[llvm-bugs] [Bug 37910] New: std::piecewise_constant_distribution() *might* have some problem

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Jun 22 11:01:05 PDT 2018


https://bugs.llvm.org/show_bug.cgi?id=37910

            Bug ID: 37910
           Summary: std::piecewise_constant_distribution() *might* have
                    some problem
           Product: libc++
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: All Bugs
          Assignee: unassignedclangbugs at nondot.org
          Reporter: lebedev.ri at gmail.com
                CC: llvm-bugs at lists.llvm.org, mclow.lists at gmail.com

Created attachment 20461
  --> https://bugs.llvm.org/attachment.cgi?id=20461&action=edit
oss-fuzz libfuzzer failures

Or maybe something on oss-fuzz is broken.
I cannot reproduce locally, but the backtrace looks strange.
Example of one of the failures:
```
=================================================================
==2119==ERROR: AddressSanitizer: container-overflow on address 0x602000000250
at pc 0x0000004896da bp 0x7ffce1dc1850 sp 0x7ffce1dc1000
READ of size 8 at 0x602000000250 thread T0
SCARINESS: 23 (8-byte-read-container-overflow)
    #0 0x4896d9 in memmove
/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:775
    #1 0x7582e9 in __copy<double, double>
/usr/local/bin/../include/c++/v1/algorithm:1760:9
    #2 0x7582e9 in copy<double *, double *>
/usr/local/bin/../include/c++/v1/algorithm:1769
    #3 0x7582e9 in
_ZNSt3__16vectorIdNS_9allocatorIdEEE6assignIPdEENS_9enable_ifIXaasr21__is_forward_iteratorIT_EE5valuesr16is_constructibleIdNS_15iterator_traitsIS7_E9referenceEEE5valueEvE4typeES7_S7_
/usr/local/bin/../include/c++/v1/vector:1438
    #4 0x7581e4 in operator= /usr/local/bin/../include/c++/v1/vector:1392:9
    #5 0x7581e4 in
std::__1::piecewise_constant_distribution<double>::param_type::operator=(std::__1::piecewise_constant_distribution<double>::param_type
const&) /usr/local/bin/../include/c++/v1/random:6230
    #6 0x756022 in operator= /usr/local/bin/../include/c++/v1/random:6081:28
    #7 0x756022 in fuzzer::InputCorpus::UpdateCorpusDistribution()
/src/libfuzzer/FuzzerCorpus.h:283
    #8 0x755139 in fuzzer::InputCorpus::AddToCorpus(std::__1::vector<unsigned
char, fuzzer::fuzzer_allocator<unsigned char> > const&, unsigned long, bool,
bool, std::__1::vector<unsigned int, fuzzer::fuzzer_allocator<unsigned int> >
const&, fuzzer::DataFlowTrace const&) /src/libfuzzer/FuzzerCorpus.h:109:5
    #9 0x752066 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long,
bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:470:12
    #10 0x7536d7 in
fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >,
fuzzer::fuzzer_allocator<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> > > > const&)
/src/libfuzzer/FuzzerLoop.cpp:715:5
    #11 0x753c82 in
fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >,
fuzzer::fuzzer_allocator<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> > > > const&)
/src/libfuzzer/FuzzerLoop.cpp:755:3
    #12 0x749dcd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char
const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:758:6
    #13 0x745ae0 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #14 0x7f04820e982f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x46d6a8 in _start (out/address/CiffParserFuzzer-GetDecoder+0x46d6a8)

0x602000000250 is located 0 bytes inside of 8-byte region
[0x602000000250,0x602000000258)
allocated by thread T0 here:
    #0 0x579df8 in operator new(unsigned long)
/src/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:93
    #1 0x62b7a3 in std::__1::__libcpp_allocate(unsigned long, unsigned long)
/usr/local/bin/../include/c++/v1/new:259:10
    #2 0x62b7a3 in std::__1::allocator<double>::allocate(unsigned long, void
const*) /usr/local/bin/../include/c++/v1/memory:1799
    #3 0x62b7a3 in std::__1::allocator_traits<std::__1::allocator<double>
>::allocate(std::__1::allocator<double>&, unsigned long)
/usr/local/bin/../include/c++/v1/memory:1548
    #4 0x62b7a3 in std::__1::__split_buffer<double,
std::__1::allocator<double>&>::__split_buffer(unsigned long, unsigned long,
std::__1::allocator<double>&)
/usr/local/bin/../include/c++/v1/__split_buffer:311
    #5 0x62b7a3 in std::__1::vector<double, std::__1::allocator<double>
>::reserve(unsigned long) /usr/local/bin/../include/c++/v1/vector:1574
    #6 0x75747a in
std::__1::piecewise_constant_distribution<double>::param_type::param_type<std::__1::__wrap_iter<double*>,
std::__1::__wrap_iter<double*> >(std::__1::__wrap_iter<double*>,
std::__1::__wrap_iter<double*>, std::__1::__wrap_iter<double*>)
/usr/local/bin/../include/c++/v1/random:6281:22
    #7 0x756017 in piecewise_constant_distribution<std::__1::__wrap_iter<double
*>, std::__1::__wrap_iter<double *> >
/usr/local/bin/../include/c++/v1/random:6150:11
    #8 0x756017 in fuzzer::InputCorpus::UpdateCorpusDistribution()
/src/libfuzzer/FuzzerCorpus.h:283
    #9 0x755139 in fuzzer::InputCorpus::AddToCorpus(std::__1::vector<unsigned
char, fuzzer::fuzzer_allocator<unsigned char> > const&, unsigned long, bool,
bool, std::__1::vector<unsigned int, fuzzer::fuzzer_allocator<unsigned int> >
const&, fuzzer::DataFlowTrace const&) /src/libfuzzer/FuzzerCorpus.h:109:5
    #10 0x752066 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long,
bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:470:12
    #11 0x7536d7 in
fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >,
fuzzer::fuzzer_allocator<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> > > > const&)
/src/libfuzzer/FuzzerLoop.cpp:715:5
    #12 0x753c82 in
fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >,
fuzzer::fuzzer_allocator<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> > > > const&)
/src/libfuzzer/FuzzerLoop.cpp:755:3
    #13 0x749dcd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char
const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:758:6
    #14 0x745ae0 in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #15 0x7f04820e982f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

HINT: if you don't care about these errors you may set
ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also:
https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow
/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:775
in memmove
Shadow bytes around the buggy address:
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8010: fa fa fd fa fa fa 00 00 fa fa 01 fa fa fa fd fa
  0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 01 fa
  0x0c047fff8030: fa fa 00 fa fa fa 01 fa fa fa 00 00 fa fa 00 00
=>0x0c047fff8040: fa fa 00 fa fa fa 00 00 fa fa[fc]fa fa fa 00 fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2119==ABORTING
```
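Added example, not from the report or from libFuzzer: a minimal stand-in for the code path in the trace (`piecewise_constant_distribution` built from interval/weight iterators at random:6281, then copy-assigned through `param_type::operator=` at random:6230), with two checks a reader can run locally under ASan and libc++ to see whether the same annotated `vector::assign` path trips container-overflow. The unit-wide intervals, the helper names and the seed are my assumptions.

```cpp
// Added example (not the bug report's or libFuzzer's own code). Mirrors the
// pattern visible in the trace: construct a piecewise_constant_distribution
// from interval and weight iterators, then copy-assign it into an existing
// distribution, which is the param_type::operator= -> vector::assign path.
#include <cstddef>
#include <random>
#include <vector>

// One unit-wide interval [i, i+1) per weight (assumed layout); the assignment
// into an already-constructed distribution is the step at FuzzerCorpus.h:283
// in the report's backtrace.
std::piecewise_constant_distribution<double>
make_corpus_distribution(const std::vector<double>& weights) {
    std::vector<double> intervals(weights.size() + 1);
    for (size_t i = 0; i < intervals.size(); ++i)
        intervals[i] = static_cast<double>(i);
    std::piecewise_constant_distribution<double> dist;  // default: one interval
    dist = std::piecewise_constant_distribution<double>(
        intervals.begin(), intervals.end(), weights.begin());
    return dist;
}

// Consistency check after the assignment: one interval boundary more than
// weights, one density per weight, and total probability mass of 1.
bool distribution_is_consistent(const std::vector<double>& weights) {
    std::piecewise_constant_distribution<double> dist = make_corpus_distribution(weights);
    std::vector<double> iv = dist.intervals();
    std::vector<double> dens = dist.densities();
    if (iv.size() != weights.size() + 1 || dens.size() != weights.size())
        return false;
    double mass = 0.0;
    for (size_t i = 0; i < dens.size(); ++i)
        mass += dens[i] * (iv[i + 1] - iv[i]);
    return mass > 0.999 && mass < 1.001;
}

// Draw n samples with a fixed seed and count hits per interval; an interval
// with zero weight must never be selected.
std::vector<size_t> sample_histogram(const std::vector<double>& weights, size_t n) {
    std::piecewise_constant_distribution<double> dist = make_corpus_distribution(weights);
    std::mt19937 rng(42);  // assumed seed, for a reproducible histogram
    std::vector<size_t> hist(weights.size(), 0);
    for (size_t i = 0; i < n; ++i) {
        size_t idx = static_cast<size_t>(dist(rng));
        if (idx >= hist.size()) idx = hist.size() - 1;  // guard against round-off
        hist[idx]++;
    }
    return hist;
}
```

Compile with `-stdlib=libc++ -fsanitize=address` to exercise the same ASan-annotated libc++ `vector` that the report's trace goes through.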
