
Re: [csmith-dev] Using csmith for generating focussed crashes

Hi Ali,

Your guess is right, "null-ptr-deref-prob" tells Csmith what's the probability it should intentionally generate dereferences to null pointers. But keep in mind the pointer analysis many times yields may-aliases. Csmith might generate a dereference to a pointer that **might** be null according to the static analysis, but turns out to be not null at runtime. 

In essence, null-ptr-deref-prob = 100 doesn't mean all your generated C programs will crash.

For OOB generation, you should look at class StatementFor. You should be able to manipulate `init`, `incr`, or `limit` to trigger OOB.



On Tue, Dec 15, 2020 at 5:35 AM Ali Shuja Siddiqui (alissidd) <alissidd@cisco.com> wrote:

Hi John,

Thanks for the reply and for the idea. To generate index out of bounds errors through Csmith, which class in the Csmith code would you recommend I look at?


While going through the advanced options using the -hh flag, I noticed a --null-ptr-deref-prob flag. Many times, it results in Csmith crashing, and when it runs, the output that is generated using the flag contains only a single function. Is this its expected behavior? From the name, I have a feeling this flag may be useful for my case. Is there any way you feel I can help improve it?


Thank you,




From: John Regehr <regehr@cs.utah.edu>
Date: Friday, December 11, 2020 at 12:47 PM
To: Ali Shuja Siddiqui (alissidd) <alissidd@cisco.com>, csmith-dev@flux.utah.edu <csmith-dev@flux.utah.edu>
Cc: Ivan Baev (ibaev) <ibaev@cisco.com>
Subject: Re: [csmith-dev] Using csmith for generating focussed crashes

Hi Ali, I can think of several ways to make this happen. If Xuejun is
available to help a bit, perhaps he can direct you to the correct spot
to generate a null pointer access or OOB array use.

If he isn't available, then I would recommend just finding a spot in the
Csmith source code where an array index is generated, and then 1% of the
time (or whatever), generate -1000 instead of whatever index Csmith
wanted to generate. Of course not all such programs will crash, but some
of them will.


On 12/11/20 9:27 AM, Ali Shuja Siddiqui (alissidd) wrote:
> Hello,
> In our team at Cisco, we are looking towards making testcases for our
> crash analysis tools. Csmith is a useful tool for generating code for
> testing compilers. We are investigating different ways of generating
> binaries that would crash and result in a core dump. Csmith offers us a
> great base for this purpose.
> I would like your feedback to get an idea and pointers on how to modify
> Csmith. Our goal is to generate C code using csmith that when compiled
> successfully and executed may result in a crash. Please also let me know
> of any known work that you may know of, already done in this regard.
> Thank you,
> Ali Shuja Siddiqui
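The following is an added example, not code from Csmith or from anyone in this thread. It approximates John's suggestion (replace a generated array index with -1000 some fraction of the time) as a source-to-source rewrite over Csmith's generated C, so the idea can be tried before touching StatementFor or the index generator inside Csmith. The regex is an assumption about the shape of Csmith output (subscripts like `g_12[i]`; only identifier indices are rewritten so that array declarations with literal sizes are left intact), the `-1000` value is John's, and the include-directory argument assumes the usual `csmith.h` runtime header layout. The crash classifier implements Xuejun's caveat: an injected access is only counted as a crash when the process actually dies from a signal.

```python
"""Inject out-of-bounds array indices into Csmith-generated C and check for crashes.

Added example, not part of Csmith. Usage:
    python inject_oob.py program.c /path/to/csmith/runtime [prob] [seed]
"""
import random
import re
import subprocess
import sys

# Assumed shape of Csmith subscripts: identifier '[' identifier ']', e.g. g_12[i].
# Literal indices (g_3[2], and the sizes in declarations such as g_3[4] = {...})
# are deliberately not matched, so the rewritten file still compiles.
INDEX_RE = re.compile(r"\b([A-Za-z_]\w*)\[([A-Za-z_]\w*)\]")

OOB_INDEX = -1000  # the replacement index John suggested


def inject_oob(source: str, prob: float, seed: int = 0) -> tuple:
    """Rewrite each matching subscript to [OOB_INDEX] with probability prob.

    Returns (rewritten_source, number_of_indices_replaced). The RNG is seeded so a
    given (source, prob, seed) always yields the same mutated program.
    """
    rng = random.Random(seed)
    count = 0

    def repl(m):
        nonlocal count
        if rng.random() < prob:
            count += 1
            return f"{m.group(1)}[{OOB_INDEX}]"
        return m.group(0)

    return INDEX_RE.sub(repl, source), count


def crashed(returncode: int) -> bool:
    """subprocess reports death by signal as a negative return code (-11 is SIGSEGV)."""
    return returncode < 0


def compile_and_run(c_path: str, include_dir: str) -> str:
    """Compile one rewritten program and classify the run.

    Returns 'crash', 'ok', 'timeout' or 'compile-error'. -O0 is used on purpose:
    at higher optimisation levels the compiler may treat the out-of-bounds access
    as undefined behaviour and drop it, so the crash never happens.
    """
    exe = c_path[:-2] if c_path.endswith(".c") else c_path + ".bin"
    cc = subprocess.run(["cc", "-w", "-O0", "-I", include_dir, c_path, "-o", exe],
                        capture_output=True, text=True)
    if cc.returncode != 0:
        return "compile-error"
    try:
        run = subprocess.run([exe], capture_output=True, timeout=10)
    except subprocess.TimeoutExpired:
        return "timeout"
    return "crash" if crashed(run.returncode) else "ok"


def main(argv):
    if len(argv) < 3:
        sys.exit(__doc__)
    c_path, include_dir = argv[1], argv[2]
    prob = float(argv[3]) if len(argv) > 3 else 0.01
    seed = int(argv[4]) if len(argv) > 4 else 0
    with open(c_path) as f:
        src = f.read()
    out, n = inject_oob(src, prob, seed)
    oob_path = (c_path[:-2] if c_path.endswith(".c") else c_path) + "_oob.c"
    with open(oob_path, "w") as f:
        f.write(out)
    print(f"{oob_path}: replaced {n} index(es), result={compile_and_run(oob_path, include_dir)}")


if __name__ == "__main__":
    main(sys.argv)
```

As Xuejun notes for the null-pointer case, a rewritten program is not guaranteed to crash: an index of -1000 into a global array may land on other mapped globals and just corrupt data, so a practitioner should loop over several seeds and keep only the runs classified as `crash`.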