[infra] Invoke run_fuzzer from bad_build_check for regression testing (fixes #1355). (#1357)

* [infra] Invoke run_fuzzer from bad_build_check for regression testing (fixes #1355). * Address review comments.
2018-04-26 07:17:44 -07:00 · 2018-04-26 07:17:44 -07:00 · 69ffa9bfdf
parent 36de5d7b29
commit 69ffa9bfdf
4 changed files with 34 additions and 27 deletions
--- a/infra/base-images/base-runner/bad_build_check
+++ b/infra/base-images/base-runner/bad_build_check
@ -54,7 +54,7 @@ function check_instrumentation {
    return 1
  fi

-  local NUMBER_OF_EDGES=$(grep -Po "INFO: Loaded [[:digit:]]+ module.*\(.*counters|guards\):[[:space:]]+\K[[:digit:]]+" $FUZZER_OUTPUT)
+  local NUMBER_OF_EDGES=$(grep -Po "INFO: Loaded [[:digit:]]+ module.*\(.*(counters|guards)\):[[:space:]]+\K[[:digit:]]+" $FUZZER_OUTPUT)

  if (( $NUMBER_OF_EDGES < $THRESHOLD_FOR_NUMBER_OF_EDGES )); then
    echo "BAD BUILD: the target seems to have only partial coverage instrumentation."
@ -165,6 +165,30 @@ function check_mixed_sanitizers {
  fi
 }

+# Verify that the given fuzz target doesn't crash on the seed corpus.
+function check_seed_corpus {
+  local FUZZER=$1
+  local FUZZER_NAME="$(basename $FUZZER)"
+  local FUZZER_OUTPUT="/tmp/$FUZZER_NAME.output"
+
+  if [[ "$FUZZING_ENGINE" != libfuzzer ]]; then
+    return
+  fi
+
+  # Set up common fuzzing arguments, otherwise "run_fuzzer" errors out.
+  if [ -z "$FUZZER_ARGS" ]; then
+    export FUZZER_ARGS="-rss_limit_mb=2048 -timeout=25"
+  fi
+
+  bash -c "run_fuzzer $FUZZER_NAME -runs=0" &> $FUZZER_OUTPUT
+
+  # Don't output anything if fuzz target hasn't crashed.
+  if [ $? -ne 0 ]; then
+    echo "$FUZZER_NAME has a crash input in its seed coprpus:"
+    cat $FUZZER_OUTPUT
+  fi
+}
+

 function main {
  local FUZZER=$1
@ -172,6 +196,7 @@ function main {
  check_instrumentation $FUZZER
  check_mixed_sanitizers $FUZZER
  check_startup_crash $FUZZER
+  check_seed_corpus $FUZZER
 }


--- a/infra/base-images/base-runner/run_fuzzer
+++ b/infra/base-images/base-runner/run_fuzzer
@ -24,14 +24,14 @@ cd $OUT
 FUZZER=$1
 shift

-rm -rf /tmp/input/ && mkdir /tmp/input/
+CORPUS_DIR="/tmp/${FUZZER}_corpus"
+
+rm -rf $CORPUS_DIR && mkdir $CORPUS_DIR

-CORPUS=
 SEED_CORPUS="${FUZZER}_seed_corpus.zip"
 if [ -f $SEED_CORPUS ]; then
  echo "Using seed corpus: $SEED_CORPUS"
-  unzip -d /tmp/input/ $SEED_CORPUS > /dev/null
-  CORPUS=/tmp/input
+  unzip -d ${CORPUS_DIR}/ $SEED_CORPUS > /dev/null
 fi

 if [[ "$FUZZING_ENGINE" = afl ]]; then
@ -43,14 +43,11 @@ if [[ "$FUZZING_ENGINE" = afl ]]; then
  export AFL_SKIP_CPUFREQ=1
  rm -rf /tmp/afl_output && mkdir /tmp/afl_output
  # AFL expects at least 1 file in the input dir.
-  echo input > /tmp/input/input
-  CMD_LINE="$OUT/afl-fuzz $AFL_FUZZER_ARGS -i /tmp/input -o /tmp/afl_output $@ $OUT/$FUZZER"
+  echo input > ${CORPUS_DIR}/input
+  CMD_LINE="$OUT/afl-fuzz $AFL_FUZZER_ARGS -i $CORPUS_DIR -o /tmp/afl_output $@ $OUT/$FUZZER"
 elif [[ "$FUZZING_ENGINE" = honggfuzz ]]; then
-  if [ -z "$CORPUS" ]; then
-    CORPUS=/tmp/input
-  fi
  # Honggfuzz expects at least 1 file in the input dir.
-  echo input > $CORPUS/input
+  echo input > $CORPUS_DIR/input
  rm -rf /tmp/honggfuzz_workdir && mkdir /tmp/honggfuzz_workdir
  # --exit_upon_crash: exit whith a first crash seen
  # -R (report): save report file to this location
@ -62,7 +59,7 @@ elif [[ "$FUZZING_ENGINE" = honggfuzz ]]; then
  # -n: number of fuzzing threads (and processes)
  CMD_LINE="$OUT/honggfuzz -n 1 --exit_upon_crash -R /tmp/HONGGFUZZ.REPORT.TXT -W /tmp/honggfuzz_workdir -v -z -P -f \"$CORPUS\" $@ -- \"$OUT/$FUZZER\""
 else
-  CMD_LINE="$OUT/$FUZZER $FUZZER_ARGS $@ $CORPUS"
+  CMD_LINE="$OUT/$FUZZER $FUZZER_ARGS $@ $CORPUS_DIR"

  OPTIONS_FILE="${FUZZER}.options"
  if [ -f $OPTIONS_FILE ]; then
--- a/infra/base-images/base-runner/test_all
+++ b/infra/base-images/base-runner/test_all
@ -46,17 +46,6 @@ for FUZZER_BINARY in $(find $OUT/ -executable -type f); do
    continue
  fi

-  if [ "$SKIP_TEST_TARGET_RUN" != "1" ]; then
-    if [[ "$FUZZING_ENGINE" = honggfuzz ]]; then
-      timeout --preserve-status -s INT 20s run_fuzzer $FUZZER
-    elif [[ "$FUZZING_ENGINE" = libfuzzer ]]; then
-      run_fuzzer $FUZZER -max_total_time=20
-    else
-      export AFL_NO_UI=1
-      timeout --preserve-status -s INT 20s run_fuzzer $FUZZER
-    fi
-  fi
-
  echo "INFO: performing bad build checks for $FUZZER_BINARY."

  LOG_PATH_FOR_BROKEN_TARGET="${BROKEN_TARGETS_DIR}/${FUZZER}"
--- a/infra/gcb/build.py
+++ b/infra/gcb/build.py
@ -195,10 +195,6 @@ def get_build_steps(project_yaml, dockerfile_path):
      env.append('OUT=' + out)
      env.append('MSAN_LIBS_PATH=/workspace/msan')

-      # To disable running of all fuzz targets while doing |test_all| step, as
-      # that step is currently being used for performing bad build checks only.
-      env.append('SKIP_TEST_TARGET_RUN=1')
-
      workdir = workdir_from_dockerfile(dockerfile_path)
      if not workdir:
        workdir = '/src'