AddressSanitizer: SEGV on unknown address 0x000000000000

[elManto]

I found an input that results in a null pointer deref. In my current setup, I compiled faust with clang-13 and asan. To reproduce:

./faust -o /tmp/out

where input is the file that I'm attaching here
crash.tar.gz

Here you can find the stack trace along with the asan report:

AddressSanitizer:DEADLYSIGNAL

==2408450==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000119f9ea bp 0x7fffffff6970 sp 0x7fffffff66e0 T0)
==2408450==The signal is caused by a READ memory access.
==2408450==Hint: address points to the zero page.
#0 0x119f9ea in isNum(CTree* const&, num&) /home/elmanto/mnt/output/faust-ddg/compiler/signals/signals.hh:266:18
#1 0x119f9ea in SinPrim::computeSigOutput(std::vector<CTree*, std::allocator<CTree*> > const&) /home/elmanto/mnt/output/faust-ddg/compiler/extended/sinprim.hh:49:13
#2 0x12be141 in simplification(CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/normalize/simplify.cpp:98:24
#3 0x12b95b5 in traced_simplification(CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/normalize/simplify.cpp:59:14
#4 0x12b95b5 in sigMap(CTree*, CTree* ()(CTree), CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/normalize/simplify.cpp:235:19
#5 0x12b8de3 in sigMap(CTree*, CTree* ()(CTree), CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/normalize/simplify.cpp:230:26
#6 0x12b8de3 in sigMap(CTree*, CTree* ()(CTree), CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/normalize/simplify.cpp:230:26
#7 0x12b8de3 in sigMap(CTree*, CTree* ()(CTree), CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/normalize/simplify.cpp:230:26
#8 0x12b8de3 in sigMap(CTree*, CTree* ()(CTree), CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/normalize/simplify.cpp:230:26
#9 0x12b8de3 in sigMap(CTree*, CTree* ()(CTree), CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/normalize/simplify.cpp:230:26
#10 0xff4a71 in InstructionsCompiler::prepare(CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/generator/instructions_compiler.cpp:251:15
#11 0xffd09d in InstructionsCompiler::compileMultiSignal(CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/generator/instructions_compiler.cpp:488:9
#12 0x12757c4 in generateCode(CTree*, int, int, bool) /home/elmanto/mnt/output/faust-ddg/compiler/libcode.cpp:1590:23
#13 0x121a377 in compileFaustFactoryAux(int, char const**, char const*, char const*, bool) /home/elmanto/mnt/output/faust-ddg/compiler/libcode.cpp:2028:5
#14 0x1216183 in compileFaustFactory(int, char const**, char const*, char const*, std::__cxx11::basic_string<char, std::char_traits, std::allocator >&, bool) /home/elmanto/mnt/output/faust-ddg/compiler/libcode.cpp:2048:9
#15 0x128fc8e in main /home/elmanto/mnt/output/faust-ddg/compiler/main.cpp:45:33
#16 0x7ffff7a6b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#17 0x9fb6ad in _start (/home/elmanto/mnt/output/faust-ddg/build/bin/faust+0x9fb6ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/elmanto/mnt/output/faust-ddg/compiler/signals/signals.hh:266:18 in isNum(CTree* const&, num&)

[sletz]

Known problem see #482, @orlarey how complex would it be to fix this one?

[elManto]

BTW, I found another segmentation fault. It seems unreported so I attach it here. Sorry if it was already reported by anyone else before. Same steps as before. I attach the triggering input
crash_2.tar.gz
crash_2.tar.gz

==2437628==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000c98eef bp 0x7ffff43f13b0 sp 0x7ffff43f12a0 T1)
==2437628==The signal is caused by a READ memory access.
==2437628==Hint: address points to the zero page.
#0 0xc98eef in CTree::branch(int) const /home/elmanto/mnt/output/faust-ddg/compiler/tlib/tree.hh:146:46
#1 0xc98eef in searchIdDef(CTree*, CTree*&, CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/environment.cpp:155:22
#2 0x1340518 in apply_pattern_matcher(Automaton*, int, CTree*, CTree*&, std::vector<CTree*, std::allocator<CTree*> >&) /home/elmanto/mnt/output/faust-ddg/compiler/patternmatcher/patternmatcher.cpp:709:21
#3 0xca48ab in applyList(CTree*, CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/eval.cpp:1079:18
#4 0xca63c2 in applyList(CTree*, CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/eval.cpp:1083:20
#5 0xca63c2 in applyList(CTree*, CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/eval.cpp:1083:20
#6 0xcb4be0 in realeval(CTree*, CTree*, CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/eval.cpp:529:16
#7 0xc9c457 in eval(CTree*, CTree*, CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/eval.cpp:294:18
#8 0xcaf19b in realeval(CTree*, CTree*, CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/eval.cpp
#9 0xc9c457 in eval(CTree*, CTree*, CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/eval.cpp:294:18
#10 0xcb4431 in evalIdDef(CTree*, CTree*, CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/eval.cpp:1272:12
#11 0xcb4431 in realeval(CTree*, CTree*, CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/eval.cpp:522:16
#12 0xc9c457 in eval(CTree*, CTree*, CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/eval.cpp:294:18
#13 0xc9b4a2 in evalprocess(CTree*) /home/elmanto/mnt/output/faust-ddg/compiler/evaluate/eval.cpp:98:19
#14 0x126783d in evaluateBlockDiagram(CTree*, int&, int&) /home/elmanto/mnt/output/faust-ddg/compiler/libcode.cpp:1190:20
#15 0x126783d in threadEvaluateBlockDiagram(void*) /home/elmanto/mnt/output/faust-ddg/compiler/libcode.cpp:218:13
#16 0x7ffff7f9e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#17 0x7ffff7b66292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/elmanto/mnt/output/faust-ddg/compiler/tlib/tree.hh:146:46 in CTree::branch(int) const
Thread T1 created by T0 here:
#0 0xa635bc in __interceptor_pthread_create (/home/elmanto/mnt/output/faust-ddg/build/bin/faust+0xa635bc)
#1 0x1266546 in callFun(void* ()(void)) /home/elmanto/mnt/output/faust-ddg/compiler/libcode.cpp:207:5
#2 0x12194c3 in compileFaustFactoryAux(int, char const**, char const*, char const*, bool) /home/elmanto/mnt/output/faust-ddg/compiler/libcode.cpp:1975:5
#3 0x1216183 in compileFaustFactory(int, char const**, char const*, char const*, std::__cxx11::basic_string<char, std::char_traits, std::allocator >&, bool) /home/elmanto/mnt/output/faust-ddg/compiler/libcode.cpp:2048:9
#4 0x128fc8e in main /home/elmanto/mnt/output/faust-ddg/compiler/main.cpp:45:33
#5 0x7ffff7a6b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

[sletz]

Thanks for reporting. This one is new AFAICS. I've just added a faustassert to prevent the crash here a80faae. @orlarey any idea on how to fix this one?

[elManto]

No worries, thanks for the prompt reaction