CHECK failure: source.covers(insns) in disassembler_dex.cc |
||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5358735254618112 Fuzzer: libFuzzer_zucchini_disassembler_dex_fuzzer Job Type: libfuzzer_chrome_asan_debug Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: source.covers(insns) in disassembler_dex.cc zucchini::CodeItemParser::GetCodeItemInsns zucchini::InstructionParser::InstructionParser Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=572202:572204 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5358735254618112 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Jul 13
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
,
Jul 13
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/c2a778621cbcd812e2687269ba3f10132a31df12 ([Zucchini] Add dissassembler_dex Fuzzer). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Jul 18
Update: ckitagawa@ has a preliminary CL that would relax the test: https://bugs.chromium.org/p/chromium/issues/detail?id=863478 However, I deemed that the DCHECK is proper, and decided to take a deeper look. Looks like the bug is due to 2 things: (1) insns size == 0 should be disallowed; this is DEX spec constraint A1: https://source.android.com/devices/tech/dalvik/constraints (2) BufferRegion::FitsIn() is too strict: We dictated that empty region won't fit in the end of buffer. I'm going to relax (2), and add a TODO for (1) (will have more rigorous checks in upcoming CL).
,
Jul 19
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2b31de169e783260c9e2fbaea295b39ae808fbf9 commit 2b31de169e783260c9e2fbaea295b39ae808fbf9 Author: Samuel Huang <huangs@chromium.org> Date: Thu Jul 19 14:32:28 2018 [Zucchini] Fix BufferRegion::FitsIn() so empty region fits at end of buffer. This CL is similar to: https://chromium-review.googlesource.com/1133688 BufferRegion::FitsIn() (and BufferViewBase::covers()) decides whether a BufferRegion fits inside a buffer. A special case is whether an empty region fits at the end of a buffer? Previously this was considered to be a pathological case, so the result is "false". However, this led to a DCHECK failure found by the DEX fuzzer: a CodeItem with insns_size = 0 is checked against an empty buffer. It may seem straightforward to change the DCHECK to a handled failure. However, the failing code (in CodeItemParser::GetCodeItemInsns()) occurs after CodeItem have been supposedly validated, so the DCHECK is correctly placed! Two causes are: (1) Technically insns_size should be > 0, as dictated by constraint A1 ("The insns array mus tnot be empty") in Dalvik spec. (2) The FitsIn() check is too stringent. This CL focuses on relaxing (2). This makes checking slightly more permissive elsewhere in code (patch_reader.cc and Win32 disassembler), but this looks like the right thing to do. As for (1), we plan to visit https://source.android.com/devices/tech/dalvik/constraints and implement more rigorous checks. So we simply add a TODO for now. Bug: 863478 Change-Id: Iacbb2bb9bf26701db960192c7b727351ea5afdec Reviewed-on: https://chromium-review.googlesource.com/1142517 Reviewed-by: agrieve <agrieve@chromium.org> Reviewed-by: Samuel Huang <huangs@chromium.org> Commit-Queue: Samuel Huang <huangs@chromium.org> Cr-Commit-Position: refs/heads/master@{#576482} [modify] https://crrev.com/2b31de169e783260c9e2fbaea295b39ae808fbf9/components/zucchini/buffer_view.h [modify] https://crrev.com/2b31de169e783260c9e2fbaea295b39ae808fbf9/components/zucchini/buffer_view_unittest.cc [modify] https://crrev.com/2b31de169e783260c9e2fbaea295b39ae808fbf9/components/zucchini/disassembler_dex.cc
,
Jul 19
,
Jul 20
ClusterFuzz has detected this issue as fixed in range 576481:576484. Detailed report: https://clusterfuzz.com/testcase?key=5358735254618112 Fuzzer: libFuzzer_zucchini_disassembler_dex_fuzzer Job Type: libfuzzer_chrome_asan_debug Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: source.covers(insns) in disassembler_dex.cc zucchini::CodeItemParser::GetCodeItemInsns zucchini::InstructionParser::InstructionParser Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=572202:572204 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=576481:576484 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5358735254618112 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 20
ClusterFuzz testcase 5358735254618112 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by ClusterFuzz
, Jul 13Labels: Test-Predator-Auto-Components