
quic-client fuzzer assertion failure #22597

Closed
mattcaswell opened this issue Nov 2, 2023 · 6 comments
Labels
branch: master Merge to master branch branch: 3.2 Merge to openssl-3.2 severity: important Important bugs affecting a released version triaged: bug The issue/pr is/fixes a bug
Comments

@mattcaswell
Member

Running the version of the fuzzer from #22592 found this issue:

quic-client: ssl/quic/quic_txp.c:2964: int txp_pkt_commit(OSSL_QUIC_TX_PACKETISER *, struct txp_pkt *, uint32_t, int *): Assertion `!ossl_quic_sstream_has_pending(stream->sstream)' failed.
==108233== ERROR: libFuzzer: deadly signal
    #0 0x55a9ad3c1031 in __sanitizer_print_stack_trace (/home/matt/dev/quic-fuzzer/fuzz/quic-client+0x128e031) (BuildId: 7923a8a3f1ec8c7b8746d9b6a999d84c8b9c1dfb)
    #1 0x55a9ad42a4b8 in fuzzer::PrintStackTrace() (/home/matt/dev/quic-fuzzer/fuzz/quic-client+0x12f74b8) (BuildId: 7923a8a3f1ec8c7b8746d9b6a999d84c8b9c1dfb)
    #2 0x55a9ad40f003 in fuzzer::Fuzzer::CrashCallback() (/home/matt/dev/quic-fuzzer/fuzz/quic-client+0x12dc003) (BuildId: 7923a8a3f1ec8c7b8746d9b6a999d84c8b9c1dfb)
    #3 0x7f6cdee4251f  (/lib/x86_64-linux-gnu/libc.so.6+0x4251f) (BuildId: a43bfc8428df6623cd498c9c0caeb91aec9be4f9)
    #4 0x7f6cdee969fb in __pthread_kill_implementation nptl/./nptl/pthread_kill.c:43:17
    #5 0x7f6cdee969fb in __pthread_kill_internal nptl/./nptl/pthread_kill.c:78:10
    #6 0x7f6cdee969fb in pthread_kill nptl/./nptl/pthread_kill.c:89:10
    #7 0x7f6cdee42475 in gsignal signal/../sysdeps/posix/raise.c:26:13
    #8 0x7f6cdee287f2 in abort stdlib/./stdlib/abort.c:79:7
    #9 0x7f6cdee2871a in __assert_fail_base assert/./assert/assert.c:92:3
    #10 0x7f6cdee39e95 in __assert_fail assert/./assert/assert.c:101:3
    #11 0x55a9ad91e7e8 in txp_pkt_commit /home/matt/dev/quic-fuzzer/ssl/quic/quic_txp.c:2964:13
    #12 0x55a9ad9127d4 in ossl_quic_tx_packetiser_generate /home/matt/dev/quic-fuzzer/ssl/quic/quic_txp.c:867:14
    #13 0x55a9ad89cc9c in ch_tx /home/matt/dev/quic-fuzzer/ssl/quic/quic_channel.c:2542:15
    #14 0x55a9ad8959b1 in ch_tick /home/matt/dev/quic-fuzzer/ssl/quic/quic_channel.c:1966:9
    #15 0x55a9ad5be3b5 in ossl_quic_reactor_tick /home/matt/dev/quic-fuzzer/ssl/quic/quic_reactor.c:109:5
    #16 0x55a9ad5a86e4 in quic_post_write /home/matt/dev/quic-fuzzer/ssl/quic/quic_impl.c:2169:9
    #17 0x55a9ad5a56c9 in quic_write_nonblocking_aon /home/matt/dev/quic-fuzzer/ssl/quic/quic_impl.c:2327:5
    #18 0x55a9ad5a1f8a in ossl_quic_write /home/matt/dev/quic-fuzzer/ssl/quic/quic_impl.c:2478:15
    #19 0x55a9ad49e76e in ssl_write_internal /home/matt/dev/quic-fuzzer/ssl/ssl_lib.c:2506:16
    #20 0x55a9ad49fd65 in SSL_write /home/matt/dev/quic-fuzzer/ssl/ssl_lib.c:2628:11
    #21 0x55a9ad3f6aa9 in FuzzerTestOneInput /home/matt/dev/quic-fuzzer/fuzz/quic-client.c:172:23
    #22 0x55a9ad3f43e4 in LLVMFuzzerTestOneInput /home/matt/dev/quic-fuzzer/fuzz/driver.c:28:12
    #23 0x55a9ad410593 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/matt/dev/quic-fuzzer/fuzz/quic-client+0x12dd593) (BuildId: 7923a8a3f1ec8c7b8746d9b6a999d84c8b9c1dfb)
    #24 0x55a9ad40fce9 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/matt/dev/quic-fuzzer/fuzz/quic-client+0x12dcce9) (BuildId: 7923a8a3f1ec8c7b8746d9b6a999d84c8b9c1dfb)
    #25 0x55a9ad4114d9 in fuzzer::Fuzzer::MutateAndTestOne() (/home/matt/dev/quic-fuzzer/fuzz/quic-client+0x12de4d9) (BuildId: 7923a8a3f1ec8c7b8746d9b6a999d84c8b9c1dfb)
    #26 0x55a9ad412055 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/matt/dev/quic-fuzzer/fuzz/quic-client+0x12df055) (BuildId: 7923a8a3f1ec8c7b8746d9b6a999d84c8b9c1dfb)
    #27 0x55a9ad3ffab2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/matt/dev/quic-fuzzer/fuzz/quic-client+0x12ccab2) (BuildId: 7923a8a3f1ec8c7b8746d9b6a999d84c8b9c1dfb)
    #28 0x55a9ad3f9592 in main (/home/matt/dev/quic-fuzzer/fuzz/quic-client+0x12c6592) (BuildId: 7923a8a3f1ec8c7b8746d9b6a999d84c8b9c1dfb)
    #29 0x7f6cdee29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #30 0x7f6cdee29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #31 0x55a9ad334104 in _start (/home/matt/dev/quic-fuzzer/fuzz/quic-client+0x1201104) (BuildId: 7923a8a3f1ec8c7b8746d9b6a999d84c8b9c1dfb)

crash-aa3334b8dc5f3f4bc82c6ae4cdd8cd0362e0631d.gz

@mattcaswell mattcaswell added branch: master Merge to master branch triaged: bug The issue/pr is/fixes a bug severity: important Important bugs affecting a released version branch: 3.2 Merge to openssl-3.2 labels Nov 2, 2023
@mattcaswell mattcaswell added this to the 3.2.0 milestone Nov 2, 2023
@hlandau
Member

hlandau commented Nov 2, 2023

This should be fixed by 4f6e350

@mattcaswell
Member Author

Hmmmm.....yes and no. It should fix the immediate assertion failure - but I think there may be a residual bug. Is that commit in a PR somewhere?

@t8m
Member

t8m commented Nov 2, 2023

> Hmmmm.....yes and no. It should fix the immediate assertion failure - but I think there may be a residual bug. Is that commit in a PR somewhere?

It was already merged. I assume you're running the fuzzer on the tree as-is on the PR, but the master and 3.2 branches were already updated.

@mattcaswell
Member Author

Yeah - I see it now.

@mattcaswell
Member Author

See #22601. This would have been sufficient to fix this had it not been for 4f6e350. But I think it is probably worth having anyway.

@mattcaswell
Member Author

I can confirm that this is fixed in the latest master branch, so closing.
