fuzz: connman target: terminate called after throwing an instance of ‘std::bad_alloc’ #31234

issue maflcko opened this issue on November 6, 2024
  1. maflcko commented at 5:35 pm on November 6, 2024: member

    Base64 reproducer:

    XP//////////BiAgICBbICAHAADg/4Hf394gICAgICAgIAAgICAgIHb/FiAgICAgdGggtyAgICCB
    CAQAIDAXIAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAgYGBgYGB7QH//2ZoZWNrcHRhYWFhYWFhl2Fh
    YWFhYWFhYWFhYWFhYWFhYWFhYWFhYQAAAAAAAFxjYWFhYWFhYWFcdIFhYWFhZHJh9xP3ExPAE8BA
    7/cTwBP3ExP398D3AQAAAAAAAASBgYGBgYHtAf///WdldGNmaGVja3B0YWFhYWFhYWFhl2FhYWFh
    YWFhYWFhYWFhYWFhYWFhYWFhYQ==
    
    $ sha1sum ./crash && FUZZ=connman ./bld/src/test/fuzz/fuzz ./crash
    c0f5ddd240439f74d6eac83bbb67115b1ad1d209  ./crash
    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 4221650549
    INFO: Loaded 1 modules   (379889 inline 8-bit counters): 379889 [0x5ebd0d22d8e0, 0x5ebd0d28a4d1),
    INFO: Loaded 1 PC tables (379889 PCs): 379889 [0x5ebd0d28a4d8,0x5ebd0d8563e8),
    ./bld/src/test/fuzz/fuzz: Running 1 inputs 1 time(s) each.
    Running: ./crash
    terminate called after throwing an instance of 'std::bad_alloc'
      what():  std::bad_alloc
    ==3597798== ERROR: libFuzzer: deadly signal
        #0 0x5ebd0be47f08 in __sanitizer_print_stack_trace (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x9bdf08) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
        #1 0x5ebd0be1a1bc in fuzzer::PrintStackTrace() (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x9901bc) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
        #2 0x5ebd0bdff267 in fuzzer::Fuzzer::CrashCallback() (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x975267) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
        #3 0x75d5b704531f  (/lib/x86_64-linux-gnu/libc.so.6+0x4531f) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
        #4 0x75d5b709eb1b in pthread_kill (/lib/x86_64-linux-gnu/libc.so.6+0x9eb1b) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
        #5 0x75d5b704526d in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4526d) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
        #6 0x75d5b70288fe in abort (/lib/x86_64-linux-gnu/libc.so.6+0x288fe) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
        #7 0x75d5b76a5ff4  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa5ff4) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
        #8 0x75d5b76bb0d9  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xbb0d9) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
        #9 0x75d5b76a5a54 in std::terminate() (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa5a54) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
        #10 0x75d5b76bb390 in __cxa_throw (/lib/x86_64-linux-gnu/libstdc++.so.6+0xbb390) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
        #11 0x75d5b76a5ac7  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xa5ac7) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
        #12 0x5ebd0c7d8d8e in std::__new_allocator<CAddress>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:151:27
        #13 0x5ebd0c7d8d8e in std::allocator<CAddress>::allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/allocator.h:198:32
        #14 0x5ebd0c7d8d8e in std::allocator_traits<std::allocator<CAddress>>::allocate(std::allocator<CAddress>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:482:20
        #15 0x5ebd0c7d8d8e in std::_Vector_base<CAddress, std::allocator<CAddress>>::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_vector.h:381:20
        #16 0x5ebd0c7d8d8e in std::vector<CAddress, std::allocator<CAddress>>::reserve(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/vector.tcc:79:22
        #17 0x5ebd0c7d8d8e in AddrManImpl::GetAddr_(unsigned long, unsigned long, std::optional<Network>, bool) const bld/src/./src/addrman.cpp:827:15
        #18 0x5ebd0c7df451 in AddrManImpl::GetAddr(unsigned long, unsigned long, std::optional<Network>, bool) const bld/src/./src/addrman.cpp:1231:22
        #19 0x5ebd0c7e8a7a in AddrMan::GetAddr(unsigned long, unsigned long, std::optional<Network>, bool) const bld/src/./src/addrman.cpp:1332:20
        #20 0x5ebd0c8b6311 in CConnman::GetAddresses(unsigned long, unsigned long, std::optional<Network>, bool) const bld/src/./src/net.cpp:3438:47
        #21 0x5ebd0c8b6cb4 in CConnman::GetAddresses(CNode&, unsigned long, unsigned long) bld/src/./src/net.cpp:3461:46
        #22 0x5ebd0bf19d2f in connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_12::operator()() const bld/src/test/fuzz/./src/test/fuzz/connman.cpp:120:31
        #23 0x5ebd0bf19d2f in unsigned long CallOneOf<connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_2, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_3, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_4, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_5, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_6, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_7, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_8, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_9, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_10, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_0, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_1, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_11, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_12, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_13, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_14, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_15, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_16, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_17, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_18, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_19>(FuzzedDataProvider&, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_2, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_3, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_4, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_5, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_6, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_7, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_8, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_9, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_10, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_0, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_1, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_11, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_12, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_13, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_14, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_15, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_16, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_17, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_18, connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>)::$_19) bld/src/test/fuzz/./src/test/fuzz/util.h:42:27
        #24 0x5ebd0bf19d2f in connman_fuzz_target(std::span<unsigned char const, 18446744073709551615ul>) bld/src/test/fuzz/./src/test/fuzz/connman.cpp:76:9
        #25 0x5ebd0c18fe93 in std::function<void (std::span<unsigned char const, 18446744073709551615ul>)>::operator()(std::span<unsigned char const, 18446744073709551615ul>) const /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:591:9
        #26 0x5ebd0c18fe93 in LLVMFuzzerTestOneInput bld/src/test/fuzz/util/./src/test/fuzz/fuzz.cpp:211:5
        #27 0x5ebd0be0083f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x97683f) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
        #28 0x5ebd0bde8533 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x95e533) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
        #29 0x5ebd0bdee6e1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x9646e1) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
        #30 0x5ebd0be1ad26 in main (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x990d26) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)
        #31 0x75d5b702a1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
        #32 0x75d5b702a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
        #33 0x5ebd0bde2c84 in _start (/root/fuzz_dir_nosan/scratch/fuzz_gen/code/bld/src/test/fuzz/fuzz+0x958c84) (BuildId: d2b9dd90cecdb569dc1f9fffe51cb04f92ef4f5b)

    NOTE: libFuzzer has rudimentary signal handlers.
          Combine libFuzzer with AddressSanitizer or similar for better crash reports.
    SUMMARY: libFuzzer: deadly signal
    
  2. maflcko added the label Tests on Nov 6, 2024
  3. brunoerg commented at 5:52 pm on November 6, 2024: contributor
    Working on it. We should limit max_addresses and max_pct.
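The trace above ends in `std::vector<CAddress>::reserve` inside `AddrManImpl::GetAddr_`, reached with `max_addresses` and `max_pct` taken straight from the fuzz input. The following C++ is an added illustration of that failure mode and of the harness-side bounding brunoerg's comment points at; it is not the project's code and not the fix that closed this issue. `FakeAddress`, the arithmetic in `ComputeReserveCount` (an assumed shape for how a count is derived from a table size, a percentage and a cap) and the 4096/100 limits in `BoundForHarness` are all assumptions made for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>
#include <stdexcept>
#include <vector>

// Stand-in for CAddress; only its size matters for what reserve() requests.
// Constructed for this example, not the project's type.
struct FakeAddress {
    unsigned char bytes[48];
};

// Assumed shape of the sizing step that precedes reserve() in the trace:
// scale the table size by a percentage, then cap it. Not a copy of the
// project's GetAddr_.
std::size_t ComputeReserveCount(std::size_t table_size, std::size_t max_addresses, std::size_t max_pct)
{
    std::size_t n = table_size;
    if (max_pct != 0) {
        // Nothing enforces that max_pct is a percentage: a huge value either
        // wraps the unsigned product or simply yields a huge count.
        n = max_pct * n / 100;
    }
    if (max_addresses != 0) {
        n = std::min(n, max_addresses);
    }
    return n;
}

// True if reserve(n) succeeds; false if the request is refused. reserve()
// throws std::bad_alloc when the allocator cannot satisfy the request and
// std::length_error when n exceeds vector::max_size().
bool ReserveSucceeds(std::size_t n)
{
    try {
        std::vector<FakeAddress> addresses;
        addresses.reserve(n);
        return true;
    } catch (const std::bad_alloc&) {
        return false;
    } catch (const std::length_error&) {
        return false;
    }
}

// Harness-side bounding: raw fuzzer-provided values are reduced to the range
// the parameters actually mean before they reach the code under test.
// The limits are assumed for this example.
constexpr std::size_t kHarnessMaxAddresses = 4096;
constexpr std::size_t kHarnessMaxPct = 100;

struct BoundedParams {
    std::size_t max_addresses;
    std::size_t max_pct;
};

BoundedParams BoundForHarness(std::size_t raw_max_addresses, std::size_t raw_max_pct)
{
    return BoundedParams{std::min(raw_max_addresses, kHarnessMaxAddresses),
                         std::min(raw_max_pct, kHarnessMaxPct)};
}

int main()
{
    const std::size_t table_size = 1000; // constructed: entries in the address table
    const std::size_t raw = SIZE_MAX;    // the kind of value an unbounded fuzz input yields

    // Unbounded: the percentage multiplies the table size into ~1.8e17 entries,
    // and reserve() asks for ~8.8e18 bytes.
    std::size_t n = ComputeReserveCount(table_size, /*max_addresses=*/0, /*max_pct=*/raw);
    std::printf("unbounded: reserve(%zu) -> %s\n", n, ReserveSucceeds(n) ? "ok" : "refused");

    // Same raw input after the harness bounds it.
    const BoundedParams p = BoundForHarness(raw, raw);
    n = ComputeReserveCount(table_size, p.max_addresses, p.max_pct);
    std::printf("bounded:   reserve(%zu) -> %s\n", n, ReserveSucceeds(n) ? "ok" : "refused");
    return 0;
}
```

In a real libFuzzer harness the bounded value would be drawn with `FuzzedDataProvider::ConsumeIntegralInRange` rather than clamped with `std::min`, so that the fuzzer keeps exploring the whole legal range instead of collapsing every large input onto the limit. Note that the exception escapes as `std::terminate` because nothing on the path catches it; without a sanitizer build, libFuzzer only reports the resulting abort as a "deadly signal", which is what the trace shows.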
  4. fanquake closed this on Nov 13, 2024

  5. fanquake referenced this in commit 36f5effa17 on Nov 13, 2024
  6. bitcoin locked this on Nov 13, 2025



Labels
Tests


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-11-28 03:13 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me