[llvm-bugs] [Bug 43825] New: signal-unsafe call inside of a signal

via llvm-bugs llvm-bugs at lists.llvm.org
Sun Oct 27 09:02:11 PDT 2019


https://bugs.llvm.org/show_bug.cgi?id=43825

            Bug ID: 43825
           Summary: signal-unsafe call inside of a signal
           Product: compiler-rt
           Version: 9.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: fuzzer
          Assignee: unassignedbugs at nondot.org
          Reporter: adi at thingdust.com
                CC: llvm-bugs at lists.llvm.org

When I press CTRL+C during the execution of a fuzzer with tsan support, a
signal unsafety is detected:

$ docker run -it thingdust/llvm-tsan-repro
$ cat main.cpp
#include <cstddef>
#include <cstdint>

// Minimal libFuzzer target: accepts any input and does nothing with it.
// The report below is triggered by the runtime, not by this function.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, std::size_t size) {
  return 0;
}


$ clang++-9 -glldb -O0 -fsanitize=fuzzer,thread main.cpp
$ ./a.out
==30238==Installed the sigaction for signal 11
==30238==Installed the sigaction for signal 7
==30238==Installed the sigaction for signal 8
***** Running under ThreadSanitizer v2 (pid 30238) *****
INFO: Seed: 514887584
INFO: Loaded 1 modules   (1 inline 8-bit counters): 1 [0x3a4ab8, 0x3a4ab9), 
INFO: Loaded 1 PC tables (1 PCs): 1 [0x239800,0x239810), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than
4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 1 ft: 1 corp: 1/1b exec/s: 0 rss: 96Mb
^C==30238== libFuzzer: run interrupted; exiting
==================
WARNING: ThreadSanitizer: signal-unsafe call inside of a signal (pid=30238)
    #0 malloc
/home/build/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:650:5
(a.out+0x3250d4)
    #1 operator new(unsigned long) <null> (a.out+0x2896e7)
    #2 operator new(unsigned long) <null> (a.out+0x2896e7)

SUMMARY: ThreadSanitizer: signal-unsafe call inside of a signal
(/home/build/workdir/fuzzer/a.out+0x2896e7) in operator new(unsigned long)
==================
MS: 1 CopyPart-


#============== hangs now =====================



$ lldb-9 -p 30238
(lldb) process attach --pid 30238
Process 30238 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSTOP
    frame #0: 0x0000000000309650 a.out`::Lock() [inlined]
atomic_exchange<__sanitizer::atomic_uint32_t> at sanitizer_atomic_clang.h:67:7
  thread #2, name = 'a.out', stop reason = signal SIGSTOP
    frame #0: 0x00000000003090a7 a.out`::internal_sched_yield() at
sanitizer_linux.cc:419:3
  thread #3, name = 'a.out', stop reason = signal SIGSTOP
    frame #0: 0x0000000000309650 a.out`::Lock() [inlined]
atomic_exchange<__sanitizer::atomic_uint32_t> at sanitizer_atomic_clang.h:67:7

Executable module set to "/home/build/workdir/fuzzer/a.out".
Architecture set to: x86_64-unknown-linux-gnu.
(lldb) bt all
* thread #1, name = 'a.out', stop reason = signal SIGSTOP
  * frame #0: 0x0000000000309650 a.out`::Lock() [inlined]
atomic_exchange<__sanitizer::atomic_uint32_t> at sanitizer_atomic_clang.h:67:7
    frame #1: 0x0000000000309650 a.out`::Lock() at sanitizer_linux.cc:649
    frame #2: 0x000000000037a7df a.out`::SignalUnsafeCall() [inlined] Lock at
sanitizer_thread_registry.h:97:22
    frame #3: 0x000000000037a7d3 a.out`::SignalUnsafeCall() [inlined]
GenericScopedLock at sanitizer_mutex.h:183
    frame #4: 0x000000000037a7d3 a.out`::SignalUnsafeCall() at tsan_mman.cc:147
    frame #5: 0x000000000037a2f8 a.out`::user_alloc_internal() at
tsan_mman.cc:174:5
    frame #6: 0x000000000037aa51 a.out`::user_alloc() at tsan_mman.cc:188:25
    frame #7: 0x00000000003250e3 a.out`::__interceptor_malloc() at
tsan_interceptors.cc:651:9
    frame #8: 0x00000000002896e8 a.out`operator new(unsigned long) + 24
    frame #9: 0x00000000002fb783 a.out`std::Fuzzer::basic_string<char,
std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> >::push_back(char)
+ 195
    frame #10: 0x0000000000294f5b a.out`::overflow() at sstream:541:24
    frame #11: 0x00000000002d50ce a.out`std::Fuzzer::basic_streambuf<char,
std::Fuzzer::char_traits<char> >::xsputn(char const*, long) + 142
    frame #12: 0x00000000002964e4 a.out`::__pad_and_output<char,
std::Fuzzer::char_traits<char> >() [inlined] sputn at streambuf:229:14
    frame #13: 0x00000000002964d7 a.out`::__pad_and_output<char,
std::Fuzzer::char_traits<char> >() at locale:1411
    frame #14: 0x00000000002e6964 a.out`std::Fuzzer::num_put<char,
std::Fuzzer::ostreambuf_iterator<char, std::Fuzzer::char_traits<char> >
>::do_put(std::Fuzzer::ostreambuf_iterator<char, std::Fuzzer::char_traits<char>
>, std::Fuzzer::ios_base&, char, unsigned long) const + 404
    frame #15: 0x00000000002da928 a.out`std::Fuzzer::basic_ostream<char,
std::Fuzzer::char_traits<char> >::operator<<(unsigned int) + 216
    frame #16: 0x00000000002c592b a.out`::Sha1ToString() at
FuzzerSHA1.cpp:212:57
    frame #17: 0x00000000002af2fc a.out`::DumpCurrentUnit() at
FuzzerLoop.cpp:180:31
    frame #18: 0x00000000002af91c a.out`::StaticDeathCallback() [inlined]
DeathCallback at FuzzerLoop.cpp:192:3
    frame #19: 0x00000000002af90d a.out`::StaticDeathCallback() at
FuzzerLoop.cpp:172
    frame #20: 0x000000000030f816 a.out`__sanitizer::Die() at
sanitizer_termination.cc:52:5
    frame #21: 0x000000000038fbe8 a.out`::OutputReport() at
tsan_rtl_report.cc:538:5
    frame #22: 0x000000000037a814 a.out`::SignalUnsafeCall() at
tsan_mman.cc:150:3
    frame #23: 0x000000000037a2f8 a.out`::user_alloc_internal() at
tsan_mman.cc:174:5
    frame #24: 0x000000000037aa51 a.out`::user_alloc() at tsan_mman.cc:188:25
    frame #25: 0x00000000003250e3 a.out`::__interceptor_malloc() at
tsan_interceptors.cc:651:9
    frame #26: 0x00000000002896e8 a.out`operator new(unsigned long) + 24
    frame #27: 0x00000000002fb3c0 a.out`std::Fuzzer::basic_string<char,
std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> >::append(char
const*, unsigned long) + 224
    frame #28: 0x00000000002ad355 a.out`::TempPath() [inlined] operator+<char,
std::Fuzzer::char_traits<char>, std::Fuzzer::allocator<char> > at
string:4151:30
    frame #29: 0x00000000002ad34d a.out`::TempPath() at FuzzerIO.cpp:156
    frame #30: 0x00000000002b0094 a.out`::InterruptCallback() at
FuzzerLoop.cpp:268:18
    frame #31: 0x00000000002b0040
a.out`fuzzer::Fuzzer::StaticInterruptCallback() at FuzzerLoop.cpp:213:6
    frame #32: 0x000000000032d590 a.out`::CallUserSignalHandler() at
tsan_interceptors.cc:1912:7
    frame #33: 0x0000000000323d09 a.out`::ProcessPendingSignals() at
tsan_interceptors.cc:1959:7
    frame #34: 0x000000000032513e a.out`::__interceptor_malloc() [inlined]
~ScopedInterceptor at tsan_interceptors.cc:264:5
    frame #35: 0x00000000003250e6 a.out`::__interceptor_malloc() at
tsan_interceptors.cc:652
    frame #36: 0x00000000002896e8 a.out`operator new(unsigned long) + 24
    frame #37: 0x00000000002b13f3 a.out`::ExecuteCallback() at
FuzzerLoop.cpp:538:23
    frame #38: 0x00000000002b0d26 a.out`::RunOne() at FuzzerLoop.cpp:469:3
    frame #39: 0x00000000002b2fc8 a.out`::MutateAndTestOne() at
FuzzerLoop.cpp:695:19
    frame #40: 0x00000000002b3ce6 a.out`::Loop() at FuzzerLoop.cpp:831:5
    frame #41: 0x00000000002a0e79 a.out`::FuzzerDriver() at
FuzzerDriver.cpp:825:6
    frame #42: 0x00000000002caf13 a.out`main at FuzzerMain.cpp:19:10
    frame #43: 0x00007f362a44cb6b libc.so.6`__libc_start_main + 235
    frame #44: 0x000000000027502a a.out`_start + 42
  thread #2, name = 'a.out', stop reason = signal SIGSTOP
    frame #0: 0x00000000003090a7 a.out`::internal_sched_yield() at
sanitizer_linux.cc:419:3
    frame #1: 0x000000000037d805 a.out`::Lock() [inlined] Do at
tsan_mutex.cc:194:7
    frame #2: 0x000000000037d7f1 a.out`::Lock() at tsan_mutex.cc:234
    frame #3: 0x000000000038b27d a.out`::BackgroundThread() [inlined]
GenericScopedLock at sanitizer_mutex.h:183:10
    frame #4: 0x000000000038b275 a.out`::BackgroundThread() at tsan_rtl.cc:216
    frame #5: 0x00007f362a63c182
libpthread.so.0`start_thread(arg=<unavailable>) at pthread_create.c:486:8
    frame #6: 0x00007f362a543b1f libc.so.6`clone + 63
  thread #3, name = 'a.out', stop reason = signal SIGSTOP
    frame #0: 0x0000000000309650 a.out`::Lock() [inlined]
atomic_exchange<__sanitizer::atomic_uint32_t> at sanitizer_atomic_clang.h:67:7
    frame #1: 0x0000000000309650 a.out`::Lock() at sanitizer_linux.cc:649
    frame #2: 0x000000000038d71c a.out`::AfterSleep() [inlined] Lock at
sanitizer_thread_registry.h:97:22
    frame #3: 0x000000000038d710 a.out`::AfterSleep() [inlined]
GenericScopedLock at sanitizer_mutex.h:183
    frame #4: 0x000000000038d710 a.out`::AfterSleep() at tsan_rtl_mutex.cc:471
    frame #5: 0x0000000000323f5c a.out`::__interceptor_sleep() at
tsan_interceptors.cc:349:3
    frame #6: 0x00000000002a230a a.out`fuzzer::RssThread(fuzzer::Fuzzer*,
unsigned long) at FuzzerDriver.cpp:275:5
    frame #7: 0x00000000002a234b
a.out`::__thread_proxy<std::Fuzzer::tuple<std::Fuzzer::unique_ptr<std::Fuzzer::__thread_struct,
std::Fuzzer::default_delete<std::Fuzzer::__thread_struct> >, void
(*)(fuzzer::Fuzzer *, unsigned long), fuzzer::Fuzzer *, unsigned long> >()
[inlined] __invoke<void (*)(fuzzer::Fuzzer *, unsigned long), fuzzer::Fuzzer *,
unsigned long> at type_traits:3530:1
    frame #8: 0x00000000002a2340
a.out`::__thread_proxy<std::Fuzzer::tuple<std::Fuzzer::unique_ptr<std::Fuzzer::__thread_struct,
std::Fuzzer::default_delete<std::Fuzzer::__thread_struct> >, void
(*)(fuzzer::Fuzzer *, unsigned long), fuzzer::Fuzzer *, unsigned long> >()
[inlined]
__thread_execute<std::Fuzzer::unique_ptr<std::Fuzzer::__thread_struct,
std::Fuzzer::default_delete<std::Fuzzer::__thread_struct> >, void
(*)(fuzzer::Fuzzer *, unsigned long), fuzzer::Fuzzer *, unsigned long, 2, 3> at
thread:277
    frame #9: 0x00000000002a2340
a.out`::__thread_proxy<std::Fuzzer::tuple<std::Fuzzer::unique_ptr<std::Fuzzer::__thread_struct,
std::Fuzzer::default_delete<std::Fuzzer::__thread_struct> >, void
(*)(fuzzer::Fuzzer *, unsigned long), fuzzer::Fuzzer *, unsigned long> >() at
thread:287
    frame #10: 0x000000000032691d a.out`::__tsan_thread_start_func() at
tsan_interceptors.cc:957:15
    frame #11: 0x00007f362a63c182
libpthread.so.0`start_thread(arg=<unavailable>) at pthread_create.c:486:8
    frame #12: 0x00007f362a543b1f libc.so.6`clone + 63
(lldb)
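Reading the "bt all" output above bottom-up: the SIGINT handler (frames #31/#30, StaticInterruptCallback -> InterruptCallback) builds a std::string in TempPath(), which goes through operator new into malloc while the process is still inside a signal. TSan's SignalUnsafeCall() takes the scoped lock at tsan_mman.cc:147 and reports (frame #22), Die() runs the death callback, DumpCurrentUnit() formats the SHA1 through an ostream and allocates again, and that second SignalUnsafeCall() blocks on the same lock in frame #2. Thread #1 then spins in Lock() forever, and threads #2 and #3 queue up behind it. The following is an added example written for this note, not code from the bug report or from libFuzzer: the user-code pattern that keeps work out of the handler, where the handler only sets a sig_atomic_t flag and write(2)s a pre-built message, and the allocation-heavy path construction runs later on the main loop. The names (OnInterrupt, BuildDumpPath, DrainPendingInterrupt, InstallInterruptHandler) and the directory and hash values are assumptions made for the example.

```cpp
// Added example: async-signal-safe interrupt handling versus deferred
// allocation-heavy work. Not part of the bug report or of libFuzzer.
#include <csignal>
#include <cstring>
#include <string>
#include <unistd.h>

// The only state the handler touches: a lock-free flag that the main loop
// polls between inputs.
volatile sig_atomic_t g_interrupted = 0;

// Message prepared ahead of time so the handler does no formatting.
static const char kInterruptMsg[] = "interrupt received; finishing current input\n";

// Async-signal-safe handler: sets the flag and emits a pre-built message with
// write(2). No malloc, no iostreams, no locks; those are exactly the calls
// behind a "signal-unsafe call inside of a signal" report.
void OnInterrupt(int) {
  g_interrupted = 1;
  // Nothing safe can be done if the write fails, so the result is dropped.
  (void)!write(STDERR_FILENO, kInterruptMsg, sizeof(kInterruptMsg) - 1);
}

// Allocation-heavy work, equivalent in spirit to the string concatenation in
// the TempPath() frame of the trace. Fine on the main thread, not inside a
// signal handler.
std::string BuildDumpPath(const std::string& dir, const std::string& hash) {
  return dir + "/crash-" + hash;
}

// Installs the handler with sigaction; returns false if installation failed.
bool InstallInterruptHandler() {
  struct sigaction sa;
  std::memset(&sa, 0, sizeof(sa));
  sa.sa_handler = OnInterrupt;
  sigemptyset(&sa.sa_mask);
  sa.sa_flags = SA_RESTART;
  return sigaction(SIGINT, &sa, nullptr) == 0;
}

// Called from the fuzz loop between inputs: consumes the flag and only then
// does the work that needs the heap. Returns an empty string when no
// interrupt is pending.
std::string DrainPendingInterrupt(const std::string& dir, const std::string& hash) {
  if (!g_interrupted) return std::string();
  g_interrupted = 0;
  return BuildDumpPath(dir, hash);
}

// Stand-alone demo: one iteration of a loop that polls the flag. raise() is a
// constructed stand-in for the user's CTRL+C.
int main() {
  if (!InstallInterruptHandler()) return 1;
  raise(SIGINT);
  std::string path = DrainPendingInterrupt("/tmp", "deadbeef");
  return path.empty() ? 1 : 0;  // exits 0 when the deferred work ran
}
```

The split is the whole point: the handler can run at any instruction boundary, including in the middle of malloc, so it must only touch state that needs no lock; everything that allocates, formats or takes a mutex waits until the main loop observes the flag.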
