thanks a lot, looks like false positive, here is the output:
./fuzz/decode_fuzz_test crash-96da7f498ec50184b4a59ff76016825944944534
INFO: Seed: 3163772972
INFO: Loaded 1 modules (4395 guards): 4395 [0x1042ffcf0, 0x10430419c),
./fuzz/decode_fuzz_test: Running 1 inputs 1 time(s) each.
Running: crash-96da7f498ec50184b4a59ff76016825944944534
it - begin = 0, capacity = 4, size = 3
it - begin = 0, capacity = 4, size = 2
=================================================================
==19407==ERROR: AddressSanitizer: container-overflow on address
0x625000003992 at pc 0x0001042011e6 bp 0x7fff5ba7c000 sp 0x7fff5ba7bff8
READ of size 2 at 0x625000003992 thread T0
#0 0x1042011e5 in CRsFecHeader::GetSourceBlockNumber() const
RsFecHeader.h:184
#1 0x104208fe1 in
CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&)
MariRSRecoveryDecoder.cpp:726
#2 0x10421011c in CMariRSRecoveryDecoder::recover(CRsFecHeader&)
MariRSRecoveryDecoder.cpp:650
#3 0x1042175cd in CMariRSRecoveryDecoder::receiveInd(unsigned int,
unsigned short, unsigned char const*, unsigned long, bool, unsigned int)
MariRSRecoveryDecoder.cpp:890
#4 0x10417e192 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
#5 0x10427e4d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) (decode_fuzz_test:x86_64+0x1001024d1)
#6 0x104255a5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
unsigned long) (decode_fuzz_test:x86_64+0x1000d9a5c)
#7 0x1042610fd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e50fd)
#8 0x104254c9f in main (decode_fuzz_test:x86_64+0x1000d8c9f)
#9 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)
0x625000003992 is located 4242 bytes inside of 8448-byte region
[0x625000002900,0x625000004a00)
allocated by thread T0 here:
#0 0x106414162 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x63162)
#1 0x104246775 in std::__1::__split_buffer<fecPacket,
std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned
long, std::__1::allocator<fecPacket>&) new:226
#2 0x1042448eb in std::__1::__split_buffer<fecPacket,
std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned
long, std::__1::allocator<fecPacket>&) __split_buffer:310
#3 0x104243955 in void std::__1::vector<fecPacket,
std::__1::allocator<fecPacket> >::__push_back_slow_path<fecPacket
const&>(fecPacket const&&&) vector:1567
#4 0x104217167 in CMariRSRecoveryDecoder::receiveInd(unsigned int,
unsigned short, unsigned char const*, unsigned long, bool, unsigned int)
vector:1588
#5 0x10417e192 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
#6 0x10427e4d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) (decode_fuzz_test:x86_64+0x1001024d1)
#7 0x104255a5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
unsigned long) (decode_fuzz_test:x86_64+0x1000d9a5c)
#8 0x1042610fd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e50fd)
#9 0x104254c9f in main (decode_fuzz_test:x86_64+0x1000d8c9f)
#10 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)
HINT: if you don't care about these errors you may set
ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also:
https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow RsFecHeader.h:184 in
CRsFecHeader::GetSourceBlockNumber() const
Shadow bytes around the buggy address:
0x1c4a000006e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c4a000006f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c4a00000700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c4a00000710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c4a00000720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c4a00000730: fc fc[fc]fc fc fc fc fc fc fc fc fc fc fc fc fc
0x1c4a00000740: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
0x1c4a00000750: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
0x1c4a00000760: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
0x1c4a00000770: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
0x1c4a00000780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19407==ABORTING
==19407== ERROR: libFuzzer: deadly signal
#0 0x106410cf7 in __sanitizer_print_stack_trace
(libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5fcf7)
#1 0x10427b1cb in fuzzer::Fuzzer::CrashCallback()
(decode_fuzz_test:x86_64+0x1000ff1cb)
#2 0x10427b17d in fuzzer::Fuzzer::StaticCrashSignalCallback()
(decode_fuzz_test:x86_64+0x1000ff17d)
#3 0x1042e07d7 in fuzzer::CrashHandler(int, __siginfo*, void*)
(decode_fuzz_test:x86_64+0x1001647d7)
#4 0x7fffc0b39b39 in _sigtramp (libsystem_platform.dylib:x86_64+0x2b39)
#5 0x7fff5ba7ae5f (<unknown module>)
#6 0x7fffc09be41f in abort (libsystem_c.dylib:x86_64+0x5f41f)
#7 0x1064288e5 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x778e5)
#8 0x106427853 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x76853)
#9 0x10640dd76 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5cd76)
#10 0x10640d7e1 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5c7e1)
#11 0x10640e39a in __asan_report_load2
(libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5d39a)
#12 0x1042011e5 in CRsFecHeader::GetSourceBlockNumber() const
RsFecHeader.h:184
#13 0x104208fe1 in
CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&)
MariRSRecoveryDecoder.cpp:726
#14 0x10421011c in CMariRSRecoveryDecoder::recover(CRsFecHeader&)
MariRSRecoveryDecoder.cpp:650
#15 0x1042175cd in CMariRSRecoveryDecoder::receiveInd(unsigned int,
unsigned short, unsigned char const*, unsigned long, bool, unsigned int)
MariRSRecoveryDecoder.cpp:890
#16 0x10417e192 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
#17 0x10427e4d1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char
const*, unsigned long) (decode_fuzz_test:x86_64+0x1001024d1)
#18 0x104255a5c in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*,
unsigned long) (decode_fuzz_test:x86_64+0x1000d9a5c)
#19 0x1042610fd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e50fd)
#20 0x104254c9f in main (decode_fuzz_test:x86_64+0x1000d8c9f)
#21 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash
reports.
SUMMARY: libFuzzer: deadly signal
On Tuesday, August 22, 2017 at 3:22:04 PM UTC-7, kcc wrote:
>
>
>
> On Tue, Aug 22, 2017 at 3:09 PM, Jennifer Liu <[email protected]
> <javascript:>> wrote:
>
>> Thanks for taking look at this.
>>
>> asan should already be enabled for all libs and binaries. Here is the
>> output:
>>
>
> I remember that container-overflow was more problematic on Mac (compared
> to Linux) since more libs are potentially uninstrumented.
>
> In this case, try to add a printf that shows .size() and .capacity() of
> the vector object at the time of acccess.
> i.e. print 4 values:
> v.begin()
> v.begin() + v.capacity()
> v.begin() + v.size()
> ptr // the pointer that causes the crash.
>
> if ptr is less than v.begin() + v.size() it's a false positive, as
> explained at
> https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow#false-positives
>
>
>
>>
>> ==27158==ERROR: AddressSanitizer: container-overflow on address
>> 0x6250004b8992 at pc 0x00010f37fdf6 bp 0x7fff508fd5c0 sp 0x7fff508fd5b8
>> READ of size 2 at 0x6250004b8992 thread T0
>> #0 0x10f37fdf5 in CRsFecHeader::GetSourceBlockNumber() const
>> RsFecHeader.h:184
>> #1 0x10f3872a7 in CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&)
>> MariRSRecoveryDecoder.cpp:722
>> #2 0x10f38e3ee in CMariRSRecoveryDecoder::recover(CRsFecHeader&)
>> MariRSRecoveryDecoder.cpp:649
>> #3 0x10f393365 in CMariRSRecoveryDecoder::receiveInd(unsigned int,
>> unsigned short, unsigned char const*, unsigned long, bool, unsigned int)
>> MariRSRecoveryDecoder.cpp:876
>> #4 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
>> #5 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
>> unsigned long) (decode_fuzz_test:x86_64+0x1000fea61)
>> #6 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned
>> long, bool, fuzzer::InputInfo*) (decode_fuzz_test:x86_64+0x1000fd553)
>> #7 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne()
>> (decode_fuzz_test:x86_64+0x100104200)
>> #8 0x10f3ffac2 in fuzzer::Fuzzer::Loop()
>> (decode_fuzz_test:x86_64+0x100104ac2)
>> #9 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
>> char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e311a)
>> #10 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f)
>> #11 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)
>>
>> 0x6250004b8992 is located 4242 bytes inside of 8448-byte region
>> [0x6250004b7900,0x6250004b9a00)
>> allocated by thread T0 here:
>> #0 0x1107c7162 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x63162)
>> #1 0x10f3c1d05 in std::__1::__split_buffer<fecPacket,
>> std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned
>> long, std::__1::allocator<fecPacket>&) new:226
>> #2 0x10f3bfe7b in std::__1::__split_buffer<fecPacket,
>> std::__1::allocator<fecPacket>&>::__split_buffer(unsigned long, unsigned
>> long, std::__1::allocator<fecPacket>&) __split_buffer:310
>> #3 0x10f3beee5 in void std::__1::vector<fecPacket,
>> std::__1::allocator<fecPacket> >::__push_back_slow_path<fecPacket
>> const&>(fecPacket const&&&) vector:1567
>> #4 0x10f392f02 in CMariRSRecoveryDecoder::receiveInd(unsigned int,
>> unsigned short, unsigned char const*, unsigned long, bool, unsigned int)
>> vector:1588
>> #5 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
>> #6 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
>> unsigned long) (decode_fuzz_test:x86_64+0x1000fea61)
>> #7 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned
>> long, bool, fuzzer::InputInfo*) (decode_fuzz_test:x86_64+0x1000fd553)
>> #8 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne()
>> (decode_fuzz_test:x86_64+0x100104200)
>> #9 0x10f3ffac2 in fuzzer::Fuzzer::Loop()
>> (decode_fuzz_test:x86_64+0x100104ac2)
>> #10 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
>> char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e311a)
>> #11 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f)
>> #12 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)
>>
>> HINT: if you don't care about these errors you may set
>> ASAN_OPTIONS=detect_container_overflow=0.
>> If you suspect a false positive see also:
>> https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
>> SUMMARY: AddressSanitizer: container-overflow RsFecHeader.h:184 in
>> CRsFecHeader::GetSourceBlockNumber() const
>> Shadow bytes around the buggy address:
>> 0x1c4a000970e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x1c4a000970f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x1c4a00097100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x1c4a00097110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x1c4a00097120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> =>0x1c4a00097130: fc fc[fc]fc fc fc fc fc fc fc fc fc fc fc fc fc
>> 0x1c4a00097140: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> 0x1c4a00097150: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> 0x1c4a00097160: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> 0x1c4a00097170: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> 0x1c4a00097180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> Shadow byte legend (one shadow byte represents 8 application bytes):
>> Addressable: 00
>> Partially addressable: 01 02 03 04 05 06 07
>> Heap left redzone: fa
>> Freed heap region: fd
>> Stack left redzone: f1
>> Stack mid redzone: f2
>> Stack right redzone: f3
>> Stack after return: f5
>> Stack use after scope: f8
>> Global redzone: f9
>> Global init order: f6
>> Poisoned by user: f7
>> Container overflow: fc
>> Array cookie: ac
>> Intra object redzone: bb
>> ASan internal: fe
>> Left alloca redzone: ca
>> Right alloca redzone: cb
>> ==27158==ABORTING
>> MS: 2 ChangeBinInt-CrossOver-; base unit:
>> 39df3a26431dc09379d257bc172adeab21071c68
>> artifact_prefix='./'; Test unit written to
>> ./crash-96da7f498ec50184b4a59ff76016825944944534
>> ==27158== ERROR: libFuzzer: deadly signal
>> #0 0x1107c3cf7 in __sanitizer_print_stack_trace
>> (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5fcf7)
>> #1 0x10f3f675b in fuzzer::Fuzzer::CrashCallback()
>> (decode_fuzz_test:x86_64+0x1000fb75b)
>> #2 0x10f3f670d in fuzzer::Fuzzer::StaticCrashSignalCallback()
>> (decode_fuzz_test:x86_64+0x1000fb70d)
>> #3 0x10f45bd67 in fuzzer::CrashHandler(int, __siginfo*, void*)
>> (decode_fuzz_test:x86_64+0x100160d67)
>> #4 0x7fffc0b39b39 in _sigtramp (libsystem_platform.dylib:x86_64+0x2b39)
>> #5 0x7fff508fc41f (<unknown module>)
>> #6 0x7fffc09be41f in abort (libsystem_c.dylib:x86_64+0x5f41f)
>> #7 0x1107db8e5 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x778e5)
>> #8 0x1107da853 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x76853)
>> #9 0x1107c0d76 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5cd76)
>> #10 0x1107c07e1 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5c7e1)
>> #11 0x1107c139a in __asan_report_load2
>> (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5d39a)
>> #12 0x10f37fdf5 in CRsFecHeader::GetSourceBlockNumber() const
>> RsFecHeader.h:184
>> #13 0x10f3872a7 in
>> CMariRSRecoveryDecoder::flushSrcPackets(CRsFecHeader&)
>> MariRSRecoveryDecoder.cpp:722
>> #14 0x10f38e3ee in CMariRSRecoveryDecoder::recover(CRsFecHeader&)
>> MariRSRecoveryDecoder.cpp:649
>> #15 0x10f393365 in CMariRSRecoveryDecoder::receiveInd(unsigned int,
>> unsigned short, unsigned char const*, unsigned long, bool, unsigned int)
>> MariRSRecoveryDecoder.cpp:876
>> #16 0x10f2fd206 in LLVMFuzzerTestOneInput fec_decode_fuzz.cpp:42
>> #17 0x10f3f9a61 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
>> unsigned long) (decode_fuzz_test:x86_64+0x1000fea61)
>> #18 0x10f3f8553 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned
>> long, bool, fuzzer::InputInfo*) (decode_fuzz_test:x86_64+0x1000fd553)
>> #19 0x10f3ff200 in fuzzer::Fuzzer::MutateAndTestOne()
>> (decode_fuzz_test:x86_64+0x100104200)
>> #20 0x10f3ffac2 in fuzzer::Fuzzer::Loop()
>> (decode_fuzz_test:x86_64+0x100104ac2)
>> #21 0x10f3de11a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned
>> char const*, unsigned long)) (decode_fuzz_test:x86_64+0x1000e311a)
>> #22 0x10f3d022f in main (decode_fuzz_test:x86_64+0x1000d522f)
>> #23 0x7fffc092a234 in start (libdyld.dylib:x86_64+0x5234)
>>
>> NOTE: libFuzzer has rudimentary signal handlers.
>> Combine libFuzzer with AddressSanitizer or similar for better crash
>> reports.
>> SUMMARY: libFuzzer: deadly signal
>> MS: 2 ChangeBinInt-CrossOver-; base unit:
>> 39df3a26431dc09379d257bc172adeab21071c68
>> artifact_prefix='./'; Test unit written to
>> ./crash-96da7f498ec50184b4a59ff76016825944944534
>>
>>
>>
>> On Tuesday, August 22, 2017 at 12:44:53 PM UTC-7, Evgeniy Stepanov wrote:
>>>
>>> I don't know how common this algorithm is, given that it does N^2
>>> operations to remove N elements.
>>>
>>> But I don't see any container overflow here. Could you post the actual
>>> report?
>>>
>>> Does this look relevant to your setup:
>>>
>>> https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow#false-positives
>>>
>>>
>>> On Tue, Aug 22, 2017 at 11:54 AM, Jennifer Liu <[email protected]>
>>> wrote:
>>> > Is this false alarm of "container-overflow", it looks like very common
>>> way
>>> > to remove elements by iterator in while loop.
>>> >
>>> >
>>> > std::vector<Packet>::iterator it = m_packets.begin();
>>> >
>>> > while (it != m_packets.end()) {
>>> >
>>> > if (it->header.GetSourceBlockNumber() <=
>>> > rsrp.GetSourceBlockNumber()) {
>>> >
>>> > if (it->repair.pData != NULL) {
>>> >
>>> > free(it->repair.pData);
>>> >
>>> > it->repair.pData = NULL;
>>> >
>>> > }
>>> >
>>> > it = m_packets.erase(it);
>>> >
>>> > } else {
>>> >
>>> > ++it;
>>> >
>>> > }
>>> >
>>> > }
>>> >
>>> >
>>> > Thanks
>>> >
>>> >
>>> > --
>>> > You received this message because you are subscribed to the Google
>>> Groups
>>> > "address-sanitizer" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> an
>>> > email to [email protected].
>>> > For more options, visit https://groups.google.com/d/optout.
>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "address-sanitizer" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected] <javascript:>.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
--
You received this message because you are subscribed to the Google Groups
"address-sanitizer" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
