Hi John,
Thanks for the reply and for the idea. To generate index out of bounds errors through Csmith, which class in the Csmith code would you recommend I look at?
While going through the advanced options using the -hh flag, I noticed a --null-ptr-deref-prob flag. Many times it causes csmith to crash, and when it runs, the output generated using the flag contains only a single function. Is this its expected behavior? From the name, I have a feeling this flag could be useful for my case. Is there any way you feel I can help improve on it?
Thank you,
Ali
From: John Regehr <regehr@cs.utah.edu>
Date: Friday, December 11, 2020 at 12:47 PM
To: Ali Shuja Siddiqui (alissidd) <alissidd@cisco.com>, csmith-dev@flux.utah.edu <csmith-dev@flux.utah.edu>
Cc: Ivan Baev (ibaev) <ibaev@cisco.com>
Subject: Re: [csmith-dev] Using csmith for generating focussed crashes
Hi Ali, I can think of several ways to make this happen. If Xuejun is
available to help a bit, perhaps he can direct you to the correct spot
to generate a null pointer access or OOB array use.
If he isn't available, then I would recommend just finding a spot in the
Csmith source code where an array index is generated, and then 1% of the
time (or whatever), generate -1000 instead of whatever index Csmith
wanted to generate. Of course not all such programs will crash, but some
of them will.
John
On 12/11/20 9:27 AM, Ali Shuja Siddiqui (alissidd) wrote:
> Hello,
>
> In our team at Cisco, we are looking towards making testcases for our
> crash analysis tools. Csmith is a useful tool for generating code for
> testing compilers. We are investigating different ways of generating
> binaries that would crash and result in a core dump. Csmith offers us a
> great base for this purpose.
>
> I would like your feedback to get an idea and pointers on how to modify
> Csmith. Our goal is to generate C code using csmith that when compiled
> successfully and executed may result in a crash. Please also let me know
> of any known work that you may know of, already done in this regard.
>
> Thank you,
>
> Ali Shuja Siddiqui
>
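John's suggestion in the thread (find the spot where Csmith picks an array index and, a small fraction of the time, emit an impossible index such as -1000 instead) as an added example that is not part of this thread and is not Csmith's own code. The generator, the oob_percent knob, the seeded LCG and the shape of the emitted program are all hypothetical stand-ins for wherever Csmith's real index generation lives; they only model the idea so it can be run and measured.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_LEN 8          /* size of the global array the emitted program indexes */
#define OOB_INDEX (-1000)    /* the bogus index John proposes substituting */

/* Deterministic LCG so runs are reproducible from a seed, as Csmith's are.
 * (Hypothetical stand-in for Csmith's own random source.) */
static uint32_t lcg_state = 1u;

static void gen_seed(uint32_t seed) { lcg_state = seed; }

static uint32_t gen_next(void) {
    lcg_state = lcg_state * 1664525u + 1013904223u;
    return lcg_state >> 16;   /* use the higher, better-mixed bits */
}

/* Unmodified behaviour: an in-bounds index for an array of len elements. */
static int gen_index_in_bounds(int len) {
    return (int)(gen_next() % (uint32_t)len);
}

/* Fault-injected variant: oob_percent of the time (0..100), return
 * OOB_INDEX instead of the index the generator wanted. */
static int gen_index(int len, int oob_percent) {
    int wanted = gen_index_in_bounds(len);
    int roll = (int)(gen_next() % 100u);
    return roll < oob_percent ? OOB_INDEX : wanted;
}

static int index_in_bounds(int idx, int len) {
    return idx >= 0 && idx < len;
}

/* Generate n indices from the given seed and count how many are out of bounds,
 * i.e. how many emitted programs would contain the injected access. */
static int count_oob(int n, int len, int oob_percent, uint32_t seed) {
    int oob = 0;
    gen_seed(seed);
    for (int i = 0; i < n; i++) {
        if (!index_in_bounds(gen_index(len, oob_percent), len)) {
            oob++;
        }
    }
    return oob;
}

/* Write a minimal Csmith-style program that reads g_arr at idx into buf.
 * Returns the number of characters written, or -1 if buf is too small. */
static int emit_program(char *buf, size_t cap, int idx) {
    int n = snprintf(buf, cap,
                     "static int g_arr[%d];\n"
                     "int func_1(void) { return g_arr[%d]; }\n"
                     "int main(void) { return func_1(); }\n",
                     ARRAY_LEN, idx);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void) {
    char src[256];
    /* How many of 1000 generated programs carry the injected index at 1%? */
    int oob = count_oob(1000, ARRAY_LEN, 1, 42u);
    printf("1000 indices at 1%%: %d out of bounds\n", oob);
    /* Force the injected path once and print the program it would produce. */
    gen_seed(42u);
    int idx = gen_index(ARRAY_LEN, 100);
    if (emit_program(src, sizeof src, idx) > 0) {
        fputs(src, stdout);
    }
    return 0;
}
```

A constant index like -1000 into a global array usually still lands in mapped memory, so the emitted program reads garbage rather than faulting; that is why only some such programs crash, as John notes. For a deterministic signal while testing, compile the emitted source with -fsanitize=undefined, whose bounds check reports the out-of-bounds access even when it would not have segfaulted.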