Crash while trying to read LLVM covmap #10

Closed
teymour-aldridge opened this issue Aug 6, 2021 · 12 comments

@teymour-aldridge
Collaborator

teymour-aldridge commented Aug 6, 2021

I encountered this crash while trying to run cargo-fuzzcheck.

This is using the nightly-x86_64-apple-darwin toolchain (rustc 1.56.0-nightly (b70888601 2021-07-28)).

I'm currently experimenting with different rustc versions to see if that makes a difference.

I'm using the latest version of both fuzzcheck and cargo-fuzzcheck (0.7.0).

The command I'm using is cargo fuzzcheck leaderboard::test::fuzz_id_encoding fuzz --artifacts fuzz/artifacts (leaderboard::test::fuzz_id_encoding is the path to the test).

running 1 test
test leaderboard::test::fuzz_id_encoding ... thread 'main' panicked at 'assertion failed: `(left == right)`
  left: `156`,
 right: `0`', /Users/teymouraldridge/.cargo/registry/src/github.com-1ecc6299db9ec823/fuzzcheck-0.7.0/src/code_coverage_sensor/llvm_coverage.rs:306:5
stack backtrace:
   0:        0x1031b3df4 - std::backtrace_rs::backtrace::libunwind::trace::h32ef383823110ea5
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/../../backtrace/src/backtrace/libunwind.rs:90:5
   1:        0x1031b3df4 - std::backtrace_rs::backtrace::trace_unsynchronized::h39cafb439612ba84
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:        0x1031b3df4 - std::sys_common::backtrace::_print_fmt::h57709926472a5d5c
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/sys_common/backtrace.rs:67:5
   3:        0x1031b3df4 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::hbf0f7aeb2a01393a
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/sys_common/backtrace.rs:46:22
   4:        0x1031d7ffc - core::fmt::write::h8160330c41daaf61
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/core/src/fmt/mod.rs:1115:17
   5:        0x1031ab8da - std::io::Write::write_fmt::haa5623a2a8d2ec9f
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/io/mod.rs:1665:15
   6:        0x1031b620f - std::sys_common::backtrace::_print::ha01b9c824fd26115
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/sys_common/backtrace.rs:49:5
   7:        0x1031b620f - std::sys_common::backtrace::print::hd6de520bd6e67ce7
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/sys_common/backtrace.rs:36:9
   8:        0x1031b620f - std::panicking::default_hook::{{closure}}::h5fe994d86d862da0
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panicking.rs:208:50
   9:        0x1031b5d0d - std::panicking::default_hook::hba89cfe1e23145fb
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panicking.rs:225:9
  10:        0x1031b6910 - std::panicking::rust_panic_with_hook::h674e3a191f056728
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panicking.rs:622:17
  11:        0x1031b63b5 - std::panicking::begin_panic_handler::{{closure}}::hc97521b9fa6c7ab0
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panicking.rs:519:13
  12:        0x1031b4298 - std::sys_common::backtrace::__rust_end_short_backtrace::h9a967faa138ad029
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/sys_common/backtrace.rs:141:18
  13:        0x1031b631a - rust_begin_unwind
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panicking.rs:515:5
  14:        0x10321e58f - core::panicking::panic_fmt::h2e3306ce37bd7247
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/core/src/panicking.rs:92:14
  15:        0x1031d5697 - core::panicking::assert_failed_inner::h4e794867b3d5f849
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/core/src/panicking.rs:160:17
  16:        0x1031f090e - core[1037ddd5376118b]::panicking::assert_failed::<usize, usize>
  17:        0x102a4abed - fuzzcheck[8eebe5071d6b1a76]::code_coverage_sensor::llvm_coverage::read_covmap
  18:        0x1028c8dde - <fuzzcheck[8eebe5071d6b1a76]::code_coverage_sensor::CodeCoverageSensor>::new::<<fuzzcheck[8eebe5071d6b1a76]::builder::FuzzerBuilder4<[i32], main[4da33c02eb1296a4]::leaderboard::test::predicate, fuzzcheck[8eebe5071d6b1a76]::mutators::vector::VecMutator<i32, fuzzcheck[8eebe5071d6b1a76]::mutators::integer::I32Mutator>, alloc[7bd5eaea06473e33]::vec::Vec<i32>, fuzzcheck[8eebe5071d6b1a76]::serializers::serde_serializer::SerdeSerializer<alloc[7bd5eaea06473e33]::vec::Vec<i32>>>>::observe_only_files_from_current_dir::{closure#0}, <fuzzcheck[8eebe5071d6b1a76]::builder::FuzzerBuilder4<[i32], main[4da33c02eb1296a4]::leaderboard::test::predicate, fuzzcheck[8eebe5071d6b1a76]::mutators::vector::VecMutator<i32, fuzzcheck[8eebe5071d6b1a76]::mutators::integer::I32Mutator>, alloc[7bd5eaea06473e33]::vec::Vec<i32>, fuzzcheck[8eebe5071d6b1a76]::serializers::serde_serializer::SerdeSerializer<alloc[7bd5eaea06473e33]::vec::Vec<i32>>>>::observe_only_files_from_current_dir::{closure#1}>
  19:        0x10268ff3c - fuzzcheck[8eebe5071d6b1a76]::fuzzer::launch::<alloc[7bd5eaea06473e33]::vec::Vec<i32>, [i32], main[4da33c02eb1296a4]::leaderboard::test::predicate, fuzzcheck[8eebe5071d6b1a76]::mutators::vector::VecMutator<i32, fuzzcheck[8eebe5071d6b1a76]::mutators::integer::I32Mutator>, fuzzcheck[8eebe5071d6b1a76]::serializers::serde_serializer::SerdeSerializer<alloc[7bd5eaea06473e33]::vec::Vec<i32>>, <fuzzcheck[8eebe5071d6b1a76]::builder::FuzzerBuilder4<[i32], main[4da33c02eb1296a4]::leaderboard::test::predicate, fuzzcheck[8eebe5071d6b1a76]::mutators::vector::VecMutator<i32, fuzzcheck[8eebe5071d6b1a76]::mutators::integer::I32Mutator>, alloc[7bd5eaea06473e33]::vec::Vec<i32>, fuzzcheck[8eebe5071d6b1a76]::serializers::serde_serializer::SerdeSerializer<alloc[7bd5eaea06473e33]::vec::Vec<i32>>>>::observe_only_files_from_current_dir::{closure#0}, <fuzzcheck[8eebe5071d6b1a76]::builder::FuzzerBuilder4<[i32], main[4da33c02eb1296a4]::leaderboard::test::predicate, fuzzcheck[8eebe5071d6b1a76]::mutators::vector::VecMutator<i32, fuzzcheck[8eebe5071d6b1a76]::mutators::integer::I32Mutator>, alloc[7bd5eaea06473e33]::vec::Vec<i32>, fuzzcheck[8eebe5071d6b1a76]::serializers::serde_serializer::SerdeSerializer<alloc[7bd5eaea06473e33]::vec::Vec<i32>>>>::observe_only_files_from_current_dir::{closure#1}>
  20:        0x1026eaba5 - <fuzzcheck[8eebe5071d6b1a76]::builder::FuzzerBuilder5<[i32], main[4da33c02eb1296a4]::leaderboard::test::predicate, fuzzcheck[8eebe5071d6b1a76]::mutators::vector::VecMutator<i32, fuzzcheck[8eebe5071d6b1a76]::mutators::integer::I32Mutator>, alloc[7bd5eaea06473e33]::vec::Vec<i32>, fuzzcheck[8eebe5071d6b1a76]::serializers::serde_serializer::SerdeSerializer<alloc[7bd5eaea06473e33]::vec::Vec<i32>>, <fuzzcheck[8eebe5071d6b1a76]::builder::FuzzerBuilder4<[i32], main[4da33c02eb1296a4]::leaderboard::test::predicate, fuzzcheck[8eebe5071d6b1a76]::mutators::vector::VecMutator<i32, fuzzcheck[8eebe5071d6b1a76]::mutators::integer::I32Mutator>, alloc[7bd5eaea06473e33]::vec::Vec<i32>, fuzzcheck[8eebe5071d6b1a76]::serializers::serde_serializer::SerdeSerializer<alloc[7bd5eaea06473e33]::vec::Vec<i32>>>>::observe_only_files_from_current_dir::{closure#0}, <fuzzcheck[8eebe5071d6b1a76]::builder::FuzzerBuilder4<[i32], main[4da33c02eb1296a4]::leaderboard::test::predicate, fuzzcheck[8eebe5071d6b1a76]::mutators::vector::VecMutator<i32, fuzzcheck[8eebe5071d6b1a76]::mutators::integer::I32Mutator>, alloc[7bd5eaea06473e33]::vec::Vec<i32>, fuzzcheck[8eebe5071d6b1a76]::serializers::serde_serializer::SerdeSerializer<alloc[7bd5eaea06473e33]::vec::Vec<i32>>>>::observe_only_files_from_current_dir::{closure#1}>>::launch
  21:        0x1027555a9 - main[4da33c02eb1296a4]::leaderboard::test::fuzz_id_encoding
  22:        0x102a39cba - core::ops::function::FnOnce::call_once::h864fb8cb65c82ad0
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/core/src/ops/function.rs:227:5
  23:        0x102a39cba - test::__rust_begin_short_backtrace::h7ec90dbafd078692
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/test/src/lib.rs:578:5
  24:        0x102a38974 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::h22c35b1fd1591729
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/alloc/src/boxed.rs:1572:9
  25:        0x102a38974 - <std::panic::AssertUnwindSafe<F> as core::ops::function::FnOnce<()>>::call_once::he01aa01c6784e37c
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panic.rs:347:9
  26:        0x102a38974 - std::panicking::try::do_call::hc677fc05d38b16ff
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panicking.rs:401:40
  27:        0x102a38974 - std::panicking::try::h506c53c09d46da41
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panicking.rs:365:19
  28:        0x102a38974 - std::panic::catch_unwind::h9a8b52d6ea7a527e
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panic.rs:434:14
  29:        0x102a38974 - test::run_test_in_process::hcd24ff6bb028ff0a
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/test/src/lib.rs:601:18
  30:        0x102a38974 - test::run_test::run_test_inner::{{closure}}::hf60c537148a26f88
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/test/src/lib.rs:493:39
  31:        0x102a37e2d - test::run_test::run_test_inner::h0aa267bb56c93a74
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/test/src/lib.rs:531:13
  32:        0x102a36c1b - test::run_test::hbe8950e7a5e1d1f2
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/test/src/lib.rs:565:28
  33:        0x102a31bc7 - test::run_tests::ha378b857ae47dc9b
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/test/src/lib.rs:306:17
  34:        0x102a1a997 - test::console::run_tests_console::h2b48bcd5822b3fee
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/test/src/console.rs:290:5
  35:        0x102a2fdd5 - test::test_main::hff95eeeba4a6e4b1
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/test/src/lib.rs:123:15
  36:        0x102a30f5f - test::test_main_static::h6e9cc4a43b2aa36a
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/test/src/lib.rs:142:5
  37:        0x10288a22a - std[4656eb4d6ec895b4]::sys_common::backtrace::__rust_begin_short_backtrace::<fn(), ()>
  38:        0x10258d39c - std[4656eb4d6ec895b4]::rt::lang_start::<()>::{closure#0}
  39:        0x1031b6e39 - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::he18e274b8ec42070
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/core/src/ops/function.rs:259:13
  40:        0x1031b6e39 - std::panicking::try::do_call::hea026a8f5852112e
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panicking.rs:401:40
  41:        0x1031b6e39 - std::panicking::try::h5a1bca372ac4c528
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panicking.rs:365:19
  42:        0x1031b6e39 - std::panic::catch_unwind::h4245da8e2d8cbf9a
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panic.rs:434:14
  43:        0x1031b6e39 - std::rt::lang_start_internal::{{closure}}::h64dd899fdea61a58
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/rt.rs:45:48
  44:        0x1031b6e39 - std::panicking::try::do_call::h25d01982e49ebd9a
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panicking.rs:401:40
  45:        0x1031b6e39 - std::panicking::try::hb40c0d004f245d35
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panicking.rs:365:19
  46:        0x1031b6e39 - std::panic::catch_unwind::hc4bddc94710aa7ee
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/panic.rs:434:14
  47:        0x1031b6e39 - std::rt::lang_start_internal::hdfe6c30fb8c47cc9
                               at /rustc/b70888601af92f6cdc0364abab3446e418b91d36/library/std/src/rt.rs:45:20
  48:        0x10266a639 - _main
FAILED

failures:

failures:
    leaderboard::test::fuzz_id_encoding
@loiclec
Owner

loiclec commented Aug 6, 2021

Thanks for filing this issue! I think I know what's happening (and unfortunately there is not much you can do to fix it as a user). Do you have a public repo I can use to reproduce it? If not, don't worry.

(If you're comfortable with that, you can also email me the code so that it stays private)

@teymour-aldridge
Collaborator Author

I was originally experimenting in a private project, but I also have a public one where the same error occurs: https://github.com/bailion/compiler/blob/main/logic/src/fuzzcheck/parse.rs.

@loiclec
Owner

loiclec commented Aug 7, 2021

Thanks a lot. I will publish an update with the fix by the end of next week at the latest.

@loiclec
Owner

loiclec commented Aug 9, 2021

I have just published fuzzcheck 0.7.1. Could you let me know if it resolves the issue or if you encounter other problems? Thanks.

@teymour-aldridge
Collaborator Author

teymour-aldridge commented Aug 9, 2021 via email

@loiclec
Owner

loiclec commented Aug 9, 2021

argh, that's annoying. I thought that might happen, but I don't really understand it, so it might take longer to fix.
In the meantime, can you try it again, but this time adding:

[profile.release]
codegen-units = 1
lto = "thin" # maybe not necessary

to your Cargo.toml? (if you use a workspace, it must be in the Cargo.toml at the root of the workspace)

@teymour-aldridge
Collaborator Author

That got rid of that error, but another one has appeared:

thread 'main' panicked at 'failed to parse LLVM prf_data: InconsistentCounterPointersAndLengths', /Users/teymouraldridge/.cargo/registry/src/github.com-1ecc6299db9ec823/fuzzcheck-0.7.1/src/code_coverage_sensor/mod.rs:46:71

@loiclec
Owner

loiclec commented Aug 9, 2021

hm, that one is surprising. Thanks a lot for your help, I'll try and figure it out.

I couldn't reproduce the issue on https://github.com/bailion/compiler/blob/main/logic/src/fuzzcheck/parse.rs . Does it also fail for you on that project? If not, do you have a public repo where the same error happens?

@loiclec
Owner

loiclec commented Nov 25, 2021

Has that ever happened again? A few things have changed since then. I am going to close the issue in ~a week otherwise.

@teymour-aldridge
Collaborator Author

teymour-aldridge commented Nov 25, 2021

I haven't encountered the issue since, although sometimes it crops up when calling cargo test rather than cargo fuzzcheck (which makes sense, but it might be helpful to also report an error message suggesting calling cargo fuzzcheck).

@loiclec
Owner

loiclec commented Nov 25, 2021

right! I need to think about what should happen when cargo test is run. Right now, it's supposed to do nothing but I've implemented that badly and it just doesn't work.

Since fuzzcheck is kind of a heavy dependency, I am wondering whether I should recommend gating all its uses under cfg(fuzzing) (which is set by cargo-fuzzcheck). In that case, the test wouldn't exist in the first place.

@teymour-aldridge
Collaborator Author

That would make sense to me (example-based tests are definitely different to fuzzers in my mind) – Tarpaulin (xd009642/tarpaulin) also does something similar.
