【Environment】
x86
【Tested version】
Name: libsass
Version: 3.6.4
【Notes】
Affected-version check (affected / not affected):
1、master
2、openEuler-20.03-LTS-SP3
3、openEuler-20.03-LTS-SP1
4、openEuler-20.03-LTS-SP2
5、openEuler-20.03-LTS
6、openEuler-21.03
7、openEuler-20.03-LTS-Next
8、openEuler-21.09
9、openEuler-22.03-LTS
10、openEuler-22.03-LTS-Next
11、openEuler-20.09
12、openEuler-23.03
I. 【Test steps】
1. Build
python3 infra/helper.py build_fuzzers --sanitizer memory libsass
2. Run
python3 infra/helper.py run_fuzzer libsass data_context_fuzzer
【Error output】
src/memory/shared_ptr.hpp:202:17: runtime error: downcast of address 0x000001ba3350 which does not point to an object of type 'Sass::PreValue'
0x000001ba3350: note: object is of type 'Sass::Unary_Expression'
00 00 00 00 48 ff c7 00 00 00 00 00 01 00 00 00 00 00 00 00 00 e5 b9 01 00 00 00 00 10 e1 b9 01
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'Sass::Unary_Expression'
#0 0x6a037f in Sass::SharedImpl<Sass::PreValue>::SharedImpl<Sass::Expression>(Sass::Expression*) /src/libsass/src/memory/shared_ptr.hpp:202:17
#1 0x653594 in Sass::Parser::parse_selector_schema(char const*, bool) /src/libsass/src/parser.cpp:576:24
#2 0x6549cb in Sass::Parser::parse_ruleset(Lookahead) /src/libsass/src/parser.cpp:516:17
#3 0x648a0d in Sass::Parser::parse_block_node(bool) /src/libsass/src/parser.cpp:260:21
#4 0x644b10 in Sass::Parser::parse_block_nodes(bool) /src/libsass/src/parser.cpp:171:11
#5 0x6434c1 in Sass::Parser::parse() /src/libsass/src/parser.cpp:97:5
#6 0x587661 in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) /src/libsass/src/context.cpp:307:24
#7 0x590e16 in Sass::Data_Context::parse() /src/libsass/src/context.cpp:621:5
#8 0x4c456a in Sass::sass_parse_block(Sass_Compiler*) /src/libsass/src/sass_context.cpp:181:31
#9 0x4c4347 in sass_compiler_parse /src/libsass/src/sass_context.cpp:435:22
#10 0x4c3f1c in sass_compile_context(Sass_Context*, Sass::Context*) /src/libsass/src/sass_context.cpp:318:7
#11 0x4c1bc3 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:26:3
#12 0x452eb1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#13 0x4525f5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
#14 0x4546c7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
#15 0x455145 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
#16 0x44411e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
#17 0x46c8f2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#18 0x7f3d9ec8082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#19 0x418828 in _start (/out/data_context_fuzzer+0x418828)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/memory/shared_ptr.hpp:202:17 in
MS: 3 CopyPart-ChangeASCIIInt-EraseBytes-; base unit: ff956f07b3a53022be6d4e297295274825301164
0xc,0xc,0x44,0x44,0x23,0x7b,0x2b,0xc,0x2b,0x30,0x7b,0x7d,0x2b,0x32,0x2a,0x23,0x7b,0x31,0x2a,0x2b,0xc,0x2b,0x30,0x7b,0x7d,0x2b,0x32,0x2a,0x32,0x2a,
\x0c\x0cDD#{+\x0c+0{}+2*#{1*+\x0c+0{}+2*2*
artifact_prefix='./'; Test unit written to ./crash-13cc3f33c64741d13130ed851b1d4b528ab1e608
Base64: DAxERCN7KwwrMHt9KzIqI3sxKisMKzB7fSsyKjIq
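The diagnostic above is UBSan's vptr check: a static_cast downcast was performed on an Expression* whose pointee is a Unary_Expression, not a PreValue. The following is an added example written for this report, not code from libsass or from the reporter. It models the converting-constructor pattern that the frame at shared_ptr.hpp:202 points to (assumed here to be `SharedImpl<T>(U* node)` doing `static_cast<T*>(node)`; the class names are stand-ins for the types in the trace and their bodies are invented) next to a checked alternative that refuses the mismatched object. One caveat for anyone trying to reproduce: "downcast of address ... does not point to an object of type" comes from `-fsanitize=vptr`, which the OSS-Fuzz helper enables with `--sanitizer undefined`, not with the `--sanitizer memory` build used in the steps above.

```cpp
// Added example for this report, not libsass code. Models the
// SharedImpl<T>(U*) converting-constructor pattern that UBSan's vptr check
// flagged, beside a checked alternative. Class names are stand-ins for the
// libsass types named in the trace; their bodies are invented.
#include <cstdio>
#include <string>

namespace demo {

struct Expression {
  virtual ~Expression() = default;
  virtual std::string kind() const { return "Expression"; }
};
// The wrapper's target type in the trace.
struct PreValue : Expression {
  std::string kind() const override { return "PreValue"; }
};
struct Number : PreValue {
  double value;
  explicit Number(double v) : value(v) {}
  std::string kind() const override { return "Number"; }
};
// The type the address actually pointed to in the trace. It is an
// Expression but not a PreValue, so PreValue* is the wrong static type.
struct Unary_Expression : Expression {
  std::string kind() const override { return "Unary_Expression"; }
};

// Unsound pattern (assumed to mirror shared_ptr.hpp:202 in the report):
// a converting constructor that static_casts whatever pointer it is
// handed down to T*. With -fsanitize=vptr the cast itself is diagnosed
// when *node is not a T, which is exactly the report's message.
template <class T>
struct UncheckedImpl {
  T* ptr;
  template <class U>
  UncheckedImpl(U* node) : ptr(static_cast<T*>(node)) {}
};

// Checked alternative: dynamic_cast yields nullptr for a mismatched
// object instead of a mistyped pointer, so the caller can refuse it.
template <class T>
struct CheckedImpl {
  T* ptr;
  template <class U>
  explicit CheckedImpl(U* node) : ptr(dynamic_cast<T*>(node)) {}
  bool valid() const { return ptr != nullptr; }
};

// The mismatch from the report: an Expression* that really points to a
// Unary_Expression, wrapped as a PreValue. Returns true when the checked
// wrapper rejects it.
bool checked_rejects_unary_expression() {
  Unary_Expression u;
  Expression* e = &u;
  CheckedImpl<PreValue> p(e);
  return !p.valid();
}

// The legitimate case: a real PreValue subclass converts and stays usable.
bool checked_accepts_number() {
  Number n(2.0);
  Expression* e = &n;
  CheckedImpl<PreValue> p(e);
  return p.valid() && p.ptr->kind() == "Number";
}

// Reproduces the diagnostic itself. Build with
//   clang++ -std=c++11 -g -fsanitize=undefined demo.cpp && ./a.out
// to get "runtime error: downcast of address ... which does not point to
// an object of type 'demo::PreValue'". Without the sanitizer the cast
// silently produces a non-null, mistyped pointer (true is returned).
bool unchecked_downcast_goes_unnoticed() {
  Unary_Expression u;
  Expression* e = &u;
  UncheckedImpl<PreValue> bad(e);  // the vptr check fires on this line
  return bad.ptr != nullptr;
}

}  // namespace demo

int main() {
  std::printf("checked wrapper rejects Unary_Expression: %d\n",
              demo::checked_rejects_unary_expression());
  std::printf("checked wrapper accepts Number: %d\n",
              demo::checked_accepts_number());
  std::printf("unchecked downcast went unnoticed: %d\n",
              demo::unchecked_downcast_goes_unnoticed());
  return 0;
}
```

The mistyped pointer is only diagnosed because UBSan instruments the cast; an ordinary build carries it into later virtual calls and member accesses as silent undefined behaviour, which is why this finding is worth chasing even though the fuzzer could not reproduce it on demand.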
【Expected result】
Runs without error
【Actual result】
The run reports an error
【Reproduction steps】
python3 infra/helper.py reproduce libsass data_context_fuzzer ./crash-13cc3f33c64741d13130ed851b1d4b528ab1e608
Could not reproduce; this is an intermittent issue.
@manyong Please re-verify on rc4; this issue is set to Done for now.