[llvm-bugs] [Bug 32890] New: Demangler aborted

via llvm-bugs llvm-bugs at lists.llvm.org
Tue May 2 03:37:34 PDT 2017


https://bugs.llvm.org/show_bug.cgi?id=32890

            Bug ID: 32890
           Summary: Demangler aborted
           Product: libc++abi
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: All Bugs
          Assignee: unassignedbugs at nondot.org
          Reporter: dungnguy at comp.nus.edu.sg
                CC: llvm-bugs at lists.llvm.org, mclow.lists at gmail.com

Dear All,

This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Marcel Böhme and Van-Thuan Pham.

First, you need to build the project
(https://github.com/llvm-mirror/libcxxabi/blob/master/fuzz/cxa_demangle_fuzzer.cpp)
to obtain the binary file.

To reproduce:
$ echo "Z1JIJ1_T_EE3o00EUlT_E0" | ./cxa_demangle_fuzzer
terminate called after throwing an instance of 'std::out_of_range'
  what():  basic_string::replace: __pos (which is 7) > this->size() (which is
4)
Aborted

ASAN says:
==16916==ERROR: AddressSanitizer: negative-size-param: (size=-3)
    #0 0x4beca3 in __asan_memmove
/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:463
    #1 0x845f4a in std::__1::char_traits<char>::move(char*, char const*,
unsigned long) /usr/local/bin/../include/c++/v1/__string:219:48
    #2 0x845f4a in
_ZNSt3__112basic_stringIcNS_11char_traitsIcEEN10__cxxabiv112_GLOBAL__N_112malloc_allocIcEEE6insertIPKcEENS_9enable_ifIXaasr21__is_forward_iteratorIT_EE5valuesr38__libcpp_string_gets_noexcept_iteratorISC_EE5valueENS_11__wrap_iterIPcEEE4typeENSD_ISA_EESC_SC_
/usr/local/bin/../include/c++/v1/string:2459
    #3 0x6b169d in char const* __cxxabiv1::(anonymous
namespace)::parse_unnamed_type_name<__cxxabiv1::(anonymous namespace)::Db>(char
const*, char const*, __cxxabiv1::(anonymous namespace)::Db&)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:3079:39
    #4 0x6b169d in char const* __cxxabiv1::(anonymous
namespace)::parse_unqualified_name<__cxxabiv1::(anonymous namespace)::Db>(char
const*, char const*, __cxxabiv1::(anonymous namespace)::Db&)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:3117
    #5 0x6114bb in char const* __cxxabiv1::(anonymous
namespace)::parse_unscoped_name<__cxxabiv1::(anonymous namespace)::Db>(char
const*, char const*, __cxxabiv1::(anonymous namespace)::Db&)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:3163:26
    #6 0x6114bb in char const* __cxxabiv1::(anonymous
namespace)::parse_name<__cxxabiv1::(anonymous namespace)::Db>(char const*, char
const*, __cxxabiv1::(anonymous namespace)::Db&, bool*)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:4241
    #7 0x610bf1 in char const* __cxxabiv1::(anonymous
namespace)::parse_local_name<__cxxabiv1::(anonymous namespace)::Db>(char
const*, char const*, __cxxabiv1::(anonymous namespace)::Db&, bool*)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:4177:38
    #8 0x610bf1 in char const* __cxxabiv1::(anonymous
namespace)::parse_name<__cxxabiv1::(anonymous namespace)::Db>(char const*, char
const*, __cxxabiv1::(anonymous namespace)::Db&, bool*)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:4233
    #9 0x5efbf0 in char const* __cxxabiv1::(anonymous
namespace)::parse_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char
const*, __cxxabiv1::(anonymous namespace)::Db&)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:2273:33
    #10 0x516a6c in void __cxxabiv1::(anonymous
namespace)::demangle<__cxxabiv1::(anonymous namespace)::Db>(char const*, char
const*, __cxxabiv1::(anonymous namespace)::Db&, int&)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:4783:25
    #11 0x513761 in __cxa_demangle
/src/llvm_libcxxabi/src/cxa_demangle.cpp:5014:5
    #12 0x8ae5cb in LLVMFuzzerTestOneInput
/src/llvm_libcxxabi/fuzz/cxa_demangle_fuzzer.cpp:12:8
    #13 0x8aed77 in main /src/libfuzzer/afl/afl_driver.cpp:287:7
    #14 0x7f921af0182f in __libc_start_main
/build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x419e78 in _start
(/home/marcel/oss-fuzz/build/out/llvm_libcxxabi/master/cxa_demangle_fuzzer+0x419e78)

Address 0x7fffa2f127d8 is located in stack of thread T0 at offset 568 in frame
    #0 0x510f8f in __cxa_demangle /src/llvm_libcxxabi/src/cxa_demangle.cpp:5000

  This frame has 3 object(s):
    [32, 4144) 'a' (line 5009) <== Memory access at offset 568 is inside this
variable
    [4400, 4512) 'db' (line 5010)
    [4544, 4548) 'internal_status' (line 5012)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: negative-size-param
/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:463 in
__asan_memmove

VALGRIND says:
==16845== Process terminating with default action of signal 6 (SIGABRT)
==16845==    at 0x5710428: raise (raise.c:54)
==16845==    by 0x5712029: abort (abort.c:89)
==16845==    by 0x4EC984C: __gnu_cxx::__verbose_terminate_handler() (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==16845==    by 0x4EC76B5: ??? (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==16845==    by 0x4EC7700: std::terminate() (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==16845==    by 0x4EC7918: __cxa_throw (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==16845==    by 0x4EF03F6: std::__throw_out_of_range_fmt(char const*, ...) (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==16845==    by 0x4093FD: std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char>
>::_M_check(unsigned long, char const*) const (basic_string.h:261)
==16845==    by 0x4090DC: std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char>
>::replace(unsigned long, unsigned long, char const*, unsigned long)
(basic_string.h:1582)
==16845==    by 0x417C04: std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char>
>::replace(__gnu_cxx::__normal_iterator<char const*,
std::__cxx11::basic_string<char, std::char_traits<char>, __cxxabiv1::(anonymous
namespace)::malloc_alloc<char> > >, __gnu_cxx::_
_normal_iterator<char const*, std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char> >
>, char const*, char const*) (basic_string.h:1782)
==16845==    by 0x41BA95: __gnu_cxx::__normal_iterator<char*,
std::__cxx11::basic_string<char, std::char_traits<char>, __cxxabiv1::(anonymous
namespace)::malloc_alloc<char> > > std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char>
>::insert<char const*, void>(_
_gnu_cxx::__normal_iterator<char const*, std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char> >
>, char const*, char const*) (basic_string.h:1277)
==16845==    by 0x41B5F1: char const* __cxxabiv1::(anonymous
namespace)::parse_unnamed_type_name<__cxxabiv1::(anonymous namespace)::Db>(char
const*, char const*, __cxxabiv1::(anonymous namespace)::Db&)
(cxa_demangle.cpp:3079)

Regards,
Manh-Dung Nguyen
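For readers who want to drive the demangler from their own harness, here is an added example (not the project's fuzzer and not the reporter's code): a wrapper around abi::__cxa_demangle that checks the ABI status code and frees the returned buffer instead of trusting the output blindly. The struct and function names and the well-formed sample name are assumptions of this example; the second input is the reporter's string.

```cpp
#include <cxxabi.h>
#include <cstdio>
#include <cstdlib>
#include <string>

// Result of one demangling attempt: the ABI status code (0 ok, -1 allocation
// failure, -2 not a valid mangled name, -3 bad argument) and, on success, the
// demangled text. Names here are this example's own, not the library's.
struct DemangleResult {
    int status;
    std::string name;   // empty unless status == 0
};

// Lets the demangler allocate its own output buffer (buf == nullptr), so the
// caller does no length bookkeeping and only has to free the result.
DemangleResult demangle_checked(const std::string& mangled) {
    int status = -3;
    char* out = abi::__cxa_demangle(mangled.c_str(), nullptr, nullptr, &status);
    DemangleResult r{status, ""};
    if (status == 0 && out != nullptr) {
        r.name = out;
    }
    std::free(out);   // free(nullptr) is a no-op, so this is safe on failure
    return r;
}

int main() {
    // A well-formed name and the input from the report above; a harness should
    // log the status for every input rather than assume a string comes back.
    const char* inputs[] = {"_Z1fv", "Z1JIJ1_T_EE3o00EUlT_E0"};
    for (const char* in : inputs) {
        DemangleResult r = demangle_checked(in);
        std::printf("%s -> status %d, name \"%s\"\n", in, r.status, r.name.c_str());
    }
    return 0;
}
```

The status check only catches inputs the demangler rejects cleanly; the negative-size memmove in the report is a memory-safety defect inside the library, which is why the fuzzer is run under ASan rather than relying on caller-side checks.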
