On Tue, Aug 22, 2017 at 3:09 PM, Jennifer Liu <[email protected]> wrote:
> Thanks for taking a look at this.
>
> asan should already be enabled for all libs and binaries. Here is the
> output:

I remember that container-overflow was more problematic on Mac (compared to
Linux) since more libs are potentially uninstrumented.

In this case, try to add a printf that shows .size() and .capacity() of the
vector object at the time of access, i.e. print 4 values:

  v.begin()
  v.begin() + v.capacity()
  v.begin() + v.size()
  ptr   // the pointer that causes the crash

If ptr is less than v.begin() + v.size() it's a false positive, as explained at
https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow#false-positives

> ==27158==ERROR: AddressSanitizer: container-overflow on address 0x6250004b8992 at pc 0x00010f37fdf6 bp 0x7fff508fd5c0 sp 0x7fff508fd5b8
> READ of size 2 at 0x6250004b8992 thread T0
>     #0 0x10f37fdf5 in CRsFecHeader::GetSourceBlockNumber() const RsFecHeader.h:184
>     #1 0x10f3872a7 in CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&) MariRSRecoveryDecoder.cpp:722
>     #2 0x10f38e3ee in CMariRSRecoveryDecoder::recover(CRsFecHeader&) MariRSRecoveryDecoder.cpp:649
>     #3 0x10f393365 in CMariRSRecoveryDecoder::receiveInd(unsigned int, unsigned short, unsigned char const*, unsigned long, bool, unsigned int) MariRSRecoveryDecoder.cpp:876
>     #4 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
>     #5 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (decode_fuzz_test:x86_64+0x1000fea61)
>     #6 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*) (decode_fuzz_test:x86_64+0x1000fd553)
>     #7 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne() (decode_fuzz_test:x86_64+0x100104200)
>     #8 0x10f3ffac2 in fuzzer::Fuzzer::Loop() (decode_fuzz_test:x86_64+0x100104ac2)
>     #9 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e311a)
>     #10 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f)
>     #11 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)
>
> 0x6250004b8992 is located 4242 bytes inside of 8448-byte region [0x6250004b7900,0x6250004b9a00)
> allocated by thread T0 here:
>     #0 0x1107c7162 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x63162)
>     #1 0x10f3c1d05 in std::__1::__split_buffer<fecPacket, std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<fecPacket>&) new:226
>     #2 0x10f3bfe7b in std::__1::__split_buffer<fecPacket, std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<fecPacket>&) __split_buffer:310
>     #3 0x10f3beee5 in void std::__1::vector<fecPacket, std::__1::allocator<fecPacket> >::__push_back_slow_path<fecPacket const&>(fecPacket const&&&) vector:1567
>     #4 0x10f392f02 in CMariRSRecoveryDecoder::receiveInd(unsigned int, unsigned short, unsigned char const*, unsigned long, bool, unsigned int) vector:1588
>     #5 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
>     #6 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (decode_fuzz_test:x86_64+0x1000fea61)
>     #7 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*) (decode_fuzz_test:x86_64+0x1000fd553)
>     #8 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne() (decode_fuzz_test:x86_64+0x100104200)
>     #9 0x10f3ffac2 in fuzzer::Fuzzer::Loop() (decode_fuzz_test:x86_64+0x100104ac2)
>     #10 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e311a)
>     #11 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f)
>     #12 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)
>
> HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
> If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
> SUMMARY: AddressSanitizer: container-overflow RsFecHeader.h:184 in CRsFecHeader::GetSourceBlockNumber() const
> Shadow bytes around the buggy address:
>   0x1c4a000970e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x1c4a000970f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x1c4a00097100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x1c4a00097110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x1c4a00097120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x1c4a00097130: fc fc[fc]fc fc fc fc fc fc fc fc fc fc fc fc fc
>   0x1c4a00097140: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   0x1c4a00097150: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   0x1c4a00097160: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   0x1c4a00097170: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   0x1c4a00097180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==27158==ABORTING
> MS: 2 ChangeBinInt-CrossOver-; base unit: 39df3a26431dc09379d257bc172adeab21071c68
> artifact_prefix='./'; Test unit written to ./crash-96da7f498ec50184b4a59ff76016825944944534
> ==27158== ERROR: libFuzzer: deadly signal
>     #0 0x1107c3cf7 in __sanitizer_print_stack_trace (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5fcf7)
>     #1 0x10f3f675b in fuzzer::Fuzzer::CrashCallback() (decode_fuzz_test:x86_64+0x1000fb75b)
>     #2 0x10f3f670d in fuzzer::Fuzzer::StaticCrashSignalCallback() (decode_fuzz_test:x86_64+0x1000fb70d)
>     #3 0x10f45bd67 in fuzzer::CrashHandler(int, __siginfo*, void*) (decode_fuzz_test:x86_64+0x100160d67)
>     #4 0x7fffc0b39b39 in _sigtramp (libsystem_platform.dylib:x86_64+0x2b39)
>     #5 0x7fff508fc41f (<unknown module>)
>     #6 0x7fffc09be41f in abort (libsystem_c.dylib:x86_64+0x5f41f)
>     #7 0x1107db8e5 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x778e5)
>     #8 0x1107da853 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x76853)
>     #9 0x1107c0d76 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5cd76)
>     #10 0x1107c07e1 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5c7e1)
>     #11 0x1107c139a in __asan_report_load2 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5d39a)
>     #12 0x10f37fdf5 in CRsFecHeader::GetSourceBlockNumber() const RsFecHeader.h:184
>     #13 0x10f3872a7 in CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&) MariRSRecoveryDecoder.cpp:722
>     #14 0x10f38e3ee in CMariRSRecoveryDecoder::recover(CRsFecHeader&) MariRSRecoveryDecoder.cpp:649
>     #15 0x10f393365 in CMariRSRecoveryDecoder::receiveInd(unsigned int, unsigned short, unsigned char const*, unsigned long, bool, unsigned int) MariRSRecoveryDecoder.cpp:876
>     #16 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
>     #17 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (decode_fuzz_test:x86_64+0x1000fea61)
>     #18 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*) (decode_fuzz_test:x86_64+0x1000fd553)
>     #19 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne() (decode_fuzz_test:x86_64+0x100104200)
>     #20 0x10f3ffac2 in fuzzer::Fuzzer::Loop() (decode_fuzz_test:x86_64+0x100104ac2)
>     #21 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e311a)
>     #22 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f)
>     #23 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)
>
> NOTE: libFuzzer has rudimentary signal handlers.
>       Combine libFuzzer with AddressSanitizer or similar for better crash reports.
> SUMMARY: libFuzzer: deadly signal
> MS: 2 ChangeBinInt-CrossOver-; base unit: 39df3a26431dc09379d257bc172adeab21071c68
> artifact_prefix='./'; Test unit written to ./crash-96da7f498ec50184b4a59ff76016825944944534
>
>
> On Tuesday, August 22, 2017 at 12:44:53 PM UTC-7, Evgeniy Stepanov wrote:
>>
>> I don't know how common this algorithm is, given that it does N^2
>> operations to remove N elements.
>>
>> But I don't see any container overflow here. Could you post the actual
>> report?
>>
>> Does this look relevant to your setup:
>> https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow#false-positives
>>
>> On Tue, Aug 22, 2017 at 11:54 AM, Jennifer Liu <[email protected]> wrote:
>> > Is this a false alarm of "container-overflow"? It looks like a very common
>> > way to remove elements by iterator in a while loop.
>> >
>> >     std::vector<Packet>::iterator it = m_packets.begin();
>> >
>> >     while (it != m_packets.end()) {
>> >         if (it->header.GetSourceBlockNumber() <= rsrp.GetSourceBlockNumber()) {
>> >             if (it->repair.pData != NULL) {
>> >                 free(it->repair.pData);
>> >                 it->repair.pData = NULL;
>> >             }
>> >             it = m_packets.erase(it);
>> >         } else {
>> >             ++it;
>> >         }
>> >     }
>> >
>> > Thanks
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups
>> > "address-sanitizer" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>>
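The two diagnostics the thread turns on, worked through in code. This is an added example written for this page, not code from the thread, from libc++ or from the project whose report is quoted above. The first half is the four-value check the reply asks for (where the faulting pointer sits relative to begin, begin+size and begin+capacity; inside [begin, begin+size) means ASan's container-overflow report is a false positive, inside [begin+size, begin+capacity) means a real access into the fc-poisoned slack). The second half puts the posted erase-in-a-loop next to a single-erase form that avoids the N^2 element shifting Evgeniy points out. Packet, Header, Repair, classifyAccess, flushQuadratic, flushLinear and makePackets are assumed stand-ins modeled on the posted snippet, not the project's types, and the packet input is constructed.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <vector>

// Hypothetical stand-ins for the thread's Packet type: the snippet only uses
// header.GetSourceBlockNumber() and a malloc'd repair.pData.
struct Header {
    unsigned sbn = 0;
    unsigned GetSourceBlockNumber() const { return sbn; }
};
struct Repair {
    unsigned char* pData = nullptr;  // malloc'd, owned by the packet
};
struct Packet {
    Header header;
    Repair repair;
};

// The four-value check from the reply: where does ptr fall relative to
// begin, begin+size and begin+capacity of the vector's storage?
enum class Region {
    InSize,          // [begin, begin+size): a container-overflow report here is a false positive
    InCapacityOnly,  // [begin+size, begin+capacity): the fc shadow, a real container-overflow
    Outside          // not within this vector's allocation at all
};

template <typename T>
Region classifyAccess(const std::vector<T>& v, const void* ptr) {
    const auto p = reinterpret_cast<std::uintptr_t>(ptr);
    const auto begin = reinterpret_cast<std::uintptr_t>(v.data());
    const auto sizeEnd = begin + v.size() * sizeof(T);
    const auto capEnd = begin + v.capacity() * sizeof(T);
    if (p >= begin && p < sizeEnd) return Region::InSize;
    if (p >= sizeEnd && p < capEnd) return Region::InCapacityOnly;
    return Region::Outside;
}

// The posted loop, behaviour unchanged: one erase() per removed element, and
// each erase shifts every later element, so dropping N of N packets is O(N^2).
std::size_t flushQuadratic(std::vector<Packet>& packets, unsigned limit) {
    std::size_t removed = 0;
    auto it = packets.begin();
    while (it != packets.end()) {
        if (it->header.GetSourceBlockNumber() <= limit) {
            std::free(it->repair.pData);  // free(NULL) is a no-op
            it->repair.pData = nullptr;
            it = packets.erase(it);
            ++removed;
        } else {
            ++it;
        }
    }
    return removed;
}

// Same result with one erase: stable_partition keeps every element exactly once
// (no pData pointer is duplicated), so the tail can be freed and dropped together.
std::size_t flushLinear(std::vector<Packet>& packets, unsigned limit) {
    auto tail = std::stable_partition(packets.begin(), packets.end(),
        [limit](const Packet& p) { return p.header.GetSourceBlockNumber() > limit; });
    for (auto it = tail; it != packets.end(); ++it) {
        std::free(it->repair.pData);
        it->repair.pData = nullptr;
    }
    const std::size_t removed = static_cast<std::size_t>(packets.end() - tail);
    packets.erase(tail, packets.end());
    return removed;
}

// Constructed input: block numbers 1..n, even-numbered packets own a buffer.
std::vector<Packet> makePackets(unsigned n) {
    std::vector<Packet> v;
    v.reserve(n * 2);  // leaves [size, capacity) slack, which ASan poisons as fc
    for (unsigned i = 1; i <= n; ++i) {
        Packet p;
        p.header.sbn = i;
        if (i % 2 == 0) p.repair.pData = static_cast<unsigned char*>(std::malloc(16));
        v.push_back(p);
    }
    return v;
}

int main() {
    std::vector<int> v;
    v.reserve(8);
    v.assign({1, 2, 3});
    const char* base = reinterpret_cast<const char*>(v.data());
    std::printf("element 1: %s\n",
                classifyAccess(v, base + sizeof(int)) == Region::InSize ? "in size" : "?");
    std::printf("element 5: %s\n",
                classifyAccess(v, base + 5 * sizeof(int)) == Region::InCapacityOnly
                    ? "between size and capacity (real container-overflow)" : "?");
    auto packets = makePackets(6);
    std::size_t removed = flushLinear(packets, 3);
    std::printf("flushLinear removed %zu, %zu left\n", removed, packets.size());
    flushLinear(packets, 6);  // free the rest
    return 0;
}
```

Under ASan, the classifier is what to run right before the access that gets reported: a pointer that classifies as InSize while ASan still flags it points at an uninstrumented library having grown the vector behind ASan's back (the wiki's false-positive case), whereas InCapacityOnly is a genuine read of an element that was erased or never pushed. Note that the original while/erase loop is not itself the cause of a container-overflow; it is only the iteration pattern that reads the header of each live element once.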
