[llvm-bugs] [Bug 40084] New: [Win] libFuzzer: deadly signal
via llvm-bugs
llvm-bugs at lists.llvm.org
Tue Dec 18 07:41:12 PST 2018
https://bugs.llvm.org/show_bug.cgi?id=40084
Bug ID: 40084
Summary: [Win] libFuzzer: deadly signal
Product: compiler-rt
Version: unspecified
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P
Component: fuzzer
Assignee: unassignedbugs at nondot.org
Reporter: mikhail.strelnikov at gmail.com
CC: llvm-bugs at lists.llvm.org
C:\>type fuzz.cpp
#include <cstddef>   // size_t; needed for a standard-conforming build

struct a
{
    a * b;
    int c = 0;
    a() {
        b = this;
    }
    ~a() {
        // Never entered: c is always 0. Kept as in the original reduction.
        for (auto k = c; 0 != k;) {
        }
    }
};

struct e {
};

extern "C" int LLVMFuzzerTestOneInput(unsigned char const *, size_t)
try {
    a _;          // destroyed during unwinding, before the handler below runs
    throw e{};
}
catch (e const &) {
    return 0;
}
(compiling with https://prereleases.llvm.org/win-snapshots/LLVM-8.0.0-r347735-win64.exe)

C:\>"C:\Program Files\LLVM\bin\clang++.exe" -O3 -fuse-ld=lld -fsanitize=fuzzer,address fuzz.cpp -std=c++2a -o fuzz.exe && fuzz.exe
INFO: Seed: 3469642180
INFO: Loaded 1 modules (2 inline 8-bit counters): 2 [00007FF7603D5448, 00007FF7603D544A),
INFO: Loaded 1 PC tables (2 PCs): 2 [00007FF7603AFCA0,00007FF7603AFCC0),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
==14168== ERROR: libFuzzer: deadly signal
    #0 0x7ff76028d424 in __sanitizer_print_stack_trace C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\asan\asan_stack.cc:38
    #1 0x7ff760235e98 in fuzzer::PrintStackTrace C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerUtil.cpp:206
    #2 0x7ff760256b61 in fuzzer::Fuzzer::CrashCallback C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:237
    #3 0x7ff760256b24 in fuzzer::Fuzzer::StaticCrashSignalCallback C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:209
    #4 0x7ff7602312a1 in fuzzer::ExceptionHandler C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerUtilWindows.cpp
    #5 0x7ff8bc7a53ab in UnhandledExceptionFilter+0x1bb (C:\WINDOWS\System32\KERNELBASE.dll+0x1800853ab)
    #6 0x7ff8c05d80ca in memset+0x1c8a (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800a80ca)
    #7 0x7ff8c05bfd25 in _C_specific_handler+0x95 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18008fd25)
    #8 0x7ff8c05d467e in _chkstk+0x11e (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800a467e)
    #9 0x7ff8c0534bee in RtlWalkFrameChain+0x14be (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180004bee)
    #10 0x7ff8c05d33ed in KiUserExceptionDispatcher+0x2d (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800a33ed)
    #11 0x7ff7602aeef1 in LLVMFuzzerTestOneInput+0x181 (C:\fuzz.exe+0x14007eef1)
    #12 0x7ff760369f8f in _CallSettingFrame d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\amd64\handlers.asm:49
    #13 0x7ff760348bbe in __FrameHandler3::FrameUnwindToState d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\frame.cpp:1211
    #14 0x7ff76030a573 in __FrameHandler3::FrameUnwindToEmptyState d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\risctrnsctrl.cpp:236
    #15 0x7ff760349d91 in __InternalCxxFrameHandler<__FrameHandler3> d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\frame.cpp:312
    #16 0x7ff76030b0b8 in __CxxFrameHandler3 d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\risctrnsctrl.cpp:262
    #17 0x7ff8c05d46fe in _chkstk+0x19e (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800a46fe)
    #18 0x7ff8c053600b in RtlUnwindEx+0x51b (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18000600b)
    #19 0x7ff8c05bfd68 in _C_specific_handler+0xd8 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18008fd68)
    #20 0x7ff8c05d467e in _chkstk+0x11e (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800a467e)
    #21 0x7ff8c0534bee in RtlWalkFrameChain+0x14be (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180004bee)
    #22 0x7ff8c05389e5 in RtlRaiseException+0x315 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800089e5)
    #23 0x7ff8bc775298 in RaiseException+0x68 (C:\WINDOWS\System32\KERNELBASE.dll+0x180055298)
    #24 0x7ff760309fb0 in _CxxThrowException d:\agent\_work\3\s\src\vctools\crt\vcruntime\src\eh\throw.cpp:129
    #25 0x7ff7602aeeb0 in LLVMFuzzerTestOneInput+0x140 (C:\fuzz.exe+0x14007eeb0)
    #26 0x7ff76025854f in fuzzer::Fuzzer::ExecuteCallback C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:571
    #27 0x7ff760259f86 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:761
    #28 0x7ff76025a682 in fuzzer::Fuzzer::Loop C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerLoop.cpp:806
    #29 0x7ff76026b4f8 in fuzzer::FuzzerDriver C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerDriver.cpp:764
    #30 0x7ff760231022 in main C:\src\llvm_package_347735\llvm\projects\compiler-rt\lib\fuzzer\FuzzerMain.cpp:20
    #31 0x7ff760309c77 in __scrt_common_main_seh d:\agent\_work\3\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #32 0x7ff8c0307e93 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017e93)
    #33 0x7ff8c059a250 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18006a250)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000

artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64:
The code example above is reduced from:

#include <cstddef>     // size_t
#include <cstdint>     // uint8_t
#include <deque>
#include <exception>

int f()
try
{
    std::deque<int> s;
    // std::exception(const char *) is an MSVC CRT extension, not standard C++.
    throw std::exception("");
}
catch(std::exception const & e)
{
    return 0;
}

extern "C" int LLVMFuzzerTestOneInput(uint8_t const *, size_t)
{
    return f();
}
Btw, -O1 works fine, -O2 and -O3 both crash.
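The reproducer only ever runs under libFuzzer's own main() and its Windows exception filter, which is where the "deadly signal" is reported from (frames #4 and #5 above). Reading the trace upward, frame #11 is a funclet of LLVMFuzzerTestOneInput entered from the MSVC EH runtime's FrameUnwindToState via _CallSettingFrame (frames #12 to #16), that is, while local destructors are being run for the throw at frame #25, and the frames above it show a fresh exception being dispatched from there (KiUserExceptionDispatcher) and ending in UnhandledExceptionFilter. The first check a practitioner would want is whether the same target misbehaves without the fuzzer runtime at all, which separates a codegen or EH problem at -O2/-O3 from a libFuzzer one. The driver below is an added example, not code from the bug report or from compiler-rt; it follows the approach of compiler-rt's StandaloneFuzzTargetMain.c (every file named on the command line is read and handed to LLVMFuzzerTestOneInput once) and embeds a target with the same shape as the reduced reproducer, plus a flag recording that the local's destructor ran before the catch clause, which is the ordering the trace exhibits. The names Guard, Marker, run_bytes, run_file and destructor_ran_before_handler are the example's own. Build it without -fsanitize=fuzzer, for example clang++ -O2 -fsanitize=address -std=c++2a repro.cpp -o repro.exe, and pass the crash artifact as argv[1].

```cpp
// Added example (not from the bug report): a standalone driver for the same
// kind of fuzz target, built WITHOUT -fsanitize=fuzzer so that libFuzzer's
// main() and Windows exception filter are out of the picture. Modelled on
// compiler-rt's StandaloneFuzzTargetMain.c: every file named on the command
// line is read and handed to LLVMFuzzerTestOneInput once.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <vector>

// Bookkeeping for the example only: records whether the local's destructor
// had already run when the catch handler started.
static bool g_guard_destroyed = false;
static bool g_destroyed_before_handler = false;

// Same shape as the reduced reproducer: a self-referencing local with a
// non-trivial destructor, destroyed while an exception unwinds out of a
// function-try-block.
struct Guard {
    Guard *self;
    int count = 0;
    Guard() { self = this; }
    ~Guard() {
        g_guard_destroyed = true;
        for (auto k = count; 0 != k;) {  // never entered, count stays 0
        }
    }
};

struct Marker {};

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
try {
    (void)data;
    (void)size;
    g_guard_destroyed = false;
    g_destroyed_before_handler = false;
    Guard g;
    throw Marker{};  // unwinds through ~Guard before the handler runs
}
catch (Marker const &) {
    g_destroyed_before_handler = g_guard_destroyed;
    return 0;
}

// True if, on the last call, ~Guard ran before control reached the catch
// clause: the ordering the MSVC EH runtime performs in FrameUnwindToState.
bool destructor_ran_before_handler() { return g_destroyed_before_handler; }

// Feeds one in-memory input to the target, always with a valid pointer even
// for an empty input.
int run_bytes(const std::vector<uint8_t> &input) {
    static const uint8_t empty = 0;
    const uint8_t *p = input.empty() ? &empty : input.data();
    return LLVMFuzzerTestOneInput(p, input.size());
}

// Reads a crash artifact (e.g. ./crash-da39a3...) and runs the target on it.
// Returns the target's result, or -1 if the file cannot be opened.
int run_file(const char *path) {
    std::ifstream in(path, std::ios::binary);
    if (!in) {
        std::fprintf(stderr, "cannot open %s\n", path);
        return -1;
    }
    std::vector<uint8_t> bytes((std::istreambuf_iterator<char>(in)),
                               std::istreambuf_iterator<char>());
    return run_bytes(bytes);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        // No artifact given: run the target once on an empty input, which is
        // what the report's trace shows libFuzzer doing (ReadAndExecuteSeedCorpora
        // with the empty unit whose artifact is crash-da39a3ee...).
        int r = run_bytes({});
        std::printf("empty input -> %d, destructor before handler: %s\n", r,
                    destructor_ran_before_handler() ? "yes" : "no");
        return r;
    }
    int rc = 0;
    for (int i = 1; i < argc; ++i) {
        std::printf("Running: %s\n", argv[i]);
        int r = run_file(argv[i]);
        std::printf("Done:    %s (%d)\n", argv[i], r);
        if (r != 0) rc = 1;
    }
    return rc;
}
```

If this binary survives the artifact at -O2 and -O3 while the libFuzzer build does not, the difference lies in how libFuzzer's runtime and exception filter interact with the unwind; if it faults the same way, the problem is in the generated code or the EH runtime and libFuzzer is only the messenger. Either way the crash artifact written by libFuzzer is the input to feed it.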