Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

 Issue 787781  has been merged into this issue.

I can reproduce this with the downloadable ASAN build.

It looks like somehow the fuzzer support is not being set up correctly, since it triggers with an input that is simply an empty file.

Hi Max, can you help me with this issue? Can it happen that LLVMFuzzerInitialize (https://cs.chromium.org/chromium/src/v8/test/fuzzer/fuzzer-support.cc?q=FuzzerSupport&sq=package:chromium&dr=CSs&l=95) is not called? I made some cleanup changes in https://chromium-review.googlesource.com/c/v8/v8/+/792949 now, maybe this gives us more clarity.

Andreas, I would be very surprised, if LLVMFuzzerInitialize is not called on Linux, but it could be. We've seen similar issue on Mac, but it was happening because of linker issues on Mac.

For your case, have you tried debugging to verify that LLVMFuzzerInitialize is called on the fuzzer startup?

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5d433b2d65c1e9196ef725c2d34d62bc08fc584b

commit 5d433b2d65c1e9196ef725c2d34d62bc08fc584b
Author: Andreas Haas <ahaas@chromium.org>
Date: Wed Nov 29 16:36:23 2017

[fuzzer] Use std::unique_ptr for the FuzzerSupport

The FuzzerSupport was keeping a single instance of itself. With this CL,
this instance is now stored in a unique_ptr. Therefore it is not
necessary to register an onExit callback to delete the FuzzerSupport
instance.

Drive-by changes: Some cleanup with the FuzzerSupport.

R=clemensh@chromium.org

Bug:  chromium:787723 
Change-Id: I5188c7aa7e778ccd45fc80ed0115c947d23a0dee
Reviewed-on: https://chromium-review.googlesource.com/792949
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49723}
[modify] https://crrev.com/5d433b2d65c1e9196ef725c2d34d62bc08fc584b/test/fuzzer/fuzzer-support.cc
[modify] https://crrev.com/5d433b2d65c1e9196ef725c2d34d62bc08fc584b/test/fuzzer/fuzzer-support.h

Hi Max, this issue is happening on Mac. Is this a known issue? I have not been able to reproduce it on Linux, and I don't have a Mac.

Oh, that's happening on Mac, my bad! Let's wait and see if it gets fixed after your change. Otherwise, I'll take a look tomorrow.

Hi Max, the issue is still happening. It surprises me though that this null pointer exception is happening right after a DCHECK_NOT_NULL.

We are running only release build on Mac, so I guess DCHECK simply is not there. Thanks for letting me know, I'll try to reproduce and debug it on Mac.

Ah, okay. Thanks!

Yes, LLVMFuzzerInitialize is not called on Mac :(

$ lldb ~/projects/chromium/src/out/asan/v8_json_parser_fuzzer ./empty 
(lldb) target create "/Users/mmoroz/projects/chromium/src/out/asan/v8_json_parser_fuzzer"
Current executable set to '/Users/mmoroz/projects/chromium/src/out/asan/v8_json_parser_fuzzer' (x86_64).
(lldb) settings set -- target.run-args  "./empty"
(lldb) b LLVMFuzzerInitialize
Breakpoint 1: no locations (pending).
WARNING:  Unable to resolve breakpoint to any actual locations.
(lldb) b LLVMFuzzerTestOneInput
Breakpoint 2: where = v8_json_parser_fuzzer`::LLVMFuzzerTestOneInput() + 4 at json.cc:12, address = 0x0000000100001964
(lldb) 


I think we had some fix for that, let me try applying that.

Interesting, even though with -fsanitize=fuzzer LLVMFuzzerInitialize is linked in, it's still not called:


$ lldb out/asan/v8_json_parser_fuzzer
(lldb) target create "out/asan/v8_json_parser_fuzzer"
Current executable set to 'out/asan/v8_json_parser_fuzzer' (x86_64).
(lldb) b LLVMFuzzerInitialize
Breakpoint 1: where = v8_json_parser_fuzzer`::LLVMFuzzerInitialize() + 16 at fuzzer-support.cc:95, address = 0x0000000100072eb0
(lldb) b LLVMFuzzerTestOneInput
Breakpoint 2: where = v8_json_parser_fuzzer`::LLVMFuzzerTestOneInput() + 4 at json.cc:12, address = 0x0000000100001784
(lldb) r
Process 64926 launched: '/Users/mmoroz/projects/chromium/src/out/asan/v8_json_parser_fuzzer' (x86_64)
INFO: Seed: 1797863134
INFO: Loaded 1 modules   (367370 inline 8-bit counters): 367370 [0x10282f3c8, 0x102888ed2), 
INFO: Loaded 1 PC tables (367370 PCs): 367370 [0x102888ed8,0x102e23f78), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
v8_json_parser_fuzzer was compiled with optimization - stepping may behave oddly; variables may not be available.
Process 64926 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
    frame #0: 0x0000000100001784 v8_json_parser_fuzzer`::LLVMFuzzerTestOneInput() at json.cc:12 [opt]
   9   	#include "include/v8.h"
   10  	#include "test/fuzzer/fuzzer-support.h"
   11  	
-> 12  	extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   13  	  v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
   14  	  v8::Isolate* isolate = support->GetIsolate();
   15  	

Will take a closer look tomorrow, WIP version of the CL is https://chromium-review.googlesource.com/#/c/chromium/src/+/802395

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/004f348aba415381cf5b66801e0e0f26c41baae6

commit 004f348aba415381cf5b66801e0e0f26c41baae6
Author: Max Moroz <mmoroz@chromium.org>
Date: Tue Dec 19 18:18:11 2017

[fuzzer] Add attributes to LLVMFuzzerInitialize definition.

That prevents the linker from dead-stripping the function, as it is not called
directly, it is resolved in the runtime via dlsym().

Bug:  chromium:754124 ,  chromium:787723 
Change-Id: I46a02ef01349f59b7ed944ce1483b7277e234a19
Reviewed-on: https://chromium-review.googlesource.com/833995
Commit-Queue: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50212}
[modify] https://crrev.com/004f348aba415381cf5b66801e0e0f26c41baae6/test/fuzzer/fuzzer-support.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3ffbef33bcedf4fdc31d02df3290454b2d5f5812

commit 3ffbef33bcedf4fdc31d02df3290454b2d5f5812
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Tue Dec 19 18:57:01 2017

Revert "[fuzzer] Add attributes to LLVMFuzzerInitialize definition."

This reverts commit 004f348aba415381cf5b66801e0e0f26c41baae6.

Reason for revert: Breaks msvc compile: https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20msvc/builds/672

Original change's description:
> [fuzzer] Add attributes to LLVMFuzzerInitialize definition.
> 
> That prevents the linker from dead-stripping the function, as it is not called
> directly, it is resolved in the runtime via dlsym().
> 
> Bug:  chromium:754124 ,  chromium:787723 
> Change-Id: I46a02ef01349f59b7ed944ce1483b7277e234a19
> Reviewed-on: https://chromium-review.googlesource.com/833995
> Commit-Queue: Max Moroz <mmoroz@chromium.org>
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Mathias Bynens <mathias@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50212}

TBR=ahaas@chromium.org,mmoroz@chromium.org,mathias@chromium.org

Change-Id: Iba35b55ee4d11aca0dfb9cffde7a6a51e0c8e46c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  chromium:754124 ,  chromium:787723 
Reviewed-on: https://chromium-review.googlesource.com/834548
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50213}
[modify] https://crrev.com/3ffbef33bcedf4fdc31d02df3290454b2d5f5812/test/fuzzer/fuzzer-support.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f9eb31bb8eae3218ce5e17f58dfd920b2648790e

commit f9eb31bb8eae3218ce5e17f58dfd920b2648790e
Author: Max Moroz <mmoroz@chromium.org>
Date: Tue Dec 19 19:44:20 2017

[fuzzer] Declare LLVMFuzzerInitialize with attributes only if V8_OS_MACOSX.

R=ahaas@chromium.org, clemensh@chromium.org, mathias@chromium.org

Bug:  chromium:754124 ,  chromium:787723 
Change-Id: I7eafee50a47ca0ad56a5458f1f232e3ed07c1cca
Reviewed-on: https://chromium-review.googlesource.com/834457
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50217}
[modify] https://crrev.com/f9eb31bb8eae3218ce5e17f58dfd920b2648790e/test/fuzzer/fuzzer-support.cc

ClusterFuzz has detected this issue as fixed in range 525123:525236.

Detailed report: https://clusterfuzz.com/testcase?key=6553360202465280

Fuzzer: libFuzzer_v8_json_parser_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  v8_fuzzer::FuzzerSupport::GetIsolate
  json.cc
  start
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_libfuzzer_chrome_asan&range=493100:493156
Fixed: https://clusterfuzz.com/revisions?job=mac_libfuzzer_chrome_asan&range=525123:525236

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6553360202465280

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6553360202465280 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.