0x34d opened a new issue, #10174:
URL: https://github.com/apache/trafficserver/issues/10174

   PR: https://github.com/apache/trafficserver/pull/10151
   
   ### Flags:
   ```bash
   export CC=clang
   export CXX=clang++
   export CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr -fsanitize=fuzzer-no-link"
   export CXXFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr -fno-sanitize-recover=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr -fsanitize=fuzzer-no-link"
   export LIB_FUZZING_ENGINE=-fsanitize=fuzzer
   ```
   
   ### Compile
   ```bash
   mkdir -p build && cd build/
   cmake -DENABLE_POSIX_CAP=OFF -DENABLE_FUZZING=ON -DYAML_BUILD_SHARED_LIBS=OFF ../.
   make -j$(nproc)
   ```
   
   ### Reproduce bug
   
   `fuzz_http.cc`
   ```cpp
   #include "HTTP.h"
   #include "HttpCompat.h"
   #include "tscore/Diags.h"
   
   #define kMinInputLength 10
   #define kMaxInputLength 1024
   
   extern "C" int
   LLVMFuzzerTestOneInput(const uint8_t *input_data, size_t size_data)
   {
     if (size_data < kMinInputLength || size_data > kMaxInputLength) {
       return 0;
     }
   
     DiagsPtr::set(new Diags("fuzzing", "", "", nullptr)); // install a diagnostics sink before calling into ATS

     http_init(); // this call triggers the bug
   
     delete diags();
   
     return 0;
   }
   ```
   
   Calling `http_init();` or any other function triggers the bug.
   
   
   ### Root Cause:

   Any call to the `Debug` symbol causes this error.

   ```cpp
     Debug(DEBUG_TAG "_init", "<%s> Alignment request/actual (%" PRIu32 "/%" PRIu32 ")", name, alignment, f->alignment);
     Debug(DEBUG_TAG "_init", "<%s> Type Size request/actual (%" PRIu32 "/%" PRIu32 ")", name, type_size, f->type_size);
   ```
   
   #### NOTE: I did try some hacks but they are not working.
   
   
   ### Error:
   ```log
   SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/0x34d/project/trafficserver.upload/lib/swoc/include/swoc/ext/HashFNV.h:181:53 in 
   /home/0x34d/project/trafficserver.upload/src/tscore/ink_queue.cc:165:3: runtime error: member call on null pointer of type 'Diags'
   SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/0x34d/project/trafficserver.upload/src/tscore/ink_queue.cc:165:3 in 
   ```
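The failure mode in this report, a debug-logging macro that makes a member call through a process-wide diagnostics pointer that has not been installed yet, reduces to a small pattern. The following is an added, self-contained model of it (not Traffic Server code; `Diags`, `diags()`, `set_diags()` and the two macros are hypothetical stand-ins), showing the unguarded form UBSan's `null` check flags beside a guarded form that drops messages until a sink exists:

```cpp
// Added example, not ATS code: model of a logging macro that dereferences a
// global diagnostics pointer, unguarded vs. guarded. All names are hypothetical.
#include <cstddef>
#include <string>
#include <vector>

struct Diags {
  std::vector<std::string> lines;  // captured messages, so a test can inspect them
  bool on(const char *tag) const { return tag != nullptr; }
  void log(const char *tag, const char *msg) { lines.push_back(std::string(tag) + ": " + msg); }
};

static Diags *g_diags = nullptr;  // process-wide sink, installed late in startup
inline Diags *diags() { return g_diags; }
inline void set_diags(Diags *d) { g_diags = d; }

// Unguarded: when diags() is still null this is a member call on a null
// pointer, which is what -fsanitize=null reports in the issue above.
#define DEBUG_UNGUARDED(tag, msg) diags()->log(tag, msg)

// Guarded: test the sink before touching it, so init code and static
// initialisers that run before set_diags() are harmless instead of UB.
#define DEBUG_GUARDED(tag, msg)                      \
  do {                                               \
    Diags *d_ = diags();                             \
    if (d_ != nullptr && d_->on(tag)) {              \
      d_->log(tag, msg);                             \
    }                                                \
  } while (0)

// Init routine that logs before any sink is installed: the message is dropped.
// Returns how many lines reached a sink (0 when there is none).
size_t early_init_guarded() {
  DEBUG_GUARDED("http_init", "aligning freelist");
  return diags() != nullptr ? diags()->lines.size() : 0;
}

// Same routine after a sink is installed: the message is delivered.
size_t late_init_guarded(Diags &sink) {
  set_diags(&sink);
  DEBUG_GUARDED("http_init", "aligning freelist");
  size_t n = sink.lines.size();
  set_diags(nullptr);  // leave the global as we found it
  return n;
}
```

Building this with `-fsanitize=null -fno-sanitize-recover=null` and calling `DEBUG_UNGUARDED` before `set_diags()` aborts with the same "member call on null pointer" diagnostic; the guarded macro runs clean in both orders.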


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.