Skip to content

[libFuzzer] always install signal handler with SA_ONSTACK #147422

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 9, 2025
Merged

[libFuzzer] always install signal handler with SA_ONSTACK #147422

merged 1 commit into from
Aug 9, 2025

Conversation

randall77
Copy link
Contributor

SA_ONSTACK is required for certain runtimes that use small stacks, for instance the Go runtime.
See golang/go#49075
SA_ONSTACK is a no-op unless someone also calls sigaltstack.

@randall77
[libFuzzer] always install signal handler with SA_ONSTACK
c265d98 
SA_ONSTACK is required for certain runtimes that use small stacks, for instance the Go runtime.
See golang/go#49075
SA_ONSTACK is a no-op unless someone also calls sigaltstack.
@llvmbot
Copy link
Member

llvmbot commented Jul 7, 2025

@llvm/pr-subscribers-compiler-rt-sanitizer

Author: Keith Randall (randall77)

Changes

SA_ONSTACK is required for certain runtimes that use small stacks, for instance the Go runtime.
See golang/go#49075
SA_ONSTACK is a no-op unless someone also calls sigaltstack.

Full diff: https://github.com/llvm/llvm-project/pull/147422.diff

1 Files Affected:

  • (modified) compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp (+8-4)
diff --git a/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp b/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp
index 392c1e5be4eea..b6cc3bcf8a3f3 100644
--- a/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp
+++ b/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp
@@ -78,10 +78,14 @@ static void SetSigaction(int signum,
   }
 
   struct sigaction new_sigact = {};
-  // Address sanitizer needs SA_ONSTACK (causing the signal handler to run on a
-  // dedicated stack) in order to be able to detect stack overflows; keep the
-  // flag if it's set.
-  new_sigact.sa_flags = SA_SIGINFO | (sigact.sa_flags & SA_ONSTACK);
+  // SA_ONSTACK is required for certain runtimes that use small stacks, for
+  // instance the Go runtime.
+  // See https://github.com/golang/go/issues/49075
+  // Address sanitizer also wants SA_ONSTACK, and the fuzzer and sanitizer
+  // often run together.
+  // SA_ONSTACK is a no-op unless someone also calls sigaltstack. That is left
+  // up to code that needs it.
+  new_sigact.sa_flags = SA_SIGINFO | SA_ONSTACK;
   new_sigact.sa_sigaction = callback;
   if (sigaction(signum, &new_sigact, nullptr)) {
     Printf("libFuzzer: sigaction failed with %d\n", errno);

@randall77
Copy link
Contributor Author

Previous patch and discussion on Phabricator. It's been a few years, trying to get this landed.

https://reviews.llvm.org/D150231

Why this matters: it causes random stack corruption in Go when running with libFuzzer. See golang/go#49075 (comment) and subsequent comments.

@dvyukov @sebastianpoeplau @vitalybuka @ramosian-glider

@sebastianpoeplau
Copy link
Contributor

Like I said on the old Phabricator discussion, I think this is good to go in. However, I don't have rights to formally approve or merge 🤷‍♂️

@randall77
Copy link
Contributor Author

Ping.

@vitalybuka vitalybuka merged commit aee4f2b into llvm:main Aug 9, 2025
13 checks passed
@wrotki
Copy link
Contributor

wrotki commented Aug 11, 2025

It looks like it breaks fuzzer-timeout test on our bot : https://green.lab.llvm.org/job/llvm.org/job/clang-stage1-cmake-RA-expensive/4903/

@wrotki
Copy link
Contributor

wrotki commented Aug 12, 2025
edited
Loading

With this change the test fails to walk the stack:

llvm.org/llvm-project/build/projects/compiler-rt/test/fuzzer/ARM64DefaultDarwinConfig/Output/fuzzer-timeout.test.tmp-TimeoutTest -timeout=1
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 221423546
INFO: Loaded 1 modules   (9 inline 8-bit counters): 9 [0x100bd4468, 0x100bd4471),
INFO: Loaded 1 PC tables (9 PCs): 9 [0x100bd4478,0x100bd4508),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2	INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 34Mb
#586	NEW    cov: 3 ft: 3 corp: 2/2b lim: 8 exec/s: 0 rss: 35Mb L: 1/1 MS: 4 ChangeBit-InsertByte-ChangeBit-EraseBytes-
#628	NEW    cov: 4 ft: 4 corp: 3/4b lim: 8 exec/s: 0 rss: 35Mb L: 2/2 MS: 2 CopyPart-CrossOver-
#914	NEW    cov: 5 ft: 5 corp: 4/10b lim: 8 exec/s: 0 rss: 35Mb L: 6/6 MS: 1 InsertRepeatedBytes-
#942	REDUCE cov: 5 ft: 5 corp: 4/9b lim: 8 exec/s: 0 rss: 35Mb L: 5/5 MS: 3 InsertByte-InsertByte-EraseBytes-
#1037	REDUCE cov: 5 ft: 5 corp: 4/7b lim: 8 exec/s: 0 rss: 35Mb L: 3/3 MS: 5 CopyPart-InsertByte-EraseBytes-CopyPart-CrossOver-
#1053	REDUCE cov: 6 ft: 6 corp: 5/9b lim: 8 exec/s: 0 rss: 35Mb L: 2/3 MS: 1 EraseBytes-
ALARM: working on the last Unit for 1 seconds
       and the timeout value is 1 (use -timeout=N to change)
MS: 1 InsertByte-; base unit: bf397014ecbce0b1be8d9011c77f6181927a357f
0x48,0x69,0x21,0x48,
Hi!H
artifact_prefix='./'; Test unit written to ./timeout-c9f7ef19d5ac7565f3dcaf7a3221ae711a187db5
Base64: SGkhSA==
==35961== ERROR: libFuzzer: timeout after 1 seconds
    #0 0x000101149a88 in __sanitizer_print_stack_trace asan_stack.cpp:87

SUMMARY: libFuzzer: timeout

Can I suggest reverting and investigating?

@wrotki wrotki self-requested a review August 12, 2025 00:37
@randall77
Copy link
Contributor Author

Sorry about that. What is the workflow for a revert?

@wrotki
Copy link
Contributor

wrotki commented Aug 12, 2025

On Vitaly's merge line above there's a 'revert' button. Or not, if you don't have merge permissions - in which case I can do it for you. If you can revert, add a short 'why' comment to it.

@randall77 randall77 mentioned this pull request Aug 12, 2025
Merged
wrotki pushed a commit that referenced this pull request Aug 12, 2025
@randall77
Revert "[libFuzzer] always install signal handler with SA_ONSTACK" (#…
03372c7 
…153114)

Reverts #147422

Seems to be causing problems with tracebacks. Probably the trackback
code doesn't know how to switch back to the regular stack after it gets
to the top of the signal stack.
llvm-sync bot pushed a commit to arm/arm-toolchain that referenced this pull request Aug 12, 2025
@randall77 @github-actions
Automerge: Revert "[libFuzzer] always install signal handler with SA_…
c6d183c 
…ONSTACK" (#153114)

Reverts llvm/llvm-project#147422

Seems to be causing problems with tracebacks. Probably the trackback
code doesn't know how to switch back to the regular stack after it gets
to the top of the signal stack.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vitalybuka vitalybuka vitalybuka approved these changes

@dvyukov dvyukov Awaiting requested review from dvyukov

@ramosian-glider ramosian-glider Awaiting requested review from ramosian-glider

@wrotki wrotki Awaiting requested review from wrotki

Assignees
No one assigned
Labels
compiler-rt:fuzzer compiler-rt:sanitizer compiler-rt
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@randall77 @llvmbot @sebastianpoeplau @wrotki @vitalybuka