[v25.3.x] Add comparison operators to iobuf fuzz test (and other enhancements) #29280
Open
vbotbuildovich wants to merge 5 commits into redpanda-data:v25.3.x from vbotbuildovich:backport-pr-29200-v25.3.x-297
Before this commit if a UB error occurred it would be printed like:
```
src/v/bytes/iobuf.cc:192:52: runtime error: null pointer passed as argument 2, which is declared to never be null
external/+non_module_dependencies+x86_64_sysroot/usr/include/string.h:65:33: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/v/bytes/iobuf.cc:192:52
```
without actually causing the fuzz test to stop or fail. Now it will cause the test to fail and print a backtrace of where it failed.
(cherry picked from commit 580e092)
This test replicates known issues with the `<=>` operator and hopefully
will prevent other issues from going unnoticed.
An example of the new test reproducing known issues:
```
$ bazel test //src/v/bytes/tests:iobuf_fuzz --config=sanitizer --runs_per_test=100 00:17:56 [8/1855]
INFO: Invocation ID: ed80b7dc-a90c-495f-a647-22d11fc5c38c
INFO: Analyzed target //src/v/bytes/tests:iobuf_fuzz (0 packages loaded, 0 targets configured).
FAIL: //src/v/bytes/tests:iobuf_fuzz (run 18 of 100) (Exit 1) (see /home/brandonallard/data/.cache/bazel/_bazel_brandonallard/50acd7c106e570e66c6351a7103182f1/execroot/_main/bazel-out/k8-dbg/testlogs/src/v/bytes/tests/iobuf_fuzz/run_18_of_100/test.log)
INFO: From Testing //src/v/bytes/tests:iobuf_fuzz (run 18 of 100):
==================== Test output for //src/v/bytes/tests:iobuf_fuzz (run 18 of 100):
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2773365366
INFO: A corpus is not provided, starting from an empty corpus
WARNING: no interesting inputs were found so far. Is the code instrumented for coverage?
This may also happen if the target rejected all inputs we tried so far
src/v/bytes/iobuf.cc:192:52: runtime error: null pointer passed as argument 2, which is declared to never be null
external/+non_module_dependencies+x86_64_sysroot/usr/include/string.h:65:33: note: nonnull attribute specified here
#0 0x7ff296ec461d in iobuf::operator<=>(iobuf const&) const src/v/bytes/iobuf.cc:192:28
#1 0x55d29d4a27b4 in iobuf_ops::compare_iobufs(std::__1::basic_string_view<char, std::__1::char_traits<char>>, bool) src/v/bytes/tests/iobuf_fuzz.cc:281:31
#2 0x55d29d49e171 in driver::handle_op(driver::op_spec) src/v/bytes/tests/iobuf_fuzz.cc:576:16
#3 0x55d29d49abbb in driver::operator()() src/v/bytes/tests/iobuf_fuzz.cc:513:13
#4 0x55d29d49abbb in LLVMFuzzerTestOneInput src/v/bytes/tests/iobuf_fuzz.cc:719:16
#5 0x55d29d3385db in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
#6 0x55d29d337c05 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#7 0x55d29d339935 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:765:19
#8 0x55d29d33a595 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:910:5
#9 0x55d29d327ff5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:915:6
#10 0x55d29d354bb2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#11 0x7ff28d010247 in __libc_start_call_main (/lib64/libc.so.6+0x3247) (BuildId: 515c33a35f41020661fea8ac4eb995e26ccd6b00)
#12 0x7ff28d01030a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x330a) (BuildId: 515c33a35f41020661fea8ac4eb995e26ccd6b00)
#13 0x55d29d31a704 in _start (/home/brandonallard/data/.cache/bazel/_bazel_brandonallard/50acd7c106e570e66c6351a7103182f1/execroot/_main/bazel-out/k8-dbg/bin/src/v/bytes/tests/iobuf_fuzz+0x2f0704) (BuildId: 4de8a27cc512a4a32db2efcd62d94228)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/v/bytes/iobuf.cc:192:52
MS: 5 CMP-CrossOver-InsertRepeatedBytes-ChangeBit-InsertByte- DE: "\000\000\000\000"-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0x23,0xa,0x0,0x0,0x0,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0xa,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8
,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0x8,0xa,0x0,
0\010\010\010\010\010\010\010\010\010\010\010\010\010\010\010\010\010\010\010\010\010\010\010\010\010\012\000
artifact_prefix='./'; Test unit written to ./crash-87234361ff2513f61e8eba73f82676d022d60e42
Base64: IwoAAAAICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgKAA==
================================================================================
FAIL: //src/v/bytes/tests:iobuf_fuzz (run 76 of 100) (Exit 77) (see /home/brandonallard/data/.cache/bazel/_bazel_brandonallard/50acd7c106e570e66c6351a7103182f1/execroot/_main/bazel-out/k8-dbg/testlogs/src/v/bytes/tests/iobuf_fuzz/run_76_of_100/test.log)
INFO: From Testing //src/v/bytes/tests:iobuf_fuzz (run 76 of 100):
==================== Test output for //src/v/bytes/tests:iobuf_fuzz (run 76 of 100):
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2867371789
INFO: A corpus is not provided, starting from an empty corpus
WARNING: no interesting inputs were found so far. Is the code instrumented for coverage?
This may also happen if the target rejected all inputs we tried so far
libc++abi: terminating due to uncaught exception of type std::runtime_error: (buf <=> o_buf) != (ref <=> o_ref)
==12== ERROR: libFuzzer: deadly signal
#0 0x55a6e61329f1 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x55a6e6027228 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x55a6e6009e73 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
#3 0x7f980b02704f (/lib64/libc.so.6+0x1a04f) (BuildId: 515c33a35f41020661fea8ac4eb995e26ccd6b00)
#4 0x7f980b080113 in __pthread_kill_implementation (/lib64/libc.so.6+0x73113) (BuildId: 515c33a35f41020661fea8ac4eb995e26ccd6b00)
#5 0x7f980b026f9d in gsignal (/lib64/libc.so.6+0x19f9d) (BuildId: 515c33a35f41020661fea8ac4eb995e26ccd6b00)
#6 0x7f980b00e941 in abort (/lib64/libc.so.6+0x1941) (BuildId: 515c33a35f41020661fea8ac4eb995e26ccd6b00)
#7 0x55a6e616d985 in __abort_message abort_message.cpp
#8 0x55a6e61d3288 in demangling_terminate_handler() cxa_default_handlers.cpp
#9 0x55a6e61d3172 in std::__terminate(void (*)()) cxa_handlers.cpp
#10 0x55a6e61d1d98 in __cxa_rethrow (/home/brandonallard/data/.cache/bazel/_bazel_brandonallard/50acd7c106e570e66c6351a7103182f1/execroot/_main/bazel-out/k8-dbg/bin/src/v/bytes/tests/iobuf_fuzz+0x4d4d98) (BuildId: 4de8a27cc512a4a32db2efcd62d94228)
#11 0x55a6e616dd28 in LLVMFuzzerTestOneInput src/v/bytes/tests/iobuf_fuzz.cc:724:9
#12 0x55a6e600b5db in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
#13 0x55a6e600ac05 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
#14 0x55a6e600c935 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:765:19
#15 0x55a6e600d595 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:910:5
#16 0x55a6e5ffaff5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:915:6
#17 0x55a6e6027bb2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#18 0x7f980b010247 in __libc_start_call_main (/lib64/libc.so.6+0x3247) (BuildId: 515c33a35f41020661fea8ac4eb995e26ccd6b00)
#19 0x7f980b01030a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x330a) (BuildId: 515c33a35f41020661fea8ac4eb995e26ccd6b00)
#20 0x55a6e5fed704 in _start (/home/brandonallard/data/.cache/bazel/_bazel_brandonallard/50acd7c106e570e66c6351a7103182f1/execroot/_main/bazel-out/k8-dbg/bin/src/v/bytes/tests/iobuf_fuzz+0x2f0704) (BuildId: 4de8a27cc512a4a32db2efcd62d94228)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 4 CopyPart-ChangeBit-CMP-CMP- DE: "\000\000\000\000\000\000\000\000"-"\377\377\377\377\377\377\377\377\377\377?\377\377\377\377\377\377\377\377\377\377\377\012\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\000\000\000\000\000\000\000\011\377\377\
377\377\377\377\377\377\377"-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0x4a,0xa,0x0,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x3f,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xa,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x9,0xff,0xff,0xf
f,0xff,0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x0,
J\012\000\000\000\377\377\377\377\377\377\377\377\377\377?\377\377\377\377\377\377\377\377\377\377\377\012\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\000\000\000\000\000\000\000\011\377\377\377\377\377\377\377\377\377\000\000\000\000\000
artifact_prefix='./'; Test unit written to ./crash-b93c506ce3bec14322fc8cabc8898af768226160
Base64: SgoAAAD/////////////P///////////////Cv///////////////////////////////wAAAAAAAAAJ////////////AAAAAAA=
================================================================================
```
(cherry picked from commit 56343d6)
This commit increases the max input length from 8KiB to 1MiB and decreases the time the fuzzer takes to reach the max input length. This allows for larger iobufs with more diverse fragment sizes to be fuzz tested. It also made some known issues in the `<=>` operator occur more frequently. (cherry picked from commit 1197136)
(cherry picked from commit ff3e2e6)
(cherry picked from commit 2de0aaa)
Backport of PR #29200
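
The property the new fuzz test enforces, `(buf <=> o_buf) == (ref <=> o_ref)`, shown on a small stand-in as an added example; this is not code from the PR or from Redpanda. `frag`, `frag_buf`, `compare`, `flatten`, `split` and `agrees` are hypothetical names, and the use of `memcmp` with a zero-length guard is an assumed way to avoid the null-pointer report quoted above, not the project's fix.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical stand-in for a fragmented buffer (not Redpanda's iobuf).
// An empty fragment carries a null pointer, the case UBSan flagged above.
struct frag { const char* p; std::size_t n; };
using frag_buf = std::vector<frag>;

static int sign(int v) { return (v > 0) - (v < 0); }

// Three-way compare across fragment boundaries. memcmp is only reached with
// n > 0, so the null pointer of an empty fragment is never passed to it.
int compare(const frag_buf& a, const frag_buf& b) {
    std::size_t ai = 0, bi = 0, ao = 0, bo = 0;
    for (;;) {
        while (ai < a.size() && ao == a[ai].n) { ++ai; ao = 0; } // skip drained/empty
        while (bi < b.size() && bo == b[bi].n) { ++bi; bo = 0; }
        const bool a_end = ai == a.size(), b_end = bi == b.size();
        if (a_end || b_end) return a_end && b_end ? 0 : (a_end ? -1 : 1);
        const std::size_t n = std::min(a[ai].n - ao, b[bi].n - bo);
        const int r = std::memcmp(a[ai].p + ao, b[bi].p + bo, n);
        if (r != 0) return sign(r);
        ao += n; bo += n;
    }
}

// Reference model: flatten into one contiguous std::string.
std::string flatten(const frag_buf& f) {
    std::string s;
    for (const frag& x : f) if (x.n) s.append(x.p, x.n);
    return s;
}

// Split s into fragments of at most `step` bytes (step > 0), surrounding each
// with empty null fragments. The result points into s, which must outlive it.
frag_buf split(const std::string& s, std::size_t step) {
    frag_buf out;
    for (std::size_t i = 0; i < s.size(); i += step) {
        out.push_back({nullptr, 0});
        out.push_back({s.data() + i, std::min(step, s.size() - i)});
    }
    out.push_back({nullptr, 0});
    return out;
}

// Differential property: the fragmented result must match the reference.
bool agrees(const frag_buf& a, const frag_buf& b) {
    return compare(a, b) == sign(flatten(a).compare(flatten(b)));
}
```

A fuzz driver would derive the bytes and the `step` values from the fuzzer input and abort whenever `agrees` returns false.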