Skip to content

Commit

Permalink
fixed fuzzing crash exposed by minimized `crash-9ef938bba7d752386e24f…
Browse files Browse the repository at this point in the history 
…2438c73cec66f6b972b`

==58998==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x57edaa7f0739 bp 0x7ca98cedfa40 sp 0x7ffc632b1e20 T0)
==58998==The signal is caused by a READ memory access.
==58998==Hint: address points to the zero page.
    #0 0x57edaa7f0739 in Token::exprId() const lib/token.h:884
    #1 0x57edaa7f0739 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) build/programmemory.cpp:523
    #2 0x57edaa7f0e77 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) build/programmemory.cpp:507
    #3 0x57edaa7f2f44 in fillProgramMemoryFromConditions build/programmemory.cpp:550
    #4 0x57edaa7f7e18 in fillProgramMemoryFromConditions build/programmemory.cpp:556
    #5 0x57edaa7f7e18 in ProgramMemoryState::addState(Token const*, std::unordered_map<ExprIdToken, ValueFlow::Value, ExprIdToken::Hash, std::equal_to<ExprIdToken>, std::allocator<std::pair<ExprIdToken const, ValueFlow::Value> > > const&) build/programmemory.cpp:671
    #6 0x57eda9b5575a in ValueFlowAnalyzer::updateState(Token const*) build/valueflow.cpp:4718
    #7 0x57edaa62ee68 in valueFlowGenericForward(Token*, Token const*, ValuePtr<Analyzer> const&, TokenList const&, ErrorLogger*, Settings const&) build/forwardanalyzer.cpp:1174
    #8 0x57eda9a127cc in valueFlowForward build/valueflow.cpp:3791
    #9 0x57eda9a29d40 in valueFlowSymbolic build/valueflow.cpp:7185
    #10 0x57eda9b53bbb in ValueFlowPassRunner::run(ValuePtr<ValueFlowPass> const&) const build/valueflow.cpp:11100
    #11 0x57eda99db80b in ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}::operator()(ValuePtr<ValueFlowPass> const&) const build/valueflow.cpp:11057
    #12 0x57eda99db80b in bool __gnu_cxx::__ops::_Iter_pred<ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}>::operator()<ValuePtr<ValueFlowPass> const*>(ValuePtr<ValueFlowPass> const*) /usr/include/c++/13.2.1/bits/predefined_ops.h:318
    #13 0x57eda99db80b in ValuePtr<ValueFlowPass> const* std::__find_if<ValuePtr<ValueFlowPass> const*, __gnu_cxx::__ops::_Iter_pred<ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}> >(ValuePtr<ValueFlowPass> const*, ValuePtr<ValueFlowPass> const*, __gnu_cxx::__ops::_Iter_pred<ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}>, std::random_access_iterator_tag) /usr/include/c++/13.2.1/bits/stl_algobase.h:2080
    #14 0x57eda9a456ad in ValuePtr<ValueFlowPass> const* std::__find_if<ValuePtr<ValueFlowPass> const*, __gnu_cxx::__ops::_Iter_pred<ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}> >(ValuePtr<ValueFlowPass> const*, ValuePtr<ValueFlowPass> const*, __gnu_cxx::__ops::_Iter_pred<ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}>) /usr/include/c++/13.2.1/bits/stl_algobase.h:2117
    #15 0x57eda9a456ad in ValuePtr<ValueFlowPass> const* std::find_if<ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}>(ValuePtr<ValueFlowPass> const*, ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}) /usr/include/c++/13.2.1/bits/stl_algo.h:3923
    #16 0x57eda9a456ad in bool std::none_of<ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}>(ValuePtr<ValueFlowPass> const*, ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}) /usr/include/c++/13.2.1/bits/stl_algo.h:477
    #17 0x57eda9a456ad in bool std::any_of<ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}>(ValuePtr<ValueFlowPass> const*, ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const::{lambda(ValuePtr<ValueFlowPass> const&)#1}) /usr/include/c++/13.2.1/bits/stl_algo.h:496
    #18 0x57eda9a456ad in ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass> >) const build/valueflow.cpp:11056
    #19 0x57eda9a456ad in ValueFlow::setValues(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, TimerResultsIntf*) build/valueflow.cpp:11226
    #20 0x57eda9de4bf7 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) build/tokenize.cpp:10711
    #21 0x57edaa593646 in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::istream*) build/cppcheck.cpp:909
    #22 0x57edaa5979c2 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) build/cppcheck.cpp:555
    #23 0x57edaaa60c73 in SingleExecutor::check() cli/singleexecutor.cpp:53
    #24 0x57edaaa28191 in CppCheckExecutor::check_internal(CppCheck&) const cli/cppcheckexecutor.cpp:275
    #25 0x57edaaa33f7d in CppCheckExecutor::check_wrapper(CppCheck&) cli/cppcheckexecutor.cpp:217
    #26 0x57edaaa33f7d in CppCheckExecutor::check(int, char const* const*) cli/cppcheckexecutor.cpp:201
    #27 0x57eda9928926 in main cli/main.cpp:91
    #28 0x7ca98f643ccf  (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
    #29 0x7ca98f643d89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
    #30 0x57eda9929344 in _start (/home/user/CLionProjects/cppcheck-rider/cppcheck+0x1f9344) (BuildId: f47a6a1e6b1bf052078202ec15cb5a1444d5c459)
  • Loading branch information
@firewave
firewave committed Feb 21, 2024
1 parent a9d72ac commit 1557700
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions lib/programmemory.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -274,6 +274,8 @@ static bool isBasicForLoop(const Token* tok)
void programMemoryParseCondition(ProgramMemory& pm, const Token* tok, const Token* endTok, const Settings* settings, bool then)
{
auto eval = [&](const Token* t) -> std::vector<MathLib::bigint> {
if (!t)
return std::vector<MathLib::bigint>{};
if (t->hasKnownIntValue())
return {t->values().front().intvalue};
MathLib::bigint result = 0;
Expand Down

0 comments on commit 1557700

Please sign in to comment.