Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rename LDFLAGS into FUZZER_LDFLAGS #31

Closed
mikea opened this issue Oct 13, 2016 · 5 comments
Closed

Rename LDFLAGS into FUZZER_LDFLAGS #31

mikea opened this issue Oct 13, 2016 · 5 comments

Comments

@mikea
Copy link
Contributor

mikea commented Oct 13, 2016

No description provided.

@mikea mikea mentioned this issue Oct 13, 2016
Closed
@mikea mikea closed this as completed in 941e47d Oct 13, 2016
@mikea
Copy link
Contributor Author

mikea commented Oct 13, 2016

Several builds had same problems after the switch: the library itself fails to build:

(harfbuzz, also boringssl)

---------------------------------------------------------------
Compiling libFuzzer into /work/libfuzzer ...Done.
CC=clang
CXX=clang++
CFLAGS=-g -fsanitize=address -fsanitize-coverage=edge,indirect-calls,8bit-counters
CXXFLAGS=-g -fsanitize=address -fsanitize-coverage=edge,indirect-calls,8bit-counters -stdlib=libc++
FUZZER_LDFLAGS=-Wl,-whole-archive /usr/local/lib/libc++.a /usr/local/lib/libc++abi.a -Wl,-no-whole-archive
---------------------------------------------------------------
  CXXLD    main
/usr/local/bin/../lib/clang/4.0.0/lib/linux/libclang_rt.asan_cxx-x86_64.a(ubsan_type_hash_itanium.cc.o): In function `isDerivedFromAtOffset(__cxxabiv1::__class_type_info const*, __cxxabiv1::__class_type_info const*, long) [clone .constprop.0]':
/src/llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:120: undefined reference to `typeinfo for __cxxabiv1::__si_class_type_info'
/src/llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:120: undefined reference to `typeinfo for __cxxabiv1::__class_type_info'
/src/llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:126: undefined reference to `__dynamic_cast'
/src/llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:130: undefined reference to `typeinfo for __cxxabiv1::__vmi_class_type_info'
/src/llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:130: undefined reference to `__dynamic_cast'
/usr/local/bin/../lib/clang/4.0.0/lib/linux/libclang_rt.asan_cxx-x86_64.a(ubsan_type_hash_itanium.cc.o): In function `isDerivedFromAtOffset':
/src/llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:126: undefined reference to `__dynamic_cast'
/src/llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:130: undefined reference to `typeinfo for __cxxabiv1::__vmi_class_type_info'
/src/llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:130: undefined reference to `__dynamic_cast'
/src/llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:126: undefined reference to `__dynamic_cast'
/src/llvm/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:130: undefined reference to `typeinfo for __cxxabiv1::__vmi_class_type_info'

We need to do add export LDFLAGS=$FUZZER_LDFLAGS for the build to work. We don't specify any linker options at all.

@kcc @eugenis do you think this is wrong handling of sanitizer arguments in the presence of stdlib=libc++?

@kcc
Copy link
Contributor

kcc commented Oct 13, 2016

Not sure I understand you .
export LDFLAGS=$FUZZER_LDFLAGS SGTM
(or just do LDFLAGS=$FUZZER_LDFLAGS build-command)

@mikea
Copy link
Contributor Author

mikea commented Oct 13, 2016

The question is: why do I need to do this export at all?

The library is building some binary. And that binary can't be linked with -fsanitize=address -fsanitize-coverage without messing with linker arguments. I thought frontend will take care of linker arguments automagically.

@kcc
Copy link
Contributor

kcc commented Oct 14, 2016

I still don't understand the question.
In the current setup LDFLAGS adss static libc++.a, the frontend does not know about it
and will not add it automatically .

@mikea
Copy link
Contributor Author

mikea commented Nov 4, 2016

I have filed a bug for the driver: https://llvm.org/bugs/show_bug.cgi?id=30919

mhlakhani added a commit to mhlakhani/oss-fuzz that referenced this issue Sep 25, 2019
@mhlakhani
[NOT FOR COMMIT] Reproducer for mis-compiled exception handling
6ee029d 
The corresponding github issue has more detail on the problem.

This code is not in any meaningful state to be committed -- it contains a bunch of hacks I had to make to get the binary to build statically -- libunwind is linked in (via folly), and I had to make changes to include liblzma as well (which libunwind depends on) as well as fix some other unrelated cmake issues.

Reproduction instructions below.

First, build it with `python infra/helper.py build_fuzzers --sanitizer address proxygen`
Then, check the build (it will pass): `python infra/helper.py check_build proxygen`
Then, run the fuzzer: `python infra/helper.py run_fuzzer proxygen ProxygenHTTP1xFuzzer`

It will fail in about ~30 seconds with the below trace. If the fuzzer goes down another path, I've had it reproduce easily by pulling up the shell, running `base64 -d`, pushing that input to a file, and then running the fuzzer directly on that file.

```
terminating with uncaught exception of type folly::ConversionError: Non-digit character found: "OPY"
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11==ERROR: AddressSanitizer: ABRT on unknown address 0x00000000000b (pc 0x7fc166eb7428 bp 0x000000000001 sp 0x7ffcff0a6c78 T0)
SCARINESS: 10 (signal)
    #0 0x7fc166eb7427 in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x35427)
    google#1 0x7fc166eb9029 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x37029)
    google#2 0x9ab7fa in abort_message (/out/ProxygenHTTP1xFuzzer+0x9ab7fa)
    google#3 0x9b009d in demangling_terminate_handler() (/out/ProxygenHTTP1xFuzzer+0x9b009d)
    google#4 0x9ab282 in std::__terminate(void (*)()) (/out/ProxygenHTTP1xFuzzer+0x9ab282)
    google#5 0x9adebd in __cxxabiv1::call_terminate(bool, _Unwind_Exception*) (/out/ProxygenHTTP1xFuzzer+0x9adebd)
    google#6 0x9ade60 in __cxxabiv1::scan_eh_tab(__cxxabiv1::(anonymous namespace)::scan_results&, _Unwind_Action, bool, _Unwind_Exception*, _Unwind_Context*) (/out/ProxygenHTTP1xFuzzer+0x9ade60)
    google#7 0x9ad5c6 in __gxx_personality_v0 (/out/ProxygenHTTP1xFuzzer+0x9ad5c6)
    google#8 0x7fc16725c262 in _Unwind_RaiseException (/lib/x86_64-linux-gnu/libgcc_s.so.1+0x10262)
    google#9 0x9acfd6 in __cxa_throw (/out/ProxygenHTTP1xFuzzer+0x9acfd6)
    google#10 0x5cedab in void folly::throw_exception<folly::ConversionError>(folly::ConversionError&&) /src/proxygen/proxygen/_build/deps/include/folly/lang/Exception.h:36:3
    google#11 0x5eea03 in _ZZN5folly2toItEENSt3__19enable_ifIXntsr3std7is_sameINS_5RangeIPKcEET_EE5valueES7_E4typeES6_ENKUlNS_14ConversionCodeEE_clESA_ /src/proxygen/proxygen/_build/deps/include/folly/Conv.h:1581:26
    google#12 0x5eea03 in _ZN5folly15expected_detail30expected_detail_ExpectedHelper14ExpectedHelper12thenOrThrow_IRNS0_15ExpectedStorageINS_5RangeIPKcEENS_14ConversionCodeELNS0_11StorageTypeE1EEENS_6detail18CheckTrailingSpaceEZNS_2toItEENSt3__19enable_ifIXntsr3std7is_sameIS8_T_EE5valueESI_E4typeES8_EUlS9_E_NS_8ExpectedINS_4UnitES9_EEvLb0ELi0EEET2_OSI_OT0_OT1_ /src/proxygen/proxygen/_build/deps/include/folly/Expected.h:610:5
    google#13 0x5ed846 in _ZNR5folly8ExpectedINS_5RangeIPKcEENS_14ConversionCodeEE11thenOrThrowINS_6detail18CheckTrailingSpaceEZNS_2toItEENSt3__19enable_ifIXntsr3std7is_sameIS4_T_EE5valueESD_E4typeES4_EUlS5_E_EEDTclclsr3stdE7declvalISD_EEclL_ZNSB_7declvalIRS4_EEDTclsr3std3__1E9__declvalISD_ELi0EEEvEEEEOSD_OT0_ /src/proxygen/proxygen/_build/deps/include/folly/Expected.h:1226:16
    google#14 0x5ed846 in _ZN5folly2toItEENSt3__19enable_ifIXntsr3std7is_sameINS_5RangeIPKcEET_EE5valueES7_E4typeES6_ /src/proxygen/proxygen/_build/deps/include/folly/Conv.h:1579:8
    google#15 0x5ed445 in proxygen::ParseURL::parseAuthority() /src/proxygen/proxygen/lib/utils/ParseURL.cpp:155:15
    google#16 0x5ec5e9 in proxygen::ParseURL::parseNonFully() /src/proxygen/proxygen/lib/utils/ParseURL.cpp:140:8
    google#17 0x5ea87a in proxygen::ParseURL::parse() /src/proxygen/proxygen/lib/utils/ParseURL.cpp:96:5
    google#18 0x59a99c in proxygen::ParseURL::init(folly::Range<char const*>) /src/proxygen/proxygen/lib/utils/ParseURL.h:34:5
    google#19 0x58add1 in proxygen::ParseURL::ParseURL(folly::Range<char const*>) /src/proxygen/proxygen/lib/utils/ParseURL.h:28:5
    google#20 0x58add1 in proxygen::ParseURL proxygen::HTTPMessage::setURL<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) /src/proxygen/proxygen/lib/http/HTTPMessage.h:202:14
    google#21 0x5795f0 in proxygen::HTTP1xCodec::onHeadersComplete(unsigned long) /src/proxygen/proxygen/lib/http/codec/HTTP1xCodec.cpp:976:31
    google#22 0x58e2a3 in proxygen::HTTP1xCodec::onHeadersCompleteCB(proxygen::http_parser*, char const*, unsigned long) /src/proxygen/proxygen/lib/http/codec/HTTP1xCodec.cpp:1315:19
    google#23 0x5f2222 in proxygen::http_parser_execute(proxygen::http_parser*, proxygen::http_parser_settings const*, char const*, unsigned long) /src/proxygen/proxygen/external/http_parser/http_parser_cpp.cpp:1868:17
    google#24 0x577783 in proxygen::HTTP1xCodec::onIngress(folly::IOBuf const&) /src/proxygen/proxygen/lib/http/codec/HTTP1xCodec.cpp:200:26
    google#25 0x55b728 in unsigned long proxygen::parse<proxygen::HTTP1xCodec>(proxygen::HTTP1xCodec*, unsigned char const*, unsigned int, int, std::__1::function<bool ()>) /src/proxygen/proxygen/lib/http/codec/test/TestUtils.h:57:23
    google#26 0x55a6ef in LLVMFuzzerTestOneInput /src/proxygen/proxygen/fuzzers/ProxygenHTTP1xFuzzer.cpp:23:3
    google#27 0x460771 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:554:15
    google#28 0x45fe95 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    google#29 0x462247 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:696:19
    google#30 0x462fe5 in fuzzer::Fuzzer::Loop(std::Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    google#31 0x450dd8 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:825:6
    google#32 0x47b442 in main /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    google#33 0x7fc166ea282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    google#34 0x424468 in _start (/out/ProxygenHTTP1xFuzzer+0x424468)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x35427) in gsignal
==11==ABORTING
MS: 3 CrossOver-ChangeBit-EraseBytes-; base unit: 467e3fbf38770044dea566169b84c60cb269c89a
0x43,0x4f,0x50,0x59,0x20,0x43,0x3a,0x4f,0x50,0x59,0x2f,0x4f,0xff,0xa,0x43,0x4f,0x50,0x59,0x20,0x2f,0x4f,0xff,0xa,0x43,0x4f,0x50,0x59,0x20,0x2f,0x6f,0x20,0xff,0x50,0x59,0x0,0x43,0xcf,0x50,0x59,0xff,0x4f,0x50,0x33,
COPY C:OPY/O\xff\x0aCOPY /O\xff\x0aCOPY /o \xffPY\x00C\xcfPY\xffOP3
artifact_prefix='./'; Test unit written to ./crash-2cd12847d55ebf08ec2eaee4e814c52e545e7f92
Base64: Q09QWSBDOk9QWS9P/wpDT1BZIC9P/wpDT1BZIC9vIP9QWQBDz1BZ/09QMw==
```

This seems wrong to me since the code is inside a try/catch block: https://github.com/facebook/proxygen/blob/master/proxygen/lib/utils/ParseURL.cpp#L159-L164

I can confirm that the same input does not crash the fuzzer in the version being built on oss-fuzz trunk (and indeed it would have also reported this as a test-case by now given it's been running over a day)
@rlohning rlohning mentioned this issue Dec 21, 2021
Closed
DavidKorczynski pushed a commit that referenced this issue Jul 9, 2024
@DonggeLiu
Hide useless logs and add useful ones (#31)
be5191f 
Hide numerous download progress logs from `wget2` and `gsutil`.
Add logs for cloud experiments to look for anomalies.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mikea @kcc