
nalloc with FuzzedDataProvider #4

@IvanNardi

Are there any known issues running nalloc with a (C++) fuzzer using FuzzedDataProvider.h?
https://github.com/llvm/llvm-project/blob/main/compiler-rt/include/fuzzer/FuzzedDataProvider.h
https://github.com/google/fuzzing/blob/master/docs/split-inputs.md

I am asking because I keep getting very strange errors in this scenario, in nDPI, with oss-fuzz.
Everything seems fine with "standard" C fuzzers, without FuzzedDataProvider.h.

https://oss-fuzz.com/testcase-detail/4841956818878464

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==308==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x053900000134 (pc 0x7b5e0523700b bp 0x7ffe801644c0 sp 0x7ffe80163ec0 T308)
UndefinedBehaviorSanitizer: CHECK failed: sanitizer_linux_libcdep.cpp:183 "((pthread_getattr_np(pthread_self(), &attr))) == ((0))" (0xc, 0x0) (tid=308)
MS: 1 CrossOver-libc++abi: bad_alloc was thrown in -fno-exceptions mode            <-----------------------------------------------
UndefinedBehaviorSanitizer:DEADLYSIGNAL
UndefinedBehaviorSanitizer: nested bug in the same thread, aborting.

https://oss-fuzz-build-logs.storage.googleapis.com/log-e92a6d49-c831-4636-bd4c-96036093e612.txt

Step #5: libc++abi: terminating due to uncaught exception of type std::bad_alloc: std::bad_alloc                <--------------------------------------------------------
Step #5: ==4046== ERROR: libFuzzer: deadly signal
Step #5:     #0 0x5559ea4b91f4 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3
Step #5:     #1 0x5559ea42d778 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
Step #5:     #2 0x5559ea4102c5 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
Step #5:     #3 0x7f0617ad041f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 9753720502573b97dbac595b61fd72c2df18e078)
Step #5:     #4 0x7f06178ca00a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
Step #5:     #5 0x7f06178a9858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
Step #5:     #6 0x5559ea3ee3a5 in __abort_message (out/libfuzzer-coverage-x86_64/fuzz_config+0x1293a5)
Step #5:     #7 0x5559ea5c1f98 in demangling_terminate_handler() cxa_default_handlers.cpp
Step #5:     #8 0x5559ea5bef72 in std::__terminate(void (*)()) (out/libfuzzer-coverage-x86_64/fuzz_config+0x2f9f72)
Step #5:     #9 0x5559ea5c0b65 in __cxxabiv1::failed_throw(__cxxabiv1::__cxa_exception*) cxa_exception.cpp
Step #5:     #10 0x5559ea5c0b4f in __cxa_throw (out/libfuzzer-coverage-x86_64/fuzz_config+0x2fbb4f)
Step #5:     #11 0x5559ea5db3c5 in operator new(unsigned long) (out/libfuzzer-coverage-x86_64/fuzz_config+0x3163c5)
Step #5:     #12 0x5559ea4c589a in __libcpp_allocate<char> /usr/local/bin/../include/c++/v1/__new/allocate.h:43:28
Step #5:     #13 0x5559ea4c589a in allocate /usr/local/bin/../include/c++/v1/__memory/allocator.h:105:14
Step #5:     #14 0x5559ea4c589a in __allocate_at_least<std::__1::allocator<char> > /usr/local/bin/../include/c++/v1/__memory/allocate_at_least.h:41:19
Step #5:     #15 0x5559ea4c589a in __init /usr/local/bin/../include/c++/v1/string:2559:25
Step #5:     #16 0x5559ea4c589a in basic_string /usr/local/bin/../include/c++/v1/string:1071:5
Step #5:     #17 0x5559ea4c589a in ConsumeBytesAsString /usr/local/lib/clang/22/include/fuzzer/FuzzedDataProvider.h:142:15            <---------------------------------------
Step #5:     #18 0x5559ea4c589a in LLVMFuzzerTestOneInput /src/ndpi/fuzz/fuzz_config.cpp:728:47
Step #5:     #19 0x5559ea4119ad in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
Step #5:     #20 0x5559ea41af48 in fuzzer::Fuzzer::CrashResistantMergeInternalStep(std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char>> const&, bool) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMerge.cpp:239:5
Step #5:     #21 0x5559ea402449 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:890:8
Step #5:     #22 0x5559ea42e122 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
Step #5:     #23 0x7f06178ab082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
Step #5:     #24 0x5559ea3f580d in _start (out/libfuzzer-coverage-x86_64/fuzz_config+0x13080d)

Long shot: it seems that oss-fuzz is compiled with -fno-exceptions.
Maybe there is some incompatibility between nalloc and such a compilation flag?

ivan@ivan-Precision-3591:~/svnrepos/oss-fuzz(master)$ git grep fno-exceptions
infra/base-images/base-builder/indexer/index_build.py:      '-fno-exceptions',
infra/base-images/base-builder/indexer/index_build.py:      '-fno-exceptions',
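As an added illustration that is not part of this issue or of nalloc's own code: the trace above ends in ConsumeBytesAsString constructing a std::string, so an injected allocation failure surfaces as std::bad_alloc thrown from operator new, which -fno-exceptions turns into std::terminate(). The block below uses a constructed stand-in for a failure-injecting allocator (a replaced global operator new with a "fail next allocation" flag, not nalloc's mechanism) and contrasts the string-based consumption with a heap-free copy into a caller-owned buffer, which is what FuzzedDataProvider::ConsumeData does.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>
#include <string>

// Constructed stand-in for an allocation-failure injector (hypothetical, not nalloc's code).
static bool g_fail_next_alloc = false;

void* operator new(std::size_t n) {
    if (g_fail_next_alloc) {
        g_fail_next_alloc = false;
        throw std::bad_alloc();  // under -fno-exceptions this ends in std::terminate()
    }
    if (void* p = std::malloc(n ? n : 1)) return p;
    throw std::bad_alloc();
}
void operator delete(void* p) noexcept { std::free(p); }
void operator delete(void* p, std::size_t) noexcept { std::free(p); }

// Constructed sample input: longer than any small-string buffer (libc++ keeps
// 22 bytes inline), so copying it into a std::string must go through operator new.
static const char kSample[] = "constructed-sample-input-0123456789-abcdefghijklmnopqrstuvwxyz";

// The pattern in the stack trace: ConsumeBytesAsString hands the bytes to a std::string,
// which heap-allocates. Returns false if that allocation failed (caught here; fatal under -fno-exceptions).
bool consume_as_string(const std::uint8_t* data, std::size_t len, bool inject_failure) {
    g_fail_next_alloc = inject_failure;
    try {
        std::string s(reinterpret_cast<const char*>(data), len);
        g_fail_next_alloc = false;
        return s.size() == len;
    } catch (const std::bad_alloc&) {
        g_fail_next_alloc = false;
        return false;
    }
}

// Heap-free alternative for harness-side consumption: copy into a buffer the caller owns
// (what ConsumeData does). Returns true when every byte was copied and no allocation ran.
bool consume_into_buffer(const std::uint8_t* data, std::size_t len, bool inject_failure,
                         char* out, std::size_t out_cap) {
    g_fail_next_alloc = inject_failure;
    std::size_t n = len < out_cap ? len : out_cap;
    std::memcpy(out, data, n);
    bool untouched = (g_fail_next_alloc == inject_failure);  // still set: nothing allocated
    g_fail_next_alloc = false;
    return untouched && n == len;
}
```

With the failure injected, the std::string path reports the bad_alloc while the fixed-buffer path completes untouched; in an actual -fno-exceptions build the first path would abort the fuzzer exactly as in the log above.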
