Failure to run Fuzz tests when running with corpus #32089

issue Prabhat1308 opened this issue on March 18, 2025
  1. Prabhat1308 commented at 9:05 am on March 18, 2025: none

    Is there an existing issue for this?

    • I have searched the existing issues

    Current behaviour

    Running the fuzz tests with a fuzz corpus raises an error:

    FUZZ=process_message build_fuzz/bin/fuzz qa-assets/fuzz_corpora/process_message/
    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 64371175
    INFO: Loaded 1 modules   (1252320 inline 8-bit counters): 1252320 [0x1061c8000, 0x1062f9be0),
    INFO: Loaded 1 PC tables (1252320 PCs): 1252320 [0x1062f9be0,0x1076159e0),
    =================================================================
    ==36574==ERROR: AddressSanitizer: container-overflow on address 0x60800002c268 at pc 0x000102074ef4 bp 0x00016ddd26e0 sp 0x00016ddd26d8
    WRITE of size 8 at 0x60800002c268 thread T0
        #0 0x000102074ef0 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::__init_copy_ctor_external(char const*, unsigned long)+0x1c4 (fuzz:arm64+0x100048ef0)
        #1 0x0001057b34f8 in fuzzer::ListFilesInDirRecursive(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, long*, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>*, bool)+0x26c (fuzz:arm64+0x1037874f8)
        #2 0x0001057b27c0 in fuzzer::GetSizedFilesFromDir(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::vector<fuzzer::SizedFile, std::__1::allocator<fuzzer::SizedFile>>*)+0x2c (fuzz:arm64+0x1037867c0)
        #3 0x0001057ae338 in fuzzer::ReadCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&)+0x4c (fuzz:arm64+0x103782338)
        #4 0x0001057ae1a0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x1dbc (fuzz:arm64+0x1037821a0)
        #5 0x0001057c1aa8 in main+0x24 (fuzz:arm64+0x103795aa8)
        #6 0x00018ce70270  (<unknown module>)
        #7 0xf3547ffffffffffc  (<unknown module>)

    0x60800002c268 is located 72 bytes inside of 96-byte region [0x60800002c220,0x60800002c280)
    allocated by thread T0 here:
        #0 0x0001094d92c4 in _Znwm+0x6c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x612c4)
        #1 0x0001025f0a5c in std::__1::__split_buffer<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&)+0xf0 (fuzz:arm64+0x1005c4a5c)
        #2 0x000102943a48 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>* std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>::__push_back_slow_path<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&)+0x244 (fuzz:arm64+0x100917a48)
        #3 0x0001057b3468 in fuzzer::ListFilesInDirRecursive(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, long*, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>*, bool)+0x1dc (fuzz:arm64+0x103787468)
        #4 0x0001057b27c0 in fuzzer::GetSizedFilesFromDir(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::vector<fuzzer::SizedFile, std::__1::allocator<fuzzer::SizedFile>>*)+0x2c (fuzz:arm64+0x1037867c0)
        #5 0x0001057ae338 in fuzzer::ReadCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&)+0x4c (fuzz:arm64+0x103782338)
        #6 0x0001057ae1a0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x1dbc (fuzz:arm64+0x1037821a0)
        #7 0x0001057c1aa8 in main+0x24 (fuzz:arm64+0x103795aa8)
        #8 0x00018ce70270  (<unknown module>)
        #9 0xf3547ffffffffffc  (<unknown module>)

    HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
    If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
    SUMMARY: AddressSanitizer: container-overflow (fuzz:arm64+0x100048ef0) in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::__init_copy_ctor_external(char const*, unsigned long)+0x1c4
    Shadow bytes around the buggy address:
      0x60800002bf80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x60800002c000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x60800002c080: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x60800002c100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x60800002c180: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x60800002c200: fa fa fa fa 00 00 00 00 00 00 00 00 00[fc]fc fc
      0x60800002c280: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x60800002c300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x60800002c380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x60800002c400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x60800002c480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==36574==ABORTING
    [3]    36574 abort      FUZZ=process_message build_fuzz/bin/fuzz
    

    When running without a corpus, the fuzz test runs fine.

    FUZZ=process_message build_fuzz/bin/fuzz
    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 85124989
    INFO: Loaded 1 modules   (1252320 inline 8-bit counters): 1252320 [0x10672c000, 0x10685dbe0),
    INFO: Loaded 1 PC tables (1252320 PCs): 1252320 [0x10685dbe0,0x107b799e0),
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
    INFO: A corpus is not provided, starting from an empty corpus
    #2      INITED cov: 2748 ft: 2747 corp: 1/1b exec/s: 0 rss: 193Mb
    #6      NEW    cov: 2754 ft: 2848 corp: 2/2b lim: 4 exec/s: 0 rss: 193Mb L: 1/1 MS: 4 ChangeBinInt-ChangeBit-CopyPart-ChangeByte-
    #8      NEW    cov: 2754 ft: 2851 corp: 3/4b lim: 4 exec/s: 0 rss: 194Mb L: 2/2 MS: 2 CopyPart-InsertByte-
    #11     NEW    cov: 2757 ft: 2858 corp: 4/5b lim: 4 exec/s: 0 rss: 194Mb L: 1/2 MS: 3 ChangeBit-ChangeBinInt-ChangeBit-
    #26     NEW    cov: 2757 ft: 2859 corp: 5/7b lim: 4 exec/s: 0 rss: 194Mb L: 2/2 MS: 5 CrossOver-ChangeBit-ChangeByte-CrossOver-CrossOver-
    #27     NEW    cov: 2758 ft: 2878 corp: 6/8b lim: 4 exec/s: 0 rss: 194Mb L: 1/2 MS: 1 ChangeByte-
    #53     NEW    cov: 2758 ft: 2879 corp: 7/12b lim: 4 exec/s: 0 rss: 195Mb L: 4/4 MS: 1 CopyPart-
    #278    NEW    cov: 2759 ft: 2881 corp: 8/17b lim: 6 exec/s: 0 rss: 198Mb L: 5/5 MS: 5 ShuffleBytes-ChangeByte-EraseBytes-CrossOver-CrossOver-
    #364    NEW    cov: 2759 ft: 2882 corp: 9/18b lim: 6 exec/s: 0 rss: 200Mb L: 1/5 MS: 1 ChangeByte-
    #615    NEW    cov: 2759 ft: 2890 corp: 10/20b lim: 8 exec/s: 0 rss: 204Mb L: 2/5 MS: 1 InsertByte-
    #657    NEW    cov: 2759 ft: 2892 corp: 11/27b lim: 8 exec/s: 0 rss: 204Mb L: 7/7 MS: 2 ChangeByte-CopyPart-
    #692    NEW    cov: 2759 ft: 2893 corp: 12/34b lim: 8 exec/s: 0 rss: 205Mb L: 7/7 MS: 5 InsertRepeatedBytes-InsertByte-EraseBytes-ChangeBinInt-InsertRepeatedBytes-
    #1013   NEW    cov: 2759 ft: 2895 corp: 13/45b lim: 11 exec/s: 0 rss: 210Mb L: 11/11 MS: 1 InsertRepeatedBytes-
    #1341   NEW    cov: 2764 ft: 2901 corp: 14/58b lim: 14 exec/s: 0 rss: 215Mb L: 13/13 MS: 3 ChangeByte-InsertRepeatedBytes-InsertRepeatedBytes-
    #1347   NEW    cov: 2765 ft: 2902 corp: 15/61b lim: 14 exec/s: 0 rss: 215Mb L: 3/13 MS: 1 CrossOver-
    #1378   NEW    cov: 2765 ft: 2905 corp: 16/75b lim: 14 exec/s: 0 rss: 216Mb L: 14/14 MS: 1 InsertByte-
    #1716   NEW    cov: 2765 ft: 2908 corp: 17/91b lim: 17 exec/s: 0 rss: 221Mb L: 16/16 MS: 3 CrossOver-InsertRepeatedBytes-InsertRepeatedBytes-
    #1754   NEW    cov: 2765 ft: 2911 corp: 18/106b lim: 17 exec/s: 0 rss: 222Mb L: 15/16 MS: 3 InsertByte-ChangeBit-CopyPart-
    #1982   NEW    cov: 2766 ft: 2912 corp: 19/110b lim: 17 exec/s: 0 rss: 226Mb L: 4/16 MS: 3 ChangeBit-EraseBytes-ChangeBit-
    #2405   NEW    cov: 2767 ft: 2915 corp: 20/130b lim: 21 exec/s: 0 rss: 232Mb L: 20/20 MS: 3 InsertByte-InsertRepeatedBytes-InsertRepeatedBytes-
    #2418   NEW    cov: 2769 ft: 2917 corp: 21/151b lim: 21 exec/s: 0 rss: 233Mb L: 21/21 MS: 3 InsertRepeatedBytes-InsertByte-CrossOver-
    #2629   REDUCE cov: 2769 ft: 2917 corp: 21/150b lim: 21 exec/s: 0 rss: 236Mb L: 6/21 MS: 1 EraseBytes-
            NEW_FUNC[1/19]: 0x0001034cb5bc in CNetAddr::IsRFC1918() const+0x0 (fuzz:arm64+0x100f3b5bc)
            NEW_FUNC[2/19]: 0x0001034cbd94 in CNetAddr::IsRFC2544() const+0x0 (fuzz:arm64+0x100f3bd94)
    #3051   NEW    cov: 2881 ft: 3227 corp: 22/173b lim: 25 exec/s: 0 rss: 244Mb L: 23/23 MS: 2 InsertRepeatedBytes-InsertRepeatedBytes-
    #3071   REDUCE cov: 2881 ft: 3227 corp: 22/170b lim: 25 exec/s: 0 rss: 244Mb L: 3/23 MS: 5 ChangeBit-CrossOver-CMP-CrossOver-EraseBytes- DE: "\377\377\377\377"-
            NEW_FUNC[1/11]: 0x0001025a7a5c in std::__1::vector<unsigned char, std::__1::allocator<unsigned char>>::shrink_to_fit()+0x0 (fuzz:arm64+0x100017a5c)
            NEW_FUNC[2/11]: 0x0001025a8070 in std::__1::vector<unsigned char, 
    

    Expected behaviour

    To run the fuzz tests without any error and relevant log output.

    Steps to reproduce

    git clone https://github.com/bitcoin-core/qa-assets
    cmake --preset=libfuzzer \
       -DCMAKE_C_COMPILER="$(brew --prefix llvm)/bin/clang" \
       -DCMAKE_CXX_COMPILER="$(brew --prefix llvm)/bin/clang++" \
       -DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld"
    cmake --build build_fuzz -j$(sysctl -n hw.ncpu)
    FUZZ=process_message build_fuzz/bin/fuzz qa-assets/fuzz_corpora/process_message/
    

    Relevant log output

    NA

    How did you obtain Bitcoin Core

    Compiled from source

    What version of Bitcoin Core are you using?

    master @83a9e55ae1

    Operating system and version

    MacOS 15.3.1

    Machine specifications

    No response

  2. Prabhat1308 commented at 9:08 am on March 18, 2025: none

    I tried running with

    ASAN_OPTIONS=detect_container_overflow=0 FUZZ=process_message build_fuzz/bin/fuzz qa-assets/fuzz_corpora/process_message/
    

    It crashes with the following log:

    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 917199606
    INFO: Loaded 1 modules   (1252320 inline 8-bit counters): 1252320 [0x109024000, 0x109155be0),
    INFO: Loaded 1 PC tables (1252320 PCs): 1252320 [0x109155be0,0x10a4719e0),
    INFO:     4126 files found in qa-assets/fuzz_corpora/process_message/
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 981836 bytes
    INFO: seed corpus: files: 4126 min: 1b max: 981836b total: 141648651b rss: 195Mb
    libc++abi: terminating due to uncaught exception of type std::__1::ios_base::failure: DataStream::read(): end of data: unspecified iostream_category error
    ==36931== ERROR: libFuzzer: deadly signal
        #0 0x00010c34d248 in __sanitizer_print_stack_trace+0x28 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x5d248)
        #1 0x00010861d0a4 in fuzzer::PrintStackTrace()+0x2c (fuzz:arm64+0x1037950a4)
        #2 0x000108610a58 in fuzzer::Fuzzer::CrashCallback()+0x54 (fuzz:arm64+0x103788a58)
        #3 0x00018d226de0 in _sigtramp+0x34 (libsystem_platform.dylib:arm64+0x3de0)
        #4 0x9e2380018d1eff6c  (<unknown module>)
        #5 0xc23900018d0fc904  (<unknown module>)
        #6 0x493e80018d1a6448  (<unknown module>)
        #7 0x166a80018d194a20  (<unknown module>)
        #8 0xfc5480018ce3d3f0  (<unknown module>)
        #9 0x135b80018d1a570c  (<unknown module>)
        #10 0xd05000018d1a8cd8  (<unknown module>)
        #11 0x633f80018d1a8c80  (<unknown module>)
        #12 0x9a7e0001050aac24  (<unknown module>)
        #13 0x0001050bf008 in unsigned long long ReadCompactSize<DataStream>(DataStream&, bool)+0x110 (fuzz:arm64+0x100237008)
        #14 0x000107720fbc in void VectorFormatter<DefaultFormatter>::Unser<DataStream, std::__1::vector<CInv, std::__1::allocator<CInv>>>(DataStream&, std::__1::vector<CInv, std::__1::allocator<CInv>>&)+0x1e8 (fuzz:arm64+0x102898fbc)
        #15 0x000107652d3c in (anonymous namespace)::PeerManagerImpl::ProcessMessage(CNode&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, DataStream&, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000l>>, std::__1::atomic<bool> const&)+0x3cb4 (fuzz:arm64+0x1027cad3c)
        #16 0x00010767f794 in (anonymous namespace)::PeerManagerImpl::ProcessMessages(CNode*, std::__1::atomic<bool>&)+0x24b0 (fuzz:arm64+0x1027f7794)
        #17 0x000105647fa0 in process_message_fuzz_target(std::__1::span<unsigned char const, 18446744073709551615ul>)+0xaf8 (fuzz:arm64+0x1007bffa0)
        #18 0x000105b366ec in LLVMFuzzerTestOneInput+0x198 (fuzz:arm64+0x100cae6ec)
        #19 0x000108612004 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)+0x12c (fuzz:arm64+0x10378a004)
        #20 0x000108611884 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*)+0x3c (fuzz:arm64+0x103789884)
        #21 0x0001086133c4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, std::__1::allocator<fuzzer::SizedFile>>&)+0x470 (fuzz:arm64+0x10378b3c4)
        #22 0x0001086137fc in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, std::__1::allocator<fuzzer::SizedFile>>&)+0x98 (fuzz:arm64+0x10378b7fc)
        #23 0x00010860a1b4 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x1dd0 (fuzz:arm64+0x1037821b4)
        #24 0x00010861daa8 in main+0x24 (fuzz:arm64+0x103795aa8)
        #25 0x00018ce70270  (<unknown module>)
        #26 0x475cfffffffffffc  (<unknown module>)

    NOTE: libFuzzer has rudimentary signal handlers.
          Combine libFuzzer with AddressSanitizer or similar for better crash reports.
    SUMMARY: libFuzzer: deadly signal
    MS: 0 ; base unit: 0000000000000000000000000000000000000000
    0x67,0x65,0x74,0x64,0x61,0x74,0x61,0x0,0x0,0x0,0x0,0x0,0x0,0x80,0x91,0x28,0x67,0x1,0x5c,0x9,0x5c,0x78,0x1,0x0,0x5e,0x78,0xc0,0x87,0x27,0xd8,0x9c,0xff,0xff,0xff,0xff,0x0,0xff,0xff,0x0,0x47,0x8b,0x0,0x82,0x7d,0x8b,0x7d,0x82,0x7d,0x82,0x1,0x0,0x0,0x0,0xa1,0x7d,0x82,0x7d,0xff,0xff,0xe9,0x7d,0x0,0x8b,0x8b,0x0,0x82,0xff,0xff,0x7d,0x7e,0x7d,0x82,0x1,0x0,0x0,0x0,0x73,0x65,0x6e,0x64,0x61,0x64,0x64,0x1c,0x0,0xb5,
    getdata\000\000\000\000\000\000\200\221(g\001\\\011\\x\001\000^x\300\207'\330\234\377\377\377\377\000\377\377\000G\213\000\202}\213}\202}\202\001\000\000\000\241}\202}\377\377\351}\000\213\213\000\202\377\377}~}\202\001\000\000\000sendadd\034\000\265
    artifact_prefix='./'; Test unit written to ./crash-88926609e7277110e77b9c19c108b9df4835d6e7
    Base64: Z2V0ZGF0YQAAAAAAAICRKGcBXAlceAEAXnjAhyfYnP////8A//8AR4sAgn2LfYJ9ggEAAAChfYJ9///pfQCLiwCC//99fn2CAQAAAHNlbmRhZGQcALU=
    

    However, this seems to be specific to the process_message target only. When I run it with tx_package_eval, it works fine.

    ASAN_OPTIONS=detect_container_overflow=0 FUZZ=tx_package_eval build_fuzz/bin/fuzz  qa-assets/fuzz_corpora/tx_package_eval

    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 1122799189
    INFO: Loaded 1 modules   (1252320 inline 8-bit counters): 1252320 [0x106cdc000, 0x106e0dbe0),
    INFO: Loaded 1 PC tables (1252320 PCs): 1252320 [0x106e0dbe0,0x1081299e0),
    INFO:     2435 files found in qa-assets/fuzz_corpora/tx_package_eval
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 999203 bytes
    INFO: seed corpus: files: 2435 min: 1b max: 999203b total: 112736936b rss: 192Mb
    #1024   pulse  cov: 12171 ft: 64557 corp: 629/83Kb exec/s: 256 rss: 286Mb
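
The uncaught `DataStream::read(): end of data` exception in the trace above is thrown from `ReadCompactSize` while `VectorFormatter::Unser` deserializes a `vector<CInv>` (the `getdata`/`inv` payload) inside `ProcessMessage`. As an added illustration that is not Bitcoin Core's code, the following self-contained C++ mirrors that path: a bounded byte cursor that throws the same `std::ios_base::failure` on over-read, a CompactSize decoder with the canonical-encoding and `MAX_SIZE` checks Core applies, and an inventory-vector decoder whose allocation is capped by the bytes actually present. The `example` namespace, `MakeInvPayload`, `TryDecode` and the sample payloads are constructed for this example and are not the project's API.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstring>
#include <ios>
#include <string>
#include <utility>
#include <vector>

namespace example {

// Default upper bound that Bitcoin Core's ReadCompactSize enforces (MAX_SIZE).
constexpr uint64_t MAX_SIZE = 0x02000000;

// Byte cursor that throws std::ios_base::failure on over-read, as DataStream does.
class DataStream {
public:
    explicit DataStream(std::vector<uint8_t> data) : m_data(std::move(data)) {}

    void read(uint8_t* dst, size_t n) {
        if (n > remaining()) throw std::ios_base::failure("DataStream::read(): end of data");
        std::memcpy(dst, m_data.data() + m_pos, n);
        m_pos += n;
    }

    // Little-endian fixed-width integer read.
    template <typename T> T ReadLE() {
        uint8_t buf[sizeof(T)];
        read(buf, sizeof(T));
        uint64_t v = 0;
        for (size_t i = 0; i < sizeof(T); ++i) v |= static_cast<uint64_t>(buf[i]) << (8 * i);
        return static_cast<T>(v);
    }

    size_t remaining() const { return m_data.size() - m_pos; }

private:
    std::vector<uint8_t> m_data;
    size_t m_pos{0};
};

// CompactSize decoder: 1 byte below 253, otherwise a marker byte followed by a
// 2/4/8-byte little-endian value, which must use the shortest possible form.
uint64_t ReadCompactSize(DataStream& s) {
    const uint8_t first = s.ReadLE<uint8_t>();
    uint64_t n;
    if (first < 253) {
        n = first;
    } else if (first == 253) {
        n = s.ReadLE<uint16_t>();
        if (n < 253) throw std::ios_base::failure("non-canonical ReadCompactSize()");
    } else if (first == 254) {
        n = s.ReadLE<uint32_t>();
        if (n < 0x10000u) throw std::ios_base::failure("non-canonical ReadCompactSize()");
    } else {
        n = s.ReadLE<uint64_t>();
        if (n < 0x100000000ULL) throw std::ios_base::failure("non-canonical ReadCompactSize()");
    }
    if (n > MAX_SIZE) throw std::ios_base::failure("ReadCompactSize(): size too large");
    return n;
}

// Inventory entry as carried by getdata/inv: 4-byte type + 32-byte hash.
struct CInv {
    uint32_t type;
    std::array<uint8_t, 32> hash;
};
constexpr size_t CINV_SIZE = 36;

// Decodes the vector<CInv> payload. The reserve() is capped by the bytes actually
// present, so a hostile count cannot force a large allocation; a short payload
// surfaces as the end-of-data failure instead of an out-of-bounds read.
std::vector<CInv> UnserializeInvVector(DataStream& s) {
    const uint64_t count = ReadCompactSize(s);
    std::vector<CInv> out;
    out.reserve(static_cast<size_t>(std::min<uint64_t>(count, s.remaining() / CINV_SIZE)));
    for (uint64_t i = 0; i < count; ++i) {
        CInv inv;
        inv.type = s.ReadLE<uint32_t>();
        s.read(inv.hash.data(), inv.hash.size());
        out.push_back(inv);
    }
    return out;
}

// Constructed sample payload: a declared count (kept below 253 so the CompactSize
// is one byte) followed by `present` MSG_TX (type 1) entries with dummy hashes.
std::vector<uint8_t> MakeInvPayload(uint8_t declared_count, size_t present) {
    std::vector<uint8_t> out{declared_count};
    for (size_t i = 0; i < present; ++i) {
        out.insert(out.end(), {0x01, 0x00, 0x00, 0x00});
        for (int b = 0; b < 32; ++b) out.push_back(static_cast<uint8_t>(i + b));
    }
    return out;
}

// Returns "ok:<n>" on success or the failure's what() text, so callers can inspect it.
std::string TryDecode(std::vector<uint8_t> payload) {
    try {
        DataStream s(std::move(payload));
        const auto invs = UnserializeInvVector(s);
        return "ok:" + std::to_string(invs.size());
    } catch (const std::ios_base::failure& e) {
        return e.what();
    }
}

} // namespace example
```

`TryDecode` returns the exception's `what()` rather than a fixed string because, as the log above shows, the C++ runtime appends its own category text (`: unspecified iostream_category error` on libc++), so callers should match on the `end of data` substring. Feeding it `MakeInvPayload(2, 1)` (count 2, one entry present) reproduces the truncated-read failure path from the trace on a few bytes of constructed input.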
    
  3. brunoerg commented at 1:03 pm on March 18, 2025: contributor

    I could reproduce it following the same steps on macOS 14.3:

    FUZZ=process_message build_fuzz/bin/fuzz qa-assets/fuzz_corpora/process_message/
    fuzz(56832,0x1e31a5c40) malloc: nano zone abandoned due to inability to reserve vm space.
    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 2192399851
    INFO: Loaded 1 modules   (1252322 inline 8-bit counters): 1252322 [0x104c38000, 0x104d69be2),
    INFO: Loaded 1 PC tables (1252322 PCs): 1252322 [0x104d69be8,0x106085a08),
    =================================================================
    ==56832==ERROR: AddressSanitizer: container-overflow on address 0x60800002ca68 at pc 0x000100adcef4 bp 0x00016f36aa20 sp 0x00016f36aa18
    WRITE of size 8 at 0x60800002ca68 thread T0
        #0 0x000100adcef0 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::__init_copy_ctor_external(char const*, unsigned long)+0x1c4 (fuzz:arm64+0x100048ef0)
        #1 0x00010421b5bc in fuzzer::ListFilesInDirRecursive(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, long*, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>*, bool)+0x26c (fuzz:arm64+0x1037875bc)
        #2 0x00010421a884 in fuzzer::GetSizedFilesFromDir(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::vector<fuzzer::SizedFile, std::__1::allocator<fuzzer::SizedFile>>*)+0x2c (fuzz:arm64+0x103786884)
        #3 0x0001042163fc in fuzzer::ReadCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&)+0x4c (fuzz:arm64+0x1037823fc)
        #4 0x000104216264 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x1dbc (fuzz:arm64+0x103782264)
        #5 0x000104229b6c in main+0x24 (fuzz:arm64+0x103795b6c)
        #6 0x00018c5590dc  (<unknown module>)
        #7 0x9f697ffffffffffc  (<unknown module>)
    

    For reference: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow#false-positives

  4. maflcko added the label macOS on Mar 18, 2025
  5. maflcko added the label Tests on Mar 18, 2025
  6. maflcko added the label Upstream on Mar 18, 2025
  7. maflcko commented at 1:08 pm on March 18, 2025: member
    I presume the libfuzzer-nosan preset works fine?
  8. Prabhat1308 commented at 1:16 pm on March 18, 2025: none

    I presume the libfuzzer-nosan preset works fine?

    Works fine. I do get these warnings though at the start of the run:

    WARNING: Failed to find function "__sanitizer_acquire_crash_state". Reason dlsym(RTLD_DEFAULT, __sanitizer_acquire_crash_state): symbol not found.
    WARNING: Failed to find function "__sanitizer_print_stack_trace". Reason dlsym(RTLD_DEFAULT, __sanitizer_print_stack_trace): symbol not found.
    WARNING: Failed to find function "__sanitizer_set_death_callback". Reason dlsym(RTLD_DEFAULT, __sanitizer_set_death_callback): symbol not found.
    
  9. brunoerg commented at 10:51 pm on March 18, 2025: contributor
    Worth adding this “false positive” information to the documentation?
  10. maflcko commented at 7:35 pm on March 19, 2025: member

    libc++abi: terminating due to uncaught exception of type std::__1::ios_base::failure: DataStream::read(): end of data: unspecified iostream_category error

    This looks like an upstream packaging bug or asan bug on your platform, given that it passes fine when asan is disabled on your platform.

  11. maflcko commented at 7:24 am on March 27, 2025: member

    Does the issue happen with all clang versions from brew (clang-16 to clang-20)?

    Does the issue happen when compiling clang from source?

  12. Prabhat1308 commented at 10:10 am on March 27, 2025: none

    I suspect this issue is because of the -DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld" flag.

    Other than my default llvm19, I used llvm@18 downloaded via brew, which comes with clang 18. I used 2 different configs:

    cmake --preset=libfuzzer \
        -DCMAKE_C_COMPILER="$(brew --prefix llvm@18)/bin/clang" \
        -DCMAKE_CXX_COMPILER="$(brew --prefix llvm@18)/bin/clang++" \
        -DAPPEND_LDFLAGS="-Wl,-no_warn_duplicate_libraries" \
        -DCMAKE_EXE_LINKER_FLAGS="$LDFLAGS"
    
    /opt/homebrew/opt/llvm@18/bin/../include/c++/v1/variant:495:12: runtime error: call to function decltype(auto) std::__1::__variant_detail::__visitation::__base::__dispatcher<0ul, 0ul>::__dispatch[abi:ne180100]<void std::__1::__variant_detail::__ctor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>>::__generic_construct[abi:ne180100]<std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>>(std::__1::__variant_detail::__ctor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>>&, std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>&&)::'lambda'(std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>&, auto&&)&&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&&>(std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&&) through pointer to incorrect function type 'void (*)((lambda at /opt/homebrew/opt/llvm@18/bin/../include/c++/v1/variant:814:11) &&, std::__variant_detail::__base<std::__variant_detail::_Trait::_Available, RPCArg::Optional, std::string, UniValue> &, std::__variant_detail::__base<std::__variant_detail::_Trait::_Available, RPCArg::Optional, std::string, UniValue> &&)'
    variant:532: note: decltype(auto) std::__1::__variant_detail::__visitation::__base::__dispatcher<0ul, 0ul>::__dispatch[abi:ne180100]<void std::__1::__variant_detail::__ctor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>>::__generic_construct[abi:ne180100]<std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>>(std::__1::__variant_detail::__ctor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>>&, std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>&&)::'lambda'(std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>&, auto&&)&&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&&>(std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&&) defined here
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /opt/homebrew/opt/llvm@18/bin/../include/c++/v1/variant:495:12
    /Users/prabhatverma/projects/bitcoin/src/rpc/server.h:100:15: runtime error: call to function getblockchaininfo() through pointer to incorrect function type 'RPCHelpMan (*)()'
    blockchain.cpp:1291: note: getblockchaininfo() defined here
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/prabhatverma/projects/bitcoin/src/rpc/server.h:100:15
    /Users/prabhatverma/projects/bitcoin/src/rpc/server.h:102:15: runtime error: call to function getblockchaininfo() through pointer to incorrect function type 'RPCHelpMan (*)()'
    blockchain.cpp:1291: note: getblockchaininfo() defined here
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/prabhatverma/projects/bitcoin/src/rpc/server.h:102:15
    /Users/prabhatverma/projects/bitcoin/src/tinyformat.h:544:13: runtime error: call to function void tinyformat::detail::FormatArg::formatImpl<char [13]>(std::__1::basic_ostream<char, std::__1::char_traits<char>>&, char const*, char const*, int, void const*) through pointer to incorrect function type 'void (*)(std::ostream &, const char *, const char *, int, const void *)'
    tinyformat.h:558: note: void tinyformat::detail::FormatArg::formatImpl<char [13]>(std::__1::basic_ostream<char, std::__1::char_traits<char>>&, char const*, char const*, int, void const*) defined here
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/prabhatverma/projects/bitcoin/src/tinyformat.h:544:13
    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 1206976568
    INFO: Loaded 1 modules   (1257184 inline 8-bit counters): 1257184 [0x103ed4a48, 0x104007928),
    INFO: Loaded 1 PC tables (1257184 PCs): 1257184 [0x104007928,0x105336728),
    INFO:     4374 files found in qa-assets/fuzz_corpora/process_message/
    INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 981836 bytes
    INFO: seed corpus: files: 4374 min: 1b max: 981836b total: 152590538b rss: 195Mb
    #2048   pulse  cov: 14987 ft: 33197 corp: 969/143Kb exec/s: 1024 rss: 435Mb
    #4096   pulse  cov: 17387 ft: 57266 corp: 1814/795Kb exec/s: 1024 rss: 435Mb
    ^C==35105== libFuzzer: run interrupted; exiting
    

    This is what the initial response was before this PR, where the exe flag was added.

    Using the new config with llvm@18

    cmake --preset=libfuzzer \
        -DCMAKE_C_COMPILER="$(brew --prefix llvm@18)/bin/clang" \
        -DCMAKE_CXX_COMPILER="$(brew --prefix llvm@18)/bin/clang++" \
        -DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld"
    
    /opt/homebrew/opt/llvm@18/bin/../include/c++/v1/variant:495:12: runtime error: call to function decltype(auto) std::__1::__variant_detail::__visitation::__base::__dispatcher<0ul, 0ul>::__dispatch[abi:ne180100]<void std::__1::__variant_detail::__ctor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>>::__generic_construct[abi:ne180100]<std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>>(std::__1::__variant_detail::__ctor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>>&, std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>&&)::'lambda'(std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>&, auto&&)&&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&&>(std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&&) through pointer to incorrect function type 'void (*)((lambda at /opt/homebrew/opt/llvm@18/bin/../include/c++/v1/variant:814:11) &&, std::__variant_detail::__base<std::__variant_detail::_Trait::_Available, RPCArg::Optional, std::string, UniValue> &, std::__variant_detail::__base<std::__variant_detail::_Trait::_Available, RPCArg::Optional, std::string, UniValue> &&)'
    (fuzz:arm64+0x101536194): note: decltype(auto) std::__1::__variant_detail::__visitation::__base::__dispatcher<0ul, 0ul>::__dispatch[abi:ne180100]<void std::__1::__variant_detail::__ctor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>>::__generic_construct[abi:ne180100]<std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>>(std::__1::__variant_detail::__ctor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>>&, std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>&&)::'lambda'(std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>&, auto&&)&&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&&>(std::__1::__variant_detail::__move_constructor<std::__1::__variant_detail::__traits<RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>, (std::__1::__variant_detail::_Trait)1>, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, RPCArg::Optional, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, UniValue>&&) defined here
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /opt/homebrew/opt/llvm@18/bin/../include/c++/v1/variant:495:12
    /Users/prabhatverma/projects/bitcoin/src/rpc/server.h:100:15: runtime error: call to function getblockchaininfo() through pointer to incorrect function type 'RPCHelpMan (*)()'
    (fuzz:arm64+0x1020d8d8c): note: getblockchaininfo() defined here
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/prabhatverma/projects/bitcoin/src/rpc/server.h:100:15
    /Users/prabhatverma/projects/bitcoin/src/rpc/server.h:102:15: runtime error: call to function getblockchaininfo() through pointer to incorrect function type 'RPCHelpMan (*)()'
    (fuzz:arm64+0x1020d8d8c): note: getblockchaininfo() defined here
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/prabhatverma/projects/bitcoin/src/rpc/server.h:102:15
    /Users/prabhatverma/projects/bitcoin/src/tinyformat.h:544:13: runtime error: call to function void tinyformat::detail::FormatArg::formatImpl<char [13]>(std::__1::basic_ostream<char, std::__1::char_traits<char>>&, char const*, char const*, int, void const*) through pointer to incorrect function type 'void (*)(std::ostream &, const char *, const char *, int, const void *)'
    (fuzz:arm64+0x100b9c7cc): note: void tinyformat::detail::FormatArg::formatImpl<char [13]>(std::__1::basic_ostream<char, std::__1::char_traits<char>>&, char const*, char const*, int, void const*) defined here
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/prabhatverma/projects/bitcoin/src/tinyformat.h:544:13
    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 1461236862
    INFO: Loaded 1 modules   (1257184 inline 8-bit counters): 1257184 [0x107780000, 0x1078b2ee0), 
    INFO: Loaded 1 PC tables (1257184 PCs): 1257184 [0x1078b2ee0,0x108be1ce0), 
    =================================================================
    ==41097==ERROR: AddressSanitizer: container-overflow on address 0x60800002c268 at pc 0x000104784be4 bp 0x00016b6c2710 sp 0x00016b6c2708
    WRITE of size 8 at 0x60800002c268 thread T0
        #0 0x104784be0 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::__init_copy_ctor_external(char const*, unsigned long)+0x2b4 (fuzz:arm64+0x100048be0)
        #1 0x106ed8d2c in fuzzer::ListFilesInDirRecursive(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, long*, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>*, bool)+0x21c (fuzz:arm64+0x10279cd2c)
        #2 0x106ed80dc in fuzzer::GetSizedFilesFromDir(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::vector<fuzzer::SizedFile, std::__1::allocator<fuzzer::SizedFile>>*)+0x2c (fuzz:arm64+0x10279c0dc)
        #3 0x106ed3848 in fuzzer::ReadCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&)+0x4c (fuzz:arm64+0x102797848)
        #4 0x106ed36b0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x1c80 (fuzz:arm64+0x1027976b0)
        #5 0x106ee7848 in main+0x24 (fuzz:arm64+0x1027ab848)
        #6 0x18ce70270  (<unknown module>)
        #7 0x1a2c7ffffffffffc  (<unknown module>)

    0x60800002c268 is located 72 bytes inside of 96-byte region [0x60800002c220,0x60800002c280)
    allocated by thread T0 here:
        #0 0x10a7ececc in _Znwm+0x6c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x60ecc)
        #1 0x104cad68c in std::__1::__split_buffer<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>&)+0xf0 (fuzz:arm64+0x10057168c)
        #2 0x104f26814 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>* std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>::__push_back_slow_path<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&)+0x230 (fuzz:arm64+0x1007ea814)
        #3 0x106ed8cb8 in fuzzer::ListFilesInDirRecursive(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, long*, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>*, bool)+0x1a8 (fuzz:arm64+0x10279ccb8)
        #4 0x106ed80dc in fuzzer::GetSizedFilesFromDir(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::vector<fuzzer::SizedFile, std::__1::allocator<fuzzer::SizedFile>>*)+0x2c (fuzz:arm64+0x10279c0dc)
        #5 0x106ed3848 in fuzzer::ReadCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&)+0x4c (fuzz:arm64+0x102797848)
        #6 0x106ed36b0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x1c80 (fuzz:arm64+0x1027976b0)
        #7 0x106ee7848 in main+0x24 (fuzz:arm64+0x1027ab848)
        #8 0x18ce70270  (<unknown module>)
        #9 0x1a2c7ffffffffffc  (<unknown module>)

    HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
    If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
    SUMMARY: AddressSanitizer: container-overflow (fuzz:arm64+0x100048be0) in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::__init_copy_ctor_external(char const*, unsigned long)+0x2b4
    Shadow bytes around the buggy address:
      0x60800002bf80: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x60800002c000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x60800002c080: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x60800002c100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x60800002c180: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x60800002c200: fa fa fa fa 00 00 00 00 00 00 00 00 00[fc]fc fc
      0x60800002c280: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x60800002c300: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      0x60800002c380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      0x60800002c400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x60800002c480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==41097==ABORTING
    [2]    41097 abort      FUZZ=process_message build_fuzz/bin/fuzz 
    

    Although I'm not completely sure if this is the right config, since runtime errors still appear, the bug is introduced in llvm18 also because of this.

    Can reproduce this with llvm16 too using

    cmake --preset=libfuzzer \
        -DCMAKE_C_COMPILER="$(brew --prefix llvm@16)/bin/clang" \
        -DCMAKE_CXX_COMPILER="$(brew --prefix llvm@16)/bin/clang++" \
        -DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld"
    
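
Added here as an example, not part of this issue or of the bitcoin/bitcoin code base: a small Python triage helper that parses sanitizer output like the above into one record per `SUMMARY:` line and flags whether libFuzzer's own `fuzzer::` frames appear on the access stack, which separates a finding inside the fuzzer runtime (as in the `ListFilesInDirRecursive` trace above) from one in the fuzz target. The sample log is a constructed, shortened version of the output pasted in this comment.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened version of the UBSan and ASan output pasted in the comment above.
SAMPLE_LOG = """\
src/rpc/server.h:100:15: runtime error: call to function getblockchaininfo() through pointer to incorrect function type 'RPCHelpMan (*)()'
blockchain.cpp:1291: note: getblockchaininfo() defined here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/rpc/server.h:100:15
=================================================================
==41097==ERROR: AddressSanitizer: container-overflow on address 0x60800002c268 at pc 0x000104784be4 bp 0x00016b6c2710 sp 0x00016b6c2708
WRITE of size 8 at 0x60800002c268 thread T0
    #0 0x104784be0 in std::__1::basic_string<char>::__init_copy_ctor_external(char const*, unsigned long)+0x2b4 (fuzz:arm64+0x100048be0)
    #1 0x106ed8d2c in fuzzer::ListFilesInDirRecursive(std::__1::basic_string<char> const&, long*, ...)+0x21c (fuzz:arm64+0x10279cd2c)
    #2 0x106ed80dc in fuzzer::GetSizedFilesFromDir(...)+0x2c (fuzz:arm64+0x10279c0dc)

HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
SUMMARY: AddressSanitizer: container-overflow (fuzz:arm64+0x100048be0) in std::__1::basic_string<char>::__init_copy_ctor_external(char const*, unsigned long)+0x2b4
==41097==ABORTING
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: \w+Sanitizer: ")               # ASan report header
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.*?)\s+\(\S+\)\s*$")  # symbolized stack frame
SUMMARY_RE = re.compile(r"^SUMMARY: (\w+Sanitizer): (\S+)\s*(.*)$")   # one per finding, ASan or UBSan


@dataclass
class Report:
    sanitizer: str                 # e.g. "AddressSanitizer"
    kind: str                      # e.g. "container-overflow", "undefined-behavior"
    detail: str                    # rest of the SUMMARY line: source location or module+offset
    frames: list = field(default_factory=list)  # access-trace functions, innermost first

    def in_fuzzer_runtime(self) -> bool:
        """True when libFuzzer's own code (fuzzer:: namespace) is on the access stack."""
        return any(f.startswith("fuzzer::") for f in self.frames)


def parse_sanitizer_log(text: str) -> list:
    """Split raw sanitizer output into one Report per SUMMARY line."""
    reports, frames, collecting = [], [], False
    for line in text.splitlines():
        if ERROR_RE.match(line):               # start of an ASan report: collect its access trace
            frames, collecting = [], True
        elif collecting and not line.strip():  # blank line ends the access trace (allocation trace follows)
            collecting = False
        elif collecting and (m := FRAME_RE.match(line)):
            frames.append(m.group(2))
        elif m := SUMMARY_RE.match(line):      # UBSan findings have no trace here, so frames stays empty
            reports.append(Report(m.group(1), m.group(2), m.group(3).strip(), frames))
            frames, collecting = [], False
    return reports


def triage(report: Report) -> str:
    """Coarse bucket: UBSan diagnostic, ASan finding through libFuzzer itself, or ASan finding in the target."""
    if report.sanitizer == "UndefinedBehaviorSanitizer":
        return "ubsan"
    return "fuzzer-runtime" if report.in_fuzzer_runtime() else "target"


if __name__ == "__main__":
    for r in parse_sanitizer_log(SAMPLE_LOG):
        print(f"{r.sanitizer:28} {r.kind:20} {triage(r):15} {r.detail[:60]}")
```

Feed it the full run output (e.g. `FUZZ=process_message build_fuzz/bin/fuzz corpus/ 2>&1 | tee run.log`) to get a per-finding table instead of scrolling through the raw trace.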

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-03-28 15:12 UTC
