trailofbits / sienna-locomotive

A user-friendly fuzzing and crash triage tool for Windows
https://blog.trailofbits.com/user-friendly-fuzzing-with-sienna-locomotive
GNU Affero General Public License v3.0

Handle crashes in multiple children #223

Closed woodruffw closed 6 years ago

woodruffw commented 6 years ago

We handle multiple children correctly as of #176, but we don't handle the following case:

  1. A spawns B
  2. We fuzz targets within both A and B
  3. B crashes
  4. A crashes because it was relying on B

Currently, B's initial.dmp will be clobbered by A's initial.dmp, likely leading to nonsensical tracer results. As such, we probably need to distinguish dumps and other crash-related files by PID, e.g. initial.XXXX.dmp, crash.XXXX.json, etc. This will make the task of enumerating crash files a little more tedious, of course.
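
An added illustration of the clobbering described above and of the PID-suffixed scheme proposed as a fix; this is example code written for this page, not Sienna Locomotive's harness code. The file layout (`initial.<pid>.dmp`, `crash.<pid>.json`) follows the naming sketched in the comment; the `time` key inside `crash.json`, the run directory, and the sample crash records are constructed assumptions for the demo. The legacy writer shows the failure mode (the second writer silently overwrites the first), the PID-qualified writer refuses to clobber, and the enumerator groups artifacts per PID so a triage pass can pick the earliest crash, which in the A-depends-on-B scenario is the one worth looking at first.

```python
import json
import os
import re
import tempfile
from collections import defaultdict

# Proposed naming from the issue: initial.XXXX.dmp / crash.XXXX.json, XXXX = crashing PID.
CRASH_FILE_RE = re.compile(r"^(?P<kind>initial|crash)\.(?P<pid>\d+)\.(?P<ext>dmp|json)$")


def crash_artifact_name(kind, pid, ext):
    """Build a PID-qualified artifact name, e.g. initial.1234.dmp."""
    return f"{kind}.{pid}.{ext}"


def legacy_write_dump(run_dir, minidump_bytes):
    """The current behaviour: a fixed 'initial.dmp' name, so a second crashing
    process overwrites whatever the first one wrote."""
    path = os.path.join(run_dir, "initial.dmp")
    with open(path, "wb") as f:
        f.write(minidump_bytes)
    return path


def write_crash_artifacts(run_dir, pid, crash_info, minidump_bytes):
    """Write one process's dump and crash record under PID-qualified names.
    A PID is only reused after the process exits, so an existing file for this
    PID means the caller is wrong; refuse rather than clobber."""
    dmp = os.path.join(run_dir, crash_artifact_name("initial", pid, "dmp"))
    js = os.path.join(run_dir, crash_artifact_name("crash", pid, "json"))
    for path in (dmp, js):
        if os.path.exists(path):
            raise FileExistsError(path)
    with open(dmp, "wb") as f:
        f.write(minidump_bytes)
    with open(js, "w") as f:
        json.dump(dict(crash_info, pid=pid), f)
    return dmp, js


def enumerate_crashes(run_dir):
    """Group PID-qualified artifacts by PID: {pid: {"dmp": path, "json": path}}.
    Legacy unqualified files (initial.dmp / crash.json) are reported under PID 0
    so older run directories still enumerate."""
    crashes = defaultdict(dict)
    for name in os.listdir(run_dir):
        m = CRASH_FILE_RE.match(name)
        if m:
            crashes[int(m.group("pid"))][m.group("ext")] = os.path.join(run_dir, name)
        elif name in ("initial.dmp", "crash.json"):
            crashes[0][name.split(".")[1]] = os.path.join(run_dir, name)
    return dict(crashes)


def earliest_crash(crashes):
    """Return the PID whose crash record has the smallest 'time' (an assumed
    field for this demo, not a real Sienna Locomotive key). When A crashed
    because B went away, B's earlier crash is the root cause to triage."""
    best = None
    for pid, files in crashes.items():
        if "json" not in files:
            continue
        with open(files["json"]) as f:
            t = json.load(f)["time"]
        if best is None or t < best[1]:
            best = (pid, t)
    return best[0] if best else None


def clobber_demo():
    """Constructed scenario: B (4242) dumps first, then A (1111). With the fixed
    name only A's bytes survive, so the tracer would analyse the wrong process."""
    run_dir = tempfile.mkdtemp(prefix="sl_legacy_")
    legacy_write_dump(run_dir, b"MDMP-B")
    path = legacy_write_dump(run_dir, b"MDMP-A")
    with open(path, "rb") as f:
        return f.read()


def per_pid_demo():
    """Same scenario with PID-qualified names: both dumps survive and the
    enumerator can tell which crash came first."""
    run_dir = tempfile.mkdtemp(prefix="sl_run_")
    write_crash_artifacts(run_dir, 4242, {"exception": "EXCEPTION_ACCESS_VIOLATION", "time": 100.0}, b"MDMP-B")
    write_crash_artifacts(run_dir, 1111, {"exception": "EXCEPTION_ACCESS_VIOLATION", "time": 100.5}, b"MDMP-A")
    crashes = enumerate_crashes(run_dir)
    return crashes, earliest_crash(crashes)


if __name__ == "__main__":
    print("legacy survivor:", clobber_demo())
    crashes, root = per_pid_demo()
    print("per-pid crashes:", sorted(crashes), "root:", root)
```

The enumerator deliberately keeps the old unqualified names readable under PID 0, since existing run directories will not have the suffix; the extra bookkeeping is the "a little more tedious" cost the comment anticipates.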

woodruffw commented 6 years ago

Multiple children also have consequences for index-based function targeting: each child has its own copy of call_counts in the Wizard, so our indexes are almost certainly incorrect when dealing with multiple children (this would explain the inconsistency with LibreOffice).

Might be a good reason to switch the default away from index-based targeting for the beta.