<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - [Win] libFuzzer: deadly signal"
href="https://bugs.llvm.org/show_bug.cgi?id=40084">40084</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[Win] libFuzzer: deadly signal
</td>
</tr>
<tr>
<th>Product</th>
<td>compiler-rt
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Windows NT
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>fuzzer
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>mikhail.strelnikov@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>C:\>type fuzz.cpp
// Minimal type whose destructor must run while an exception is unwinding
// through LLVMFuzzerTestOneInput below. Keep the shape verbatim when
// reproducing: the reporter notes that -O1 is fine while -O2/-O3 crash, so
// the optimizer's treatment of this destructor is presumably what matters.
struct a
{
// Self-referential pointer assigned in the constructor; never read afterwards.
a * b;
// Loop bound used by the destructor. It is always 0 here, so the loop body
// is never entered.
int c = 0;
a() {
b = this;
}
// Empty-bodied loop with no side effects. With c == 0 it does not execute;
// for any non-zero c it would never terminate, which C++ lets the optimizer
// assume cannot happen (forward-progress rule), so the loop is likely
// removed at higher optimization levels. This is the reduction of the
// std::deque destructor in the original example further down.
~a() {
for (auto k = c; 0 != k;) {
}
}
};
// Empty tag type used as the exception object thrown below.
struct e {
};
// Fuzz entry point written as a function-try-block: `_` is constructed, an
// `e` is thrown, and the unwinder has to run ~a() before control reaches the
// handler. In the stack trace above, frames #11-#16 (LLVMFuzzerTestOneInput
// -> _CallSettingFrame -> __FrameHandler3::FrameUnwindToState) show the
// deadly signal is raised from inside that unwind, i.e. before the catch
// clause executes. The input bytes are ignored, so the crash does not depend
// on fuzzer-generated data. No header is included for size_t; it compiled in
// the reporter's environment, but a portable reproducer would add <cstddef>.
extern "C" int LLVMFuzzerTestOneInput(unsigned char const *, size_t)
try {
a _;
throw e{};
}
catch (e const &) {
return 0;
}
(compiling with
<a href="https://prereleases.llvm.org/win-snapshots/LLVM-8.0.0-r347735-win64.exe">https://prereleases.llvm.org/win-snapshots/LLVM-8.0.0-r347735-win64.exe</a>)
C:\>"C:\Program Files\LLVM\bin\clang++.exe" -O3 -fuse-ld=lld
-fsanitize=fuzzer,address fuzz.cpp -std=c++2a -o fuzz.exe && fuzz.exe
INFO: Seed: 3469642180
INFO: Loaded 1 modules (2 inline 8-bit counters): 2 [00007FF7603D5448,
00007FF7603D544A),
INFO: Loaded 1 PC tables (2 PCs): 2 [00007FF7603AFCA0,00007FF7603AFCC0),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than
4096 bytes
==14168== ERROR: libFuzzer: deadly signal
#0 0x7ff76028d424 in __sanitizer_print_stack_trace
C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\asan\asan_stack.cc:38
#1 0x7ff760235e98 in fuzzer::PrintStackTrace
C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerUtil.cpp:206
#2 0x7ff760256b61 in fuzzer::Fuzzer::CrashCallback
C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:237
#3 0x7ff760256b24 in fuzzer::Fuzzer::StaticCrashSignalCallback
C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:209
#4 0x7ff7602312a1 in fuzzer::ExceptionHandler
C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerUtilWindows.cpp
#5 0x7ff8bc7a53ab in UnhandledExceptionFilter+0x1bb
(C:\WINDOWS\System32\KERNELBASE.dll+0x1800853ab)
#6 0x7ff8c05d80ca in memset+0x1c8a
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800a80ca)
#7 0x7ff8c05bfd25 in _C_specific_handler+0x95
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x18008fd25)
#8 0x7ff8c05d467e in _chkstk+0x11e
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800a467e)
#9 0x7ff8c0534bee in RtlWalkFrameChain+0x14be
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x180004bee)
#10 0x7ff8c05d33ed in KiUserExceptionDispatcher+0x2d
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800a33ed)
#11 0x7ff7602aeef1 in LLVMFuzzerTestOneInput+0x181
(C:\fuzz.exe+0x14007eef1)
#12 0x7ff760369f8f in _CallSettingFrame
d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\amd64\handlers.asm:49
#13 0x7ff760348bbe in __FrameHandler3::FrameUnwindToState
d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\frame.cpp:1211
#14 0x7ff76030a573 in __FrameHandler3::FrameUnwindToEmptyState
d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\risctrnsctrl.cpp:236
#15 0x7ff760349d91 in __InternalCxxFrameHandler<__FrameHandler3>
d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\frame.cpp:312
#16 0x7ff76030b0b8 in __CxxFrameHandler3
d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\risctrnsctrl.cpp:262
#17 0x7ff8c05d46fe in _chkstk+0x19e
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800a46fe)
#18 0x7ff8c053600b in RtlUnwindEx+0x51b
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x18000600b)
#19 0x7ff8c05bfd68 in _C_specific_handler+0xd8
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x18008fd68)
#20 0x7ff8c05d467e in _chkstk+0x11e
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800a467e)
#21 0x7ff8c0534bee in RtlWalkFrameChain+0x14be
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x180004bee)
#22 0x7ff8c05389e5 in RtlRaiseException+0x315
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800089e5)
#23 0x7ff8bc775298 in RaiseException+0x68
(C:\WINDOWS\System32\KERNELBASE.dll+0x180055298)
#24 0x7ff760309fb0 in _CxxThrowException
d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\throw.cpp:129
#25 0x7ff7602aeeb0 in LLVMFuzzerTestOneInput+0x140
(C:\fuzz.exe+0x14007eeb0)
#26 0x7ff76025854f in fuzzer::Fuzzer::ExecuteCallback
C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:571
#27 0x7ff760259f86 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora
C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:761
#28 0x7ff76025a682 in fuzzer::Fuzzer::Loop
C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:806
#29 0x7ff76026b4f8 in fuzzer::FuzzerDriver
C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerDriver.cpp:764
#30 0x7ff760231022 in main
C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerMain.cpp:20
#31 0x7ff760309c77 in __scrt_common_main_seh
d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#32 0x7ff8c0307e93 in BaseThreadInitThunk+0x13
(C:\WINDOWS\System32\KERNEL32.DLL+0x180017e93)
#33 0x7ff8c059a250 in RtlUserThreadStart+0x20
(C:\WINDOWS\SYSTEM32\ntdll.dll+0x18006a250)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash
reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
artifact_prefix='./'; Test unit written to
./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64:
The reduced example above was derived from the following original, which crashes the same way:
#include <deque>
// Original (un-reduced) form of the reproducer: a std::deque local is
// destroyed during unwinding of an exception thrown from a function-try-block.
// struct a above is the reduction of this; the deque's element-destruction
// loop became the empty `for` in ~a().
// NOTE(review): std::exception(const char *) is an MSVC STL extension, not a
// standard constructor; the reduced version avoids it by throwing an empty
// user type instead.
int f()
try
{
std::deque<int> s;
throw std::exception("");
}
catch(std::exception const & e)
{
return 0;
}
// Thin fuzz entry point: ignores the input and delegates to f(). uint8_t is
// used without an explicit <cstdint> include (presumably pulled in
// transitively via <deque>); add it for a self-contained reproducer.
extern "C" int LLVMFuzzerTestOneInput(uint8_t const *, size_t)
{
return f();
}
Note: at -O1 the same program runs fine; -O2 and -O3 both crash. The crash also fires on the initial empty input (MS: 0, and the artifact name is the SHA-1 of the empty string), so it is independent of any fuzzer-generated data, which suggests a problem in the compiled unwind path rather than in the fuzz target itself.</pre>
</div>
</p>
</body>
</html>