
Initial crash triaging support for DeepState harnesses #288

Open: wants to merge 3 commits into master

Conversation

@ex0dus-0x commented Dec 18, 2019

Adds initial support for emitting a backtrace after a forked DeepState test throws some type of signal, using --verbose_crash_trace. The output for a buffer overflow/memory corruption example looks as follows:

$ ./a.out --verbose_crash_trace --input_test_file input/test
WARNING: No test specified, defaulting to first test defined (Test_Crashing)
TRACE: Initialized test input buffer with data from `input/test`
TRACE: Running: Test_Crashing from test.cpp(6)
INFO: Test crashed with: Bus error
TRACE: ./a.out() [0x409a8c]
TRACE: /lib/x86_64-linux-gnu/libc.so.6(+0x41100) [0x7f3f2ff1e100]
TRACE: /lib/x86_64-linux-gnu/libc.so.6(waitpid+0x17) [0x7f3f2ffbb3b7]
TRACE: ./a.out() [0x408bf1]
TRACE: ./a.out() [0x409d83]
TRACE: ./a.out(main+0x460) [0x409600]
TRACE: /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7f3f2ff0109b]
TRACE: ./a.out(_start+0x2a) [0x40438a]

This is made possible by handling the SIGCHLD signal, and getting information from the siginfo_t * struct regarding the child's termination.

TODO

  • Stack trace into remote child
  • Resolve symbol names
  • Validate platform-independent compatibility for execinfo
  • Emit line number from backtrace addresses

@ex0dus-0x changed the title from "[WIP] Initial crash triaging support for DeepState harnesses" to "Initial crash triaging support for DeepState harnesses" on Jan 9, 2020

@ex0dus-0x (Author) commented:

Stack unwinding and backtracing become tricky and a little intrusive / not super security-conscious when forked processes are involved during execution, since it involves using ptrace, most likely through libunwind's interface. libunwind doesn't work well as a static library, so we stick with the de facto glibc backtrace functionality and extend it to support backtracing local single-process test runs (--fork=0).
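The two mechanisms discussed above, as an added example that is not DeepState's code: the parent classifies how the forked test child died from the SIGCHLD siginfo_t (si_code / si_status), and, because the parent cannot unwind the child's stack without ptrace, the child prints its own frames with glibc's execinfo from a fatal-signal handler before re-raising the signal. Linux/glibc is assumed; run_forked_test, on_sigchld, on_fatal and the two test bodies are hypothetical names, and crashing_test raises SIGBUS as a constructed stand-in for a real memory-corruption crash.

```c
#define _GNU_SOURCE
#include <execinfo.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t g_child_sig = 0; /* signal that killed the child, 0 = none */

/* Parent: SIGCHLD handler (SA_SIGINFO). si_code says how the child ended and
 * si_status carries the terminating signal. Only async-signal-safe work belongs here. */
static void on_sigchld(int sig, siginfo_t *info, void *ctx) {
    (void)sig; (void)ctx;
    if (info->si_code == CLD_KILLED || info->si_code == CLD_DUMPED)
        g_child_sig = info->si_status;
}

/* Child: print this process's own frames via glibc execinfo (backtrace_symbols_fd
 * needs no malloc), then die with the original signal so the parent still observes it. */
static void on_fatal(int sig) {
    void *frames[32];
    backtrace_symbols_fd(frames, backtrace(frames, 32), STDERR_FILENO);
    signal(sig, SIG_DFL);
    raise(sig); /* blocked while the handler runs; delivered once it returns */
}

/* Run test_body in a forked child; return the signal that crashed it, 0 on a clean exit. */
int run_forked_test(void (*test_body)(void)) {
    struct sigaction sa = { .sa_sigaction = on_sigchld, .sa_flags = SA_SIGINFO | SA_RESTART };
    sigaction(SIGCHLD, &sa, NULL); /* SA_RESTART keeps waitpid from failing with EINTR */
    g_child_sig = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        signal(SIGSEGV, on_fatal); signal(SIGBUS, on_fatal); signal(SIGABRT, on_fatal);
        test_body();
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    /* Cross-check siginfo against the wait status in case the handler did not run first. */
    int from_wait = WIFSIGNALED(status) ? WTERMSIG(status) : 0;
    return g_child_sig ? (int)g_child_sig : from_wait;
}

/* Constructed stand-in for a memory-corruption crash: raise SIGBUS directly. */
static void crashing_test(void) { raise(SIGBUS); }
static void passing_test(void) { }
```

Calling run_forked_test(crashing_test) from a main returns SIGBUS (strsignal gives "Bus error") while the child's own frames, not the parent's waitpid frames, land on stderr. glibc may load libgcc on the first backtrace() call, so a production harness should call it once at startup before any signal can arrive.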
