MSan reports in libFuzzer engine.
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6420114938527744

Fuzzer: libfuzzer_renderer_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  _start

Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97QYfBX-lFk2PdYgZ98cPS_nZnrylQpp8LzSmtVQUy28gLqy1XYC8MO-7M0dG6piMwel0-Fa1W-sW_XIzGPZ16WBYcUIGZ1G49KKE004T99K7ruEU9Iqs5hlhchrSBt16vKW1PTTuhyWolOh4D0WI8MN2xLtKsh6DrFUus4Fs_IDP0S14RTZkYQT9tp4PrBgPoyrGwmgvbtI62a0J_8ZAo-5K7B_4RarRJg9g2KXZaFkE2TSfHmemEz_KKFsRlVcLyo6KqeXZShOmDHToI29rQ5rcGtPC-UgNVezCvJBrmHi74Z7pz3oiPMXr2Wvza9IU8M6taMGOcTjL3qeuO_BbmXcXzBRrFQiWTv_aoWBDZeIKBoZEuynjMWHWVJlKaHY5M6JATpeeJiRQmn0Pyo6voHejmp8g?testcase_id=6420114938527744

Issue manually filed by: ochang

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Feb 23 2017
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6217522404917248

Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  __msan_warning_noreturn
  __msan_warning_noreturn
  __msan_warning_noreturn

Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv9734JTUkdj9t8UvI_JUDN7ESnKcispy61rFptreXwnHBbs2Dyh2Ht_Ku2uS5eMeBjA22EqsBOCot53nVroA_jTko5FQ9LebxOXEoaFVSSIEjLM-_J1DsyyhzGonJNkoA-5tOi4jz7lqNznFWpcIcC7fiPT5YBtCtNreUoLAawTxwADNLDm2_L37L197or0NKoN-26qn1lpOpdLVaFjmSo28750Z_cA14TyZqaed9J8r62611OF74gqNntvPPC1udND7yq2JcwQESqkagNBywaISY63lzaHF_lVUDpZd2zirEJvaB907XHcRegWhYkezjcrS8Mk2Lf_PMLxA1Hf83LQU9v8Nbt43ME1MawEUf5t3iBejJGcW3oZmfqKtzN2i0N-XpQzrDw7Bxe0-YWzAoXT-0aEVCA?testcase_id=6217522404917248

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Feb 23 2017
I think this was fixed in http://llvm.org/viewvc/llvm-project?view=revision&revision=294061
Feb 24 2017
Ok rolling forward.
Feb 24 2017
Confirmed. I can reproduce the error and with the updated libFuzzer -- I can't
Feb 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/67c468135356b4a7ab2ebb9eb4a76568bccb9ba1

commit 67c468135356b4a7ab2ebb9eb4a76568bccb9ba1
Author: inferno <inferno@chromium.org>
Date: Fri Feb 24 03:14:31 2017

Roll libFuzzer 64bdf91..5bcbfc5

https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer/+log/64bdf91..5bcbfc5

TBR=ochang@chromium.org,kcc@chromium.org
BUG= 695660

Review-Url: https://codereview.chromium.org/2717463005
Cr-Commit-Position: refs/heads/master@{#452733}

[modify] https://crrev.com/67c468135356b4a7ab2ebb9eb4a76568bccb9ba1/DEPS
Feb 25 2017
The 2 bugs are still there (https://cluster-fuzz.appspot.com/v2/crash-stats), now showing up in memmem https://cluster-fuzz.appspot.com/v2/testcase-detail/4537313750417408

Uninitialized bytes in __interceptor_memmem at offset 15 inside [0x7ffe69bc9cd1, 40)
==24543==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x512dd9 in fuzzer::SearchMemory(void const*, unsigned long, void const*, unsigned long) third_party/libFuzzer/src/FuzzerUtilPosix.cpp:118:10
    #1 0x4ef769 in fuzzer::MutationDispatcher::MakeDictionaryEntryFromCMP(void const*, void const*, void const*, void const*, unsigned long, unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerMutate.cpp:220:24
    #2 0x4eff01 in fuzzer::MutationDispatcher::MakeDictionaryEntryFromCMP(fuzzer::FixedWord<64ul> const&, fuzzer::FixedWord<64ul> const&, unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerMutate.cpp:245:10
    #3 0x4ecfd8 in fuzzer::MutationDispatcher::Mutate_AddWordFromTORC(unsigned char*, unsigned long, unsigned long) third_party/libFuzzer/src/FuzzerMutate.cpp:267:10
    #4 0x4f4eed in fuzzer::MutationDispatcher::MutateImpl(unsigned char*, unsigned long, unsigned long, std::__1::vector<fuzzer::MutationDispatcher::Mutator, std::__1::allocator<fuzzer::MutationDispatcher::Mutator> > const&) third_party/libFuzzer/src/FuzzerMutate.cpp:518:22
    #5 0x4c8877 in fuzzer::Fuzzer::MutateAndTestOne() third_party/libFuzzer/src/FuzzerLoop.cpp:750:18
    #6 0x4c9481 in fuzzer::Fuzzer::Loop() third_party/libFuzzer/src/FuzzerLoop.cpp:791:5
    #7 0x49b337 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:567:6
    #8 0x4d3ed0 in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
    #9 0x7f70c4318f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #10 0x422f64 in _start
Feb 25 2017
ClusterFuzz testcase 6217522404917248 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 28 2017
inferno, not sure what the status is? This bug got auto-closed? Should we re-open?
Feb 28 2017
Yes it still exists, attaching the new stacks.
Feb 28 2017
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4537313750417408

Fuzzer: libfuzzer_pdf_codec_fax_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  _start

Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95uSTEHYSTiYzJvRxIUAer8Y-UZGOX1KrvIOWdvavx_SkB-99XHF1kgH7H3xF5PiECmGazYpGOcHl3I0U4_Brpha6QuOmD4cnTWnLzU7ptPoixTH9okvIdYPLUfn1zUCfiToZRzWv0iWFXbXZP9Q9AqICB50KjJuQnk-enwl8hqdd5E6cKhRfEhpBx2onNnwqmTKWY2FcDHqNRUf5InjBM1xdmF_x1P9TJ8TV7lFa5WGkrD1CJs59MklbSBxLVUxD8Weq5kkEKxUylhobqd1VZe85_d8wOlb-kmih2nI6uxHY5GM8ejsTlN1w3nzF4hP55AozeQQlF3MyLy5kNyR0Zf-aR10aroWOw7o_KU14Hc2MPhO6k?testcase_id=4537313750417408

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Feb 28 2017
I may not have time in 1-2 weeks :( assigning to Mike
Mar 23 2017
Also seeing this on OSS-Fuzz side: https://github.com/google/oss-fuzz/issues/473#issuecomment-288497760
Mar 23 2017
ACK. We need to do some reconstructive surgery in the upstream LLVM build & test system -- currently we don't run libFuzzer's own tests with msan so we don't see these. (Sadly, the change won't be simple, and I may not have cycles for it). Meanwhile I'll try to fix the crashes you observe on oss-fuzz & CF
Mar 23 2017
I think the one in #14 should be fixed now.
Mar 24 2017
Thanks! Kicked off new builds for OSS-Fuzz and rolling libFuzzer (https://codereview.chromium.org/2775633003/).
Mar 24 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/34f9786f8f8c3f99ea00993244f6866a429f3c7c

commit 34f9786f8f8c3f99ea00993244f6866a429f3c7c
Author: ochang <ochang@chromium.org>
Date: Fri Mar 24 02:28:08 2017

Roll libFuzzer 34139b327..b9454401d

https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer/+log/34139b327..b9454401d

BUG= 695660
TBR=kcc@chromium.org,inferno@chromium.org,mmoroz@chromium.org

Review-Url: https://codereview.chromium.org/2775633003
Cr-Commit-Position: refs/heads/master@{#459342}

[modify] https://crrev.com/34f9786f8f8c3f99ea00993244f6866a429f3c7c/DEPS
May 2 2017
Bulk-WontFixing these bugs. This was a bug on ClusterFuzz side, see bug 717534. We will start seeing new testcases auto-filed in a day or two. We can't leave these open as ClusterFuzz won't autoverify them after ClusterFuzz-Wrong label.
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by och...@chromium.org, Feb 23 2017
Owner: kcc@chromium.org
Status: Assigned (was: Untriaged)
Summary: MSan reports in libFuzzer engine. (was: Use-of-uninitialized-value in _start)