Undefined behavior #89

Closed
razzeee opened this issue Mar 7, 2021 · 0 comments · Fixed by #90
razzeee commented Mar 7, 2021

Hey, I've run libFuzzer on our parser with the instructions from ikatyang/tree-sitter-markdown#14, and while it doesn't crash, it still reports these cases of undefined behavior:

razze@razze:~/dev/tree-sitter$ ./out/python_fuzzer 
INFO: Seed: 1630354177
INFO: Loaded 1 modules   (3997 inline 8-bit counters): 3997 [0x677250, 0x6781ed), 
INFO: Loaded 1 PC tables (3997 PCs): 3997 [0x5deb38,0x5ee508), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 398 ft: 399 corp: 1/1b exec/s: 0 rss: 40Mb
#3      NEW    cov: 438 ft: 620 corp: 2/2b lim: 4 exec/s: 0 rss: 40Mb L: 1/1 MS: 1 ChangeBit-
#5      NEW    cov: 450 ft: 720 corp: 3/4b lim: 4 exec/s: 0 rss: 41Mb L: 2/2 MS: 2 CrossOver-InsertByte-
#6      NEW    cov: 456 ft: 772 corp: 4/6b lim: 4 exec/s: 0 rss: 41Mb L: 2/2 MS: 1 InsertByte-
#7      NEW    cov: 456 ft: 871 corp: 5/10b lim: 4 exec/s: 0 rss: 41Mb L: 4/4 MS: 1 CrossOver-
#9      NEW    cov: 457 ft: 981 corp: 6/14b lim: 4 exec/s: 0 rss: 41Mb L: 4/4 MS: 2 CrossOver-ShuffleBytes-
#12     NEW    cov: 457 ft: 982 corp: 7/16b lim: 4 exec/s: 0 rss: 41Mb L: 2/4 MS: 3 ShuffleBytes-EraseBytes-EraseBytes-
#19     NEW    cov: 474 ft: 1093 corp: 8/18b lim: 4 exec/s: 0 rss: 41Mb L: 2/4 MS: 2 ShuffleBytes-ChangeByte-
#20     NEW    cov: 483 ft: 1104 corp: 9/20b lim: 4 exec/s: 0 rss: 41Mb L: 2/4 MS: 1 InsertByte-
#22     NEW    cov: 483 ft: 1122 corp: 10/23b lim: 4 exec/s: 0 rss: 41Mb L: 3/4 MS: 2 ShuffleBytes-InsertByte-
#24     NEW    cov: 483 ft: 1141 corp: 11/25b lim: 4 exec/s: 0 rss: 41Mb L: 2/4 MS: 2 CrossOver-ChangeByte-
#27     NEW    cov: 483 ft: 1166 corp: 12/29b lim: 4 exec/s: 0 rss: 41Mb L: 4/4 MS: 3 ChangeByte-EraseBytes-CopyPart-
#28     NEW    cov: 483 ft: 1167 corp: 13/30b lim: 4 exec/s: 0 rss: 41Mb L: 1/4 MS: 1 EraseBytes-
#33     NEW    cov: 490 ft: 1177 corp: 14/33b lim: 4 exec/s: 0 rss: 41Mb L: 3/4 MS: 5 ShuffleBytes-ChangeBit-CopyPart-ChangeBit-ChangeBit-
#34     NEW    cov: 490 ft: 1187 corp: 15/36b lim: 4 exec/s: 0 rss: 41Mb L: 3/4 MS: 1 InsertByte-
#35     NEW    cov: 490 ft: 1188 corp: 16/40b lim: 4 exec/s: 0 rss: 41Mb L: 4/4 MS: 1 CrossOver-
#38     NEW    cov: 490 ft: 1193 corp: 17/42b lim: 4 exec/s: 0 rss: 41Mb L: 2/4 MS: 3 ChangeBit-ChangeBit-CrossOver-
#39     NEW    cov: 496 ft: 1201 corp: 18/44b lim: 4 exec/s: 0 rss: 41Mb L: 2/4 MS: 1 InsertByte-
#40     NEW    cov: 498 ft: 1203 corp: 19/46b lim: 4 exec/s: 0 rss: 41Mb L: 2/4 MS: 1 ChangeByte-
test/fixtures/grammars/python/src/scanner.cc:106:24: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior test/fixtures/grammars/python/src/scanner.cc:106:24 in 
test/fixtures/grammars/python/src/scanner.cc:130:14: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior test/fixtures/grammars/python/src/scanner.cc:130:14 in 
        NEW_FUNC[1/8]: 0x55d610 in tree_sitter_python_external_scanner_serialize /home/razze/dev/tree-sitter/test/fixtures/grammars/python/src/scanner.cc:376
        NEW_FUNC[2/8]: 0x55d690 in (anonymous namespace)::Scanner::serialize(char*) /home/razze/dev/tree-sitter/test/fixtures/grammars/python/src/scanner.cc:99
[...]
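Both UBSan reports above come from memcpy being handed a null pointer, which its nonnull attribute forbids even when the length is zero. As an added illustration (not code from tree-sitter or from the issue author), the C below shows the UB-prone copy next to the two defensive forms, using a hypothetical fixed-size scanner state and assuming, as tree-sitter's runtime does when no prior state exists, that deserialize can be called with a NULL buffer and length 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for an external scanner's saved state: a small
 * fixed-capacity stack of indentation lengths (assumed shape, not the real
 * tree-sitter-python scanner). */
#define MAX_STATE 32

typedef struct {
  uint8_t indent_length_stack[MAX_STATE];
  size_t count;
} ScannerState;

/* UB-prone pattern (what UBSan flagged): memcpy declares both pointer
 * arguments nonnull, so passing NULL is undefined behaviour regardless of
 * length. The runtime resets a scanner via deserialize(payload, NULL, 0),
 * so this call is reached with buffer == NULL. Never call this with NULL. */
static void deserialize_unsafe(ScannerState *s, const char *buffer, unsigned length) {
  s->count = length;
  memcpy(s->indent_length_stack, buffer, length); /* UB when buffer is NULL */
}

/* Fix 1: guard the NULL / zero-length case before touching memcpy.
 * Also clamp length so a corrupt or fuzzed size cannot overrun the array. */
static unsigned deserialize_guarded(ScannerState *s, const char *buffer, unsigned length) {
  if (length > MAX_STATE) length = MAX_STATE;
  s->count = length;
  if (buffer != NULL && length > 0) {
    memcpy(s->indent_length_stack, buffer, length);
  }
  return length; /* bytes actually restored */
}

/* Fix 2 (the approach taken in the referenced fix): a byte-wise loop. With
 * length == 0 the body never runs, so a NULL buffer is never dereferenced. */
static unsigned deserialize_loop(ScannerState *s, const char *buffer, unsigned length) {
  if (length > MAX_STATE) length = MAX_STATE;
  s->count = length;
  for (unsigned i = 0; i < length; i++) {
    s->indent_length_stack[i] = (uint8_t)buffer[i];
  }
  return length;
}
```

Building with `-fsanitize=undefined` and calling `deserialize_unsafe` with `NULL, 0` reproduces the "null pointer passed as argument ... declared to never be null" report; the two fixed variants are silent under the same sanitizer.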
razzeee added a commit that referenced this issue Mar 7, 2021
Fuzzing did show two cases of undefined behavior. memcpy
can cause problems, so we'll use a loop instead.

Fixes #89