Fix bug in triaging stack func

[ghost]

This PR fixes the bug in using heuristic methods to determine whether the fuzz driver has a problem. This sub-rule was originally intended to traverse each stack frame in the first crash stack until it finds a stack frame containing the "LLVMFuzzerTestOneInput" function, and other stack frames before this stack frame do not contain functions of testing proj. For the task of determining whether the function in the stack frame belongs to testing proj (i.e. function "_stack_func_is_of_testing_project"), we originally planned to let LLM make the judgment. Since adding this part of logic to the original framework makes the code redundant and complicated, we will implement this logic in the agent framework. The agent code will be submitted in the next few days.

[DavidKorczynski]

At this point the check will be triggered if LLVMFuzzerTestOneInput is in any of the frames, which I assume is more or less every crash? (Exceptions include e.g. multi-threaded programs where the crash occurs in a child)

[ghost]

Thank you for your review.

You are right. “LLVMFuzzerTestOneInput” will appear in almost all crash stacks. However, this part of the code is to determine whether the function belonging to the project to be tested is executed after executing “LLVMFuszzerTestOneInput”.

Let me show you two examples,

SCARINESS: 10 (signal)
    #0 0x7fef987a100b in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #1 0x7fef98780858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #2 0x55c385f39bdf in ConsumeIntegralInRange<unsigned long> /usr/local/lib/clang/18/include/fuzzer/FuzzedDataProvider.h:209:5
    #3 0x55c385f39bdf in LLVMFuzzerTestOneInput /work/build/../../src/fribidi/bin/fribidi-fuzzer.cpp:15:34
    #4 0x55c385dee470 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #5 0x55c385def971 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:807:3
    #6 0x55c385deff57 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
    #7 0x55c385dde566 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #8 0x55c385e0aa92 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #9 0x7fef98782082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #10 0x55c385dcf6dd in _start (out/libfuzzer-address-x86_64/fribidi-fuzzer+0x436dd)

DEDUP_TOKEN: raise--abort--ConsumeIntegralInRange<unsigned long>
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e) in raise

In the crash stack above, the stack frame above "LLVMFuzzerTestOneInput" does not contain the function of the project under test, so it is considered to be a driver problem. As for the crash stack below, the stack frames above “LLVMFuzzerTestOneInput” contain the functions of the project to be tested, so the driver is not considered to have any problems for the time being.

SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
    #0 0x559a436a3456 in fribidi_get_bidi_types /work/build/../../src/fribidi/lib/fribidi-bidi-types.c:72:44
    #1 0x559a43699653 in fribidi_log2vis /work/build/../../src/fribidi/lib/fribidi.c:185:3
    #2 0x559a43697a3c in LLVMFuzzerTestOneInput /work/build/../../src/fribidi/bin/fribidi-fuzzer.cpp:29:3
    #3 0x559a4354c500 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #4 0x559a4354bd25 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #5 0x559a4354dcb2 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:829:7
    #6 0x559a4354dfe7 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
    #7 0x559a4353c5f6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #8 0x559a43568b22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #9 0x7f9b9f019082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #10 0x559a4352d76d in _start (out/libfuzzer-address-x86_64/fribidi-fuzzer+0x4476d)

DEDUP_TOKEN: fribidi_get_bidi_types--fribidi_log2vis--LLVMFuzzerTestOneInput
0x5020000000b1 is located 0 bytes after 1-byte region [0x5020000000b0,0x5020000000b1)
allocated by thread T0 here:
    #0 0x559a4365aa9e in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f9b9f44cb28 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xaab28) (BuildId: fcd5414020056f1d95855868e00f3a7d479630fd)
    #2 0x559a4369797a in ConsumeBytes<unsigned char> /usr/local/lib/clang/18/include/fuzzer/FuzzedDataProvider.h:361:18
    #3 0x559a4369797a in ConsumeBytes<unsigned char> /usr/local/lib/clang/18/include/fuzzer/FuzzedDataProvider.h:110:10
    #4 0x559a4369797a in LLVMFuzzerTestOneInput /work/build/../../src/fribidi/bin/fribidi-fuzzer.cpp:20:35
    #5 0x559a4354c500 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #6 0x559a4354bd25 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #7 0x559a4354dcb2 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:829:7
    #8 0x559a4354dfe7 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:867:3
    #9 0x559a4353c5f6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:914:6
    #10 0x559a43568b22 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7f9b9f019082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)

DEDUP_TOKEN: __interceptor_malloc--operator new(unsigned long)--ConsumeBytes<unsigned char>
SUMMARY: AddressSanitizer: heap-buffer-overflow /work/build/../../src/fribidi/lib/fribidi-bidi-types.c:72:44 in fribidi_get_bidi_types

[DavidKorczynski]

LGTM -- Thanks for the example!

[DavidKorczynski]

/gcbrun skip

[DonggeLiu]

Yep thanks.
Look forward to seeing you integrate this into agents.