You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When reducing the issues found via fuzzing, I often find myself repeating certain cleanup steps, needed to much more quickly reduce a given file.
This PR automates those steps for all cases.
The saved examples use println and not hashing(when searching for bugs, hashing is still used). This is slower to run by a factor of 2, but it makes analyzing the bug samples much, much easier.
Remove most calls to dump_var. This drastically speeds up the execution of the sample(both native and in MIRI). This more than makes up for the slow-down of using println.
The remove_dup_assign step is not needed, but it exploits some properties of Rust to quickly reduce the sample by about 10-15%.
match_to_goto uses the way Rustlantis generates MIR to very quickly turn almost all condtional branching in the sample into unconditional jumps. This makes analysing the generated MIR much easier, and allows for further reduction.
block_abort attempts to replace decoy blocks with calls to abort. In code generated by rustlantis, the decoy blocks may never execute, and are there only to confuse the compiler. So, replacing them with abort is always sound. This greatly reduces the generated sample, and makes reasoning about control flow simpler.
remove_block tries to remove small blocks allotoghter. It runs after block_abort, because non-rechable blocks are still often needed(eg. they are the target of a jump).
linearize_cf tries to merge blocks, removing terminators. This, once again, makes reasoning about the control flow much easier. In some cases, it can reduce a function to a single, continuous block.
Since those reductions exploit certain properties of Rust, more general tools like creduce are often incapable of applying them. So, this set of reduction steps should both speed up the production of minimized samples, and also automate some of the steps of the process.
The resulting file still needs to be feed to a proper reducer for further processing, but, sinice it is considerably simpler already, the whole process will be quicker.
Additionally, since I know that none of the transformations here can introduce UB, and that most of them don't alter the behaviour of the program, I can avoid running MIRI & rustc + LLVM when reducing samples, which further speeds up the process.
The reason will be displayed to describe this comment to others. Learn more.
A few nitpicks.
(And sorry about all the noise for new lines between functions: I checked and rustfmt doesn't seem to support adding a new line between functions. I'll try to find another solution to check this in the CI.)
Looks good!
Thanks for your work!
I suppose we could open an issue about that. tidy enforces this(I think), why shouldn't rustfmt?
There's already a bunch of issues about this. The most up-to-date seems to be this one.
The fix apparently was made a couple years ago, but was not merged to the main branch, for some reasons.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When reducing the issues found via fuzzing, I often find myself repeating certain cleanup steps, needed to much more quickly reduce a given file.
This PR automates those steps for all cases.
printlnand not hashing(when searching for bugs, hashing is still used). This is slower to run by a factor of 2, but it makes analyzing the bug samples much, much easier.dump_var. This drastically speeds up the execution of the sample(both native and in MIRI). This more than makes up for the slow-down of using println.remove_dup_assignstep is not needed, but it exploits some properties of Rust to quickly reduce the sample by about 10-15%.match_to_gotouses the way Rustlantis generates MIR to very quickly turn almost all condtional branching in the sample into unconditional jumps. This makes analysing the generated MIR much easier, and allows for further reduction.block_abortattempts to replace decoy blocks with calls toabort. In code generated byrustlantis, the decoy blocks may never execute, and are there only to confuse the compiler. So, replacing them with abort is always sound. This greatly reduces the generated sample, and makes reasoning about control flow simpler.remove_blocktries to remove small blocks allotoghter. It runs afterblock_abort, because non-rechable blocks are still often needed(eg. they are the target of a jump).linearize_cftries to merge blocks, removing terminators. This, once again, makes reasoning about the control flow much easier. In some cases, it can reduce a function to a single, continuous block.Since those reductions exploit certain properties of Rust, more general tools like
creduceare often incapable of applying them. So, this set of reduction steps should both speed up the production of minimized samples, and also automate some of the steps of the process.The resulting file still needs to be feed to a proper reducer for further processing, but, sinice it is considerably simpler already, the whole process will be quicker.
Additionally, since I know that none of the transformations here can introduce UB, and that most of them don't alter the behaviour of the program, I can avoid running MIRI & rustc + LLVM when reducing samples, which further speeds up the process.