<div dir="ltr"><div><br></div>Kostya,<div><br></div><div>I think I've found what looks like a reproducible bug in libFuzzer. The code under test is built with ASan, and the first ASan CHECK failure shows the fuzzer in the stack trace (see below).</div><div><br></div><div>One of the factors that may be unique to my testing is that each iteration can take a very long time to execute (tens or hundreds of seconds).</div><div><br></div><div>Let me know if you need more info; I think it shouldn't take much test time to reproduce this.</div><div><br></div><div><div>================== Job 2 exited with exit code 256 ============</div><div>Flag: verbosity 3</div><div>Flag: use_traces 1</div><div>Flag: timeout 100</div><div>Flag: max_len 16384</div><div>Seed: 3259211893</div><div>PreferSmall: 0</div><div>#0 READ units: 4975 exec/s: 0</div><div>#1 pulse cov: 32410 bits: 30791 indir: 714 units: 4975 exec/s: 0</div><div>NEW0: 32410 L 13869</div><div>==31301==AddressSanitizer CHECK failed: /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467 "((n % 16)) == ((0))" (0x1, 0x0)</div><div> #0 0x11d3b7 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:67:3</div><div> #1 0x122f1f in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159:5</div><div> #2 0x134317 in __sanitizer::CoverageData::Update8bitCounterBitsetAndClearCounters(unsigned char*) /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467:5</div><div> #3 0x1b7b53 in fuzzer::Fuzzer::PrepareCoverageBeforeRun() /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:264:5</div><div> #4 0x1b501b in fuzzer::Fuzzer::RunOne(std::vector<unsigned char, std::allocator<unsigned char> > const&) /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:212:3</div><div> #5 0x1b6be3 in fuzzer::Fuzzer::ShuffleAndMinimize() /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:195:11</div><div> #6 0x14477b in fuzzer::FuzzerDriver(std::vector<std::string, std::allocator<std::string> > const&, fuzzer::UserSuppliedFuzzer&) /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:303:3</div><div> #7 0x14183f in fuzzer::FuzzerDriver(int, char**, fuzzer::UserSuppliedFuzzer&) /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:201:10</div><div> #8 0x141427 in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned int)) /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:196:10</div><div> #9 0x1873e3 in main /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerMain.cpp:19:10</div><div> #10 0xb6c86775 in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289</div><div><br></div><div>DEATH:</div><div>artifact_prefix='./'; Test unit written to ./crash-ec9fa023e9db127e2589d0ab4c506055e4174611</div><div><br></div>-- <br><div class="gmail_signature">-Brian</div>
</div></div>
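<div>The CHECK in the trace above asserts that the number of 8-bit counters handed to Update8bitCounterBitsetAndClearCounters is a multiple of 16, and the reported values (0x1, 0x0) say the failing call saw exactly one counter. The C program below is an added illustration and is not sanitizer-runtime or libFuzzer code: it models a routine that folds 8-bit execution counters into a per-counter feature bitset in chunks of 16, shows how a strict "n % 16 == 0" precondition rejects a one-counter array, and shows a tail-tolerant variant that processes the same input. The chunk width of 16, the counter-to-bucket scheme, the function names update_bitset_strict and update_bitset_tolerant, and the sample counter arrays are all assumptions made for the example.</div>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: counters are consumed 16 at a time, which is
   what a precondition of the form n % 16 == 0 suggests. */
#define CHUNK 16

/* Map a counter value to one of 8 buckets (assumed scheme, not the runtime's):
   0 -> no bit; 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128-255 -> bits 0..7. */
static uint8_t bucket_bit(uint8_t c) {
    if (c == 0) return 0;
    if (c == 1) return 1u << 0;
    if (c == 2) return 1u << 1;
    if (c == 3) return 1u << 2;
    if (c < 8) return 1u << 3;
    if (c < 16) return 1u << 4;
    if (c < 32) return 1u << 5;
    if (c < 128) return 1u << 6;
    return 1u << 7;
}

/* Fold one counter into its bitset byte and clear the counter.
   Returns 1 if a bit that was not previously set became set. */
static size_t fold_one(uint8_t *counter, uint8_t *bitset_byte) {
    uint8_t bit = bucket_bit(*counter);
    size_t new_bits = (bit != 0 && (*bitset_byte & bit) == 0) ? 1 : 0;
    *bitset_byte |= bit;
    *counter = 0;
    return new_bits;
}

/* Strict variant: requires n % CHUNK == 0. Returns -1 instead of aborting so
   the violated precondition can be observed; a runtime CHECK would abort here. */
long update_bitset_strict(uint8_t *counters, size_t n, uint8_t *bitset) {
    if (n % CHUNK != 0) return -1;
    size_t new_bits = 0;
    for (size_t i = 0; i < n; i += CHUNK)
        for (size_t j = 0; j < CHUNK; j++)
            new_bits += fold_one(&counters[i + j], &bitset[i + j]);
    return (long)new_bits;
}

/* Tolerant variant: full chunks first, then the ragged tail one counter at a time. */
long update_bitset_tolerant(uint8_t *counters, size_t n, uint8_t *bitset) {
    size_t new_bits = 0, i = 0;
    for (; i + CHUNK <= n; i += CHUNK)
        for (size_t j = 0; j < CHUNK; j++)
            new_bits += fold_one(&counters[i + j], &bitset[i + j]);
    for (; i < n; i++)
        new_bits += fold_one(&counters[i], &bitset[i]);
    return (long)new_bits;
}

int main(void) {
    /* Constructed sample: a module contributing a single counter, as n == 1 in the trace. */
    uint8_t one_counter[1] = {5};
    uint8_t one_bitset[1] = {0};
    printf("strict,   n=1:  %ld\n", update_bitset_strict(one_counter, 1, one_bitset));
    printf("tolerant, n=1:  %ld\n", update_bitset_tolerant(one_counter, 1, one_bitset));

    /* Constructed sample: 32 counters, every value but the first nonzero. */
    uint8_t counters[32];
    uint8_t bitset[32];
    memset(bitset, 0, sizeof bitset);
    for (int i = 0; i < 32; i++) counters[i] = (uint8_t)(i * 9);
    printf("strict,   n=32: %ld\n", update_bitset_strict(counters, 32, bitset));
    /* Counters were cleared by the first pass, so a second pass finds nothing new. */
    printf("strict again:   %ld\n", update_bitset_strict(counters, 32, bitset));
    return 0;
}
```

<div>The strict variant is what the trace shows failing: a one-element counter array never satisfies the chunk precondition, so the question for the runtime is whether such arrays should be padded at instrumentation time or handled by a tail loop as in the tolerant variant.</div>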