
Crashes in `promql.ParseExpr()` #940

Closed
msiebuhr opened this Issue Jul 28, 2015 · 3 comments


msiebuhr commented Jul 28, 2015

After fuzzing `promql.ParseExpr()` (see #667 (comment)), a few hundred crashing cases were found. All examined ones look like arithmetic on zeroes, e.g. `-0%--%-0`, `0++->-0-0` and `0--%`, and seem to have a common stack trace:

panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x28 pc=0x3f6c6]

goroutine 1 [running]:
github.com/prometheus/prometheus/promql.(*parser).recover(0xc2080a2310, 0xc2080b3e50)
    /var/folders/sx/dbshyxqs4ks06n4f91r1qb800000gn/T/go-fuzz-build996535930/src/github.com/prometheus/prometheus/promql/parse.go:326 +0x113
github.com/prometheus/prometheus/promql.(*UnaryExpr).Type(0xc20801f0e0, 0x80dd30)
    /var/folders/sx/dbshyxqs4ks06n4f91r1qb800000gn/T/go-fuzz-build996535930/src/github.com/prometheus/prometheus/promql/ast.go:213 +0x66
github.com/prometheus/prometheus/promql.(*UnaryExpr).Type(0xc20801f100, 0x816800)

msiebuhr commented Jul 29, 2015

Just did a second round of fuzzing and got the following crashing statements:

"(-=)"
"+*+0+0+0-0"
"+*+0-+0+0-0-0"
"++-%-0+0-0"
"++-+*"
"++-+*+0-0-0"
"++-+*-0"
"++-++%"
"++-++%>0"
"++-++%>0>0"
"++-++-*-0-0"
"++-++-+-+-<"
"++-++--+*"
"++-++--+*-0"
"+-%-0+0-0"
"+-*"
"+-*+0"
"+-*+0-0"
"+-+*"
"+-+*-0"
"+-++%>0>0"
"+-++-+-+-<"
"+-++--+*"
"+-++--+*-0"
"-%-0+0-0"
"-*+0"
"-*+0-0"
"-+*+0+0+0-0"
"-+*+0-+0+0-0-0"
"-++%>0>0"
"-++-+*+0-0-0"
"-++--+*"
"-++--+*-0"
"-If"
"0++-**0+0"
"0++-++%"
"0++-++%>0"
"0++-++%>0>0"
"0+-%-0+0-0"
"0+-*"
"0+-**0+0+0-0"
"0+-**0>0"
"0+-*+0"
"0+-*+0-0"
"0+-+*"
"0+-+*+0-0-0"
"0+-+*-0"
"0+-++%"
"0+-++%>0"
"0+-++%>0>0"
"0+-++-+-+-<"
"0+-++--+*"
"0+-++--+*-0"
"0+0*+-*"
"0+0*+-*-0"
"0-+**0-0-0"
"0-+*+0+0+0-0"
"0-+*+0-+0+0-0-0"
"0-++%>0>0"
"0-+++*+0-0-0"
"0-++-+*+0-0-0"
"0-++-+-+-<"
"0-++--+*"
"0-++--+*-0"
"0-0*+*"
"0-0*+*+0-0"
"0-0*+*+0-0-0"
"0-0*+*-0"
"0-0*++*+0-0"
"0-0*++*+0-0-0"
"08.>-80m"
"0>-*+0+0"
"0>-+>-0"
"0>-0m-0"
"0>0*+/-0"
"0>0--0y-0>0"
"0>e*+/"
"0>e*+/-0"
"0>y--0y-0>0"
"1+2++*/(3-1)"
"A+-*"
"T++-*"
"T++--++-*"
"T+-++--++-*"
"T+--++-*"
"T-++-*"
"T-++--++-*"
"T--++-*"
"e-+=/(0)"

I'm not familiar with that piece of code, so I've included all the output in hopes someone can discern a pattern :)
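Every entry in the two crasher lists above is a chain of prefix signs that runs into an operator or the end of the input, and the stack trace in the first comment shows where that ends up: a nil dereference inside `(*UnaryExpr).Type`, followed by `(*parser).recover` re-raising the runtime panic rather than returning it as a parse error. The following is an added example written for this page, not Prometheus code: a hypothetical toy expression parser in Go that uses the same panic-as-parse-error idiom, with a lenient mode that reproduces the failure class on five inputs taken from the list above and a strict mode that refuses to build a node around a missing operand. `Classify` stands in for the fuzz harness, bucketing each input as accepted, rejected with an error, or crashed. The grammar, the `strict` flag, `need`, `Classify`, `SampleInputs` and the corpus are all assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Expr is a node of the toy AST; Type returns the node's value type.
type Expr interface{ Type() string }
type NumberLiteral struct{ Val float64 }
type UnaryExpr struct {
	Op   byte
	Expr Expr // operand; nil if the parser built the node without one
}
type BinaryExpr struct {
	Op       byte
	LHS, RHS Expr
}

func (*NumberLiteral) Type() string { return "scalar" }
func (e *UnaryExpr) Type() string   { return e.Expr.Type() } // nil operand: runtime panic here
func (e *BinaryExpr) Type() string  { return e.LHS.Type() }

type parseError struct{ error } // the only panic value the parser means to raise
type parser struct {
	input  string
	pos    int
	strict bool // assumed flag: true refuses to build a node around a nil operand
}

func (p *parser) errorf(format string, args ...interface{}) {
	panic(parseError{fmt.Errorf(format, args...)})
}

// need is the fix: in strict mode a missing operand is a parse error where it is noticed.
func (p *parser) need(e Expr, what string) {
	if p.strict && e == nil {
		p.errorf("missing %s at position %d", what, p.pos)
	}
}

// checkType requires scalar operands (the toy's only type); asking for the type dereferences a nil operand.
func (p *parser) checkType(e Expr) {
	if t := e.Type(); t != "scalar" {
		p.errorf("operator requires scalar operand, got %s", t)
	}
}

// parseExpr folds "unary (binop unary)*" left to right (toy: no precedence, no whitespace).
func (p *parser) parseExpr() Expr {
	lhs := p.parseUnary()
	p.need(lhs, "expression")
	for p.pos < len(p.input) {
		op := p.input[p.pos]
		if strings.IndexByte("+-*/%><", op) < 0 {
			p.errorf("unexpected %q at position %d", op, p.pos)
		}
		p.pos++
		rhs := p.parseUnary()
		p.need(rhs, "right operand")
		p.checkType(lhs)
		p.checkType(rhs)
		lhs = &BinaryExpr{Op: op, LHS: lhs, RHS: rhs}
	}
	return lhs
}

// parseUnary consumes prefix signs; in lenient mode it wraps a nil operand without noticing.
func (p *parser) parseUnary() Expr {
	if p.pos < len(p.input) && (p.input[p.pos] == '+' || p.input[p.pos] == '-') {
		op := p.input[p.pos]
		p.pos++
		operand := p.parseUnary()
		p.need(operand, "operand after unary sign")
		return &UnaryExpr{Op: op, Expr: operand}
	}
	if p.pos < len(p.input) && p.input[p.pos] >= '0' && p.input[p.pos] <= '9' {
		p.pos++
		return &NumberLiteral{Val: float64(p.input[p.pos-1] - '0')} // toy: single-digit literals
	}
	return nil // not an operand; the caller decides whether that is an error
}

// recover has the shape the trace above shows: a parseError becomes the returned error;
// anything else is a runtime fault and is raised again, crashing the caller.
func (p *parser) recover(errp *error) {
	r := recover()
	if pe, ok := r.(parseError); ok {
		*errp = pe
	} else if r != nil {
		panic(r)
	}
}

// ParseExpr parses input and returns the expression's result type.
func ParseExpr(input string, strict bool) (typ string, err error) {
	p := &parser{input: input, strict: strict}
	defer p.recover(&err)
	return p.parseExpr().Type(), nil
}

// Classify runs one input the way a fuzz harness would, catching the re-panic so the run continues.
func Classify(in string, strict bool) (verdict string) {
	defer func() {
		if recover() != nil {
			verdict = "crash"
		}
	}()
	if _, err := ParseExpr(in, strict); err != nil {
		return "error"
	}
	return "ok"
}

// SampleInputs is a constructed corpus: two valid, one must-reject, five crashers from the issue's list.
var SampleInputs = []string{"1+2", "0>0", "-If", "+-*", "0+-*", "-*+0", "++-+*", "0-0*+*"}

func main() {
	for _, in := range SampleInputs {
		fmt.Printf("%-9q lenient=%-6s strict=%s\n", in, Classify(in, false), Classify(in, true))
	}
}
```

`go run` prints one line per sample with both verdicts. In lenient mode the five inputs from the list come back as `crash`, because the operand nil is only discovered when `checkType` asks the half-built `UnaryExpr` for its type, and by then the panic is a runtime error that `recover` is right to re-raise. In strict mode the same inputs come back as `error`, since `need` turns the missing operand into a parse error at the point it is noticed. That is the property a fuzz run over a parser should enforce: every input either parses or returns an error, and any panic that escapes is a bug.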


msiebuhr commented Aug 3, 2015

Fixed by #954 (haven't tested, just that the other issue says it's the same underlying issue + it's fixed in the PR)

msiebuhr closed this Aug 3, 2015


lock bot commented Mar 24, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock bot locked and limited conversation to collaborators Mar 24, 2019
