nalloc with FuzzedDataProvider

[IvanNardi]

Are there any known issues running nalloc with a (c++) fuzzer using FuzzedDataProvider.h?
https://github.com/llvm/llvm-project/blob/main/compiler-rt/include/fuzzer/FuzzedDataProvider.h
https://github.com/google/fuzzing/blob/master/docs/split-inputs.md

I am asking because I keep getting very strange errors in this scenario, in nDPI, with oss-fuzz.
Everything seems fine with "standard" c fuzzers, without FuzzedDataProvider.h

https://oss-fuzz.com/testcase-detail/4841956818878464

 	UndefinedBehaviorSanitizer:DEADLYSIGNAL
	==308==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x053900000134 (pc 0x7b5e0523700b bp 0x7ffe801644c0 sp 0x7ffe80163ec0 T308)
	UndefinedBehaviorSanitizer: CHECK failed: sanitizer_linux_libcdep.cpp:183 "((pthread_getattr_np(pthread_self(), &attr))) == ((0))" (0xc, 0x0) (tid=308)
	MS: 1 CrossOver-libc++abi: bad_alloc was thrown in -fno-exceptions mode            <-----------------------------------------------
	UndefinedBehaviorSanitizer:DEADLYSIGNAL
	UndefinedBehaviorSanitizer: nested bug in the same thread, aborting.

https://oss-fuzz-build-logs.storage.googleapis.com/log-e92a6d49-c831-4636-bd4c-96036093e612.txt

Step #5: libc++abi: terminating due to uncaught exception of type std::bad_alloc: std::bad_alloc                <--------------------------------------------------------
Step #5: ==4046== ERROR: libFuzzer: deadly signal
Step #5:     #0 0x5559ea4b91f4 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3
Step #5:     #1 0x5559ea42d778 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
Step #5:     #2 0x5559ea4102c5 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
Step #5:     #3 0x7f0617ad041f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 9753720502573b97dbac595b61fd72c2df18e078)
Step #5:     #4 0x7f06178ca00a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
Step #5:     #5 0x7f06178a9858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
Step #5:     #6 0x5559ea3ee3a5 in __abort_message (out/libfuzzer-coverage-x86_64/fuzz_config+0x1293a5)
Step #5:     #7 0x5559ea5c1f98 in demangling_terminate_handler() cxa_default_handlers.cpp
Step #5:     #8 0x5559ea5bef72 in std::__terminate(void (*)()) (out/libfuzzer-coverage-x86_64/fuzz_config+0x2f9f72)
Step #5:     #9 0x5559ea5c0b65 in __cxxabiv1::failed_throw(__cxxabiv1::__cxa_exception*) cxa_exception.cpp
Step #5:     #10 0x5559ea5c0b4f in __cxa_throw (out/libfuzzer-coverage-x86_64/fuzz_config+0x2fbb4f)
Step #5:     #11 0x5559ea5db3c5 in operator new(unsigned long) (out/libfuzzer-coverage-x86_64/fuzz_config+0x3163c5)
Step #5:     #12 0x5559ea4c589a in __libcpp_allocate<char> /usr/local/bin/../include/c++/v1/__new/allocate.h:43:28
Step #5:     #13 0x5559ea4c589a in allocate /usr/local/bin/../include/c++/v1/__memory/allocator.h:105:14
Step #5:     #14 0x5559ea4c589a in __allocate_at_least<std::__1::allocator<char> > /usr/local/bin/../include/c++/v1/__memory/allocate_at_least.h:41:19
Step #5:     #15 0x5559ea4c589a in __init /usr/local/bin/../include/c++/v1/string:2559:25
Step #5:     #16 0x5559ea4c589a in basic_string /usr/local/bin/../include/c++/v1/string:1071:5
Step #5:     #17 0x5559ea4c589a in ConsumeBytesAsString /usr/local/lib/clang/22/include/fuzzer/FuzzedDataProvider.h:142:15            <---------------------------------------
Step #5:     #18 0x5559ea4c589a in LLVMFuzzerTestOneInput /src/ndpi/fuzz/fuzz_config.cpp:728:47
Step #5:     #19 0x5559ea4119ad in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
Step #5:     #20 0x5559ea41af48 in fuzzer::Fuzzer::CrashResistantMergeInternalStep(std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char>> const&, bool) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMerge.cpp:239:5
Step #5:     #21 0x5559ea402449 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:890:8
Step #5:     #22 0x5559ea42e122 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
Step #5:     #23 0x7f06178ab082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
Step #5:     #24 0x5559ea3f580d in _start (out/libfuzzer-coverage-x86_64/fuzz_config+0x13080d)

Long shot: it seems that oss-fuzz is compiled with -fno-exceptions.
Maybe some incompatibility between nalloc and such compilation flag?

ivan@ivan-Precision-3591:~/svnrepos/oss-fuzz(master)$ git grep fno-exceptions
infra/base-images/base-builder/indexer/index_build.py:      '-fno-exceptions',
infra/base-images/base-builder/indexer/index_build.py:      '-fno-exceptions',

[catenacyber]

Do you have the output with NALLOC_VERBOSE=1 ?
It looks like FuzzedDataProvider does not support failed allocation at some point...

[IvanNardi]

Do you have the output with NALLOC_VERBOSE=1 ?

I modify oss-script to set that variable.
Sometime I don't get stack information...

failed calloc(3632) 
failed malloc(32) 
failed realloc(995) 
==37== ERROR: libFuzzer: deadly signal
failed malloc(120) 
UndefinedBehaviorSanitizer: CHECK failed: sanitizer_linux_libcdep.cpp:183 "((pthread_getattr_np(pthread_self(), &attr))) == ((0))" (0x2, 0x0) (tid=37)
MS: 0 failed malloc(48) 
libc++abi: bad_alloc was thrown in -fno-exceptions mode
Aborted (core dumped)
MERGE-OUTER: attempt 2

sometimes I got it

failed calloc(3632) 
failed malloc(40) 
failed realloc(995) 
==64== ERROR: libFuzzer: deadly signal
failed malloc(1024) 
    #0 0x56285eba61f4 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/ubsan/ubsan_diag_standalone.cpp:31:3
    #1 0x56285eb1a778 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x56285eafd2c5 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
    #3 0x7f054977941f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 9753720502573b97dbac595b61fd72c2df18e078)
    #4 0x7f054957300a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #5 0x7f0549552858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #6 0x56285ecab9a8 in (anonymous namespace)::itanium_demangle::NameType::printLeft((anonymous namespace)::itanium_demangle::OutputBuffer&) const cxa_demangle.cpp
    #7 0x56285ecb9616 in (anonymous namespace)::itanium_demangle::NestedName::printLeft((anonymous namespace)::itanium_demangle::OutputBuffer&) const cxa_demangle.cpp
    #8 0x56285eca678d in __cxa_demangle (/out/fuzz_config+0x2ef78d)
    #9 0x56285eca5bdc in demangling_terminate_handler() cxa_default_handlers.cpp
    #10 0x56285eca2c02 in std::__terminate(void (*)()) (/out/fuzz_config+0x2ebc02)
    #11 0x56285eca47f5 in __cxxabiv1::failed_throw(__cxxabiv1::__cxa_exception*) cxa_exception.cpp
    #12 0x56285eca47df in __cxa_throw (/out/fuzz_config+0x2ed7df)
    #13 0x56285ecbf055 in operator new(unsigned long) (/out/fuzz_config+0x308055)
    #14 0x56285eba960c in __libcpp_allocate<char> /usr/local/bin/../include/c++/v1/__new/allocate.h:43:28
    #15 0x56285eba960c in allocate /usr/local/bin/../include/c++/v1/__memory/allocator.h:105:14
    #16 0x56285eba960c in __allocate_at_least<std::__1::allocator<char> > /usr/local/bin/../include/c++/v1/__memory/allocate_at_least.h:41:19
    #17 0x56285eba960c in __init /usr/local/bin/../include/c++/v1/string:2559:25
    #18 0x56285eba960c in basic_string /usr/local/bin/../include/c++/v1/string:1071:5
    #19 0x56285eba960c in ConsumeBytesAsString /usr/local/lib/clang/22/include/fuzzer/FuzzedDataProvider.h:142:15
    #20 0x56285eba960c in LLVMFuzzerTestOneInput /src/ndpi/fuzz/fuzz_config.cpp:234:47
    #21 0x56285eafe9ad in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
    #22 0x56285eb07f48 in fuzzer::Fuzzer::CrashResistantMergeInternalStep(std::__Fuzzer::basic_string<char, std::__Fuzzer::char_traits<char>, std::__Fuzzer::allocator<char>> const&, bool) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMerge.cpp:239:5
    #23 0x56285eaef449 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:890:8
    #24 0x56285eb1b122 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #25 0x7f0549554082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 5792732f783158c66fb4f3756458ca24e46e827d)
    #26 0x56285eae280d in _start (/out/fuzz_config+0x12b80d)

DEDUP_TOKEN: __sanitizer_print_stack_trace--fuzzer::PrintStackTrace()--fuzzer::Fuzzer::CrashCallback()
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 failed malloc(48) 
libc++abi: bad_alloc was thrown in -fno-exceptions mode

but I am not sure if that is what you want...

Please note that this happen only with oss-fuzz; on my local enviroment I never got these errors (same version, same corpus)

It looks like FuzzedDataProvider does not support failed allocation at some point...

It could be, but I think that there may be something different on oss-fuzz enviroment....

[catenacyber]

Looks like you do not have the stack trace of the failed allocation as you should...
Because this is UBSAN, not ASAN...

Maybe you can patch the logic

#if defined(__clang__) && defined(__has_feature)
#if __has_feature(address_sanitizer)
#define NALLOC_ASAN 1
#endif
#endif

to include UBSAN and see if it works