add script and instructions for minimizing and cleansing fuzz crashes (#1305)
This commit is contained in:
parent
b632107a7a
commit
5202d07a77
@ -83,3 +83,18 @@ build-sanitizers/fuzz/fuzz_parser my_testcase.json
```
In case this does not reproduce the bug, you may want to proceed with reproducing using the oss-fuzz tools. See the instructions [here](https://google.github.io/oss-fuzz/advanced-topics/reproducing/).
# Minimizing and cleansing crashes
If a crashing case is found, it is useful to minimize it and cleanse it (replace irrelevant bytes with spaces).
```shell
build-sanitizers-O0/fuzz/fuzz_ndjson out/ndjson
# ...crashes and writes the crash-... file
# minimize it:
build-sanitizers-O0/fuzz/fuzz_ndjson crash-xxxxxxx -minimize_crash=1 -exact_artifact_path=minimized_crash -max_total_time=100
# replace irrelevant parts with space:
build-sanitizers-O0/fuzz/fuzz_ndjson minimized_crash -cleanse_crash=1 -exact_artifact_path=cleansed_crash
# use/share cleansed_crash
```
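--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+# usage: fuzzer crash
+
+
+fuzzer=$1
+
+if [ ! -x $fuzzer ] ; then
+echo "arg 1 should be a fuzzer executable"
+exit 1
+fi
+
+crash=$2
+if [ ! -e $crash ] ; then
+echo "arg2 should be a crashing test case"
+exit 1
+fi
+if [ -d $crash ] ; then
+echo "crash should be a file, not a dir"
+exit 1
+fi
+
+echo "checking that the crash crashes..."
+origreport=$(mktemp --tmpdir orig_crash_report.XXXXXXXXX)
+if $fuzzer $crash >$origreport 2>&1; then
+echo "your crash does not crash."
+exit 1
+else
+echo "...it does."
+fi
+
+sizeofcrash=$(stat --format=%s $crash)
+echo "starting to minimize crash of size $sizeofcrash..."
+minimized=$(mktemp --tmpdir minimized_crash.XXXXXXXXX)
+$fuzzer -minimize_crash=1 -exact_artifact_path=$minimized -max_total_time=5 $crash >/dev/null 2>&1
+
+sizeofminimized=$(stat --format=%s $minimized)
+echo "got it down to $sizeofminimized"
+
+echo "checking that the minimized crash crashes..."
+report=$(mktemp --tmpdir minimized_crash_report.XXXXXXXXX)
+if $fuzzer $minimized >$report 2>&1; then
+echo "your minimized crash does not crash."
+exit 1
+else
+echo "...it does."
+fi
+
+echo "starting cleansing..."
+cleansed=$(mktemp --tmpdir cleansed_crash.XXXXXXXXX)
+cleansingreport=$(mktemp --tmpdir cleansing_output.XXXXXXXXX)
+$fuzzer $minimized -cleanse_crash=1 -exact_artifact_path=$cleansed >$cleansingreport 2>&1
+
+echo "checking that the cleansed crash crashes..."
+report=$(mktemp --tmpdir cleansed_crash_report.XXXXXXXXX)
+if $fuzzer $cleansed >$report 2>&1; then
+echo "your cleansed crash $cleansed does not crash. see cleansing report: $cleansingreport"
+exit 1
+else
+echo "....it does."
+fi
+
+echo "your minimized and cleansed crash (report $origreport) is here: $cleansed and the report for the cleansed crash is here: $report"
+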
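Review bot: The argument checks at `if [ ! -x $fuzzer ] ; then` and `if [ ! -e $crash ] ; then` leave the expansions unquoted, so when an argument is missing the test collapses to the one-operand form `[ ! -x ]`, which is true for the non-empty string `-x` and is then negated to false, and the script proceeds with an empty `$fuzzer` or `$crash`; a path containing whitespace or glob characters is similarly mis-split. Quoting fixes both cases: `if [ ! -x "$fuzzer" ] ; then` and `if [ ! -e "$crash" ] ; then`, and the same quoting belongs on every later use of `$fuzzer`, `$crash`, `$minimized`, `$cleansed` and the report paths on the command lines, e.g. `if "$fuzzer" "$crash" >"$origreport" 2>&1; then`. Under `#!/bin/sh` the `mktemp --tmpdir` and `stat --format=%s` invocations are GNU-specific, so a header comment such as `# requires GNU coreutils (mktemp --tmpdir, stat --format)` would save a reader on a BSD or macOS host a confusing failure. The exit status of the `-minimize_crash=1` and `-cleanse_crash=1` runs is discarded, which is presumably intentional because the fuzzer exits non-zero after reproducing the crash, but a one-line comment stating that would make the omission read as deliberate rather than accidental.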