@cujomalainey (Contributor) commented Oct 12, 2020

Initial build files for sound open firmware fuzzer

thesofproject/sof#3505 needs to merge first

TODO

  • missing seed corpus
  • Redirect to origin repo once PR is merged

@cujomalainey (Contributor Author):

@lgirdwood @ranj063 FYI

@lgirdwood left a comment:

LGTM

@inferno-chromium (Contributor):

ubsan build is crashing, see failure

```
INFO: A corpus is not provided, starting from an empty corpus
/src/sof/src/ipc/handler.c:1385:9: runtime error: left shift of 15 by 28 places cannot be represented in type 'int'
    #0 0x4b248c in ipc_cmd /src/sof/src/ipc/handler.c:1385:9
    #1 0x4af795 in LLVMFuzzerTestOneInput /src/sof/tools/oss-fuzz/fuzz_ipc.c:32:2
    #2 0x440771 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
    #3 0x43fcba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:503:3
    #4 0x441e52 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:793:5
    #5 0x4420f9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:841:3
    #6 0x431774 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:902:6
    #7 0x4598e2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #8 0x7fbe7331783f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #9 0x406b18 in _start (/tmp/not-out/fuzz_ipc+0x406b18)

DEDUP_TOKEN: ipc_cmd--LLVMFuzzerTestOneInput--fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/sof/src/ipc/handler.c:1385:9 in 
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0xa,
\x0a
artifact_prefix='./'; Test unit written to ./crash-adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
Base64: Cg==
ERROR: 100% of fuzz targets seem to be broken. See the list above for a detailed information.
```

You need to get this bug fixed so that this startup/quick-to-hit crash is fixed; we won't archive the build if the fuzzer instantly crashes.

Also, the afl fuzzing engine is crashing on another issue; see if you can fix that. Otherwise, disable afl by specifying the fuzzing_engines property in project.yaml.
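
The UBSan report above (left shift of 15 by 28 places in ipc_cmd) is the usual signed-shift bug in a bit-field mask: `0xf << 28` is evaluated in `int`, and 0xF0000000 does not fit in a 32-bit signed value, so the C standard leaves the result undefined. The block below is an added example written for this page; it is not SOF's handler.c and not code from this PR. The header layout it uses (4-bit type at bits 31..28, 12-bit command at bits 27..16, 16-bit size below) and every function name in it are assumptions chosen for illustration. It shows the undefined pattern beside a version that keeps all mask arithmetic unsigned, the same pitfall when assembling a word from bytes, and the length check a handler needs for inputs like the one-byte crash unit this run produced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not SOF code. The header layout is an assumption made for
 * illustration: bits 31..28 hold a 4-bit "type", bits 27..16 a 12-bit "cmd",
 * bits 15..0 a 16-bit "size".
 */
#define IPC_TYPE_SHIFT 28u
#define IPC_TYPE_BITS   4u
#define IPC_CMD_SHIFT  16u
#define IPC_CMD_BITS   12u

/*
 * The 'before': the shape UBSan reports as "left shift of 15 by 28 places
 * cannot be represented in type 'int'". Both operands are int, and
 * 0xf << 28 = 0xF0000000 exceeds INT_MAX, so C leaves the result undefined.
 * Kept for comparison only; nothing below calls it.
 */
int ipc_type_unsafe(uint32_t hdr, int shift)
{
    int mask = 0xf << shift;                        /* UB when shift == 28 */
    return (int)((hdr & (uint32_t)mask) >> shift);
}

/*
 * The fixed shape: shift the header right first and mask with a value that
 * never has to be shifted left into the sign bit. All arithmetic is unsigned.
 * Returns 0 for a field that does not fit in 32 bits (caller error).
 */
uint32_t ipc_field(uint32_t hdr, unsigned shift, unsigned bits)
{
    if (bits == 0 || bits > 32 || shift >= 32 || shift + bits > 32)
        return 0;
    uint32_t mask = (bits == 32) ? UINT32_MAX : ((1u << bits) - 1u);
    return (hdr >> shift) & mask;
}

/*
 * Decode a little-endian 32-bit header. The cast on each byte matters: a
 * plain `data[3] << 24` promotes the uint8_t to int and hits the same signed
 * shift UB whenever bit 7 of that byte is set.
 */
static uint32_t load_le32(const uint8_t *data)
{
    return (uint32_t)data[0]
         | ((uint32_t)data[1] << 8)
         | ((uint32_t)data[2] << 16)
         | ((uint32_t)data[3] << 24);
}

/*
 * Handler-side length check. The crash unit in the thread was a single byte
 * (0x0a); a handler must refuse anything shorter than a header rather than
 * read past the buffer. Returns the type field, or -1 on a short input.
 */
long ipc_parse_type(const uint8_t *data, size_t size)
{
    if (data == NULL || size < sizeof(uint32_t))
        return -1;
    uint32_t hdr = load_le32(data);
    return (long)ipc_field(hdr, IPC_TYPE_SHIFT, IPC_TYPE_BITS);
}

/* Entry point in the libFuzzer / AFL driver convention. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)ipc_parse_type(data, size);
    return 0;
}

int main(void)
{
    /* Constructed inputs: the one-byte crash unit, and a well-formed header
     * 0xf2345678 (type 0xf, cmd 0x234, size 0x5678) in little-endian order. */
    const uint8_t short_unit[] = { 0x0a };
    const uint8_t hdr_le[] = { 0x78, 0x56, 0x34, 0xf2 };

    printf("one-byte unit -> %ld (rejected)\n",
           ipc_parse_type(short_unit, sizeof short_unit));
    printf("type=0x%lx cmd=0x%x\n",
           ipc_parse_type(hdr_le, sizeof hdr_le),
           (unsigned)ipc_field(load_le32(hdr_le), IPC_CMD_SHIFT, IPC_CMD_BITS));
    return 0;
}
```

Compiling the block with `clang -O0 -fsanitize=undefined` and calling `ipc_type_unsafe(0xf2345678u, 28)` from main reproduces the wording of the report in the log; `ipc_field` runs clean under the same flags because no signed value is ever shifted.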

@cujomalainey (Contributor Author):

Thanks, I have only been testing with default args for run_fuzzer. Once I finish stabilizing that (currently crashing due to some missing configs) I will take a look at ubsan as that is very broken.

@cujomalainey (Contributor Author):

This is fixed in thesofproject/sof#3543, our first legitimate fuzzer-found bug :)

@cujomalainey (Contributor Author):

@inferno-chromium I took a look at the AFL failures and they all appear to be linker failures in the AFL engine itself. Is this on oss-fuzz's side? I am linking with clang++

```
/usr/local/bin/clang++ -O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard /usr/lib/libFuzzingEngine.a CMakeFiles/fuzz_ipc.dir/fuzz_ipc.c.o -o /out/fuzz_ipc  -Wl,-rpath,::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -ldl -lm sof_ep/install/lib/libsof.a
```

which causes the following (truncated) set of errors.

```
/usr/lib/libFuzzingEngine.a(afl_driver.o): In function `~basic_ifstream':
/usr/local/bin/../include/c++/v1/iosfwd:144: undefined reference to `std::__1::basic_istream<char, std::__1::char_traits<char> >::~basic_istream()'
/usr/local/bin/../include/c++/v1/iosfwd:144: undefined reference to `std::__1::basic_ios<char, std::__1::char_traits<char> >::~basic_ios()'
/usr/lib/libFuzzingEngine.a(afl_driver.o): In function `ExecuteFilesOnyByOne':
```

@inferno-chromium (Contributor):

Please exclude afl for now by adding the fuzzing_engines field in project.yaml with libfuzzer and honggfuzz. If @jonathanmetzman has cycles, he can recommend what you might be doing wrong.

@cujomalainey (Contributor Author):

honggfuzz

Done. I am still tracing some config issues; I don't think they are legitimate bugs, more how I am setting up the fake shim. Will promote this to ready once I am confident the bugs are not in the host abstraction.

@cujomalainey (Contributor Author):

thesofproject/sof#3558 and thesofproject/sof#3559 fix both the undefined and memory sanitizers, which allows them to run for >20s freely. Still fixing a bug on the address sanitizer and waiting for a seed corpus from the kernel team.

@cujomalainey (Contributor Author):

@ranj063 any update on seed corpus?

@cujomalainey cujomalainey marked this pull request as ready for review December 10, 2020 02:20
@cujomalainey (Contributor Author):

Added a seed corpus copy to $OUT in build.sh

Need to land the following PRs first.

@ranj063 commented Dec 14, 2020

@ranj063 any update on seed corpus?

@cujomalainey sorry, I haven't had the time to look into this at all. I'm afraid I won't be able to do much before the holidays.

@cujomalainey (Contributor Author):

No worries, I generated it and landed it last week in the sof repo

@cujomalainey (Contributor Author):

rebased to kick CI

@cujomalainey (Contributor Author) commented Dec 14, 2020

@inferno-chromium this is ready to go actually. thesofproject/sof#3612 is not needed, as I had it as part of a commit chain that opened up more code to the fuzzer that has not landed yet.

@inferno-chromium inferno-chromium merged commit 6d69c3d into google:master Dec 14, 2020