From 1e2d3166c959d8bdc28eeed2338ae4dbfd1d8579 Mon Sep 17 00:00:00 2001
From: firewave
Date: Wed, 14 Feb 2024 09:39:35 +0100
Subject: [PATCH 1/6] added `fuzz_test.py`

---
test/cli/fuzz_test.py | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 test/cli/fuzz_test.py

diff --git a/test/cli/fuzz_test.py b/test/cli/fuzz_test.py
new file mode 100644
index 00000000000..91f1dc84a9f
--- /dev/null
+++ b/test/cli/fuzz_test.py
@@ -0,0 +1,16 @@
+import os
+from testutils import cppcheck
+
+__script_dir = os.path.dirname(os.path.abspath(__file__))
+
+
+def test_fuzz_crash():
+ failures = {}
+
+ fuzz_crash_dir = os.path.join(__script_dir, 'fuzz-crash')
+ for f in os.listdir(fuzz_crash_dir):
+ ret, stdout, _ = cppcheck(['-q', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)
+ if ret != 0:
+ failures[f] = stdout
+
+ assert failures == {}
From 43310166eda2bd43439543ca9c884136df3b2ab1 Mon Sep 17 00:00:00 2001
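Review bot: `failures[f] = stdout` keeps only stdout while stderr is discarded as `_`, so when one of the crash inputs does fail the `assert failures == {}` message will most likely show an empty string — cppcheck runs with `-q`, and its diagnostics (and presumably any internal-error or sanitizer output) go to stderr. Capture both sides and the exit code: `ret, stdout, stderr = cppcheck(['-q', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)` and `failures[f] = (ret, stdout, stderr)`. `os.listdir` also returns any stray entry in `fuzz-crash` (editor backups, subdirectories), so a guard such as `if not os.path.isfile(os.path.join(fuzz_crash_dir, f)): continue` would keep the suite limited to the recorded crash inputs. A docstring stating that every file in `fuzz-crash` is a fuzzer-found input that must be analyzed to completion with exit code 0 would document the intent of the test.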
From: firewave Date: Wed, 14 Feb 2024 09:41:22 +0100 Subject: [PATCH 2/6] fixed fuzzing crash AddressSanitizer:DEADLYSIGNAL ================================================================= ==232899==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x55abb8090d86 bp 0x7ffcbc7b97b0 sp 0x7ffcbc7b96a0 T0) ==232899==The signal is caused by a READ memory access. ==232899==Hint: address points to the zero page. #0 0x55abb8090d86 in Token::varId() const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:871:16 #1 0x55abb8090d86 in CheckFunctions::useStandardLibrary() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkfunctions.cpp:769:80 #2 0x55abb80926ed in CheckFunctions::runChecks(Tokenizer const&, ErrorLogger*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkfunctions.h:77:24 #3 0x55abb8355804 in CppCheck::checkNormalTokens(Tokenizer const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:1103:20 #4 0x55abb8369c2d in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:936:17 #5 0x55abb83754f1 in CppCheck::check(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:558:12 #6 0x55abb7d7ed03 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:45:18 #7 0x55abb7c25538 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x573538) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c) #8 0x55abb7c26210 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x574210) (BuildId: 
9b6f489166c86142b87bd650e508e6d1ecb4ca9c) #9 0x55abb7c272a1 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5752a1) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c) #10 0x55abb7c280c7 in fuzzer::Fuzzer::Loop(std::vector>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5760c7) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c) #11 0x55abb7c085b2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5565b2) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c) #12 0x55abb7b8cfa7 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x4dafa7) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c) #13 0x7f5b5e558ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #14 0x7f5b5e558d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #15 0x55abb7bf2354 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x540354) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:871:16 in Token::varId() const ==232899==ABORTING --- lib/checkfunctions.cpp | 2 +- ...crash-3ea64296c8518edb538e0047c3eba0792d5deeba | Bin 0 -> 103 bytes 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 test/cli/fuzz-crash/crash-3ea64296c8518edb538e0047c3eba0792d5deeba diff --git a/lib/checkfunctions.cpp b/lib/checkfunctions.cpp index 7ce557bfc92..5aa979b0bcf 100644 --- a/lib/checkfunctions.cpp +++ b/lib/checkfunctions.cpp 
@@ -766,7 +766,7 @@ void CheckFunctions::useStandardLibrary() continue; // 3. we expect idx incrementing by 1 - const bool inc = stepToken->str() == "++" && stepToken->astOperand1()->varId() == idxVarId; + const bool inc = stepToken->str() == "++" && stepToken->astOperand1() && stepToken->astOperand1()->varId() == idxVarId; const bool plusOne = stepToken->isBinaryOp() && stepToken->str() == "+=" && stepToken->astOperand1()->varId() == idxVarId && stepToken->astOperand2()->str() == "1"; diff --git a/test/cli/fuzz-crash/crash-3ea64296c8518edb538e0047c3eba0792d5deeba b/test/cli/fuzz-crash/crash-3ea64296c8518edb538e0047c3eba0792d5deeba new file mode 100644 index 0000000000000000000000000000000000000000..f096de3bf78f2d3cfd6f9fdd8db97552501f0059 GIT binary patch literal 103 zcmc~S%Tvfr%*@l!k{00sXR-T(jq literal 0 HcmV?d00001 From fc146ec56b3fbdc79d4a5aae0958578129bdcc4c Mon Sep 17 00:00:00 2001 
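Review bot: The new `stepToken->astOperand1() &&` guard on `inc` protects only that line; the `plusOne` line directly below still dereferences `astOperand1()` and `astOperand2()`, and its safety rests on `stepToken->isBinaryOp()` being evaluated first in the `&&` chain — which appears to be the case, but it deserves a comment such as `// isBinaryOp() guarantees both AST operands are non-null`. Nothing in the hunk shows that `stepToken` itself is non-null; if that is established earlier in useStandardLibrary (the function starts and ends outside the hunk), a comment at that point would make the contract explicit. The reproducer is only added as a binary fixture under `test/cli/fuzz-crash`, so a unit test in the project's C++ test suite built from the same input would keep the regression visible to developers who do not run the CLI tests.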
From: firewave Date: Wed, 14 Feb 2024 09:45:58 +0100 Subject: [PATCH 3/6] fixed fuzzing crash ==237109==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x559a429ab30d bp 0x7ffdfaee8450 sp 0x7ffdfaee8320 T0) ==237109==The signal is caused by a READ memory access. ==237109==Hint: address points to the zero page. #0 0x559a429ab30d in Token::valueType() const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:332:16 #1 0x559a429ab30d in CheckOther::checkIncompleteStatement() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkother.cpp:1941:79 #2 0x559a42a05e0c in CheckOther::runChecks(Tokenizer const&, ErrorLogger*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkother.h:102:20 #3 0x559a42b9e824 in CppCheck::checkNormalTokens(Tokenizer const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:1103:20 #4 0x559a42bb2c4d in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:936:17 #5 0x559a42bbe511 in CppCheck::check(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:558:12 #6 0x559a425c7d03 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:45:18 #7 0x559a4246e538 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x573538) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a) #8 0x559a4246f210 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x574210) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a) #9 0x559a424702a1 in fuzzer::Fuzzer::MutateAndTestOne() 
(/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5752a1) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a) #10 0x559a424710c7 in fuzzer::Fuzzer::Loop(std::vector>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5760c7) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a) #11 0x559a424515b2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5565b2) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a) #12 0x559a423d5fa7 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x4dafa7) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a) #13 0x7f0546b58ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #14 0x7f0546b58d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #15 0x559a4243b354 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x540354) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:332:16 in Token::valueType() const ==237109==ABORTING --- lib/checkother.cpp | 2 +- ...crash-e4a26f2d7d0a73836bf086f54e48204d8914b95a | Bin 0 -> 159 bytes 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 test/cli/fuzz-crash/crash-e4a26f2d7d0a73836bf086f54e48204d8914b95a diff --git a/lib/checkother.cpp b/lib/checkother.cpp index af2ca4ea432..35e514dc0f2 100644 --- a/lib/checkother.cpp +++ b/lib/checkother.cpp 
@@ -1938,7 +1938,7 @@ void CheckOther::checkIncompleteStatement() continue; if (isVoidStmt(tok)) continue; - if (mTokenizer->isCPP() && tok->str() == "&" && !(tok->astOperand1()->valueType() && tok->astOperand1()->valueType()->isIntegral())) + if (mTokenizer->isCPP() && tok->str() == "&" && !(tok->astOperand1() && tok->astOperand1()->valueType() && tok->astOperand1()->valueType()->isIntegral())) // Possible archive continue; const bool inconclusive = tok->isConstOp(); diff --git a/test/cli/fuzz-crash/crash-e4a26f2d7d0a73836bf086f54e48204d8914b95a b/test/cli/fuzz-crash/crash-e4a26f2d7d0a73836bf086f54e48204d8914b95a new file mode 100644 index 0000000000000000000000000000000000000000..89b9bf0f48b6c7dbef2981c39f35a120410c64ba GIT binary patch literal 159 zcmd1gXJBAp1mcpS%DfVV+{Da0jhy^+O|EJ#1t7=-iX}!H$6AAw00EmqrZre1Ex$-X zBU8av!N6J}Q^7{T*jgbwO-)-{6D$kTni#E}84FfW;usuk9~4r80D=gn6`TpyS(I8* LT2unHrIrf-yLu`4 literal 0 HcmV?d00001 From 795d53842d2c18c39e2e8c61436cbc86ec5b8a2b Mon Sep 17 00:00:00 2001 
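Review bot: The condition now calls `tok->astOperand1()` three times in one expression, which makes the null guard hard to read; binding it once would be clearer: `const Token* op1 = tok->astOperand1();` followed by `if (mTokenizer->isCPP() && tok->str() == "&" && !(op1 && op1->valueType() && op1->valueType()->isIntegral()))`. With a null operand the `!(...)` now evaluates to true, so a lone `&` without a left operand is skipped as a possible archive instead of being reported — that is presumably intended, but a one-line comment stating it would document the choice. The loop in checkIncompleteStatement begins and ends outside the hunk.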
From: firewave Date: Wed, 14 Feb 2024 09:49:32 +0100 Subject: [PATCH 4/6] fixed fuzzing crash AddressSanitizer:DEADLYSIGNAL ================================================================= ==239799==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x559dd20fb7f0 bp 0x7fff65cb9cf0 sp 0x7fff65cb96e0 T0) ==239799==The signal is caused by a READ memory access. ==239799==Hint: address points to the zero page. #0 0x559dd20fb7f0 in Token::exprId() const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:884:13 #1 0x559dd20fb7f0 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:323:21 #2 0x559dd20fb3b5 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:307:9 #3 0x559dd20fb3b5 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:307:9 #4 0x559dd210c712 in fillProgramMemoryFromConditions(ProgramMemory&, Scope const*, Token const*, Settings const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:350:13 #5 0x559dd210c58c in fillProgramMemoryFromConditions(ProgramMemory&, Scope const*, Token const*, Settings const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:341:5 #6 0x559dd20fec3d in fillProgramMemoryFromConditions(ProgramMemory&, Token const*, Settings const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:356:5 #7 0x559dd20fec3d in ProgramMemoryState::addState(Token const*, std::unordered_map, std::allocator>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:471:5 #8 0x559dd2538e25 in ValueFlowAnalyzer::updateState(Token const*) 
/home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:3046:13 #9 0x559dd1fa7380 in valueFlowGenericForward(Token*, Token const*, ValuePtr const&, TokenList const&, ErrorLogger*, Settings const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/forwardanalyzer.cpp:913:22 #10 0x559dd252f52a in valueFlowForward(Token*, Token const*, Token const*, ValueFlow::Value, TokenList const&, ErrorLogger*, Settings const&, SourceLocation) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:2119:12 #11 0x559dd2579491 in valueFlowSymbolic(TokenList const&, SymbolDatabase const&, ErrorLogger*, Settings const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:5513:13 #12 0x559dd2579491 in ValueFlow::setValues(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, TimerResultsIntf*)::$_10::operator()(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, std::set, std::allocator> const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9565:9 #13 0x559dd2579491 in ValueFlowPassAdaptor::run(ValueFlowState const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9500:9 #14 0x559dd24dfda4 in ValueFlowPassRunner::run(ValuePtr const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9428:19 #15 0x559dd24df868 in ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)::operator()(ValuePtr const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9385:20 #16 0x559dd24df868 in bool __gnu_cxx::__ops::_Iter_pred>) const::'lambda'(ValuePtr const&)>::operator() const*>(ValuePtr const*) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/predefined_ops.h:318:16 #17 0x559dd24df868 in ValuePtr const* std::__find_if const*, __gnu_cxx::__ops::_Iter_pred>) const::'lambda'(ValuePtr const&)>>(ValuePtr const*, ValuePtr const*, __gnu_cxx::__ops::_Iter_pred>) 
const::'lambda'(ValuePtr const&)>, std::random_access_iterator_tag) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algobase.h:2080:8 #18 0x559dd24ac9b3 in ValuePtr const* std::__find_if const*, __gnu_cxx::__ops::_Iter_pred>) const::'lambda'(ValuePtr const&)>>(ValuePtr const*, ValuePtr const*, __gnu_cxx::__ops::_Iter_pred>) const::'lambda'(ValuePtr const&)>) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algobase.h:2117:14 #19 0x559dd24ac9b3 in ValuePtr const* std::find_if const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)>(ValuePtr const*, ValuePtr const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algo.h:3923:14 #20 0x559dd24ac9b3 in bool std::none_of const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)>(ValuePtr const*, ValuePtr const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algo.h:477:24 #21 0x559dd24ac9b3 in bool std::any_of const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)>(ValuePtr const*, ValuePtr const*, ValueFlowPassRunner::run_once(std::initializer_list>) const::'lambda'(ValuePtr const&)) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algo.h:496:15 #22 0x559dd24ac9b3 in ValueFlowPassRunner::run_once(std::initializer_list>) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9384:16 #23 0x559dd24ac9b3 in ValueFlow::setValues(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, TimerResultsIntf*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9554:12 #24 0x559dd2392276 in 
Tokenizer::simplifyTokens1(std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenize.cpp:3395:13 #25 0x559dd1ed4304 in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:906:32 #26 0x559dd1ee0521 in CppCheck::check(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:558:12 #27 0x559dd18e9d03 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:45:18 #28 0x559dd1790538 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x573538) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #29 0x559dd1791210 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x574210) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #30 0x559dd17922a1 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5752a1) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #31 0x559dd17930c7 in fuzzer::Fuzzer::Loop(std::vector>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5760c7) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #32 0x559dd17735b2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5565b2) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #33 0x559dd16f7fa7 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x4dafa7) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) #34 0x7feca7a45ccf (/usr/lib/libc.so.6+0x27ccf) 
(BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #35 0x7feca7a45d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #36 0x559dd175d354 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x540354) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:884:13 in Token::exprId() const ==239799==ABORTING --- lib/programmemory.cpp | 2 +- .../crash-9ef938bba7d752386e24f2438c73cec66f6b972b | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 test/cli/fuzz-crash/crash-9ef938bba7d752386e24f2438c73cec66f6b972b diff --git a/lib/programmemory.cpp b/lib/programmemory.cpp index 6b082514f14..b5558233206 100644 --- a/lib/programmemory.cpp +++ b/lib/programmemory.cpp @@ -320,7 +320,7 @@ void programMemoryParseCondition(ProgramMemory& pm, const Token* tok, const Toke else pm.setIntValue(tok, 0, then); } - } else if (tok->exprId() > 0) { + } else if (tok && tok->exprId() > 0) { if (endTok && findExpressionChanged(tok, tok->next(), endTok, settings, true)) return; pm.setIntValue(tok, 0, then); diff --git a/test/cli/fuzz-crash/crash-9ef938bba7d752386e24f2438c73cec66f6b972b b/test/cli/fuzz-crash/crash-9ef938bba7d752386e24f2438c73cec66f6b972b new file mode 100644 index 00000000000..cf4921c19c7 --- /dev/null +++ b/test/cli/fuzz-crash/crash-9ef938bba7d752386e24f2438c73cec66f6b972b @@ -0,0 +1,12 @@ +#include +sho main() +{ + std::veCtor items(2); + stdtryector::iterator iter; + for (iter -= items.begin(); i&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&ter != items.end();) { + if (*iter == 2) { + iter = items.erase//(iter); + } else { + } + } +} From c36e172ac3741c8408dca8a3fa98eabb11352b53 Mon Sep 17 00:00:00 2001 
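Review bot: The `tok &&` guard is added only in this `else if` branch, which implies `tok` can be null on entry to programMemoryParseCondition; the earlier branches of the same chain (outside the hunk) must then be null-safe as well, presumably because they go through `Token::Match`. An early `if (!tok) return;` at the top of the function would state the precondition in one place instead of relying on each branch, and would also cover the recursive calls the stack trace in the commit message shows (frames #1–#3 are the function calling itself). Within the guarded branch the later `tok->next()` and `pm.setIntValue(tok, 0, then)` calls are now safe, so a comment such as `// tok may be null for malformed conditions` would be enough to explain the check. The function body starts and ends outside the hunk.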
From: firewave Date: Wed, 14 Feb 2024 10:17:18 +0100 Subject: [PATCH 5/6] fixed fuzzing crash AddressSanitizer:DEADLYSIGNAL ================================================================= ==247105==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x55dd2f3cde37 bp 0x7ffcb1f26ad0 sp 0x7ffcb1f269a0 T0) ==247105==The signal is caused by a READ memory access. ==247105==Hint: address points to the zero page. #0 0x55dd2f3cde37 in Token::variable() const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:1082:16 #1 0x55dd2f3cde37 in CheckUninitVar::isVariableUsage(Token const*, Library const&, bool, CheckUninitVar::Alloc, int) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:1290:42 #2 0x55dd2f3c9322 in CheckUninitVar::isVariableUsage(Token const*, bool, CheckUninitVar::Alloc, int) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:1343:12 #3 0x55dd2f3c9322 in CheckUninitVar::checkLoopBodyRecursive(Token const*, Variable const&, CheckUninitVar::Alloc, std::__cxx11::basic_string, std::allocator> const&, bool&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:1037:39 #4 0x55dd2f3b5995 in CheckUninitVar::checkLoopBody(Token const*, Variable const&, CheckUninitVar::Alloc, std::__cxx11::basic_string, std::allocator> const&, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:1072:31 #5 0x55dd2f3bbf99 in CheckUninitVar::checkScopeForVariable(Token const*, Variable const&, bool*, bool*, CheckUninitVar::Alloc*, std::__cxx11::basic_string, std::allocator> const&, std::map, std::allocator>>&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:637:35 #6 0x55dd2f3b3850 in CheckUninitVar::checkScope(Scope const*, std::set, std::allocator>, std::less, std::allocator>>, std::allocator, std::allocator>>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:201:17 #7 0x55dd2f3b258a in 
CheckUninitVar::check() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:131:13 #8 0x55dd2f3d9d64 in CheckUninitVar::runChecks(Tokenizer const&, ErrorLogger*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.h:86:24 #9 0x55dd2f485834 in CppCheck::checkNormalTokens(Tokenizer const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:1103:20 #10 0x55dd2f499c5d in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:936:17 #11 0x55dd2f4a5521 in CppCheck::check(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:558:12 #12 0x55dd2eeaed03 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:45:18 #13 0x55dd2ed55538 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x573538) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #14 0x55dd2ed56210 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x574210) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #15 0x55dd2ed572a1 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5752a1) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #16 0x55dd2ed580c7 in fuzzer::Fuzzer::Loop(std::vector>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5760c7) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #17 0x55dd2ed385b2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5565b2) 
(BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #18 0x55dd2ecbcfa7 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x4dafa7) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #19 0x7f09f9558ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #20 0x7f09f9558d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #21 0x55dd2ed22354 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x540354) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:1082:16 in Token::variable() const ==247105==ABORTING --- lib/checkuninitvar.cpp | 2 +- ...crash-7ead2ccf9be8b03b2d9c8c82891f58081390a560 | Bin 0 -> 106 bytes 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 test/cli/fuzz-crash/crash-7ead2ccf9be8b03b2d9c8c82891f58081390a560 diff --git a/lib/checkuninitvar.cpp b/lib/checkuninitvar.cpp index 8458ffe4d5c..e4038adfbf9 100644 --- a/lib/checkuninitvar.cpp +++ b/lib/checkuninitvar.cpp @@ -1287,7 +1287,7 @@ const Token* CheckUninitVar::isVariableUsage(const Token *vartok, const Library& if (Token::Match((derefValue ? derefValue : vartok)->astParent(), "(|=") && astIsRhs(derefValue ? derefValue : vartok)) { const Token *rhstok = derefValue ? derefValue : vartok; const Token *lhstok = rhstok->astParent()->astOperand1(); - const Variable *lhsvar = lhstok->variable(); + const Variable *lhsvar = lhstok ? lhstok->variable() : nullptr; if (lhsvar && lhsvar->isReference() && lhsvar->nameToken() == lhstok) return nullptr; } 
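Review bot: `const Variable *lhsvar = lhstok ? lhstok->variable() : nullptr;` fixes the dereference, but the expression `derefValue ? derefValue : vartok` is still evaluated three times across the surrounding lines even though `rhstok` already holds that value; hoisting the declaration above the `if` lets the condition reuse it: `const Token *rhstok = derefValue ? derefValue : vartok;` then `if (Token::Match(rhstok->astParent(), "(|=") && astIsRhs(rhstok))`. A short comment on why a null `lhstok` (a `(` or `=` parent with no left AST operand) should fall through rather than return would also help, since `if (lhsvar && ...)` now silently treats it as "not a reference binding". isVariableUsage continues well beyond the hunk on both sides.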
diff --git a/test/cli/fuzz-crash/crash-7ead2ccf9be8b03b2d9c8c82891f58081390a560 b/test/cli/fuzz-crash/crash-7ead2ccf9be8b03b2d9c8c82891f58081390a560 new file mode 100644 index 0000000000000000000000000000000000000000..80a938891ac6ecaf058992612cecd407a43a606d GIT binary patch literal 106 zcmW-ZI|_g>6a-V}6l)i;@q<;&NkWPgDo-$i#5CgFUEOZjVWcGNQ8rWSTZ5C75q%#l sX;n&*Gvp&+IZhaXqXpYe7%Ze|>i^>%9lQjfqg?@I&exe38yS1_3u%iPR{#J2 literal 0 HcmV?d00001 From 653b2a0109c4e181d1589606938c4003d401ee49 Mon Sep 17 00:00:00 2001 
From: firewave Date: Wed, 14 Feb 2024 10:20:38 +0100 Subject: [PATCH 6/6] fixed fuzzing crash AddressSanitizer:DEADLYSIGNAL ================================================================= ==247108==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x55e3348f5ccd bp 0x7ffc2c750a70 sp 0x7ffc2c7508a0 T0) ==247108==The signal is caused by a READ memory access. ==247108==Hint: address points to the zero page. #0 0x55e3348f5ccd in compilePrecedence2(Token*&, (anonymous namespace)::AST_state&) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_deque.h #1 0x55e3348f1a17 in compilePrecedence3(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1038:5 #2 0x55e3348f13b5 in compilePointerToElem(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1137:5 #3 0x55e3348f13b5 in compileMulDiv(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1147:5 #4 0x55e3348f1095 in compileAddSub(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1166:5 #5 0x55e3348f1095 in compileShift(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1176:5 #6 0x55e3348f0d15 in compileThreewayComp(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1186:5 #7 0x55e3348f0d15 in compileRelComp(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1196:5 #8 0x55e3348f07b5 in compileEqComp(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1206:5 #9 0x55e3348f07b5 in compileAnd(Token*&, (anonymous namespace)::AST_state&) 
/home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1216:5 #10 0x55e3348efe9a in compileXor(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1235:5 #11 0x55e3348efe9a in compileOr(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1245:5 #12 0x55e3348efe9a in compileLogicAnd(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1255:5 #13 0x55e3348ee8d9 in compileLogicOr(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1274:5 #14 0x55e3348ee8d9 in compileAssignTernary(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1284:5 #15 0x55e3348eb768 in compileComma(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1325:5 #16 0x55e3348eb768 in compileExpression(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1343:9 #17 0x55e3348e0f49 in createAstAtToken(Token*, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1689:9 #18 0x55e3348dd43e in TokenList::createAst() const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1717:15 #19 0x55e334811894 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string, std::allocator> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenize.cpp:3363:14 #20 0x55e334354304 in CppCheck::checkFile(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:906:32 #21 0x55e334360521 in CppCheck::check(std::__cxx11::basic_string, std::allocator> const&, std::__cxx11::basic_string, std::allocator> const&) 
/home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:558:12 #22 0x55e333d69d03 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:45:18 #23 0x55e333c10538 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x573538) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #24 0x55e333c11210 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x574210) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #25 0x55e333c122a1 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5752a1) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #26 0x55e333c130c7 in fuzzer::Fuzzer::Loop(std::vector>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5760c7) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #27 0x55e333bf35b2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5565b2) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #28 0x55e333b77fa7 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x4dafa7) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) #29 0x7fcdfb758ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #30 0x7fcdfb758d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658) #31 0x55e333bdd354 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x540354) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d) AddressSanitizer can not provide additional info. 
SUMMARY: AddressSanitizer: SEGV /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_deque.h in compilePrecedence2(Token*&, (anonymous namespace)::AST_state&) ==247108==ABORTING --- lib/tokenlist.cpp | 2 +- .../crash-26edfe9761d3b681c841dfe80398847dee332f83 | Bin 0 -> 18 bytes 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 test/cli/fuzz-crash/crash-26edfe9761d3b681c841dfe80398847dee332f83 diff --git a/lib/tokenlist.cpp b/lib/tokenlist.cpp index a0706491dac..b6e312625d9 100644 --- a/lib/tokenlist.cpp +++ b/lib/tokenlist.cpp @@ -960,7 +960,7 @@ static void compilePrecedence2(Token *&tok, AST_state& state) Token* const curlyBracket = squareBracket->link()->next(); squareBracket->astOperand1(curlyBracket); state.op.push(squareBracket); - tok = curlyBracket->link()->next(); + tok = curlyBracket->link() ? curlyBracket->link()->next() : nullptr; continue; } } diff --git a/test/cli/fuzz-crash/crash-26edfe9761d3b681c841dfe80398847dee332f83 b/test/cli/fuzz-crash/crash-26edfe9761d3b681c841dfe80398847dee332f83 new file mode 100644 index 0000000000000000000000000000000000000000..37965deed0be75554c596307860cf4987f3c8b3a GIT binary patch literal 18 Zcma#%W-y3lU{J6rF3C*N%izjW001LL1TX*q literal 0 HcmV?d00001
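Review bot: `tok = curlyBracket->link() ? curlyBracket->link()->next() : nullptr;` followed by `continue` hands a null `tok` to the next iteration of the enclosing loop, which begins outside the hunk; the loop condition must therefore tolerate a null `tok`, and a comment such as `// unmatched '{' (malformed input): stop here, the loop condition handles a null tok` would record that assumption. A missing `link()` on `curlyBracket` means an unbalanced brace reached the AST builder, so it may be worth checking whether the tokenizer's brace-balance validation should reject this input before compilePrecedence2 runs, rather than hardening the consumer alone. `curlyBracket->link()` is also evaluated twice; `Token* const closing = curlyBracket->link();` would keep it to a single call. The hunk likewise does not show that `curlyBracket` itself (`squareBracket->link()->next()`) is non-null before `->link()` is called on it — presumably a `Token::Match` above the hunk establishes that, but it is not visible here.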