nyx-space / hifitime

A high fidelity time management library in Rust
Mozilla Public License 2.0

Bug Report: Identified issues with arithmetic overflow, unreachable code, unwrap errors, and array out-of-bounds and so on #244

Open xizheyin opened 1 year ago

xizheyin commented 1 year ago

Description

Hi! I am using my fuzz testing tool to test this library, and so far I have found 15 different bugs. Among them, there are 5 array out-of-bounds errors, 3 string encoding errors, 1 unwrap error, 1 unreachable code bug, and 5 arithmetic overflow bugs. Below is the list of errors. Please review them and check if any modifications are needed. The replay files are all stored in this repository: https://github.com/XizheYin-NJU/replay_files_hifitime

Bug List:

1. Array out-of-bounds error

error message:

thread 'main' panicked at 'begin <= end (21 <= 20) when slicing `94-11-05T08:15:34.0-:0`', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/epoch.rs:993:43

source code: image

2. Array out-of-bounds error

error message:

thread 'main' panicked at 'index out of bounds: the len is 16 but the index is 16', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/efmt/format.rs:400:25

source code: image

3. Array out-of-bounds error

error message:

thread 'main' panicked at 'index out of bounds: the len is 16 but the index is 16', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/efmt/format.rs:488:25

source code: image

4. Array out-of-bounds error

error message:

thread 'main' panicked at 'index out of bounds: the len is 16 but the index is 16', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/efmt/format.rs:424:25

source code: image

5. String encoding error

error message:

thread 'main' panicked at 'byte index 5 is not a char boundary; it is inside '밀' (bytes 4..7) of `%%%1밀%j0%`', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/efmt/format.rs:296:25

source code: image

6. String encoding error

error message:

thread 'main' panicked at 'byte index 16 is not a char boundary; it is inside '밀' (bytes 14..17) of `411-0j0%%Y
밀%B`', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/efmt/format.rs:228:3

source code: image

7. String encoding error

error message:

thread 'main' panicked at 'byte index 1 is not a char boundary; it is inside 'Ͽ' (bytes 0..2) of `ϿTTT`', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/efmt/format.rs:186:50

source code: image

8. Unwrap error

error message:

thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/efmt/format.rs:157:53

source code: image

9. Unreachable code bug

error message:

thread 'main' panicked at 'not yet implemented', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/efmt/format.rs:246:25

source code: image

10. Arithmetic overflow bug

error message:

thread 'main' panicked at 'attempt to negate with overflow', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/duration.rs:1247:38

source code: image

11. Arithmetic overflow bug

error message:

thread 'main' panicked at 'attempt to subtract with overflow', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/epoch.rs:684:32

source code: image

12. Arithmetic overflow bug

error message:

thread 'main' panicked at 'attempt to multiply with overflow', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/epoch.rs:685:59

source code: image

13. Arithmetic overflow bug

error message:

thread 'main' panicked at 'attempt to subtract with overflow', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/efmt/format.rs:267:66

source code: image

14. Arithmetic overflow bug

error message:

thread 'main' panicked at 'attempt to calculate the remainder with a divisor of zero', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/duration.rs:511:40

source code: image

15. Array out-of-bounds error

error message:

thread 'main' panicked at 'begin <= end (3 <= 2) when slicing `291@Jb0JJJJJ`', /home/yxz/.cargo/registry/src/mirrors.ustc.edu.cn-61ef6e0cd06fb9b8/hifitime-3.8.2/src/efmt/format.rs:228:32

source code: image
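One way to close off the panic classes listed above (byte-offset slicing that lands inside a multi-byte character or on a reversed range, indexing one past the end of a format string, and unchecked division and remainder), as an added Rust example that is not hifitime's own code. `slice_checked`, `specifiers` and `div_rem_checked` are hypothetical stand-ins for the library's parser and arithmetic, chosen so that the fuzz strings quoted in the report return an `Err` instead of panicking:

```rust
// Added example, not hifitime's code: checked stand-ins for the byte-offset
// slicing and unchecked integer arithmetic behind the panics listed above.
// The fuzz strings quoted in the report are the inputs these must survive.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// `begin > end`, `end` past the string, or a bound inside a multi-byte char
    BadSlice { begin: usize, end: usize },
    /// a trailing `%` with no specifier (the "len is 16 but index is 16" case)
    DanglingPercent(usize),
    Overflow,
    DivisorZero,
}

/// `str::get` returns None for reversed ranges and for offsets that are not
/// UTF-8 char boundaries, so it replaces `&s[begin..end]` without either panic.
pub fn slice_checked(s: &str, begin: usize, end: usize) -> Result<&str, ParseError> {
    s.get(begin..end).ok_or(ParseError::BadSlice { begin, end })
}

/// Collect the specifier following each `%` (`%%` is a literal percent).
/// Walking `char_indices` instead of indexing bytes keeps a 3-byte char such
/// as '밀' intact and never reads one past the end of the format string.
pub fn specifiers(fmt: &str) -> Result<Vec<char>, ParseError> {
    let mut out = Vec::new();
    let mut it = fmt.char_indices();
    while let Some((pos, c)) = it.next() {
        if c != '%' {
            continue;
        }
        match it.next() {
            Some((_, '%')) => {} // escaped percent, not a specifier
            Some((_, spec)) => out.push(spec),
            None => return Err(ParseError::DanglingPercent(pos)),
        }
    }
    Ok(out)
}

/// Quotient and remainder; rejects a zero divisor and the one overflowing
/// case (`i64::MIN / -1`) instead of panicking as `/` and `%` do.
pub fn div_rem_checked(a: i64, m: i64) -> Result<(i64, i64), ParseError> {
    if m == 0 {
        return Err(ParseError::DivisorZero);
    }
    match (a.checked_div(m), a.checked_rem(m)) {
        (Some(q), Some(r)) => Ok((q, r)),
        _ => Err(ParseError::Overflow),
    }
}
```

The newline inside the `411-0j0%%Y` / `밀%B` input is an assumption read off the line break in the reported panic message.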

ChristopherRabotin commented 1 year ago

Superb, thanks for the exhaustive report.

For the arithmetic overflows, would you happen to have the values that caused the issue? You have those values for the parser / formatter bugs, and that helps a lot.

Thanks


xizheyin commented 1 year ago

Thank you for taking the time to review these issues! All the replay files and their corresponding inputs are in this repository, including arithmetic overflow. If you want to reproduce the exact values that caused crashes during execution, perhaps you can run the replay files while monitoring them?

ChristopherRabotin commented 1 year ago

Thanks, I hadn't seen the link to the replay files, but now I see them. This will help in fixing the bugs for sure, thank you.

What fuzz tool did you use? It might be useful for me to add it to the CI.

xizheyin commented 1 year ago

Thank you for your recognition. I am a Ph.D. student at SATE Laboratory, Nanjing University. We are currently working on a fuzzing tool for Rust library APIs under the guidance of our advisor. This tool aims to automate the testing of Rust library APIs more effectively. Once we complete it, we will open-source the tool and welcome your suggestions and contributions at that time!

gwbres commented 7 months ago

@xizheyin,

This might be a little off topic, but I'm also very interested in your stresser tool. Did you guys get a chance to make progress on this? I'd be interested in using it in my own tools.

xizheyin commented 7 months ago

@gwbres Thank you for your approval. The current version is a bit user-unfriendly; we will refactor the tool to make it more usable in the future.

gwbres commented 7 months ago

👍 Do you have a link to this work? Is that the "llvm cov" project you contribute to, or another repo?

xizheyin commented 7 months ago

That's not it. My work hasn't been published yet, so the repo hasn't been made public yet, and with any luck it will be in a few months.

gwbres commented 7 months ago

No worries, I'll try to keep an eye on it.

ChristopherRabotin commented 2 months ago

@cardigan1008, thank you for your contribution in #324! Does the PR fix all of the bugs you reported here, or is there more work needed? If your PR fixes all of these bugs, I can close this issue.

Thanks

cardigan1008 commented 2 months ago

For this issue, we are halfway there with 8 out of 15 bugs fixed (panic 1-4, 8, 11-12, 14). Regarding #246, the panics are almost all resolved, with 13 out of 15 fixed (panic 16-28). I'll continue working on it and hopefully we can close these two issues soon!

ChristopherRabotin commented 3 weeks ago

Let's move the rest of this ticket to version 4.1.