Issue 173727
Summary [clang-fuzzer] Crash in clang::QualType::hasQualifiers
Labels clang
Assignees
Reporter zczc66
    Hi, while fuzzing clang with AFL++ (the `clang-fuzzer` target), it found an input that crashes the frontend:
Version: llvmorg-21.1.8 (Release build; neither a sanitizer nor LLVM assertions are enabled by the flags below)

Build flags:
```
# Compiler wrappers: gclang/gclang++ drive AFL++'s afl-clang-fast/afl-clang-fast++ (paths are local to the reporter's machine)
export LLVM_CC_NAME=/home/user/hlpfuzz_aflpp/afl-clang-fast LLVM_CXX_NAME=/home/user/hlpfuzz_aflpp/afl-clang-fast++ CC=gclang CXX=gclang++
# Release build of clang only, SanitizerCoverage on, runtimes off; note that no sanitizer and no LLVM assertions are enabled here
cmake -DLLVM_ENABLE_PROJECTS=clang -DCMAKE_BUILD_TYPE=Release -DLLVM_USE_SANITIZE_COVERAGE=On -DLLVM_BUILD_RUNTIME=Off -G "Unix Makefiles" ../llvm
# Only the fuzz target is built; it is linked against the AFL++ driver (aflpp_driver.c in the backtrace below)
make clang-fuzzer
```

PoC (the single-line input file `poc`; clang-fuzzer feeds it to `HandleCXX`, so it is parsed as C++):
```
// Fuzzer-generated reproducer, kept verbatim (this leading comment is parse-neutral). clang-fuzzer hands it to HandleCXX, i.e. it is parsed as C++;
// the crash happens while deducing the `auto` type of `f2` from its `= 3.14` initializer (frames #3-#6 of the backtrace below).
int main ( ) { int a = "hello" ; auto ( * * f2 ) ( float ( * f2 ) ( const char * state_t [ 11 ] [ 1 / ( ( ( 1 / ( ( ( 1 + ( ( ( 1.234567e10 / ( ! ( ( 0.0 / ( ( __builtin_expect ( ( ( 1 + ( ( 1 + ( - - ( * "\n Enter values of x0,xn,h:\n" ) ) >> 10 ) - ( 1 / ( ( ( ( ( 0x52 >> 0x5b ) & 1 ) / ( ( ( 0x52 >> ( ( 0x52 >> 7 ) & ! ( 0x1c ^ ( ! 1 < 10000 ) ) ) ) > 0 ? 0 : ( * "Setup" + "\nfinal integration is %f" ) ) [ 10 ] ) ) ) ) + ( 1 / ( - - ( * "\n Enter values of x0,xn,h:\n" ) ) ) ) ) * 0x1b ) + ( 0.0 ) ) , 0 ) ) * 0x1b ) ) ) + ( 0.0 ) ) ) * 4 ) * ( ( 1 + - ( 1 + - ( ( ( 1 / ( 1 + ( 1 / ( ( ( ( 1 + ( 1 / ( ( ( 0.0 ) ) - 1 ) ) ) / ( 0x97 + ( 0.0 ) ) ) ) - 1 ) ) ) ) ) * ( 0 ) ) ) ) ) ) ) < 10000 ) ) ) + ( 1 / ( ( 0 ) ) ) >> 4 ) ) ] , volatile char * thousands , int thousands_len ) ( ) ( char * sbox [ sizeof ( ( 0x52 >> 7 ) & 1 / ( 1 + ( ( int ) ( 0x74 ) ) ) ) ] ) ) = 3.14 ; char * c = "literal" ; __builtin_printf ( "%d" , c ) ; int unused ; return a ; }
```

Reproduction (an ASan-instrumented build failed for me, so the trace below comes from the plain Release binary run under gdb; without a sanitizer or assertions it only shows where the invalid read happens, not the root cause, so a `-DLLVM_ENABLE_ASSERTIONS=On` build would likely give a more informative failure):
```
# Run the fuzz target on the PoC under gdb, non-interactively, executing the commands from gdb_bt.cmd (listed below)
gdb -q --batch \
    -x gdb_bt.cmd \
    --args /home/user/repo/llvm-project/gllvm_build/bin/clang-fuzzer poc
```

gdb_bt.cmd (the batch script passed via `-x` above):
```
# Batch-mode settings so gdb runs without prompts and prints one clean backtrace
set pagination off 
set confirm off
set print thread-events off
# Pass SIGSTOP/SIGUSR1 through to the target without stopping or printing, so they do not interrupt the run
handle SIGSTOP nostop noprint pass
handle SIGUSR1 nostop noprint pass
# Run to the crash, dump the crashing thread's stack, exit
run
bt
quit
```

Crashing thread backtrace (SIGSEGV on the `getCommonPtr()` dereference in `QualType::hasQualifiers`, reached from `Sema::DeduceAutoType` while deducing the `auto` type of `f2` from its `3.14` initializer, frames #0–#6; this is consistent with a null or otherwise invalid QualType reaching the check, but that needs confirming on an assertions or sanitizer build):
```
Program received signal SIGSEGV, Segmentation fault.
clang::QualType::hasQualifiers (this=<optimized out>) at /home/user/repo/llvm-project/clang/include/clang/AST/Type.h:7837
7837 getCommonPtr()->CanonicalType.hasLocalQualifiers();
#0 clang::QualType::hasQualifiers (this=<optimized out>) at /home/user/repo/llvm-project/clang/include/clang/AST/Type.h:7837
#1 AdjustFunctionParmAndArgTypesForDeduction (Arg=<optimized out>, FailedTSC=<optimized out>, S=..., TemplateParams=<optimized out>, FirstInnerIndex=<optimized out>, ParamType=..., ArgType=..., ArgClassification=..., TDF=<optimized out>) at /home/user/repo/llvm-project/clang/lib/Sema/SemaTemplateDeduction.cpp:4154
#2 DeduceTemplateArgumentsFromCallArgument (S=..., TemplateParams=TemplateParams@entry=0x7fffffff6de0, FirstInnerIndex=FirstInnerIndex@entry=0, ParamType=..., ArgType=..., ArgClassification=..., Arg=0x55555e37dd58, Info=..., Deduced=..., OriginalCallArgs=..., DecomposedParam=<optimized out>, ArgIdx=0, TDF=0, FailedTSC=0x0) at /home/user/repo/llvm-project/clang/lib/Sema/SemaTemplateDeduction.cpp:4340
#3 0x0000555558fb6c4c in clang::Sema::DeduceAutoType (this=0x55555e349790, Type=..., Init=<optimized out>, Result=..., Info=..., DependentDeduction=<optimized out>, IgnoreConstraints=<optimized out>, FailedTSC=<optimized out>) at /home/user/repo/llvm-project/clang/lib/Sema/SemaTemplateDeduction.cpp:5178
#4 0x000055555845b2fd in clang::Sema::deduceVarTypeFromInitializer (this=this@entry=0x55555e349790, VDecl=<optimized out>, VDecl@entry=0x55555e37dcf0, Name=..., Name@entry=..., Type=..., TSI=0x0, TSI@entry=0x55555e37dcb0, Range=..., DirectInit=false, Init=<optimized out>) at /home/user/repo/llvm-project/clang/lib/Sema/SemaDecl.cpp:12904
#5 0x000055555845bc01 in clang::Sema::DeduceVariableDeclarationType (this=this@entry=0x55555e349790, VDecl=VDecl@entry=0x55555e37dcf0, DirectInit=<optimized out>, Init=<optimized out>, Init@entry=0x55555e37dd58) at /home/user/repo/llvm-project/clang/lib/Sema/SemaDecl.cpp:12941
#6 0x000055555845c990 in clang::Sema::AddInitializerToDecl (this=0x55555e349790, RealDecl=0x55555e37dcf0, Init=0x55555e37dd58, DirectInit=164) at /home/user/repo/llvm-project/clang/lib/Sema/SemaDecl.cpp:13311
#7 0x0000555557d358e7 in clang::Parser::ParseDeclarationAfterDeclaratorAndAttributes (this=this@entry=0x55555e356b60, D=..., TemplateInfo=..., FRI=FRI@entry=0x0) at /home/user/repo/llvm-project/clang/lib/Parse/ParseDecl.cpp:2823
#8 0x0000555557d30890 in clang::Parser::ParseDeclGroup (this=this@entry=0x55555e356b60, DS=..., Context=Context@entry=clang::DeclaratorContext::Block, Attrs=..., TemplateInfo=..., DeclEnd=0x7fffffffb020, FRI=0x0) at /home/user/repo/llvm-project/clang/lib/Parse/ParseDecl.cpp:2516
#9 0x0000555557d2e5d0 in clang::Parser::ParseSimpleDeclaration (this=this@entry=0x55555e356b60, Context=clang::DeclaratorContext::Block, Context@entry=clang::DeclaratorContext::File, DeclEnd=..., DeclAttrs=..., DeclSpecAttrs=..., RequireSemi=52, FRI=0x0, DeclSpecStart=0x0) at /home/user/repo/llvm-project/clang/lib/Parse/ParseDecl.cpp:2135
#10 0x0000555557d2dabc in clang::Parser::ParseDeclaration (this=0x55555e356b60, Context=4294929888, DeclEnd=..., DeclAttrs=..., DeclSpecAttrs=..., DeclSpecStart=0x0) at /home/user/repo/llvm-project/clang/lib/Parse/ParseDecl.cpp:2028
#11 0x0000555557e50a55 in clang::Parser::ParseStatementOrDeclarationAfterAttributes (this=this@entry=0x55555e356b60, Stmts=..., StmtCtx=StmtCtx@entry=clang::Parser::ParsedStmtContext::Compound, TrailingElseLoc=TrailingElseLoc@entry=0x0, CXX11Attrs=..., GNUAttrs=...) at /home/user/repo/llvm-project/clang/lib/Parse/ParseStmt.cpp:259
#12 0x0000555557e4e4f5 in clang::Parser::ParseStatementOrDeclaration (this=this@entry=0x55555e356b60, Stmts=..., StmtCtx=clang::Parser::ParsedStmtContext::SubStmt, StmtCtx@entry=clang::Parser::ParsedStmtContext::Compound, TrailingElseLoc=TrailingElseLoc@entry=0x0) at /home/user/repo/llvm-project/clang/lib/Parse/ParseStmt.cpp:124
#13 0x0000555557e5f14c in clang::Parser::ParseCompoundStatementBody (this=this@entry=0x55555e356b60, isStmtExpr=96) at /home/user/repo/llvm-project/clang/lib/Parse/ParseStmt.cpp:1248
#14 0x0000555557e612da in clang::Parser::ParseFunctionStatementBody (this=0x55555e356b60, Decl=0x55555e35d198, BodyScope=...) at /home/user/repo/llvm-project/clang/lib/Parse/ParseStmt.cpp:2526
#15 0x0000555557cf1009 in clang::Parser::ParseFunctionDefinition (this=0x55555e356b60, D=..., TemplateInfo=..., LateParsedAttrs=0x7fffffffba80) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:1525
#16 0x0000555557d31fe5 in clang::Parser::ParseDeclGroup (this=0x55555e356b60, DS=..., Context=clang::DeclaratorContext::File, Attrs=..., TemplateInfo=..., DeclEnd=0x0, FRI=0x0) at /home/user/repo/llvm-project/clang/lib/Parse/ParseDecl.cpp:2402
#17 0x0000555557ceed0b in clang::Parser::ParseDeclOrFunctionDefInternal (this=this@entry=0x55555e356b60, Attrs=..., DeclSpecAttrs=..., DS=..., AS=AS@entry=clang::AS_none) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:1249
#18 0x0000555557cedee1 in clang::Parser::ParseDeclarationOrFunctionDefinition (this=this@entry=0x55555e356b60, Attrs=..., DeclSpecAttrs=..., DS=DS@entry=0x55555e356b60, AS=1580191984, AS@entry=clang::AS_none) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:1271
#19 0x0000555557cec26d in clang::Parser::ParseExternalDeclaration (this=this@entry=0x55555e356b60, Attrs=..., DeclSpecAttrs=..., DS=DS@entry=0x0) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:1074
#20 0x0000555557ce8f6b in clang::Parser::ParseTopLevelDecl (this=this@entry=0x55555e356b60, Result=..., ImportState=@0x7fffffffd724: clang::Sema::ModuleImportState::FirstDecl) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:763
#21 0x0000555557ce824f in clang::Parser::ParseFirstTopLevelDecl (this=0x55555e356b60, Result=..., ImportState=@0x7fffffffd724: clang::Sema::ModuleImportState::FirstDecl) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:608
#22 0x0000555557cdff8d in clang::ParseAST (S=..., PrintStats=false, SkipFunctionBodies=<optimized out>) at /home/user/repo/llvm-project/clang/lib/Parse/ParseAST.cpp:170
#23 0x0000555557b850e6 in clang::FrontendAction::Execute (this=0x55555e2c9a90) at /home/user/repo/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1078
#24 0x0000555557a4ae01 in clang::CompilerInstance::ExecuteAction (this=0x7fffffffd8d8, Act=...) at /home/user/repo/llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1061
#25 0x0000555557a02502 in clang::tooling::FrontendActionFactory::runInvocation (this=0x55555e2c1ef0, Invocation=..., Files=0x55555e2c6920, PCHContainerOps=..., DiagConsumer=0x7fffffffdaa0) at /home/user/repo/llvm-project/clang/lib/Tooling/Tooling.cpp:465
#26 0x0000555555acd136 in clang_fuzzer::HandleCXX (S="int main ( ) { int a = \"hello\" ; auto ( * * f2 ) ( float ( * f2 ) ( const char * state_t [ 11 ] [ 1 / ( ( ( 1 / ( ( ( 1 + ( ( ( 1.234567e10 / ( ! ( ( 0.0 / ( ( __builtin_expect ( ( ( 1 + ( ( 1 + ( - -"..., FileName=<optimized out>, ExtraArgs=std::vector of length 1, capacity 1 = {...}) at /home/user/repo/llvm-project/clang/tools/clang-fuzzer/handle-cxx/handle_cxx.cpp:49
#27 0x0000555555accad4 in LLVMFuzzerTestOneInput (data="" "int main ( ) { int a = \"hello\" ; auto ( * * f2 ) ( float ( * f2 ) ( const char * state_t [ 11 ] [ 1 / ( ( ( 1 / ( ( ( 1 + ( ( ( 1.234567e10 / ( ! ( ( 0.0 / ( ( __builtin_expect ( ( ( 1 + ( ( 1 + ( - -"..., size=<optimized out>) at /home/user/repo/llvm-project/clang/tools/clang-fuzzer/ClangFuzzer.cpp:23
#28 0x000055555c6f96ee in ExecuteFilesOnyByOne (argc=2, argv=0x7fffffffe328, callback=callback@entry=0x555555acc990 <LLVMFuzzerTestOneInput(uint8_t*, size_t)>) at aflpp_driver.c:256
#29 0x000055555c6f94de in LLVMFuzzerRunDriver (argcp=argcp@entry=0x7fffffffe1f4, argvp=argvp@entry=0x7fffffffe1f8, callback=0x555555acc990 <LLVMFuzzerTestOneInput(uint8_t*, size_t)>) at aflpp_driver.c:377
#30 0x000055555c6f901e in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe328) at aflpp_driver.c:312
#31 0x00007ffff7a63d90 in __libc_start_call_main (main=main@entry=0x55555c6f8f60 <main>, argc=argc@entry=2, argv=argv@entry=0x7fffffffe328) at ../sysdeps/nptl/libc_start_call_main.h:58
#32 0x00007ffff7a63e40 in __libc_start_main_impl (main=0x55555c6f8f60 <main>, argc=2, argv=0x7fffffffe328, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe318) at ../csu/libc-start.c:392
#33 0x0000555555acc8b5 in _start ()
```
