Dr. Memory's fuzz testing Windows with .exe
563 views
Skip to first unread message
Mateusz Łoskot
May 10, 2017, 4:17:22 AM5/10/17
to Dr. Memory Users
Hi,
I'm trying out Dr. Memory's fuzz testing capabilities on Windows 10
using the latest Dr. Memory 1.11.0 and Visual Studio 2017.
I'm following the Fuzz Testing Mode [1] docs
with minimal fuzz testing sample based on [2]
with DrMemFuzzFunc function, code pasted below.
I'm not quite getting the idea of using .exe module with -fuzz_module
and pointing to a fuzz function with -fuzz_function parameter.
Basically, I've been unable to make Dr. Memory call my DrMemFuzzFunc.
I've tried number of ways to run "c:\Program Files (x86)\Dr. Memory\bin\drmemory.exe":
-fuzz_module DrFuzzTest.exe -fuzz_function DrMemFuzzFunc
-fuzz_target "<main>!DrMemFuzzFunc|2|0|1|100" -- DrFuzzTest.exe
also including varous calling conventions.
I also tried to inspect .exe with symquery.exe --searchall
and search for my DrMemFuzzFunc,
but nothing is being found. So, I can't figure out what offset should
I used to try -fuzz_offset insted of -fuzz_function.
Could anyone point out what am I missing, what doing wrong?
I expect that hooking an exported function, eg. from .lib/.dll
will work, obviously, but how that is supposed to work with .exe?
Other Dr. Memory/Fuzz usage examples [3] I found seem to be focused on Linux,
not Windows. Obviously, module exports work differently with Linux binaries.
Is it necessary to __declspec(dllexport) the DrMemFuzzFunc?
[1] http://drmemory.org/docs/page_fuzzer.html
[2] https://github.com/google/fuzzer-test-suite/blob/master/tutorial/fuzz_me.cc
[3] https://www.chromium.org/developers/testing/dr-fuzz
/*** sample ******************************/
/* Built in Debug, w/o optimisation */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
bool FuzzMe(const uint8_t *Data, size_t DataSize)
{
return DataSize >= 3 &&
Data[0] == 'F' &&
Data[1] == 'U' &&
Data[2] == 'Z' &&
Data[3] == 'Z'; // :‑<
}
extern "C" int DrMemFuzzFunc(const uint8_t *Data, size_t Size)
{
FuzzMe(Data, Size);
return 0;
}
int main()
{
return 0;
}
/*** end of sample ******************************/
Best regards,
--
Mateusz Loskot, http://mateusz.loskot.net
I'm trying out Dr. Memory's fuzz testing capabilities on Windows 10
using the latest Dr. Memory 1.11.0 and Visual Studio 2017.
I'm following the Fuzz Testing Mode [1] docs
with minimal fuzz testing sample based on [2]
with DrMemFuzzFunc function, code pasted below.
I'm not quite getting the idea of using .exe module with -fuzz_module
and pointing to a fuzz function with -fuzz_function parameter.
Basically, I've been unable to make Dr. Memory call my DrMemFuzzFunc.
I've tried number of ways to run "c:\Program Files (x86)\Dr. Memory\bin\drmemory.exe":
-fuzz_module DrFuzzTest.exe -fuzz_function DrMemFuzzFunc
-fuzz_target "<main>!DrMemFuzzFunc|2|0|1|100" -- DrFuzzTest.exe
also including varous calling conventions.
I also tried to inspect .exe with symquery.exe --searchall
and search for my DrMemFuzzFunc,
but nothing is being found. So, I can't figure out what offset should
I used to try -fuzz_offset insted of -fuzz_function.
Could anyone point out what am I missing, what doing wrong?
I expect that hooking an exported function, eg. from .lib/.dll
will work, obviously, but how that is supposed to work with .exe?
Other Dr. Memory/Fuzz usage examples [3] I found seem to be focused on Linux,
not Windows. Obviously, module exports work differently with Linux binaries.
Is it necessary to __declspec(dllexport) the DrMemFuzzFunc?
[1] http://drmemory.org/docs/page_fuzzer.html
[2] https://github.com/google/fuzzer-test-suite/blob/master/tutorial/fuzz_me.cc
[3] https://www.chromium.org/developers/testing/dr-fuzz
/*** sample ******************************/
/* Built in Debug, w/o optimisation */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
bool FuzzMe(const uint8_t *Data, size_t DataSize)
{
return DataSize >= 3 &&
Data[0] == 'F' &&
Data[1] == 'U' &&
Data[2] == 'Z' &&
Data[3] == 'Z'; // :‑<
}
extern "C" int DrMemFuzzFunc(const uint8_t *Data, size_t Size)
{
FuzzMe(Data, Size);
return 0;
}
int main()
{
return 0;
}
/*** end of sample ******************************/
Best regards,
--
Mateusz Loskot, http://mateusz.loskot.net
Qin Zhao
May 10, 2017, 7:15:11 AM5/10/17
to drmemor...@googlegroups.com
On Wed, May 10, 2017 at 4:17 AM, Mateusz Łoskot <mat...@loskot.net> wrote:
Hi,
I'm trying out Dr. Memory's fuzz testing capabilities on Windows 10
using the latest Dr. Memory 1.11.0 and Visual Studio 2017.
I'm following the Fuzz Testing Mode [1] docs
with minimal fuzz testing sample based on [2]
with DrMemFuzzFunc function, code pasted below.
I'm not quite getting the idea of using .exe module with -fuzz_module
and pointing to a fuzz function with -fuzz_function parameter.
Basically, I've been unable to make Dr. Memory call my DrMemFuzzFunc.
I've tried number of ways to run "c:\Program Files (x86)\Dr. Memory\bin\drmemory.exe":
-fuzz_module DrFuzzTest.exe -fuzz_function DrMemFuzzFunc
-fuzz_target "<main>!DrMemFuzzFunc|2|0|1|100" -- DrFuzzTest.exe
Xref [1], you do not need use -fuzz_function and -fuzz_target at the same time.
Only -fuzz_function si good enough, or even just -fuzz.
also including varous calling conventions.
I also tried to inspect .exe with symquery.exe --searchall
and search for my DrMemFuzzFunc,
but nothing is being found. So, I can't figure out what offset should
I used to try -fuzz_offset insted of -fuzz_function.
Are you sure the function is not optimized away by the compiler, since that function is not called anywhere.
Could anyone point out what am I missing, what doing wrong?
You should let your code to call the DrMemFuzzFunc somewhere, once DrMemory see the function being called, it will be fuzzed there.
I expect that hooking an exported function, eg. from .lib/.dll
will work, obviously, but how that is supposed to work with .exe?
There is not much difference between .dll and .exe.
Other Dr. Memory/Fuzz usage examples [3] I found seem to be focused on Linux,
not Windows. Obviously, module exports work differently with Linux binaries.
Is it necessary to __declspec(dllexport) the DrMemFuzzFunc?
Yes, we need the find the function in the binary. Or you could specify the address instead.
[1] http://drmemory.org/docs/page_fuzzer.html
[2] https://github.com/google/fuzzer-test-suite/blob/master/tutorial/fuzz_me.cc
[3] https://www.chromium.org/developers/testing/dr-fuzz
/*** sample ******************************/
/* Built in Debug, w/o optimisation */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
bool FuzzMe(const uint8_t *Data, size_t DataSize)
{
return DataSize >= 3 &&
Data[0] == 'F' &&
Data[1] == 'U' &&
Data[2] == 'Z' &&
Data[3] == 'Z'; // :‑<
}
extern "C" int DrMemFuzzFunc(const uint8_t *Data, size_t Size)
{
FuzzMe(Data, Size);
return 0;
}
int main()
{
Did you miss DrMemFuzzFunc(data, 4) or something here?
DrFuzz can only fuzz the function being called somewhere in the app. Otherwise, it has no idea the proper place to fuzz the function.
Same thing as [2].
return 0;
}
/*** end of sample ******************************/
Best regards,
--
Mateusz Loskot, http://mateusz.loskot.net
--
---
You received this message because you are subscribed to the Google Groups "Dr. Memory Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to drmemory-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Mateusz Loskot
May 10, 2017, 10:47:50 AM5/10/17
to drmemor...@googlegroups.com
On 10 May 2017 at 13:15, 'Qin Zhao' via Dr. Memory Users
The two lines above indicate two separate command lines I used to run
drmemory.exe.
Sorry for confusion.
>> I also tried to inspect .exe with symquery.exe --searchall
>> and search for my DrMemFuzzFunc,
>> but nothing is being found. So, I can't figure out what offset should
>> I used to try -fuzz_offset insted of -fuzz_function.
>
>
> Are you sure the function is not optimized away by the compiler, since that
> function is not called anywhere.
>> Could anyone point out what am I missing, what doing wrong?
>
>
> You should let your code to call the DrMemFuzzFunc somewhere, once DrMemory
> see the function being called, it will be fuzzed there.
Right, even if I build non-optimised configuration, I have modified
my sample according to your suggestion.
/***************************************************************/
#include <stddef.h>
#include <stdio.h>
bool FuzzMe(unsigned char *data, size_t dataSize)
{
return dataSize > 0 &&
data[0] == 'F' &&
data[1] == 'U' &&
data[2] == 'Z' &&
data[3] == 'Z'; // :‑<
}
extern "C"
void DrMemFuzzFunc(unsigned char *data, size_t dataSize)
{
FuzzMe(data, dataSize);
}
int main()
{
unsigned char data[] = "FUZZ";
DrMemFuzzFunc(data, 3);
return 0;
}
/***************************************************************/
Unfortunately, I'm still getting "NO ERRORS FOUND" report.
Also, symquery does not find any functions like DrMemFuzzFunc
=============================================================
cl.exe /Zi /W4 /Ob0 /Oy- /EHsc /MDd /D"_DEBUG" DrFuzzTest.cpp
Microsoft (R) C/C++ Optimizing Compiler Version 19.10.25019 for x86
.\DrFuzzTest.exe
"c:\Program Files (x86)\Dr. Memory\bin\drmemory.exe" -fuzz
-fuzz_module DrFuzzTest.exe -fuzz_function DrMemFuzzFunc
~~Dr.M~~ Dr. Memory version 1.11.0
~~Dr.M~~ Running "DrFuzzTest.exe -fuzz_function DrMemFuzzFunc"
~~Dr.M~~
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 0 unique, 0 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total GDI usage error(s)
~~Dr.M~~ 0 unique, 0 total handle leak(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ 6 potential error(s) (suspected false positives)
~~Dr.M~~ (details: C:\Users\mateuszl\AppData\Roaming\Dr.
Memory\DrMemory-DrFuzzTest.exe.19568.000\potential_errors.txt)
~~Dr.M~~ 17 unique, 29 total, 15438 byte(s) of
still-reachable allocation(s)
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details: C:\Users\mateuszl\AppData\Roaming\Dr.
Memory\DrMemory-DrFuzzTest.exe.19568.000\results.txt
=============================================================
>> Other Dr. Memory/Fuzz usage examples [3] I found seem to be focused on
>> Linux,
>> not Windows. Obviously, module exports work differently with Linux
>> binaries.
>> Is it necessary to __declspec(dllexport) the DrMemFuzzFunc?
>
>
> Yes, we need the find the function in the binary. Or you could specify the
> address instead.
So, does it mean __declspec(dllexport) is required for look-up by name?
For the updated sample above and CL.EXE command line specified above,
now symquery can find my DrMemFuzzFunc
"c:\Program Files (x86)\Dr. Memory\bin\symquery.exe" -e DrFuzzTest.exe
-v --searchall -s DrMemFuzzFunc
<debug info: type=PDB, has symbols, has line numbers>
DrMemFuzzFunc +0x1410-0x1425
DrMemFuzzFunc +0x1410-0x1410
and addr2line-like look-up seems working:
"c:\Program Files (x86)\Dr. Memory\bin\symquery.exe" -e DrFuzzTest.exe
-v -a 0x1410
<debug info: type=PDB, has symbols, has line numbers>
d:\workshop\drfuzztest\drfuzztest.cpp:19+0x0
However, -fuzz_offset also gives no errors like DrMemFuzzFunc would
have not been fuzzed at all
"c:\Program Files (x86)\Dr. Memory\bin\drmemory.exe" -fuzz
-fuzz_module DrFuzzTest.exe -fuzz_offset 0x1410
To summary:
- the sample program is fixed
- CL.exe command line is right (follows [1])
and seems I'm getting closer to successful run but still missing
something important.
May I ask for help?
[1] http://drmemory.org/docs/page_prep.html
<drmemor...@googlegroups.com> wrote:
> On Wed, May 10, 2017 at 4:17 AM, Mateusz Łoskot <mat...@loskot.net> wrote:
>>
>> Basically, I've been unable to make Dr. Memory call my DrMemFuzzFunc.
>> I've tried number of ways to run "c:\Program Files (x86)\Dr.
>> Memory\bin\drmemory.exe":
>>
>> -fuzz_module DrFuzzTest.exe -fuzz_function DrMemFuzzFunc
>> -fuzz_target "<main>!DrMemFuzzFunc|2|0|1|100" -- DrFuzzTest.exe
>
>
> Xref [1], you do not need use -fuzz_function and -fuzz_target at the same
> time.
Yes, that is clear to me.
> On Wed, May 10, 2017 at 4:17 AM, Mateusz Łoskot <mat...@loskot.net> wrote:
>>
>> Basically, I've been unable to make Dr. Memory call my DrMemFuzzFunc.
>> I've tried number of ways to run "c:\Program Files (x86)\Dr.
>> Memory\bin\drmemory.exe":
>>
>> -fuzz_module DrFuzzTest.exe -fuzz_function DrMemFuzzFunc
>> -fuzz_target "<main>!DrMemFuzzFunc|2|0|1|100" -- DrFuzzTest.exe
>
>
> Xref [1], you do not need use -fuzz_function and -fuzz_target at the same
> time.
The two lines above indicate two separate command lines I used to run
drmemory.exe.
Sorry for confusion.
>> I also tried to inspect .exe with symquery.exe --searchall
>> and search for my DrMemFuzzFunc,
>> but nothing is being found. So, I can't figure out what offset should
>> I used to try -fuzz_offset insted of -fuzz_function.
>
>
> Are you sure the function is not optimized away by the compiler, since that
> function is not called anywhere.
>> Could anyone point out what am I missing, what doing wrong?
>
>
> You should let your code to call the DrMemFuzzFunc somewhere, once DrMemory
> see the function being called, it will be fuzzed there.
my sample according to your suggestion.
/***************************************************************/
#include <stddef.h>
#include <stdio.h>
bool FuzzMe(unsigned char *data, size_t dataSize)
{
return dataSize > 0 &&
data[0] == 'F' &&
data[1] == 'U' &&
data[2] == 'Z' &&
data[3] == 'Z'; // :‑<
}
extern "C"
void DrMemFuzzFunc(unsigned char *data, size_t dataSize)
{
FuzzMe(data, dataSize);
}
int main()
{
unsigned char data[] = "FUZZ";
DrMemFuzzFunc(data, 3);
return 0;
}
/***************************************************************/
Unfortunately, I'm still getting "NO ERRORS FOUND" report.
Also, symquery does not find any functions like DrMemFuzzFunc
=============================================================
cl.exe /Zi /W4 /Ob0 /Oy- /EHsc /MDd /D"_DEBUG" DrFuzzTest.cpp
Microsoft (R) C/C++ Optimizing Compiler Version 19.10.25019 for x86
.\DrFuzzTest.exe
"c:\Program Files (x86)\Dr. Memory\bin\drmemory.exe" -fuzz
-fuzz_module DrFuzzTest.exe -fuzz_function DrMemFuzzFunc
~~Dr.M~~ Dr. Memory version 1.11.0
~~Dr.M~~ Running "DrFuzzTest.exe -fuzz_function DrMemFuzzFunc"
~~Dr.M~~
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 0 unique, 0 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total GDI usage error(s)
~~Dr.M~~ 0 unique, 0 total handle leak(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ 6 potential error(s) (suspected false positives)
~~Dr.M~~ (details: C:\Users\mateuszl\AppData\Roaming\Dr.
Memory\DrMemory-DrFuzzTest.exe.19568.000\potential_errors.txt)
~~Dr.M~~ 17 unique, 29 total, 15438 byte(s) of
still-reachable allocation(s)
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details: C:\Users\mateuszl\AppData\Roaming\Dr.
Memory\DrMemory-DrFuzzTest.exe.19568.000\results.txt
=============================================================
>> Other Dr. Memory/Fuzz usage examples [3] I found seem to be focused on
>> Linux,
>> not Windows. Obviously, module exports work differently with Linux
>> binaries.
>> Is it necessary to __declspec(dllexport) the DrMemFuzzFunc?
>
>
> Yes, we need the find the function in the binary. Or you could specify the
> address instead.
For the updated sample above and CL.EXE command line specified above,
now symquery can find my DrMemFuzzFunc
"c:\Program Files (x86)\Dr. Memory\bin\symquery.exe" -e DrFuzzTest.exe
-v --searchall -s DrMemFuzzFunc
<debug info: type=PDB, has symbols, has line numbers>
DrMemFuzzFunc +0x1410-0x1425
DrMemFuzzFunc +0x1410-0x1410
and addr2line-like look-up seems working:
"c:\Program Files (x86)\Dr. Memory\bin\symquery.exe" -e DrFuzzTest.exe
-v -a 0x1410
<debug info: type=PDB, has symbols, has line numbers>
d:\workshop\drfuzztest\drfuzztest.cpp:19+0x0
However, -fuzz_offset also gives no errors like DrMemFuzzFunc would
have not been fuzzed at all
"c:\Program Files (x86)\Dr. Memory\bin\drmemory.exe" -fuzz
-fuzz_module DrFuzzTest.exe -fuzz_offset 0x1410
To summary:
- the sample program is fixed
- CL.exe command line is right (follows [1])
and seems I'm getting closer to successful run but still missing
something important.
May I ask for help?
[1] http://drmemory.org/docs/page_prep.html
Qin Zhao
May 10, 2017, 11:33:06 AM5/10/17
to drmemor...@googlegroups.com
Both DrFuzz and symquery use drsym to find the target function,
So it should find the fuzz target function.
You can tune up the logging to and check if the log file has lines like "Successfully resolved module ..."
Just curious, how do you know if it is being fuzzed or not. I cannot see any way from your code.
Can you add some printing in the FuzzMe or DrMemFuzzFunc function to see if they are executed?
On Wed, May 10, 2017 at 10:47 AM, Mateusz Loskot <mat...@loskot.net> wrote:
On 10 May 2017 at 13:15, 'Qin Zhao' via Dr. Memory Users
Mateusz Loskot
May 10, 2017, 12:38:46 PM5/10/17
to drmemor...@googlegroups.com
On 10 May 2017 at 17:33, 'Qin Zhao' via Dr. Memory Users
> Just curious, how do you know if it is being fuzzed or not. I cannot see any
> way from your code.
Good question
> Can you add some printing in the FuzzMe or DrMemFuzzFunc function to see if
> they are executed?
I've added this printf as first line in FuzzMe:
printf("XXX dataSize=%u\n", dataSize);
and rebuilt the sample
cl.exe /Zi /W4 /Ob0 /Oy- /EHsc /MDd /D"_DEBUG" DrFuzzTest.cpp
.\DrFuzzTest.exe
XXX dataSize=3
I see that -verbosity option corresponds to level used by LOG macro
https://github.com/DynamoRIO/drmemory/blob/master/common/utils.h#L508
which is used in the fuzzer.c.
I mean, I think I set the logging right.
Trying to fuzz with maximum verbosity (-verbose 32 as per
http://drmemory.org/docs/page_options.html)
"c:\Program Files (x86)\Dr. Memory\bin\drmemory.exe" -verbose 32 -fuzz
`C:\Users\mateuszl\AppData\Roaming\Dr. Memory` -symcache_dir
`C:\Users\mateuszl\AppData\Roaming\Dr. Memory\symcache` -lib_blacklist
`C:\WINDOWS*.d??,C:\Program Files (x86)\Common Files\Microsoft
Shared*.d??,C:\Program Files (x86)\Common Files\Microsoft Shared*.d??`
-resfile 12952 "
~~Dr.M~~ log dir is C:\Users\mateuszl\AppData\Roaming\Dr.
Memory\DrMemory-DrFuzzTest.exe.12952.000
XXX dataSize=3
No traces of attempt to locate my DrMemFuzzFunc :-(
Thanks for your help!
<drmemor...@googlegroups.com> wrote:
> You can tune up the logging to and check if the log file has lines like
> "Successfully resolved module ..."
I'm trying your suggestion below
> You can tune up the logging to and check if the log file has lines like
> "Successfully resolved module ..."
> Just curious, how do you know if it is being fuzzed or not. I cannot see any
> way from your code.
> Can you add some printing in the FuzzMe or DrMemFuzzFunc function to see if
> they are executed?
printf("XXX dataSize=%u\n", dataSize);
and rebuilt the sample
cl.exe /Zi /W4 /Ob0 /Oy- /EHsc /MDd /D"_DEBUG" DrFuzzTest.cpp
XXX dataSize=3
I see that -verbosity option corresponds to level used by LOG macro
https://github.com/DynamoRIO/drmemory/blob/master/common/utils.h#L508
which is used in the fuzzer.c.
I mean, I think I set the logging right.
Trying to fuzz with maximum verbosity (-verbose 32 as per
http://drmemory.org/docs/page_options.html)
"c:\Program Files (x86)\Dr. Memory\bin\drmemory.exe" -verbose 32 -fuzz
-fuzz_module DrFuzzTest.exe -fuzz_function DrMemFuzzFunc
~~Dr.M~~ Dr. Memory version 1.11.0
~~Dr.M~~ Running "DrFuzzTest.exe -fuzz_function DrMemFuzzFunc"
~~Dr.M~~ options are "`-verbose` `32` `-fuzz` `-fuzz_module` -logdir
~~Dr.M~~ Dr. Memory version 1.11.0
~~Dr.M~~ Running "DrFuzzTest.exe -fuzz_function DrMemFuzzFunc"
`C:\Users\mateuszl\AppData\Roaming\Dr. Memory` -symcache_dir
`C:\Users\mateuszl\AppData\Roaming\Dr. Memory\symcache` -lib_blacklist
`C:\WINDOWS*.d??,C:\Program Files (x86)\Common Files\Microsoft
Shared*.d??,C:\Program Files (x86)\Common Files\Microsoft Shared*.d??`
-resfile 12952 "
~~Dr.M~~ log dir is C:\Users\mateuszl\AppData\Roaming\Dr.
Memory\DrMemory-DrFuzzTest.exe.12952.000
XXX dataSize=3
~~Dr.M~~
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 0 unique, 0 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total GDI usage error(s)
~~Dr.M~~ 0 unique, 0 total handle leak(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ 6 potential error(s) (suspected false positives)
~~Dr.M~~ (details: C:\Users\mateuszl\AppData\Roaming\Dr.
Memory\DrMemory-DrFuzzTest.exe.12952.000\potential_errors.txt)
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 0 unique, 0 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total GDI usage error(s)
~~Dr.M~~ 0 unique, 0 total handle leak(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ 6 potential error(s) (suspected false positives)
~~Dr.M~~ (details: C:\Users\mateuszl\AppData\Roaming\Dr.
~~Dr.M~~ 17 unique, 29 total, 15438 byte(s) of
still-reachable allocation(s)
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details: C:\Users\mateuszl\AppData\Roaming\Dr.
Memory\DrMemory-DrFuzzTest.exe.12952.000\results.txt
still-reachable allocation(s)
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details: C:\Users\mateuszl\AppData\Roaming\Dr.
No traces of attempt to locate my DrMemFuzzFunc :-(
Thanks for your help!
Mateusz Loskot
May 10, 2017, 5:22:55 PM5/10/17
to drmemor...@googlegroups.com
On 10 May 2017 at 18:38, Mateusz Loskot <mat...@loskot.net> wrote:
> On 10 May 2017 at 17:33, 'Qin Zhao' via Dr. Memory Users
> <drmemor...@googlegroups.com> wrote:
>
> cl.exe /Zi /W4 /Ob0 /Oy- /EHsc /MDd /D"_DEBUG" DrFuzzTest.cpp
>
> On 10 May 2017 at 17:33, 'Qin Zhao' via Dr. Memory Users
> <drmemor...@googlegroups.com> wrote:
>
> cl.exe /Zi /W4 /Ob0 /Oy- /EHsc /MDd /D"_DEBUG" DrFuzzTest.cpp
>
2017 (Preview), 2017 , 2015, 2012
and there is no difference, no fuzzing in all cases.
Qin Zhao
May 10, 2017, 5:28:13 PM5/10/17
to drmemor...@googlegroups.com
Can you please provide the log file, which might be easier to identify the problem?
On Wed, May 10, 2017 at 5:22 PM, Mateusz Loskot <mat...@loskot.net> wrote:
On 10 May 2017 at 18:38, Mateusz Loskot <mat...@loskot.net> wrote:
> On 10 May 2017 at 17:33, 'Qin Zhao' via Dr. Memory Users
> <drmemory-users@googlegroups.com> wrote:
>
Mateusz Loskot
May 10, 2017, 5:53:42 PM5/10/17
to drmemor...@googlegroups.com
On 10 May 2017 at 23:28, 'Qin Zhao' via Dr. Memory Users
So, I re-run my trial using VS2012 and this time I get one error in
the console print-out, pasted below.
Attached is the complete global.1560.log
"c:\Program Files (x86)\Dr. Memory\bin\drmemory.exe" -verbose 32 -fuzz
-fuzz_module DrFuzzTest.exe -fuzz_function DrMemFuzzFunc
~~Dr.M~~ Dr. Memory version 1.11.0
~~Dr.M~~ Running "DrFuzzTest.exe -fuzz_function DrMemFuzzFunc"
~~Dr.M~~ options are "`-verbose` `32` `-fuzz` `-fuzz_module` -logdir
`C:\Users\mateuszl\AppData\Roaming\Dr. Memory` -symcache_dir
`C:\Users\mateuszl\AppData\Roaming\Dr. Memory\symcache` -lib_blacklist
`C:\WINDOWS*.d??,C:\Program Files (x86)\Common Files\Microsoft
Shared*.d??,C:\Program Files (x86)\Common Files\Microsoft Shared*.d??`
-resfile 1560 "
XXX dataSize=3
~~Dr.M~~
~~Dr.M~~ Error #1: UNINITIALIZED READ: reading 0x00aff93c-0x00aff940 4 byte(s)
~~Dr.M~~ # 0 ConEmuHk.dll!RequestDefTermShutdown +0x592b (0x7e1272fb
<ConEmuHk.dll+0x172fb>)
~~Dr.M~~ # 1 ConEmuHk.dll!RequestDefTermShutdown +0x5be4 (0x7e1275b5
<ConEmuHk.dll+0x175b5>)
~~Dr.M~~ # 2 ConEmuHk.dll!RequestDefTermShutdown +0x707c (0x7e128a4d
<ConEmuHk.dll+0x18a4d>)
~~Dr.M~~ # 3 ConEmuHk.dll!RequestDefTermShutdown +0x7106 (0x7e128ad7
<ConEmuHk.dll+0x18ad7>)
~~Dr.M~~ # 4 ConEmuHk.dll!SetHookCallbacks +0x12deb (0x7e15a79c
<ConEmuHk.dll+0x4a79c>)
~~Dr.M~~ # 5 ConEmuHk.dll!SetHookCallbacks +0x12e93 (0x7e15a844
<ConEmuHk.dll+0x4a844>)
~~Dr.M~~ # 6 ntdll.dll!RtlDecompressBuffer +0xed (0x7724e58e
<ntdll.dll+0x6e58e>)
~~Dr.M~~ # 7 ntdll.dll!LdrShutdownThread +0x385 (0x77220e46
<ntdll.dll+0x40e46>)
~~Dr.M~~ # 8 ntdll.dll!LdrShutdownProcess +0x111 (0x7720a862
<ntdll.dll+0x2a862>)
~~Dr.M~~ # 9 ntdll.dll!RtlExitUserProcess +0x95 (0x7720a416
<ntdll.dll+0x2a416>)
~~Dr.M~~ #10 KERNEL32.dll!ExitProcess +0x12 (0x758fadc3
<KERNEL32.dll+0x2adc3>)
~~Dr.M~~ #11 ConEmuHk.dll!RequestLocalServer +0xf6d8 (0x7e139f49
<ConEmuHk.dll+0x29f49>)
~~Dr.M~~ #12 MSVCR110D.dll!__crtExitProcess
~~Dr.M~~ #13 MSVCR110D.dll!_unlockexit
~~Dr.M~~ #14 MSVCR110D.dll!exit
~~Dr.M~~ #15 __tmainCRTStartup
[f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c:547]
~~Dr.M~~ #16 mainCRTStartup
[f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c:376]
~~Dr.M~~ #17 KERNEL32.dll!BaseThreadInitThunk +0x23 (0x758e62c4
<KERNEL32.dll+0x162c4>)
~~Dr.M~~ Note: @0:00:01.901 in thread 16040
~~Dr.M~~ Note: instruction: cmp 0xfffffff8(%ebp) $0x00000000
~~Dr.M~~
~~Dr.M~~ ERRORS FOUND:
~~Dr.M~~ 35 unique, 134 total, 21646 byte(s) of
<drmemor...@googlegroups.com> wrote:
> Can you please provide the log file, which might be easier to identify the
> problem?
Yes, of course.
> Can you please provide the log file, which might be easier to identify the
> problem?
So, I re-run my trial using VS2012 and this time I get one error in
the console print-out, pasted below.
Attached is the complete global.1560.log
"c:\Program Files (x86)\Dr. Memory\bin\drmemory.exe" -verbose 32 -fuzz
-fuzz_module DrFuzzTest.exe -fuzz_function DrMemFuzzFunc
~~Dr.M~~ Dr. Memory version 1.11.0
~~Dr.M~~ Running "DrFuzzTest.exe -fuzz_function DrMemFuzzFunc"
~~Dr.M~~ options are "`-verbose` `32` `-fuzz` `-fuzz_module` -logdir
`C:\Users\mateuszl\AppData\Roaming\Dr. Memory` -symcache_dir
`C:\Users\mateuszl\AppData\Roaming\Dr. Memory\symcache` -lib_blacklist
`C:\WINDOWS*.d??,C:\Program Files (x86)\Common Files\Microsoft
Shared*.d??,C:\Program Files (x86)\Common Files\Microsoft Shared*.d??`
~~Dr.M~~ log dir is C:\Users\mateuszl\AppData\Roaming\Dr.
Memory\DrMemory-DrFuzzTest.exe.1560.000
XXX dataSize=3
~~Dr.M~~
~~Dr.M~~ Error #1: UNINITIALIZED READ: reading 0x00aff93c-0x00aff940 4 byte(s)
~~Dr.M~~ # 0 ConEmuHk.dll!RequestDefTermShutdown +0x592b (0x7e1272fb
<ConEmuHk.dll+0x172fb>)
~~Dr.M~~ # 1 ConEmuHk.dll!RequestDefTermShutdown +0x5be4 (0x7e1275b5
<ConEmuHk.dll+0x175b5>)
~~Dr.M~~ # 2 ConEmuHk.dll!RequestDefTermShutdown +0x707c (0x7e128a4d
<ConEmuHk.dll+0x18a4d>)
~~Dr.M~~ # 3 ConEmuHk.dll!RequestDefTermShutdown +0x7106 (0x7e128ad7
<ConEmuHk.dll+0x18ad7>)
~~Dr.M~~ # 4 ConEmuHk.dll!SetHookCallbacks +0x12deb (0x7e15a79c
<ConEmuHk.dll+0x4a79c>)
~~Dr.M~~ # 5 ConEmuHk.dll!SetHookCallbacks +0x12e93 (0x7e15a844
<ConEmuHk.dll+0x4a844>)
~~Dr.M~~ # 6 ntdll.dll!RtlDecompressBuffer +0xed (0x7724e58e
<ntdll.dll+0x6e58e>)
~~Dr.M~~ # 7 ntdll.dll!LdrShutdownThread +0x385 (0x77220e46
<ntdll.dll+0x40e46>)
~~Dr.M~~ # 8 ntdll.dll!LdrShutdownProcess +0x111 (0x7720a862
<ntdll.dll+0x2a862>)
~~Dr.M~~ # 9 ntdll.dll!RtlExitUserProcess +0x95 (0x7720a416
<ntdll.dll+0x2a416>)
~~Dr.M~~ #10 KERNEL32.dll!ExitProcess +0x12 (0x758fadc3
<KERNEL32.dll+0x2adc3>)
~~Dr.M~~ #11 ConEmuHk.dll!RequestLocalServer +0xf6d8 (0x7e139f49
<ConEmuHk.dll+0x29f49>)
~~Dr.M~~ #12 MSVCR110D.dll!__crtExitProcess
~~Dr.M~~ #13 MSVCR110D.dll!_unlockexit
~~Dr.M~~ #14 MSVCR110D.dll!exit
~~Dr.M~~ #15 __tmainCRTStartup
[f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c:547]
~~Dr.M~~ #16 mainCRTStartup
[f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c:376]
~~Dr.M~~ #17 KERNEL32.dll!BaseThreadInitThunk +0x23 (0x758e62c4
<KERNEL32.dll+0x162c4>)
~~Dr.M~~ Note: @0:00:01.901 in thread 16040
~~Dr.M~~ Note: instruction: cmp 0xfffffff8(%ebp) $0x00000000
~~Dr.M~~
~~Dr.M~~ ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 1 unique, 1 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total GDI usage error(s)
~~Dr.M~~ 0 unique, 0 total handle leak(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ 11 potential error(s) (suspected false positives)
~~Dr.M~~ 0 unique, 0 total GDI usage error(s)
~~Dr.M~~ 0 unique, 0 total handle leak(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ (details: C:\Users\mateuszl\AppData\Roaming\Dr.
Memory\DrMemory-DrFuzzTest.exe.1560.000\potential_errors.txt)
~~Dr.M~~ 35 unique, 134 total, 21646 byte(s) of
still-reachable allocation(s)
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details: C:\Users\mateuszl\AppData\Roaming\Dr.
Memory\DrMemory-DrFuzzTest.exe.1560.000\results.txt
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details: C:\Users\mateuszl\AppData\Roaming\Dr.
Derek Bruening
May 10, 2017, 10:18:10 PM5/10/17
to drmemor...@googlegroups.com
From "ConEmuHk.dll" it looks like you're running in ConEmu, which does a lot of hooking in every process run inside it. It has caused us trouble in the past (e.g., https://github.com/DynamoRIO/dynamorio/issues/1597) and while we think we've fixed things to work well with it and the problems it causes are unlikely to explain the fuzzing issues here, it may be worth trying it in a different console just to make sure.
On Wed, May 10, 2017 at 5:53 PM, Mateusz Loskot <mat...@loskot.net> wrote:
On 10 May 2017 at 23:28, 'Qin Zhao' via Dr. Memory Users
Mateusz Loskot
May 11, 2017, 3:39:28 AM5/11/17
to drmemor...@googlegroups.com
On 11 May 2017 at 04:18, 'Derek Bruening' via Dr. Memory Users
Thanks for the pointer. I had no idea.
> and while we
> think we've fixed things to work well with it and the problems it causes are
> unlikely to explain the fuzzing issues here, it may be worth trying it in a
> different console just to make sure.
I have tried with
VS2012 x86 Native Tools Command Prompt
VS2015 x86 Native Tools Command Prompt
I see no difference indeed.
The .log and results.txt files attached.
Best regards,
<drmemor...@googlegroups.com> wrote:
> From "ConEmuHk.dll" it looks like you're running in ConEmu, which does a lot
> of hooking in every process run inside it. It has caused us trouble in the
> past (e.g., https://github.com/DynamoRIO/dynamorio/issues/1597)
Yes, I do use ConEmu, namely http://cmder.net/
> From "ConEmuHk.dll" it looks like you're running in ConEmu, which does a lot
> of hooking in every process run inside it. It has caused us trouble in the
> past (e.g., https://github.com/DynamoRIO/dynamorio/issues/1597)
Thanks for the pointer. I had no idea.
> and while we
> think we've fixed things to work well with it and the problems it causes are
> unlikely to explain the fuzzing issues here, it may be worth trying it in a
> different console just to make sure.
VS2012 x86 Native Tools Command Prompt
VS2015 x86 Native Tools Command Prompt
I see no difference indeed.
The .log and results.txt files attached.
Best regards,
Mateusz Loskot
May 11, 2017, 5:08:32 AM5/11/17
to drmemor...@googlegroups.com
On 10 May 2017 at 10:17, Mateusz Łoskot <mat...@loskot.net> wrote:
>
> I'm trying out Dr. Memory's fuzz testing capabilities on Windows 10
> using the latest Dr. Memory 1.11.0 and Visual Studio 2017.
> [...]
>
> I'm trying out Dr. Memory's fuzz testing capabilities on Windows 10
> using the latest Dr. Memory 1.11.0 and Visual Studio 2017.
FYI, I have created a repo on GitHub with my test project
https://github.com/mloskot/drmemory-fuzzer-test
Mateusz Loskot
May 11, 2017, 7:59:01 AM5/11/17
to drmemor...@googlegroups.com
On 11 May 2017 at 11:07, Mateusz Loskot <mat...@loskot.net> wrote:
> On 10 May 2017 at 10:17, Mateusz Łoskot <mat...@loskot.net> wrote:
>>
>> I'm trying out Dr. Memory's fuzz testing capabilities on Windows 10
>> using the latest Dr. Memory 1.11.0 and Visual Studio 2017.
>> [...]
>
>
> FYI, I have created a repo on GitHub with my test project
>
> https://github.com/mloskot/drmemory-fuzzer-test
I've just added AppVeyor CI build for the test project.
> On 10 May 2017 at 10:17, Mateusz Łoskot <mat...@loskot.net> wrote:
>>
>> I'm trying out Dr. Memory's fuzz testing capabilities on Windows 10
>> using the latest Dr. Memory 1.11.0 and Visual Studio 2017.
>> [...]
>
>
> FYI, I have created a repo on GitHub with my test project
>
> https://github.com/mloskot/drmemory-fuzzer-test
The build does:
- install Dr Memory 1.11
- builds fuzz_me.exe module
- runs symquery
- runs drmemory -fuzz
https://ci.appveyor.com/project/mloskot/drmemory-fuzzer-test
The result is quite the same as the one I'm getting locally.
I am going to add dumping of the .txt and .log files generated
in C:\Users\appveyor\AppData\Roaming\Dr. Memory\DrMemory-fuzz_me.exe.XXX
which might include helpful details indeed.
Mateusz Loskot
May 11, 2017, 8:46:50 AM5/11/17
to drmemor...@googlegroups.com
On 11 May 2017 at 13:58, Mateusz Loskot <mat...@loskot.net> wrote:
> On 11 May 2017 at 11:07, Mateusz Loskot <mat...@loskot.net> wrote:
>> On 10 May 2017 at 10:17, Mateusz Łoskot <mat...@loskot.net> wrote:
>>>
>>> I'm trying out Dr. Memory's fuzz testing capabilities on Windows 10
>>> using the latest Dr. Memory 1.11.0 and Visual Studio 2017.
>>> [...]
>>
>>
>> FYI, I have created a repo on GitHub with my test project
>>
>> https://github.com/mloskot/drmemory-fuzzer-test
>
>
> On 11 May 2017 at 11:07, Mateusz Loskot <mat...@loskot.net> wrote:
>> On 10 May 2017 at 10:17, Mateusz Łoskot <mat...@loskot.net> wrote:
>>>
>>> I'm trying out Dr. Memory's fuzz testing capabilities on Windows 10
>>> using the latest Dr. Memory 1.11.0 and Visual Studio 2017.
>>> [...]
>>
>>
>> FYI, I have created a repo on GitHub with my test project
>>
>> https://github.com/mloskot/drmemory-fuzzer-test
>
>
> I am going to add dumping of the .txt and .log files generated
> in C:\Users\appveyor\AppData\Roaming\Dr. Memory\DrMemory-fuzz_me.exe.XXX
> which might include helpful details indeed.
FYI, all drmemory.exe generated logs are now included to the build log
> in C:\Users\appveyor\AppData\Roaming\Dr. Memory\DrMemory-fuzz_me.exe.XXX
> which might include helpful details indeed.
For instance, https://ci.appveyor.com/project/mloskot/drmemory-fuzzer-test/build/1.0.16
Mateusz Loskot
May 12, 2017, 6:40:51 AM5/12/17
to drmemor...@googlegroups.com
On 11 May 2017 at 11:07, Mateusz Loskot <mat...@loskot.net> wrote:
> On 10 May 2017 at 10:17, Mateusz Łoskot <mat...@loskot.net> wrote:
>>
>> I'm trying out Dr. Memory's fuzz testing capabilities on Windows 10
>> using the latest Dr. Memory 1.11.0 and Visual Studio 2017.
>> [...]
>
>
> FYI, I have created a repo on GitHub with my test project
>
> https://github.com/mloskot/drmemory-fuzzer-test
I've run this test on Ubuntu 16.04, compiling fuzz_me.cpp
>>
>> I'm trying out Dr. Memory's fuzz testing capabilities on Windows 10
>> using the latest Dr. Memory 1.11.0 and Visual Studio 2017.
>> [...]
>
>
> FYI, I have created a repo on GitHub with my test project
>
> https://github.com/mloskot/drmemory-fuzzer-test
using the suggested flags (http://drmemory.org/docs/page_prep.html)
g++ -m32 -g -fno-inline -fno-omit-frame-pointer
and here no errors found too, same result as on Windows.
I don't quite understand how to interpret the result.
Has the fuzzer hit my fuzz target or not?
Has it hit but no errors found (fuzz_me.cpp is buggy though)?
Or, I'm simply not using Dr. Memory correctly, am I?
I'm confused.
Screenshot with details attached.
Qin Zhao
May 12, 2017, 2:30:30 PM5/12/17
to drmemor...@googlegroups.com
hmm, I tried the code, seems some other DR's internal error.
Can you try to run with -debug and -dr_debug to see if any output and log?
Qin
Qin Zhao
May 12, 2017, 2:35:43 PM5/12/17
to drmemor...@googlegroups.com
Correction, that internal error was due to too high verbose. I just tried:
> ./bin/drmemory -fuzz -fuzz_function DrMemoryFuzzerTest -- ./fuzz_me
WARNING: using debug DynamoRIO since release not found
<Starting application /usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/fuzz_me (16496)>
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file '/usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/bin/debug/libdrmemorylib.so' 0x73813000
add-symbol-file '/usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/dynamorio/lib32/debug/libdynamorio.so' 0x565a5dbc
add-symbol-file '/usr/lib32/libgcc_s.so.1' 0xe76ff0a0
add-symbol-file '/lib32/libc.so.6' 0xe7566490
add-symbol-file '/lib/ld-linux.so.2' 0xe752c860
>
<Initial options = -no_dynamic_options -logdir '/usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/logs/dynamorio' -client_lib '/usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/bin/debug/libdrmemorylib.so;0;`-fuzz` `-fuzz_function` `DrMemoryFuzzerTest` -logdir `/usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/logs` -symcache_dir `/usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/logs/symcache` -resfile 16496 ' -code_api -stack_size 56K -disable_traces -no_enable_traces -max_elide_jmp 0 -max_elide_call 0 -no_shared_traces -bb_ibl_targets -bb_single_restore_prefix -no_shared_trace_ibl_routine -no_enable_reset -no_reset_at_switch_to_os_at_vmm_limit -reset_at_vmm_percent_free_limit 0 -no_reset_at_vmm_full -reset_at_commit_free_limit 0K -reset_every_nth_pending 0 -vm_size 262144K -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
~~Dr.M~~ Dr. Memory version 1.11.17298
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
...
FuzzMe: dataSize=3
FuzzMe: dataSize=3
FuzzMe: dataSize=3
<Stopping application /usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/fuzz_me (16496)>
~~Dr.M~~
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 0 unique, 0 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ 13 unique, 16 total, 9880 byte(s) of still-reachable allocation(s)
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details: /usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/logs/DrMemory-fuzz_me.16496.000/results.txt
> nm ./fuzz_me
0804a024 B __bss_start
0804a024 b completed.6591
0804a01c D __data_start
0804a01c W data_start
080483b0 t deregister_tm_clones
08048420 t __do_global_dtors_aux
08049f0c t __do_global_dtors_aux_fini_array_entry
080484d3 T DrMemoryFuzzerTest
0804a020 D __dso_handle
If I run with -verbose 3, in the global.pid.log file, I saw:
...
[fuzzer] Successfully resolved symbol DrMemoryFuzzerTest in module /usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/fuzz_me to 0x80484d3
[fuzzer] Attempting to register fuzz target at pc 0x80484d3 with 2 args
[fuzzer] Successfully registered fuzz target at pc 0x80484d3
...
[fuzzer] executing post-fuzz for 0x80484d3
[drfuzz] post_fuzz() for target 0x080484d3 (repeat)
[drfuzz] pre_fuzz() for target 0x080484d3 with 2 args
[fuzzer] executing pre-fuzz (repeat=1) for 0x80484d3
[fuzzer] Executing target with mutated buffer:
54555a
...
Qin
Mateusz Loskot
May 12, 2017, 4:18:03 PM5/12/17
to drmemor...@googlegroups.com
On 12 May 2017 at 20:35, 'Qin Zhao' via Dr. Memory Users
I tried -verbose 3 but still the global.pid.log is quiet.
I noticed you are using Dr. Memory version 1.11.17298
while I'm at version 1.11.0 build 2 built on Aug 29 2016.
Shall I grab Dr. from GitHub master and build myself?
<drmemor...@googlegroups.com> wrote:
> Correction, that internal error was due to too high verbose. I just tried:
> [...]
> Correction, that internal error was due to too high verbose. I just tried:
> If I run with -verbose 3, in the global.pid.log file, I saw:
> ...
> [fuzzer] Successfully resolved symbol DrMemoryFuzzerTest in module
> /usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/fuzz_me
> to 0x80484d3
> [fuzzer] Attempting to register fuzz target at pc 0x80484d3 with 2 args
> [fuzzer] Successfully registered fuzz target at pc 0x80484d3
> ...
> [fuzzer] executing post-fuzz for 0x80484d3
> [drfuzz] post_fuzz() for target 0x080484d3 (repeat)
> [drfuzz] pre_fuzz() for target 0x080484d3 with 2 args
> [fuzzer] executing pre-fuzz (repeat=1) for 0x80484d3
>
> [fuzzer] Executing target with mutated buffer:
This looks good.
> ...
> [fuzzer] Successfully resolved symbol DrMemoryFuzzerTest in module
> /usr/local/google/home/zhaoqin/Workspace/DrMemory/builds/build_x86_drm_dbg.git/fuzz_me
> to 0x80484d3
> [fuzzer] Attempting to register fuzz target at pc 0x80484d3 with 2 args
> [fuzzer] Successfully registered fuzz target at pc 0x80484d3
> ...
> [fuzzer] executing post-fuzz for 0x80484d3
> [drfuzz] post_fuzz() for target 0x080484d3 (repeat)
> [drfuzz] pre_fuzz() for target 0x080484d3 with 2 args
> [fuzzer] executing pre-fuzz (repeat=1) for 0x80484d3
>
> [fuzzer] Executing target with mutated buffer:
I tried -verbose 3 but still the global.pid.log is quiet.
I noticed you are using Dr. Memory version 1.11.17298
while I'm at version 1.11.0 build 2 built on Aug 29 2016.
Shall I grab Dr. from GitHub master and build myself?
Qin Zhao
May 12, 2017, 4:54:44 PM5/12/17
to drmemor...@googlegroups.com
If you can test the latest, it would be good, so we can know if it is a regression or something.
Meanwhile, I would still suggest you to use -debug and -dr_debug to see if more information is printed out.
On Fri, May 12, 2017 at 4:17 PM, Mateusz Loskot <mat...@loskot.net> wrote:
On 12 May 2017 at 20:35, 'Qin Zhao' via Dr. Memory Users
Mateusz Loskot
May 12, 2017, 5:22:33 PM5/12/17
to drmemor...@googlegroups.com
On 12 May 2017 at 22:54, 'Qin Zhao' via Dr. Memory Users
Here is one attempt on Linux
$ drmemory -dr_debug -debug -verbose 3 -fuzz -fuzz_module ./a.out
-fuzz_function DrMemoryFuzzerTest -- ./a.out
<Starting application /home/mloskot/dev/drmemory-fuzzer-test/a.out (31896)>
add-symbol-file
'/opt/DrMemory-Linux-1.11.0-2/dynamorio/lib32/debug/libdynamorio.so'
0x7101410c
add-symbol-file '/usr/lib32/libstdc++.so.6' 0xe75df360
add-symbol-file '/lib32/libm.so.6' 0xe7521590
add-symbol-file '/lib32/libc.so.6' 0xe737f750
add-symbol-file '/lib/ld-linux.so.2' 0xe7342860
add-symbol-file '/usr/lib32/libgcc_s.so.1' 0xe7326080
'/opt/DrMemory-Linux-1.11.0-2/bin/debug/libdrmemorylib.so;0;`-verbose`
`3` `-fuzz` `-fuzz_module` `./a.out` `-fuzz_function`
`DrMemoryFuzzerTest` -logdir
`/opt/DrMemory-Linux-1.11.0-2/drmemory/logs` -symcache_dir
`/opt/DrMemory-Linux-1.11.0-2/drmemory/logs/symcache` -resfile 31896 '
~~Dr.M~~ options are "`-verbose` `3` `-fuzz` `-fuzz_module` `./a.out`
`-fuzz_function` `DrMemoryFuzzerTest` -logdir
`/opt/DrMemory-Linux-1.11.0-2/drmemory/logs` -symcache_dir
`/opt/DrMemory-Linux-1.11.0-2/drmemory/logs/symcache` -resfile 31896 "
~~Dr.M~~ log dir is
/opt/DrMemory-Linux-1.11.0-2/drmemory/logs/DrMemory-a.out.31896.000
FuzzMe: dataSize=3
<Stopping application /home/mloskot/dev/drmemory-fuzzer-test/a.out (31896)>
In global.pid.log, the only invocation of DrMemoryFuzzerTest target
comes from main() itself
# 3 FuzzMe+0x1a
[/home/mloskot/dev/drmemory-fuzzer-test/fuzz_me.cpp:8+0x14]
(0x08048486 <a.out+0x486>) modid:0
# 4 DrMemoryFuzzerTest+0x13
[/home/mloskot/dev/drmemory-fuzzer-test/fuzz_me.cpp:19+0xd]
(0x080484e2 <a.out+0x4e2>) modid:0
# 5 main +0x34
[/home/mloskot/dev/drmemory-fuzzer-test/fuzz_me.cpp:25+0xd]
(0x0804851d <a.out+0x51d>) modid:0
<drmemor...@googlegroups.com> wrote:
> Meanwhile, I would still suggest you to use -debug and -dr_debug to see if
> more information is printed out.
>
Right. I just notied your output was not generated with -debug or -dr_debug.
> Meanwhile, I would still suggest you to use -debug and -dr_debug to see if
> more information is printed out.
>
Here is one attempt on Linux
$ drmemory -dr_debug -debug -verbose 3 -fuzz -fuzz_module ./a.out
-fuzz_function DrMemoryFuzzerTest -- ./a.out
<Starting application /home/mloskot/dev/drmemory-fuzzer-test/a.out (31896)>
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file
'/opt/DrMemory-Linux-1.11.0-2/bin/debug/libdrmemorylib.so' 0x73813000
set confirm off
add-symbol-file
add-symbol-file
'/opt/DrMemory-Linux-1.11.0-2/dynamorio/lib32/debug/libdynamorio.so'
0x7101410c
add-symbol-file '/usr/lib32/libstdc++.so.6' 0xe75df360
add-symbol-file '/lib32/libm.so.6' 0xe7521590
add-symbol-file '/lib32/libc.so.6' 0xe737f750
add-symbol-file '/lib/ld-linux.so.2' 0xe7342860
add-symbol-file '/usr/lib32/libgcc_s.so.1' 0xe7326080
>
<Initial options = -no_dynamic_options -logdir
'/opt/DrMemory-Linux-1.11.0-2/drmemory/logs/dynamorio' -client_lib
<Initial options = -no_dynamic_options -logdir
'/opt/DrMemory-Linux-1.11.0-2/bin/debug/libdrmemorylib.so;0;`-verbose`
`3` `-fuzz` `-fuzz_module` `./a.out` `-fuzz_function`
`DrMemoryFuzzerTest` -logdir
`/opt/DrMemory-Linux-1.11.0-2/drmemory/logs` -symcache_dir
`/opt/DrMemory-Linux-1.11.0-2/drmemory/logs/symcache` -resfile 31896 '
-code_api -stack_size 56K -disable_traces -no_enable_traces
-max_elide_jmp 0 -max_elide_call 0 -max_bb_instrs 256
-no_shared_traces -bb_ibl_targets -bb_single_restore_prefix
-no_shared_trace_ibl_routine -no_enable_reset
-no_reset_at_switch_to_os_at_vmm_limit
-reset_at_vmm_percent_free_limit 0 -no_reset_at_vmm_full
-reset_at_commit_free_limit 0K -reset_every_nth_pending 0 -vm_size
262144K -early_inject -emulate_brk -no_inline_ignored_syscalls
-native_exec_default_list '' -no_native_exec_managed_code
-no_indcall2direct >
~~Dr.M~~ Dr. Memory version 1.11.0
-no_shared_trace_ibl_routine -no_enable_reset
-no_reset_at_switch_to_os_at_vmm_limit
-reset_at_vmm_percent_free_limit 0 -no_reset_at_vmm_full
-reset_at_commit_free_limit 0K -reset_every_nth_pending 0 -vm_size
262144K -early_inject -emulate_brk -no_inline_ignored_syscalls
-native_exec_default_list '' -no_native_exec_managed_code
-no_indcall2direct >
~~Dr.M~~ options are "`-verbose` `3` `-fuzz` `-fuzz_module` `./a.out`
`-fuzz_function` `DrMemoryFuzzerTest` -logdir
`/opt/DrMemory-Linux-1.11.0-2/drmemory/logs` -symcache_dir
`/opt/DrMemory-Linux-1.11.0-2/drmemory/logs/symcache` -resfile 31896 "
~~Dr.M~~ log dir is
/opt/DrMemory-Linux-1.11.0-2/drmemory/logs/DrMemory-a.out.31896.000
FuzzMe: dataSize=3
<Stopping application /home/mloskot/dev/drmemory-fuzzer-test/a.out (31896)>
~~Dr.M~~
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 0 unique, 0 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ 14 unique, 17 total, 8310 byte(s) of
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 0 unique, 0 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
still-reachable allocation(s)
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details:
/opt/DrMemory-Linux-1.11.0-2/drmemory/logs/DrMemory-a.out.31896.000/results.txt
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details:
In global.pid.log, the only invocation of DrMemoryFuzzerTest target
comes from main() itself
# 3 FuzzMe+0x1a
[/home/mloskot/dev/drmemory-fuzzer-test/fuzz_me.cpp:8+0x14]
(0x08048486 <a.out+0x486>) modid:0
# 4 DrMemoryFuzzerTest+0x13
[/home/mloskot/dev/drmemory-fuzzer-test/fuzz_me.cpp:19+0xd]
(0x080484e2 <a.out+0x4e2>) modid:0
# 5 main +0x34
[/home/mloskot/dev/drmemory-fuzzer-test/fuzz_me.cpp:25+0xd]
(0x0804851d <a.out+0x51d>) modid:0
Mateusz Loskot
May 12, 2017, 7:08:39 PM5/12/17
to drmemor...@googlegroups.com
On 12 May 2017 at 22:54, 'Qin Zhao' via Dr. Memory Users
I can't say I'm moving anywhere forward:
$ ~/dev/drmemory/build/bin/drmemory -verbose 3 -fuzz -fuzz_module
`/home/mloskot/dev/drmemory/build/logs/symcache` -resfile 5747 "
~~Dr.M~~ log dir is
/home/mloskot/dev/drmemory/build/logs/DrMemory-a.out.5747.000
FuzzMe: dataSize=3
I see neither any [fuzzer] messages
nor Successfully resolved symbol DrMemoryFuzzerTest in module
in global.pid.log.
The debug runs fail for me with this
$ ~/dev/drmemory/build/bin/drmemory -debug -verbose 3 -fuzz
Unable to load client library:
/home/mloskot/dev/drmemory/build/bin/debug/libdrmemorylib.so
Unable to locate library! Try adding path to LD_LIBRARY_PATH.>
<Application /home/mloskot/dev/drmemory-fuzzer-test/a.out (6233).
Unable to load client library:
/home/mloskot/dev/drmemory/build/bin/debug/libdrmemorylib.so.
Error opening instrumentation library
/home/mloskot/dev/drmemory/build/bin/debug/libdrmemorylib.so:
error in private loader.>
FuzzMe: dataSize=3
$ ~/dev/drmemory/build/bin/drmemory -dr_debug -verbose 3 -fuzz
I will try to build with CMAKE_BUILD_TYPE=Debug
<drmemor...@googlegroups.com> wrote:
> If you can test the latest, it would be good, so we can know if it is a
> regression or something.
I've built the latest master on Linux, with Release build type.
> If you can test the latest, it would be good, so we can know if it is a
> regression or something.
I can't say I'm moving anywhere forward:
$ ~/dev/drmemory/build/bin/drmemory -verbose 3 -fuzz -fuzz_module
./a.out -fuzz_function DrMemoryFuzzerTest -- ./a.out
~~Dr.M~~ Dr. Memory version 1.11.17298
~~Dr.M~~ options are "`-verbose` `3` `-fuzz` `-fuzz_module` `./a.out`
`-fuzz_function` `DrMemoryFuzzerTest` -logdir
`/home/mloskot/dev/drmemory/build/logs` -symcache_dir
`-fuzz_function` `DrMemoryFuzzerTest` -logdir
`/home/mloskot/dev/drmemory/build/logs/symcache` -resfile 5747 "
~~Dr.M~~ log dir is
/home/mloskot/dev/drmemory/build/logs/DrMemory-a.out.5747.000
FuzzMe: dataSize=3
~~Dr.M~~
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 0 unique, 0 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ 14 unique, 17 total, 8310 byte(s) of
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 0 unique, 0 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
still-reachable allocation(s)
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details:
/home/mloskot/dev/drmemory/build/logs/DrMemory-a.out.5747.000/results.txt
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details:
I see neither any [fuzzer] messages
nor Successfully resolved symbol DrMemoryFuzzerTest in module
in global.pid.log.
The debug runs fail for me with this
$ ~/dev/drmemory/build/bin/drmemory -debug -verbose 3 -fuzz
-fuzz_module ./a.out -fuzz_function DrMemoryFuzzerTest -- ./a.out
<Application /home/mloskot/dev/drmemory-fuzzer-test/a.out (6233).
Unable to load client library:
/home/mloskot/dev/drmemory/build/bin/debug/libdrmemorylib.so
Unable to locate library! Try adding path to LD_LIBRARY_PATH.>
<Application /home/mloskot/dev/drmemory-fuzzer-test/a.out (6233).
Unable to load client library:
/home/mloskot/dev/drmemory/build/bin/debug/libdrmemorylib.so.
Error opening instrumentation library
/home/mloskot/dev/drmemory/build/bin/debug/libdrmemorylib.so:
error in private loader.>
FuzzMe: dataSize=3
$ ~/dev/drmemory/build/bin/drmemory -dr_debug -verbose 3 -fuzz
-fuzz_module ./a.out -fuzz_function DrMemoryFuzzerTest -- ./a.out
ERROR: unable to inject
I will try to build with CMAKE_BUILD_TYPE=Debug
Qin Zhao
May 12, 2017, 11:11:50 PM5/12/17
to drmemor...@googlegroups.com
Mine was a debug build only version, so no need to specify -debug or -dr_debug.
I just had a theory. Could pleas try to run it without "-fuzz_module
./a.out" . I suspect it is the ./ made the compare failed.
You can try just a.out without ./
On May 12, 2017 7:08 PM, "Mateusz Loskot" <mat...@loskot.net> wrote:
On 12 May 2017 at 22:54, 'Qin Zhao' via Dr. Memory Users
Mateusz Loskot
May 14, 2017, 5:35:33 PM5/14/17
to drmemor...@googlegroups.com
On 13 May 2017 at 05:11, 'Qin Zhao' via Dr. Memory Users
On Linux, I tried the following command
$ ~/dev/drmemory/build.debug/bin/drmemory -verbose 3 -fuzz
-fuzz_function DrMemoryFuzzerTest -- ./a.out
0x73811000
add-symbol-file
'/home/mloskot/dev/drmemory/build.debug/dynamorio/lib32/debug/libdynamorio.so'
0x56599dbc
add-symbol-file '/usr/lib32/libgcc_s.so.1' 0xe770a080
add-symbol-file '/lib32/libc.so.6' 0xe756a750
add-symbol-file '/lib/ld-linux.so.2' 0xe752d860
>
<Initial options = -no_dynamic_options -logdir '/tmp/Dr.
Memory/dynamorio' -client_lib
'/home/mloskot/dev/drmemory/build.debug/bin/debug/libdrmemorylib.so;0;`-verbose`
`3` `-fuzz` `-fuzz_function` `DrMemoryFuzzerTest` -logdir `/tmp/Dr.
Memory` -symcache_dir `/tmp/Dr. Memory/symcache` -resfile 26133 '
`DrMemoryFuzzerTest` -logdir `/tmp/Dr. Memory` -symcache_dir `/tmp/Dr.
Memory/symcache` -resfile 26133 "
~~Dr.M~~ log dir is /tmp/Dr. Memory/DrMemory-a.out.26133.000
FuzzMe: dataSize=3
[... 98 same lines]
FuzzMe: dataSize=3
<Stopping application /home/mloskot/dev/drmemory-fuzzer-test/a.out (26133)>
Now, in global.pid.log I now see
[fuzzer] Successfully resolved symbol DrMemoryFuzzerTest in module
/home/mloskot/dev/drmemory-fuzzer-test/a.out to 0x80484ce
[fuzzer] Attempting to register fuzz target at pc 0x80484ce with 2 args
[fuzzer] Successfully registered fuzz target at pc 0x80484ce
On Windows, my test project uses Dr. Memory 1.11
and removeing -fuzz_module from the command line works too
drmemory.exe -quiet -batch -verbose 3 -logdir logs -fuzz
-fuzz_function DrMemoryFuzzerTest -- fuzz_me.exe
Here is complete log
https://ci.appveyor.com/project/mloskot/drmemory-fuzzer-test/build/1.0.20
Thanks for your help!
<drmemor...@googlegroups.com> wrote:
>
> I just had a theory. Could pleas try to run it without "-fuzz_module
> ./a.out" . I suspect it is the ./ made the compare failed.
> You can try just a.out without ./
Your theory seems to play out.
>
> I just had a theory. Could pleas try to run it without "-fuzz_module
> ./a.out" . I suspect it is the ./ made the compare failed.
> You can try just a.out without ./
On Linux, I tried the following command
$ ~/dev/drmemory/build.debug/bin/drmemory -verbose 3 -fuzz
-fuzz_function DrMemoryFuzzerTest -- ./a.out
WARNING: using debug DynamoRIO since release not found
<Starting application /home/mloskot/dev/drmemory-fuzzer-test/a.out (26133)>
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file
'/home/mloskot/dev/drmemory/build.debug/bin/debug/libdrmemorylib.so'
set confirm off
add-symbol-file
0x73811000
add-symbol-file
'/home/mloskot/dev/drmemory/build.debug/dynamorio/lib32/debug/libdynamorio.so'
0x56599dbc
add-symbol-file '/usr/lib32/libgcc_s.so.1' 0xe770a080
add-symbol-file '/lib32/libc.so.6' 0xe756a750
add-symbol-file '/lib/ld-linux.so.2' 0xe752d860
>
<Initial options = -no_dynamic_options -logdir '/tmp/Dr.
Memory/dynamorio' -client_lib
'/home/mloskot/dev/drmemory/build.debug/bin/debug/libdrmemorylib.so;0;`-verbose`
`3` `-fuzz` `-fuzz_function` `DrMemoryFuzzerTest` -logdir `/tmp/Dr.
Memory` -symcache_dir `/tmp/Dr. Memory/symcache` -resfile 26133 '
-code_api -stack_size 56K -disable_traces -no_enable_traces
-max_elide_jmp 0 -max_elide_call 0 -no_shared_traces -bb_ibl_targets
-bb_single_restore_prefix -no_shared_trace_ibl_routine
-no_enable_reset -no_reset_at_switch_to_os_at_vmm_limit
-reset_at_vmm_percent_free_limit 0 -no_reset_at_vmm_full
-reset_at_commit_free_limit 0K -reset_every_nth_pending 0 -vm_size
262144K -early_inject -emulate_brk -no_inline_ignored_syscalls
-native_exec_default_list '' -no_native_exec_managed_code
-no_indcall2direct >
-max_elide_jmp 0 -max_elide_call 0 -no_shared_traces -bb_ibl_targets
-bb_single_restore_prefix -no_shared_trace_ibl_routine
-no_enable_reset -no_reset_at_switch_to_os_at_vmm_limit
-reset_at_vmm_percent_free_limit 0 -no_reset_at_vmm_full
-reset_at_commit_free_limit 0K -reset_every_nth_pending 0 -vm_size
262144K -early_inject -emulate_brk -no_inline_ignored_syscalls
-native_exec_default_list '' -no_native_exec_managed_code
-no_indcall2direct >
~~Dr.M~~ Dr. Memory version 1.11.17298
~~Dr.M~~ options are "`-verbose` `3` `-fuzz` `-fuzz_function`
`DrMemoryFuzzerTest` -logdir `/tmp/Dr. Memory` -symcache_dir `/tmp/Dr.
Memory/symcache` -resfile 26133 "
~~Dr.M~~ log dir is /tmp/Dr. Memory/DrMemory-a.out.26133.000
FuzzMe: dataSize=3
[... 98 same lines]
FuzzMe: dataSize=3
<Stopping application /home/mloskot/dev/drmemory-fuzzer-test/a.out (26133)>
~~Dr.M~~
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 0 unique, 0 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ 14 unique, 17 total, 8310 byte(s) of
still-reachable allocation(s)
~~Dr.M~~ (re-run with "-show_reachable" for details)
~~Dr.M~~ Details: /tmp/Dr. Memory/DrMemory-a.out.26133.000/results.txt
~~Dr.M~~ NO ERRORS FOUND:
~~Dr.M~~ 0 unique, 0 total unaddressable access(es)
~~Dr.M~~ 0 unique, 0 total uninitialized access(es)
~~Dr.M~~ 0 unique, 0 total invalid heap argument(s)
~~Dr.M~~ 0 unique, 0 total warning(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of leak(s)
~~Dr.M~~ 0 unique, 0 total, 0 byte(s) of possible leak(s)
~~Dr.M~~ ERRORS IGNORED:
~~Dr.M~~ 14 unique, 17 total, 8310 byte(s) of
still-reachable allocation(s)
~~Dr.M~~ (re-run with "-show_reachable" for details)
Now, in global.pid.log I now see
[fuzzer] Successfully resolved symbol DrMemoryFuzzerTest in module
/home/mloskot/dev/drmemory-fuzzer-test/a.out to 0x80484ce
[fuzzer] Attempting to register fuzz target at pc 0x80484ce with 2 args
[fuzzer] Successfully registered fuzz target at pc 0x80484ce
On Windows, my test project uses Dr. Memory 1.11
and removeing -fuzz_module from the command line works too
drmemory.exe -quiet -batch -verbose 3 -logdir logs -fuzz
-fuzz_function DrMemoryFuzzerTest -- fuzz_me.exe
Here is complete log
https://ci.appveyor.com/project/mloskot/drmemory-fuzzer-test/build/1.0.20
Thanks for your help!
Qin Zhao
May 14, 2017, 8:33:02 PM5/14/17
to drmemor...@googlegroups.com
Glad to know it works.
Any feedback, suggestion, or even better contributions are welcome ^_^.
On Sun, May 14, 2017 at 5:35 PM, Mateusz Loskot <mat...@loskot.net> wrote:
On 13 May 2017 at 05:11, 'Qin Zhao' via Dr. Memory Users
Mateusz Loskot
May 15, 2017, 3:58:02 AM5/15/17
to drmemor...@googlegroups.com
On 15 May 2017 at 02:33, 'Qin Zhao' via Dr. Memory Users
I'll now have to learn how Dr. Fuzz generates input for fuzz target
Current version of my test program is
#include <stdio.h>
bool FuzzMe(unsigned char *data, size_t dataSize)
{
if (dataSize > 0)
{
printf("%s: dataSize=%u, data=%.50s\n", __func__, dataSize, data);
{
printf("%s: no data\n", __func__);
}
}
extern "C"
void DrMemoryFuzzerTest(unsigned char *data, size_t dataSize)
{
FuzzMe(data, dataSize);
}
int main()
{
unsigned char data[] = {'F', 'U', 'Z', 'Z', 'M', 'E', 0};
DrMemoryFuzzerTest(data, 3);
return 0;
}
Interestingly, somehow input seems to be generated permuting
first three characters of the `data` array used in
dummy of the DrMemoryFuzzerTest
...
FuzzMe: dataSize=3, data=DWZZME
FuzzMe: dataSize=3, data=DUXZME
FuzzMe: dataSize=3, data=DQZZME
FuzzMe: dataSize=3, data=LUZZME
FuzzMe: dataSize=3, data=D]ZZME
FuzzMe: dataSize=3, data=DURZME
FuzzMe: dataSize=3, data=TUZZME
FuzzMe: dataSize=3, data=DEZZME
...
Complete log at
https://ci.appveyor.com/project/mloskot/drmemory-fuzzer-test/build/1.0.28
> Any feedback, suggestion, or even better contributions are welcome ^_^.
So far I'm just a troublemaker (reported one compilation issue too),
but if I'm capable to shoot troubles too, I will.
I'll now have to learn how Dr. Fuzz generates input for fuzz target
Current version of my test program is
#include <stdio.h>
bool FuzzMe(unsigned char *data, size_t dataSize)
{
{
printf("%s: dataSize=%u, data=%.50s\n", __func__, dataSize, data);
return dataSize > 0 &&
data[0] == 'F' &&
data[1] == 'U' &&
data[2] == 'Z' &&
data[3] == 'Z'; // :‑<
}
else
data[0] == 'F' &&
data[1] == 'U' &&
data[2] == 'Z' &&
data[3] == 'Z'; // :‑<
}
{
printf("%s: no data\n", __func__);
}
}
extern "C"
void DrMemoryFuzzerTest(unsigned char *data, size_t dataSize)
{
FuzzMe(data, dataSize);
}
int main()
{
unsigned char data[] = {'F', 'U', 'Z', 'Z', 'M', 'E', 0};
DrMemoryFuzzerTest(data, 3);
return 0;
}
Interestingly, somehow input seems to be generated permuting
first three characters of the `data` array used in
dummy of the DrMemoryFuzzerTest
...
FuzzMe: dataSize=3, data=DWZZME
FuzzMe: dataSize=3, data=DUXZME
FuzzMe: dataSize=3, data=DQZZME
FuzzMe: dataSize=3, data=LUZZME
FuzzMe: dataSize=3, data=D]ZZME
FuzzMe: dataSize=3, data=DURZME
FuzzMe: dataSize=3, data=TUZZME
FuzzMe: dataSize=3, data=DEZZME
...
Complete log at
https://ci.appveyor.com/project/mloskot/drmemory-fuzzer-test/build/1.0.28
> Any feedback, suggestion, or even better contributions are welcome ^_^.
but if I'm capable to shoot troubles too, I will.
Qin Zhao
May 15, 2017, 7:30:50 AM5/15/17
to drmemor...@googlegroups.com
On Mon, May 15, 2017 at 3:57 AM, Mateusz Loskot <mat...@loskot.net> wrote:
On 15 May 2017 at 02:33, 'Qin Zhao' via Dr. Memory Users
Yes, that's because the dataSize you passed in is 3, Dr.Fuzz would only perform permutation within that range.
By default, Dr.Fuzz only permute data in memory within the size range, because we do not know the actual passed in buffer size and we do not want to buffer overflow the input data buffer.
Dr.Fuzz does support replacing the buffer and change the buffer size, or using corpus input for fuzzing, or dictionary based fuzzing.
and
are places you can find more details.
Qin
...
FuzzMe: dataSize=3, data=DWZZME
FuzzMe: dataSize=3, data=DUXZME
FuzzMe: dataSize=3, data=DQZZME
FuzzMe: dataSize=3, data=LUZZME
FuzzMe: dataSize=3, data=D]ZZME
FuzzMe: dataSize=3, data=DURZME
FuzzMe: dataSize=3, data=TUZZME
FuzzMe: dataSize=3, data=DEZZME
...
Complete log at
https://ci.appveyor.com/project/mloskot/drmemory-fuzzer-test/build/1.0.28
> Any feedback, suggestion, or even better contributions are welcome ^_^.
So far I'm just a troublemaker (reported one compilation issue too),
but if I'm capable to shoot troubles too, I will.
It seems fixing the compilation error is a good first bug fix, ^_^.
Mateusz Loskot
May 15, 2017, 7:36:21 AM5/15/17
to drmemor...@googlegroups.com
On 15 May 2017 at 13:30, 'Qin Zhao' via Dr. Memory Users
I see. It makes perfect sense.
> Dr.Fuzz does support replacing the buffer and change the buffer size, or
> using corpus input for fuzzing, or dictionary based fuzzing.
I've just read about the fuzz testing mutators feature.
All looks much clearer now.
Thanks for your great help!
<drmemor...@googlegroups.com> wrote:
> On Mon, May 15, 2017 at 3:57 AM, Mateusz Loskot <mat...@loskot.net> wrote:
>>
>> On 15 May 2017 at 02:33, 'Qin Zhao' via Dr. Memory Users
> On Mon, May 15, 2017 at 3:57 AM, Mateusz Loskot <mat...@loskot.net> wrote:
>>
>> On 15 May 2017 at 02:33, 'Qin Zhao' via Dr. Memory Users
> Dr.Fuzz does support replacing the buffer and change the buffer size, or
> using corpus input for fuzzing, or dictionary based fuzzing.
All looks much clearer now.
Thanks for your great help!
Mateusz Loskot
May 17, 2017, 6:27:52 AM5/17/17
to drmemor...@googlegroups.com
On 15 May 2017 at 13:30, 'Qin Zhao' via Dr. Memory Users
https://github.com/DynamoRIO/drmemory/pull/1991
<drmemor...@googlegroups.com> wrote:
> On Mon, May 15, 2017 at 3:57 AM, Mateusz Loskot <mat...@loskot.net> wrote:
>>
>> So far I'm just a troublemaker (reported one compilation issue too),
>> but if I'm capable to shoot troubles too, I will.
>
> It seems fixing the compilation error is a good first bug fix, ^_^.
>
Done :)
> On Mon, May 15, 2017 at 3:57 AM, Mateusz Loskot <mat...@loskot.net> wrote:
>>
>> So far I'm just a troublemaker (reported one compilation issue too),
>> but if I'm capable to shoot troubles too, I will.
>
> It seems fixing the compilation error is a good first bug fix, ^_^.
>
https://github.com/DynamoRIO/drmemory/pull/1991
Reply all
Reply to author
Forward
0 new messages