczynski I think systemd was probably built without lto and I suspect gold wasn't used there either so I'd put the question on hold until systemd is built properly. I have another question though. Why was it built and reported in the first place? I think fuzz-introspector should have failed to somehow signal that it simply can't handle that. |
Could you clarify a bit? What is it that it should have detected? |
|
What I was trying to say is that for example |
|
The build worked in that there no compilation issues. And fuzz-introspector did analyse a lot of functions in that 4800 functions are included in the report. So from a fuzz-introspector perspective the process went well -- I don't think it makes sense to include heuristics in fuzz-introspector about whether it "analysed the right code". It also seems that some fuzzers has more accurate data? https://storage.googleapis.com/oss-fuzz-introspector/systemd/inspector-report/20220419/fuzz_report.html#Fuzzer:-fuzz-journald-kmsg In essence this is similar in analogy to builds working finely if some code is sanitized despite there potentially not being a lot of code sanitized -- building will still work. What makes sense from my perspective here is to include a warning in the introspector report if there is a discrepancy between covered functions and reachable warnings. Another option could be to check if there are functions that are included in the coverage reports but not in the introspector static analysis component -- then we could also show a warning as it's likely the coverage reports and the fuzz-introspector static analysis component were compiled in different ways (i.e. not all fuzz-introspector static analysis were used for all code that received coverage) |
I have to admit I'm not sure what exactly it analyzed given that neither LTO nor gold was used.
I don't think it will. There are thresholds in the build check that prevent "bogus" fuzz targets from being ever run.
This can't be automated unfortunately. Waiting for warnings to pop up on OSS-Fuzz somewhere can't help me to catch for example meson regressions when it's updated by Dependabot on GitHub and the CI tries to make sure that it doesn't break anything. |
Doing some quick analysis on the report I could extract around 370 files (give or take -- it was a bit ad hoc scripting). that were analysed from the folders:
I think the threshold is 50 edges or something if I remember correctly, so arguable it has some but certainly doesn't ensure all code that should be sanitized is indeed sanitized.
Got it, I get where the question is coming from now. I think both should be added then -- for the visuals if a discrepancy happens and also something that can be used in the CI. I think it makes sense to deploy something similar to the minimum check that OSS-Fuzz does, i.e. we could deploy a check that looks at whether ~50 basic blocks (or whichever number OSS-Fuzz uses) are involved in the graph and if not provide an exit code that the CI can use. With that said, if you're considering this to be used in the OSS-Fuzz CI then I'm not sure if/when OSS-Fuzz will use a fuzz-introspector check in its CI -- @Navidem may have some input here. |
|
As far as I understand install -Dt "$OUT/src/shared/" \
"$build"/src/shared/libsystemd-shared-*.so \
"$build"/src/core/libsystemd-core-*.sosomehow confuse fuzz-introspector. |
|
FWIW it confuses CIFuzz as well: #7011 |
oliverchang
changed the title
|
@oliverchang on April 13 both |
Display visual warning in the event that covered funtions (at runtime, from coverage analysis) is larger than the functions deemed reachable by the static analysis component. We could insert more warnings other places, i.e. start to enforce a "certainty of analysis" for each analysis. Ref: google/oss-fuzz#7593
Display visual warning in the event that covered funtions (at runtime, from coverage analysis) is larger than the functions deemed reachable by the static analysis component. We could insert more warnings other places, i.e. start to enforce a "certainty of analysis" for each analysis. Ref: google/oss-fuzz#7593
|
In the meantime I've just opened systemd/systemd#23158 |
|
FWIW systemd isn't the only project using shared libraries. For example freeradius puts |
|
FI prints warnings now. I think this issue can be closed. |
Display visual warning in the event that covered funtions (at runtime, from coverage analysis) is larger than the functions deemed reachable by the static analysis component. We could insert more warnings other places, i.e. start to enforce a "certainty of analysis" for each analysis. Ref: google/oss-fuzz#7593
Display visual warning in the event that covered funtions (at runtime, from coverage analysis) is larger than the functions deemed reachable by the static analysis component. We could insert more warnings other places, i.e. start to enforce a "certainty of analysis" for each analysis. Ref: google/oss-fuzz#7593
Looking at https://storage.googleapis.com/oss-fuzz-introspector/systemd/inspector-report/20220419/fuzz_report.html#functions_cov_hit_9 where there are 1238 covered functions and 24 reachable functions I wonder how it works?
My understanding (based on the footnote) is that reachable functions are determined statically and because of that the numbers aren't supposed to match but if they are that far apart I'm not sure how they can be used to figure out what's reachable (along with blockers and so on). I also wonder where 79.17% comes from?
The text was updated successfully, but these errors were encountered: