<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Demangler aborted"
href="https://bugs.llvm.org/show_bug.cgi?id=32890">32890</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Demangler aborted
</td>
</tr>
<tr>
<th>Product</th>
<td>libc++abi
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>All Bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>dungnguy@comp.nus.edu.sg
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org, mclow.lists@gmail.com
</td>
</tr></table>
<p>
<div>
<pre>Dear All,
This bug was found with AFLGo, a directed version of AFL/AFLFast. Thanks also
to Marcel Böhme and Van-Thuan Pham.
First, you need to build the project
(<a href="https://github.com/llvm-mirror/libcxxabi/blob/master/fuzz/cxa_demangle_fuzzer.cpp">https://github.com/llvm-mirror/libcxxabi/blob/master/fuzz/cxa_demangle_fuzzer.cpp</a>)
to obtain the binary file.
To reproduce:
$ echo "Z1JIJ1_T_EE3o00EUlT_E0" | ./cxa_demangle_fuzzer
terminate called after throwing an instance of 'std::out_of_range'
what(): basic_string::replace: __pos (which is 7) > this->size() (which is 4)
Aborted
ASAN says:
==16916==ERROR: AddressSanitizer: negative-size-param: (size=-3)
#0 0x4beca3 in __asan_memmove
/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:463
#1 0x845f4a in std::__1::char_traits<char>::move(char*, char const*,
unsigned long) /usr/local/bin/../include/c++/v1/__string:219:48
#2 0x845f4a in
_ZNSt3__112basic_stringIcNS_11char_traitsIcEEN10__cxxabiv112_GLOBAL__N_112malloc_allocIcEEE6insertIPKcEENS_9enable_ifIXaasr21__is_forward_iteratorIT_EE5valuesr38__libcpp_string_gets_noexcept_iteratorISC_EE5valueENS_11__wrap_iterIPcEEE4typeENSD_ISA_EESC_SC_
/usr/local/bin/../include/c++/v1/string:2459
#3 0x6b169d in char const* __cxxabiv1::(anonymous
namespace)::parse_unnamed_type_name<__cxxabiv1::(anonymous namespace)::Db>(char
const*, char const*, __cxxabiv1::(anonymous namespace)::Db&)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:3079:39
#4 0x6b169d in char const* __cxxabiv1::(anonymous
namespace)::parse_unqualified_name<__cxxabiv1::(anonymous namespace)::Db>(char
const*, char const*, __cxxabiv1::(anonymous namespace)::Db&)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:3117
#5 0x6114bb in char const* __cxxabiv1::(anonymous
namespace)::parse_unscoped_name<__cxxabiv1::(anonymous namespace)::Db>(char
const*, char const*, __cxxabiv1::(anonymous namespace)::Db&)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:3163:26
#6 0x6114bb in char const* __cxxabiv1::(anonymous
namespace)::parse_name<__cxxabiv1::(anonymous namespace)::Db>(char const*, char
const*, __cxxabiv1::(anonymous namespace)::Db&, bool*)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:4241
#7 0x610bf1 in char const* __cxxabiv1::(anonymous
namespace)::parse_local_name<__cxxabiv1::(anonymous namespace)::Db>(char
const*, char const*, __cxxabiv1::(anonymous namespace)::Db&, bool*)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:4177:38
#8 0x610bf1 in char const* __cxxabiv1::(anonymous
namespace)::parse_name<__cxxabiv1::(anonymous namespace)::Db>(char const*, char
const*, __cxxabiv1::(anonymous namespace)::Db&, bool*)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:4233
#9 0x5efbf0 in char const* __cxxabiv1::(anonymous
namespace)::parse_type<__cxxabiv1::(anonymous namespace)::Db>(char const*, char
const*, __cxxabiv1::(anonymous namespace)::Db&)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:2273:33
#10 0x516a6c in void __cxxabiv1::(anonymous
namespace)::demangle<__cxxabiv1::(anonymous namespace)::Db>(char const*, char
const*, __cxxabiv1::(anonymous namespace)::Db&, int&)
/src/llvm_libcxxabi/src/cxa_demangle.cpp:4783:25
#11 0x513761 in __cxa_demangle
/src/llvm_libcxxabi/src/cxa_demangle.cpp:5014:5
#12 0x8ae5cb in LLVMFuzzerTestOneInput
/src/llvm_libcxxabi/fuzz/cxa_demangle_fuzzer.cpp:12:8
#13 0x8aed77 in main /src/libfuzzer/afl/afl_driver.cpp:287:7
#14 0x7f921af0182f in __libc_start_main
/build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
#15 0x419e78 in _start
(/home/marcel/oss-fuzz/build/out/llvm_libcxxabi/master/cxa_demangle_fuzzer+0x419e78)
Address 0x7fffa2f127d8 is located in stack of thread T0 at offset 568 in frame
#0 0x510f8f in __cxa_demangle /src/llvm_libcxxabi/src/cxa_demangle.cpp:5000
This frame has 3 object(s):
[32, 4144) 'a' (line 5009) <== Memory access at offset 568 is inside this variable
[4400, 4512) 'db' (line 5010)
[4544, 4548) 'internal_status' (line 5012)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: negative-size-param
/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:463 in
__asan_memmove
VALGRIND says:
==16845== Process terminating with default action of signal 6 (SIGABRT)
==16845== at 0x5710428: raise (raise.c:54)
==16845== by 0x5712029: abort (abort.c:89)
==16845== by 0x4EC984C: __gnu_cxx::__verbose_terminate_handler() (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==16845== by 0x4EC76B5: ??? (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==16845== by 0x4EC7700: std::terminate() (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==16845== by 0x4EC7918: __cxa_throw (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==16845== by 0x4EF03F6: std::__throw_out_of_range_fmt(char const*, ...) (in
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)
==16845== by 0x4093FD: std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char>
>::_M_check(unsigned long, char const*) const (basic_string.h:261)
==16845== by 0x4090DC: std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char>
>::replace(unsigned long, unsigned long, char const*, unsigned long)
(basic_string.h:1582)
==16845== by 0x417C04: std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char>
>::replace(__gnu_cxx::__normal_iterator<char const*,
std::__cxx11::basic_string<char, std::char_traits<char>, __cxxabiv1::(anonymous
namespace)::malloc_alloc<char> > >,
__gnu_cxx::__normal_iterator<char const*, std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char> >
>, char const*, char const*) (basic_string.h:1782)
==16845== by 0x41BA95: __gnu_cxx::__normal_iterator<char*,
std::__cxx11::basic_string<char, std::char_traits<char>, __cxxabiv1::(anonymous
namespace)::malloc_alloc<char> > > std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char>
>::insert<char const*, void>(
__gnu_cxx::__normal_iterator<char const*, std::__cxx11::basic_string<char,
std::char_traits<char>, __cxxabiv1::(anonymous namespace)::malloc_alloc<char> >
>, char const*, char const*) (basic_string.h:1277)
==16845== by 0x41B5F1: char const* __cxxabiv1::(anonymous
namespace)::parse_unnamed_type_name<__cxxabiv1::(anonymous namespace)::Db>(char
const*, char const*, __cxxabiv1::(anonymous namespace)::Db&)
(cxa_demangle.cpp:3079)
Regards,
Manh-Dung Nguyen</pre>
</div>
</p>
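<p>The report above reproduces the abort by piping one input into the project's libFuzzer harness. The following is an added example, not code from the bug report or from libc++abi: a stand-alone regression harness in the spirit of fuzz/cxa_demangle_fuzzer.cpp that feeds the reported crash input "Z1JIJ1_T_EE3o00EUlT_E0" (and a few constructed well-formed names) to whichever __cxa_demangle the platform's <cxxabi.h> provides, frees the malloc'd result, and checks the behaviour a caller is entitled to rely on: the call returns rather than aborting, the status is one of the four documented values, and a non-null buffer goes together with status 0. It assumes a Linux or macOS toolchain with <cxxabi.h>; it does not assert which status the crash input gets, since that depends on the demangler implementation and version.</p>

```cpp
// Added example (not from the bug report or libc++abi): a minimal
// stand-alone harness modelled on the fuzzer in the report. It wraps
// __cxa_demangle so an input that once aborted the demangler can be kept
// as a regression test that checks for a clean error status instead.
#include <cxxabi.h>
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

struct DemangleResult {
    int status;        // 0 ok, -1 allocation failure, -2 invalid name, -3 invalid args
    std::string text;  // demangled name when status == 0, empty otherwise
};

// Call the platform __cxa_demangle, copy the result, and free the buffer it
// allocated with malloc so callers never leak it regardless of status.
DemangleResult demangle(const std::string &mangled) {
    int status = 0;
    char *out = abi::__cxa_demangle(mangled.c_str(), nullptr, nullptr, &status);
    DemangleResult r{status, out ? std::string(out) : std::string()};
    std::free(out);
    return r;
}

// Implementation-independent invariants: the call returned (no abort), the
// status is within the documented range, and output and status agree.
bool well_behaved(const std::string &mangled) {
    DemangleResult r = demangle(mangled);
    bool status_in_range = r.status >= -3 && r.status <= 0;
    bool consistent = (r.status == 0) == !r.text.empty();
    return status_in_range && consistent;
}

// The exact input from the report, embedded here as a constant (note it
// lacks the "_Z" prefix, so the demangler treats it as a bare type).
const char *const kCrashInput = "Z1JIJ1_T_EE3o00EUlT_E0";

int main() {
    // Constructed inputs: the crash case, two valid names, and the empty string.
    std::vector<std::string> inputs = {kCrashInput, "_Z1fv", "_ZN3foo3barEi", ""};
    for (const auto &in : inputs) {
        DemangleResult r = demangle(in);
        std::cout << '"' << in << "\" -> status " << r.status;
        if (r.status == 0) std::cout << " : " << r.text;
        std::cout << (well_behaved(in) ? "  [ok]" : "  [INCONSISTENT]") << '\n';
    }
    return 0;
}
```

<p>Build with the sanitizer the report used (for example <code>clang++ -fsanitize=address -g harness.cpp</code>) so that a regression in the demangler shows up as an ASan report rather than a bare SIGABRT; on a fixed libc++abi, or on libstdc++'s demangler, the crash input should come back with a nonzero status and the loop should print <code>[ok]</code> for every line.</p>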
</body>
</html>