segfault when compiled with depends DEBUG=1 and libc++ #24290

MarcoFalke opened this issue on February 8, 2022
  1. MarcoFalke commented at 11:53 am on February 8, 2022: member

    See also https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44466 and #20744 (comment)

    Steps to reproduce on a fresh install of Ubuntu Focal:

    export DEBIAN_FRONTEND=noninteractive && apt update && apt install curl wget htop git vim ccache -y && git clone https://github.com/bitcoin/bitcoin.git bitcoin-core && cd bitcoin-core && apt install build-essential libtool autotools-dev automake pkg-config bsdmainutils python3-zmq make automake cmake curl clang llvm libc++-dev libc++abi-dev g++-multilib libtool binutils-gold bsdmainutils pkg-config python3 patch bison -y  && ( cd depends && make DEBUG=1  NO_QT=1 NO_WALLET=1 NO_ZMQ=1 NO_UPNP=1 NO_NATPMP=1 -j $(nproc)  ) && ./autogen.sh && CONFIG_SITE="$PWD/depends/x86_64-pc-linux-gnu/share/config.site" ./configure CC='clang ' CXX='clang++ -stdlib=libc++' --enable-fuzz --with-sanitizers=fuzzer && make  -j $(nproc)
    
    $ FUZZ=tx_pool ./src/test/fuzz/fuzz
    UndefinedBehaviorSanitizer:DEADLYSIGNAL
    ==52419==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f5d814ccb47 bp 0x7fff699e4ef0 sp 0x7fff699e4ea0 T52419)
    ==52419==The signal is caused by a READ memory access.
    ==52419==Hint: address points to the zero page.
        #0 0x7f5d814ccb47 in std::__1::__libcpp_db::swap(void*, void*) (/lib/x86_64-linux-gnu/libc++.so.1+0x43b47)
        #1 0x564aea7e1377 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (/bitcoin-core/src/test/fuzz/fuzz+0x577377)
        #2 0x564aea80cf94 in std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (/bitcoin-core/src/test/fuzz/fuzz+0x5a2f94)
        #3 0x564aea80bd04 in fs::path::path(std::__1::__fs::filesystem::path) (/bitcoin-core/src/test/fuzz/fuzz+0x5a1d04)
        #4 0x564aeb1f46ad in fs::absolute(fs::path const&) (/bitcoin-core/src/test/fuzz/fuzz+0xf8a6ad)
        #5 0x564aeb1f4c8b in ArgsManager::GetDataDir(bool) const (/bitcoin-core/src/test/fuzz/fuzz+0xf8ac8b)
        #6 0x564aea80bbfa in ArgsManager::GetDataDirNet() const (/bitcoin-core/src/test/fuzz/fuzz+0x5a1bfa)
        #7 0x564aeb1fa2bb in AbsPathForConfigVal(fs::path const&, bool) (/bitcoin-core/src/test/fuzz/fuzz+0xf902bb)
        #8 0x564aeb0d5074 in init::SetLoggingOptions(ArgsManager const&) (/bitcoin-core/src/test/fuzz/fuzz+0xe6b074)
        #9 0x564aeaaddd15 in InitLogging(ArgsManager const&) (/bitcoin-core/src/test/fuzz/fuzz+0x873d15)
        #10 0x564aeaa06412 in BasicTestingSetup::BasicTestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x79c412)
        #11 0x564aeaa073e2 in ChainTestingSetup::ChainTestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x79d3e2)
        #12 0x564aeaa0877f in TestingSetup::TestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x79e77f)
        #13 0x564aea85508d in std::__1::__unique_if<TestingSetup const>::__unique_single std::__1::make_unique<TestingSetup const, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x5eb08d)
        #14 0x564aea852a22 in std::__1::unique_ptr<TestingSetup const, std::__1::default_delete<TestingSetup const> > MakeNoLogFileContext<TestingSetup const>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (/bitcoin-core/src/test/fuzz/fuzz+0x5e8a22)
        #15 0x564aea9c5817 in (anonymous namespace)::initialize_tx_pool() (/bitcoin-core/src/test/fuzz/fuzz+0x75b817)
        #16 0x564aea7c8d20 in decltype(std::__1::forward<void (*&)()>(fp)()) std::__1::__invoke<void (*&)()>(void (*&)()) (/bitcoin-core/src/test/fuzz/fuzz+0x55ed20)
        #17 0x564aea7c8c6d in void std::__1::__invoke_void_return_wrapper<void>::__call<void (*&)()>(void (*&)()) (/bitcoin-core/src/test/fuzz/fuzz+0x55ec6d)
        #18 0x564aea7c8c0d in std::__1::__function::__alloc_func<void (*)(), std::__1::allocator<void (*)()>, void ()>::operator()() (/bitcoin-core/src/test/fuzz/fuzz+0x55ec0d)
        #19 0x564aea7c7049 in std::__1::__function::__func<void (*)(), std::__1::allocator<void (*)()>, void ()>::operator()() (/bitcoin-core/src/test/fuzz/fuzz+0x55d049)
        #20 0x564aeaab965c in std::__1::__function::__value_func<void ()>::operator()() const (/bitcoin-core/src/test/fuzz/fuzz+0x84f65c)
        #21 0x564aeaab95e5 in std::__1::function<void ()>::operator()() const (/bitcoin-core/src/test/fuzz/fuzz+0x84f5e5)
        #22 0x564aeb25ac9d in initialize() (/bitcoin-core/src/test/fuzz/fuzz+0xff0c9d)
        #23 0x564aeb25b71f in LLVMFuzzerInitialize (/bitcoin-core/src/test/fuzz/fuzz+0xff171f)
        #24 0x564aea743437 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/bitcoin-core/src/test/fuzz/fuzz+0x4d9437)
        #25 0x564aea76df22 in main (/bitcoin-core/src/test/fuzz/fuzz+0x503f22)
        #26 0x7f5d810e60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #27 0x564aea719e7d in _start (/bitcoin-core/src/test/fuzz/fuzz+0x4afe7d)

    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/lib/x86_64-linux-gnu/libc++.so.1+0x43b47) in std::__1::__libcpp_db::swap(void*, void*)
    ==52419==ABORTING
    
  2. MarcoFalke added the label Bug on Feb 8, 2022
  3. MarcoFalke added the label Tests on Feb 8, 2022
  4. MarcoFalke renamed this:
    fuzz tests immediately crash when compiled with depends DEBUG=1 and libc++
    tests immediately crash when compiled with depends DEBUG=1 and libc++
    on Feb 9, 2022
  5. MarcoFalke commented at 11:58 am on February 9, 2022: member

    I suspected these were the steps to reproduce the bug in the unit tests on a fresh install of Ubuntu Focal; however, I couldn’t

    export DEBIAN_FRONTEND=noninteractive && apt update && apt install curl wget htop git vim ccache -y && git clone https://github.com/bitcoin/bitcoin.git ./bitcoin-core && cd bitcoin-core && apt install libc++abi-dev libc++-dev clang llvm build-essential libtool autotools-dev automake pkg-config bsdmainutils python3-zmq make automake cmake curl g++-multilib libtool binutils-gold bsdmainutils pkg-config python3 patch bison -y && ( cd depends && make CC=clang CXX="clang++ -stdlib=libc++" DEBUG=1 NO_QT=1 NO_WALLET=1 NO_ZMQ=1 NO_UPNP=1 NO_NATPMP=1 -j $(nproc) ) && ./autogen.sh && CONFIG_SITE="$PWD/depends/x86_64-pc-linux-gnu/share/config.site" ./configure CC=clang CXX="clang++ -stdlib=libc++" && make -j $(nproc)
    
  6. MarcoFalke commented at 11:59 am on February 9, 2022: member

    Oh, nvm. I could reproduce in the unit tests. It just needs valgrind:

    valgrind ./src/test/test_bitcoin
    ==102942== Memcheck, a memory error detector
    ==102942== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==102942== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
    ==102942== Command: ./src/test/test_bitcoin
    ==102942== 
    Running 449 test cases...
    ==102942== Invalid read of size 8
    ==102942==    at 0x48B6B47: std::__1::__libcpp_db::swap(void*, void*) (in /usr/lib/llvm-10/lib/libc++.so.1.0)
    ==102942==    by 0x1D5CF7: std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x20702C: std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x20651C: fs::path::path(std::__1::__fs::filesystem::path) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0xC5247F: fs::absolute(fs::path const&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0xC5270A: ArgsManager::GetDataDir(bool) const (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x36341B: ArgsManager::GetDataDirNet() const (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0xC558AB: AbsPathForConfigVal(fs::path const&, bool) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0xB8B1A6: init::SetLoggingOptions(ArgsManager const&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x7449B6: InitLogging(ArgsManager const&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x6B8958: BasicTestingSetup::BasicTestingSetup(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::vector<char const*, std::__1::allocator<char const*> > const&) (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==    by 0x1C1ABA: addrman_tests::addrman_simple::addrman_simple() (in /bitcoin-core/src/test/test_bitcoin)
    ==102942==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
    ==102942== 
    ==102942== Warning: client switching stacks?  SP change: 0x5540ad8 --> 0x1ffeffb760
    ==102942==          to suppress, use: --max-stackframe=137332763784 or greater
    
  7. MarcoFalke added the label Upstream on Feb 9, 2022
  8. MarcoFalke removed the label Tests on Feb 9, 2022
  9. MarcoFalke renamed this:
    tests immediately crash when compiled with depends DEBUG=1 and libc++
    segfault when compiled with depends DEBUG=1 and libc++
    on Feb 9, 2022
  10. MarcoFalke commented at 12:19 pm on February 9, 2022: member

    bitcoind also affected:

    # valgrind ./src/bitcoind -datadir=/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    ==107287== Memcheck, a memory error detector
    ==107287== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==107287== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
    ==107287== Command: ./src/bitcoind -datadir=/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    ==107287== 
    ==107287== Invalid read of size 8
    ==107287==    at 0x48B6B47: std::__1::__libcpp_db::swap(void*, void*) (in /usr/lib/llvm-10/lib/libc++.so.1.0)
    ==107287==    by 0x15B0A7: std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x1AE5DC: std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x180D9C: fs::path::path(std::__1::__fs::filesystem::path) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x7DA58F: fs::absolute(fs::path const&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x7DD885: CheckDataDirOption() (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x156201: AppInit(node::NodeContext&, int, char**) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x155E7B: main (in /bitcoin-core/src/bitcoind)
    ==107287==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
    ==107287== 
    ==107287== 
    ==107287== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    ==107287==  Access not within mapped region at address 0x8
    ==107287==    at 0x48B6B47: std::__1::__libcpp_db::swap(void*, void*) (in /usr/lib/llvm-10/lib/libc++.so.1.0)
    ==107287==    by 0x15B0A7: std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x1AE5DC: std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x180D9C: fs::path::path(std::__1::__fs::filesystem::path) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x7DA58F: fs::absolute(fs::path const&) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x7DD885: CheckDataDirOption() (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x156201: AppInit(node::NodeContext&, int, char**) (in /bitcoin-core/src/bitcoind)
    ==107287==    by 0x155E7B: main (in /bitcoin-core/src/bitcoind)
    ==107287==  If you believe this happened as a result of a stack
    ==107287==  overflow in your program's main thread (unlikely but
    ==107287==  possible), you can try to increase the size of the
    ==107287==  main thread stack using the --main-stacksize= flag.
    ==107287==  The main thread stack size used in this run was 8388608.
    ==107287== 
    ==107287== HEAP SUMMARY:
    ==107287==     in use at exit: 159,334 bytes in 2,276 blocks
    ==107287==   total heap usage: 8,251 allocs, 5,975 frees, 503,749 bytes allocated
    ==107287== 
    ==107287== LEAK SUMMARY:
    ==107287==    definitely lost: 0 bytes in 0 blocks
    ==107287==    indirectly lost: 0 bytes in 0 blocks
    ==107287==      possibly lost: 0 bytes in 0 blocks
    ==107287==    still reachable: 159,334 bytes in 2,276 blocks
    ==107287==         suppressed: 0 bytes in 0 blocks
    ==107287== Rerun with --leak-check=full to see details of leaked memory
    ==107287== 
    ==107287== For lists of detected and suppressed errors, rerun with: -s
    ==107287== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
    Segmentation fault (core dumped)
    
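All three traces in this thread share the same shape: the top frame is in the system libc++.so.1 (`__libcpp_db::swap`) reading the zero page, and the first frame in the project's own binary outside namespace std is `fs::path::path`. As an added triage example (not code from this issue or from Bitcoin Core), the POSIX shell function below reads a sanitizer DEADLYSIGNAL report like the first one above and reports exactly those three facts; the embedded report is constructed, abbreviated from that trace, and the binary-path substring `/bitcoin-core/` is an assumption taken from the paths in the traces.

```shell
#!/bin/sh
# Added example, not code from the issue or from Bitcoin Core: triage a sanitizer
# "DEADLYSIGNAL" report like the one in this issue. It extracts the fault address,
# flags a zero-page read (a null-pointer-style dereference) and names the first
# frame inside the project's own binary outside namespace std, which is the frame
# to start from when the top frame sits in a system library such as libc++.so.1.
#
# Usage: triage_sanitizer_trace <substring of the project binary path> < report
triage_sanitizer_trace() {
    awk -v needle="$1" '
        /Sanitizer: SEGV on unknown address/ {
            for (i = 1; i <= NF; i++) if ($i == "address") addr = $(i + 1)
        }
        /^[ \t]*#[0-9]+ 0x/ {
            f = $0
            sub(/^[ \t]*#[0-9]+ 0x[0-9a-fA-F]+ in /, "", f)   # drop "#n 0xADDR in "
            n = split(f, parts, "(")                            # last group is "module+offset)"
            sub(/ \([^(]*\)$/, "", f)                           # drop trailing "(module+offset)"
            if (top == "") top = f
            if (own == "" && index(parts[n], needle) > 0 && substr(f, 1, 5) != "std::") own = f
        }
        END {
            if (addr == "") { print "no SEGV report found"; exit 1 }
            a = addr; sub(/^0x0*/, "", a)
            zero = (length(a) <= 3) ? "yes" : "no"             # below 0x1000
            print "address=" addr
            print "zero_page=" zero
            print "top_frame=" top
            print "first_project_frame=" own
        }'
}

# Constructed sample report, abbreviated from the fuzz harness trace in this issue.
SAMPLE_REPORT='UndefinedBehaviorSanitizer:DEADLYSIGNAL
==52419==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f5d814ccb47 bp 0x7fff699e4ef0 sp 0x7fff699e4ea0 T52419)
==52419==The signal is caused by a READ memory access.
==52419==Hint: address points to the zero page.
    #0 0x7f5d814ccb47 in std::__1::__libcpp_db::swap(void*, void*) (/lib/x86_64-linux-gnu/libc++.so.1+0x43b47)
    #1 0x564aea7e1377 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) (/bitcoin-core/src/test/fuzz/fuzz+0x577377)
    #2 0x564aea80cf94 in std::__1::__fs::filesystem::path::path(std::__1::__fs::filesystem::path&&) (/bitcoin-core/src/test/fuzz/fuzz+0x5a2f94)
    #3 0x564aea80bd04 in fs::path::path(std::__1::__fs::filesystem::path) (/bitcoin-core/src/test/fuzz/fuzz+0x5a1d04)
    #4 0x564aeb1f46ad in fs::absolute(fs::path const&) (/bitcoin-core/src/test/fuzz/fuzz+0xf8a6ad)
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/lib/x86_64-linux-gnu/libc++.so.1+0x43b47) in std::__1::__libcpp_db::swap(void*, void*)'

printf '%s\n' "$SAMPLE_REPORT" | triage_sanitizer_trace /bitcoin-core/
```

The valgrind reports further down use a different frame format (`at`/`by ... (in <module>)`) and are not handled by this function.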
  11. MarcoFalke commented at 8:57 am on February 16, 2022: member
    Closing for now as upstream bug. Feel free to continue discussion.
  12. MarcoFalke closed this on Feb 16, 2022

  13. DrahtBot locked this on Feb 16, 2023


Labels
Bug Upstream


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-21 15:12 UTC