From 05a33570af393b364e474c2410a3d4e3a5a2584c Mon Sep 17 00:00:00 2001 
From: Dmitry Vyukov Date: Wed, 3 Jul 2024 15:39:53 +0200 Subject: pkg/fuzzer: fix races in test Currently we can get either: WARNING: DATA RACE Read at 0x00c0018fe1e0 by goroutine 11: github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).run() pkg/fuzzer/fuzzer_test.go:183 +0x62a github.com/google/syzkaller/pkg/fuzzer.TestFuzz() pkg/fuzzer/fuzzer_test.go:86 +0xa96 testing.tRunner() testing/testing.go:1595 +0x238 testing.(*T).Run.func1() testing/testing.go:1648 +0x44 Previous write at 0x00c0018fe1e0 by goroutine 36: runtime.mapassign_faststr() runtime/map_faststr.go:203 +0x0 github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).OnDone() pkg/fuzzer/fuzzer_test.go:210 +0x404 github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).OnDone-fm() :1 +0x47 github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).Next.(*Request).OnDone.func1() pkg/fuzzer/queue/queue.go:62 +0xa1 github.com/google/syzkaller/pkg/fuzzer/queue.(*retryer).Next.(*Request).OnDone.func1() pkg/fuzzer/queue/queue.go:68 +0xbe github.com/google/syzkaller/pkg/fuzzer/queue.(*Request).Done() pkg/fuzzer/queue/queue.go:74 +0x66 github.com/google/syzkaller/pkg/rpcserver.(*Runner).handleExecResult() pkg/rpcserver/runner.go:262 +0x554 github.com/google/syzkaller/pkg/rpcserver.(*Runner).connectionLoop() pkg/rpcserver/runner.go:103 +0x495 github.com/google/syzkaller/pkg/rpcserver.(*Server).connectionLoop() pkg/rpcserver/rpcserver.go:371 +0x18a github.com/google/syzkaller/pkg/rpcserver.(*Server).handleConn() pkg/rpcserver/rpcserver.go:261 +0x6ac github.com/google/syzkaller/pkg/rpcserver.(*Server).handleConn-fm() :1 +0x3d github.com/google/syzkaller/pkg/flatrpc.ListenAndServe.func1.1() pkg/flatrpc/conn.go:54 +0x2ac Or: panic: Log in goroutine after TestFuzz has completed: CRASH: second bug goroutine 69 [running]: testing.(*common).logDepth(0xc0017c24e0, {0xc00070c0d8, 0x11}, 0x3) testing/testing.go:1029 +0x6d4 testing.(*common).log(...) 
testing/testing.go:1011 testing.(*common).Logf(0xc0017c24e0, {0x1365b2d, 0x9}, {0xc001aac930, 0x1, 0x1}) testing/testing.go:1062 +0xa5 github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).OnDone(0xc001a222a0, 0x10ace5d?, 0xc00073c870) pkg/fuzzer/fuzzer_test.go:205 +0x23a github.com/google/syzkaller/pkg/fuzzer.(*testFuzzer).Next.(*Request).OnDone.func1(0xc004745080, 0xc00073c870) pkg/fuzzer/queue/queue.go:72 +0xa8 github.com/google/syzkaller/pkg/fuzzer/queue.(*retryer).Next.(*Request).OnDone.func1(0xc004745080, 0xc00073c870) pkg/fuzzer/queue/queue.go:78 +0xc5 github.com/google/syzkaller/pkg/fuzzer/queue.(*Request).Done(0xc004745080, 0xc00073c870) pkg/fuzzer/queue/queue.go:84 +0x74 github.com/google/syzkaller/pkg/rpcserver.(*Runner).handleExecResult(0xc0019ec000, 0xc00072bbc0) pkg/rpcserver/runner.go:265 +0x5b5 github.com/google/syzkaller/pkg/rpcserver.(*Runner).connectionLoop(0xc0019ec000) /home/dvyukov/go/src/github
---
 pkg/fuzzer/fuzzer_test.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'pkg/fuzzer')
diff --git a/pkg/fuzzer/fuzzer_test.go b/pkg/fuzzer/fuzzer_test.go
index d8c532e1a..6049ac615 100644
--- a/pkg/fuzzer/fuzzer_test.go
+++ b/pkg/fuzzer/fuzzer_test.go
@@ -200,6 +200,11 @@ func (f *testFuzzer) OnDone(req *queue.Request, res *queue.Result) bool {
 match := crashRe.FindSubmatch(res.Output)
 f.mu.Lock()
 defer f.mu.Unlock()
+ if f.finished.Load() {
+ // Don't touch f.crashes in this case b/c it can cause races with the main goroutine,
+ // and logging can cause "Log in goroutine after TestFuzz has completed" panic.
+ return true
+ }
 if match != nil {
 crash := string(match[1])
 f.t.Logf("CRASH: %s", crash)
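Review bot: The comment on the new `if f.finished.Load()` guard names the two symptoms but not the invariant that makes the guard sufficient: it is checked while holding `f.mu`, and the only visible store to `f.finished` (second hunk) happens under the same lock, so no OnDone call can slip between the check and the map write. I would extend the comment with something like `// Checked under f.mu; f.finished is only set under f.mu, so a late callback cannot pass this check.` The comment also does not say why `true` is the right result for a dropped callback; what the bool means to the queue package is not visible in this hunk, so a short `// true: treat the late result as handled` (or whatever the contract really is) would help. OnDone's body continues past the end of the hunk.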
@@ -215,7 +220,7 @@ func (f *testFuzzer) OnDone(req *queue.Request, res *queue.Result) bool { f.iter, f.fuzzer.Config.Corpus.StatProgs.Val(), f.fuzzer.Config.Corpus.StatSignal.Val(), len(f.fuzzer.Cover.maxSignal), len(f.crashes), f.fuzzer.statJobs.Val()) } - if !f.finished.Load() && (f.iter > f.iterLimit || len(f.crashes) == len(f.expectedCrashes)) { + if f.iter > f.iterLimit || len(f.crashes) == len(f.expectedCrashes) { f.done() f.finished.Store(true) } -- cgit mrf-deployment
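Review bot: With `!f.finished.Load()` dropped from this condition, the only thing preventing a second `f.done()` call is the early return added near the top of OnDone, and nothing at this site says so. A one-line comment such as `// f.finished is false here: OnDone returns early above once it is set.` would keep a later edit from moving or removing that guard unnoticed. Separately, `f.done()` still runs before `f.finished.Store(true)`; both happen under `f.mu`, so other OnDone calls cannot see the gap, but `finished` being an atomic suggests it may also be read without the lock elsewhere (not visible here), and such a reader could observe the done signal while `finished` is still false. Swapping the two lines to `f.finished.Store(true)` then `f.done()` closes that window at no cost.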