Closed
Bug 329066
(lithium)
Opened 18 years ago
Closed 17 years ago
Lithium, a testcase reduction tool (delta debugger)
Categories
(Core Graveyard :: Tracking, enhancement)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: jruderman)
Details
(Keywords: meta, Whiteboard: [sg:nse meta])
Attachments
(1 file, 7 obsolete files)
19.13 KB, application/zip
I wrote a testcase reduction tool that I'm calling Lithium. I'm about to attach an alpha version to this bug.

I've already used it to reduce two Stir DOM assertions, bug 328944 and bug 328946. This alpha should also work with other line-based fuzzers such as Random Styles, Random JS, and CSSGen. A future version will work with other fuzzers whose output has more fragile structure (e.g. xangle, stirdom-during-mutation-events).

It's extensible to types of bugs other than assertions, hangs, and crashes. If you want to reduce a testcase that leaks, triggers valgrind warnings, makes Firefox stop painting, or even creates a different DOM in two versions of Firefox, you just have to create a program or script whose return value indicates whether the bug was triggered.

Bob Clary expressed concern that releasing this tool would make it easier for blackhats with fuzz-testing tools to create reliable exploits. Fuzz testing is certainly not unknown outside of the Mozilla security group (see e.g. bug 328937 comment 7 and bug 264944). On the other hand, releasing it would have some benefits: easier reductions for bug reporters and Gecko hackers outside of the security group (automated testcase reduction is useful even with non-fuzz testcases), and feedback on the tool itself.

I'm making Lithium live in this security-sensitive bug for now. Even if we released Lithium before we release our fuzzers, this bug would remain security-sensitive because it mentions our fuzzers.
Comment 1 • 18 years ago (Assignee)
Updated • 18 years ago
Assignee: nobody → jruderman
Whiteboard: [sg:nse]
Updated • 18 years ago (Assignee)
Alias: lithium
Comment 2 • 18 years ago (Assignee)
Now lets you choose whether to treat the testcase as consisting of characters, lines, or a tree of open-close pairs whose structure is guessed from indentation. I've used this to reduce bugs found with Stir DOM, Random JS, and Xangle. These have included assertions, leaks, and a crash. Other than the horrible UI, it works pretty well: it seems to reduce testcases a bit faster than I can by hand. (I usually reduce the testcase further by hand, but I'd have to do that anyway.)
Attachment #213730 - Attachment is obsolete: true
Comment 3 • 18 years ago (Assignee)
Much more user-friendly than the previous version. Example invocation: ./lithium L myhang.html firefox hangs 10
Attachment #214301 - Attachment is obsolete: true
Comment 4 • 18 years ago (Assignee)
Now works on Windows (in addition to Mac). Several minor bug fixes.
Attachment #215103 - Attachment is obsolete: true
Comment 5 • 18 years ago (Assignee)
* You can now put e.g. "-c 2" before the other arguments to make Lithium only do a single run through the file, with a given chunk size.
* Visual round summaries, e.g. "SS -S" means the first, second, and fourth chunks survived and the third chunk was removed. There are spaces between each pair of characters to indicate which chunks were grouped together in the previous round. If you see "--" in a round summary, that means something weird is happening.
Updated • 18 years ago (Assignee)
Attachment #215172 - Attachment is obsolete: true
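Added example (not Lithium's code and not part of the bug comments): a line-based chunk reducer that produces round summaries in the format Comment 5 describes, plus the single-run mode with a given chunk size. The halving schedule, the pairing rule in `summarize`, the function names and the sample testcase are assumptions made for illustration.

```python
# Constructed sample testcase: the "bug" needs both setup() and crash().
TESTCASE = ["<div>", "setup()", "<p>", "</p>", "<b>", "</b>", "crash()", "</div>"]


def triggers_bug(lines):
    """Stand-in for an interestingness test: True if the bug still reproduces."""
    return "setup()" in lines and "crash()" in lines


def summarize(marks):
    """Join per-chunk marks in pairs: ['S', 'S', '-', 'S'] -> 'SS -S'."""
    return " ".join("".join(marks[i:i + 2]) for i in range(0, len(marks), 2))


def one_round(lines, interesting, chunk_size):
    """Try to delete each chunk in turn; keep a deletion only if the bug survives."""
    kept, marks = [], []
    for pos in range(0, len(lines), chunk_size):
        rest = lines[pos + chunk_size:]
        if interesting(kept + rest):
            marks.append("-")                      # chunk removed
        else:
            kept.extend(lines[pos:pos + chunk_size])
            marks.append("S")                      # chunk survived
    return kept, summarize(marks)


def reduce_lines(lines, interesting, single_chunk_size=None):
    """Return (reduced_lines, round_summaries)."""
    if not interesting(lines):
        raise ValueError("unreduced testcase does not trigger the bug")
    if single_chunk_size:                          # one run through the file, like "-c 2"
        kept, summary = one_round(lines, interesting, single_chunk_size)
        return kept, [summary]
    chunk_size = 1
    while chunk_size * 2 < len(lines):             # start with the file split in two
        chunk_size *= 2
    summaries = []
    while True:
        lines, summary = one_round(lines, interesting, chunk_size)
        summaries.append(summary)
        if chunk_size == 1:                        # assumed stop rule: one pass at size 1
            return lines, summaries
        chunk_size //= 2                           # each surviving chunk becomes a pair
```

Because every survivor of one round is split in two for the next, each space-separated pair in a summary corresponds to one chunk that survived the previous round.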
Comment 6 • 18 years ago (Assignee)
The session restore feature in Firefox trunk nightlies can interfere with Lithium. To turn it off, use:
user_pref("browser.sessionstore.resume_from_crash", false);
Comment 7 • 18 years ago (Assignee)
Martijn says this doesn't work with mingw gcc -- it says something about not finding sys/wait.h. I don't know how to fix that in Lithium, so the workaround for now is to use cygwin gcc.
Comment 8 • 18 years ago (Assignee)
* Progress and summary information is now put in lith.log in addition to being output to the console. This is useful if you're running debug builds and their spew drowns out Lithium's information. Use tail -f lith.log if you want to keep an eye on lith.log, I guess.
* Made it write a file called most-reduced-testcase every time it successfully takes out a chunk. This usually happens more frequently than end-of-round, so it can be useful if you want to break in the middle of a round.
* Fixed a bug Martijn found: in C mode, Lithium can remove the line break just before e.g. "<!-- DDEND -->", causing a subsequent run of Lithium to think some more stuff is part of the DDEND line. (The fix was a bit of a hack: always add an extra line break when in C mode.)
Attachment #219720 - Attachment is obsolete: true
Comment 9 • 17 years ago (Assignee)
msg@matasano.com, you might find this useful for reducing some of your fuzz testcases, such as the one in bug 377741.
Comment 10 • 17 years ago (Assignee)
* Rewritten in Python.
* New command-line structure.
* More options for tweaking the algorithm and for using different algorithms (e.g. "try to remove a pair of lines from the file").
* No more "guessing tree structure based on indentation".
Attachment #227487 - Attachment is obsolete: true
Comment 11 • 17 years ago (Assignee)
This version has improved documentation.
Attachment #280404 - Attachment is obsolete: true
Comment 12 • 17 years ago (Assignee)
Colin suggested changing the 'interestingness tests' API to be less of a hack. Currently, an 'interestingness test' is a program that takes command-line arguments and uses return codes. Maybe they should be Python files instead. (I'm guessing Lithium would use __import__ or execfile to load a file that would supply a function or a class with a method.)
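Added example (not Lithium's code and not part of the bug comments): the two interestingness-test shapes Comment 12 contrasts, a program judged by its return code and a Python file that supplies a function. The names `program_test`, `module_test` and `interesting`, the "exit status 0 means the bug was triggered" convention, and the sample files are assumptions; `importlib` stands in for the `__import__`/`execfile` loading the comment guesses at.

```python
import importlib.util
import os
import subprocess
import sys
import tempfile

# Constructed test file, usable as a program (exit status) or a module (function).
TEST_SOURCE = '''import sys
def interesting(path):
    with open(path) as f:
        return "crash()" in f.read()
if __name__ == "__main__":
    sys.exit(0 if interesting(sys.argv[1]) else 1)
'''


def program_test(argv, timeout=10):
    """Program shape: exit status 0 is assumed to mean 'bug triggered'."""
    def interesting(path):
        try:
            # A separate process keeps a crash or hang in the test out of the reducer.
            return subprocess.run(argv + [path], timeout=timeout).returncode == 0
        except subprocess.TimeoutExpired:
            return False
    return interesting


def module_test(py_file, func="interesting"):
    """Python-file shape: load the file and return the function it supplies."""
    spec = importlib.util.spec_from_file_location("interestingness_test", py_file)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)    # runs the file's top-level code in-process
    return getattr(module, func)


def demo():
    """Run both shapes over two constructed testcases; returns (program, module) pairs."""
    with tempfile.TemporaryDirectory() as d:
        test_py = os.path.join(d, "crashes.py")
        with open(test_py, "w") as f:
            f.write(TEST_SOURCE)
        results = []
        for name, body in (("bad.html", "<b>\ncrash()\n"), ("ok.html", "<b>\n")):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write(body)
            results.append((program_test([sys.executable, test_py])(path),
                            module_test(test_py)(path)))
        return results
```

The program shape costs a process launch per attempt but bounds each attempt with a timeout; the Python-file shape avoids the launch and runs the test file with the reducer's own privileges.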
Comment 13 • 17 years ago (Assignee)
http://www.squarefree.com/2007/09/15/introducing-lithium-a-testcase-reduction-tool/
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 17 years ago
Comment 14 • 10 years ago
Jesse: can we unhide this bug? Lithium is long public, and people know we fuzz test so the mere names of our fuzzers shouldn't be sensitive.
Flags: needinfo?(jruderman)
Updated • 9 years ago (Assignee)
Group: core-security
Updated • 9 years ago (Assignee)
Flags: needinfo?(jruderman)
Updated • 8 years ago
Product: Core → Core Graveyard