
member call on null pointer of type 'Diags' #10174

@0x34d

Description


PR: #10151

Flags:

export CC=clang
export CXX=clang++
export CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr -fsanitize=fuzzer-no-link"
export CXXFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr -fsanitize=fuzzer-no-link"
export LIB_FUZZING_ENGINE=-fsanitize=fuzzer

Compile

mkdir -p build && cd build/
cmake -DENABLE_POSIX_CAP=OFF -DENABLE_FUZZING=ON -DYAML_BUILD_SHARED_LIBS=OFF ../.
make -j$(nproc)

Reproduce bug

fuzz_http.cc

#include <cstddef>
#include <cstdint>

#include "HTTP.h"
#include "HttpCompat.h"
#include "tscore/Diags.h"

#define kMinInputLength 10
#define kMaxInputLength 1024

extern "C" int
LLVMFuzzerTestOneInput(const uint8_t *input_data, size_t size_data)
{
  if (size_data < kMinInputLength || size_data > kMaxInputLength) {
    return 0;
  }

  // Install a Diags instance before exercising the HTTP code so that
  // Debug() has a sink to write to.
  DiagsPtr::set(new Diags("fuzzing", "", "", nullptr));

  http_init(); // This call triggers the bug

  // Tear down the per-iteration Diags instance
  delete diags();

  return 0;
}

Calling http_init() or any other function triggers the bug.

Root Cause:

Any call to the Debug symbol causes this error.

  Debug(DEBUG_TAG "_init", "<%s> Alignment request/actual (%" PRIu32 "/%" PRIu32 ")", name, alignment, f->alignment);
  Debug(DEBUG_TAG "_init", "<%s> Type Size request/actual (%" PRIu32 "/%" PRIu32 ")", name, type_size, f->type_size);

NOTE:

  • I did try some hacks but they are not working.
  • This is only happening with fuzz_http.cc and fuzz_hpack.cc; fuzz_proxy_protocol.cc and fuzz_rec_http.cc are working fine.

error:

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/0x34d/project/trafficserver.upload/lib/swoc/include/swoc/ext/HashFNV.h:181:53 in 
/home/0x34d/project/trafficserver.upload/src/tscore/ink_queue.cc:165:3: runtime error: member call on null pointer of type 'Diags'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/0x34d/project/trafficserver.upload/src/tscore/ink_queue.cc:165:3 in 
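As an added illustration (not Traffic Server code), a minimal C++ model of the failure reported above and the check that avoids it: a process-wide diagnostics pointer reached through a diags()-style accessor, a Debug-style macro that dereferences it unguarded (the "member call on null pointer" UBSan reports when the pointer is still null), and a guarded form that counts and drops the message instead. FakeDiags, set_diags, attach_sink, DEBUG_GUARDED and log_guarded are hypothetical names chosen for this example.

```cpp
// Added example, not Traffic Server code: a stand-in for a global Diags
// object reached through a DiagsPtr-like pointer.
#include <cstdio>

struct FakeDiags {                        // hypothetical stand-in for 'Diags'
  int emitted = 0;
  void print(const char *tag, const char *msg) {
    ++emitted;
    std::printf("[%s] %s\n", tag, msg);
  }
};

static FakeDiags *g_diags = nullptr;      // like DiagsPtr: null until set
static FakeDiags *diags() { return g_diags; }
static void set_diags(FakeDiags *d) { g_diags = d; }

// Unguarded form: calls a member function through whatever diags() returns.
// With g_diags still null this is the undefined behaviour UBSan flags as
// "member call on null pointer of type 'Diags'".
#define DEBUG_UNGUARDED(tag, msg) diags()->print((tag), (msg))

// Guarded form: a null diags() means "no sink installed yet"; record the
// dropped message and carry on instead of dereferencing null.
static int g_dropped = 0;
#define DEBUG_GUARDED(tag, msg)                             \
  do {                                                      \
    if (FakeDiags *d_ = diags()) d_->print((tag), (msg));   \
    else ++g_dropped;                                       \
  } while (0)

// Emits one message through the guarded macro and returns the running count
// of dropped messages; safe to call before and after set_diags().
int log_guarded(const char *msg) {
  DEBUG_GUARDED("fuzz_init", msg);
  return g_dropped;
}

static FakeDiags g_sink;                  // constructed sink for the demo
void attach_sink() { set_diags(&g_sink); }
int emitted_count() { return g_diags ? g_diags->emitted : 0; }

int main() {
  log_guarded("before any Diags is installed");   // dropped, no crash
  attach_sink();
  log_guarded("after Diags is installed");        // printed
  std::printf("dropped=%d emitted=%d\n", g_dropped, emitted_count());
  return 0;
}
```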
