-
Notifications
You must be signed in to change notification settings - Fork 87
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automated fuzz target filtering #185
Conversation
three types of cases are handled: - driver that has no coverage increase - false positives by crashing at INITED or first few rounds - false positives by crashing at `LLVMFuzzerTestOneInput`
JOB: https://console.cloud.google.com/kubernetes/job/us-central1-c/llm-experiment/default/ofg-pr-185-dg |
@happy-qop Started the experiment here. Several things I wanted to do before merging this to maximize the impact of your filters:
I can work on both and let you know once the experiment starts. |
Glad to hear that it helps! No, I cannot access these crash reports~
I would like to do this but not sure what is the preferred implementation way to align with your following workflow such as how your experiment scripts work with the new classification data. Besides, this classification information also highly relates with the discussed fix prompt strategies.
Have fun for your holiday! |
What's your preferred email address to access them?
I am thinking to start with a very preliminary changes:
Given you cannot see the report now, it might be quicker for me to do it.
Are there any other more sophisticated changes you'd like to propose? |
The gmail used for the meeting should be fine.
Cool! Please go ahead for this and I can learn from your changes for further implementation.
The error filtered here is of driver runtime error, identifying them and proposing corresponding fix prompts is part of the workflow of implementing error type specific fix prompts (FIX_FUZZ_XXX at here). |
Push the first version here: #191 I may adjust it a bit and will update you once it is ready : )
I see, that seems to be a big change indeed. |
Show crash type in HTML reports and JSON summary.
break | ||
|
||
else: | ||
# Another error driver case: no cov increase. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: I believe we have seen cases where the fuzz target is legitimate even when there is no cov increase. This is often when a new target fuzzes a very buggy function that has never been fuzzed before, with a very shallow bug that is instantly triggered.
@DonggeLiu to confirm if this is an issue.
We may want to think about some kind of confidence score here instead of a binary yes/no for filtering crashes/fuzz targets.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I will check with old known bugs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@oliverchang @DonggeLiu Is it possible to also share the example cases with me, I'm interested in these cases and wondering if I also can contribute on improving this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Certainly! Thanks soooo much for volunteering!
These are fuzz targets and the crash logs:
- OOB access in
parse_string
DaveGamble/cJSON#800 - OOB access in
plist_from_memory
libimobiledevice/libplist#244 - Stack-buffer-overflow in AffixMgr::compound_check_morph hunspell/hunspell#996
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67497
They are documented at our README.md : )
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BTW, would it be possible to capture LeakSanitizer: detected memory leaks
?
They are usually not security-related and caused by the fuzz target, it would be useful to filter them (or give them a low confidence score). E.g.,
https://llm-exp.oss-fuzz.com/Result-reports/ofg-pr/2024-04-03-198-dg-comparison/sample/output-hiredis-rediscommand/01
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Of course! I had that idea when implementing the initial version error driver filtering, but leave it as future work since I'm not sure what is your expected way for handling LEAK cases (link). I'll handle that together.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's fantastic, much appreciated!
No description provided.