asl / llvm-bugzilla


signal-unsafe call inside of a signal (Bugzilla Bug 7) #7

Open asl opened 5 years ago

asl commented 5 years ago

This issue was created automatically with bugzilla2github

Bugzilla Bug 7

Date: 2019-10-27T09:02:11+07:00
From: @adrianimboden
To: Unassigned LLVM Bugs <unassignedbugs@nondot.org>
CC: llvm-bugs@lists.llvm.org

Last updated: 2019-10-27T09:02:11+07:00

asl commented 5 years ago

Comment 190265

Date: 2019-10-27 09:02:11 -0700 From: @adrianimboden

When I press CTRL+C during the execution of a fuzzer with tsan support, a signal unsafety is detected:

$ docker run -it thingdust/llvm-tsan-repro
$ cat main.cpp
#include <cstdint>   // uint8_t
#include <cstddef>   // std::size_t

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, std::size_t size) {
  return 0;
}

$ clang++-9 -glldb -O0 -fsanitize=fuzzer,thread main.cpp
$ ./a.out
==30238==Installed the sigaction for signal 11
==30238==Installed the sigaction for signal 7
==30238==Installed the sigaction for signal 8
***** Running under ThreadSanitizer v2 (pid 30238) *****
INFO: Seed: 514887584
INFO: Loaded 1 modules   (1 inline 8-bit counters): 1 [0x3a4ab8, 0x3a4ab9), 
INFO: Loaded 1 PC tables (1 PCs): 1 [0x239800,0x239810), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 1 ft: 1 corp: 1/1b exec/s: 0 rss: 96Mb
^C==30238== libFuzzer: run interrupted; exiting
==================
WARNING: ThreadSanitizer: signal-unsafe call inside of a signal (pid=30238)
    #0 malloc /home/build/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:650:5 (a.out+0x3250d4)
    #1 operator new(unsigned long)  (a.out+0x2896e7)
    #2 operator new(unsigned long)  (a.out+0x2896e7)

SUMMARY: ThreadSanitizer: signal-unsafe call inside of a signal (/home/build/workdir/fuzzer/a.out+0x2896e7) in operator new(unsigned long)
==================
MS: 1 CopyPart-

#============== hangs now =====================

$ lldb-9 -p 30238
(lldb) process attach --pid 30238
Process 30238 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSTOP
    frame #0: 0x0000000000309650 a.out`::Lock() [inlined] atomic_exchange<__sanitizer::atomic_uint32_t> at sanitizer_atomic_clang.h:67:7
  thread #2, name = 'a.out', stop reason = signal SIGSTOP
    frame #0: 0x00000000003090a7 a.out`::internal_sched_yield() at sanitizer_linux.cc:419:3
  thread #3, name = 'a.out', stop reason = signal SIGSTOP
    frame #0: 0x0000000000309650 a.out`::Lock() [inlined] atomic_exchange<__sanitizer::atomic_uint32_t> at sanitizer_atomic_clang.h:67:7

Executable module set to "/home/build/workdir/fuzzer/a.out".
Architecture set to: x86_64-unknown-linux-gnu.
(lldb) bt all
* thread #1, name = 'a.out', stop reason = signal SIGSTOP
  * frame #0: 0x0000000000309650 a.out`::Lock() [inlined] atomic_exchange<__sanitizer::atomic_uint32_t> at sanitizer_atomic_clang.h:67:7
    frame #1: 0x0000000000309650 a.out`::Lock() at sanitizer_linux.cc:649
    frame #2: 0x000000000037a7df a.out`::SignalUnsafeCall() [inlined] Lock at sanitizer_thread_registry.h:97:22
    frame #3: 0x000000000037a7d3 a.out`::SignalUnsafeCall() [inlined] GenericScopedLock at sanitizer_mutex.h:183
    frame #4: 0x000000000037a7d3 a.out`::SignalUnsafeCall() at tsan_mman.cc:147
    frame #5: 0x000000000037a2f8 a.out`::user_alloc_internal() at tsan_mman.cc:174:5
    frame #6: 0x000000000037aa51 a.out`::user_alloc() at tsan_mman.cc:188:25
    frame #7: 0x00000000003250e3 a.out`::__interceptor_malloc() at tsan_interceptors.cc:651:9
    frame #8: 0x00000000002896e8 a.out`operator new(unsigned long) + 24
    frame #9: 0x00000000002fb783 a.out`std::Fuzzer::basic_string, std::Fuzzer::allocator >::push_back(char) + 195
    frame #10: 0x0000000000294f5b a.out`::overflow() at sstream:541:24
    frame #11: 0x00000000002d50ce a.out`std::Fuzzer::basic_streambuf >::xsputn(char const*, long) + 142
    frame #12: 0x00000000002964e4 a.out`::__pad_and_output >() [inlined] sputn at streambuf:229:14
    frame #13: 0x00000000002964d7 a.out`::__pad_and_output >() at locale:1411
    frame #14: 0x00000000002e6964 a.out`std::Fuzzer::num_put > >::do_put(std::Fuzzer::ostreambuf_iterator >, std::Fuzzer::ios_base&, char, unsigned long) const + 404
    frame #15: 0x00000000002da928 a.out`std::Fuzzer::basic_ostream >::operator<<(unsigned int) + 216
    frame #16: 0x00000000002c592b a.out`::Sha1ToString() at FuzzerSHA1.cpp:212:57
    frame #17: 0x00000000002af2fc a.out`::DumpCurrentUnit() at FuzzerLoop.cpp:180:31
    frame #18: 0x00000000002af91c a.out`::StaticDeathCallback() [inlined] DeathCallback at FuzzerLoop.cpp:192:3
    frame #19: 0x00000000002af90d a.out`::StaticDeathCallback() at FuzzerLoop.cpp:172
    frame #20: 0x000000000030f816 a.out`__sanitizer::Die() at sanitizer_termination.cc:52:5
    frame #21: 0x000000000038fbe8 a.out`::OutputReport() at tsan_rtl_report.cc:538:5
    frame #22: 0x000000000037a814 a.out`::SignalUnsafeCall() at tsan_mman.cc:150:3
    frame #23: 0x000000000037a2f8 a.out`::user_alloc_internal() at tsan_mman.cc:174:5
    frame #24: 0x000000000037aa51 a.out`::user_alloc() at tsan_mman.cc:188:25
    frame #25: 0x00000000003250e3 a.out`::__interceptor_malloc() at tsan_interceptors.cc:651:9
    frame #26: 0x00000000002896e8 a.out`operator new(unsigned long) + 24
    frame #27: 0x00000000002fb3c0 a.out`std::Fuzzer::basic_string, std::Fuzzer::allocator >::append(char const*, unsigned long) + 224
    frame #28: 0x00000000002ad355 a.out`::TempPath() [inlined] operator+, std::Fuzzer::allocator > at string:4151:30
    frame #29: 0x00000000002ad34d a.out`::TempPath() at FuzzerIO.cpp:156
    frame #30: 0x00000000002b0094 a.out`::InterruptCallback() at FuzzerLoop.cpp:268:18
    frame #31: 0x00000000002b0040 a.out`fuzzer::Fuzzer::StaticInterruptCallback() at FuzzerLoop.cpp:213:6
    frame #32: 0x000000000032d590 a.out`::CallUserSignalHandler() at tsan_interceptors.cc:1912:7
    frame #33: 0x0000000000323d09 a.out`::ProcessPendingSignals() at tsan_interceptors.cc:1959:7
    frame #34: 0x000000000032513e a.out`::__interceptor_malloc() [inlined] ~ScopedInterceptor at tsan_interceptors.cc:264:5
    frame #35: 0x00000000003250e6 a.out`::__interceptor_malloc() at tsan_interceptors.cc:652
    frame #36: 0x00000000002896e8 a.out`operator new(unsigned long) + 24
    frame #37: 0x00000000002b13f3 a.out`::ExecuteCallback() at FuzzerLoop.cpp:538:23
    frame #38: 0x00000000002b0d26 a.out`::RunOne() at FuzzerLoop.cpp:469:3
    frame #39: 0x00000000002b2fc8 a.out`::MutateAndTestOne() at FuzzerLoop.cpp:695:19
    frame #40: 0x00000000002b3ce6 a.out`::Loop() at FuzzerLoop.cpp:831:5
    frame #41: 0x00000000002a0e79 a.out`::FuzzerDriver() at FuzzerDriver.cpp:825:6
    frame #42: 0x00000000002caf13 a.out`main at FuzzerMain.cpp:19:10
    frame #43: 0x00007f362a44cb6b libc.so.6`__libc_start_main + 235
    frame #44: 0x000000000027502a a.out`_start + 42
  thread #2, name = 'a.out', stop reason = signal SIGSTOP
    frame #0: 0x00000000003090a7 a.out`::internal_sched_yield() at sanitizer_linux.cc:419:3
    frame #1: 0x000000000037d805 a.out`::Lock() [inlined] Do at tsan_mutex.cc:194:7
    frame #2: 0x000000000037d7f1 a.out`::Lock() at tsan_mutex.cc:234
    frame #3: 0x000000000038b27d a.out`::BackgroundThread() [inlined] GenericScopedLock at sanitizer_mutex.h:183:10
    frame #4: 0x000000000038b275 a.out`::BackgroundThread() at tsan_rtl.cc:216
    frame #5: 0x00007f362a63c182 libpthread.so.0`start_thread(arg=) at pthread_create.c:486:8
    frame #6: 0x00007f362a543b1f libc.so.6`clone + 63
  thread #3, name = 'a.out', stop reason = signal SIGSTOP
    frame #0: 0x0000000000309650 a.out`::Lock() [inlined] atomic_exchange<__sanitizer::atomic_uint32_t> at sanitizer_atomic_clang.h:67:7
    frame #1: 0x0000000000309650 a.out`::Lock() at sanitizer_linux.cc:649
    frame #2: 0x000000000038d71c a.out`::AfterSleep() [inlined] Lock at sanitizer_thread_registry.h:97:22
    frame #3: 0x000000000038d710 a.out`::AfterSleep() [inlined] GenericScopedLock at sanitizer_mutex.h:183
    frame #4: 0x000000000038d710 a.out`::AfterSleep() at tsan_rtl_mutex.cc:471
    frame #5: 0x0000000000323f5c a.out`::__interceptor_sleep() at tsan_interceptors.cc:349:3
    frame #6: 0x00000000002a230a a.out`fuzzer::RssThread(fuzzer::Fuzzer*, unsigned long) at FuzzerDriver.cpp:275:5
    frame #7: 0x00000000002a234b a.out`::__thread_proxy >, void (*)(fuzzer::Fuzzer *, unsigned long), fuzzer::Fuzzer *, unsigned long> >() [inlined] __invoke at type_traits:3530:1
    frame #8: 0x00000000002a2340 a.out`::__thread_proxy >, void (*)(fuzzer::Fuzzer *, unsigned long), fuzzer::Fuzzer *, unsigned long> >() [inlined] __thread_execute >, void (*)(fuzzer::Fuzzer *, unsigned long), fuzzer::Fuzzer *, unsigned long, 2, 3> at thread:277
    frame #9: 0x00000000002a2340 a.out`::__thread_proxy >, void (*)(fuzzer::Fuzzer *, unsigned long), fuzzer::Fuzzer *, unsigned long> >() at thread:287
    frame #10: 0x000000000032691d a.out`::__tsan_thread_start_func() at tsan_interceptors.cc:957:15
    frame #11: 0x00007f362a63c182 libpthread.so.0`start_thread(arg=) at pthread_create.c:486:8
    frame #12: 0x00007f362a543b1f libc.so.6`clone + 63
(lldb)
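The backtrace above shows the failure pattern: libFuzzer's interrupt callback runs inside a signal handler (via TSan's `ProcessPendingSignals`), calls `TempPath()`, which allocates, TSan reports the signal-unsafe `malloc`, and the death callback then allocates again while the thread-registry lock is still held, so the process deadlocks. The following is an added example, not code from the bug report or from libFuzzer, showing the async-signal-safe structure that avoids this: the handler only sets a `sig_atomic_t` flag and calls `write(2)`, and all allocating work (building a path, formatting output) is deferred to the main loop. `HandleInterrupt` and the `"-interrupted"` suffix are constructed stand-ins for libFuzzer's `TempPath()`/`DumpCurrentUnit()`, not the real functions.

```cpp
// Added example: async-signal-safe interrupt handling. Assumes a POSIX system
// (sigaction, write). Not part of the original report or of libFuzzer.
#include <csignal>
#include <cstdio>
#include <cstring>
#include <string>
#include <unistd.h>

// Only a lock-free atomic or sig_atomic_t may be written from a handler.
static volatile std::sig_atomic_t g_interrupt_pending = 0;

// The handler does no allocation, no iostream, no locking: it sets the flag
// and emits a fixed message with write(2), which is async-signal-safe.
extern "C" void OnInterrupt(int /*signo*/) {
    static const char msg[] = "interrupt requested; finishing current unit\n";
    g_interrupt_pending = 1;
    ssize_t ignored = write(STDERR_FILENO, msg, sizeof(msg) - 1);
    (void)ignored;
}

// Install with sigaction() rather than signal() so the semantics are defined.
bool InstallInterruptHandler(int signo) {
    struct sigaction sa;
    std::memset(&sa, 0, sizeof sa);
    sa.sa_handler = OnInterrupt;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(signo, &sa, nullptr) == 0;
}

bool InterruptPending() { return g_interrupt_pending != 0; }

// Deferred work runs on the main loop, outside signal context, where
// std::string / operator new / malloc are safe to use. The returned name is a
// constructed stand-in for what libFuzzer's TempPath()/DumpCurrentUnit() build.
std::string HandleInterrupt(const std::string& unit_prefix) {
    if (!InterruptPending()) return "";
    g_interrupt_pending = 0;          // acknowledge before doing slow work
    return unit_prefix + "-interrupted";  // allocating, but not in a handler
}

// Simulated fuzz loop: polls the flag once per iteration and stops early.
// Returns the number of iterations actually executed.
int RunLoop(int iterations) {
    int done = 0;
    for (int i = 0; i < iterations; ++i) {
        if (InterruptPending()) break;
        ++done;
    }
    return done;
}

int main() {
    if (!InstallInterruptHandler(SIGINT)) return 1;
    int ran = RunLoop(1000);                 // no interrupt yet: runs to completion
    raise(SIGINT);                           // simulate Ctrl+C (handler runs now)
    int ran_after = RunLoop(1000);           // flag set: stops immediately
    std::string artifact = HandleInterrupt("crash-unit");  // deferred, allocating
    std::printf("ran=%d ran_after=%d artifact=%s\n", ran, ran_after, artifact.c_str());
    return 0;
}
```

The point of the split is that nothing in `OnInterrupt` can take a lock or enter the allocator, so neither TSan's `SignalUnsafeCall` report nor the subsequent re-entrant lock in the death callback can occur; the expensive work happens only when the main loop observes the flag.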