Closed Bug 1499041 Opened 6 years ago Closed 5 years ago

Investigate use of libfuzzer flags in ipc/chromium/chromium-config.mozbuild

Categories

(Core :: Fuzzing, enhancement)

x86_64
Linux
enhancement
Not set
normal


RESOLVED FIXED
mozilla70
Tracking Status
firefox64 --- wontfix
firefox70 --- fixed

People

(Reporter: decoder, Assigned: decoder)


Attachments

(1 file)

Currently, ipc/chromium/chromium-config.mozbuild includes the libfuzzer flags. This change was initially added for IPC fuzzing, but after discussion with Alex, it might be possible that we don't need the flags to be in there for generated code and we can add them manually to non-generated directories that we actually test.

Removing these flags from that file would be highly desirable because it is included in a lot of noisy internal code places, in particular places that run a lot of off-thread code. This makes libFuzzer coverage less deterministic and causes a lot of noise in fuzzing.


Initial needinfo for Alex so he can figure out if he needs these flags for IPC fuzzing and what changes would be required to remove them.
Flags: needinfo?(agaynor)
I did some review, and I think it can safely be removed.

I believe the place that handles the generated IPC code is |ipc/ipdl/moz.build| (I'm not positive, but I'm as sure as I'm going to get without doing a few experimental full rebuilds, heh).

I went through all the places that include that to see where we'd want to add an explicit libFuzzer include. Here are the ones I found:

- accessible/ipc/other/moz.build
- dom/payments/ipc/moz.build
- dom/file/ipc/moz.build
- dom/plugins/ipc/moz.build
- dom/media/ipc/moz.build
Flags: needinfo?(agaynor)

I'm going to move this forward now and craft a patch for removing the libFuzzer instrumentation from ipc/chromium/ altogether because it is super noisy and non-deterministic. As mentioned in comment 1, generated IPC code should be instrumented because ipc/ipdl/moz.build has the flags; I am also adding them to the other files mentioned in comment 1.

Christoph, are there any files in ipc/chromium/src/ itself that really need instrumentation or is instrumentation in the generated source files enough for IPC fuzzing?

Flags: needinfo?(cdiehl)
Assignee: nobody → choller

Doubt it; ipc/chromium/src contains only the lower-level building stones for the IPC architecture. Faulty is hooked up there at some points but wouldn't need coverage / instrumentation for it at that level.

  • ipc/chromium/src/base/pickle.cc
  • ipc/chromium/src/chrome/common/ipc_channel_posix.cc
  • ipc/chromium/src/chrome/common/ipc_channel_win.cc
Flags: needinfo?(cdiehl)

Thanks! In case it turns out that we need to instrument specific files, that is also possible. Just let me know when this is the case.

Pushed by choller@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9f24d0c0dce2
Remove libFuzzer flags from ipc/chromium/. r=froydnj
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
