lib/checkautovariables.cpp
| { | ||
| const Variable *var = tok->variable(); | ||
| return (var && var->isArgument() && var->isArray() && !settings->library.isentrypoint(var->scope()->className)); | ||
| return (var && var->isArgument() && var->isArray() && var->scope() && !settings->library.isentrypoint(var->scope()->className)); |
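Review bot: the added `var->scope() &&` guard on the return line stops the null dereference in `isentrypoint(var->scope()->className)`, but it also makes an argument variable without a scope indistinguishable from an ordinary non-array argument, so the broken invariant is swallowed rather than surfaced. If the guard stays, consider emitting a debug message at that point (as the thread later suggests) instead of returning false silently, so the underlying cause keeps showing up in test and daca output.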
Should we even create a variable without a scope?
That question sounds quite rhetorical.
Maybe we should catch this where it happens, since it is sort of an invariant that we probably rely on elsewhere.
I am all for that if it makes more sense. It seems similar to https://trac.cppcheck.net/ticket/12494 which I did not try to fix.
If this needs a different approach but the others are fine I will drop this from the PR and file a ticket about it instead. That way this could be merged.
It seems we started to hit this in daca:
Packages: [trilinos](http://cppcheck1.osuosl.org:8000/trilinos)
0x00007ffff7d4eba4 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(char const*) const () from /lib/x86_64-linux-gnu/libstdc++.so.6
#0 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(char const*) const (...) from /lib/x86_64-linux-gnu/libstdc++.so.6
#1 std::operator==<char, std::char_traits<char>, std::allocator<char> >(...) at /usr/include/c++/11/bits/basic_string.h:6248
#2 Library::isentrypoint (...) at lib/library.h:427
#3 isArrayArg (...) at build/checkautovariables.cpp:432
#4 CheckAutoVariables::autoVariables (...) at build/checkautovariables.cpp:664
#5 CheckAutoVariables::runChecks(...) at lib/checkautovariables.h:62
#6 CppCheck::checkNormalTokens(...) at build/cppcheck.cpp:1133
#7 CppCheck::checkFile(...) at build/cppcheck.cpp:966
#8 CppCheck::check(...) at build/cppcheck.cpp:567
#9 SingleExecutor::check(...) at cli/singleexecutor.cpp:53
#10 CppCheckExecutor::check_internal(...) at cli/cppcheckexecutor.cpp:278
#11 CppCheckExecutor::check_wrapper(...) at cli/cppcheckexecutor.cpp:217
#12 CppCheckExecutor::check (...) at cli/cppcheckexecutor.cpp:203
#13 main(...) at cli/main.cpp:91
I think https://trac.cppcheck.net/ticket/12501 has a different root cause though.
Can we add a nullptr check + debug message?
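The request above is for a null check that also reports, rather than the silent guard in the diff. As an added illustration (not cppcheck's code; Scope, Variable and Library are hypothetical stand-ins that model only the members isArrayArg touches), here is the silently guarded check beside a variant that surfaces the missing scope as a debug message:

```cpp
#include <functional>
#include <string>
#include <vector>

// Hypothetical stand-ins for cppcheck's Scope, Variable and Library: only the
// members that isArrayArg touches are modelled, so this compiles on its own.
struct Scope { std::string className; };

struct Variable {
    bool argument;
    bool array;
    const Scope *scopePtr;   // null here is the invariant violation the thread discusses
    bool isArgument() const { return argument; }
    bool isArray() const { return array; }
    const Scope *scope() const { return scopePtr; }
};

struct Library {
    // Constructed sample: treat "main" as the only entry point.
    bool isentrypoint(const std::string &name) const { return name == "main"; }
};

// Shape of the check after the diff: the added var->scope() guard avoids the
// null dereference, but a scope-less variable is silently treated as "not an array argument".
bool isArrayArgSilent(const Variable *var, const Library &lib) {
    return var && var->isArgument() && var->isArray() && var->scope()
        && !lib.isentrypoint(var->scope()->className);
}

// Variant asked for in the thread: same result, but a missing scope is reported
// through the debug sink so the broken invariant stays visible in the output.
bool isArrayArgReporting(const Variable *var, const Library &lib,
                         const std::function<void(const std::string &)> &debug) {
    if (!var || !var->isArgument() || !var->isArray())
        return false;
    if (!var->scope()) {
        debug("isArrayArg: argument variable without scope (invariant violated)");
        return false;
    }
    return !lib.isentrypoint(var->scope()->className);
}

// Runs an array argument with a null scope through the reporting variant and
// returns the number of debug messages emitted (one for the null scope).
int nullScopeReportCount() {
    Library lib;
    Variable noScope{true, true, nullptr};   // constructed sample input
    std::vector<std::string> msgs;
    isArrayArgReporting(&noScope, lib, [&](const std::string &m) { msgs.push_back(m); });
    return static_cast<int>(msgs.size());
}
```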
Will look into it.
Are the remaining fixes fine? I would pull it out into a different PR then and merge the rest.
==77069==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x5818456d58e8 bp 0x7ffefda33930 sp 0x7ffefda32ec0 T0)
==77069==The signal is caused by a READ memory access.
==77069==Hint: address points to the zero page.
#0 0x5818456d58e8 in _M_data /sbin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/basic_string.h:223:28
#1 0x5818456d58e8 in c_str /sbin/../lib64/gcc/x86_64-pc-linux-gnu/13.2.1/../../../../include/c++/13.2.1/bits/basic_string.h:2584:16
#2 0x5818456d58e8 in operator==<2U> /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/matchcompiler.h:57:29
#3 0x5818456d58e8 in operator!=<2U> /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/matchcompiler.h:63:17
#4 0x5818456d58e8 in Tokenizer::simplifyTypedefCpp() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:9257:63
#5 0x5818456b6a4e in Tokenizer::simplifyTypedef() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:8440:5
#6 0x581845728947 in Tokenizer::simplifyTokenList1(char const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:12966:9
#7 0x581845721160 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:10670:14
#8 0x5818460d580d in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:907:32
#9 0x5818460e19f1 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:561:12
#10 0x58184655ea64 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:47:18
#11 0x5818452261e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x6831e8) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8)
#12 0x5818452268e6 in fuzzer::Fuzzer::MinimizeCrashLoop(std::vector<unsigned char, std::allocator<unsigned char>> const&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x6838e6) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8)
#13 0x5818451fcb0b in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x659b0b) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8)
#14 0x581845209218 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x666218) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8)
#15 0x58184518ef77 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5ebf77) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8)
#16 0x7cd168c43ccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
#17 0x7cd168c43d89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
#18 0x5818451f3004 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x650004) (BuildId: e178119f6c3ed0061522391da23885513ce32cf8)
==149528==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x5d6ad25b3594 bp 0x7fffe27af570 sp 0x7fffe27af460 T0)
==149528==The signal is caused by a READ memory access.
==149528==Hint: address points to the zero page.
#0 0x5d6ad25b3594 in next /home/user/CLionProjects/cppcheck-rider/oss-fuzz/../lib/token.h:831:16
#1 0x5d6ad25b3594 in Tokenizer::simplifyNamespaceAliases() /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:17826:40
#2 0x5d6ad24f6ac2 in Tokenizer::simplifyTokenList1(char const*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:12822:5
#3 0x5d6ad24f1190 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/tokenize.cpp:10670:14
#4 0x5d6ad2ea58cd in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:907:32
#5 0x5d6ad2eb1ab1 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/oss-fuzz/build/cppcheck.cpp:561:12
#6 0x5d6ad332eb24 in LLVMFuzzerTestOneInput /home/user/CLionProjects/cppcheck-rider/oss-fuzz/main.cpp:47:18
#7 0x5d6ad1ff61e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x6831e8) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b)
#8 0x5d6ad1ff68e6 in fuzzer::Fuzzer::MinimizeCrashLoop(std::vector<unsigned char, std::allocator<unsigned char>> const&) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x6838e6) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b)
#9 0x5d6ad1fccb0b in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x659b0b) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b)
#10 0x5d6ad1fd9218 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x666218) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b)
#11 0x5d6ad1f5ef77 in main (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x5ebf77) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b)
#12 0x7bb3d5955ccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
#13 0x7bb3d5955d89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
#14 0x5d6ad1fc3004 in _start (/home/user/CLionProjects/cppcheck-rider/oss-fuzz/oss-fuzz-client+0x650004) (BuildId: ccbc3e894f14691449044410c9da42fa3a09557b)
/home/user/CLionProjects/cppcheck-rider/lib/checksizeof.cpp:239:37: runtime error: member call on null pointer of type 'Token'
#0 0x637fa171b539 in CheckSizeof::checkSizeofForPointerSize() /home/user/CLionProjects/cppcheck-rider/lib/checksizeof.cpp:239:37
#1 0x637fa1727816 in CheckSizeof::runChecks(Tokenizer const&, ErrorLogger*) /home/user/CLionProjects/cppcheck-rider/lib/checksizeof.h:61:21
#2 0x637fa197f5bd in CppCheck::checkNormalTokens(Tokenizer const&) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:1122:20
#3 0x637fa1998334 in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:955:17
#4 0x637fa1985a87 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:556:12
#5 0x637fa0a83f2b in SingleExecutor::check() /home/user/CLionProjects/cppcheck-rider/cli/singleexecutor.cpp:53:29
#6 0x637fa09be8dc in CppCheckExecutor::check_internal(Settings const&) const /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:277:32
#7 0x637fa09bd73d in CppCheckExecutor::check_wrapper(Settings const&) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:216:12
#8 0x637fa09bc67a in CppCheckExecutor::check(int, char const* const*) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:202:21
#9 0x637fa20cd247 in main /home/user/CLionProjects/cppcheck-rider/cli/main.cpp:91:21
#10 0x7c50f5c0dccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
#11 0x7c50f5c0dd89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
#12 0x637fa07f79f4 in _start (/home/user/CLionProjects/cppcheck-rider/cmake-build-debug-clang-asan-ubsan/bin/cppcheck+0xf6c9f4) (BuildId: 780ff4c602598cd16715ae4e639db79b0c18f29d)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/user/CLionProjects/cppcheck-rider/lib/checksizeof.cpp:239:37 in
/home/user/CLionProjects/cppcheck-rider/lib/tokenlist.cpp:1584:57: runtime error: member call on null pointer of type 'Token'
#0 0x567b09ca144a in createAstAtToken(Token*, bool) /home/user/CLionProjects/cppcheck-rider/lib/tokenlist.cpp:1584:57
#1 0x567b09c9f318 in TokenList::createAst() const /home/user/CLionProjects/cppcheck-rider/lib/tokenlist.cpp:1757:15
#2 0x567b08bffc19 in Tokenizer::simplifyTokens1(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/lib/tokenize.cpp:3380:14
#3 0x567b096e08ea in CppCheck::checkFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&, std::istream*) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:925:32
#4 0x567b096cfbb7 in CppCheck::check(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /home/user/CLionProjects/cppcheck-rider/lib/cppcheck.cpp:556:12
#5 0x567b087cdf2b in SingleExecutor::check() /home/user/CLionProjects/cppcheck-rider/cli/singleexecutor.cpp:53:29
#6 0x567b087088dc in CppCheckExecutor::check_internal(Settings const&) const /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:277:32
#7 0x567b0870773d in CppCheckExecutor::check_wrapper(Settings const&) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:216:12
#8 0x567b0870667a in CppCheckExecutor::check(int, char const* const*) /home/user/CLionProjects/cppcheck-rider/cli/cppcheckexecutor.cpp:202:21
#9 0x567b09e173a7 in main /home/user/CLionProjects/cppcheck-rider/cli/main.cpp:91:21
#10 0x7a285fb55ccf (/usr/lib/libc.so.6+0x29ccf) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
#11 0x7a285fb55d89 in __libc_start_main (/usr/lib/libc.so.6+0x29d89) (BuildId: 0865c4b9ba13e0094e8b45b78dfc7a2971f536d2)
#12 0x567b085419f4 in _start (/home/user/CLionProjects/cppcheck-rider/cmake-build-debug-clang-asan-ubsan/bin/cppcheck+0xf6d9f4) (BuildId: 0c5083349039fc85dc8c8bb587f97bea024306ef)