Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fixed fuzzing crash #6005

Merged
merged 1 commit into from
Feb 20, 2024
Merged

fixed fuzzing crash #6005

merged 1 commit into from
Feb 20, 2024

Conversation

firewave
Copy link
Collaborator

No description provided.

@firewave
fixed fuzzing crash
1f2e49e 
==332324==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x5602eb271504 bp 0x7ffe7cc5b430 sp 0x7ffe7cc5b420 T0)
==332324==The signal is caused by a READ memory access.
==332324==Hint: address points to the zero page.
    #0 0x5602eb271504 in previous /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:867:16
    #1 0x5602eb271504 in tokAtImpl<const Token, void> /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/token.cpp:796:20
    danmar#2 0x5602eb271504 in tokAt /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/token.cpp:804:12
    danmar#3 0x5602eb271504 in Token::strAt[abi:cxx11](int) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/token.cpp:834:30
    danmar#4 0x5602ea7a2a76 in skipPointers(Token const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7573:18
    danmar#5 0x5602ea7a4555 in skipPointersAndQualifiers(Token const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7588:11
    danmar#6 0x5602ea79fc18 in Scope::isVariableDeclaration(Token const*, Token const*&, Token const*&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7639:27
    danmar#7 0x5602ea704b0b in Scope::checkVariable(Token const*, AccessControl, Settings const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7520:16
    danmar#8 0x5602ea79adc0 in Scope::getVariableList(Settings const&, Token const*, Token const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7466:15
    danmar#9 0x5602ea6b687d in getVariableList /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7358:9
    danmar#10 0x5602ea6b687d in SymbolDatabase::createSymbolDatabaseVariableInfo() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:3376:15
    danmar#11 0x5602ea699ec3 in SymbolDatabase::SymbolDatabase(Tokenizer&, Settings const&, ErrorLogger*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:2616:5
    danmar#12 0x5602ea4e75f7 in createSymbolDatabase /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:17214:31
    danmar#13 0x5602ea4e75f7 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:10687:9
    danmar#14 0x5602eae99afd in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:909:32
    danmar#15 0x5602eaea4e81 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:561:12
    danmar#16 0x5602eb321fa4 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:47:18
    danmar#17 0x5602e9feb1e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x6831e8) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57)
    danmar#18 0x5602e9febec0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x683ec0) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57)
    danmar#19 0x5602e9fecf51 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x684f51) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57)
    danmar#20 0x5602e9fedd77 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x685d77) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57)
    danmar#21 0x5602e9fce262 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x666262) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57)
    danmar#22 0x5602e9f53f77 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5ebf77) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57)
    danmar#23 0x7f9479558ccf  (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    danmar#24 0x7f9479558d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    danmar#25 0x5602e9fb8004 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x650004) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:867:16 in previous
@firewave
Copy link
Collaborator Author

The trace is in the individual commit message. I also did not minimize the code.

I was a bit too optimistic in my previous PR. This is the last one which is easy to fix. The remaining ones (which are even blocking finding further issues) are an assert and an infinite loop which cannot be simply fixed by checking for a null pointer. I will file tickets about those nonetheless.

I will not pursuing this that much further for now and will file tickets about further steps.

@chrchr-github chrchr-github merged commit ac48167 into danmar:main Feb 20, 2024
64 checks passed
@firewave firewave deleted the fuzz-xx branch February 20, 2024 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@firewave @chrchr-github