[llvm-bugs] [Bug 37910] New: std::piecewise_constant_distribution() *might* have some problem
via llvm-bugs
llvm-bugs at lists.llvm.org
Fri Jun 22 11:01:05 PDT 2018
https://bugs.llvm.org/show_bug.cgi?id=37910
Bug ID: 37910
Summary: std::piecewise_constant_distribution() *might* have some problem
Product: libc++
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P
Component: All Bugs
Assignee: unassignedclangbugs at nondot.org
Reporter: lebedev.ri at gmail.com
CC: llvm-bugs at lists.llvm.org, mclow.lists at gmail.com
Created attachment 20461
--> https://bugs.llvm.org/attachment.cgi?id=20461&action=edit
oss-fuzz libfuzzer failures
Or maybe something on oss-fuzz is broken.
I cannot reproduce locally, but the backtrace looks strange.
Example of one of the failures:
```
=================================================================
==2119==ERROR: AddressSanitizer: container-overflow on address 0x602000000250
at pc 0x0000004896da bp 0x7ffce1dc1850 sp 0x7ffce1dc1000
READ of size 8 at 0x602000000250 thread T0
SCARINESS: 23 (8-byte-read-container-overflow)
#0 0x4896d9 in memmove
/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:775
#1 0x7582e9 in __copy<double, double>
/usr/local/bin/../include/c++/v1/algorithm:1760:9
#2 0x7582e9 in copy<double *, double *>
/usr/local/bin/../include/c++/v1/algorithm:1769
#3 0x7582e9 in
_ZNSt3__16vectorIdNS_9allocatorIdEEE6assignIPdEENS_9enable_ifIXaasr21__is_forward_iteratorIT_EE5valuesr16is_constructibleIdNS_15iterator_traitsIS7_E9referenceEEE5valueEvE4typeES7_S7_
/usr/local/bin/../include/c++/v1/vector:1438
#4 0x7581e4 in operator= /usr/local/bin/../include/c++/v1/vector:1392:9
#5 0x7581e4 in
std::__1::piecewise_constant_distribution<double>::param_type::operator=(std::__1::piecewise_constant_distribution<double>::param_type
const&) /usr/local/bin/../include/c++/v1/random:6230
#6 0x756022 in operator= /usr/local/bin/../include/c++/v1/random:6081:28
#7 0x756022 in fuzzer::InputCorpus::UpdateCorpusDistribution()
/src/libfuzzer/FuzzerCorpus.h:283
#8 0x755139 in fuzzer::InputCorpus::AddToCorpus(std::__1::vector<unsigned
char, fuzzer::fuzzer_allocator<unsigned char> > const&, unsigned long, bool,
bool, std::__1::vector<unsigned int, fuzzer::fuzzer_allocator<unsigned int> >
const&, fuzzer::DataFlowTrace const&) /src/libfuzzer/FuzzerCorpus.h:109:5
#9 0x752066 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long,
bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:470:12
#10 0x7536d7 in
fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >,
fuzzer::fuzzer_allocator<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> > > > const&)
/src/libfuzzer/FuzzerLoop.cpp:715:5
#11 0x753c82 in
fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >,
fuzzer::fuzzer_allocator<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> > > > const&)
/src/libfuzzer/FuzzerLoop.cpp:755:3
#12 0x749dcd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char
const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:758:6
#13 0x745ae0 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#14 0x7f04820e982f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#15 0x46d6a8 in _start (out/address/CiffParserFuzzer-GetDecoder+0x46d6a8)
0x602000000250 is located 0 bytes inside of 8-byte region
[0x602000000250,0x602000000258)
allocated by thread T0 here:
#0 0x579df8 in operator new(unsigned long)
/src/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:93
#1 0x62b7a3 in std::__1::__libcpp_allocate(unsigned long, unsigned long)
/usr/local/bin/../include/c++/v1/new:259:10
#2 0x62b7a3 in std::__1::allocator<double>::allocate(unsigned long, void
const*) /usr/local/bin/../include/c++/v1/memory:1799
#3 0x62b7a3 in std::__1::allocator_traits<std::__1::allocator<double>
>::allocate(std::__1::allocator<double>&, unsigned long)
/usr/local/bin/../include/c++/v1/memory:1548
#4 0x62b7a3 in std::__1::__split_buffer<double,
std::__1::allocator<double>&>::__split_buffer(unsigned long, unsigned long,
std::__1::allocator<double>&)
/usr/local/bin/../include/c++/v1/__split_buffer:311
#5 0x62b7a3 in std::__1::vector<double, std::__1::allocator<double>
>::reserve(unsigned long) /usr/local/bin/../include/c++/v1/vector:1574
#6 0x75747a in
std::__1::piecewise_constant_distribution<double>::param_type::param_type<std::__1::__wrap_iter<double*>,
std::__1::__wrap_iter<double*> >(std::__1::__wrap_iter<double*>,
std::__1::__wrap_iter<double*>, std::__1::__wrap_iter<double*>)
/usr/local/bin/../include/c++/v1/random:6281:22
#7 0x756017 in piecewise_constant_distribution<std::__1::__wrap_iter<double
*>, std::__1::__wrap_iter<double *> >
/usr/local/bin/../include/c++/v1/random:6150:11
#8 0x756017 in fuzzer::InputCorpus::UpdateCorpusDistribution()
/src/libfuzzer/FuzzerCorpus.h:283
#9 0x755139 in fuzzer::InputCorpus::AddToCorpus(std::__1::vector<unsigned
char, fuzzer::fuzzer_allocator<unsigned char> > const&, unsigned long, bool,
bool, std::__1::vector<unsigned int, fuzzer::fuzzer_allocator<unsigned int> >
const&, fuzzer::DataFlowTrace const&) /src/libfuzzer/FuzzerCorpus.h:109:5
#10 0x752066 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long,
bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:470:12
#11 0x7536d7 in
fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >,
fuzzer::fuzzer_allocator<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> > > > const&)
/src/libfuzzer/FuzzerLoop.cpp:715:5
#12 0x753c82 in
fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> >,
fuzzer::fuzzer_allocator<std::__1::basic_string<char,
std::__1::char_traits<char>, std::__1::allocator<char> > > > const&)
/src/libfuzzer/FuzzerLoop.cpp:755:3
#13 0x749dcd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char
const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:758:6
#14 0x745ae0 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#15 0x7f04820e982f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
HINT: if you don't care about these errors you may set
ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also:
https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow
/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:775
in memmove
Shadow bytes around the buggy address:
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fff8010: fa fa fd fa fa fa 00 00 fa fa 01 fa fa fa fd fa
0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 01 fa
0x0c047fff8030: fa fa 00 fa fa fa 01 fa fa fa 00 00 fa fa 00 00
=>0x0c047fff8040: fa fa 00 fa fa fa 00 00 fa fa[fc]fa fa fa 00 fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2119==ABORTING
```
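Added example, not code from the report, libc++ or libFuzzer: a stand-alone driver modelled on the call path in the trace, with a helper that rebuilds a std::piecewise_constant_distribution<double> from iterator ranges and reassigns it each time the corpus grows; the CorpusDistribution and RunChecks names and the 0..N interval layout are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <random>
#include <vector>

// Constructed example (assumption): a corpus-weighting helper shaped like
// libFuzzer's InputCorpus::UpdateCorpusDistribution in the trace, rebuilding a
// piecewise_constant_distribution from iterator ranges and reassigning it.
struct CorpusDistribution {
    std::vector<double> Intervals;  // boundaries 0, 1, ..., N
    std::vector<double> Weights;    // one weight per corpus unit, size N
    std::piecewise_constant_distribution<double> Dist;

    // Rebuild for N units. Each call runs the param_type(first, last, wfirst)
    // constructor and then param_type::operator= via the assignment below.
    void Update(std::size_t N, const std::vector<double>& NewWeights) {
        Intervals.resize(N + 1);
        for (std::size_t i = 0; i <= N; ++i)
            Intervals[i] = static_cast<double>(i);
        Weights = NewWeights;
        Dist = std::piecewise_constant_distribution<double>(
            Intervals.begin(), Intervals.end(), Weights.begin());
    }

    std::size_t NumIntervals() const { return Dist.intervals().size() - 1; }

    // Pick a corpus index in [0, N); the clamp guards the rounding edge case
    // where the sampled value lands exactly on the upper boundary.
    std::size_t Choose(std::mt19937& Rng) {
        std::size_t N = NumIntervals();
        return std::min(static_cast<std::size_t>(Dist(Rng)), N - 1);
    }
};

// Grow the corpus in steps, as a fuzzer does, and verify the distribution
// stays consistent after every reassignment. Returns true when all checks pass.
bool RunChecks() {
    CorpusDistribution C;
    std::mt19937 Rng(42);
    for (std::size_t N = 1; N <= 64; ++N) {
        std::vector<double> W(N, 1.0);
        W[N - 1] = 4.0;  // newest unit weighted higher
        C.Update(N, W);
        if (C.NumIntervals() != N || C.Dist.densities().size() != N) return false;
        if (C.Dist.min() != 0.0 || C.Dist.max() != static_cast<double>(N)) return false;
        for (int i = 0; i < 200; ++i)
            if (C.Choose(Rng) >= N) return false;
    }
    return true;
}
```

Built with clang++ -std=c++11 -stdlib=libc++ -fsanitize=address, this exercises the same param_type constructor and operator= the trace shows under ASan's container-overflow annotations; the detect_container_overflow=0 setting from the HINT line tells those annotations apart from a genuine heap overflow.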