Fuzzer enhancement: Explicitly check output for uninitialized memory #22064
Comments
Concept ACK, obviously. Though, I am worried that this will make our code overly verbose, and hard to maintain. Maybe it would help if there was a compiler knob to adjust the aggressiveness of the memory sanitizers? For "easy" memory violations,
@guidovranken This technique was used in #23152 (comment). Thanks! :)
For reference: as mentioned previously, I don't think there is anything that can be done here, other than adding a compiler flag upstream. In theory the wrapper code can be enforced with a clang-tidy plugin in fuzz code (cc @dergoegge), but the downsides of being incomplete and making the code overly verbose still hold.
(maybe this is what you mean by "enforce" but) My idea was to have the clang-tidy plugin auto refactor all our code to insert the wrappers prior to running the msan/valgrind job in CI. I think this should be possible and would avoid the verbosity of having the wrappers present in the actual code.
So every statement in the source code is wrapped and the memory is read by msan? Probably fine, but I'd suspect a massive slow-down. I guess doing this once per release can't hurt.
There's also What's suggested in this issue, i.e., reporting every read of an uninitialized value, may just be too much. The Valgrind FAQ says this:
But starting with clang 16, at least MSan gets us closer to this. Returning an uninitialized variable from a function, or passing uninitialized values to a function as a parameter, is now considered a "use" of uninitialized memory, and MSan will report it by default. See the Clang 16.0.09 Release Notes:
Is your feature request related to a problem? Please describe.
Both MemorySanitizer and Valgrind will only detect uninitialized memory if it is used for branching or IO. E.g. the following program performs a computation using an uninitialized variable (a) but this won't trigger MSAN/Valgrind:
Describe the solution you'd like
Call __msan_check_mem_is_initialized on the data to make MSAN evaluate it.
Describe alternatives you've considered
Alternative solution that also works with Valgrind: write the data to /dev/null:
Additional context
Proposal: Create a wrapper for __msan_check_mem_is_initialized (as a C++ method), e.g.:
And use overloaded methods for special types, e.g.
Then edit all fuzzer harnesses and call TestMsan with the output of each non-void method. E.g. the parse_script harness would become:
The same concept can be applied to the unit tests.
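A sketch of the wrapper the proposal describes, added here as an illustration and not code from the issue or from the project: TestMsan overloads built on __msan_check_mem_is_initialized, falling back to the /dev/null write (the Valgrind-compatible alternative above) when the build is not MSan-instrumented. ForceInitializedCheck and ParsedRecord are assumed names; the harness output type is hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

#if defined(__has_feature)
#  if __has_feature(memory_sanitizer)
#    include <sanitizer/msan_interface.h>
#    define HAVE_MSAN 1
#  endif
#endif

// Make the tool treat `len` bytes at `p` as used. Under MSan this is the
// explicit check from the issue; otherwise the bytes go to /dev/null, the
// I/O "use" that Valgrind's memcheck also reports on. Returns the byte count.
inline size_t ForceInitializedCheck(const void* p, size_t len)
{
#ifdef HAVE_MSAN
    __msan_check_mem_is_initialized(p, len);
#else
    static FILE* sink = std::fopen("/dev/null", "wb");
    if (sink != nullptr && len > 0) std::fwrite(p, 1, len, sink);
#endif
    return len;
}

// Generic overload for plain values: checked byte-for-byte.
template <typename T>
size_t TestMsan(const T& value) { return ForceInitializedCheck(&value, sizeof(value)); }

// Overloads for types whose payload lives behind a pointer.
inline size_t TestMsan(const std::string& s) { return ForceInitializedCheck(s.data(), s.size()); }
template <typename T>
size_t TestMsan(const std::vector<T>& v) { return ForceInitializedCheck(v.data(), v.size() * sizeof(T)); }

// Hypothetical struct standing in for a harness's parsed output. Checked per
// member, not with sizeof(r): struct padding is never written and would be a false positive.
struct ParsedRecord { uint32_t version; uint8_t flags; std::vector<uint8_t> payload; };
inline size_t TestMsan(const ParsedRecord& r)
{
    return TestMsan(r.version) + TestMsan(r.flags) + TestMsan(r.payload);
}

int main()
{
    ParsedRecord r{1, 0, {0xde, 0xad}};  // constructed sample, fully initialized
    std::printf("checked %zu bytes\n", TestMsan(r));  // prints "checked 7 bytes"
}
```

Under an MSan build, returning a ParsedRecord whose version was never assigned makes TestMsan(r) report the read instead of silently returning 7.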