Closed djuricmilan closed 2 weeks ago
Hi @djuricmilan ! Thanks for the report.
Could you clarify what PoC
is about? Also could you provide the Solidity code repro that generated such seg fault?
Hi @matheusaaguiar,
PoC is the solidity code that causes the segfault when invoked with solc, version 0.8.24:
solc poc.sol
@djuricmilan, sorry, but I am confused, that is far from valid Solidity code.
This is the result of fuzzing, so random (well mutated) code that should still retain valid compiler behaviour (as in proper errors instead of crashes or segfaults).
The curious thing here is that the segfault is in experimental analysis, which should only be invoked at all with pragma experimental solidity;
(by the way, there's no stability guarantees for that compiler mode and it will involve a lot of invalid behaviour - that's to be expected at the current stage and we're not interested in crashes, if it involves a full valid pragma experimental solidity; at this point).
But the reproduction does not involve such a pragma, so the question is why experimental analysis runs in the first place.
However, I can't reproduce the behaviour with 0.8.24 myself.
Ok, I attached the actual PoC that caused the segfault to this comment. Apologies from my side, I was fooled by my terminal multiplexer that simply did not display all the bytes when printing the PoC... The PoC indeed starts with a valid pragma experimental solidity statement, so I assume the crash is not relevant.
bug2.zip
Thanks for confirming. Since this happened with experimental, we can close this issue.
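The triage step the thread ends on, as an added example that is not part of the issue or of the solidity project: before reporting a fuzzer crash in solc, check whether the input actually enables `pragma experimental solidity;` (ignoring commented-out pragmas) and list any non-printing bytes a terminal would hide. The sample inputs below are constructed, not the attached bug2.zip PoC.

```python
from __future__ import annotations
import re

# Constructed sample inputs (not the PoC from the issue).
SAMPLE_WITH_PRAGMA = b"pragma experimental solidity;\ncontract C { }\n"
SAMPLE_COMMENTED = b"// pragma experimental solidity;\npragma solidity ^0.8.24;\ncontract C { }\n"
# Terminal control bytes and a NUL surround the pragma, so a pager may not show it.
SAMPLE_HIDDEN_BYTES = b"\x1b[H\x1b[2J\npragma experimental solidity;\x00\ncontract C { }\n"

_COMMENT_RE = re.compile(rb"//[^\n]*|/\*.*?\*/", re.DOTALL)
# A pragma directive runs from the keyword to the next ';'.
_PRAGMA_RE = re.compile(rb"(?<!\w)pragma\s+([^;]*);")


def strip_comments(src: bytes) -> bytes:
    """Blank out // and /* */ comments (string literals are not special-cased here)."""
    return _COMMENT_RE.sub(b" ", src)


def pragmas(src: bytes) -> list[str]:
    """Return normalised pragma bodies, e.g. 'experimental solidity', 'solidity ^0.8.24'."""
    return [b" ".join(m.group(1).split()).decode("latin-1")
            for m in _PRAGMA_RE.finditer(strip_comments(src))]


def has_experimental_solidity(src: bytes) -> bool:
    return "experimental solidity" in pragmas(src)


def non_printable_bytes(src: bytes) -> list[tuple[int, int]]:
    """(offset, value) of every byte a terminal would not render as text (tab/CR/LF allowed)."""
    return [(i, b) for i, b in enumerate(src) if b not in (9, 10, 13) and (b < 32 or b == 127)]


def triage(src: bytes) -> dict:
    """Classify a crash input: in scope only if it runs without the experimental pragma."""
    experimental = has_experimental_solidity(src)
    return {
        "pragmas": pragmas(src),
        "hidden_bytes": non_printable_bytes(src),
        "in_scope": not experimental,
        "verdict": ("out of scope: input enables pragma experimental solidity"
                    if experimental else "in scope: crash reached without the experimental pragma"),
    }


if __name__ == "__main__":
    for name, sample in [("with_pragma", SAMPLE_WITH_PRAGMA), ("commented", SAMPLE_COMMENTED),
                         ("hidden_bytes", SAMPLE_HIDDEN_BYTES)]:
        print(name, triage(sample))
```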
Description
When fuzzing the 0.8.24 release of solc with AFL++, I encountered a NULL-pointer dereference in solidity::frontend::experimental::Analysis::annotationContainer
The segfault appears to be triggered at: https://github.com/ethereum/solidity/blob/e11b9ed9f2c254bc894d844c0a64a0eb76bbb4fd/libsolidity/experimental/analysis/Analysis.cpp#L139
Environment
Steps to Reproduce
CMake flags
-DBoost_USE_STATIC_LIBS=OFF
PoC
Full backtrace