libFuzzer minimizer needs to do basic stack comparison

[inferno-chromium]

As i talked with @mbarbella, libFuzzer minimizer currently does not check for stack before trying to minimize. This fails on several targets which get engulfed with timeouts or other crash types. It is important to compare crash type and minimal stack frames comparison (like top 10) before minimizing further. This is needed to enable #250.

[kcc]

I understand the problem in principle, but could you please provide some examples (logs or reproducers)?
libFuzzer know little about the type of crash: it can distinguish timeouts from OOM from asan-ish bugs
but can not currently distinguish different stack traces. It can be enhanced, but I'm not sure if it's the right place to do so.

[inferno-chromium]

atleast one example i saw was #250 (comment). @mbarbella - can you provide more examples, since you are already testing this with several testcases.

[kcc]

quick check: do you still need this, and is this on critical path for #250, or just good to have?

[oliverchang]

It's definitely good to have, but might be a bit too early to say whether if this is still critical to #250.

We'll need to do another pass on current CF testcases once we pick up the new builds to see how many of them are still failing minimization. We'll probably know early next week.

[inferno-chromium]

@kcc - It is definitely important since many targets till timeouts, and i saw this across multiple testcases previously. So, it is not blocking since we will just keep unminimized testcase, but sometime needs fixing when you get time.

[kcc]

This requires ASAN_OPTIONS=dedup_token_length=3 (or other value).
When DEDUP_TOKEN: something is present in the crash log,
libFuzzer will compare the contents of this string before and after minimization.
If the values don't match, the minimizer will stop and report the input from before the last attempt.

[oliverchang]

Thanks Kostya!

This is an unrelated note, but it looks like reports are broken (truncated) if symbolize=0 and dedup_token_length=3.

==55==ERROR: AddressSanitizer: crash-type on address 0x61500000e180 at pc 0x000001518cb5 bp 0x7ffee33391f0 sp 0x7ffee33391e8
READ of size 8 at 0x61500000e180 thread T0
    #0 0x1518cb4  (/out/libreoffice/pptfuzzer+address)

We'll force on symbolize=1 and dedup_token_length=3 during minimization, but our default is symbolize=0. Just a head's up in case you were ever planning to turn on dedup_token_length=3 by default.

[kcc]

Why do we have symbolize=0 on oss-fuzz?

[oliverchang]

We want to symbolize with llvm-symbolizer -inlining=false for de-dupping purposes.

[oliverchang]

I'm guessing there's nothing left to do here?