Store terminating signal in a comment instead of the filename for crashes

This helps for non-reproducible crashes as it makes sure that the original
termination signal is not lost. Also fixed a bug that caused crashing samples
to not be minimized properly.

Author: Samuel Groß

Sources/Fuzzilli/Core/Events.swift

@@ -53,7 +53,7 @@ public class Events {
     public let InvalidProgramFound = Event<Program>()
 
     /// Signals that a crashing program has been found. Dispatched after the crashing program has been minimized.
-    public let CrashFound = Event<(program: Program, behaviour: CrashBehaviour, signal: Int, isUnique: Bool, origin: ProgramOrigin)>()
+    public let CrashFound = Event<(program: Program, behaviour: CrashBehaviour, isUnique: Bool, origin: ProgramOrigin)>()
 
     /// Signals that a program causing a timeout has been found.
     public let TimeOutFound = Event<Program>()

Sources/Fuzzilli/Core/ProgramOrigin.swift

@@ -15,7 +15,7 @@
 import Foundation
 
 // Enum to identify the origin of a Program.
-public enum ProgramOrigin {
+public enum ProgramOrigin: Equatable {
     // The program was generated by this instance.
     case local
 

Sources/Fuzzilli/Evaluation/ProgramCoverageEvaluator.swift

@@ -162,7 +162,7 @@ public class ProgramCoverageEvaluator: ComponentBase, ProgramEvaluator {
         }
 
     }
-    
+
     public func evaluateCrash(_ execution: Execution) -> ProgramAspects? {
         assert(execution.outcome.isCrash())
         let result = libcoverage.cov_evaluate_crash(&context)
@@ -184,6 +184,8 @@ public class ProgramCoverageEvaluator: ComponentBase, ProgramEvaluator {
         }
 
         if let edgeSet = aspects as? CovEdgeSet {
+            // We don't minimize crashes based on the coverage, only based on the crash outcome itself
+            assert(!aspects.outcome.isCrash())
             let result = libcoverage.cov_compare_equal(&context, edgeSet.edges, edgeSet.count)
             if result == -1 {
                 logger.error("Could not compare progam executions")

Sources/Fuzzilli/Fuzzer.swift

@@ -339,7 +339,7 @@ public class Fuzzer {
             processCrash(program, withSignal: termsig, withStderr: execution.stderr, origin: origin)
         } else {
             // Non-deterministic crash
-            dispatchEvent(events.CrashFound, data: (program, behaviour: .flaky, signal: 0, isUnique: true, origin: origin))
+            dispatchEvent(events.CrashFound, data: (program, behaviour: .flaky, isUnique: true, origin: origin))
         }
     }
 
@@ -597,19 +597,21 @@ public class Fuzzer {
     /// Process a program that causes a crash.
     func processCrash(_ program: Program, withSignal termsig: Int, withStderr stderr: String, origin: ProgramOrigin) {
         func processCommon(_ program: Program) {
-            let hasStderrComment = program.comments.at(.footer)?.contains("STDERR") ?? false
-            if !hasStderrComment {
-                // Append a comment containing the content of stderr the first time a crash occurred
+            let hasCrashInfo = program.comments.at(.footer)?.contains("CRASH INFO") ?? false
+            if !hasCrashInfo {
+                program.comments.add("CRASH INFO\n==========\n", at: .footer)
+                program.comments.add("TERMSIG: \(termsig)\n", at: .footer)
                 program.comments.add("STDERR:\n" + stderr, at: .footer)
             }
+            assert(program.comments.at(.footer)?.contains("CRASH INFO") ?? false)
 
             // Check for uniqueness only after minimization
             let execution = execute(program, withTimeout: self.config.timeout * 2)
             if case .crashed = execution.outcome {
                 let isUnique = evaluator.evaluateCrash(execution) != nil
-                dispatchEvent(events.CrashFound, data: (program, .deterministic, termsig, isUnique, origin))
+                dispatchEvent(events.CrashFound, data: (program, .deterministic, isUnique, origin))
             } else {
-                dispatchEvent(events.CrashFound, data: (program, .flaky, termsig, true, origin))
+                dispatchEvent(events.CrashFound, data: (program, .flaky, true, origin))
             }
         }
 

Sources/Fuzzilli/Minimization/Verifier.swift

@@ -55,9 +55,7 @@ class ReductionVerifier {
         var stillHasAspects = false
         fuzzer.sync {
             let execution = fuzzer.execute(Program(with: code), withTimeout: fuzzer.config.timeout * 2)
-            if execution.outcome == .succeeded {
-                stillHasAspects = fuzzer.evaluator.hasAspects(execution, aspects)
-            }
+            stillHasAspects = fuzzer.evaluator.hasAspects(execution, aspects)
         }
 
         if stillHasAspects {

Sources/Fuzzilli/Modules/Storage.swift

@@ -64,7 +64,7 @@ public class Storage: Module {
         }
 
         fuzzer.registerEventListener(for: fuzzer.events.CrashFound) { ev in
-            let filename = "program_\(self.formatDate())_\(ev.program.id)_\(ev.behaviour.rawValue)_\(ev.signal)"
+            let filename = "program_\(self.formatDate())_\(ev.program.id)_\(ev.behaviour.rawValue)"
             if ev.isUnique {
                 self.storeProgram(ev.program, as: filename, in: self.crashesDir)
             } else {