segfault when compiled with depends DEBUG=1 and libc++ #24290

Closed
maflcko opened this issue Feb 8, 2022 · 4 comments

Comments

@maflcko
Member

maflcko commented Feb 8, 2022

See also https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44466 and #20744 (comment)

Steps to reproduce on a fresh install of Ubuntu Focal:

export DEBIAN_FRONTEND=noninteractive && apt update && apt install curl wget htop git vim ccache -y && git clone https://github.com/bitcoin/bitcoin.git bitcoin-core && cd bitcoin-core && apt install build-essential libtool autotools-dev automake pkg-config bsdmainutils python3-zmq make automake cmake curl clang llvm libc++-dev libc++abi-dev g++-multilib libtool binutils-gold bsdmainutils pkg-config python3 patch bison -y  && ( cd depends && make DEBUG=1  NO_QT=1 NO_WALLET=1 NO_ZMQ=1 NO_UPNP=1 NO_NATPMP=1 -j $(nproc)  ) && ./autogen.sh && CONFIG_SITE="$PWD/depends/x86_64-pc-linux-gnu/share/config.site" ./configure CC='clang ' CXX='clang++ -stdlib=libc++' --enable-fuzz --with-sanitizers=fuzzer && make  -j $(nproc)
$ FUZZ=tx_pool ./src/test/fuzz/fuzz 
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==52419==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f5d814ccb47 bp 0x7fff699e4ef0 sp 0x7fff699e4ea0 T52419)
==52419==The signal is caused by a READ memory access.
==52419==Hint: address points to the zero page.
    #0 0x7f5d814ccb47 in std::__1::__libcpp_db::swap(void*, void*) (/lib/x86_64-linux-gnu/libc++.so.1+0x43b47)
    #1 0x564aea7e1377 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (/bitcoin-core/src/test/fuzz/fuzz+0x577377)
    #2 0x564aea80cf94 in std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (/bitcoin-core/src/test/fuzz/fuzz+0x5a2f94)
    #3 0x564aea80bd04 in fs::path::path(std::__1::__fs::filesystem::path) (/bitcoin-core/src/test/fuzz/fuzz+0x5a1d04)
    #4 0x564aeb1f46ad in fs::absolute(fs::path const&) (/bitcoin-core/src/test/fuzz/fuzz+0xf8a6ad)
    #5 0x564aeb1f4c8b in ArgsManager::GetDataDir(bool) const (/bitcoin-core/src/test/fuzz/fuzz+0xf8ac8b)
    #6 0x564aea80bbfa in ArgsManager::GetDataDirNet() const (/bitcoin-core/src/test/fuzz/fuzz+0x5a1bfa)
    #7 0x564aeb1fa2bb in AbsPathForConfigVal(fs::path const&, bool) (/bitcoin-core/src/test/fuzz/fuzz+0xf902bb)
    #8 0x564aeb0d5074 in init::SetLoggingOptions(ArgsManager const&) (/bitcoin-core/src/test/fuzz/fuzz+0xe6b074)
    #9 0x564aeaaddd15 in InitLogging(ArgsManager const&) (/bitcoin-core/src/test/fuzz/fuzz+0x873d15)
    #10 0x564aeaa06412 in BasicTestingSetup::BasicTestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x79c412)
    #11 0x564aeaa073e2 in ChainTestingSetup::ChainTestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x79d3e2)
    #12 0x564aeaa0877f in TestingSetup::TestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x79e77f)
    #13 0x564aea85508d in std::__1::__unique_if<TestingSetup const>::__unique_single std::__1::make_unique<TestingSetup const, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x5eb08d)
    #14 0x564aea852a22 in std::__1::unique_ptr<TestingSetup const, std::__1::default_delete<TestingSetup const> > MakeNoLogFileContext<TestingSetup const>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x5e8a22)
    #15 0x564aea9c5817 in (anonymous namespace)::initialize_tx_pool() (/bitcoin-core/src/test/fuzz/fuzz+0x75b817)
    #16 0x564aea7c8d20 in decltype(std::__1::forward<void (*&)()>(fp)()) std::__1::__invoke<void (*&)()>(void (*&)()) (/bitcoin-core/src/test/fuzz/fuzz+0x55ed20)
    #17 0x564aea7c8c6d in void std::__1::__invoke_void_return_wrapper<void>::__call<void (*&)()>(void (*&)()) (/bitcoin-core/src/test/fuzz/fuzz+0x55ec6d)
    #18 0x564aea7c8c0d in std::__1::__function::__alloc_func<void (*)(), std::__1::allocator<void (*)()>, void ()>::operator()() (/bitcoin-core/src/test/fuzz/fuzz+0x55ec0d)
    #19 0x564aea7c7049 in std::__1::__function::__func<void (*)(), std::__1::allocator<void (*)()>, void ()>::operator()() (/bitcoin-core/src/test/fuzz/fuzz+0x55d049)
    #20 0x564aeaab965c in std::__1::__function::__value_func<void ()>::operator()() const (/bitcoin-core/src/test/fuzz/fuzz+0x84f65c)
    #21 0x564aeaab95e5 in std::__1::function<void ()>::operator()() const (/bitcoin-core/src/test/fuzz/fuzz+0x84f5e5)
    #22 0x564aeb25ac9d in initialize() (/bitcoin-core/src/test/fuzz/fuzz+0xff0c9d)
    #23 0x564aeb25b71f in LLVMFuzzerInitialize (/bitcoin-core/src/test/fuzz/fuzz+0xff171f)
    #24 0x564aea743437 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/bitcoin-core/src/test/fuzz/fuzz+0x4d9437)
    #25 0x564aea76df22 in main (/bitcoin-core/src/test/fuzz/fuzz+0x503f22)
    #26 0x7f5d810e60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #27 0x564aea719e7d in _start (/bitcoin-core/src/test/fuzz/fuzz+0x4afe7d)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/lib/x86_64-linux-gnu/libc++.so.1+0x43b47) in std::__1::__libcpp_db::swap(void*, void*)
==52419==ABORTING
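Both traces in this issue fault inside libc++'s own debug database (`std::__1::__libcpp_db::swap`), which is only compiled in when `_LIBCPP_DEBUG` is defined, and they do so while move-constructing the `std::string` that backs a filesystem path (frames #1 and #2). The following stand-alone program is an added example, not Bitcoin Core code: it performs nothing but those same moves, so it separates "bug in the project" from "bug in the toolchain". The assumption here is that the depends `DEBUG=1` build defines `_LIBCPP_DEBUG=1` for the whole tree; compile this file the same way (`clang++ -std=c++17 -stdlib=libc++ -D_LIBCPP_DEBUG=1 -g repro.cpp -o repro && valgrind ./repro`) and, if it crashes in `__libcpp_db::swap` as well, the installed `libc++.so` was built without debug-mode support and the issue is upstream of the project.

```cpp
// Minimal reproducer for the libc++ debug-mode crash seen in this issue.
// Added example; not part of Bitcoin Core. Assumption: depends DEBUG=1
// defines _LIBCPP_DEBUG=1, so build this file with
//   clang++ -std=c++17 -stdlib=libc++ -D_LIBCPP_DEBUG=1 -g repro.cpp -o repro
//   valgrind ./repro
// A fault in std::__1::__libcpp_db::swap here points at the toolchain; a
// clean run means the project itself needs a closer look.
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

#if __cplusplus >= 201703L
#include <filesystem>
#define REPRO_HAVE_FS 1
#else
#define REPRO_HAVE_FS 0
#endif

// Mirrors frame #1 of the trace: the std::string move constructor.
// The source is copied first so the caller keeps its own value.
std::string move_string(const std::string& src)
{
    std::string tmp = src;
    std::string moved(std::move(tmp)); // the move that faults in the trace
    return moved;
}

// Mirrors frame #2: the std::filesystem::path move constructor, which moves
// the underlying string. Falls back to the plain string move on pre-C++17
// toolchains so the file still builds everywhere.
std::string move_path(const std::string& src)
{
#if REPRO_HAVE_FS
    std::filesystem::path p = src;
    std::filesystem::path moved(std::move(p));
    return moved.string();
#else
    return move_string(src);
#endif
}

// Debug mode also tracks container iterators, so a vector move is exercised
// too. Returns the element count after the move (n if the move is sound).
std::size_t move_vector(std::size_t n)
{
    std::vector<std::string> v(n, "datadir");
    std::vector<std::string> moved(std::move(v));
    return moved.size();
}

int main()
{
    // Constructed input: long enough to live on the heap rather than in the
    // small-string buffer, like the -datadir value used in this issue.
    const std::string datadir = "/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    std::cout << move_string(datadir) << '\n'
              << move_path(datadir) << '\n'
              << move_vector(3) << '\n';
    return 0;
}
```

On a healthy toolchain the program prints the path twice and then `3`; the point of the exercise is not the output but whether the three moves survive under the same `-D_LIBCPP_DEBUG=1 -stdlib=libc++` flags that produced the crash above.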
@maflcko maflcko changed the title fuzz tests immediately crash when compiled with depends DEBUG=1 and libc++ tests immediately crash when compiled with depends DEBUG=1 and libc++ Feb 9, 2022
@maflcko
Member Author

maflcko commented Feb 9, 2022

I suspected these were the steps to reproduce the bug in the unit tests on a fresh install of Ubuntu Focal; however, I couldn't.

export DEBIAN_FRONTEND=noninteractive && apt update && apt install curl wget htop git vim ccache -y && git clone https://github.com/bitcoin/bitcoin.git ./bitcoin-core && cd bitcoin-core && apt install libc++abi-dev libc++-dev clang llvm build-essential libtool autotools-dev automake pkg-config bsdmainutils python3-zmq      make automake cmake curl g++-multilib libtool binutils-gold bsdmainutils pkg-config python3 patch bison        -y  && ( cd depends && make CC=clang CXX="clang++ -stdlib=libc++" DEBUG=1 NO_QT=1 NO_WALLET=1 NO_ZMQ=1 NO_UPNP=1 NO_NATPMP=1 -j $(nproc) ) &&  ./autogen.sh && CONFIG_SITE="$PWD/depends/x86_64-pc-linux-gnu/share/config.site" ./configure CC=clang CXX="clang++ -stdlib=libc++" && make -j $(nproc)

@maflcko
Member Author

maflcko commented Feb 9, 2022

Oh, nvm. I could reproduce in the unit tests. It just needs valgrind:

valgrind ./src/test/test_bitcoin 
==102942== Memcheck, a memory error detector
==102942== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==102942== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==102942== Command: ./src/test/test_bitcoin
==102942== 
Running 449 test cases...
==102942== Invalid read of size 8
==102942==    at 0x48B6B47: std::__1::__libcpp_db::swap(void*, void*) (in /usr/lib/llvm-10/lib/libc++.so.1.0)
==102942==    by 0x1D5CF7: std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (in /bitcoin-core/src/test/test_bitcoin)
==102942==    by 0x20702C: std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (in /bitcoin-core/src/test/test_bitcoin)
==102942==    by 0x20651C: fs::path::path(std::__1::__fs::filesystem::path) (in /bitcoin-core/src/test/test_bitcoin)
==102942==    by 0xC5247F: fs::absolute(fs::path const&) (in /bitcoin-core/src/test/test_bitcoin)
==102942==    by 0xC5270A: ArgsManager::GetDataDir(bool) const (in /bitcoin-core/src/test/test_bitcoin)
==102942==    by 0x36341B: ArgsManager::GetDataDirNet() const (in /bitcoin-core/src/test/test_bitcoin)
==102942==    by 0xC558AB: AbsPathForConfigVal(fs::path const&, bool) (in /bitcoin-core/src/test/test_bitcoin)
==102942==    by 0xB8B1A6: init::SetLoggingOptions(ArgsManager const&) (in /bitcoin-core/src/test/test_bitcoin)
==102942==    by 0x7449B6: InitLogging(ArgsManager const&) (in /bitcoin-core/src/test/test_bitcoin)
==102942==    by 0x6B8958: BasicTestingSetup::BasicTestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (in /bitcoin-core/src/test/test_bitcoin)
==102942==    by 0x1C1ABA: addrman_tests::addrman_simple::addrman_simple() (in /bitcoin-core/src/test/test_bitcoin)
==102942==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==102942== 
==102942== Warning: client switching stacks?  SP change: 0x5540ad8 --> 0x1ffeffb760
==102942==          to suppress, use: --max-stackframe=137332763784 or greater

@maflcko maflcko added Upstream and removed Tests labels Feb 9, 2022
@maflcko maflcko changed the title tests immediately crash when compiled with depends DEBUG=1 and libc++ segfault when compiled with depends DEBUG=1 and libc++ Feb 9, 2022
@maflcko
Member Author

maflcko commented Feb 9, 2022

bitcoind is also affected:

# valgrind ./src/bitcoind -datadir=/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
==107287== Memcheck, a memory error detector
==107287== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==107287== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==107287== Command: ./src/bitcoind -datadir=/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
==107287== 
==107287== Invalid read of size 8
==107287==    at 0x48B6B47: std::__1::__libcpp_db::swap(void*, void*) (in /usr/lib/llvm-10/lib/libc++.so.1.0)
==107287==    by 0x15B0A7: std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (in /bitcoin-core/src/bitcoind)
==107287==    by 0x1AE5DC: std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (in /bitcoin-core/src/bitcoind)
==107287==    by 0x180D9C: fs::path::path(std::__1::__fs::filesystem::path) (in /bitcoin-core/src/bitcoind)
==107287==    by 0x7DA58F: fs::absolute(fs::path const&) (in /bitcoin-core/src/bitcoind)
==107287==    by 0x7DD885: CheckDataDirOption() (in /bitcoin-core/src/bitcoind)
==107287==    by 0x156201: AppInit(node::NodeContext&, int, char**) (in /bitcoin-core/src/bitcoind)
==107287==    by 0x155E7B: main (in /bitcoin-core/src/bitcoind)
==107287==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==107287== 
==107287== 
==107287== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==107287==  Access not within mapped region at address 0x8
==107287==    at 0x48B6B47: std::__1::__libcpp_db::swap(void*, void*) (in /usr/lib/llvm-10/lib/libc++.so.1.0)
==107287==    by 0x15B0A7: std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (in /bitcoin-core/src/bitcoind)
==107287==    by 0x1AE5DC: std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (in /bitcoin-core/src/bitcoind)
==107287==    by 0x180D9C: fs::path::path(std::__1::__fs::filesystem::path) (in /bitcoin-core/src/bitcoind)
==107287==    by 0x7DA58F: fs::absolute(fs::path const&) (in /bitcoin-core/src/bitcoind)
==107287==    by 0x7DD885: CheckDataDirOption() (in /bitcoin-core/src/bitcoind)
==107287==    by 0x156201: AppInit(node::NodeContext&, int, char**) (in /bitcoin-core/src/bitcoind)
==107287==    by 0x155E7B: main (in /bitcoin-core/src/bitcoind)
==107287==  If you believe this happened as a result of a stack
==107287==  overflow in your program's main thread (unlikely but
==107287==  possible), you can try to increase the size of the
==107287==  main thread stack using the --main-stacksize= flag.
==107287==  The main thread stack size used in this run was 8388608.
==107287== 
==107287== HEAP SUMMARY:
==107287==     in use at exit: 159,334 bytes in 2,276 blocks
==107287==   total heap usage: 8,251 allocs, 5,975 frees, 503,749 bytes allocated
==107287== 
==107287== LEAK SUMMARY:
==107287==    definitely lost: 0 bytes in 0 blocks
==107287==    indirectly lost: 0 bytes in 0 blocks
==107287==      possibly lost: 0 bytes in 0 blocks
==107287==    still reachable: 159,334 bytes in 2,276 blocks
==107287==         suppressed: 0 bytes in 0 blocks
==107287== Rerun with --leak-check=full to see details of leaked memory
==107287== 
==107287== For lists of detected and suppressed errors, rerun with: -s
==107287== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

@maflcko
Member Author

maflcko commented Feb 16, 2022

Closing for now as upstream bug. Feel free to continue discussion.

@maflcko maflcko closed this as completed Feb 16, 2022
@bitcoin bitcoin locked and limited conversation to collaborators Feb 16, 2023