Minimize
========
The `minimize.py` script minimizes a program generated by `dartfuzz.dart`.
Minimization is done in two phases:
1. Minimize statements.
2. Minimize expressions.
### Example
Generate a Dart program that triggers a bug:
```
dart dartfuzz.dart --no-ffi --no-fp --seed 790976770 test.dart
```
Examine the bug (sample crash shown below):
```
dart --optimization_counter_threshold=1 test.dart
...
===== CRASH =====
si_signo=Segmentation fault(11), si_code=1, si_addr=(nil)
version=2.6.0-edge.de7ad46797d36a25e6d2800820f61f4af3bd1135 (Wed Sep 11 18:20:46 2019 +0000) on "linux_x64"
thread=183944, isolate=main(0x559bd215cc00)
...
pc 0x0000559bd0e40a69 fp 0x00007f73d7a7de70 ../../../../sdk/out/ReleaseX64/dart+0x190ca69
-- End of DumpStackTrace
```
Pick a keyword identifying the bug in the output, e.g. "Segmentation".
This will be the `--err` parameter.
Determine whether the bug is deterministic.
If it is not, set the `--tries` parameter to a number of runs large enough that
at least one of them triggers the error with high probability.
#### Phase 1
Minimize statements of the generated program:
```
python3 minimize.py \
--dartfuzz "dart dartfuzz.dart --no-ffi --no-fp --seed 790976770" \
--dart "dart --optimization_counter_threshold=1" \
--testfile mini.dart \
--err Segmentation \
--tries 4 \
--threads 4 \
--typ s \
--verbose
3fffffffffffffffffffffffffffffffffffffffffffffffff
error
7fffffffffffffffffffffffffffffffffffffffffffffffff
error
STOP
Best I could do is 198/198
dart dartfuzz.dart --no-ffi --no-fp --seed 790976770 mini.dart --mini --smask 0x7fffffffffffffffffffffffffffffffffffffffffffffffff --emask 0
```
We were able to eliminate all of the statements.
Looking at `mini.dart`, we see that function parameters still remain.
These can be minimized in phase 2.
#### Phase 2
Minimize expressions of the generated program:
```
python3 minimize.py \
--dartfuzz "dart dartfuzz.dart --no-ffi --no-fp --seed 790976770" \
--dart "dart --optimization_counter_threshold=1" \
--testfile mini.dart \
--err Segmentation \
--tries 4 \
--threads 4 \
--typ e \
--verbose \
--smask 0x7fffffffffffffffffffffffffffffffffffffffffffffffff
..
STOP
Best I could do is 4626/4628
dart dartfuzz.dart --no-ffi --no-fp --seed 790976770 mini.dart --mini --smask 0x7fffffffffffffffffffffffffffffffffffffffffffffffff \
--emask 0x1ff...ff2ff...fff
```
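The two phases above both boil down to the same loop: a mask with one bit per statement (phase 1) or per expression (phase 2) is passed back to `dartfuzz.dart`, the resulting program is run, and a candidate mask is kept only if the `--err` keyword still appears in the output within `--tries` runs. The following Python is an added illustration of that loop and of how to size `--tries` for a flaky bug; it is not the `minimize.py` from the Dart SDK. It assumes that a set mask bit means "remove this item" (the real encoding is defined by `dartfuzz.dart`) and replaces the `dartfuzz`/`dart` invocations with a constructed oracle whose crash needs statements 2 and 5 to be present and reproduces only 60% of the time.

```python
"""Mask-driven minimization with a nondeterministic bug oracle.

Added example, not the minimize.py from the Dart SDK. Assumptions:
  * each statement (phase 1) or expression (phase 2) maps to one mask bit,
    and a set bit means "remove this item" (assumed encoding);
  * a run yields text output, and the bug counts as reproduced when the
    --err keyword occurs in that text in at least one of --tries runs.
"""
import math
import random
from typing import Callable

# Constructed output resembling the crash banner in the README above.
CRASH_TEXT = "===== CRASH =====\nsi_signo=Segmentation fault(11), si_code=1\n"
CLEAN_TEXT = "ok\n"


def tries_needed(p_trigger: float, confidence: float = 0.99) -> int:
    """Smallest n with 1 - (1 - p)^n >= confidence: the --tries value that
    sees a bug reproducing with per-run probability p at least once with
    the requested confidence. A deterministic bug (p == 1) needs one try."""
    if not 0 < p_trigger <= 1:
        raise ValueError("p_trigger must be in (0, 1]")
    if p_trigger == 1.0:
        return 1
    return max(1, math.ceil(math.log(1 - confidence) / math.log(1 - p_trigger)))


def reproduces(run: Callable[[int], str], mask: int, err: str, tries: int) -> bool:
    """True if any of `tries` runs with this mask prints the --err keyword."""
    return any(err in run(mask) for _ in range(tries))


def minimize_mask(run: Callable[[int], str], nbits: int, err: str, tries: int) -> int:
    """Greedy chunked search: try removing blocks of items, halving the block
    size each pass, and keep every removal after which the bug still shows.
    A false negative from a flaky oracle only costs minimality, never
    correctness, because a kept item is never required to be removed."""
    mask = 0                       # nothing removed yet
    chunk = nbits
    while chunk >= 1:
        lo = 0
        while lo < nbits:
            hi = min(lo + chunk, nbits)
            block = ((1 << hi) - 1) ^ ((1 << lo) - 1)   # bits lo .. hi-1
            candidate = mask | block
            if candidate != mask and reproduces(run, candidate, err, tries):
                mask = candidate
            lo = hi
        chunk //= 2
    return mask


def removed_count(mask: int) -> int:
    """Number of items removed, i.e. the 'N' in 'Best I could do is N/total'."""
    return bin(mask).count("1")


def make_oracle(required: int, p_trigger: float, seed: int = 0) -> Callable[[int], str]:
    """Constructed stand-in for `dartfuzz ... --mini --smask MASK` followed by
    `dart ...`: the crash needs every statement in `required` to be present
    (its bit clear) and then appears with probability p_trigger per run."""
    rng = random.Random(seed)

    def run(mask: int) -> str:
        if mask & required:
            return CLEAN_TEXT
        return CRASH_TEXT if rng.random() < p_trigger else CLEAN_TEXT
    return run


if __name__ == "__main__":
    nbits = 8
    required = (1 << 2) | (1 << 5)      # statements 2 and 5 cause the crash
    p = 0.6                             # flaky: reproduces 60% of the time
    tries = tries_needed(p, 0.999)
    best = minimize_mask(make_oracle(required, p), nbits, "Segmentation", tries)
    print(f"--tries {tries}")
    print(f"Best I could do is {removed_count(best)}/{nbits} --smask {best:#x}")
```

With a deterministic oracle the search removes all six irrelevant statements and reports `6/8`; with the 60% oracle it may stop short of that, which is the same effect `--tries` set too low has on the real script: the result is still a valid reproducer, just not the smallest one.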