add test/cli/fuzz_test.py to easily integrate oss-fuzz findings into tests#5985
AddressSanitizer:DEADLYSIGNAL
=================================================================
==232899==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x55abb8090d86 bp 0x7ffcbc7b97b0 sp 0x7ffcbc7b96a0 T0)
==232899==The signal is caused by a READ memory access.
==232899==Hint: address points to the zero page.
    #0 0x55abb8090d86 in Token::varId() const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:871:16
    #1 0x55abb8090d86 in CheckFunctions::useStandardLibrary() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkfunctions.cpp:769:80
    #2 0x55abb80926ed in CheckFunctions::runChecks(Tokenizer const&, ErrorLogger*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkfunctions.h:77:24
    #3 0x55abb8355804 in CppCheck::checkNormalTokens(Tokenizer const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:1103:20
    #4 0x55abb8369c2d in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:936:17
    #5 0x55abb83754f1 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:558:12
    #6 0x55abb7d7ed03 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:45:18
    #7 0x55abb7c25538 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x573538) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c)
    #8 0x55abb7c26210 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x574210) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c)
    #9 0x55abb7c272a1 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5752a1) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c)
    #10 0x55abb7c280c7 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5760c7) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c)
    #11 0x55abb7c085b2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5565b2) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c)
    #12 0x55abb7b8cfa7 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x4dafa7) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c)
    #13 0x7f5b5e558ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #14 0x7f5b5e558d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #15 0x55abb7bf2354 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x540354) (BuildId: 9b6f489166c86142b87bd650e508e6d1ecb4ca9c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:871:16 in Token::varId() const
==232899==ABORTING
==237109==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x559a429ab30d bp 0x7ffdfaee8450 sp 0x7ffdfaee8320 T0)
==237109==The signal is caused by a READ memory access.
==237109==Hint: address points to the zero page.
    #0 0x559a429ab30d in Token::valueType() const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:332:16
    #1 0x559a429ab30d in CheckOther::checkIncompleteStatement() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkother.cpp:1941:79
    #2 0x559a42a05e0c in CheckOther::runChecks(Tokenizer const&, ErrorLogger*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkother.h:102:20
    #3 0x559a42b9e824 in CppCheck::checkNormalTokens(Tokenizer const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:1103:20
    #4 0x559a42bb2c4d in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:936:17
    #5 0x559a42bbe511 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:558:12
    #6 0x559a425c7d03 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:45:18
    #7 0x559a4246e538 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x573538) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a)
    #8 0x559a4246f210 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x574210) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a)
    #9 0x559a424702a1 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5752a1) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a)
    #10 0x559a424710c7 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5760c7) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a)
    #11 0x559a424515b2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5565b2) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a)
    #12 0x559a423d5fa7 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x4dafa7) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a)
    #13 0x7f0546b58ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #14 0x7f0546b58d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #15 0x559a4243b354 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x540354) (BuildId: fb3fc26fe0a2374418e90abefc930d3bf5ef711a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:332:16 in Token::valueType() const
==237109==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==239799==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050 (pc 0x559dd20fb7f0 bp 0x7fff65cb9cf0 sp 0x7fff65cb96e0 T0)
==239799==The signal is caused by a READ memory access.
==239799==Hint: address points to the zero page.
    #0 0x559dd20fb7f0 in Token::exprId() const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:884:13
    #1 0x559dd20fb7f0 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:323:21
    #2 0x559dd20fb3b5 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:307:9
    #3 0x559dd20fb3b5 in programMemoryParseCondition(ProgramMemory&, Token const*, Token const*, Settings const*, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:307:9
    #4 0x559dd210c712 in fillProgramMemoryFromConditions(ProgramMemory&, Scope const*, Token const*, Settings const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:350:13
    #5 0x559dd210c58c in fillProgramMemoryFromConditions(ProgramMemory&, Scope const*, Token const*, Settings const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:341:5
    #6 0x559dd20fec3d in fillProgramMemoryFromConditions(ProgramMemory&, Token const*, Settings const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:356:5
    #7 0x559dd20fec3d in ProgramMemoryState::addState(Token const*, std::unordered_map<ExprIdToken, ValueFlow::Value, ExprIdToken::Hash, std::equal_to<ExprIdToken>, std::allocator<std::pair<ExprIdToken const, ValueFlow::Value>>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/programmemory.cpp:471:5
    #8 0x559dd2538e25 in ValueFlowAnalyzer::updateState(Token const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:3046:13
    #9 0x559dd1fa7380 in valueFlowGenericForward(Token*, Token const*, ValuePtr<Analyzer> const&, TokenList const&, ErrorLogger*, Settings const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/forwardanalyzer.cpp:913:22
    #10 0x559dd252f52a in valueFlowForward(Token*, Token const*, Token const*, ValueFlow::Value, TokenList const&, ErrorLogger*, Settings const&, SourceLocation) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:2119:12
    #11 0x559dd2579491 in valueFlowSymbolic(TokenList const&, SymbolDatabase const&, ErrorLogger*, Settings const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:5513:13
    #12 0x559dd2579491 in ValueFlow::setValues(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, TimerResultsIntf*)::$_10::operator()(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, std::set<Scope const*, std::less<Scope const*>, std::allocator<Scope const*>> const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9565:9
    #13 0x559dd2579491 in ValueFlowPassAdaptor<ValueFlow::setValues(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, TimerResultsIntf*)::$_10>::run(ValueFlowState const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9500:9
    #14 0x559dd24dfda4 in ValueFlowPassRunner::run(ValuePtr<ValueFlowPass> const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9428:19
    #15 0x559dd24df868 in ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)::operator()(ValuePtr<ValueFlowPass> const&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9385:20
    #16 0x559dd24df868 in bool __gnu_cxx::__ops::_Iter_pred<ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)>::operator()<ValuePtr<ValueFlowPass> const*>(ValuePtr<ValueFlowPass> const*) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/predefined_ops.h:318:16
    #17 0x559dd24df868 in ValuePtr<ValueFlowPass> const* std::__find_if<ValuePtr<ValueFlowPass> const*, __gnu_cxx::__ops::_Iter_pred<ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)>>(ValuePtr<ValueFlowPass> const*, ValuePtr<ValueFlowPass> const*, __gnu_cxx::__ops::_Iter_pred<ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)>, std::random_access_iterator_tag) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algobase.h:2080:8
    #18 0x559dd24ac9b3 in ValuePtr<ValueFlowPass> const* std::__find_if<ValuePtr<ValueFlowPass> const*, __gnu_cxx::__ops::_Iter_pred<ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)>>(ValuePtr<ValueFlowPass> const*, ValuePtr<ValueFlowPass> const*, __gnu_cxx::__ops::_Iter_pred<ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)>) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algobase.h:2117:14
    #19 0x559dd24ac9b3 in ValuePtr<ValueFlowPass> const* std::find_if<ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)>(ValuePtr<ValueFlowPass> const*, ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algo.h:3923:14
    #20 0x559dd24ac9b3 in bool std::none_of<ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)>(ValuePtr<ValueFlowPass> const*, ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algo.h:477:24
    #21 0x559dd24ac9b3 in bool std::any_of<ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)>(ValuePtr<ValueFlowPass> const*, ValuePtr<ValueFlowPass> const*, ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const::'lambda'(ValuePtr<ValueFlowPass> const&)) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_algo.h:496:15
    #22 0x559dd24ac9b3 in ValueFlowPassRunner::run_once(std::initializer_list<ValuePtr<ValueFlowPass>>) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9384:16
    #23 0x559dd24ac9b3 in ValueFlow::setValues(TokenList&, SymbolDatabase&, ErrorLogger*, Settings const&, TimerResultsIntf*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/valueflow.cpp:9554:12
    #24 0x559dd2392276 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenize.cpp:3395:13
    #25 0x559dd1ed4304 in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:906:32
    #26 0x559dd1ee0521 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:558:12
    #27 0x559dd18e9d03 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:45:18
    #28 0x559dd1790538 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x573538) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2)
    #29 0x559dd1791210 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x574210) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2)
    #30 0x559dd17922a1 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5752a1) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2)
    #31 0x559dd17930c7 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5760c7) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2)
    #32 0x559dd17735b2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5565b2) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2)
    #33 0x559dd16f7fa7 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x4dafa7) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2)
    #34 0x7feca7a45ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #35 0x7feca7a45d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #36 0x559dd175d354 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x540354) (BuildId: c702153d07ad5f19357ff1899a39d599da20f3e2)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:884:13 in Token::exprId() const
==239799==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==247105==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x55dd2f3cde37 bp 0x7ffcb1f26ad0 sp 0x7ffcb1f269a0 T0)
==247105==The signal is caused by a READ memory access.
==247105==Hint: address points to the zero page.
    #0 0x55dd2f3cde37 in Token::variable() const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:1082:16
    #1 0x55dd2f3cde37 in CheckUninitVar::isVariableUsage(Token const*, Library const&, bool, CheckUninitVar::Alloc, int) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:1290:42
    #2 0x55dd2f3c9322 in CheckUninitVar::isVariableUsage(Token const*, bool, CheckUninitVar::Alloc, int) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:1343:12
    #3 0x55dd2f3c9322 in CheckUninitVar::checkLoopBodyRecursive(Token const*, Variable const&, CheckUninitVar::Alloc, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, bool&) const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:1037:39
    #4 0x55dd2f3b5995 in CheckUninitVar::checkLoopBody(Token const*, Variable const&, CheckUninitVar::Alloc, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:1072:31
    #5 0x55dd2f3bbf99 in CheckUninitVar::checkScopeForVariable(Token const*, Variable const&, bool*, bool*, CheckUninitVar::Alloc*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::map<int, VariableValue, std::less<int>, std::allocator<std::pair<int const, VariableValue>>>&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:637:35
    #6 0x55dd2f3b3850 in CheckUninitVar::checkScope(Scope const*, std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>>>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:201:17
    #7 0x55dd2f3b258a in CheckUninitVar::check() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.cpp:131:13
    #8 0x55dd2f3d9d64 in CheckUninitVar::runChecks(Tokenizer const&, ErrorLogger*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/checkuninitvar.h:86:24
    #9 0x55dd2f485834 in CppCheck::checkNormalTokens(Tokenizer const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:1103:20
    #10 0x55dd2f499c5d in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:936:17
    #11 0x55dd2f4a5521 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:558:12
    #12 0x55dd2eeaed03 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:45:18
    #13 0x55dd2ed55538 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x573538) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #14 0x55dd2ed56210 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x574210) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #15 0x55dd2ed572a1 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5752a1) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #16 0x55dd2ed580c7 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5760c7) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #17 0x55dd2ed385b2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5565b2) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #18 0x55dd2ecbcfa7 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x4dafa7) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #19 0x7f09f9558ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #20 0x7f09f9558d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #21 0x55dd2ed22354 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x540354) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:1082:16 in Token::variable() const
==247105==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==247108==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x55e3348f5ccd bp 0x7ffc2c750a70 sp 0x7ffc2c7508a0 T0)
==247108==The signal is caused by a READ memory access.
==247108==Hint: address points to the zero page.
    #0 0x55e3348f5ccd in compilePrecedence2(Token*&, (anonymous namespace)::AST_state&) /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_deque.h
    #1 0x55e3348f1a17 in compilePrecedence3(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1038:5
    #2 0x55e3348f13b5 in compilePointerToElem(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1137:5
    #3 0x55e3348f13b5 in compileMulDiv(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1147:5
    #4 0x55e3348f1095 in compileAddSub(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1166:5
    #5 0x55e3348f1095 in compileShift(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1176:5
    #6 0x55e3348f0d15 in compileThreewayComp(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1186:5
    #7 0x55e3348f0d15 in compileRelComp(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1196:5
    #8 0x55e3348f07b5 in compileEqComp(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1206:5
    #9 0x55e3348f07b5 in compileAnd(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1216:5
    #10 0x55e3348efe9a in compileXor(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1235:5
    #11 0x55e3348efe9a in compileOr(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1245:5
    #12 0x55e3348efe9a in compileLogicAnd(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1255:5
    #13 0x55e3348ee8d9 in compileLogicOr(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1274:5
    #14 0x55e3348ee8d9 in compileAssignTernary(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1284:5
    #15 0x55e3348eb768 in compileComma(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1325:5
    #16 0x55e3348eb768 in compileExpression(Token*&, (anonymous namespace)::AST_state&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1343:9
    #17 0x55e3348e0f49 in createAstAtToken(Token*, bool) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1689:9
    #18 0x55e3348dd43e in TokenList::createAst() const /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenlist.cpp:1717:15
    #19 0x55e334811894 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/tokenize.cpp:3363:14
    #20 0x55e334354304 in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:906:32
    #21 0x55e334360521 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/cppcheck.cpp:558:12
    #22 0x55e333d69d03 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:45:18
    #23 0x55e333c10538 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x573538) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #24 0x55e333c11210 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x574210) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #25 0x55e333c122a1 in fuzzer::Fuzzer::MutateAndTestOne() (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5752a1) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #26 0x55e333c130c7 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5760c7) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #27 0x55e333bf35b2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5565b2) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #28 0x55e333b77fa7 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x4dafa7) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)
    #29 0x7fcdfb758ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #30 0x7fcdfb758d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #31 0x55e333bdd354 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x540354) (BuildId: a183bbe392f62ddef4ec71808dcbc702acf3775d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/stl_deque.h in compilePrecedence2(Token*&, (anonymous namespace)::AST_state&)
==247108==ABORTING
This is the result of understanding how our fuzzing actually works. It turns out the code we currently generate for the integration is extremely flawed and possibly useless: https://trac.cppcheck.net/ticket/12442. So this is based on running a modified version (will provide the changes later on) of

I know we discussed not sinking too much time into this but let me add some context. This code is obviously not valid and not what we encounter in the wild. And it appears it just tries to throw as much garbage at the code to find issues, but that is not what it is doing. The fuzzing is coverage based, so it uses the given input and generates the coverage information for that. Afterwards it starts creating mutations to increase the coverage and execute all the possible branches. This is the actual goal of the fuzzing - to be able to execute hard to reach branches which might contain issues. It was very unlikely that there are such issues in our code. But we still need to fix these issues to allow the fuzzing to continue. This can obviously be improved upon, which I also touched upon in the aforementioned ticket. It seems these few fixes already offer a good baseline, as it only took a few minutes for those to appear but afterwards it took much, much longer until I hit the next issue. Also the crashes are usually not much of a timesink, as so far they just boiled down to missing pointer checks which are basically no work at all. What is actually interesting are potential timeouts aka hangs in the fuzzing (I encountered such in my latest run - no fix yet). This actually has a major impact, as if someone were to maliciously throw code at systems which utilize Cppcheck it would lead to degraded performance and might even result in DoS and also incur additional costs in case you are being billed for the affected systems. We mitigate this in daca but we do not offer a way to do this within Cppcheck itself (yet - see https://trac.cppcheck.net/ticket/11248).
So it is up to the user or the integration of the tool to make sure it will not run indefinitely.
We could also use this approach for test cases which only check that we do not encounter a crash.

FYI I did not process these crashes with
This adds a Python test which processes input files from a folder and checks that they do not cause any crashes. This will later be extended to include timeouts as well.
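As an added example (not the PR's own fuzz_test.py), a minimal harness of the kind described: it feeds every file in a folder to a binary and classifies each run as ok, crash or timeout, so a hanging input is reported instead of stalling the test run as the comment above warns. The cppcheck command line is an assumption; the self-test substitutes a constructed Python stand-in for the binary so it runs offline.

```python
import os
import signal
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    OK = "ok"            # exited on its own; any exit code (findings are not crashes)
    CRASH = "crash"      # killed by a signal, or a sanitizer report on stderr
    TIMEOUT = "timeout"  # still running after the budget: the hang / DoS case


@dataclass
class Result:
    path: str
    outcome: Outcome
    detail: str


def run_one(cmd, path, timeout_s):
    """Run `cmd + [path]` under a wall-clock budget and classify the outcome."""
    try:
        proc = subprocess.run(cmd + [path], capture_output=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so nothing is left running.
        return Result(path, Outcome.TIMEOUT, f"no result after {timeout_s}s")
    if proc.returncode < 0:
        # Negative return code: the child was terminated by a signal (SIGSEGV, SIGABRT, ...).
        return Result(path, Outcome.CRASH, f"killed by {signal.Signals(-proc.returncode).name}")
    stderr = proc.stderr.decode(errors="replace")
    if "Sanitizer:" in stderr:
        # A sanitizer build prints its report and exits with code 1 by default instead of
        # dying by signal, so the report itself has to count as a crash.
        summary = next((l for l in stderr.splitlines() if l.startswith("SUMMARY:")),
                       "sanitizer report")
        return Result(path, Outcome.CRASH, summary)
    return Result(path, Outcome.OK, f"exit code {proc.returncode}")


def run_directory(cmd, directory, timeout_s=10.0):
    """Run every regular file in `directory`, sorted so the run order is reproducible."""
    results = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results.append(run_one(cmd, path, timeout_s))
    return results


def failures(results):
    """Everything that is not a clean exit: what a test would fail on."""
    return [r for r in results if r.outcome is not Outcome.OK]


# Constructed stand-in for the binary under test: it acts on the first word of its
# input file, so the harness can be exercised without a cppcheck build.
_STAND_IN = (
    "import os, signal, sys, time\n"
    "word = open(sys.argv[1]).read().split()[0]\n"
    "if word == 'hang':\n"
    "    time.sleep(30)\n"
    "elif word == 'segv':\n"
    "    os.kill(os.getpid(), signal.SIGSEGV)\n"
    "elif word == 'asan':\n"
    "    sys.stderr.write('==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000050\\n'\n"
    "                     'SUMMARY: AddressSanitizer: SEGV lib/token.h:871:16 in Token::varId() const\\n')\n"
    "    sys.exit(1)\n"
)


def self_test():
    """Build a folder of constructed inputs, run the stand-in over it, map name -> outcome."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in [("a_ok.c", "int main() {}"), ("b_segv.c", "segv"),
                           ("c_asan.c", "asan"), ("d_hang.c", "hang")]:
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
        results = run_directory([sys.executable, "-c", _STAND_IN], d, timeout_s=2.0)
        return {os.path.basename(r.path): r.outcome for r in results}


if __name__ == "__main__":
    # Assumed real invocation: python fuzz_harness.py /path/to/cppcheck /path/to/crash-inputs
    if len(sys.argv) == 3:
        bad = failures(run_directory([sys.argv[1]], sys.argv[2]))
        for r in bad:
            print(f"{r.outcome.value:8} {r.path}: {r.detail}")
        sys.exit(1 if bad else 0)
    for name, outcome in self_test().items():
        print(f"{outcome.value:8} {name}")
```

With a real cppcheck binary the exit code is ignored on purpose: reported findings are expected on garbage input, and only a signal, a sanitizer report or a hang counts as a failure.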