segfault when compiled with depends DEBUG=1 and libc++ #24290

issue MarcoFalke opened this issue on February 8, 2022
  1. MarcoFalke commented at 11:53 AM on February 8, 2022: member

    See also https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44466 and #20744 (comment)

    Steps to reproduce on a fresh install of Ubuntu Focal:

    export DEBIAN_FRONTEND=noninteractive && apt update && apt install curl wget htop git vim ccache -y && git clone https://github.com/bitcoin/bitcoin.git bitcoin-core && cd bitcoin-core && apt install build-essential libtool autotools-dev automake pkg-config bsdmainutils python3-zmq make automake cmake curl clang llvm libc++-dev libc++abi-dev g++-multilib libtool binutils-gold bsdmainutils pkg-config python3 patch bison -y  && ( cd depends && make DEBUG=1  NO_QT=1 NO_WALLET=1 NO_ZMQ=1 NO_UPNP=1 NO_NATPMP=1 -j $(nproc)  ) && ./autogen.sh && CONFIG_SITE="$PWD/depends/x86_64-pc-linux-gnu/share/config.site" ./configure CC='clang ' CXX='clang++ -stdlib=libc++' --enable-fuzz --with-sanitizers=fuzzer && make  -j $(nproc)
    
    $ FUZZ=tx_pool ./src/test/fuzz/fuzz 
    UndefinedBehaviorSanitizer:DEADLYSIGNAL
    ==52419==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f5d814ccb47 bp 0x7fff699e4ef0 sp 0x7fff699e4ea0 T52419)
    ==52419==The signal is caused by a READ memory access.
    ==52419==Hint: address points to the zero page.
        #0 0x7f5d814ccb47 in std::__1::__libcpp_db::swap(void*, void*) (/lib/x86_64-linux-gnu/libc++.so.1+0x43b47)
        #1 0x564aea7e1377 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (/bitcoin-core/src/test/fuzz/fuzz+0x577377)
        #2 0x564aea80cf94 in std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (/bitcoin-core/src/test/fuzz/fuzz+0x5a2f94)
        #3 0x564aea80bd04 in fs::path::path(std::__1::__fs::filesystem::path) (/bitcoin-core/src/test/fuzz/fuzz+0x5a1d04)
        #4 0x564aeb1f46ad in fs::absolute(fs::path const&) (/bitcoin-core/src/test/fuzz/fuzz+0xf8a6ad)
        #5 0x564aeb1f4c8b in ArgsManager::GetDataDir(bool) const (/bitcoin-core/src/test/fuzz/fuzz+0xf8ac8b)
        #6 0x564aea80bbfa in ArgsManager::GetDataDirNet() const (/bitcoin-core/src/test/fuzz/fuzz+0x5a1bfa)
        #7 0x564aeb1fa2bb in AbsPathForConfigVal(fs::path const&, bool) (/bitcoin-core/src/test/fuzz/fuzz+0xf902bb)
        #8 0x564aeb0d5074 in init::SetLoggingOptions(ArgsManager const&) (/bitcoin-core/src/test/fuzz/fuzz+0xe6b074)
        #9 0x564aeaaddd15 in InitLogging(ArgsManager const&) (/bitcoin-core/src/test/fuzz/fuzz+0x873d15)
        #10 0x564aeaa06412 in BasicTestingSetup::BasicTestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x79c412)
        #11 0x564aeaa073e2 in ChainTestingSetup::ChainTestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x79d3e2)
        #12 0x564aeaa0877f in TestingSetup::TestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x79e77f)
        #13 0x564aea85508d in std::__1::__unique_if<TestingSetup const>::__unique_single std::__1::make_unique<TestingSetup const, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x5eb08d)
        #14 0x564aea852a22 in std::__1::unique_ptr<TestingSetup const, std::__1::default_delete<TestingSetup const> > MakeNoLogFileContext<TestingSetup const>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x5e8a22)
        #15 0x564aea9c5817 in (anonymous namespace)::initialize_tx_pool() (/bitcoin-core/src/test/fuzz/fuzz+0x75b817)
        #16 0x564aea7c8d20 in decltype(std::__1::forward<void (*&)()>(fp)()) std::__1::__invoke<void (*&)()>(void (*&)()) (/bitcoin-core/src/test/fuzz/fuzz+0x55ed20)
        #17 0x564aea7c8c6d in void std::__1::__invoke_void_return_wrapper<void>::__call<void (*&)()>(void (*&)()) (/bitcoin-core/src/test/fuzz/fuzz+0x55ec6d)
        #18 0x564aea7c8c0d in std::__1::__function::__alloc_func<void (*)(), std::__1::allocator<void (*)()>, void ()>::operator()() (/bitcoin-core/src/test/fuzz/fuzz+0x55ec0d)
        #19 0x564aea7c7049 in std::__1::__function::__func<void (*)(), std::__1::allocator<void (*)()>, void ()>::operator()() (/bitcoin-core/src/test/fuzz/fuzz+0x55d049)
        #20 0x564aeaab965c in std::__1::__function::__value_func<void ()>::operator()() const (/bitcoin-core/src/test/fuzz/fuzz+0x84f65c)
        #21 0x564aeaab95e5 in std::__1::function<void ()>::operator()() const (/bitcoin-core/src/test/fuzz/fuzz+0x84f5e5)
        #22 0x564aeb25ac9d in initialize() (/bitcoin-core/src/test/fuzz/fuzz+0xff0c9d)
        #23 0x564aeb25b71f in LLVMFuzzerInitialize (/bitcoin-core/src/test/fuzz/fuzz+0xff171f)
        #24 0x564aea743437 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/bitcoin-core/src/test/fuzz/fuzz+0x4d9437)
        #25 0x564aea76df22 in main (/bitcoin-core/src/test/fuzz/fuzz+0x503f22)
        #26 0x7f5d810e60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #27 0x564aea719e7d in _start (/bitcoin-core/src/test/fuzz/fuzz+0x4afe7d)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/lib/x86_64-linux-gnu/libc++.so.1+0x43b47) in std::__1::__libcpp_db::swap(void*, void*)
    ==52419==ABORTING
    
  2. MarcoFalke added the label Bug on Feb 8, 2022
  3. MarcoFalke added the label Tests on Feb 8, 2022
  4. MarcoFalke renamed this:
    fuzz tests immediately crash when compiled with depends DEBUG=1 and libc++
    tests immediately crash when compiled with depends DEBUG=1 and libc++
    on Feb 9, 2022
  5. MarcoFalke commented at 11:58 AM on February 9, 2022: member

    I suspected these were the steps to reproduce the bug in the unit tests on a fresh install of Ubuntu Focal; however, I couldn't.

    export DEBIAN_FRONTEND=noninteractive && apt update && apt install curl wget htop git vim ccache -y && git clone https://github.com/bitcoin/bitcoin.git ./bitcoin-core && cd bitcoin-core && apt install libc++abi-dev libc++-dev clang llvm build-essential libtool autotools-dev automake pkg-config bsdmainutils python3-zmq      make automake cmake curl g++-multilib libtool binutils-gold bsdmainutils pkg-config python3 patch bison        -y  && ( cd depends && make CC=clang CXX="clang++ -stdlib=libc++" DEBUG=1 NO_QT=1 NO_WALLET=1 NO_ZMQ=1 NO_UPNP=1 NO_NATPMP=1 -j $(nproc) ) &&  ./autogen.sh && CONFIG_SITE="$PWD/depends/x86_64-pc-linux-gnu/share/config.site" ./configure CC=clang CXX="clang++ -stdlib=libc++" && make -j $(nproc)
    
  6. MarcoFalke commented at 11:59 AM on February 9, 2022: member

    Oh, nvm. I could reproduce in the unit tests. It just needs valgrind:

    valgrind ./src/test/test_bitcoin 
    ==102942== Memcheck, a memory error detector
    ==102942== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==102942== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
    ==102942== Command: ./src/test/test_bitcoin
    ==102942== 
    Running 449 test cases...
    ==102942== Invalid read of size 8
    ==102942==    at 0x48B6B47: std::__1::__libcpp_db::swap(void*, void*) (in /usr/lib/llvm-10/lib/libc++.so.1.0)
    ==102942==    by 0x1D5CF7: std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x20702C: std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x20651C: fs::path::path(std::__1::__fs::filesystem::path) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0xC5247F: fs::absolute(fs::path const&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0xC5270A: ArgsManager::GetDataDir(bool) const (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x36341B: ArgsManager::GetDataDirNet() const (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0xC558AB: AbsPathForConfigVal(fs::path const&, bool) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0xB8B1A6: init::SetLoggingOptions(ArgsManager const&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x7449B6: InitLogging(ArgsManager const&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x6B8958: BasicTestingSetup::BasicTestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x1C1ABA: addrman_tests::addrman_simple::addrman_simple() (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
    ==102942== 
    ==102942== Warning: client switching stacks?  SP change: 0x5540ad8 --> 0x1ffeffb760
    ==102942==          to suppress, use: --max-stackframe=137332763784 or greater
    
  7. MarcoFalke added the label Upstream on Feb 9, 2022
  8. MarcoFalke removed the label Tests on Feb 9, 2022
  9. MarcoFalke renamed this:
    tests immediately crash when compiled with depends DEBUG=1 and libc++
    segfault when compiled with depends DEBUG=1 and libc++
    on Feb 9, 2022
  10. MarcoFalke commented at 12:19 PM on February 9, 2022: member

    bitcoind is also affected:

    # valgrind ./src/bitcoind -datadir=/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    ==107287== Memcheck, a memory error detector
    ==107287== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==107287== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
    ==107287== Command: ./src/bitcoind -datadir=/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    ==107287== 
    ==107287== Invalid read of size 8
    ==107287==    at 0x48B6B47: std::__1::__libcpp_db::swap(void*, void*) (in /usr/lib/llvm-10/lib/libc++.so.1.0)
    ==107287==    by 0x15B0A7: std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x1AE5DC: std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x180D9C: fs::path::path(std::__1::__fs::filesystem::path) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x7DA58F: fs::absolute(fs::path const&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x7DD885: CheckDataDirOption() (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x156201: AppInit(node::NodeContext&, int, char**) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x155E7B: main (in /bitcoin-core/src/bitcoind)
    ==107287==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
    ==107287== 
    ==107287== 
    ==107287== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    ==107287==  Access not within mapped region at address 0x8
    ==107287==    at 0x48B6B47: std::__1::__libcpp_db::swap(void*, void*) (in /usr/lib/llvm-10/lib/libc++.so.1.0)
    ==107287==    by 0x15B0A7: std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x1AE5DC: std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x180D9C: fs::path::path(std::__1::__fs::filesystem::path) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x7DA58F: fs::absolute(fs::path const&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x7DD885: CheckDataDirOption() (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x156201: AppInit(node::NodeContext&, int, char**) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x155E7B: main (in /bitcoin-core/src/bitcoind)
    ==107287==  If you believe this happened as a result of a stack
    ==107287==  overflow in your program's main thread (unlikely but
    ==107287==  possible), you can try to increase the size of the
    ==107287==  main thread stack using the --main-stacksize= flag.
    ==107287==  The main thread stack size used in this run was 8388608.
    ==107287== 
    ==107287== HEAP SUMMARY:
    ==107287==     in use at exit: 159,334 bytes in 2,276 blocks
    ==107287==   total heap usage: 8,251 allocs, 5,975 frees, 503,749 bytes allocated
    ==107287== 
    ==107287== LEAK SUMMARY:
    ==107287==    definitely lost: 0 bytes in 0 blocks
    ==107287==    indirectly lost: 0 bytes in 0 blocks
    ==107287==      possibly lost: 0 bytes in 0 blocks
    ==107287==    still reachable: 159,334 bytes in 2,276 blocks
    ==107287==         suppressed: 0 bytes in 0 blocks
    ==107287== Rerun with --leak-check=full to see details of leaked memory
    ==107287== 
    ==107287== For lists of detected and suppressed errors, rerun with: -s
    ==107287== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    Segmentation fault (core dumped)
    
  11. MarcoFalke commented at 8:57 AM on February 16, 2022: member

    Closing for now as upstream bug. Feel free to continue discussion.

  12. MarcoFalke closed this on Feb 16, 2022

  13. DrahtBot locked this on Feb 16, 2023

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 18:14 UTC