Re: is that false alarm of "container-overflow"?

[Jennifer Liu]

Thanks for taking look at this.

asan should already be enabled for all libs and binaries. Here is the 
output:

==27158==ERROR: AddressSanitizer: container-overflow on address 0x6250004b8992 
at pc 0x00010f37fdf6 bp 0x7fff508fd5c0 sp 0x7fff508fd5b8
READ of size 2 at 0x6250004b8992 thread T0
    #0 0x10f37fdf5 in CRsFecHeader::GetSourceBlockNumber() const 
RsFecHeader.h:184
    #1 0x10f3872a7 in CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&) 
MariRSRecoveryDecoder.cpp:722
    #2 0x10f38e3ee in CMariRSRecoveryDecoder::recover(CRsFecHeader&) 
MariRSRecoveryDecoder.cpp:649
    #3 0x10f393365 in CMariRSRecoveryDecoder::receiveInd(unsigned int, unsigned 
short, unsigned char const*, unsigned long, bool, unsigned int) 
MariRSRecoveryDecoder.cpp:876
    #4 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
    #5 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, 
unsigned long) (decode_fuzz_test:x86_64+0x1000fea61)
    #6 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned 
long, bool, fuzzer::InputInfo*) (decode_fuzz_test:x86_64+0x1000fd553)
    #7 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne() 
(decode_fuzz_test:x86_64+0x100104200)
    #8 0x10f3ffac2 in fuzzer::Fuzzer::Loop() 
(decode_fuzz_test:x86_64+0x100104ac2)
    #9 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char 
const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e311a)
    #10 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f)
    #11 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)

0x6250004b8992 is located 4242 bytes inside of 8448-byte region 
[0x6250004b7900,0x6250004b9a00)
allocated by thread T0 here:
    #0 0x1107c7162  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x63162)
    #1 0x10f3c1d05 in std::__1::__split_buffer<fecPacket, 
std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned long, 
std::__1::allocator<fecPacket>&) new:226
    #2 0x10f3bfe7b in std::__1::__split_buffer<fecPacket, 
std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned long, 
std::__1::allocator<fecPacket>&) __split_buffer:310
    #3 0x10f3beee5 in void std::__1::vector<fecPacket, 
std::__1::allocator<fecPacket> >::__push_back_slow_path<fecPacket 
const&>(fecPacket const&&&) vector:1567
    #4 0x10f392f02 in CMariRSRecoveryDecoder::receiveInd(unsigned int, unsigned 
short, unsigned char const*, unsigned long, bool, unsigned int) vector:1588
    #5 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
    #6 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, 
unsigned long) (decode_fuzz_test:x86_64+0x1000fea61)
    #7 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned 
long, bool, fuzzer::InputInfo*) (decode_fuzz_test:x86_64+0x1000fd553)
    #8 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne() 
(decode_fuzz_test:x86_64+0x100104200)
    #9 0x10f3ffac2 in fuzzer::Fuzzer::Loop() 
(decode_fuzz_test:x86_64+0x100104ac2)
    #10 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned 
char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e311a)
    #11 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f)
    #12 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)

HINT: if you don't care about these errors you may set 
ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also: 
https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow RsFecHeader.h:184 in 
CRsFecHeader::GetSourceBlockNumber() const
Shadow bytes around the buggy address:
  0x1c4a000970e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a000970f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a00097100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a00097110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4a00097120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c4a00097130: fc fc[fc]fc fc fc fc fc fc fc fc fc fc fc fc fc
  0x1c4a00097140: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  0x1c4a00097150: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  0x1c4a00097160: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  0x1c4a00097170: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  0x1c4a00097180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27158==ABORTING
MS: 2 ChangeBinInt-CrossOver-; base unit: 
39df3a26431dc09379d257bc172adeab21071c68
artifact_prefix='./'; Test unit written to 
./crash-96da7f498ec50184b4a59ff76016825944944534
==27158== ERROR: libFuzzer: deadly signal
    #0 0x1107c3cf7 in __sanitizer_print_stack_trace 
(libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5fcf7)
    #1 0x10f3f675b in fuzzer::Fuzzer::CrashCallback() 
(decode_fuzz_test:x86_64+0x1000fb75b)
    #2 0x10f3f670d in fuzzer::Fuzzer::StaticCrashSignalCallback() 
(decode_fuzz_test:x86_64+0x1000fb70d)
    #3 0x10f45bd67 in fuzzer::CrashHandler(int, __siginfo*, void*) 
(decode_fuzz_test:x86_64+0x100160d67)
    #4 0x7fffc0b39b39 in _sigtramp (libsystem_platform.dylib:x86_64+0x2b39)
    #5 0x7fff508fc41f  (<unknown module>)
    #6 0x7fffc09be41f in abort (libsystem_c.dylib:x86_64+0x5f41f)
    #7 0x1107db8e5  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x778e5)
    #8 0x1107da853  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x76853)
    #9 0x1107c0d76  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5cd76)
    #10 0x1107c07e1  (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5c7e1)
    #11 0x1107c139a in __asan_report_load2 
(libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5d39a)
    #12 0x10f37fdf5 in CRsFecHeader::GetSourceBlockNumber() const 
RsFecHeader.h:184
    #13 0x10f3872a7 in CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&) 
MariRSRecoveryDecoder.cpp:722
    #14 0x10f38e3ee in CMariRSRecoveryDecoder::recover(CRsFecHeader&) 
MariRSRecoveryDecoder.cpp:649
    #15 0x10f393365 in CMariRSRecoveryDecoder::receiveInd(unsigned int, 
unsigned short, unsigned char const*, unsigned long, bool, unsigned int) 
MariRSRecoveryDecoder.cpp:876
    #16 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
    #17 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, 
unsigned long) (decode_fuzz_test:x86_64+0x1000fea61)
    #18 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned 
long, bool, fuzzer::InputInfo*) (decode_fuzz_test:x86_64+0x1000fd553)
    #19 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne() 
(decode_fuzz_test:x86_64+0x100104200)
    #20 0x10f3ffac2 in fuzzer::Fuzzer::Loop() 
(decode_fuzz_test:x86_64+0x100104ac2)
    #21 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned 
char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e311a)
    #22 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f)
    #23 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash 
reports.
SUMMARY: libFuzzer: deadly signal
MS: 2 ChangeBinInt-CrossOver-; base unit: 
39df3a26431dc09379d257bc172adeab21071c68
artifact_prefix='./'; Test unit written to 
./crash-96da7f498ec50184b4a59ff76016825944944534



On Tuesday, August 22, 2017 at 12:44:53 PM UTC-7, Evgeniy Stepanov wrote:
>
> I don't know how common this algorithm is, given that it does N^2 
> operations to remove N elements. 
>
> But I don't see any container overflow here. Could you post the actual 
> report? 
>
> Does this look relevant to your setup: 
>
> https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow#false-positives
>  
>
> On Tue, Aug 22, 2017 at 11:54 AM, Jennifer Liu <lovejen...@gmail.com 
> <javascript:>> wrote: 
> > Is this false alarm of "container-overflow", it looks like very common 
> way 
> > to remove elements by iterator in while loop. 
> > 
> > 
> >     std::vector<Packet>::iterator it = m_packets.begin(); 
> > 
> >     while (it != m_packets.end()) { 
> > 
> >         if (it->header.GetSourceBlockNumber() <= 
> > rsrp.GetSourceBlockNumber()) { 
> > 
> >             if (it->repair.pData != NULL) { 
> > 
> >                 free(it->repair.pData); 
> > 
> >                 it->repair.pData = NULL; 
> > 
> >             } 
> > 
> >             it = m_packets.erase(it); 
> > 
> >         } else { 
> > 
> >             ++it; 
> > 
> >         } 
> > 
> >     } 
> > 
> > 
> > Thanks 
> > 
> > 
> > -- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "address-sanitizer" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to address-saniti...@googlegroups.com <javascript:>. 
> > For more options, visit https://groups.google.com/d/optout. 
>

-- 
You received this message because you are subscribed to the Google Groups 
"address-sanitizer" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to address-sanitizer+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.