[llvm-dev] fuzzer crash (but not the good kind)

Brian Cain via llvm-dev llvm-dev at lists.llvm.org
Tue Dec 1 17:22:04 PST 2015


Kostya,

I think I've found what looks like a reproducible bug in libFuzzer.  The
code under test is built with ASan and the first ASan CHECK failure shows
fuzzer in the stack trace.  (see below)

One of the factors that may be unique in my testing is that each iteration
can take a very long time to execute (tens or hundreds of seconds).

Let me know if you need more info; I think it shouldn't take much test time
to reproduce this.

================== Job 2 exited with exit code 256 ============
Flag: verbosity 3
Flag: use_traces 1
Flag: timeout 100
Flag: max_len 16384
Seed: 3259211893
PreferSmall: 0
#0      READ   units: 4975 exec/s: 0
#1      pulse  cov: 32410 bits: 30791 indir: 714 units: 4975 exec/s: 0
NEW0: 32410 L 13869
==31301==AddressSanitizer CHECK failed: /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467 "((n % 16)) == ((0))" (0x1, 0x0)
    #0 0x11d3b7 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:67:3
    #1 0x122f1f in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:159:5
    #2 0x134317 in __sanitizer::CoverageData::Update8bitCounterBitsetAndClearCounters(unsigned char*) /home/brian/src/fuzzpy/llvm_src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_coverage_libcdep.cc:467:5
    #3 0x1b7b53 in fuzzer::Fuzzer::PrepareCoverageBeforeRun() /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:264:5
    #4 0x1b501b in fuzzer::Fuzzer::RunOne(std::vector<unsigned char, std::allocator<unsigned char> > const&) /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:212:3
    #5 0x1b6be3 in fuzzer::Fuzzer::ShuffleAndMinimize() /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerLoop.cpp:195:11
    #6 0x14477b in fuzzer::FuzzerDriver(std::vector<std::string, std::allocator<std::string> > const&, fuzzer::UserSuppliedFuzzer&) /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:303:3
    #7 0x14183f in fuzzer::FuzzerDriver(int, char**, fuzzer::UserSuppliedFuzzer&) /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:201:10
    #8 0x141427 in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned int)) /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerDriver.cpp:196:10
    #9 0x1873e3 in main /home/brian/src/fuzzpy/llvm_src//llvm/lib/Fuzzer/FuzzerMain.cpp:19:10
    #10 0xb6c86775 in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289

DEATH:
artifact_prefix='./'; Test unit written to
./crash-ec9fa023e9db127e2589d0ab4c506055e4174611


-- 
-Brian
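The CHECK in the trace above, "((n % 16)) == ((0))" with the values (0x1, 0x0), says the sanitizer's 8-bit-counter-to-bitset step was handed a counter count n with n % 16 == 1. What follows is an added, self-contained C model of that step, written for this post and not taken from compiler-rt or libFuzzer: the counter bucketing scheme (1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+) and the "walk 16 counters at a time" precondition are assumptions modelled after the sanitizer, not its code. It shows the precondition rejecting a 1-counter array of the shape reported, and a padding helper of the kind an allocation-side fix would use so the precondition holds for any edge count. The sample counter arrays are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed: the runtime processes counters in chunks of 16, hence the
 * "n % 16 == 0" precondition seen in the failed CHECK above. */
#define CHUNK 16

/* Assumed bucketing of an 8-bit hit counter into one of 8 bitset bits
 * (modelled after the sanitizer; returns -1 for an edge never hit). */
int counter_bucket(uint8_t c) {
    if (c == 0)   return -1;
    if (c == 1)   return 0;
    if (c == 2)   return 1;
    if (c == 3)   return 2;
    if (c < 8)    return 3;   /* 4..7   */
    if (c < 16)   return 4;   /* 8..15  */
    if (c < 32)   return 5;   /* 16..31 */
    if (c < 128)  return 6;   /* 32..127 */
    return 7;                 /* 128..255 */
}

/* Hypothetical model of Update8bitCounterBitsetAndClearCounters:
 * bitset[i] accumulates one bit per bucket for counter i, then the
 * counter is cleared for the next run.  Returns 0 where the real
 * runtime would abort on its CHECK (n not a multiple of CHUNK), else 1.
 * *new_bits receives the number of bits set for the first time. */
int update_bitset_and_clear(uint8_t *counters, size_t n,
                            uint8_t *bitset, size_t *new_bits) {
    if (n % CHUNK != 0)
        return 0;                         /* modelled precondition */
    size_t added = 0;
    for (size_t i = 0; i < n; i += CHUNK) {       /* one chunk at a time */
        for (size_t j = 0; j < CHUNK; j++) {
            size_t idx = i + j;
            int b = counter_bucket(counters[idx]);
            counters[idx] = 0;                    /* clear for next run */
            if (b < 0)
                continue;
            uint8_t mask = (uint8_t)(1u << b);
            if (!(bitset[idx] & mask)) {
                bitset[idx] |= mask;
                added++;
            }
        }
    }
    if (new_bits)
        *new_bits = added;
    return 1;
}

/* Allocation-side fix (hypothetical): round an edge count up to a
 * multiple of CHUNK so the counter array always satisfies the check. */
size_t padded_counter_count(size_t edges) {
    return (edges + CHUNK - 1) / CHUNK * CHUNK;
}

/* Reproduces the reported shape: a 1-counter array (n % 16 == 1) is
 * rejected, the padded array for the same edge is accepted.  Returns 1
 * when both behave as expected. */
int demo_report_shape(void) {
    uint8_t one_counter[1] = { 1 };
    uint8_t one_bitset[1]  = { 0 };
    if (update_bitset_and_clear(one_counter, 1, one_bitset, NULL) != 0)
        return 0;                         /* should have been rejected */

    size_t n = padded_counter_count(1);   /* 16 */
    uint8_t counters[CHUNK] = { 0 };
    uint8_t bitset[CHUNK]   = { 0 };
    counters[0] = 1;                      /* the one real edge, hit once */
    size_t new_bits = 0;
    if (update_bitset_and_clear(counters, n, bitset, &new_bits) != 1)
        return 0;
    return new_bits == 1 && bitset[0] == 0x01 && counters[0] == 0;
}
```

The padded array only carries zero counters past the real edge count, so padding changes nothing in the bitset; it just keeps the chunked loop's precondition true for every module size.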