Quuxplusone / LLVMBugzillaTest


segfault when oss-fuzz builds libtorrent #42784

Open Quuxplusone opened 4 years ago

Quuxplusone commented 4 years ago
Bugzilla Link PR43814
Status NEW
Importance P normal
Reported by Paul Dreik (llvmbugzilla@pauldreik.se)
Reported on 2019-10-26 01:23:59 -0700
Last modified on 2020-07-29 07:37:14 -0700
Version 10.0
Hardware PC Linux
CC arvid.norberg@gmail.com, blitzrakete@gmail.com, dgregor@apple.com, erik.pilkington@gmail.com, llvm-bugs@lists.llvm.org, llvmbugzilla@pauldreik.se, richard-llvm@metafoo.co.uk, schopf.dan@gmail.com
Fixed by commit(s)
Attachments web_connection_base-8ca7e8.cpp.part1.7z (823385 bytes, application/x-7z-compressed)
web_connection_base-8ca7e8.cpp.part2.7z (742764 bytes, application/x-7z-compressed)
web_connection_base-8ca7e8.sh (5438 bytes, application/x-shellscript)
test.cpp (229 bytes, text/x-c++src)
Blocks
Blocked by
See also
Created attachment 22732
part1 of reproducer

OSS-Fuzz has reported a build failure for libtorrent since 2019-09-18

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17308

I suspected it was related to boost, so I switched to boost 1.70 but the same thing happened. The output below is using 1.70, so not identical to the oss-fuzz build, but it should be irrelevant for the crash.

Here is an excerpt of the build failure, when running the oss-fuzz docker build locally:

(unfortunately I had to split the huge file in two, to pass the size limit on attachments)

...failed clang-linux.compile.c++.without-pch ../bin/clang-linux-ossfuzz/release/asserts-on/crypto-openssl/debug-iterators-on/debug-symbols-on/export-extra-on/fuzz-external/link-static/threading-multi/src/peer_connection.o...
clang-linux.compile.c++.without-pch ../bin/clang-linux-ossfuzz/release/asserts-on/crypto-openssl/debug-iterators-on/debug-symbols-on/export-extra-on/fuzz-external/link-static/threading-multi/src/web_connection_base.o
Stack dump:
0.  Program arguments: /usr/local/bin/clang-10 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -disable-free -disable-llvm-verifier -discard-value-names -main-file-name web_connection_base.cpp -mrelocation-model static -mthread-model posix -mframe-pointer=all -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debug-info-kind=line-tables-only -dwarf-version=4 -debugger-tuning=gdb -resource-dir /usr/local/lib/clang/10.0.0 -D FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -D FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -D BOOST_ALL_NO_LIB -D BOOST_ASIO_ENABLE_CANCELIO -D BOOST_ASIO_HAS_STD_CHRONO -D BOOST_MULTI_INDEX_DISABLE_SERIALIZATION -D BOOST_NO_DEPRECATED -D BOOST_SYSTEM_NO_DEPRECATED -D BOOST_SYSTEM_STATIC_LINK=1 -D NDEBUG -D OPENSSL_NO_SSL2 -D TORRENT_BUILDING_LIBRARY -D TORRENT_EXPORT_EXTRA -D TORRENT_USE_ASSERTS=1 -D TORRENT_USE_I2P=1 -D TORRENT_USE_LIBCRYPTO -D TORRENT_USE_OPENSSL -D _FILE_OFFSET_BITS=64 -D _GLIBCXX_DEBUG -D _GLIBCXX_DEBUG_PEDANTIC -D _WIN32_WINNT=0x0600 -I ../ed25519/src -I ../include -I ../include/libtorrent -I /src/boost_1_70_0 -I /usr/local/include -I /usr/sfw/include -internal-isystem /usr/local/bin/../include/c++/v1 -internal-isystem /usr/local/include -internal-isystem /usr/local/lib/clang/10.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O1 -Wall -Wno-inline -Wno-c++98-compat-pedantic -Weverything -Wno-documentation -Wno-exit-time-destructors -Wno-global-constructors -Wno-padded -Wno-return-std-move-in-c++11 -Wno-unknown-warning-option -Wno-weak-vtables -fdeprecated-macro -fdebug-compilation-dir /src/libtorrent/fuzzers -ferror-limit 19 -fmessage-length 0 -pthread -fobjc-runtime=gcc -fcxx-exceptions -fexceptions -fdiagnostics-show-option -faddrsig -o ../bin/clang-linux-ossfuzz/release/asserts-on/crypto-openssl/debug-iterators-on/debug-symbols-on/export-extra-on/fuzz-external/link-static/threading-multi/src/web_connection_base.o -x c++ ../src/web_connection_base.cpp
1.  <eof> parser at end of file
 #0 0x000000000149d5b4 PrintStackTraceSignalHandler(void*) (/usr/local/bin/clang-10+0x149d5b4)
 #1 0x000000000149b48e llvm::sys::RunSignalHandlers() (/usr/local/bin/clang-10+0x149b48e)
 #2 0x000000000149d9a8 SignalHandler(int) (/usr/local/bin/clang-10+0x149d9a8)
 #3 0x00007f45d44e8390 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
 #4 0x0000000001816ffd clang::CodeGen::CodeGenFunction::EmitEndEHSpec(clang::Decl const*) (/usr/local/bin/clang-10+0x1816ffd)
 #5 0x00000000016b4112 clang::CodeGen::CodeGenFunction::FinishFunction(clang::SourceLocation) (/usr/local/bin/clang-10+0x16b4112)
 #6 0x00000000016b0365 clang::CodeGen::CodeGenFunction::EmitMustTailThunk(clang::GlobalDecl, llvm::Value*, llvm::FunctionCallee) (/usr/local/bin/clang-10+0x16b0365)
 #7 0x00000000016b047c clang::CodeGen::CodeGenFunction::generateThunk(llvm::Function*, clang::CodeGen::CGFunctionInfo const&, clang::GlobalDecl, clang::ThunkInfo const&, bool) (/usr/local/bin/clang-10+0x16b047c)
 #8 0x00000000016b08f6 clang::CodeGen::CodeGenVTables::maybeEmitThunk(clang::GlobalDecl, clang::ThunkInfo const&, bool) (/usr/local/bin/clang-10+0x16b08f6)
 #9 0x00000000016b0c4f clang::CodeGen::CodeGenVTables::addVTableComponent(clang::CodeGen::ConstantArrayBuilder&, clang::VTableLayout const&, unsigned int, llvm::Constant*, unsigned int&) (/usr/local/bin/clang-10+0x16b0c4f)
#10 0x00000000016b1199 clang::CodeGen::CodeGenVTables::createVTableInitializer(clang::CodeGen::ConstantStructBuilder&, clang::VTableLayout const&, llvm::Constant*) (/usr/local/bin/clang-10+0x16b1199)
#11 0x000000000172ec21 (anonymous namespace)::ItaniumCXXABI::emitVTableDefinitions(clang::CodeGen::CodeGenVTables&, clang::CXXRecordDecl const*) (/usr/local/bin/clang-10+0x172ec21)
#12 0x0000000002c000d9 clang::Sema::DefineUsedVTables() (/usr/local/bin/clang-10+0x2c000d9)
#13 0x00000000029e3fee clang::Sema::ActOnEndOfTranslationUnitFragment(clang::Sema::TUFragmentKind) (/usr/local/bin/clang-10+0x29e3fee)
#14 0x00000000029e4284 clang::Sema::ActOnEndOfTranslationUnit() (/usr/local/bin/clang-10+0x29e4284)
#15 0x00000000028dd47e clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&, bool) (/usr/local/bin/clang-10+0x28dd47e)
#16 0x00000000028d85ad clang::ParseAST(clang::Sema&, bool, bool) (/usr/local/bin/clang-10+0x28d85ad)
#17 0x0000000001ae7c99 clang::FrontendAction::Execute() (/usr/local/bin/clang-10+0x1ae7c99)
#18 0x0000000001a8b5a0 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/local/bin/clang-10+0x1a8b5a0)
#19 0x0000000001b805bb clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/usr/local/bin/clang-10+0x1b805bb)
#20 0x000000000087d7ff cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/local/bin/clang-10+0x87d7ff)
#21 0x000000000087c0cf main (/usr/local/bin/clang-10+0x87c0cf)
#22 0x00007f45d3480830 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20830)
#23 0x00000000008792c9 _start (/usr/local/bin/clang-10+0x8792c9)
clang-10: error: unable to execute command: Segmentation fault (core dumped)
clang-10: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 10.0.0 (trunk 373424)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
clang-10: note: diagnostic msg: PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
clang-10: note: diagnostic msg:
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-10: note: diagnostic msg: /tmp/web_connection_base-8ca7e8.cpp
clang-10: note: diagnostic msg: /tmp/web_connection_base-8ca7e8.sh
clang-10: note: diagnostic msg:

********************
Quuxplusone commented 4 years ago

Attached web_connection_base-8ca7e8.cpp.part1.7z (823385 bytes, application/x-7z-compressed): part1 of reproducer

Quuxplusone commented 4 years ago

Attached web_connection_base-8ca7e8.cpp.part2.7z (742764 bytes, application/x-7z-compressed): part 2 of reproducer

Quuxplusone commented 4 years ago

Attached web_connection_base-8ca7e8.sh (5438 bytes, application/x-shellscript): reproducer shell script

Quuxplusone commented 4 years ago

This crash is a regression since clang-9.

It is still happening on the release/10.x branch (tested from github commit aeba7ba9f3dada09e196d174e7f13b82f01300db). Using Ubuntu 19.10.

I have tried to create a minimal reproducing example, but creduce itself is failing (so far).

Quuxplusone commented 3 years ago

Attached test.cpp (229 bytes, text/x-c++src): Minimal example