-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fixed fuzzing crash #6005
fixed fuzzing crash #6005
Conversation
==332324==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x5602eb271504 bp 0x7ffe7cc5b430 sp 0x7ffe7cc5b420 T0) ==332324==The signal is caused by a READ memory access. ==332324==Hint: address points to the zero page. #0 0x5602eb271504 in previous /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:867:16 #1 0x5602eb271504 in tokAtImpl<const Token, void> /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/token.cpp:796:20 danmar#2 0x5602eb271504 in tokAt /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/token.cpp:804:12 danmar#3 0x5602eb271504 in Token::strAt[abi:cxx11](int) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/token.cpp:834:30 danmar#4 0x5602ea7a2a76 in skipPointers(Token const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7573:18 danmar#5 0x5602ea7a4555 in skipPointersAndQualifiers(Token const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7588:11 danmar#6 0x5602ea79fc18 in Scope::isVariableDeclaration(Token const*, Token const*&, Token const*&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7639:27 danmar#7 0x5602ea704b0b in Scope::checkVariable(Token const*, AccessControl, Settings const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7520:16 danmar#8 0x5602ea79adc0 in Scope::getVariableList(Settings const&, Token const*, Token const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7466:15 danmar#9 0x5602ea6b687d in getVariableList /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:7358:9 danmar#10 0x5602ea6b687d in SymbolDatabase::createSymbolDatabaseVariableInfo() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:3376:15 danmar#11 0x5602ea699ec3 in SymbolDatabase::SymbolDatabase(Tokenizer&, Settings const&, ErrorLogger*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/symboldatabase.cpp:2616:5 danmar#12 0x5602ea4e75f7 in createSymbolDatabase /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:17214:31 danmar#13 0x5602ea4e75f7 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:10687:9 danmar#14 0x5602eae99afd in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:909:32 danmar#15 0x5602eaea4e81 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:561:12 danmar#16 0x5602eb321fa4 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:47:18 danmar#17 0x5602e9feb1e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x6831e8) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) danmar#18 0x5602e9febec0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x683ec0) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) danmar#19 0x5602e9fecf51 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x684f51) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) danmar#20 0x5602e9fedd77 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x685d77) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) danmar#21 0x5602e9fce262 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x666262) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) danmar#22 0x5602e9f53f77 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5ebf77) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) danmar#23 0x7f9479558ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) danmar#24 0x7f9479558d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) danmar#25 0x5602e9fb8004 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x650004) (BuildId: 0f5e574f57ecf785c77394bbb6c8fcd6e24d8c57) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:867:16 in previous
The trace is in the individual commit message. I also did not minimize the code. I was a bit too optimistic in my previous PR. This is the last one which is easy to fix. The remaining ones (which are even blocking finding further issues) are an assert and an infinite loop which cannot be simply fixed by checking for a null pointer. I will file tickets about those nonetheless. I will not pursuing this that much further for now and will file tickets about further steps. |
No description provided.