Can ASAN_OPTIONS be configured when running fuzzers?

[alexcrichton]

We've recently added the wasmtime project to oss-fuzz. The wasmtime project is a WebAssembly JIT compiler and runtime for a bit of background, and we've been getting some interesting fuzz bug reports which I think may be related to ASAN_OPTIONS a bit.

It looks like ASAN_OPTIONS for our runs has configuration like allow_user_segv_handler=0 or handle_sigill=1. The JIT, however, uses segfaults to detect out-of-bounds memory reads/writes and we use ud2/SIGILL to implement the unreachable WebAssembly instruction. In other words we install SIGSEGV and SIGILL signal handlers and end up handling any signals coming from wasm. (although we try to forward any non-wasm-originating signals to the previous handler or the OS)

Is it possible to configure ASAN_OPTIONS when the fuzzers are running to tweak these options? I'm not entirely well-versed on the internals of libfuzzer here and what's going on. We've been unable to reproduce any of the fuzz bugs found locally, but as soon as I set the same ASAN_OPTIONS as we found in the build logs the bugs reproduced very quickly. I believe that means that if we remove ASAN_OPTIONS entirely we should be able to work just fine.

In any case I wanted to ask here to see what our various options were (if any) for handling these issues!

[alexcrichton]

This may also just boil down to #675, although I wasn't certain about the current state of that bug since removing ASAN_OPTIONS locally causes the test cases to pass.

[Dor1s]

I think it's doable via .options file, but might be not documented. //cc @jonathanmetzman who would likely remember how that can be done

[Dor1s]

Also, need to evaluate whether this might be a general issue for Rust fuzzing. In that case google/clusterfuzz#1407 would be a good place to discuss / track it.

[alexcrichton]

Thanks for the info @Dor1s! Digging in it looks like that file is used to pass options to the sanitizer (e.g. -foo=bar), but running locally I'm unfortunately not sure that they'll work for us. I checked out our SIGILL and SIGSEGV crashes and was able to reproduce locally, but wasn't able to pass any flags to the binary to get the binary working again.

I may be a bit confused though because the CLI flags seem like they're a bit different from ASAN_OPTIONS as an env var. According to this though it may not be possible to override the env var though?

Also FWIW this is unlikely to be Rust-specific but rather JIT/wasm specific which use signals for these things, although I could be wrong!

[Dor1s]

I was checking the code yesterday, I think this can be achieved by adding <fuzzer_binary_name>.options file in the $OUT/ directory with the following contents:

[asan]
allow_user_segv_handler=0
handle_sigill=1

Thanks for claryfing that this is not Rust specific in general -- that's good :)

[alexcrichton]

Ok thanks again for your help @Dor1s! Looks like everything is ship shape now and this is taken care of!