libreoffice fuzzers crash on startup #224

Closed
inferno-chromium opened this issue Dec 28, 2016 · 8 comments
@inferno-chromium (Collaborator):

./wmffuzzer
==29580==Unmatched call to __lsan_enable().

@inferno-chromium (Collaborator, author):

@caolanm - did anything change on your side?

@mikea (Contributor) commented Dec 28, 2016:

The fuzzer runs perfectly fine on the build machine:

wmffuzzer -runs=32 /tmp/seed_corpus/
INFO: Seed: 1518977845
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: /tmp/seed_corpus/
INFO: -max_len is not provided, using 1048576
#0	READ units: 185
Slowest unit: 184 s:
artifact_prefix='./'; Test unit written to ./slow-unit-fe6a71b6675317e60f2f88b6e8ac415a6f78dc0e
#185	INITED cov: 12703 bits: 31242 indir: 542 corp: 154/10379Kb exec/s: 0 rss: 356Mb
#185	DONE   cov: 12703 bits: 31242 indir: 542 corp: 154/10379Kb exec/s: 0 rss: 357Mb
Done 185 runs in 722 second(s)

Investigating.

@mikea (Contributor) commented Dec 28, 2016:

I have downloaded the uploaded binaries and the fuzzer runs with the exact same command line:

root@6b00b248d961:/out# ./wmffuzzer -max_len=116 -rss_limit_mb=2048 -timeout=25 -artifact_prefix=/ -max_total_time=2950 -print_final_stats=1
INFO: Seed: 2119619214
INFO: Loaded 0 modules (0 guards): 
INFO: A corpus is not provided, starting from an empty corpus
#0      READ units: 1
#1      INITED cov: 493 bits: 440 indir: 147 corp: 1/1b exec/s: 0 rss: 97Mb
#2      NEW    cov: 579 bits: 440 indir: 147 corp: 2/2b exec/s: 0 rss: 97Mb L: 1 MS: 1 ChangeByte-
#3      NEW    cov: 589 bits: 440 indir: 147 corp: 3/3b exec/s: 0 rss: 97Mb L: 1 MS: 2 ChangeByte-ChangeBinInt-
#4      NEW    cov: 634 bits: 513 indir: 149 corp: 4/119b exec/s: 0 rss: 97Mb L: 116 MS: 3 ChangeByte-ChangeBinInt-CrossOver-
#7      NEW    cov: 635 bits: 513 indir: 149 corp: 5/120b exec/s: 0 rss: 97Mb L: 1 MS: 1 ShuffleBytes-
#8      NEW    cov: 636 bits: 513 indir: 149 corp: 6/122b exec/s: 0 rss: 97Mb L: 2 MS: 2 ShuffleBytes-CopyPart-
#10     NEW    cov: 642 bits: 519 indir: 149 corp: 7/176b exec/s: 0 rss: 97Mb L: 54 MS: 4 ShuffleBytes-CopyPart-ChangeBit-InsertRepeatedBytes-
#31     NEW    cov: 644 bits: 542 indir: 149 corp: 8/182b exec/s: 0 rss: 97Mb L: 6 MS: 5 ChangeByte-ShuffleBytes-ShuffleBytes-InsertByte-CopyPart-
#103    NEW    cov: 644 bits: 543 indir: 149 corp: 9/206b exec/s: 0 rss: 97Mb L: 24 MS: 2 InsertRepeatedBytes-InsertRepeatedBytes-
#200    NEW    cov: 646 bits: 551 indir: 149 corp: 10/228b exec/s: 0 rss: 98Mb L: 22 MS: 4 CMP-ChangeBit-ShuffleBytes-EraseBytes- DE: "\x00\x00\x00\x00\x00\x00\x00\x00"-
#220    NEW    cov: 646 bits: 556 indir: 149 corp: 11/247b exec/s: 0 rss: 98Mb L: 19 MS: 4 PersAutoDict-PersAutoDict-EraseBytes-InsertByte- DE: "\x00\x00\x00\x00\x00\x00\x00\x00"-"\x00\x00\x00\x00\x00\x00\x00\x00"-
#1120   NEW    cov: 648 bits: 570 indir: 149 corp: 12/363b exec/s: 0 rss: 100Mb L: 116 MS: 4 InsertRepeatedBytes-PersAutoDict-ChangeByte-CrossOver- DE: "\x00\x00\x00\x00\x00\x00\x00\x00"-
#2085   NEW    cov: 648 bits: 593 indir: 149 corp: 13/476b exec/s: 2085 rss: 103Mb L: 113 MS: 4 CrossOver-ShuffleBytes-ChangeBit-EraseBytes-
#4096   pulse  cov: 648 bits: 593 indir: 149 corp: 13/476b exec/s: 2048 rss: 108Mb
#8192   pulse  cov: 648 bits: 593 indir: 149 corp: 13/476b exec/s: 1638 rss: 115Mb
^C==18== libFuzzer: run interrupted; exiting
stat::number_of_executed_units: 13267
stat::average_exec_per_sec:     1658
stat::new_units_added:          12
stat::slowest_unit_time_sec:    0
stat::peak_rss_mb:              115

@mikea (Contributor) commented Dec 28, 2016:

gdb on the host shows this:

(gdb) run
Starting program: /mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_libreoffice_1722507a6b01db31fdc90b1e6c8b4b5d1d41878b/revisions/wmffuzzer 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
==32400==Unmatched call to __lsan_enable().

Breakpoint 2, __lsan::EnableInThisThread () at /src/llvm/projects/compiler-rt/lib/lsan/lsan_common.cc:42
42      /src/llvm/projects/compiler-rt/lib/lsan/lsan_common.cc: No such file or directory.
(gdb) bt
#0  __lsan::EnableInThisThread () at /src/llvm/projects/compiler-rt/lib/lsan/lsan_common.cc:42
#1  __lsan_enable () at /src/llvm/projects/compiler-rt/lib/lsan/lsan_common.cc:735
#2  0x000000000061b472 in LLVMFuzzerInitialize (argc=0x7fffffffe3a0, argv=0x7fffffffe3b0) at /src/libreoffice/vcl/workben/wmffuzzer.cxx:70
#3  0x00000000100c1f4f in fuzzer::FuzzerDriver (argc=0x7fffffffe3a0, argv=0x7fffffffe3b0, Callback=0x61c6a0 <LLVMFuzzerTestOneInput(uint8_t const*, size_t)>) at /src/libfuzzer/FuzzerDriver.cpp:361
#4  0x00000000100bc1e9 in main (argc=1, argv=0x7fffffffe558) at /src/libfuzzer/FuzzerMain.cpp:20

I think it is this change:

https://cgit.freedesktop.org/libreoffice/core/commit/vcl/workben/wmffuzzer.cxx?id=1f799a9495795292af6f170925543bcee3c8dbae

@mikea (Contributor) commented Dec 28, 2016:

Confirming the cause. The fuzzer runs with the leak detector off:

ASAN_OPTIONS=detect_leaks=0 ./wmffuzzer 
INFO: Seed: 266844937
INFO: Loaded 0 modules (0 guards): 
INFO: -max_len is not provided, using 64
INFO: A corpus is not provided, starting from an empty corpus
#0      READ units: 1
#1      INITED cov: 493 bits: 440 indir: 148 corp: 1/1b exec/s: 0 rss: 212Mb
#2      NEW    cov: 614 bits: 508 indir: 149 corp: 2/15b exec/s: 0 rss: 213Mb L: 14 MS: 1 InsertRepeatedBytes-
#3      NEW    cov: 624 bits: 508 indir: 149 corp: 3/30b exec/s: 0 rss: 213Mb L: 15 MS: 2 InsertRepeatedBytes-CrossOver-
#4      NEW    cov: 627 bits: 508 indir: 149 corp: 4/45b exec/s: 0 rss: 213Mb L: 15 MS: 3 InsertRepeatedBytes-CrossOver-CMP- DE: "\xff\xff"-
#5      NEW    cov: 628 bits: 508 indir: 149 corp: 5/61b exec/s: 0 rss: 213Mb L: 16 MS: 4 InsertRepeatedBytes-CrossOver-CMP-CrossOver- DE: "\xff\xff"-
#7      NEW    cov: 629 bits: 508 indir: 149 corp: 6/76b exec/s: 0 rss: 213Mb L: 15 MS: 1 ShuffleBytes-
#18     NEW    cov: 642 bits: 540 indir: 150 corp: 7/140b exec/s: 0 rss: 213Mb L: 64 MS: 2 EraseBytes-CrossOver-
#24     NEW    cov: 642 bits: 541 indir: 150 corp: 8/167b exec/s: 0 rss: 213Mb L: 27 MS: 3 InsertByte-EraseBytes-InsertRepeatedBytes-
#27     NEW    cov: 645 bits: 548 indir: 150 corp: 9/190b exec/s: 0 rss: 213Mb L: 23 MS: 1 CMP- DE: "\x00\x00\x00\x00\x00\x00\x00\x00"-
#79     NEW    cov: 646 bits: 549 indir: 150 corp: 10/232b exec/s: 0 rss: 214Mb L: 42 MS: 3 EraseBytes-CopyPart-InsertRepeatedBytes-
#120    NEW    cov: 646 bits: 556 indir: 150 corp: 11/252b exec/s: 0 rss: 214Mb L: 20 MS: 4 ShuffleBytes-InsertByte-PersAutoDict-InsertRepeatedBytes- DE: "\xff\xff"-
#151    NEW    cov: 648 bits: 570 indir: 150 corp: 12/310b exec/s: 0 rss: 214Mb L: 58 MS: 5 ShuffleBytes-CopyPart-PersAutoDict-PersAutoDict-InsertRepeatedBytes- DE: "\x00\x00\x00\x00\x00\x00\x00\x00"-"\x00\x00\x00\x00\x00\x00\x00\x00"-
^C==32521== libFuzzer: run interrupted; exiting

@caolanm, mind taking a look at your latest change?
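The backtrace above ends in LLVMFuzzerInitialize calling __lsan_enable() with no __lsan_disable() before it. LeakSanitizer keeps a per-thread disable counter; an enable at depth zero is reported as "Unmatched call to __lsan_enable()" and the process dies before the first input is executed, which is why every run aborts at startup and why ASAN_OPTIONS=detect_leaks=0 (which turns that check off) lets the fuzzer run. The C example below is added here and is not code from LibreOffice or OSS-Fuzz: it shows the matched disable/initialise/enable shape a fuzz target's initialisation should use, next to the unmatched shape, with a small guard that reports the mismatch instead of aborting. The lsan_guard_* functions, heavy_init and g_app_state are names invented for the example; the weak declarations of __lsan_disable/__lsan_enable are an assumed pattern so the file builds with or without -fsanitize=address.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Weak references to the LeakSanitizer interface. Under -fsanitize=address
   they bind to the runtime; otherwise they are NULL and the guard below
   still keeps its own count, so the file runs in either configuration.
   (Assumed pattern for this example, not LibreOffice code.) */
extern void __lsan_disable(void) __attribute__((weak));
extern void __lsan_enable(void) __attribute__((weak));

/* Nesting depth of disable() calls. LSan keeps an equivalent per-thread
   counter and aborts when enable() is called while it is zero. */
static _Thread_local int g_lsan_disable_depth = 0;

/* Stop LSan from reporting allocations made from here on. Allocations made
   while disabled are ignored by the leak check at exit. Returns the new
   nesting depth (>= 1). */
int lsan_guard_disable(void)
{
    if (__lsan_disable)
        __lsan_disable();
    return ++g_lsan_disable_depth;
}

/* Undo one lsan_guard_disable(). Returns the remaining depth, or -1 when
   there was no matching disable: calling __lsan_enable() directly at that
   point is what prints "Unmatched call to __lsan_enable()" and dies, the
   startup crash seen in this issue. The guard never makes that call. */
int lsan_guard_enable(void)
{
    if (g_lsan_disable_depth == 0) {
        fprintf(stderr, "lsan_guard: unmatched enable (LSan would abort here)\n");
        return -1;
    }
    if (__lsan_enable)
        __lsan_enable();
    return --g_lsan_disable_depth;
}

/* Stand-in for one-time application setup (LibreOffice's is far larger):
   the allocation lives for the whole process and is not a bug, but LSan
   would report it at exit unless it was made under a disable(). */
static char *g_app_state;
static void heavy_init(void)
{
    g_app_state = malloc(4096);
    if (g_app_state)
        g_app_state[0] = 0;
}

/* The failing shape: enable() with no disable() before it. Returns -1. */
int init_unmatched(void)
{
    heavy_init();
    return lsan_guard_enable();
}

/* The matched shape: disable, initialise, enable. Returns 0 (balanced).
   Every early-return path between the two calls must keep the pairing. */
int init_matched(void)
{
    lsan_guard_disable();
    heavy_init();
    return lsan_guard_enable();
}

/* libFuzzer entry points using the matched shape; the stand-alone main()
   below is dropped when the file is linked against libFuzzer. */
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
    (void)argc;
    (void)argv;
    return init_matched() == 0 ? 0 : 1;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    /* Toy consumer of the input: enough to exercise the state set up above. */
    if (g_app_state && size > 0)
        g_app_state[1] = (char)data[0];
    return 0; /* libFuzzer requires 0 */
}

int main(void)
{
    printf("unmatched enable -> %d\n", init_unmatched());
    printf("matched enable   -> %d\n", init_matched());
    return 0;
}
```

Built plainly (cc lsan_guard.c) the weak symbols are NULL and only the guard's own count is checked. Built with clang -fsanitize=address, the same file binds to the real runtime: the matched initialisation's allocation is made under a disable and is not reported at exit, while the unmatched one is, and ASAN_OPTIONS=detect_leaks=0 remains the triage switch to confirm that a startup abort is LSan's and not the target's.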

mikea added a commit that referenced this issue Dec 28, 2016
Fixes #9
Issues like #224 should fail the build now.
@mikea (Contributor) commented Dec 29, 2016:

I have implemented an "Unstable" build status (as in Jenkins). This currently means that the build succeeds but some fuzzers crash.

libreoffice is currently unstable as expected: https://oss-fuzz-build-logs.storage.googleapis.com/status.html

@inferno-chromium (Collaborator, author):

Awesome, thanks @mikea.

@inferno-chromium (Collaborator, author):

Build seems fixed and we are now seeing new issues. Also confirmed by stats. Thanks @mikea for finding the culprit CL and @caolanm for fixing.

DavidKorczynski pushed a commit that referenced this issue Jul 9, 2024
Current reports fail to generate `crash.json` page because
`benchmark_json()` misuses its parameter `benchmark` (a `str`) as a
`Benchmark` class.

This PR fixes it by adding a new function to generate `Benchmark()` with
the `benchmark` string.

The PR also adds the missing index JSON, and removes outdated sorting
pages.