ci: fuzz_msan failed with ==4201==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x55f0c9bdeffb in SetArgs #30760

1. 
   maflcko commented at 9:42 am on August 30, 2024: member

   I recall a similar issue previously.

    0+ [[ x86_64-pc-linux-gnu = *-mingw32 ]]
    1+ '[' -n '' ']'
    2+ '[' false = true ']'
    3+ '[' '' = true ']'
    4+ '[' false = true ']'
    5+ '[' false = true ']'
    6+ '[' true = true ']'
    7+ LD_LIBRARY_PATH=/ci_container_base/depends/x86_64-pc-linux-gnu/lib
    8+ test/fuzz/test_runner.py -j16 -l DEBUG /qa_assets/fuzz_seed_corpus/ --empty_min_time=60
    9==4201==WARNING: MemorySanitizer: use-of-uninitialized-value
   10    [#0](/bitcoin-bitcoin/0/) 0x55f0c9bdeffb in SetArgs(int, char**) ci/scratch/build-x86_64-pc-linux-gnu/src/test/fuzz/util/./src/test/fuzz/fuzz.cpp:50:5
   11    [#1](/bitcoin-bitcoin/1/) 0x55f0c9bdeffb in LLVMFuzzerInitialize ci/scratch/build-x86_64-pc-linux-gnu/src/test/fuzz/util/./src/test/fuzz/fuzz.cpp:216:5
   12    [#2](/bitcoin-bitcoin/2/) 0x55f0c8f48508 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /msan/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:650:5
   13    [#3](/bitcoin-bitcoin/3/) 0x55f0c8f758b2 in main /msan/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
   14    [#4](/bitcoin-bitcoin/4/) 0x7f7e0b6be1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
   15    [#5](/bitcoin-bitcoin/5/) 0x7f7e0b6be28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
   16    [#6](/bitcoin-bitcoin/6/) 0x55f0c8f3cbb4 in _start (/ci_container_base/ci/scratch/build-x86_64-pc-linux-gnu/src/test/fuzz/fuzz+0x883bb4)
   17
   18  Member fields were destroyed
   19    [#0](/bitcoin-bitcoin/0/) 0x55f0c900849d in __sanitizer_dtor_callback_fields /msan/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:1048:5
   20    [#1](/bitcoin-bitcoin/1/) 0x55f0c8f3ba72 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::~basic_string() /msan/cxx_build/include/c++/v1/string:840:44
   21    [#2](/bitcoin-bitcoin/2/) 0x55f0c8f3ba72 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::~basic_string() /msan/cxx_build/include/c++/v1/string:1106:3
   22    [#3](/bitcoin-bitcoin/3/) 0x55f0c8f3ba72 in std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, BCLog::LogFlags>::~pair() /msan/cxx_build/include/c++/v1/__utility/pair.h:80:29
   23    [#4](/bitcoin-bitcoin/4/) 0x55f0c8f3ba72 in __cxx_global_var_init ci/scratch/build-x86_64-pc-linux-gnu/src/util/./src/logging.cpp:170:66
   24    [#5](/bitcoin-bitcoin/5/) 0x55f0c8f3ba72 in _GLOBAL__sub_I_logging.cpp ci/scratch/build-x86_64-pc-linux-gnu/src/util/./src/logging.cpp
   25    [#6](/bitcoin-bitcoin/6/) 0x7f7e0b6be303 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a303) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
   26    [#7](/bitcoin-bitcoin/7/) 0x55f0c8f3cbb4 in _start (/ci_container_base/ci/scratch/build-x86_64-pc-linux-gnu/src/test/fuzz/fuzz+0x883bb4)
   27
   28SUMMARY: MemorySanitizer: use-of-uninitialized-value ci/scratch/build-x86_64-pc-linux-gnu/src/test/fuzz/util/./src/test/fuzz/fuzz.cpp:50:5 in SetArgs(int, char**)
   29Exiting
   30Traceback (most recent call last):
   31  File "/ci_container_base/ci/scratch/build-x86_64-pc-linux-gnu/test/fuzz/test_runner.py", line 411, in <module>
   32    main()
   33  File "/ci_container_base/ci/scratch/build-x86_64-pc-linux-gnu/test/fuzz/test_runner.py", line 115, in main
   34    test_list_all = parse_test_list(
   35                    ^^^^^^^^^^^^^^^^
   36  File "/ci_container_base/ci/scratch/build-x86_64-pc-linux-gnu/test/fuzz/test_runner.py", line 397, in parse_test_list
   37    test_list_all = subprocess.run(
   38                    ^^^^^^^^^^^^^^^
   39  File "/usr/lib/python3.12/subprocess.py", line 571, in run
   40    raise CalledProcessError(retcode, process.args,
   41subprocess.CalledProcessError: Command '/ci_container_base/ci/scratch/build-x86_64-pc-linux-gnu/src/test/fuzz/fuzz' returned non-zero exit status 1.
   

   09730288a0cd3f33021ef00fb2d95e5216d10ab61 is the first bad commit
   1commit 9730288a0cd3f33021ef00fb2d95e5216d10ab61
   2Date:   Wed Jul 24 11:54:41 2024 +0100
   3
   4    ci: Migrate CI scripts to CMake
   

2. 
   vasild commented at 10:07 am on August 30, 2024: contributor

   0    [#0](/bitcoin-bitcoin/0/) 0x55f0c9bdeffb in SetArgs(int, char**) ci/scratch/build-x86_64-pc-linux-gnu/src/test/fuzz/util/./src/test/fuzz/fuzz.cpp:50:5
   

   https://github.com/bitcoin/bitcoin/blob/3ee1521c048a41bc1e876d90261db677ec958f72/src/test/fuzz/fuzz.cpp#L49-L50

   So argc is uninitialized? It comes from here:

   0    [#1](/bitcoin-bitcoin/1/) 0x55f0c9bdeffb in LLVMFuzzerInitialize ci/scratch/build-x86_64-pc-linux-gnu/src/test/fuzz/util/./src/test/fuzz/fuzz.cpp:216:5
   

   https://github.com/bitcoin/bitcoin/blob/3ee1521c048a41bc1e876d90261db677ec958f72/src/test/fuzz/fuzz.cpp#L214-L216

   0    [#2](/bitcoin-bitcoin/2/) 0x55f0c8f48508 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /msan/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:650:5
   

   https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/fuzzer/FuzzerDriver.cpp#L645-L651

   0    [#3](/bitcoin-bitcoin/3/) 0x55f0c8f758b2 in main /msan/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
   

   https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/fuzzer/FuzzerMain.cpp#L19-L20

   ---

   Looks bogus - how could argc be uninitialized in int main(int argc, ...)!?

   Was it compiled in a different way with cmake compared to autotools?

   ---

   Also this is puzzling:

   0  Member fields were destroyed
   1...
   2    [#4](/bitcoin-bitcoin/4/) 0x55f0c8f3ba72 in __cxx_global_var_init ci/scratch/build-x86_64-pc-linux-gnu/src/util/./src/logging.cpp:170:66
   

   https://github.com/bitcoin/bitcoin/blob/3ee1521c048a41bc1e876d90261db677ec958f72/src/logging.cpp#L170-L172

   What has LOG_CATEGORIES_BY_STR to do with argc being uninitialized?

3. 
   maflcko commented at 10:12 am on August 30, 2024: member

   The question is why does it happen when fuzz is compiled with cmake, but not when compiled with autotools?

   The report itself is likely a false positive.

4. 
   maflcko commented at 10:13 am on August 30, 2024: member

   Let me check https://github.com/bitcoin/bitcoin/pull/29837/files
5. 
   maflcko commented at 1:44 pm on August 30, 2024: member

   Ref https://github.com/bitcoin/bitcoin/issues/28570
6. 
   fanquake commented at 2:26 pm on August 30, 2024: member

   Looking at the output of an msan fuzz ci run from qa-assets: https://cirrus-ci.com/task/5304183451025408?logs=ci#L797, it looks like the C++ compiler flags line is just missing from the CMake output?:

   0Cross compiling ....................... FALSE
   1C++ compiler .......................... Clang 18.1.3, /usr/bin/clang++
   2Preprocessor defined macros ........... ABORT_ON_FAILED_ASSUME
   3Linker flags .......................... -fsanitize=memory -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer -g -O1 -fno-optimize-sibling-calls -nostdinc++ -nostdlib++ -isystem /msan/cxx_build/include/c++/v1 -L/msan/cxx_build/lib -Wl,-rpath,/msan/cxx_build/lib -lc++ -lc++abi -lpthread -Wno-unused-command-line-argument -O2 -g -fsanitize=fuzzer,memory -fstack-protector-all -fcf-protection=full -fstack-clash-protection -Wl,-z,relro -Wl,-z,now -Wl,-z,separate-code -fPIE -pie
   

   Not sure why that would happen, but I’m assuming that is related.

7. 
   maflcko commented at 3:35 pm on August 30, 2024: member

   Yeah, an alternative to get them may be --verbose. I’ll try that next week.
8. 
   hebasto commented at 4:30 am on August 31, 2024: member

   Looking at the output of an msan fuzz ci run from qa-assets: https://cirrus-ci.com/task/5304183451025408?logs=ci#L797, it looks like the C++ compiler flags line is just missing from the CMake output?:

   0Cross compiling ....................... FALSE
   1C++ compiler .......................... Clang 18.1.3, /usr/bin/clang++
   2Preprocessor defined macros ........... ABORT_ON_FAILED_ASSUME
   3Linker flags .......................... -fsanitize=memory -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer -g -O1 -fno-optimize-sibling-calls -nostdinc++ -nostdlib++ -isystem /msan/cxx_build/include/c++/v1 -L/msan/cxx_build/lib -Wl,-rpath,/msan/cxx_build/lib -lc++ -lc++abi -lpthread -Wno-unused-command-line-argument -O2 -g -fsanitize=fuzzer,memory -fstack-protector-all -fcf-protection=full -fstack-clash-protection -Wl,-z,relro -Wl,-z,now -Wl,-z,separate-code -fPIE -pie
   

   Not sure why that would happen, but I’m assuming that is related.

   https://cirrus-ci.com/task/5304183451025408:

   0Cross compiling ....................... FALSE
   1C++ compiler .......................... Clang 18.1.3, /usr/bin/clang++
   2CMAKE_BUILD_TYPE ...................... RelWithDebInfo
   3Preprocessor defined macros ........... ABORT_ON_FAILED_ASSUME
   4C++ compiler flags .................... -fsanitize=memory -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer -g -O1 -fno-optimize-sibling-calls -nostdinc++ -nostdlib++ -isystem /msan/cxx_build/include/c++/v1 -L/msan/cxx_build/lib -Wl,-rpath,/msan/cxx_build/lib -lc++ -lc++abi -lpthread -Wno-unused-command-line-argument -O2 -g -std=c++20 -fPIC -fdebug-prefix-map=/ci_container_base=. -fmacro-prefix-map=/ci_container_base=. -Werror -fsanitize=fuzzer,memory -Wall -Wextra -Wgnu -Wformat -Wformat-security -Wvla -Wshadow-field -Wthread-safety -Wloop-analysis -Wredundant-decls -Wunused-member-function -Wdate-time -Wconditional-uninitialized -Woverloaded-virtual -Wsuggest-override -Wimplicit-fallthrough -Wunreachable-code -Wdocumentation -Wself-assign -Wundef -Wno-unused-parameter -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -Wstack-protector -fstack-protector-all -fcf-protection=full -fstack-clash-protection -DBOOST_MULTI_INDEX_ENABLE_SAFE_MODE -U_FORTIFY_SOURCE
   5Linker flags .......................... -fsanitize=memory -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer -g -O1 -fno-optimize-sibling-calls -nostdinc++ -nostdlib++ -isystem /msan/cxx_build/include/c++/v1 -L/msan/cxx_build/lib -Wl,-rpath,/msan/cxx_build/lib -lc++ -lc++abi -lpthread -Wno-unused-command-line-argument -O2 -g -fsanitize=fuzzer,memory -fstack-protector-all -fcf-protection=full -fstack-clash-protection -Wl,-z,relro -Wl,-z,now -Wl,-z,separate-code -fPIE -pie
   

9. fanquake closed this on Sep 3, 2024

   ---

10. fanquake referenced this in commit 9cb9651d92 on Sep 3, 2024

Contributors
maflcko vasild fanquake hebasto