<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - libfuzzer fails to print stack trace for invalid pcs"
href="https://bugs.llvm.org/show_bug.cgi?id=47738">47738</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>libfuzzer fails to print stack trace for invalid pcs
</td>
</tr>
<tr>
<th>Product</th>
<td>compiler-rt
</td>
</tr>
<tr>
<th>Version</th>
<td>11.0
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>fuzzer
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>mvanotti@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr></table>
<p>
<div>
<pre>It looks like libfuzzer's libunwind fails to print stack traces if the failing
PC is invalid (for example, the NULL pointer).
Here's an example:
```c++
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
// Call through a function pointer to an address that is not mapped in the
// process, so the fault happens with pc == 0x123000 rather than on a data access.
static void bar(void) {
  void (*foo)() = reinterpret_cast<void (*)()>(0x123000);
  foo();
}
// libFuzzer entry point; every input reaches the bad call above.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  bar();
  return 0;
}
```
Compiling it with: clang++ -fsanitize=fuzzer,address fuzzer.cc -o fuzzer
Gives the following output:
```
$ ./fuzzer
INFO: Seed: 4199019790
INFO: Loaded 1 modules (2 inline 8-bit counters): 2 [0x5abe80, 0x5abe82),
INFO: Loaded 1 PC tables (2 PCs): 2 [0x56fcc8,0x56fce8),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3940891==ERROR: AddressSanitizer: SEGV on unknown address 0x000000123000 (pc 0x000000123000 bp 0x7fff64977760 sp 0x7fff64977738 T0)
==3940891==The signal is caused by a READ memory access.
Segmentation fault
```
When we call it with ASAN_OPTIONS="fast_unwind_on_fatal=1", we see more of the
backtrace, but it is missing one function call level.
```
=================================================================
==3942650==ERROR: AddressSanitizer: SEGV on unknown address 0x000000123000 (pc 0x000000123000 bp 0x7ffce19deea0 sp 0x7ffce19dee78 T0)
==3942650==The signal is caused by a READ memory access.
#0 0x122fff (<unknown module>)
#1 0x555acc in LLVMFuzzerTestOneInput (/data/test/fuzzer+0x555acc)
#2 0x45d621 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/data/test/fuzzer+0x45d621)
```</pre>
</div>
</p>
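<p>
<div>
<pre>A small triage helper for reports like the two above, added here as an example; it is not part of the bug report or of compiler-rt. It assumes the report lines are unbroken (the wrapping above comes from the mail) and flags the two symptoms described: no frames at all, and a frame-pointer walk whose first symbolized frame is the caller of the function that made the bad call. The sample reports are constructed from the output quoted above.
```python
import re
# Constructed samples: the two reports quoted in the bug, with the "(pc ...)"
# line re-joined as AddressSanitizer actually prints it (the mail wrapped it).
REPORT_NO_TRACE = """\
==3940891==ERROR: AddressSanitizer: SEGV on unknown address 0x000000123000 (pc 0x000000123000 bp 0x7fff64977760 sp 0x7fff64977738 T0)
==3940891==The signal is caused by a READ memory access.
"""
REPORT_FAST_UNWIND = """\
==3942650==ERROR: AddressSanitizer: SEGV on unknown address 0x000000123000 (pc 0x000000123000 bp 0x7ffce19deea0 sp 0x7ffce19dee78 T0)
==3942650==The signal is caused by a READ memory access.
    #0 0x122fff (<unknown module>)
    #1 0x555acc in LLVMFuzzerTestOneInput (/data/test/fuzzer+0x555acc)
    #2 0x45d621 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/data/test/fuzzer+0x45d621)
"""
SEGV_RE = re.compile(r"SEGV on unknown address 0x([0-9a-f]+) \(pc\s+0x([0-9a-f]+) bp 0x([0-9a-f]+) sp 0x([0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x([0-9a-f]+)(?: in (.+?))?\s+\(([^()]*)\)\s*$", re.M)

def parse_segv(report):
    # Returns fault/pc/bp/sp and frames as (index, addr, func, module), or None.
    m = SEGV_RE.search(report)
    if m is None:
        return None
    fault, pc, bp, sp = (int(x, 16) for x in m.groups())
    frames = [(int(n), int(addr, 16), func or None, mod)
              for n, addr, func, mod in FRAME_RE.findall(report)]
    return {"fault": fault, "pc": pc, "bp": bp, "sp": sp, "frames": frames}

def triage(report):
    # Explains why the report is hard to read and what to try next.
    info = parse_segv(report)
    if info is None:
        return "not an ASan SEGV report"
    notes = []
    bad_pc = info["pc"] == info["fault"]
    if bad_pc:  # the faulting address is the instruction pointer itself, i.e.
        # execution was transferred to an unmapped address (call via bad pointer)
        notes.append("pc == fault address: control transfer to invalid pc")
    if not info["frames"]:
        notes.append("no stack trace, rerun with ASAN_OPTIONS=fast_unwind_on_fatal=1")
        return "; ".join(notes)
    unknown = [n for n, _, _, mod in info["frames"] if mod == "<unknown module>"]
    if unknown:
        notes.append("frame #%d lies outside every loaded module" % unknown[0])
    named = [func for _, _, func, _ in info["frames"] if func]
    if named:
        notes.append("first symbolized frame: " + named[0].split("(")[0])
    if bad_pc:
        # The fault hit before any prologue ran, so bp still belongs to the
        # function that made the bad call; a frame-pointer walk then reports
        # that function's caller next and the function itself never appears.
        notes.append("frame-pointer unwind likely skipped the calling function")
    return "; ".join(notes)
```</pre>
</div>
</p>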
</body>
</html>