NetBSD-Bugs archive
toolchain/59042: libfuzzer coredumps trying to print stack trace
>Number: 59042
>Category: toolchain
>Synopsis: libfuzzer coredumps trying to print stack trace
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: toolchain-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jan 30 19:15:00 +0000 2025
>Originator: Christos Zoulas
>Release: NetBSD 10.99.12
>Organization:
Warm Fuzzy Feelings, Inc.
>Environment:
System: NetBSD quasar.astron.com 10.99.12 NetBSD 10.99.12 (QUASAR) #40: Mon Jan 27 14:52:42 EST 2025 christos%quasar.astron.com@localhost:/usr/src/sys/arch/amd64/compile/QUASAR amd64
Architecture: x86_64
Machine: amd64
>Description:
If the libfuzzer callback fails, then the system is unable to handle
it, because the libc constructors have not been called.
/usr/src/sys/lib/libunwind/libunwind.c:25:
static LocalAddressSpace sThisAddressSpace(MyCFIParser::findPCRange);
Then we die trying to dereference:
/usr/src/sys/lib/libunwind/AddressSpace.hpp:397:
(*findPCRange)(
*this, header + (int32_t)get32(n->hdr_start + (entries - 1) * 8 + 4),
tmp, n->last_pc);
>How-To-Repeat:
[2:11pm] 374>cat x.cc
#include <sys/types.h>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
return -1;
}
[2:11pm] 375>clang++ -g -fsanitize=fuzzer,address x.cc -o x
[2:11pm] 376>paxctl +a x
[2:11pm] 377>./x
INFO: Seed: 821425815
INFO: Loaded 1 modules (1 inline 8-bit counters): 1 [0x59e008, 0x59e009),
INFO: Loaded 1 PC tables (1 PCs): 1 [0x5764b8,0x5764c8),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
assertion "Res == 0" failed: file "/net/quasar/src-5/NetBSD/src/external/bsd/compiler_rt/lib/clang/lib/netbsd/fuzzer-m64/../../../../../../../../sys/external/bsd/compiler_rt/dist/lib/fuzzer/FuzzerLoop.cpp", line 575, function "void fuzzer::Fuzzer::ExecuteCallback(const uint8_t *, size_t)"
==18000== ERROR: libFuzzer: deadly signal
#0 0x45a8a7 in __sanitizer_print_stack_trace /net/quasar/src-5/NetBSD/src/external/bsd/compiler_rt/lib/clang/lib/netbsd/asan-m64/../../../../../../../../sys/external/bsd/compiler_rt/dist/lib/asan/asan_stack.cc:38:3
#1 0x4409f5 in fuzzer::PrintStackTrace() (/net/quasar/u-5/christos/src/file/src/Test_libmagic_1/./x+0x4409f5)
#2 0x430bc3 in fuzzer::Fuzzer::CrashCallback() (/net/quasar/u-5/christos/src/file/src/Test_libmagic_1/./x+0x430bc3)
#3 0x430b80 in fuzzer::Fuzzer::StaticCrashSignalCallback() (/net/quasar/u-5/christos/src/file/src/Test_libmagic_1/./x+0x430b80)
#4 0x7f7ff7b0e68f (/usr/lib/libc.so.12+0x19968f)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64:
>Fix:
Low level code that can be called very early should not require
complex features like constructors, or something needs to make
sure that constructors have been called.
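As an added example, not code from this PR, NetBSD or libunwind: a C++ stand-in for the pattern in the Description that shows both remedies the Fix names. `AddressSpace`, `fakeFindPCRange`, the 8-byte table-entry layout and `probe` are assumed stand-ins for libunwind's `LocalAddressSpace` and `MyCFIParser::findPCRange`.

```cpp
// Added illustration, not NetBSD or libunwind code.  libunwind.c:25 defines a
// global whose constructor stores a function pointer and AddressSpace.hpp calls
// through it; if the crash path runs before dynamic initialisers, the pointer
// is still the loader's zero fill and the indirect call faults.
#include <cstdint>
typedef uint64_t pint_t;

// Stand-in for MyCFIParser::findPCRange (assumed shape): decode start/length
// from a constructed 8-byte little-endian table entry.
static bool fakeFindPCRange(const uint8_t *entry, pint_t &start, pint_t &end) {
    uint32_t s = 0, len = 0;
    for (int i = 3; i >= 0; --i) {
        s = (s << 8) | entry[i];
        len = (len << 8) | entry[4 + i];
    }
    if (len == 0)
        return false;
    start = s;
    end = s + len;
    return true;
}

struct AddressSpace {
    typedef bool (*FindPCRange)(const uint8_t *, pint_t &, pint_t &);
    FindPCRange findPCRange;
    // Remedy 1 (PR Fix, first clause): a constexpr constructor lets a global
    // be constant-initialised, so it is usable before any constructor runs.
    constexpr explicit AddressSpace(FindPCRange f) : findPCRange(f) {}
    // Remedy 2 (second clause): check that construction happened before the
    // indirect call; a zero-filled instance refuses instead of faulting.
    bool lookup(const uint8_t *entry, pint_t &start, pint_t &end) const {
        if (findPCRange == nullptr)
            return false;               // constructors have not run yet
        return (*findPCRange)(entry, start, end);
    }
};

// Constant-initialised global; the static_assert fails to compile if this
// object would need a dynamic constructor.
constexpr AddressSpace sThisAddressSpace(fakeFindPCRange);
static_assert(sThisAddressSpace.findPCRange == fakeFindPCRange, "needs ctor");

// Constructed sample entry: start 0x1000, length 0x40 (little-endian).
static const uint8_t kEntry[8] = {0x00, 0x10, 0, 0, 0x40, 0, 0, 0};

// Returns 0 when the lookup is refused, else (start << 32) | end.
// probe(AddressSpace(nullptr)) models the zero-filled, unconstructed state.
uint64_t probe(const AddressSpace &as) {
    pint_t s = 0, e = 0;
    return as.lookup(kEntry, s, e) ? (s << 32) | e : 0;
}
```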