[cfe-dev] fixing bugs fuzzed out of clang

Kostya Serebryany via cfe-dev cfe-dev at lists.llvm.org
Mon Jan 4 10:20:30 PST 2016


Hi Clang devs,

In the new year I would like to ask you all to consider fixing clang bugs
found by fuzzing (that includes, but is not limited to,
https://llvm.org/bugs/show_bug.cgi?id=23057)

The existing fuzzer bot is reporting known bugs that have not been fixed
for months.
E.g.
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/5328/steps/stage2%2Fasan%2Bassertions%20run%20clang-fuzzer/logs/stdio
This precludes us from treating these bugs as errors and making the bot red
on regressions.

Also, these shallow bugs prevent us from finding deeper bugs with potential
security implications, and there are some such.
E.g. the bug below means that no one can safely host clang as a web service.

echo "* a ((int () (o W, *&])) 0" | ./bin/clang -x c++ -

==13059==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e538 at pc 0x00000081df99 bp 0x7ffdbdcb3630 sp 0x7ffdbdcb2de8

READ of size 20 at 0x61500000e538 thread T0
    #0 0x81df98 in __asan_memcpy
    #1 0xedcd28f in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
    #2 0xedb3c47 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:731:23
    #3 0xa5ad93a in ConsumeParen tools/clang/include/clang/Parse/Parser.h:383:5
    #4 0xa5ad93a in clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) tools/clang/lib/Parse/Parser.cpp:3
    #5 0xa78bdb8 in SkipUntil tools/clang/include/clang/Parse/Parser.h:864:12

0x61500000e538 is located 312 bytes inside of 456-byte region [0x61500000e400,0x61500000e5c8)
freed by thread T0 here:
    #0 0x8350db in __interceptor_free
    #1 0xa838c02 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:374:7
    #2 0xa838c02 in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::Bala
    #3 0xa7ac905 in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::Sour
    #4 0xa794e83 in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:709:11
    #5 0xa77c21c in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20


--kcc
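The mail's point is that a fuzzer bot buried in unfixed shallow crashes cannot surface the deeper memory-safety bugs. The following is an added example, not code from the mail, from kcc or from the LLVM tree: a small triage helper that parses an AddressSanitizer report like the one quoted above into its error kind, faulting access and stack traces, derives a deduplication key from the first non-sanitizer frames so that repeated reports of one bug are counted together, and flags the memory-safety kinds separately from assertion failures. The sanitizer frame prefixes, the three-frame dedup depth and the assertion-failure sample (with a made-up file name and condition) are the example's own assumptions.

```python
"""Triage helper for crash logs from a fuzzer bot.

Added example; not part of the mail above or of the LLVM tree. It parses an
AddressSanitizer report into its error kind, faulting access and stack
traces, derives a deduplication key from the first non-sanitizer frames,
and separates memory-safety bugs from shallow assertion failures.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the report quoted in the mail, re-joined into the
# single lines ASan emits. Frames the mail truncates are kept truncated.
SAMPLE_UAF = """\
==13059==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e538 at pc 0x00000081df99 bp 0x7ffdbdcb3630 sp 0x7ffdbdcb2de8
READ of size 20 at 0x61500000e538 thread T0
    #0 0x81df98 in __asan_memcpy
    #1 0xedcd28f in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
    #2 0xedb3c47 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:731:23
    #3 0xa5ad93a in ConsumeParen tools/clang/include/clang/Parse/Parser.h:383:5
    #4 0xa5ad93a in clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) tools/clang/lib/Parse/Parser.cpp:3
    #5 0xa78bdb8 in SkipUntil tools/clang/include/clang/Parse/Parser.h:864:12

0x61500000e538 is located 312 bytes inside of 456-byte region [0x61500000e400,0x61500000e5c8)
freed by thread T0 here:
    #0 0x8350db in __interceptor_free
    #1 0xa838c02 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:374:7
    #2 0xa838c02 in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::Bala
    #3 0xa7ac905 in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::Sour
    #4 0xa794e83 in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:709:11
    #5 0xa77c21c in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20
"""

# Constructed sample of a shallow bug: an assertion failure with a made-up
# file name and condition (hypothetical, not a real clang assertion).
SAMPLE_ASSERT = ("clang-fuzzer: tools/clang/lib/Parse/Example.cpp:1: void example(): "
                 "Assertion `Tok.is(tok::r_paren)' failed.\n")

# ASan error kinds that are memory-safety violations (assumed list).
MEMORY_SAFETY_KINDS = {
    "heap-use-after-free", "heap-buffer-overflow", "stack-buffer-overflow",
    "global-buffer-overflow", "stack-use-after-return", "use-after-poison",
    "double-free", "bad-free",
}
# Runtime frames that carry no information about the bug (assumed prefixes).
SANITIZER_FRAME_PREFIXES = ("__asan", "__interceptor", "__sanitizer")

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at ", re.M)
# "#N 0xADDR in FUNC [FILE:LINE[:COL]]"; FUNC may contain spaces, FILE may not.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(?P<func>.*?)(?:\s+(?P<loc>\S+:\d+(?::\d+)?))?\s*$")
ASSERT_RE = re.compile(r"Assertion `(?P<cond>.*)' failed")


@dataclass
class Frame:
    func: str
    loc: Optional[str]          # None where the symbolizer printed no location


@dataclass
class Report:
    kind: str                   # ASan kind, or "assertion-failure"
    detail: Optional[str] = None
    access: Optional[str] = None
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)

    def is_memory_safety(self) -> bool:
        return self.kind in MEMORY_SAFETY_KINDS


def parse_crash_log(text: str) -> Report:
    """Classify one crash log; assertion failures win over a trailing ASan ABRT."""
    a = ASSERT_RE.search(text)
    if a:
        return Report(kind="assertion-failure", detail=a.group("cond"))
    h = HEADER_RE.search(text)
    if h is None:
        raise ValueError("not an ASan report or assertion failure")
    report = Report(kind=h.group("kind"), detail=h.group("addr"))
    m = ACCESS_RE.search(text)
    if m:
        report.access = f"{m.group('op')} of size {m.group('size')}"
    current = report.access_stack
    for line in text.splitlines():
        if line.startswith("freed by thread"):
            current = report.free_stack           # frames now describe the free
        elif line.startswith("previously allocated by thread"):
            current = []                          # allocation stack: not kept
        else:
            f = FRAME_RE.match(line)
            if f:
                current.append(Frame(f.group("func"), f.group("loc")))
    return report


def dedup_key(report: Report, depth: int = 3) -> str:
    """Kind plus the first `depth` non-runtime frames; addresses are left out."""
    if report.kind == "assertion-failure":
        return f"assertion-failure|{report.detail}"
    frames = [f.func for f in report.access_stack
              if not f.func.startswith(SANITIZER_FRAME_PREFIXES)]
    return "|".join([report.kind, *frames[:depth]])


def triage(logs: List[str]) -> Dict[str, Tuple[int, bool]]:
    """Map dedup key -> (occurrences, is memory-safety bug)."""
    groups: Dict[str, Tuple[int, bool]] = {}
    for log in logs:
        r = parse_crash_log(log)
        key = dedup_key(r)
        count = groups.get(key, (0, False))[0]
        groups[key] = (count + 1, r.is_memory_safety())
    return groups


if __name__ == "__main__":
    for key, (count, mem) in triage([SAMPLE_UAF, SAMPLE_UAF, SAMPLE_ASSERT]).items():
        print(f"{count:3d}x {'SECURITY' if mem else 'shallow '} {key}")
```

Run over a directory of bot logs, the memory-safety rows are the ones to fix first; the key deliberately drops addresses and sanitizer frames so that the same bug reported by different builds collapses into one row.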