<html>

    <head>

      <base href="https://bugs.llvm.org/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Signal-unsafe calls (mallocs) in signal handlers causes deadlocks or heap corruption"

   href="https://bugs.llvm.org/show_bug.cgi?id=44369">44369</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Signal-unsafe calls (mallocs) in signal handlers causes deadlocks or heap corruption

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>compiler-rt

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>PC

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>fuzzer

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>unassignedbugs@nondot.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>ahmad.hazimeh@epfl.ch

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>llvm-bugs@lists.llvm.org

          </td>

        </tr></table>

      <p>

        <div>

        <pre>libFuzzer registers signal handlers to intercept signals and report. In almost

all the handlers, malloc() is being implicitly called (by constructing strings,

vectors, or other objects). malloc is not a signal-safe function and should not

be called within signal handlers.

For most signals, this issue is of little concern, since it is probably

unlikely that malloc itself will crash that often. However, for the timeout

signal (SIGALRM), it is possible that the signal is received inside a malloc

call. For a multithreaded application, glibc malloc obtains the lock over the

arena during its operation. If the libFuzzer timeout occurs while the

application is inside the malloc call and the arena is locked, the signal

handler would attempt to lock it again and would deadlock.

In my tests, the deadlock occured in DumpCurrentUnit when it constructs the

uint8_t vector (Unit) from CurrentUnitData and UnitSize.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are on the CC list for the bug.</li>

      </ul>

    </body>

</html>