| Minimize |
| ======== |
| |
| The `minimize.py` script minimizes a program generated by `dartfuzz.dart`. |
| |
| Minimization is done in two phases: |
| |
| 1. Minimize statements. |
| 2. Minimize expressions. |
| |
| |
| ### Example |
| |
| Generate a Dart program that triggers a bug: |
| |
| ``` |
| dart dartfuzz.dart --no-ffi --no-fp --seed 790976770 test.dart |
| ``` |
| |
| Examine the bug (sample crash shown below): |
| |
| ``` |
| dart --optimization_counter_threshold=1 test.dart |
| |
| ... |
| ===== CRASH ===== |
| si_signo=Segmentation fault(11), si_code=1, si_addr=(nil) |
| version=2.6.0-edge.de7ad46797d36a25e6d2800820f61f4af3bd1135 (Wed Sep 11 18:20:46 2019 +0000) on "linux_x64" |
| thread=183944, isolate=main(0x559bd215cc00) |
| ... |
| pc 0x0000559bd0e40a69 fp 0x00007f73d7a7de70 ../../../../sdk/out/ReleaseX64/dart+0x190ca69 |
| -- End of DumpStackTrace |
| ``` |
| |
| Pick a keyword that identifies the bug in the output, e.g. "Segmentation". |
| This will be the `--err` parameter. |
| Determine whether the bug is deterministic. |
| If it is not, set the `--tries` parameter so that this number of tries triggers |
| the error at least once with high probability. |
| |
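One way to pick `--tries` for a non-deterministic crash, as an added example that is not part of `minimize.py` or the dartfuzz project: sample the failing command, estimate how often the `--err` keyword appears, and compute the smallest number of tries that reaches a target confidence. The helper names, the 99% default and the simulated runner are assumptions, and the calculation assumes runs are independent.

```python
import math
import random
import subprocess

def run_once(cmd, timeout=60):
    """Run the failing command once; return stdout and stderr as one string."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True,
                           errors="replace", timeout=timeout)
        return p.stdout + p.stderr
    except subprocess.TimeoutExpired:
        return ""  # a hang does not count as the keyword appearing

def estimate_hit_rate(run, keyword, samples):
    """Fraction of `samples` calls to run() whose output contains `keyword`."""
    hits = sum(1 for _ in range(samples) if keyword in run())
    return hits / samples

def tries_needed(hit_rate, confidence=0.99):
    """Smallest n such that 1 - (1 - hit_rate)**n >= confidence."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    if hit_rate <= 0.0:
        raise ValueError("keyword never seen: sample more or pick another keyword")
    if hit_rate >= 1.0:
        return 1  # deterministic bug, one try is enough
    return max(1, math.ceil(math.log(1.0 - confidence) / math.log(1.0 - hit_rate)))

if __name__ == "__main__":
    # Constructed stand-in for a flaky crash (about 30% of runs) so the demo
    # works offline. For the real program, pass instead:
    #   lambda: run_once(["dart", "--optimization_counter_threshold=1", "test.dart"])
    rng = random.Random(0)
    fake = lambda: "Segmentation fault(11)" if rng.random() < 0.3 else "exit 0"
    rate = estimate_hit_rate(fake, "Segmentation", samples=200)
    print(f"observed hit rate {rate:.2f}, suggested --tries {tries_needed(rate)}")
```

Too low a `--tries` value makes a reduction that still crashes look like a non-reproducing one, so round the result up when the sample is small.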
| |
| Minimize statements of the generated program: |
| |
| #### Phase 1 |
| ``` |
| python3 minimize.py \ |
| --dartfuzz "dart dartfuzz.dart --no-ffi --no-fp --seed 790976770" \ |
| --dart "dart --optimization_counter_threshold=1" \ |
| --testfile mini.dart \ |
| --err Segmentation \ |
| --tries 4 \ |
| --threads 4 \ |
| --typ s \ |
| --verbose |
| |
| 3fffffffffffffffffffffffffffffffffffffffffffffffff |
| error |
| 7fffffffffffffffffffffffffffffffffffffffffffffffff |
| error |
| STOP |
| Best I could do is 198/198 |
| dart dartfuzz.dart --no-ffi --no-fp --seed 790976770 mini.dart --mini --smask 0x7fffffffffffffffffffffffffffffffffffffffffffffffff --emask 0 |
| ``` |
| |
| We were able to eliminate all of the statements. |
| Taking a look at `mini.dart`, we see that function parameters still remain. |
| These can be minimized in phase 2. |
| |
| Minimize expressions of the generated program: |
| |
| #### Phase 2 |
| ``` |
| python3 minimize.py \ |
| --dartfuzz "dart dartfuzz.dart --no-ffi --no-fp --seed 790976770" \ |
| --dart "dart --optimization_counter_threshold=1" \ |
| --testfile mini.dart \ |
| --err Segmentation \ |
| --tries 4 \ |
| --threads 4 \ |
| --typ e \ |
| --verbose \ |
| --smask 0x7fffffffffffffffffffffffffffffffffffffffffffffffff |
| .. |
| STOP |
| Best I could do is 4626/4628 |
| dart dartfuzz.dart --no-ffi --no-fp --seed 790976770 mini.dart --mini --smask 0x7fffffffffffffffffffffffffffffffffffffffffffffffff \ |
| --emask 0x1ff...ff2ff...fff |
| ``` |