[pw_fuzzer] Blocker in integration of Test Fixtures #35369

Open
Alami-Amine opened this issue Sep 3, 2024 · 1 comment
Labels: bug (Something isn't working)

Alami-Amine (Contributor) commented Sep 3, 2024

This issue was encountered while integrating the pw_fuzzer FuzzTest framework (#34352).

  • The FuzzTest framework supports test fixtures. However, an ASAN heap-buffer-overflow error is triggered when trying to use them; this could be a missing dependency in Pigweed's GN files.

  • This was tried with many variations of the test, stripped down to a minimum.

Next Action

  • Check with Pigweed folks on the issue

Error Log

$ ./fuzz-chip-cert-pw-fixture 
[.] Sanitizer coverage enabled. Counter map size: 7847, Cmp map size: 262144
[==========] Running 1 test from 1 test suite.
[----------] Global test environment set-up.
[----------] 1 test from ChipCertDecodeFuzzTest
=================================================================
==798313==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x503000000b40 at pc 0x5f8fdedaa0b4 bp 0x7fff2e67da90 sp 0x7fff2e67d250
WRITE of size 32 at 0x503000000b40 thread T0
    #0 0x5f8fdedaa0b3 in __asan_memcpy ../../../../../../llvm-llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
    #1 0x5f8fdee11632 in absl::container_internal::CommonFields::CommonFields(absl::container_internal::CommonFields&&) third_party/abseil-cpp/src/absl/container/internal/raw_hash_set.h:1337:45
    #2 0x5f8fdee11544 in absl::container_internal::internal_compressed_tuple::Storage<absl::container_internal::CommonFields, 0ul, false>::Storage<absl::container_internal::CommonFields>(std::__2::in_place_t, absl::container_internal::CommonFields&&) third_party/abseil-cpp/src/absl/container/internal/compressed_tuple.h:90:9
    #3 0x5f8fdef7f550 in absl::container_internal::internal_compressed_tuple::CompressedTupleImpl<absl::container_internal::CompressedTuple<absl::container_internal::CommonFields, absl::container_internal::StringHash, absl::container_internal::StringEq, std::__2::allocator<std::__2::pair<std::__2::basic_string<char, std::__2::char_traits<char>, std::__2::allocator<char>> const, std::__2::pair<void (*)(), void (*)()>>>>, std::__2::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>, true>::CompressedTupleImpl<absl::container_internal::CommonFields, absl::container_internal::StringHash, absl::container_internal::StringEq, std::__2::allocator<std::__2::pair<std::__2::basic_string<char, std::__2::char_traits<char>, std::__2::allocator<char>> const, std::__2::pair<void (*)(), void (*)()>>>>(std::__2::in_place_t, absl::container_internal::CommonFields&&, absl::container_internal::StringHash&&, absl::container_internal::StringEq&&, std::__2::allocator<std::__2::pair<std::__2::basic_string<char, std::__2::char_traits<char>, std::__2::allocator<char>> const, std::__2::pair<void (*)(), void (*)()>>>&&) third_party/abseil-cpp/src/absl/container/internal/compressed_tuple.h:125:9
    #4 0x5f8fdf04e78f in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::TestSuite, void>(testing::TestSuite*, void (testing::TestSuite::*)(), char const*) third_party/googletest/googletest/src/gtest.cc:2635:10
    #5 0x5f8fdefd425f in void testing::internal::HandleExceptionsInMethodIfSupported<testing::TestSuite, void>(testing::TestSuite*, void (testing::TestSuite::*)(), char const*) third_party/googletest/googletest/src/gtest.cc:2690:12
    #6 0x5f8fdefd382b in testing::TestSuite::Run() third_party/googletest/googletest/src/gtest.cc:3022:3
    #7 0x5f8fdeff0966 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/googletest/src/gtest.cc:5964:44
    #8 0x5f8fdf05513f in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/googletest/src/gtest.cc:2635:10
    #9 0x5f8fdefefb4f in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/googletest/src/gtest.cc:2690:12
    #10 0x5f8fdefef840 in testing::UnitTest::Run() third_party/googletest/googletest/src/gtest.cc:5543:10
    #11 0x5f8fdf06a36d in RUN_ALL_TESTS() third_party/googletest/googletest/include/gtest/gtest.h:2334:73

0x503000000b40 is located 0 bytes after 32-byte region [0x503000000b20,0x503000000b40)
allocated by thread T0 here:
    #0 0x5f8fdeddf9bd in operator new(unsigned long) ../../../../../../llvm-llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:86:3
    #1 0x5f8fdef7f08c in fuzztest::internal::(anonymous namespace)::SetUpTearDownTestSuiteRegistry() third_party/fuzztest/fuzztest/internal/registry.cc:41:7
    #2 0x5f8fdf04e78f in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::TestSuite, void>(testing::TestSuite*, void (testing::TestSuite::*)(), char const*) third_party/googletest/googletest/src/gtest.cc:2635:10
    #3 0x5f8fdefd425f in void testing::internal::HandleExceptionsInMethodIfSupported<testing::TestSuite, void>(testing::TestSuite*, void (testing::TestSuite::*)(), char const*) third_party/googletest/googletest/src/gtest.cc:2690:12
    #4 0x5f8fdefd382b in testing::TestSuite::Run() third_party/googletest/googletest/src/gtest.cc:3022:3
    #5 0x5f8fdeff0966 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/googletest/src/gtest.cc:5964:44
    #6 0x5f8fdf05513f in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/googletest/src/gtest.cc:2635:10
    #7 0x5f8fdefefb4f in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/googletest/src/gtest.cc:2690:12
    #8 0x5f8fdefef840 in testing::UnitTest::Run() third_party/googletest/googletest/src/gtest.cc:5543:10
    #9 0x5f8fdf06a36d in RUN_ALL_TESTS() third_party/googletest/googletest/include/gtest/gtest.h:2334:73

SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/abseil-cpp/src/absl/container/internal/raw_hash_set.h:1337:45 in absl::container_internal::CommonFields::CommonFields(absl::container_internal::CommonFields&&)
Shadow bytes around the buggy address:
  0x503000000880: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x503000000900: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd
  0x503000000980: fd fa fa fa 00 00 00 fc fa fa fd fd fd fa fa fa
  0x503000000a00: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x503000000a80: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
=>0x503000000b00: fd fd fa fa 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x503000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==798313==ABORTING

FuzzTest that triggered the error

#include <cstddef>
#include <cstdint>
#include <iostream>   // needed for std::cout / std::endl

#include <pw_fuzzer/fuzztest.h>

#include "credentials/CHIPCert.h"

using namespace fuzztest;
using namespace std;

// Minimal fixture: the constructor and destructor only log, so it is visible
// whether the fixture is constructed at all before the crash.
class ChipCertDecodeFuzzTest
{
public:
    ChipCertDecodeFuzzTest()
    {
        cout << "Const" << endl;
    }

    ~ChipCertDecodeFuzzTest()
    {
        cout << "Dest" << endl;
    }

    // Fuzzed method; FuzzTest infers an Arbitrary<int> domain for `a`.
    void DecodeChipCertFuzzer(int a) { cout << "test" << a; }
};

FUZZ_TEST_F(ChipCertDecodeFuzzTest, DecodeChipCertFuzzer);
@Alami-Amine Alami-Amine added bug Something isn't working needs triage labels Sep 3, 2024
@Alami-Amine Alami-Amine changed the title [BUG] [pw_fuzzer] Blocker in integration of Test Fixtures Sep 3, 2024
@Alami-Amine Alami-Amine self-assigned this Sep 3, 2024
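As an added triage aid (this is example code written for this page; it is not part of the issue, of Pigweed, or of FuzzTest), the script below parses an AddressSanitizer report like the one quoted above and pulls out the facts a fuzzing engineer checks first: the error kind, the access type and size, how far outside the allocated region the access reached, and the first non-sanitizer frame on the access and allocation stacks. The embedded sample is a constructed input: it is trimmed from the log in the issue (only the first two frames of each stack are kept). The "whole-object-sized write one object past the end" heuristic in `triage()` is an assumption of this example, offered as a pointer for investigation, not a diagnosis from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: trimmed from the AddressSanitizer report quoted in the
# issue above (only the first frames of each stack are kept) so the script runs offline.
SAMPLE_REPORT = """\
==798313==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x503000000b40 at pc 0x5f8fdedaa0b4 bp 0x7fff2e67da90 sp 0x7fff2e67d250
WRITE of size 32 at 0x503000000b40 thread T0
    #0 0x5f8fdedaa0b3 in __asan_memcpy ../../../../../../llvm-llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
    #1 0x5f8fdee11632 in absl::container_internal::CommonFields::CommonFields(absl::container_internal::CommonFields&&) third_party/abseil-cpp/src/absl/container/internal/raw_hash_set.h:1337:45

0x503000000b40 is located 0 bytes after 32-byte region [0x503000000b20,0x503000000b40)
allocated by thread T0 here:
    #0 0x5f8fdeddf9bd in operator new(unsigned long) ../../../../../../llvm-llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:86:3
    #1 0x5f8fdef7f08c in fuzztest::internal::(anonymous namespace)::SetUpTearDownTestSuiteRegistry() third_party/fuzztest/fuzztest/internal/registry.cc:41:7

SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/abseil-cpp/src/absl/container/internal/raw_hash_set.h:1337:45 in absl::container_internal::CommonFields::CommonFields(absl::container_internal::CommonFields&&)
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
REGION_RE = re.compile(
    r"^0x[0-9a-f]+ is located (\d+) bytes (after|before|inside of) (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# "#N 0xADDR in <function> <file:line[:col]>"; the function may contain spaces,
# the location is always the last whitespace-free token on the line.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+:\d+(?::\d+)?)\s*$")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # file:line:column as printed by the symbolizer


@dataclass
class AsanFinding:
    pid: int
    kind: str          # e.g. heap-buffer-overflow
    access: str        # READ or WRITE
    size: int          # bytes accessed
    address: int       # faulting address
    region_start: int
    region_size: int
    access_frames: List[Frame] = field(default_factory=list)
    alloc_frames: List[Frame] = field(default_factory=list)
    free_frames: List[Frame] = field(default_factory=list)

    @property
    def offset(self) -> int:
        """Byte offset of the faulting address from the start of the region."""
        return self.address - self.region_start


def parse_asan_report(text: str) -> AsanFinding:
    """Extract the error kind, the faulting access, the region it missed and the
    access/allocation/free stacks from an ASan report."""
    head: Dict[str, object] = {}
    stacks: Dict[str, List[Frame]] = {"access": [], "alloc": [], "free": []}
    section: Optional[str] = None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            head.update(pid=int(m.group(1)), kind=m.group(2), address=int(m.group(3), 16))
        elif m := ACCESS_RE.match(line):
            head.update(access=m.group(1), size=int(m.group(2)))
            section = "access"
        elif m := REGION_RE.match(line):
            head.update(region_size=int(m.group(3)), region_start=int(m.group(4), 16))
            section = None
        elif line.startswith(("allocated by", "previously allocated by")):
            section = "alloc"
        elif line.startswith("freed by"):
            section = "free"
        elif (m := FRAME_RE.match(line)) and section:
            stacks[section].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
        elif not line.strip():
            section = None  # a blank line ends the current stack
    required = ("pid", "kind", "access", "size", "address", "region_start", "region_size")
    missing = [k for k in required if k not in head]
    if missing:
        raise ValueError(f"incomplete ASan report, missing: {missing}")
    return AsanFinding(**head, access_frames=stacks["access"],
                       alloc_frames=stacks["alloc"], free_frames=stacks["free"])


def first_non_runtime_frame(frames: List[Frame]) -> Optional[Frame]:
    """Skip the sanitizer's own interceptors (__asan_memcpy, operator new in
    compiler-rt) and return the first frame in user or library code."""
    for f in frames:
        if f.function.startswith("__asan") or "compiler-rt" in f.location:
            continue
        return f
    return None


def triage(finding: AsanFinding) -> dict:
    """Summarise what to look at first: how many bytes of the access fell outside
    the object, where the access happened and where the object was allocated."""
    lo, hi = finding.offset, finding.offset + finding.size
    inside = max(0, min(hi, finding.region_size) - max(lo, 0))
    heuristics = []
    # Heuristic assumed by this example: a write of exactly one object size that
    # starts exactly one object past the end is consistent with two translation
    # units disagreeing on the object's layout (an ABI/ODR mismatch), which is
    # worth checking before looking for a classic off-by-one.
    if (finding.access == "WRITE" and finding.offset == finding.region_size
            and finding.size == finding.region_size):
        heuristics.append("whole-object-sized write starting one object past the end: "
                          "check that every translation unit sees the same object layout")
    if finding.free_frames:
        heuristics.append("region was freed before the access: treat as use-after-free")
    return {
        "kind": finding.kind,
        "bytes_outside_region": finding.size - inside,
        "fault_frame": first_non_runtime_frame(finding.access_frames),
        "alloc_frame": first_non_runtime_frame(finding.alloc_frames),
        "heuristics": heuristics,
    }


if __name__ == "__main__":
    result = triage(parse_asan_report(SAMPLE_REPORT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample the script reports a 32-byte WRITE with all 32 bytes outside a 32-byte region, the fault in the abseil `CommonFields` move constructor and the allocation in FuzzTest's `SetUpTearDownTestSuiteRegistry()`, which are the two places to compare compile flags and dependencies when checking the "missing GN dependency" theory from the issue.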
Alami-Amine (Contributor, Author) commented Oct 23, 2024

Ticket created on Pigweed's side: Ticket
