| Issue | 173728 |
| Summary | [clang-fuzzer] Crash in clang::APValue::MakeArray |
| Labels | clang |
| Assignees | |
| Reporter | zczc66 |
Hi, while testing clang with AFL++, it found a crashing case:
Version: llvmorg-21.1.8
Flags:
```
export LLVM_CC_NAME=/home/user/hlpfuzz_aflpp/afl-clang-fast LLVM_CXX_NAME=/home/user/hlpfuzz_aflpp/afl-clang-fast++ CC=gclang CXX=gclang++
cmake -DLLVM_ENABLE_PROJECTS=clang -DCMAKE_BUILD_TYPE=Release -DLLVM_USE_SANITIZE_COVERAGE=On -DLLVM_BUILD_RUNTIME=Off -G "Unix Makefiles" ../llvm
make clang-fuzzer
```
PoC:
```
int main ( ) { int i , sum = 0 ; for ( i = 1 ; 0x61 ; i ++ ) { sum += 1 / ( 1 + 0x35 ) ; } ( i * 4 ) + 1 ; return 1 + ( ( { struct tree_el { int val ; struct tree_el * * right , * left ; } state_t [ 1 + - ( sizeof ( 0x1c ) ) ] [ ! ( ! ( ( 1 / ( ( ( 0.0 ) ) - ( 0xaa ) ) ) + 1 ) % 2 ) % 2 == sizeof ( sizeof ( i = i <= i ) ) ] ; 0x97 < 10000 ; } ) ) ; }
```
Reproduction (since building with ASan causes errors, I use gdb):
```
gdb -q --batch \
-x gdb_bt.cmd \
--args /home/user/repo/llvm-project/gllvm_build/bin/clang-fuzzer poc
```
gdb_bt.cmd:
```
set pagination off
set confirm off
set print thread-events off
handle SIGSTOP nostop noprint pass
handle SIGUSR1 nostop noprint pass
run
bt
quit
```
Crashing thread backtrace:
```
Running LLVMFuzzerInitialize ...
continue...
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737348065280) at ./nptl/pthread_kill.c:44
44 ./nptl/pthread_kill.c: No such file or directory.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737348065280) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737348065280) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737348065280, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7a7c476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff7a627f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff7d25b9e in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#6 0x00007ffff7d3120c in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#7 0x00007ffff7d31277 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6
#8 0x00007ffff7d314d8 in __cxa_throw () from /lib/x86_64-linux-gnu/libstdc++.so.6
#9 0x00007ffff7d257ac in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#10 0x0000555559c86742 in clang::APValue::Arr::Arr (this=0x7fffffff9950, NumElts=7213, Size=4294967293) at /home/user/repo/llvm-project/clang/lib/AST/APValue.cpp:295
#11 0x0000555559c8841d in clang::APValue::MakeArray (this=0x7fffffff9948, InitElts=7213, Size=6) at /home/user/repo/llvm-project/clang/lib/AST/APValue.cpp:1087
#12 0x000055555a136717 in clang::APValue::APValue (this=0x7fffffff9948, InitElts=<optimized out>, Size=<optimized out>) at /home/user/repo/llvm-project/clang/include/clang/AST/APValue.h:349
#13 (anonymous namespace)::ArrayExprEvaluator::VisitCXXConstructExpr (this=0x7fffffff9a10, E=0x55555e37e480, Subobject=..., Value=0x55555e380480, Type=...) at /home/user/repo/llvm-project/clang/lib/AST/ExprConstant.cpp:11444
#14 0x000055555a0a9129 in EvaluateArray (E=0x55555e37e480, This=..., Result=..., Info=...) at /home/user/repo/llvm-project/clang/lib/AST/ExprConstant.cpp:11186
#15 EvaluateInPlace (Result=..., Info=..., This=..., E=0x55555e37e480, AllowNonLiteralTypes=<optimized out>) at /home/user/repo/llvm-project/clang/lib/AST/ExprConstant.cpp:15831
#16 0x000055555a0e0f58 in EvaluateVarDecl (Info=..., VD=VD@entry=0x55555e37ddc0) at /home/user/repo/llvm-project/clang/lib/AST/ExprConstant.cpp:4982
#17 0x000055555a0e11a8 in EvaluateDecl (Info=..., D=D@entry=0x55555e37ddc0) at /home/user/repo/llvm-project/clang/lib/AST/ExprConstant.cpp:4996
#18 0x000055555a0d9acb in EvaluateStmt (Result=..., Info=..., S=<optimized out>, Case=<optimized out>, Case@entry=0x0) at /home/user/repo/llvm-project/clang/lib/AST/ExprConstant.cpp:5333
#19 0x000055555a1b08f9 in (anonymous namespace)::ExprEvaluatorBase<(anonymous namespace)::IntExprEvaluator>::VisitStmtExpr (this=0x7fffffffa060, E=<optimized out>) at /home/user/repo/llvm-project/clang/lib/AST/ExprConstant.cpp:8311
#20 0x000055555a0b0a76 in Evaluate (Result=..., Info=..., E=E@entry=0x55555e37e648) at /home/user/repo/llvm-project/clang/lib/AST/ExprConstant.cpp:15747
#21 0x000055555a0abd6f in EvaluateAsRValue (Info=..., E=E@entry=0x55555e37e648, Result=...) at /home/user/repo/llvm-project/clang/lib/AST/ExprConstant.cpp:15863
#22 0x000055555a0a4d7e in EvaluateAsRValue (E=0x55555e37e648, Result=..., Info=..., Ctx=...) at /home/user/repo/llvm-project/clang/lib/AST/ExprConstant.cpp:15934
#23 clang::Expr::EvaluateAsRValue (this=0x55555e37e648, Result=..., Ctx=..., InConstantContext=false) at /home/user/repo/llvm-project/clang/lib/AST/ExprConstant.cpp:15983
#24 0x00005555582a39ff in GetExprRange (C=..., E=0x55555e37e648, MaxWidth=1, InConstantContext=false, Approximate=true) at /home/user/repo/llvm-project/clang/lib/Sema/SemaChecking.cpp:9480
#25 0x000055555827726e in clang::Sema::CheckImplicitConversion (this=this@entry=0x55555e3493c0, E=E@entry=0x55555e37e648, T=..., CC=CC@entry=..., ICContext=ICContext@entry=0x0, IsListInit=64) at /home/user/repo/llvm-project/clang/lib/Sema/SemaChecking.cpp:11089
#26 0x0000555558280a29 in AnalyzeImplicitConversions (S=..., Item=..., WorkList=...) at /home/user/repo/llvm-project/clang/lib/Sema/SemaChecking.cpp:11366
#27 AnalyzeImplicitConversions (S=..., OrigE=OrigE@entry=0x55555e37e6a0, CC=CC@entry=..., IsListInit=false) at /home/user/repo/llvm-project/clang/lib/Sema/SemaChecking.cpp:11463
#28 0x0000555558286849 in clang::Sema::CheckImplicitConversions (this=0x55555e3493c0, E=0x55555e37e6a0, CC=...) at /home/user/repo/llvm-project/clang/lib/Sema/SemaChecking.cpp:11728
#29 clang::Sema::CheckCompletedExpr (this=0x55555e3493c0, E=<optimized out>, CheckLoc=..., IsConstexpr=false) at /home/user/repo/llvm-project/clang/lib/Sema/SemaChecking.cpp:12656
#30 0x000055555897a4d6 in clang::Sema::ActOnFinishFullExpr (this=0x55555e3493c0, FE=0x55555e37e6a0, CC=..., DiscardedValue=<optimized out>, IsConstexpr=120, IsTemplateArgument=<optimized out>) at /home/user/repo/llvm-project/clang/lib/Sema/SemaExprCXX.cpp:9092
#31 0x0000555558df210a in clang::Sema::BuildReturnStmt (this=this@entry=0x55555e3493c0, ReturnLoc=ReturnLoc@entry=..., RetValExp=0x1c2d, AllowRecovery=36) at /home/user/repo/llvm-project/clang/lib/Sema/SemaStmt.cpp:4046
#32 0x0000555558df0d69 in clang::Sema::ActOnReturnStmt (this=0x55555e3493c0, ReturnLoc=..., RetValExp=<optimized out>, CurScope=0x55555e360120) at /home/user/repo/llvm-project/clang/lib/Sema/SemaStmt.cpp:3751
#33 0x0000555557e5b73e in clang::Parser::ParseReturnStatement (this=this@entry=0x55555e356790) at /home/user/repo/llvm-project/clang/lib/Parse/ParseStmt.cpp:2468
#34 0x0000555557e4f7e0 in clang::Parser::ParseStatementOrDeclarationAfterAttributes (this=this@entry=0x55555e356790, Stmts=..., StmtCtx=StmtCtx@entry=clang::Parser::ParsedStmtContext::Compound, TrailingElseLoc=TrailingElseLoc@entry=0x0, CXX11Attrs=..., GNUAttrs=...) at /home/user/repo/llvm-project/clang/lib/Parse/ParseStmt.cpp:341
#35 0x0000555557e4e4f5 in clang::Parser::ParseStatementOrDeclaration (this=this@entry=0x55555e356790, Stmts=..., StmtCtx=6, StmtCtx@entry=clang::Parser::ParsedStmtContext::Compound, TrailingElseLoc=0x7ffff7ad09fc <__GI___pthread_kill+300>, TrailingElseLoc@entry=0x0) at /home/user/repo/llvm-project/clang/lib/Parse/ParseStmt.cpp:124
#36 0x0000555557e5f14c in clang::Parser::ParseCompoundStatementBody (this=this@entry=0x55555e356790, isStmtExpr=96) at /home/user/repo/llvm-project/clang/lib/Parse/ParseStmt.cpp:1248
#37 0x0000555557e612da in clang::Parser::ParseFunctionStatementBody (this=0x55555e356790, Decl=0x55555e35cdc8, BodyScope=...) at /home/user/repo/llvm-project/clang/lib/Parse/ParseStmt.cpp:2526
#38 0x0000555557cf1009 in clang::Parser::ParseFunctionDefinition (this=0x55555e356790, D=..., TemplateInfo=..., LateParsedAttrs=0x7fffffffba80) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:1525
#39 0x0000555557d31fe5 in clang::Parser::ParseDeclGroup (this=0x55555e356790, DS=..., Context=clang::DeclaratorContext::File, Attrs=..., TemplateInfo=..., DeclEnd=0x0, FRI=0x0) at /home/user/repo/llvm-project/clang/lib/Parse/ParseDecl.cpp:2402
#40 0x0000555557ceed0b in clang::Parser::ParseDeclOrFunctionDefInternal (this=this@entry=0x55555e356790, Attrs=..., DeclSpecAttrs=..., DS=..., AS=AS@entry=clang::AS_none) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:1249
#41 0x0000555557cedee1 in clang::Parser::ParseDeclarationOrFunctionDefinition (this=this@entry=0x55555e356790, Attrs=..., DeclSpecAttrs=..., DS=DS@entry=0x55555e356790, AS=4294940256, AS@entry=clang::AS_none) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:1271
#42 0x0000555557cec26d in clang::Parser::ParseExternalDeclaration (this=this@entry=0x55555e356790, Attrs=..., DeclSpecAttrs=..., DS=0x7ffff7ad09fc <__GI___pthread_kill+300>, DS@entry=0x0) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:1074
#43 0x0000555557ce8f6b in clang::Parser::ParseTopLevelDecl (this=this@entry=0x55555e356790, Result=..., ImportState=@0x7fffffffd724: clang::Sema::ModuleImportState::FirstDecl) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:763
#44 0x0000555557ce824f in clang::Parser::ParseFirstTopLevelDecl (this=0x55555e356790, Result=..., ImportState=@0x7fffffffd724: clang::Sema::ModuleImportState::FirstDecl) at /home/user/repo/llvm-project/clang/lib/Parse/Parser.cpp:608
#45 0x0000555557cdff8d in clang::ParseAST (S=..., PrintStats=false, SkipFunctionBodies=<optimized out>) at /home/user/repo/llvm-project/clang/lib/Parse/ParseAST.cpp:170
#46 0x0000555557b850e6 in clang::FrontendAction::Execute (this=0x55555e2c96c0) at /home/user/repo/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1078
#47 0x0000555557a4ae01 in clang::CompilerInstance::ExecuteAction (this=0x7fffffffd8d8, Act=...) at /home/user/repo/llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1061
#48 0x0000555557a02502 in clang::tooling::FrontendActionFactory::runInvocation (this=0x55555e2c1ef0, Invocation=..., Files=0x55555e2c6550, PCHContainerOps=..., DiagConsumer=0x7fffffffdaa0) at /home/user/repo/llvm-project/clang/lib/Tooling/Tooling.cpp:465
#49 0x0000555555acd136 in clang_fuzzer::HandleCXX (S="int main ( ) { int i , sum = 0 ; for ( i = 1 ; 0x61 ; i ++ ) { sum += 1 / ( 1 + 0x35 ) ; } ( i * 4 ) + 1 ; return 1 + ( ( { struct tree_el { int val ; struct tree_el * * right , * left ; } state_t [ 1"..., FileName=<optimized out>, ExtraArgs=std::vector of length 1, capacity 1 = {...}) at /home/user/repo/llvm-project/clang/tools/clang-fuzzer/handle-cxx/handle_cxx.cpp:49
#50 0x0000555555accad4 in LLVMFuzzerTestOneInput (data="" "int main ( ) { int i , sum = 0 ; for ( i = 1 ; 0x61 ; i ++ ) { sum += 1 / ( 1 + 0x35 ) ; } ( i * 4 ) + 1 ; return 1 + ( ( { struct tree_el { int val ; struct tree_el * * right , * left ; } state_t [ 1"..., size=<optimized out>) at /home/user/repo/llvm-project/clang/tools/clang-fuzzer/ClangFuzzer.cpp:23
#51 0x000055555c6f96ee in ExecuteFilesOnyByOne (argc=2, argv=0x7fffffffe328, callback=callback@entry=0x555555acc990 <LLVMFuzzerTestOneInput(uint8_t*, size_t)>) at aflpp_driver.c:256
#52 0x000055555c6f94de in LLVMFuzzerRunDriver (argcp=argcp@entry=0x7fffffffe1f4, argvp=argvp@entry=0x7fffffffe1f8, callback=0x555555acc990 <LLVMFuzzerTestOneInput(uint8_t*, size_t)>) at aflpp_driver.c:377
#53 0x000055555c6f901e in main (argc=argc@entry=2, argv=argv@entry=0x7fffffffe328) at aflpp_driver.c:312
#54 0x00007ffff7a63d90 in __libc_start_call_main (main=main@entry=0x55555c6f8f60 <main>, argc=argc@entry=2, argv=argv@entry=0x7fffffffe328) at ../sysdeps/nptl/libc_start_call_main.h:58
#55 0x00007ffff7a63e40 in __libc_start_main_impl (main=0x55555c6f8f60 <main>, argc=2, argv=0x7fffffffe328, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe318) at ../csu/libc-start.c:392
#56 0x0000555555acc8b5 in _start ()
```
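Added triage example, not part of the report or of clang's own code: it evaluates the first bound of `state_t` from the PoC, `1 + -(sizeof(0x1c))`, shows that it becomes 4294967293 once narrowed to an unsigned 32-bit element count (the `Size` value visible in frame #10), and contrasts that with a bound check done while the value is still signed plus an overflow-checked byte-size computation. It assumes `sizeof(int) == 4` as on the reporter's x86-64 host and a compiler that provides `__builtin_mul_overflow` (GCC/Clang).

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>

// The first bound of `state_t` in the PoC is `1 + -(sizeof(0x1c))`.
// sizeof(0x1c) is sizeof(int); this assumes 4, as on the reporter's x86-64
// host, so the bound evaluates to 1 - 4 = -3, which C does not allow as an
// array extent.
constexpr long long declaredBound() {
    return 1 + -static_cast<long long>(sizeof(0x1c));
}

// The same value after being narrowed to an unsigned 32-bit element count:
// -3 wraps to 4294967293, the Size shown in frame #10 of the backtrace.
constexpr uint32_t wrappedElementCount() {
    return static_cast<uint32_t>(declaredBound());
}

// Defensive variant: validate the bound while it is still signed, before it
// is narrowed, and cap it. Returns no value for a negative or oversize extent
// instead of handing a wrapped count to an allocator.
std::optional<uint32_t> checkedElementCount(long long bound, uint32_t maxElems) {
    if (bound < 0)
        return std::nullopt;  // negative extent: reject, do not wrap
    if (static_cast<unsigned long long>(bound) > maxElems)
        return std::nullopt;  // larger than any array worth materializing
    return static_cast<uint32_t>(bound);
}

// Byte size for `count` elements of `elemSize` bytes, with the multiplication
// checked for overflow (GCC/Clang builtin) so a huge count cannot silently
// become a small allocation or an uncaught std::bad_alloc.
std::optional<size_t> checkedArrayBytes(uint32_t count, size_t elemSize) {
    size_t bytes = 0;
    if (__builtin_mul_overflow(static_cast<size_t>(count), elemSize, &bytes))
        return std::nullopt;
    return bytes;
}
```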
_______________________________________________
llvm-bugs mailing list
[email protected]
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs