
Re: [csmith-dev] Using csmith for generating focussed crashes



Hi Ali,

Your guess is right: "null-ptr-deref-prob" tells Csmith the probability with which it should intentionally generate dereferences of null pointers. But keep in mind that the pointer analysis many times yields may-aliases. Csmith might generate a dereference of a pointer that **might** be null according to the static analysis, but turns out not to be null at runtime.

In essence, null-ptr-deref-prob = 100 doesn't mean all your generated C programs will crash.

For OOB generation, you should look at class StatementFor. You should be able to manipulate `init`, `incr`, or `limit` to trigger OOB.

https://github.com/csmith-project/csmith/blob/72c49db757c47aeb55538aeb0d7aecd7fea85076/src/StatementFor.cpp#L71

Regards,
-Xuejun

On Tue, Dec 15, 2020 at 5:35 AM Ali Shuja Siddiqui (alissidd) <alissidd@cisco.com> wrote:

Hi John,

Thanks for the reply and for the idea. To generate index out of bounds errors through Csmith, which class in the Csmith code would you recommend I look at?

While going through the advanced options using the -hh flag, I noticed a --null-ptr-deref-prob flag. Many times it causes csmith to crash, and when it does run, the output generated using the flag contains only a single function. Is this its expected behavior? From the name, I have a feeling this flag may be useful for my case. Is there any way you feel I can help improve it?

Thank you,

Ali

From: John Regehr <regehr@cs.utah.edu>
Date: Friday, December 11, 2020 at 12:47 PM
To: Ali Shuja Siddiqui (alissidd) <alissidd@cisco.com>, csmith-dev@flux.utah.edu <csmith-dev@flux.utah.edu>
Cc: Ivan Baev (ibaev) <ibaev@cisco.com>
Subject: Re: [csmith-dev] Using csmith for generating focussed crashes

Hi Ali, I can think of several ways to make this happen. If Xuejun is
available to help a bit, perhaps he can direct you to the correct spot
to generate a null pointer access or OOB array use.

If he isn't available, then I would recommend just finding a spot in the
Csmith source code where an array index is generated, and then 1% of the
time (or whatever), generate -1000 instead of whatever index Csmith
wanted to generate. Of course not all such programs will crash, but some
of them will.

John


On 12/11/20 9:27 AM, Ali Shuja Siddiqui (alissidd) wrote:
> Hello,
>
> In our team at Cisco, we are looking towards making testcases for our
> crash analysis tools. Csmith is a useful tool for generating code for
> testing compilers. We are investigating different ways of generating
> binaries that would crash and result in a core dump. Csmith offers us a
> great base for this purpose.
>
> I would like your feedback to get an idea and pointers on how to modify
> Csmith. Our goal is to generate C code using csmith that when compiled
> successfully and executed may result in a crash. Please also let me know
> of any known work that you may know of, already done in this regard.
>
> Thank you,
>
> Ali Shuja Siddiqui
>
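An added driver, written for this page and not part of the thread or of Csmith, that measures the point Xuejun makes above: even with --null-ptr-deref-prob 100 only some generated programs actually crash, because a may-be-null pointer is often non-null at runtime. It generates N programs with Csmith, compiles each, runs it with core dumps enabled, and classifies the result by exit status or terminating signal. The same harness measures the hit rate of John's suggested index mutation once that change is made in the Csmith source. Assumptions (hypothetical, adjust to your install): `csmith` and `gcc` are on PATH, `csmith --null-ptr-deref-prob <N> --seed <S>` writes a program to stdout as `csmith -hh` documents, and `CSMITH_HOME` points at a checkout whose `runtime/` directory contains `csmith.h`.

```python
"""Crash-rate harness for Csmith-generated programs (added example, not
Csmith's own code). Assumes csmith and gcc on PATH and CSMITH_HOME set so
that $CSMITH_HOME/runtime/csmith.h exists (hypothetical layout)."""
import os
import resource
import signal
import subprocess
import sys
import tempfile


def classify_exit(returncode):
    """Map a subprocess return code to 'exit N' or the terminating signal name.

    On POSIX, subprocess reports a process killed by a signal as a negative
    return code, so -11 is SIGSEGV, the usual outcome of a null dereference
    or an out-of-bounds access that lands on an unmapped page.
    """
    if returncode < 0:
        return signal.Signals(-returncode).name
    return "exit %d" % returncode


def is_crash(label):
    """A 'crash' here means termination by a signal that produces a core."""
    return label in ("SIGSEGV", "SIGBUS", "SIGILL", "SIGFPE", "SIGABRT")


def crash_rate(labels):
    """Return (crashed, total) over a list of classify_exit() labels.

    Compile errors and timeouts count toward the total but not as crashes,
    so they are never mistaken for successful test cases.
    """
    crashed = sum(1 for label in labels if is_crash(label))
    return crashed, len(labels)


def _enable_core_dumps():
    # Runs in the child before exec: raise the core size limit to the hard
    # limit so a crash leaves a core file for the crash-analysis tooling.
    _soft, hard = resource.getrlimit(resource.RLIMIT_CORE)
    resource.setrlimit(resource.RLIMIT_CORE, (hard, hard))


def run_one(seed, prob, workdir, timeout=10):
    """Generate, compile and run one program; return its classify_exit label."""
    src = os.path.join(workdir, "t%d.c" % seed)
    exe = os.path.join(workdir, "t%d" % seed)
    # Csmith flag syntax as documented by `csmith -hh` (assumed here).
    with open(src, "w") as out:
        subprocess.run(["csmith", "--null-ptr-deref-prob", str(prob),
                        "--seed", str(seed)], stdout=out, check=True)
    runtime = os.path.join(os.environ.get("CSMITH_HOME", "."), "runtime")
    # -O0 keeps the compiler from folding away the dereference; -w silences
    # the warnings Csmith output routinely triggers.
    cc = subprocess.run(["gcc", "-O0", "-w", "-I", runtime, src, "-o", exe],
                        capture_output=True)
    if cc.returncode != 0:
        return "compile-error"
    try:
        run = subprocess.run([exe], capture_output=True, timeout=timeout,
                             preexec_fn=_enable_core_dumps, cwd=workdir)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify_exit(run.returncode)


def main(argv):
    prob = int(argv[1]) if len(argv) > 1 else 100
    count = int(argv[2]) if len(argv) > 2 else 20
    seeds = range(1, count + 1)
    with tempfile.TemporaryDirectory() as workdir:
        labels = [run_one(seed, prob, workdir) for seed in seeds]
    crashed, total = crash_rate(labels)
    print("null-ptr-deref-prob=%d: %d of %d programs crashed"
          % (prob, crashed, total))
    for seed, label in zip(seeds, labels):
        print("  seed %d: %s" % (seed, label))


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `python3 crashrate.py 100 50` generates fifty programs at probability 100 and prints the per-seed outcome. Seeds that crash are the ones worth keeping as test cases; the seed alone reproduces the program, so only the seed list needs to be stored. Core files land in the temporary directory, so point `cwd` at a persistent directory if you want to keep them.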