Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fuzz test occur runtime error #3144

Open
qweryzh opened this issue Jan 11, 2021 · 3 comments
Open

fuzz test occur runtime error #3144

qweryzh opened this issue Jan 11, 2021 · 3 comments
Labels

Comments

@qweryzh
Copy link

qweryzh commented Jan 11, 2021

src/memory/shared_ptr.hpp:202:17: runtime error: downcast of address 0x000003638870 which does not point to an object of type 'Sass::PreValue'
0x000003638870: note: object is of type 'Sass::Unary_Expression'
00 00 00 00 48 ff c7 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 84 63 03
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'Sass::Unary_Expression'
#0 0x6a037f in Sass::SharedImplSass::PreValue::SharedImplSass::Expression(Sass::Expression*) /src/libsass/src/memory/shared_ptr.hpp:202:17
#1 0x653594 in Sass::Parser::parse_selector_schema(char const*, bool) /src/libsass/src/parser.cpp:576:24
#2 0x6549cb in Sass::Parser::parse_ruleset(Lookahead) /src/libsass/src/parser.cpp:516:17
#3 0x648a0d in Sass::Parser::parse_block_node(bool) /src/libsass/src/parser.cpp:260:21
#4 0x644b10 in Sass::Parser::parse_block_nodes(bool) /src/libsass/src/parser.cpp:171:11
#5 0x6434c1 in Sass::Parser::parse() /src/libsass/src/parser.cpp:97:5
#6 0x587661 in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) /src/libsass/src/context.cpp:307:24
#7 0x590e16 in Sass::Data_Context::parse() /src/libsass/src/context.cpp:621:5
#8 0x4c456a in Sass::sass_parse_block(Sass_Compiler*) /src/libsass/src/sass_context.cpp:181:31
#9 0x4c4347 in sass_compiler_parse /src/libsass/src/sass_context.cpp:435:22
#10 0x4c3f1c in sass_compile_context(Sass_Context*, Sass::Context*) /src/libsass/src/sass_context.cpp:318:7
#11 0x4c1bc3 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:26:3
#12 0x452eb1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#13 0x43e212 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
#14 0x4442a7 in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:776:9
#15 0x46c8f2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#16 0x7fc7b762682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#17 0x418828 in _start (/out/data_context_fuzzer+0x418828)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/memory/shared_ptr.hpp:202:17 in

@qweryzh
Copy link
Author

qweryzh commented Jan 11, 2021

according to the error message,the problem is caused by the conversion of the base class and the derived class.
Sass::Unary_Expression,static_cast will not peforme security checks during the downcast conversion.resulting in the error.This problem can be avoided by changing static_cast to dynamic_cast.

I think this can solve the problem, please maintainer check this @hcatlin

@HamptonMakes
Copy link
Member

@qweryzh can you explain what you are doing to trigger this error? Are you running a specific bit of Sass to compile? Are you trying to run libsass in some specific environment?

@qweryzh
Copy link
Author

qweryzh commented Jan 12, 2021

@hcatlin This occurs when I running fuzz test cases.You can download test environment from https://github.com/google/oss-fuzz.git
and perform the following steps:
1.build
python3 infra/helper.py build_fuzzers --sanitizer undefined libsass
2. run
python3 infra/helper.py run_fuzzer libsass data_context_fuzzer -rss_limit_mb=0

and then you can reproduce above the failure

@mgreter mgreter added the Fuzzy label Mar 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants