[BUG] A SEGV in bloaty at `src/dwarf/debug_info.h:361:18` · Issue #398 · google/bloaty · GitHub
Open
@JJLeo

Description

  • Version: Latest commit e115514
  • Environment: Ubuntu 20.04.6 LTS, Clang 18.1.8

Steps to reproduce

export CC="clang"
export CXX="clang++"
export CFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer"
export CXXFLAGS="-fsanitize=address -g -O0 -fno-omit-frame-pointer -stdlib=libc++"
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
export SRC=$PWD
export WORK=$SRC/build
git clone https://github.com/google/bloaty.git
cd bloaty && git checkout e115514
mkdir -p $WORK
cd $WORK
cmake -G Ninja -DBUILD_TESTING=false $SRC/bloaty
ninja -j$(nproc)
wget https://github.com/user-attachments/files/19586797/bloaty_crash.txt -O bloaty_crash.in
$WORK/fuzz_target bloaty_crash.in

Sanitizer output

root@623b058aa2c7:/src# ./build/fuzz_target ./build/bloaty_crash.in 
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1144911734
./build/fuzz_target: Running 1 inputs 1 time(s) each.
Running: ./build/bloaty_crash.in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==138838==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x605d6f3c7280 bp 0x74afbebff650 sp 0x74afbebff520 T5)
==138838==The signal is caused by a READ memory access.
==138838==Hint: address points to the zero page.
    #0 0x605d6f3c7280 in ReadAttributes<(lambda at /src/bloaty/src/dwarf/debug_info.cc:203:22)> /src/bloaty/src/dwarf/debug_info.h:361:18
    #1 0x605d6f3c7280 in bloaty::dwarf::CU::ReadTopLevelDIE(bloaty::dwarf::InfoReader&) /src/bloaty/src/dwarf/debug_info.cc:202:14
    #2 0x605d6f3c69b0 in bloaty::dwarf::CU::ReadHeader(std::__1::basic_string_view<char, std::__1::char_traits<char>>, std::__1::basic_string_view<char, std::__1::char_traits<char>>, bloaty::dwarf::InfoReader::Section, bloaty::dwarf::InfoReader&) /src/bloaty/src/dwarf/debug_info.cc:185:3
    #3 0x605d6f3c5fb1 in bloaty::dwarf::CUIter::NextCU(bloaty::dwarf::InfoReader&, bloaty::dwarf::CU*) /src/bloaty/src/dwarf/debug_info.cc:121:7
    #4 0x605d6f3b95a8 in bloaty::ReadDWARFDebugInfo(bloaty::dwarf::InfoReader&, bloaty::dwarf::InfoReader::Section, bloaty::DualMap const&, bloaty::RangeSink*) /src/bloaty/src/dwarf.cc:595:15
    #5 0x605d6f3b8c5c in bloaty::ReadDWARFCompileUnits(bloaty::dwarf::File const&, bloaty::DualMap const&, bloaty::dwarf::CU const*, bloaty::RangeSink*) /src/bloaty/src/dwarf.cc:670:3
    #6 0x605d6f357da1 in ReadDWARFCompileUnits /src/bloaty/src/bloaty.h:306:10
    #7 0x605d6f357da1 in bloaty::(anonymous namespace)::ElfObjectFile::ProcessFile(std::__1::vector<bloaty::RangeSink*, std::__1::allocator<bloaty::RangeSink*>> const&) const /src/bloaty/src/elf.cc:1333:11
    #8 0x605d6f314705 in bloaty::Bloaty::ScanAndRollupFile(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, bloaty::Rollup*, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>*) const /src/bloaty/src/bloaty.cc:1798:9
    #9 0x605d6f31bda6 in operator() /src/bloaty/src/bloaty.cc:1863:15
    #10 0x605d6f31bda6 in __invoke<(lambda at /src/bloaty/src/bloaty.cc:1859:9), PerThreadData *> /usr/local/bin/../include/c++/v1/__type_traits/invoke.h:344:25
    #11 0x605d6f31bda6 in __thread_execute<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, (lambda at /src/bloaty/src/bloaty.cc:1859:9), PerThreadData *, 2UL> /usr/local/bin/../include/c++/v1/__thread/thread.h:193:3
    #12 0x605d6f31bda6 in void* std::__1::__thread_proxy[abi:ne180100]<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct>>, bloaty::Bloaty::ScanAndRollupFiles(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>*, bloaty::Rollup*) const::$_0, bloaty::Bloaty::ScanAndRollupFiles(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>*, bloaty::Rollup*) const::PerThreadData*>>(void*) /usr/local/bin/../include/c++/v1/__thread/thread.h:202:3
    #13 0x605d6f2beef8 in asan_thread_start(void*) /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
    #14 0x74afc5021608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8608) (BuildId: 5cfb896dd40f90aa8c6c8bb856004d1f5cfe293c)
    #15 0x74afc4f07352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/bloaty/src/dwarf/debug_info.h:361:18 in ReadAttributes<(lambda at /src/bloaty/src/dwarf/debug_info.cc:203:22)>
Thread T5 created by T0 here:
    #0 0x605d6f2a6f41 in pthread_create /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
    #1 0x605d6f315a9f in __libcpp_thread_create /usr/local/bin/../include/c++/v1/__threading_support:317:10
    #2 0x605d6f315a9f in thread<(lambda at /src/bloaty/src/bloaty.cc:1859:9), PerThreadData *, void> /usr/local/bin/../include/c++/v1/__thread/thread.h:212:14
    #3 0x605d6f315a9f in bloaty::Bloaty::ScanAndRollupFiles(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>*, bloaty::Rollup*) const /src/bloaty/src/bloaty.cc:1858:18
    #4 0x605d6f31645d in bloaty::Bloaty::ScanAndRollup(bloaty::Options const&, bloaty::RollupOutput*) /src/bloaty/src/bloaty.cc:1906:3
    #5 0x605d6f31afab in bloaty::BloatyDoMain(bloaty::Options const&, bloaty::InputFileFactory const&, bloaty::RollupOutput*) /src/bloaty/src/bloaty.cc:2322:12
    #6 0x605d6f31b371 in bloaty::BloatyMain(bloaty::Options const&, bloaty::InputFileFactory const&, bloaty::RollupOutput*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*) /src/bloaty/src/bloaty.cc:2331:5
    #7 0x605d6f300dc9 in bloaty::RunBloaty(bloaty::InputFileFactory const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) /src/bloaty/tests/fuzz_target.cc:57:3
    #8 0x605d6f301247 in LLVMFuzzerTestOneInput /src/bloaty/tests/fuzz_target.cc:70:3
    #9 0x605d6f1b55f0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #10 0x605d6f1a0865 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #11 0x605d6f1a62ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #12 0x605d6f1d15a2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x74afc4e0c082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0323ab4806bee6f846d9ad4bccfc29afdca49a58)

==138838==ABORTING

POC

bloaty_crash.txt

Credit

Reported by Yifan Zhang, PLL
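For triage of reports like the one above, the following added example (not part of this issue or of bloaty) parses a constructed excerpt of the quoted AddressSanitizer output, classifies the fault (a read at `0x8`, a zero-page address, is a null dereference of a field at offset 8) and derives an address-free dedup signature from the top in-project frames. The `/src/bloaty/` project prefix and the `depth=3` choice are assumptions.

```python
import os
import re

# Constructed excerpt of the AddressSanitizer report quoted in this issue
# (frames abbreviated; the full report has more frames and a second trace).
ASAN_REPORT = """\
==138838==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x605d6f3c7280 bp 0x74afbebff650 sp 0x74afbebff520 T5)
==138838==The signal is caused by a READ memory access.
==138838==Hint: address points to the zero page.
    #0 0x605d6f3c7280 in ReadAttributes<(lambda at /src/bloaty/src/dwarf/debug_info.cc:203:22)> /src/bloaty/src/dwarf/debug_info.h:361:18
    #1 0x605d6f3c7280 in bloaty::dwarf::CU::ReadTopLevelDIE(bloaty::dwarf::InfoReader&) /src/bloaty/src/dwarf/debug_info.cc:202:14
    #2 0x605d6f3c69b0 in bloaty::dwarf::CU::ReadHeader(...) /src/bloaty/src/dwarf/debug_info.cc:185:3
    #13 0x605d6f2beef8 in asan_thread_start(void*) /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:239:28
SUMMARY: AddressSanitizer: SEGV /src/bloaty/src/dwarf/debug_info.h:361:18 in ReadAttributes<(lambda at /src/bloaty/src/dwarf/debug_info.cc:203:22)>
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)(?: on (?:unknown )?address (0x[0-9a-fA-F]+))?")
# Symbolized frame: "#N 0xPC in SYMBOL /path/file:LINE[:COL]". Frames that only
# carry "(module+offset)" (libc, libpthread) do not match and are skipped.
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-fA-F]+ in (.*?) (/\S+?):(\d+)(?::\d+)?$", re.M)


def parse_report(text):
    """Extract error kind, faulting address and (symbol, file, line) frames."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("no AddressSanitizer ERROR line found")
    kind, addr = m.group(1), m.group(2)
    frames = []
    for sym, path, line in FRAME_RE.findall(text):
        # Drop template arguments / parameter lists: "Foo<...>" or "Foo(...)" -> "Foo".
        frames.append((re.split(r"[<(]", sym, maxsplit=1)[0].strip(), path, int(line)))
    return {"kind": kind, "address": int(addr, 16) if addr else None, "frames": frames}


def classify(report):
    """A SEGV at a zero-page address is a null dereference (0x8 here = field at offset 8)."""
    if report["kind"] == "SEGV" and report["address"] is not None and report["address"] < 0x1000:
        return "null-deref"
    return report["kind"].lower()


def signature(report, project_prefix="/src/bloaty/", depth=3):
    """Dedup key: fault class plus the top `depth` in-project frames, addresses stripped
    so re-runs under ASLR or after a rebuild land in the same bucket."""
    own = [f for f in report["frames"] if f[1].startswith(project_prefix)][:depth]
    parts = [f"{report['kind']}:{classify(report)}"]
    parts += [f"{sym}@{os.path.basename(path)}:{line}" for sym, path, line in own]
    return "|".join(parts)
```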
