The `minimize.py` script minimizes a program generated by `dartfuzz.dart`.

Minimization is done in two phases (statements first, then expressions):
Generate a dart program that triggers a bug:

```sh
dart dartfuzz.dart --no-ffi --no-fp --seed 790976770 test.dart
```

Examine the bug (sample crash shown below):

```
dart --optimization_counter_threshold=1 test.dart
...
===== CRASH =====
si_signo=Segmentation fault(11), si_code=1, si_addr=(nil)
version=2.6.0-edge.de7ad46797d36a25e6d2800820f61f4af3bd1135 (Wed Sep 11 18:20:46 2019 +0000) on "linux_x64"
thread=183944, isolate=main(0x559bd215cc00)
...
pc 0x0000559bd0e40a69 fp 0x00007f73d7a7de70 ../../../../sdk/out/ReleaseX64/dart+0x190ca69
-- End of DumpStackTrace
```
Pick a keyword that identifies the bug in the output, e.g. “Segmentation”; this becomes the `--err` parameter. Determine whether the bug is deterministic. If it is not, set the `--tries` parameter so that the number of tries triggers the error at least once with high probability.
Minimize statements of the generated program:

```sh
python3 minimize.py \
  --dartfuzz "dart dartfuzz.dart --no-ffi --no-fp --seed 790976770" \
  --dart "dart --optimization_counter_threshold=1" \
  --testfile mini.dart \
  --err Segmentation \
  --tries 4 \
  --threads 4 \
  --typ s \
  --verbose
3fffffffffffffffffffffffffffffffffffffffffffffffff error
7fffffffffffffffffffffffffffffffffffffffffffffffff error
STOP
Best I could do is 198/198
dart dartfuzz.dart --no-ffi --no-fp --seed 790976770 mini.dart --mini --smask 0x7fffffffffffffffffffffffffffffffffffffffffffffffff --emask 0
```
We were able to eliminate all of the statements. Taking a look at `mini.dart`
we see that function parameters still remain. These can be minimized in phase 2.
Minimize expressions of the generated program:

```sh
python3 minimize.py \
  --dartfuzz "dart dartfuzz.dart --no-ffi --no-fp --seed 790976770" \
  --dart "dart --optimization_counter_threshold=1" \
  --testfile mini.dart \
  --err Segmentation \
  --tries 4 \
  --threads 4 \
  --typ e \
  --verbose \
  --smask 0x7fffffffffffffffffffffffffffffffffffffffffffffffff
..
STOP
Best I could do is 4626/4628
dart dartfuzz.dart --no-ffi --no-fp --seed 790976770 mini.dart --mini --smask 0x7fffffffffffffffffffffffffffffffffffffffffffffffff \
  --emask 0x1ff...ff2ff...fff
```
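The mask-driven reduction loop and the `--tries` check behind the two phases above, as an added Python example that is not `minimize.py`'s own code. The chunked search order, the hex `--smask` argument format and the flaky stand-in runner are assumptions made for illustration; a real runner would invoke the dart command and return its combined stdout and stderr.

```python
from typing import Callable, List

def reproduces(cmd: List[str], err: str, tries: int,
               run: Callable[[List[str]], str]) -> bool:
    """Run cmd up to `tries` times; True if the --err keyword (e.g. "Segmentation")
    shows up at least once, which is why --tries must be raised for flaky bugs."""
    return any(err in run(cmd) for _ in range(tries))

def minimize_mask(n: int, still_fails: Callable[[int], bool]) -> int:
    """Reduce n items (statements for --typ s, expressions for --typ e) to a mask
    in which bit i set means item i is dropped. Drops are tried in aligned chunks of
    halving size and kept only while the crash still reproduces (assumed search order)."""
    mask, size = 0, n
    while size >= 1:
        for start in range(0, n, size):
            chunk = ((1 << min(size, n - start)) - 1) << start
            if chunk & ~mask == 0:
                continue  # everything in this chunk is already dropped
            if still_fails(mask | chunk):
                mask |= chunk
        size //= 2
    return mask

def dropped(mask: int) -> int:
    """Items eliminated, i.e. the k in the script's 'Best I could do is k/n'."""
    return bin(mask).count("1")

# Constructed stand-in for "dart dartfuzz.dart ... mini.dart --mini --smask <mask>": the
# crash needs items 3 and 13 (of 16) to stay and surfaces only on every second run.
NEEDED, N_ITEMS = {3, 13}, 16

def make_flaky_runner() -> Callable[[List[str]], str]:
    calls = [0]
    def run(cmd: List[str]) -> str:
        calls[0] += 1
        mask = int(cmd[-1], 16)
        crashes = not any(mask & (1 << i) for i in NEEDED)
        if crashes and calls[0] % 2 == 0:
            return "===== CRASH =====\nsi_signo=Segmentation fault(11), si_code=1"
        return "ok"
    return run

def reduce_with_tries(tries: int) -> int:
    """Run the statement phase against the stand-in with a given --tries value."""
    run = make_flaky_runner()
    def still_fails(mask: int) -> bool:  # hypothetical command line, hex mask assumed
        return reproduces(["dart", "dartfuzz.dart", "--mini", "--smask", hex(mask)],
                          "Segmentation", tries, run)
    return minimize_mask(N_ITEMS, still_fails)
```

With `--tries 1` the stand-in misses half of the reproductions and the reducer keeps items it could have dropped; with `--tries 2` every required item is removed and only items 3 and 13 survive.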