fuzz clang #23431

Open
kcc opened this issue Mar 28, 2015 · 41 comments
Labels
bugzilla

Comments

@kcc (Contributor) commented Mar 28, 2015

Bugzilla Link 23057
Version unspecified
OS Linux
Depends On #22200 #22203 #22204 #22217 #22228 #22239 #22245 #22322 #22324 #22325 #22326 #22327 #22328 #22329 #22332 #22334 #22344 #22346 #22190 #22192 #22193 #22195 #22198 #22202 #22205 #22206 #22207 #22208 #22211 #22212 #22216 #22218 #22220 #22223 #22226 #22229 #22230 #22234 #22236 #22237 #22240 #22241 #22242 #22243 #22244 #22331 #22333 #22335 #22347
CC @d0k,@bcardosolopes,@majnemer,@dmpolukhin,@nico,@zygoloid,@silvasean,@zhendongsu

Extended Description

As of r233459 we have a clang fuzzer in the source tree.
Details: llvm/lib/Fuzzer/README.txt

We also have a build bot that runs the fuzzer 24/7
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer
(See also bug 23052 for the clang-format fuzzer).

I propose to track all activities related to fuzzing clang here.
(There was a significant volume of bugs detected by AFL,
if someone has the list of revisions/bugs, please attach here).

@kcc (Contributor, Author) commented Mar 28, 2015

echo -n "#if 0" | clang -x c++ -

==23545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000006b76 at pc 0x00000bb7006e bp 0x7fffa7ced0f0 sp 0x7fffa7ced0e8
READ of size 1 at 0x604000006b76 thread T0
#0 0xbb7006d in clang::NumericLiteralParser::ParseNumberStartingWithZero(clang::SourceLocation) tools/clang/lib/Lex/LiteralSupport.cpp:759:12
#1 0xbb63964 in clang::NumericLiteralParser::NumericLiteralParser(llvm::StringRef, clang::SourceLocation, clang::Preprocessor&) tools/clang/lib/Lex/LiteralSupport.cpp:531:
#2 0xbc9ced8 in EvaluateValue((anonymous namespace)::PPValue&, clang::Token&, DefinedTracker&, bool, clang::Preprocessor&) tools/clang/lib/Lex/PPExpressions.cpp:220:26
#3 0xbc9980e in clang::Preprocessor::EvaluateDirectiveExpression(clang::IdentifierInfo*&) tools/clang/lib/Lex/PPExpressions.cpp:758:7
#4 0xbc59a89 in clang::Preprocessor::HandleIfDirective(clang::Token&, bool) tools/clang/lib/Lex/PPDirectives.cpp:2396:32
#5 0xbc50c98 in clang::Preprocessor::HandleDirective(clang::Token&) tools/clang/lib/Lex/PPDirectives.cpp:838:14
#6 0xbb5e82e in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3633:3
#7 0xbd738ef in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
#8 0x7dfc1e5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
#9 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
#10 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
#11 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
#12 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
#13 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#14 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#15 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#16 0x82473f in main tools/clang/tools/driver/driver.cpp:415
0x604000006b76 is located 0 bytes to the right of 38-byte region [0x604000006b50,0x604000006b76)
allocated by thread T0 here:
#0 0x81955b in operator new(unsigned long, std::nothrow_t const&) projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3
#1 0x4e4741b in llvm::MemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:139:34
#2 0x4e4b200 in getMemBufferCopy lib/Support/MemoryBuffer.cpp:120:7
#3 0x4e4b200 in getMemoryBufferForStream(int, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:241
#4 0x4e48947 in llvm::MemoryBuffer::getSTDIN() lib/Support/MemoryBuffer.cpp:428:10
#5 0x56df240 in clang::CompilerInstance::InitializeSourceManager(clang::FrontendInputFile const&, clang::DiagnosticsEngine&, clang::FileManager&, clang::SourceManager&, cl
#6 0x57d3347 in clang::FrontendAction::BeginSourceFile(clang::CompilerInstance&, clang::FrontendInputFile const&) tools/clang/lib/Frontend/FrontendAction.cpp:308:8
#7 0x56e3e40 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:806:9
#8 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#9 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#10 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#11 0x82473f in main tools/clang/tools/driver/driver.cpp:415

@kcc (Contributor, Author) commented Mar 28, 2015

echo -n '~a::{' | clang -x c++ -

==23855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000b7c91c6 bp 0x7fffe68c9dd0 sp 0x7fffe68c9dc0 T0)
#0 0xb7c91c5 in clang::NestedNameSpecifier::getKind() const tools/clang/lib/AST/NestedNameSpecifier.cpp:132:8
#1 0x88ec340 in clang::Sema::ShouldEnterDeclaratorScope(clang::Scope*, clang::CXXScopeSpec const&) tools/clang/lib/Sema/SemaCXXScopeSpec.cpp:999:11
#2 0x7ff9f0e in clang::Parser::ParseUnqualifiedId(clang::CXXScopeSpec&, bool, bool, bool, clang::OpaquePtr<clang::QualType>, clang::SourceLocation&, clang::UnqualifiedId&) tools/clang/lib/Parse/ParseExprCXX.cpp:2549:11
#3 0x7ee34db in clang::Parser::ParseDirectDeclarator(clang::Declarator&) tools/clang/lib/Parse/ParseDecl.cpp:4982:11
#4 0x7ede076 in clang::Parser::ParseDeclaratorInternal(clang::Declarator&, void (clang::Parser::*)(clang::Declarator&)) tools/clang/lib/Parse/ParseDecl.cpp:4756:7
#5 0x7e97c3d in ParseDeclarator tools/clang/lib/Parse/ParseDecl.cpp:4651:3
#6 0x7e97c3d in clang::Parser::ParseDeclGroup(clang::ParsingDeclSpec&, unsigned int, clang::SourceLocation*, clang::Parser::ForRangeInit*) tools/clang/lib/Parse/ParseDecl.cpp:1633
#7 0x7e24f9d in clang::Parser::ParseDeclOrFunctionDefInternal(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec&, clang::AccessSpecifier) tools/clang/lib/Parse/Parser.cpp:893:10
#8 0x7e22340 in clang::Parser::ParseDeclarationOrFunctionDefinition(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*, clang::AccessSpecifier) tools/clang/lib/Parse/Parser.cpp:909:12
#9 0x7e1873e in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) tools/clang/lib/Parse/Parser.cpp:767:12
#10 0x7e157c2 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) tools/clang/lib/Parse/Parser.cpp:569:12
#11 0x7dfc2e8 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:134:7
#12 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
#13 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
#14 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
#15 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
#16 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#17 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#18 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#19 0x82473f in main tools/clang/tools/driver/driver.cpp:415

@kcc (Contributor, Author) commented Mar 28, 2015

Not sure if leaks in clang on invalid inputs are worth fixing.
If not, we can disable leak detection on the fuzzer bot.
Here is one leak example:

echo "::(&C" | clang -x c++ -

Direct leak of 432 byte(s) in 1 object(s) allocated from:
#0 0x81927b in operator new(unsigned long) projects/compiler-rt/lib/asan/asan_new_delete.cc:62:35
#1 0x7e13b19 in EnterScope tools/clang/lib/Parse/Parser.cpp:358:24
#2 0x7e13b19 in clang::Parser::Initialize() tools/clang/lib/Parse/Parser.cpp:425
#3 0x7dfc1e5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
#4 0x57daace in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
#5 0x639676a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
#6 0x57d9122 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
#7 0x56e3e60 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
#8 0x5a5d49d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#9 0x82971d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#10 0x82473f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#11 0x82473f in main tools/clang/tools/driver/driver.cpp:415

@kcc (Contributor, Author) commented Mar 29, 2015

The bot is currently running w/o assertions because there are quite a few of them

printf '\n;::(&C' | clang -x c++ -
tools/clang/include/clang/Parse/Parser.h:2166: void clang::Parser::DeclaratorScopeObj::EnterDeclaratorScope(): Assertion
`!EnteredScope && "Already entered the scope!"' failed.

printf 'x(a::(b)' | clang -x c++ -
tools/clang/lib/Lex/PPCaching.cpp:101: void clang::Preprocessor::AnnotatePreviousCachedTokens(const clang::Token &): Assertion `CachedTokens[CachedLexPos-1].getLastLoc() == Tok.getAnnotationEndLoc() && "The annotation should be until the most recent cached token"' failed.

echo ClMKWyK/APABWOsiTD1rW9hs | base64 --decode | clang -x c++ -
tools/clang/lib/Frontend/TextDiagnostic.cpp:973: void highlightRange(const clang::CharSourceRange &, unsigned int, clang::FileID, const (anonymous namespace)::SourceColumnMap &, std::string &, const clang::SourceManager &, const clang::LangOptions &): Assertion `StartColNo <= map.getSourceLine().size() && "Invalid range!"' failed.

printf 'k80x&::((**\ne::' | clang -x c++ -
tools/clang/include/clang/Parse/Parser.h:2178: clang::Parser::DeclaratorScopeObj::~DeclaratorScopeObj(): Assertion `SS.isSet() && "C++ scope was cleared ?"' failed.

@d0k (Member) commented Mar 29, 2015

echo -n "#if 0" | clang -x c++ - fixed in r233491.
echo -n '~a::{' | clang -x c++ - fixed in r233492.

@kcc (Contributor, Author) commented Mar 30, 2015

echo I1zqGiMAXAoAI7JrCiPR | base64 --decode | clang -x c++ -
tools/clang/lib/Lex/PPDirectives.cpp:99: void clang::Preprocessor::DiscardUntilEndOfDirective(): Assertion `Tmp.isNot(tok::eof) && "EOF seen while discarding directive tokens"' failed.

W/o asserts causes null deref.

Thanks Benjamin for the fixes!

@silvasean (Contributor) commented Mar 31, 2015

I added the still-open AFL bugs found by Sami Liedes.

@silvasean (Contributor) commented Mar 31, 2015

Not sure if leaks in clang on invalid inputs are worth fixing.
If not, we can disable leak detection on the fuzzer bot.

I think they are worth fixing. They would adversely affect the stability of long-lived processes that use clang as a library, such as IDEs.

@kcc (Contributor, Author) commented Mar 31, 2015

echo zWsoIi+qACrc8o25aFlrW7YkImJL | base64 --decode | clang -x c++ - -c

==4839==ERROR: AddressSanitizer: negative-size-param: (size=-264)
#0 0x7e031f in __asan_memset projects/compiler-rt/lib/asan/asan_interceptors.cc:420:3
#1 0x5a474df in __fill_a /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_algobase.h:703:7
#2 0x5a474df in fill<__gnu_cxx::__normal_iterator<char *, std::basic_string >, char> /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../include/c++/4.8/bits/stl_algobase.h:728
#3 0x5a474df in highlightRange tools/clang/lib/Frontend/TextDiagnostic.cpp:983
#4 0x5a474df in clang::TextDiagnostic::emitSnippetAndCaret(clang::SourceLocation, clang::DiagnosticsEngine::Level, llvm::SmallVectorImpl<clang::CharSourceRange>&, llvm::ArrayRef<clang::FixItHint>, clang::SourceManager const&) tools/clang/lib/Frontend/TextDiagnostic.cpp:1125
#5 0x5a2c599 in emitCaret tools/clang/lib/Frontend/DiagnosticRenderer.cpp:394:3

@kcc (Contributor, Author) commented Mar 31, 2015

printf '#include<\\' | clang -x c++ -c -

==24291==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000006bbb at pc 0x00000bb382d1 bp 0x7fff54ea18d0 sp 0x7fff54ea18c8
READ of size 1 at 0x604000006bbb thread T0
#0 0xbb382d0 in getAndAdvanceChar tools/clang/include/clang/Lex/Lexer.h:529:36
#1 0xbb382d0 in clang::Lexer::LexAngledStringLiteral(clang::Token&, char const*) tools/clang/lib/Lex/Lexer.cpp:1870
#2 0xbb56361 in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3387:14
#3 0xbd7318f in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
#4 0xbd798e5 in clang::PreprocessorLexer::LexIncludeFilename(clang::Token&) tools/clang/lib/Lex/PreprocessorLexer.cpp:44:5
#5 0xbc5e998 in clang::Preprocessor::HandleIncludeDirective(clang::SourceLocation, clang::Token&, clang::DirectoryLookup const*, clang::FileEntry const*, bool)
#6 0xbc51b36 in clang::Preprocessor::HandleDirective(clang::Token&) tools/clang/lib/Lex/PPDirectives.cpp:853:14
#7 0xbb5d63e in clang::Lexer::LexTokenInternal(clang::Token&, bool) tools/clang/lib/Lex/Lexer.cpp:3633:3
#8 0xbd7318f in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:692:23
#9 0x7dfa8f5 in clang::ParseAST(clang::Sema&, bool, bool) tools/clang/lib/Parse/ParseAST.cpp:123:3
#10 0x57d763e in clang::ASTFrontendAction::ExecuteAction() tools/clang/lib/Frontend/FrontendAction.cpp:537:3
#11 0x639214a in clang::CodeGenAction::ExecuteAction() tools/clang/lib/CodeGen/CodeGenAction.cpp:733:3
#12 0x57d5c92 in clang::FrontendAction::Execute() tools/clang/lib/Frontend/FrontendAction.cpp:439:8
#13 0x56e09d0 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:807:7
#14 0x5a5a00d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#15 0x829a7d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#16 0x824a9f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#17 0x824a9f in main tools/clang/tools/driver/driver.cpp:415
#18 0x7f21b4643ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

0x604000006bbb is located 0 bytes to the right of 43-byte region [0x604000006b90,0x604000006bbb)

allocated by thread T0 here:
#0 0x8198bb in operator new(unsigned long, std::nothrow_t const&) projects/compiler-rt/lib/asan/asan_new_delete.cc:67:3
#1 0x4e42fcb in llvm::MemoryBuffer::getNewUninitMemBuffer(unsigned long, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:139:34
#2 0x4e46db0 in getMemBufferCopy lib/Support/MemoryBuffer.cpp:120:7
#3 0x4e46db0 in getMemoryBufferForStream(int, llvm::Twine const&) lib/Support/MemoryBuffer.cpp:241
#4 0x4e444f7 in llvm::MemoryBuffer::getSTDIN() lib/Support/MemoryBuffer.cpp:428:10
#5 0x56dbdb0 in clang::CompilerInstance::InitializeSourceManager(clang::FrontendInputFile const&, clang::DiagnosticsEngine&, clang::FileManager&, clang::SourceM
#6 0x57cfeb7 in clang::FrontendAction::BeginSourceFile(clang::CompilerInstance&, clang::FrontendInputFile const&) tools/clang/lib/Frontend/FrontendAction.cpp:30
#7 0x56e09b0 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) tools/clang/lib/Frontend/CompilerInstance.cpp:806:9
#8 0x5a5a00d in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:222:18
#9 0x829a7d in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) tools/clang/tools/driver/cc1_main.cpp:110:13
#10 0x824a9f in ExecuteCC1Tool tools/clang/tools/driver/driver.cpp:369:12
#11 0x824a9f in main tools/clang/tools/driver/driver.cpp:415

@llvmbot (Collaborator) commented Mar 31, 2015

There are probably quite a few unreported ones at http://sli.dy.fi/~sliedes/clang-triage/triage_report.xhtml . I just added a few new test cases there that bumped the number of distinct crashes from 68 to 88. My bot doesn't automatically fuzz; the fuzzing part is manual, but it runs clang trunk against a generated corpus of (currently ~14k, but probably only 5-6k exercise distinct paths) inputs that have at some point crashed clang.

Anyway, glad to hear that there's more advanced fuzzing infrastructure in place now.

@kcc (Contributor, Author) commented Mar 31, 2015

I think they [leaks] are worth fixing.

Interestingly, all the cases of leaks I observe also fail assertions in a debug build, see #4. So, if we fix those assertions the leaks may disappear as well.

@kcc (Contributor, Author) commented Mar 31, 2015

There are probably quite a few unreported ones at
http://sli.dy.fi/~sliedes/clang-triage/triage_report.xhtml

This is the reason why the fuzzer bot runs the in-process fuzzer w/o assertions.
With assertions it would be crashing too quickly.
Your list contains my four assertion failures from c#4 and many more.
Neat.

@kcc (Contributor, Author) commented Mar 31, 2015

Infinite recursion:

echo "inlineJ33 y8(struct include; " | clang -x c++ -c -

#0 0xb2f7e33 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1220
#1 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
#2 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
#3 0xb2fb560 in getLVForLocalDecl tools/clang/lib/AST/Decl.cpp:1198
#4 0xb2fb560 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1299
#5 0xb300b9a in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
#6 0xb300b9a in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
#7 0xb300b9a in clang::NamedDecl::getLinkageInternal() const tools/clang/lib/AST/Decl.cpp:1024
#8 0xb94b1cb in computeCachedProperties tools/clang/lib/AST/Type.cpp:2185:17
#9 0xb94b1cb in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2137
#10 0xb94a711 in get tools/clang/lib/AST/Type.cpp:2116:5
#11 0xb94a711 in get tools/clang/lib/AST/Type.cpp:2112
#12 0xb94a711 in computeCachedProperties tools/clang/lib/AST/Type.cpp:2222
#13 0xb94a711 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2137
#14 0xb949d40 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:2129:7
#15 0xb949b80 in clang::Type::getLinkage() const tools/clang/lib/AST/Type.cpp:2242:3
#16 0xb34f6c4 in getLVForNamespaceScopeDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:764:11
#17 0xb2f80b7 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1275:12
#18 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1314:22
#19 0xb2fb560 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1351
#20 0xb2fb560 in getLVForLocalDecl tools/clang/lib/AST/Decl.cpp:1198

@kcc (Contributor, Author) commented Mar 31, 2015

r233726 disables leak detection for clang-fuzzer until c#4 is fixed.

@kcc (Contributor, Author) commented Mar 31, 2015

use-after-free.log
echo "B& ifndef[(double(void} ,&&))nullptr|" | clang -x c++ -c -

==10808==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000088e0 at pc 0x0000007dfd49 bp 0x7fff87de5a90 sp 0x7fff87de5248
READ of size 20 at 0x6110000088e0 thread T0
#0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
#1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
#2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
#3 0x7e0c357 in ConsumeParen tools/clang/include/clang/Parse/Parser.h:373:5
#4 0x7e0c357 in clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) tools/clang/lib/Parse/Parser.cpp:313

@kcc (Contributor, Author) commented Apr 1, 2015

echo "g34( struct Yunsignedp char32_t=char32_t_35==ZcregisterZtypename&&S=4autobitand8 &&or* xor{static_cast&char32_t&welseconst auto" | clang -x c++ -

tools/clang/include/clang/AST/DeclCXX.h:592: struct DefinitionData &clang::CXXRecordDecl::data() const: Assertion `DD && "queried property of class with no definition"' failed.

Leads to a null deref w/o assertions.
Also present in Sami Liedes's set from c#11

@kcc (Contributor, Author) commented Apr 1, 2015

echo "f(){for(a operator==:" | clang -x c++ -c -

Assertion `Val && "isa<> used on a null pointer"' failed.

Sami has this one too. W/o assertions this is another NULL deref.

@kcc (Contributor, Author) commented Apr 1, 2015

These two might be variations of c#16 or separate use-after-free bugs.

echo 'lshort typedef s4;bool Kt={3LbreaklinethisQ&namespaceifndef[(double(struct{private:}~A/=void ifdef))nullptrchar32_t|$( tnewspublic -=--<' | clang -x c++ -c -

==17685==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e740 at pc 0x0000007dfd49 bp 0x7fff53379ef0 sp 0x7fff533796a8
READ of size 20 at 0x61500000e740 thread T0
#0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
#1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
#2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
#3 0xbc2fdc1 in clang::Preprocessor::CachingLex(clang::Token&) tools/clang/lib/Lex/PPCaching.cpp:58:3
#4 0xbd732f6 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:701:7
#5 0x7e0c23e in ConsumeToken tools/clang/include/clang/Parse/Parser.h:285:5
#6 0x7e0c23e in clang::Parser::SkipUntil(llvm::ArrayRef<clang::tok::TokenKind>, clang::Parser::SkipUntilFlags) tools/clang/lib/Parse/Parser.cpp:340
#7 0x8039d37 in SkipUntil tools/clang/include/clang/Parse/Parser.h:842:12
#8 0x8039d37 in clang::Parser::ParseBraceInitializer() tools/clang/lib/Parse/ParseInit.cpp:444

0x61500000e740 is located 192 bytes inside of 456-byte region [0x61500000e680,0x61500000e848)
freed by thread T0 here:
#0 0x7f6fdb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
#1 0x802dfa9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:365:7
#2 0x802dfa9 in clang::Parser::ParseCXXAmbiguousParenExpression(clang::Parser::ParenParseOption&, clang::OpaquePtr<clang::QualType>&, clang::BalancedDelimiterTracker&, clang::ColonProtectionRA
#3 0x7fad534 in clang::Parser::ParseParenExpression(clang::Parser::ParenParseOption&, bool, bool, clang::OpaquePtr<clang::QualType>&, clang::SourceLocation&) tools/clang/lib/Parse/ParseExpr.cp
#4 0x7f9886c in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:681:11
#5 0x7f83045 in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:437:20
#6 0x7f83045 in clang::Parser::ParseAssignmentExpression(clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:167
#7 0x7f8fe6a in ParseExpression tools/clang/lib/Parse/ParseExpr.cpp:121:18

echo '=registerforthisclassxor^u ;conceptBchar32_t=breaku:OB& ifndef[(double(wchar_t nI[3u/23;p= ,signed))nullptr error(Rl' | clang -x c++ -c -

==17945==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e758 at pc 0x0000007dfd49 bp 0x7fffc5bc49b0 sp 0x7fffc5bc4168
READ of size 20 at 0x61500000e758 thread T0
#0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
#1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
#2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
#3 0x7e05bbf in TryConsumeToken tools/clang/include/clang/Parse/Parser.h:295:5

...
0x61500000e758 is located 216 bytes inside of 456-byte region [0x61500000e680,0x61500000e848)
freed by thread T0 here:
#0 0x7f6fdb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
#1 0x802dfa9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:365:7
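Sami's triage page counts "distinct crashes", and the comment above asks whether its two use-after-free reports are variations of c#16 or separate bugs. Both questions come down to how a crash is bucketed. The script below is an added example, not the fuzzer bot's code and not part of the clang tree: it parses the plain ASan and assertion output pasted in this thread and builds a dedup key from the bug class plus the top few frames, skipping the sanitizer's own interceptor frames. The frame depth, the `RUNTIME_PREFIXES` list, the near-null threshold and the trimmed sample reports are this example's own choices. Run on the reports above, depth 2 merges c#16 with both use-after-frees (all three die in TokenLexer::Lex called from Preprocessor::Lex), depth 3 separates all three, and the first non-interceptor frame of both free stacks is the same ~SmallVectorImpl, which is the hint that the two Apr 1 reports may share a root cause even though their crash stacks differ.

```python
"""Bucket sanitizer and assertion reports by stack signature.
Added example, not the fuzzer bot's code; it works on the plain-text reports
pasted in this thread and needs neither clang nor a symbolizer."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

HEADER_RE = re.compile(r"==\d+==ERROR: \w+Sanitizer: (?P<kind>[\w-]+)"
                       r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+ in (?P<rest>.+)$")
ASSERT_RE = re.compile(r"Assertion `(?P<cond>.*?)' failed")
SECTION_RE = re.compile(r"^(?:0x[0-9a-fA-F]+ is located|freed by|(?:previously )?allocated by)")
# Runtime frames top every report of a class and say nothing about the bug
# itself (this example's own list; extend it for other interceptors).
RUNTIME_PREFIXES = ("__asan_", "__interceptor_", "__sanitizer_", "__lsan_")
NULL_PAGE = 0x1000  # a fault below this address is a null/near-null dereference

@dataclass
class Report:
    kind: str = "unknown"   # heap-use-after-free, SEGV, assert, ...
    detail: str = ""        # SEGV address class, or the assertion text
    crash_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)

def _func_name(rest: str) -> str:
    # "clang::Parser::SkipUntil(llvm::ArrayRef<...>) tools/.../Parser.cpp:313" -> "clang::Parser::SkipUntil"
    cut = rest.find("(")
    return rest[:cut].strip() if cut != -1 else rest.split()[0]

def parse_report(text: str) -> Report:
    rep, current = Report(), None  # current: the stack list frames are appended to
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER_RE.search(line):
            rep.kind, current = m.group("kind"), rep.crash_stack
            if rep.kind == "SEGV" and m.group("addr"):
                rep.detail = "near-null" if int(m.group("addr"), 16) < NULL_PAGE else "unknown-address"
        elif (m := ASSERT_RE.search(line)) and rep.kind == "unknown":
            rep.kind, rep.detail = "assert", m.group("cond")
        elif SECTION_RE.match(line):  # keep the free site; allocation stacks are skipped
            current = rep.free_stack if line.startswith("freed by") else None
        elif (m := FRAME_RE.match(line)) and current is not None:
            name = _func_name(m.group("rest"))
            if not name.startswith(RUNTIME_PREFIXES):
                current.append(name)
    return rep

def signature(rep: Report, depth: int = 3, stack: str = "crash") -> str:
    """Dedup key: bug class plus the top `depth` non-runtime frames of the
    crash stack, or of the free stack when comparing use-after-free reports."""
    if rep.kind == "assert":
        return "assert|" + rep.detail
    head = rep.kind + (f"({rep.detail})" if rep.detail else "")
    frames = rep.crash_stack if stack == "crash" else rep.free_stack
    return "|".join([head] + frames[:depth])

def bucket(reports: Dict[str, str], depth: int = 3) -> Dict[str, List[str]]:
    """Group named report texts by their signature."""
    out: Dict[str, List[str]] = {}
    for name, text in reports.items():
        out.setdefault(signature(parse_report(text), depth), []).append(name)
    return out

# Trimmed copies of reports pasted earlier in this thread (c#16, the two
# use-after-frees from Apr 1, the '~a::{' SEGV and one assertion failure).
SAMPLES = {
    "c16": """==10808==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000088e0
#0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
#1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
#2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
#3 0x7e0c357 in ConsumeParen tools/clang/include/clang/Parse/Parser.h:373:5
""",
    "uaf_a": """==17685==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e740
#0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
#1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
#2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
#3 0xbc2fdc1 in clang::Preprocessor::CachingLex(clang::Token&) tools/clang/lib/Lex/PPCaching.cpp:58:3
freed by thread T0 here:
#0 0x7f6fdb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
#1 0x802dfa9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:365:7
""",
    "uaf_b": """==17945==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e758
#0 0x7dfd48 in __asan_memcpy projects/compiler-rt/lib/asan/asan_interceptors.cc:403:3
#1 0xbd8aa27 in clang::TokenLexer::Lex(clang::Token&) tools/clang/lib/Lex/TokenLexer.cpp:441:7
#2 0xbd73201 in clang::Preprocessor::Lex(clang::Token&) tools/clang/lib/Lex/Preprocessor.cpp:698:23
#3 0x7e05bbf in TryConsumeToken tools/clang/include/clang/Parse/Parser.h:295:5
freed by thread T0 here:
#0 0x7f6fdb in __interceptor_free projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
#1 0x802dfa9 in ~SmallVectorImpl include/llvm/ADT/SmallVector.h:365:7
""",
    "segv": """==23855==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (T0)
#0 0xb7c91c5 in clang::NestedNameSpecifier::getKind() const tools/clang/lib/AST/NestedNameSpecifier.cpp:132:8
#1 0x88ec340 in clang::Sema::ShouldEnterDeclaratorScope(clang::Scope*, clang::CXXScopeSpec const&) tools/clang/lib/Sema/SemaCXXScopeSpec.cpp:999:11
""",
    "assert": """tools/clang/include/clang/Parse/Parser.h:2166: void clang::Parser::DeclaratorScopeObj::EnterDeclaratorScope(): Assertion `!EnteredScope && "Already entered the scope!"' failed.
""",
}
```

`bucket(SAMPLES, depth=2)` yields three buckets (one holding c16, uaf_a and uaf_b), `bucket(SAMPLES, depth=3)` yields five. Bucketing on the free stack instead (`signature(rep, 1, "free")`) puts both Apr 1 reports together. Whatever depth is chosen, a SEGV below the null page is kept apart from a fault at an arbitrary address, since the former is almost always a missing null check rather than a memory-safety bug.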

@kcc (Contributor, Author) commented Apr 18, 2015

As of today, issue 22407 is the only one seen on the clang fuzzer bot:
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/1395

@kcc (Contributor, Author) commented Apr 18, 2015

As of today, issue 22407 is the only one seen on the clang fuzzer bot:
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer/builds/1395

(the bot uses no-assertions build)

@kcc (Contributor, Author) commented May 6, 2015

the clang/clang-format fuzzer bot
lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fuzzer
has been extended to run both with and w/o assertions.
whenever a bug is found, the fuzzer will print the base64-encoded reproducer
so that one can copy-paste it from the buildbot logs:
E.g. from the bot logs:

SUMMARY: AddressSanitizer: ...
CRASHED; file written to crash-80193815206841682354717562770799349303
Base64: OiDgO3gKUyYhU0Z4KhFoEztFKGV1bZNTe5Hsk1MmKUMheCoTIWgTO0VTKMFldW2TUzs=

Just do this:
echo OiDgO3gKUyYhU0Z4KhFoEztFKGV1bZNTe5Hsk1MmKUMheCoTIWgTO0VTKMFldW2TUzs= | base64 -d | clang -x c++ -
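The copy-paste recipe above works because base64 survives a terminal and a bug tracker; the inputs themselves frequently do not (the Mar 29 reproducer decodes to bytes that include a NUL, which echo "..." cannot carry). The script below is an added example, not the bot's tooling and not part of LLVM. It pulls every Base64: line out of a log excerpt, rewrites each input as a printf one-liner with octal escapes, and, when a clang is on PATH, runs it the way the bot does and tells a sanitizer report or assertion failure apart from the ordinary compile errors that garbage input also produces (both exit with status 1, so the exit code alone cannot distinguish them). The ASAN_OPTIONS=detect_leaks knob, the classification labels and the constructed log excerpt are this example's own choices; clang's exit status convention and the ASan report header are the real things.

```python
"""Turn a 'Base64:' reproducer line from the fuzzer bot log into something that
can be re-run and classified (added example, not the bot's own tooling)."""
import base64
import os
import re
import shutil
import subprocess
from typing import List, Optional

BASE64_LINE_RE = re.compile(r"^Base64:\s*(?P<b64>[A-Za-z0-9+/=]+)\s*$", re.MULTILINE)
SANITIZER_RE = re.compile(r"ERROR: \w+Sanitizer: ")

def extract_reproducers(log: str) -> List[bytes]:
    """Decode every 'Base64: ...' line of a bot log into the raw fuzzer input."""
    return [base64.b64decode(m.group("b64"), validate=True)
            for m in BASE64_LINE_RE.finditer(log)]

def printf_literal(data: bytes) -> str:
    """Render arbitrary bytes as a POSIX printf command that reproduces them.
    Fuzzer inputs routinely contain NUL and non-ASCII bytes (the reason the bot
    prints base64), so a plain echo "..." cannot carry them; octal escapes can."""
    out = []
    for b in data:
        if b == 0x5C:               # backslash starts an escape in the format string
            out.append("\\\\")
        elif b == 0x25:             # '%' starts a conversion
            out.append("%%")
        elif b == 0x27:             # close the single-quoted word, emit \', reopen
            out.append("'\\''")
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "printf '" + "".join(out) + "'"

def repro_command(data: bytes, clang: str = "clang", detect_leaks: bool = False) -> str:
    """Shell one-liner equivalent to the 'echo ... | base64 -d | clang -x c++ -'
    recipe, with leak detection off by default as the bot ran after r233726."""
    env = f"ASAN_OPTIONS=detect_leaks={int(detect_leaks)}"
    return f"{printf_literal(data)} | {env} {clang} -x c++ -c -o /dev/null -"

def classify_output(returncode: int, stderr: str) -> str:
    """Tell a crash from ordinary compile errors. clang exits 1 both for
    diagnostics and (with the default exitcode) for a sanitizer report, so the
    text decides; an assertion failure aborts, hence the check before 'signal'."""
    if SANITIZER_RE.search(stderr):
        return "sanitizer"
    if "Assertion `" in stderr and "' failed" in stderr:
        return "assertion"         # asserts build; a no-asserts build often SEGVs instead
    if returncode < 0:
        return "signal"            # subprocess reports death-by-signal as -signum
    return "clean" if returncode == 0 else "diagnostics-only"

def run_reproducer(data: bytes, clang: str = "clang", detect_leaks: bool = False) -> Optional[str]:
    """Feed the bytes to clang on stdin the way the bot does and classify the
    result; None when no clang is on PATH, so the example stays usable offline."""
    if shutil.which(clang) is None:
        return None
    env = dict(os.environ, ASAN_OPTIONS=f"detect_leaks={int(detect_leaks)}")
    proc = subprocess.run([clang, "-x", "c++", "-c", "-o", os.devnull, "-"],
                          input=data, env=env, capture_output=True, timeout=120)
    return classify_output(proc.returncode, proc.stderr.decode("utf-8", "replace"))

# Constructed log excerpt: the lines quoted from the bot log in this thread plus
# the base64 reproducer from the Mar 29 comment (the one containing a NUL byte).
BOT_LOG = """SUMMARY: AddressSanitizer: ...
CRASHED; file written to crash-80193815206841682354717562770799349303
Base64: OiDgO3gKUyYhU0Z4KhFoEztFKGV1bZNTe5Hsk1MmKUMheCoTIWgTO0VTKMFldW2TUzs=
Base64: ClMKWyK/APABWOsiTD1rW9hs
"""

if __name__ == "__main__":
    for blob in extract_reproducers(BOT_LOG):
        print(repro_command(blob), "->", run_reproducer(blob))
```

Point `run_reproducer` at a sanitizer build with assertions and at one without to see the same input land in "assertion" for the first and "sanitizer" or "signal" for the second, which is the asserts/no-asserts split discussed earlier in this thread. On a stock clang without ASan the ASAN_OPTIONS variable is simply ignored.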

@kcc (Contributor, Author) commented Aug 11, 2015

Still seen by the fuzzer bot:

echo w5sKZTtTk1LJKHbBDckJUgksZCg7Kjo6KCooZckokztyyWWROyjJKIM6OsllwSgmQkFyPDooOi87 | base64 --decode | clang++ -x c++ -
tools/clang/include/clang/Parse/Parser.h:2253: void clang::Parser::DeclaratorScopeObj::EnterDeclaratorScope(): Assertion `!EnteredScope && "Already entered the scope!"' failed.

@kcc (Contributor, Author) commented Dec 22, 2015

some more
echo KAljQyggbCA9ZG8sdXNqb3J0fGI+bGU6eUJwOygJKipDKGxnKGtpID1jQyg5KWRlZmluZSggKkkpMyg= | base64 --decode | clang -x c++ -

llvm/include/llvm/Support/Casting.h:95: static bool llvm::isa_impl_cl<clang::ExprWithCleanups, const clang::Expr *>::doit(const From *) [To = clang::ExprWithCleanups, From = const clang::Expr *]: Assertion `Val && "isa<> used on a null pointer"' failed.

(null deref follows)

@kcc (Contributor, Author) commented Dec 22, 2015

echo O2lubGluZSB0ZW1wbGEoCWNDKSgJIGVudW0gbDY7KHRlIG8= | base64 --decode | clang -x c++ -

==38911==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdfb8a2f00 (pc 0x00000cb04169 bp 0x7ffdfb8a30a0 sp 0x7ffdfb8a2f00 T0)
#0 0xcb04168 in computeLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1226
#1 0xcb5b855 in clang::LinkageComputer::getLVForDecl(clang::NamedDecl const*, LVComputationKind) tools/clang/lib/AST/Decl.cpp:1320:22
#2 0xcb0b5b5 in getLVForDecl tools/clang/lib/AST/Decl.cpp:1357:10
#3 0xcb0b5b5 in clang::NamedDecl::getLinkageInternal() const tools/clang/lib/AST/Decl.cpp:1030
#4 0xd1d98f9 in computeCachedProperties tools/clang/lib/AST/Type.cpp:3163:17
#5 0xd1d98f9 in clang::TypePropertyCache<(anonymous namespace)::Private>::ensure(clang::Type const*) tools/clang/lib/AST/Type.cpp:3115
#6 0xd1d871c in get tools/clang/lib/AST/Type.cpp:3094:5
#7 0xd1d871c in get tools/clang/lib/AST/Type.cpp:3090
#8 0xd1d871c in computeCachedProperties tools/clang/lib/AST/Type.cpp:3200

@kcc (Contributor, Author) commented Dec 22, 2015

stack trace for #24
==14981==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000acf5492 bp 0x7ffde0a49d30 sp 0x7ffde0a48340 T0)
#0 0xacf5491 in getInit tools/clang/include/clang/AST/Decl.h:1089:17
#1 0xacf5491 in clang::Sema::BuildCXXDefaultArgExpr(clang::SourceLocation, clang::FunctionDecl*, clang::ParmVarDecl*) tools/clang/lib/Sema/SemaExpr.cpp:4330
#2 0xad02439 in clang::Sema::GatherArgumentsForCall(clang::SourceLocation, clang::FunctionDecl*, clang::FunctionProtoType const*, unsigned int, llvm::ArrayRef<clang::Expr*
#3 0xacfa0e5 in clang::Sema::ConvertArgumentsForCall(clang::CallExpr*, clang::Expr*, clang::FunctionDecl*, clang::FunctionProtoType const*, llvm::ArrayRef<clang::Expr*>, c
#4 0xad0a38d in clang::Sema::BuildResolvedCall
Expr(clang::Expr*, clang::NamedDecl*, clang::SourceLocation, llvm::ArrayRef<clang::Expr*>, clang::SourceLocation, clang::Expr
#5 0xb6b5f0a in FinishOverloadedCallExpr(clang::Sema&, clang::Scope*, clang::Expr*, clang::UnresolvedLookupExpr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*
#6 0xb6b4281 in clang::Sema::BuildOverloadedCallExpr(clang::Scope*, clang::Expr*, clang::UnresolvedLookupExpr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>,
#7 0xac857a7 in clang::Sema::ActOnCallExpr(clang::Scope*, clang::Expr*, clang::SourceLocation, llvm::MutableArrayRef<clang::Expr*>, clang::SourceLocation, clang::Expr*, bo
#8 0x9828350 in clang::Parser::ParsePostfixExpressionSuffix(clang::ActionResult<clang::Expr*, true>) tools/clang/lib/Parse/ParseExpr.cpp:1554:15
#9 0x9830cb8 in clang::Parser::ParseCastExpression(bool, bool, bool&, clang::Parser::TypeCastState) tools/clang/lib/Parse/ParseExpr.cpp:1338:10
#10 0x9819a6c in ParseCastExpression tools/clang/lib/Parse/ParseExpr.cpp:465:20

@kcc (Contributor, Author) commented Dec 22, 2015

one more:

echo dGVtcGxhdGUgPCF2PmNsYXNzJAlle25tdGwgZSAoIGRvdWxlMipDKXRocm93CyAoKXsgIGUgZDpkKCkhPA== | base64 --decode | clang -x c++ -

==15086==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x0000096ce636 bp 0x7ffd5d700ee0 sp 0x7ffd5d700ac0 T0)
#​0 0x96ce635 in getKind tools/clang/include/clang/AST/DeclBase.h:382:51
#​1 0x96ce635 in classof tools/clang/include/clang/AST/DeclTemplate.h:980
#​2 0x96ce635 in doit include/llvm/Support/Casting.h:56
#​3 0x96ce635 in doit include/llvm/Support/Casting.h:96
#​4 0x96ce635 in doit include/llvm/Support/Casting.h:122
#​5 0x96ce635 in doit include/llvm/Support/Casting.h:112
#​6 0x96ce635 in isa<clang::FunctionTemplateDecl, clang::Decl > include/llvm/Support/Casting.h:133
#​7 0x96ce635 in dyn_cast<clang::FunctionTemplateDecl, clang::Decl> include/llvm/Support/Casting.h:298
#​8 0x96ce635 in clang::Parser::ParseLexedMethodDeclaration(clang::Parser::LateParsedMethodDeclaration&) tools/clang/lib/Parse/ParseCXXInlineMethods.cpp:415
#​9 0x96ca645 in clang::Parser::ParseLexedMethodDeclarations(clang::Parser::ParsingClass&) tools/clang/lib/Parse/ParseCXXInlineMethods.cpp:287:5
#​10 0x97d7d45 in clang::Parser::ParseCXXMemberSpecification(clang::SourceLocation, clang::SourceLocation, clang::Parser::ParsedAttributesWithRange&, unsigned int, clang::D
#​11 0x97ce06e in clang::Parser::ParseClassSpecifier(clang::tok::TokenKind, clang::SourceLocation, clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::Access
#​12 0x971b6c1 in clang::Parser::ParseDeclarationSpecifiers(clang::DeclSpec&, clang::Parser::ParsedTemplateInfo const&, clang::AccessSpecifier, clang::Parser::DeclSpecConte
#​13 0x99fecea in clang::Parser::ParseSingleDeclarationAfterTemplate(unsigned int, clang::Parser::ParsedTemplateInfo const&, clang::ParsingDeclRAIIObject&, clang::SourceLoc
#​14 0x99fc432 in clang::Parser::ParseTemplateDeclarationOrSpecialization(unsigned int, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*) tools/clang/l
#​15 0x99fa1b6 in clang::Parser::ParseDeclarationStartingWithTemplate(unsigned int, clang::SourceLocation&, clang::AccessSpecifier, clang::AttributeList*) tools/clang/lib/P
#​16 0x9715090 in clang::Parser::ParseDeclaration(unsigned int, clang::SourceLocation&, clang::Parser::ParsedAttributesWithRange&) tools/clang/lib/Parse/ParseDecl.cpp:1461:
#​17 0x9686c55 in clang::Parser::ParseExternalDeclaration(clang::Parser::ParsedAttributesWithRange&, clang::ParsingDeclSpec*) tools/clang/lib/Parse/Parser.cpp:743:14
#​18 0x96845e2 in clang::Parser::ParseTopLevelDecl(clang::OpaquePtr<clang::DeclGroupRef>&) tools/clang/lib/Parse/Parser.cpp:593:12

@kcc
Contributor Author

@kcc kcc commented Dec 22, 2015

tools/clang/lib/AST/DeclBase.cpp:762: bool clang::Decl::AccessDeclContextSanity() const: Assertion `Access != AS_none && "Access specifier is AS_none inside a record decl"' failed.

echo IChkb3dsKiYmQykLKChsYXNzeyAgZmxvZXR1dCgJXkMpKAkgZW51bWwgb21wbDtjPDp4b3JfZXEnOiEpOyc | base64 --decode | clang -x c++ -

@kcc
Contributor Author

@kcc kcc commented Dec 22, 2015

tools/clang/lib/AST/DeclBase.cpp:762: bool clang::Decl::AccessDeclContextSanity() const: Assertion `Access != AS_none && "Access specifier is AS_none inside a record decl"' failed.

In a non-assert build this causes:
==16615==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x00000a239d45 bp 0x7ffd4aa874b0 sp 0x7ffd4aa87480 T0)
#​0 0xa239d44 in getCanonicalDecl tools/clang/include/clang/AST/DeclCXX.h:655:12
#​1 0xa239d44 in (anonymous namespace)::AccessTarget::initialize() tools/clang/lib/Sema/SemaAccess.cpp:247
#​2 0xa223796 in AccessTarget tools/clang/lib/Sema/SemaAccess.cpp:152:5
#​3 0xa223796 in clang::Sema::HandleDelayedAccessCheck(clang::sema::DelayedDiagnostic&, clang::Decl*) tools/clang/lib/Sema/SemaAccess.cpp:1490
#​4 0xa897de4 in clang::Sema::PopParsingDeclaration(clang::Sema::DelayedDiagnosticsState, clang::Decl*) tools/clang/lib/Sema/SemaDeclAttr.cpp:5913:9
#​5 0x97f1a64 in pop tools/clang/lib/Parse/RAIIObjectsForParser.h:168:9
#​6 0x97f1a64 in complete tools/clang/lib/Parse/RAIIObjectsForParser.h:151
#​7 0x97f1a64 in complete tools/clang/lib/Parse/RAIIObjectsForParser.h:222

@kcc
Contributor Author

@kcc kcc commented Dec 22, 2015

Input (base64): bmFtZXNwYWNlICB7YXV0byBsIChedm9sYXRpbGV7b2lubGF1byBsKT1ee2ZhOiBsIG5hfWUmJmwocyggKGho

llvm/tools/clang/lib/AST/Decl.cpp:2136: clang::APValue *clang::VarDecl::evaluateValue(SmallVectorImpl &) const: Assertion `!Init->isValueDependent()' failed.

==17999==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000d2b0a79 bp 0x7ffee1d343b0 sp 0x7ffee1d33e40 T0)
#​0 0xd2b0a78 in getTypePtr tools/clang/include/clang/AST/Type.h:5054:26
#​1 0xd2b0a78 in operator-> tools/clang/include/clang/AST/Type.h:635
#​2 0xd2b0a78 in clang::Expr::EvaluateAsInitializer(clang::APValue&, clang::ASTContext const&, clang::VarDecl const*, llvm::SmallVectorImpl<std::pair<clang::SourceLocation,
#​3 0xd096cf4 in clang::VarDecl::evaluateValue(llvm::SmallVectorImpl<std::pair<clang::SourceLocation, clang::PartialDiagnostic> >&) const tools/clang/lib/AST/Decl.cpp:2147:
#​4 0xd0966e8 in clang::VarDecl::evaluateValue() const tools/clang/lib/AST/Decl.cpp:2115:10
#​5 0xcd5e4fd in clang::ASTContext::DeclMustBeEmitted(clang::Decl const*) tools/clang/lib/AST/ASTContext.cpp:8472:8
#​6 0xa596825 in clang::Sema::ShouldWarnIfUnusedFileScopedDecl(clang::DeclaratorDecl const*) const tools/clang/lib/Sema/SemaDecl.cpp:1414:9
#​7 0xa597ebb in clang::Sema::MarkUnusedFileScopedDecl(clang::DeclaratorDecl const*) tools/clang/lib/Sema/SemaDecl.cpp:1446:7
#​8 0xa6ebef8 in clang::Sema::FinalizeDeclaration(clang::Decl*) tools/clang/lib/Sema/SemaDecl.cpp:10222:5

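Added example, not code from this thread or from LLVM: a small triage helper that reduces the kind of AddressSanitizer report and assertion failure pasted in the comments above to a deduplication signature, skipping the inlined isa<>/getKind header frames so that repeated fuzzer hits on the same bug land in one bucket. The skip-prefix heuristic and the sample reports are constructed for this example.

```python
import re
from typing import NamedTuple, Optional

# Frames from these trees are inlined helpers (isa<>, getKind, ...) sitting above
# the real crash site; skipping them is a heuristic chosen for this example.
INLINED_PREFIXES = ("include/llvm/", "tools/clang/include/")

ASAN_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: ([\w-]+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (\S+?):(\d+)(?::\d+)?$", re.M)
ASSERT_RE = re.compile(r"^(\S+?):(\d+): (.*?): Assertion `.*' failed\.", re.M)


class CrashSig(NamedTuple):
    kind: str      # "SEGV", "heap-buffer-overflow", "assert", ...
    func: str      # function that owns the chosen frame
    location: str  # file:line (column dropped so small edits keep the bucket)


def signature(report: str) -> Optional[CrashSig]:
    """Reduce one sanitizer report or assertion failure to a stable bucket key."""
    m = ASSERT_RE.search(report)
    if m:
        path, line, func = m.groups()
        return CrashSig("assert", func, f"{path}:{line}")
    m = ASAN_RE.search(report)
    frames = FRAME_RE.findall(report)
    if not m or not frames:
        return None
    func, path, line = next(
        (f for f in frames if not f[1].startswith(INLINED_PREFIXES)), frames[0])
    return CrashSig(m.group(1), func, f"{path}:{line}")


def bucket(reports):
    """Group reports by signature so repeated fuzzer findings collapse together."""
    out = {}
    for i, rep in enumerate(reports):
        out.setdefault(signature(rep), []).append(i)
    return out


# Constructed samples, abbreviated from the reports in this thread.
SEGV_REPORT = """==15086==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x0000096ce636 bp 0x7ffd5d700ee0 sp 0x7ffd5d700ac0 T0)
    #0 0x96ce635 in getKind tools/clang/include/clang/AST/DeclBase.h:382:51
    #6 0x96ce635 in isa<clang::FunctionTemplateDecl, clang::Decl > include/llvm/Support/Casting.h:133
    #8 0x96ce635 in clang::Parser::ParseLexedMethodDeclaration(clang::Parser::LateParsedMethodDeclaration&) tools/clang/lib/Parse/ParseCXXInlineMethods.cpp:415
"""
ASSERT_REPORT = ("tools/clang/lib/AST/DeclBase.cpp:762: bool clang::Decl::AccessDeclContextSanity() const: "
                 "Assertion `Access != AS_none && \"Access specifier is AS_none inside a record decl\"' failed.")
```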
@llvmbot llvmbot transferred this issue from llvm/llvm-bugzilla-archive Dec 9, 2021