[llvm-bugs] [Bug 47738] New: libfuzzer fails to print stack trace for invalid pcs

via llvm-bugs llvm-bugs at lists.llvm.org
Mon Oct 5 19:05:22 PDT 2020


https://bugs.llvm.org/show_bug.cgi?id=47738

            Bug ID: 47738
           Summary: libfuzzer fails to print stack trace for invalid pcs
           Product: compiler-rt
           Version: 11.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: fuzzer
          Assignee: unassignedbugs at nondot.org
          Reporter: mvanotti at google.com
                CC: llvm-bugs at lists.llvm.org

It looks like libFuzzer's libunwind fails to print stack traces if the faulting
PC is invalid (for example, the NULL pointer).

Here's an example:

```c++
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

static void bar(void) {
  // Deliberately call through an invalid code address so that the faulting pc
  // (0x123000) belongs to no loaded module; this is what triggers the bug.
  void (*foo)() = reinterpret_cast<void (*)()>(0x123000);
  foo();
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  bar();  // crashes on every input, regardless of Data/Size
  return 0;
}
```

Compiling it with: clang++ -fsanitize=fuzzer,address fuzzer.cc -o fuzzer

Gives the following output:

```
$ ./fuzzer 
INFO: Seed: 4199019790
INFO: Loaded 1 modules   (2 inline 8-bit counters): 2 [0x5abe80, 0x5abe82), 
INFO: Loaded 1 PC tables (2 PCs): 2 [0x56fcc8,0x56fce8), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than
4096 bytes
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3940891==ERROR: AddressSanitizer: SEGV on unknown address 0x000000123000 (pc
0x000000123000 bp 0x7fff64977760 sp 0x7fff64977738 T0)
==3940891==The signal is caused by a READ memory access.
Segmentation fault
```

When we call it with ASAN_OPTIONS="fast_unwind_on_fatal=1", we see more of the
backtrace, but it is missing one function call level.

```
=================================================================
==3942650==ERROR: AddressSanitizer: SEGV on unknown address 0x000000123000 (pc
0x000000123000 bp 0x7ffce19deea0 sp 0x7ffce19dee78 T0)
==3942650==The signal is caused by a READ memory access.
    #0 0x122fff  (<unknown module>)
    #1 0x555acc in LLVMFuzzerTestOneInput (/data/test/fuzzer+0x555acc)
    #2 0x45d621 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) (/data/test/fuzzer+0x45d621)
```
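
As an added example (not code from the bug report or from libFuzzer/compiler-rt): a small Python triage helper that parses the two ASan SEGV reports above, re-joined onto single lines as a terminal prints them and embedded as constructed sample input. It pulls out the faulting address, pc, bp and sp, recognizes the "pc equals the faulting address" signature that marks a call or jump through an invalid pointer (ASan still labels it a READ), and flags traces that are missing or start at an unknown module, so a crash-dedup pipeline does not bucket these unreliable stacks the way it buckets ordinary data-access faults. The header layout assumed is the x86-64 Linux one (`pc … bp … sp …`); other targets print different register names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the two ASan SEGV reports quoted in the bug,
# re-joined onto single lines as a terminal prints them (the mailing-list
# archive wraps the long "ERROR:" line).
REPORT_NO_TRACE = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3940891==ERROR: AddressSanitizer: SEGV on unknown address 0x000000123000 (pc 0x000000123000 bp 0x7fff64977760 sp 0x7fff64977738 T0)
==3940891==The signal is caused by a READ memory access.
Segmentation fault
"""

REPORT_FAST_UNWIND = """\
=================================================================
==3942650==ERROR: AddressSanitizer: SEGV on unknown address 0x000000123000 (pc 0x000000123000 bp 0x7ffce19deea0 sp 0x7ffce19dee78 T0)
==3942650==The signal is caused by a READ memory access.
    #0 0x122fff  (<unknown module>)
    #1 0x555acc in LLVMFuzzerTestOneInput (/data/test/fuzzer+0x555acc)
    #2 0x45d621 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/data/test/fuzzer+0x45d621)
"""

# Header layout as printed on x86-64 Linux (assumption: other targets use
# different register names in this line).
SEGV_RE = re.compile(
    r"ERROR: AddressSanitizer: SEGV on unknown address 0x([0-9a-fA-F]+) "
    r"\(pc 0x([0-9a-fA-F]+) bp 0x([0-9a-fA-F]+) sp 0x([0-9a-fA-F]+) T(\d+)\)"
)
# "#N 0xPC in symbol (module+offset)" or "#N 0xPC  (<unknown module>)".
# The symbol may itself contain parentheses, so it is matched lazily and the
# module is whatever sits in the final parenthesized group.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x([0-9a-fA-F]+)(?: in (.+?))?\s+\((.+)\)\s*$")


@dataclass
class Frame:
    index: int
    pc: int
    function: Optional[str]  # None when ASan could not symbolize the frame
    module: str              # "<unknown module>" when pc maps to nothing loaded


@dataclass
class SegvReport:
    fault_addr: int
    pc: int
    bp: int
    sp: int
    thread: int
    frames: List[Frame] = field(default_factory=list)

    @property
    def pc_is_fault_address(self) -> bool:
        # The fault happened while fetching the instruction at pc, not while
        # reading data: control was transferred through an invalid pointer.
        return self.pc == self.fault_addr

    @property
    def top_frame_unknown(self) -> bool:
        return bool(self.frames) and self.frames[0].module == "<unknown module>"


def parse_report(text: str) -> SegvReport:
    m = SEGV_RE.search(text)
    if not m:
        raise ValueError("not an AddressSanitizer SEGV report")
    report = SegvReport(
        fault_addr=int(m.group(1), 16),
        pc=int(m.group(2), 16),
        bp=int(m.group(3), 16),
        sp=int(m.group(4), 16),
        thread=int(m.group(5)),
    )
    for line in text.splitlines():
        f = FRAME_RE.match(line)
        if f:
            report.frames.append(
                Frame(int(f.group(1)), int(f.group(2), 16), f.group(3), f.group(4))
            )
    return report


def triage(report: SegvReport) -> Dict[str, object]:
    """Classify the report and build a dedup key from the first symbolized frame."""
    notes: List[str] = []
    kind = "invalid-pc" if report.pc_is_fault_address else "bad-address"
    if report.pc_is_fault_address:
        notes.append("pc equals the faulting address: a call or jump through an invalid "
                     "pointer; ASan still labels this a READ, so do not trust that line alone")
    if not report.frames:
        notes.append("no stack trace at all; retry with ASAN_OPTIONS=fast_unwind_on_fatal=1")
    elif report.top_frame_unknown:
        notes.append("frame #0 is the invalid pc itself; the frame-pointer walk can skip the "
                     "function that made the bad call (bar() is absent in the bug report)")
    symbol = next((f.function for f in report.frames if f.function), None)
    return {"bucket": f"SEGV:{kind}:{symbol or 'unsymbolized'}", "notes": notes}


if __name__ == "__main__":
    for text in (REPORT_NO_TRACE, REPORT_FAST_UNWIND):
        r = parse_report(text)
        print(hex(r.pc), len(r.frames), "frames ->", triage(r))
```

The two reports end up in different buckets only because the first one carries no frames at all; that is exactly the practical cost of the bug, since a crash with an invalid pc and no trace cannot be deduplicated against the same crash seen with `fast_unwind_on_fatal=1`.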
