
Issue 628705 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 628503
Owner:
Closed: Jul 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Regression




Spurious crashes in 10 net fuzzers with ASan and both AFL and libFuzzer

Project Member Reported by metzman@google.com, Jul 15 2016

Issue description

The following fuzzers all crash on any input when built with ASan and AFL or libFuzzer:
1. net_data_job_fuzzer
2. net_ftp_directory_listing_fuzzer
3. net_get_domain_and_registry_fuzzer
4. net_host_resolver_impl_fuzzer
5. net_http_proxy_client_socket_fuzzer
6. net_http_stream_parser_fuzzer
7. net_socks5_client_socket_fuzzer
8. net_socks_client_socket_fuzzer
9. net_unescape_url_component_fuzzer
10. net_url_request_fuzzer
11. net_websocket_frame_parser_fuzzer

Though the stack traces are all different, ASan outputs the following for all of them:
SUMMARY: AddressSanitizer: SEGV base/memory/ref_counted.h:283:46 in scoped_refptr

Below are steps to reproduce with net_data_job_fuzzer:
$ echo " " > /tmp/empty
$ ~/Downloads/libfuzzer-linux-release-405743/net_data_job_fuzzer < /tmp/empty

INFO: Seed: 3841791362
INFO: -max_len is not provided, using 64
INFO: A corpus is not provided, starting from an empty corpus
#0	READ   units: 1 exec/s: 0
ASAN:DEADLYSIGNAL
=================================================================
==4482==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000237acf9 bp 0x7ffe2a4b9110 sp 0x7ffe2a4b90f0 T0)
==4482==The signal is caused by a READ memory access.
==4482==Hint: address points to the zero page.
    #0 0x237acf8 in scoped_refptr base/memory/ref_counted.h:283:46
    #1 0x237acf8 in base::ThreadTaskRunnerHandle::Get() base/threading/thread_task_runner_handle.cc:27
    #2 0x4f42f2 in URLRequestDataJobFuzzerHarness::URLRequestDataJobFuzzerHarness() net/url_request/url_request_data_job_fuzzer.cc:30:38
    #3 0x4f338b in New base/memory/singleton.h:54:16
    #4 0x4f338b in get base/memory/singleton.h:249
    #5 0x4f338b in GetInstance net/url_request/url_request_data_job_fuzzer.cc:38
    #6 0x4f338b in LLVMFuzzerTestOneInput net/url_request/url_request_data_job_fuzzer.cc:168
    #7 0x509217 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:488:13
    #8 0x507910 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:444:3
    #9 0x508435 in RunOne third_party/libFuzzer/src/FuzzerInternal.h:429:39
    #10 0x508435 in fuzzer::Fuzzer::ShuffleAndMinimize() third_party/libFuzzer/src/FuzzerLoop.cpp:402
    #11 0x4f9ce9 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:412:5
    #12 0x517c96 in main third_party/libFuzzer/src/FuzzerMain.cpp:21:10
    #13 0x7f5918a90f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV base/memory/ref_counted.h:283:46 in scoped_refptr
==4482==ABORTING


artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64: 


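The stack trace above bottoms out in ThreadTaskRunnerHandle::Get() reading address 0: the harness constructor (called through the Singleton from LLVMFuzzerTestOneInput) asks for the current thread's task runner before anything on that thread has installed one. The following is an added, self-contained illustration written for this page, not Chromium's code and not the fix recorded in the merged issue: every name in it (ThreadHandle, MessageLoop, Harness, HarnessWithoutLoop, GetHarness) is a hypothetical stand-in for base::ThreadTaskRunnerHandle, base::MessageLoop and the fuzzer's Singleton-held harness. It shows the same lookup-before-setup shape, with a lookup that returns null instead of dereferencing it, and one defensive ordering in which the harness owns a loop that is constructed before the lookup runs.

```cpp
// Added illustration, not Chromium code. Hypothetical stand-ins for
// base::ThreadTaskRunnerHandle / base::MessageLoop / the Singleton harness.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Records posted tasks so a fuzz iteration has something observable.
class TaskRunner {
 public:
  void PostTask(std::string task) { posted_.push_back(std::move(task)); }
  size_t posted_count() const { return posted_.size(); }
 private:
  std::vector<std::string> posted_;
};

// Per-thread slot, like base::ThreadTaskRunnerHandle: empty until something
// on this thread constructs one. In the report, Get() dereferences the unset
// per-thread pointer and faults at address 0; here Get() refuses instead.
class ThreadHandle {
 public:
  explicit ThreadHandle(TaskRunner* runner) : runner_(runner) {
    assert(current_ == nullptr && "one handle per thread");
    current_ = this;
  }
  ~ThreadHandle() { current_ = nullptr; }
  static bool IsSet() { return current_ != nullptr; }
  static TaskRunner* Get() { return IsSet() ? current_->runner_ : nullptr; }
 private:
  TaskRunner* runner_;
  static thread_local ThreadHandle* current_;
};
thread_local ThreadHandle* ThreadHandle::current_ = nullptr;

// Stand-in for base::MessageLoop: creating one binds the thread handle.
// runner_ is declared before handle_ so it is built first and torn down last.
class MessageLoop {
 public:
  MessageLoop() : handle_(&runner_) {}
 private:
  TaskRunner runner_;
  ThreadHandle handle_;
};

// Same shape as the crashing harness: the runner is looked up in the
// constructor while no loop exists on the thread. With the checked Get()
// this yields null; with an unchecked one it is the null dereference.
struct HarnessWithoutLoop {
  HarnessWithoutLoop() : task_runner(ThreadHandle::Get()) {}
  TaskRunner* task_runner;
};

// Defensive ordering: loop_ is declared before task_runner_, so it is
// constructed (and the thread handle bound) before the lookup runs.
class Harness {
 public:
  Harness() : task_runner_(ThreadHandle::Get()) { assert(task_runner_ != nullptr); }
  // One fuzz iteration: hand the input to a task, report tasks posted so far.
  size_t RunOne(const uint8_t* data, size_t size) {
    task_runner_->PostTask(std::string(reinterpret_cast<const char*>(data), size));
    return task_runner_->posted_count();
  }
 private:
  MessageLoop loop_;
  TaskRunner* task_runner_;
};

// Function-local static plays the role of base::Singleton<>::get().
Harness& GetHarness() {
  static Harness harness;
  return harness;
}

// Call before GetHarness() is first used: the singleton's loop binds the
// thread handle for the rest of the process lifetime.
bool LookupBeforeLoopIsNull() {
  HarnessWithoutLoop h;
  return h.task_runner == nullptr;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  GetHarness().RunOne(data, size);
  return 0;
}

int main() {
  std::printf("unbound lookup is null: %s\n", LookupBeforeLoopIsNull() ? "yes" : "no");
  const char* input = "data:text/plain,hello";  // constructed sample input
  LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t*>(input), std::strlen(input));
  std::printf("handle bound after harness init: %s\n", ThreadHandle::IsSet() ? "yes" : "no");
  return 0;
}
```

The member-order rule is the part worth carrying over to a real harness: whatever installs per-thread state (a message loop, a task environment) must be declared before any member whose initializer consults that state, or the lookup runs against an empty slot on the very first iteration, which is why every input crashed here. What actually regressed in build 1683 is tracked in the merged issue and is not stated on this page.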
Comment 1 by metzman@google.com, Jul 15 2016

Labels: -Type-Bug Type-Bug-Regression

Comment 2 by aarya@google.com, Jul 15 2016

Cc: eroman@chromium.org
Labels: -Pri-3 Pri-1

Comment 3 by metzman@google.com, Jul 15 2016

Crash first appears in libFuzzer ASan build 1683

Comment 4 by eroman@chromium.org, Jul 15 2016

Mergedinto: 628503
Status: Duplicate (was: Untriaged)
