[llvm-dev] fuzzer crash (but not the good kind)

Kostya Serebryany via llvm-dev llvm-dev at lists.llvm.org
Tue Dec 1 17:26:32 PST 2015


Hi Brian,
Yes, looks like a bug in sanitizer coverage, please send the reproducer.

On Tue, Dec 1, 2015 at 5:22 PM, Brian Cain <brian.cain at gmail.com> wrote:

>
> Kostya,
>
> I think I've found what looks like a reproducible bug in libFuzzer.  The
> code under test is built with ASan and the first ASan CHECK failure shows
> fuzzer in the stack trace.  (see below)
>
> One of the factors that may be unique in my testing is that each iteration
> can take a very long time to execute (tens or hundreds of seconds).
>
> Let me know if you need more info; I think it shouldn't take much test
> time to reproduce this.
>
> ================== Job 2 exited with exit code 256 ============
> Flag: verbosity 3
> Flag: use_traces 1
> Flag: timeout 100
> Flag: max_len 16384
> Seed: 3259211893
> PreferSmall: 0
> #0      READ   units: 4975 exec/s: 0
> #1      pulse  cov: 32410 bits: 30791 indir: 714 units: 4975 exec/s: 0
> NEW0: 32410 L 13869
> ==31301==AddressSanitizer CHECK failed:
> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467
> "((n % 16)) == ((0))" (0x1, 0x0)
>     #0 0x11d3b7 in __asan::AsanCheckFailed(char const*, int, char const*,
> unsigned long long, unsigned long long)
> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:67:3
>     #1 0x122f1f in __sanitizer::CheckFailed(char const*, int, char const*,
> unsigned long long, unsigned long long)
> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159:5
>     #2 0x134317 in
> __sanitizer::CoverageData::Update8bitCounterBitsetAndClearCounters(unsigned
> char*)
> /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467:5
>     #3 0x1b7b53 in fuzzer::Fuzzer::PrepareCoverageBeforeRun()
> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:264:5
>     #4 0x1b501b in fuzzer::Fuzzer::RunOne(std::vector<unsigned char,
> std::allocator<unsigned char> > const&)
> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:212:3
>     #5 0x1b6be3 in fuzzer::Fuzzer::ShuffleAndMinimize()
> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:195:11
>     #6 0x14477b in fuzzer::FuzzerDriver(std::vector<std::string,
> std::allocator<std::string> > const&, fuzzer::UserSuppliedFuzzer&)
> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:303:3
>     #7 0x14183f in fuzzer::FuzzerDriver(int, char**,
> fuzzer::UserSuppliedFuzzer&)
> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:201:10
>     #8 0x141427 in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char
> const*, unsigned int))
> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:196:10
>     #9 0x1873e3 in main
> /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerMain.cpp:19:10
>     #10 0xb6c86775 in __libc_start_main
> /build/buildd/glibc-2.21/csu/libc-start.c:289
>
> DEATH:
> artifact_prefix='./'; Test unit written to
> ./crash-ec9fa023e9db127e2589d0ab4c506055e4174611
>
>
> --
> -Brian
>