Segmentation Faults 2017-06-02
Hello, I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the ravi program on Linux. Is fixing the crashes from these input files something you're interested in? The input files can be found here: https://github.com/rwhitworth/ravi-fuzz/tree/master/2017-06-02
The files can be executed as ./ravi id_filename to cause seg faults. Git commit bb371e9 was used for testing.
Let me know if I can provide any more information to help narrow down this issue.
gdb backtraces:
Core was generated by `./ravi output/ravi-1/crashes/id:000000,sig:11,src:000969,op:arith8,pos:2077,val'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f800b0eb225 in luaH_getshortstr (t=<optimized out>, key=<optimized out>) at /root/ravi/include/ltable.h:85
85 Node *n = hashstr(t, key);
#0 0x00007f800b0eb225 in luaH_getshortstr (t=<optimized out>, key=<optimized out>) at /root/ravi/include/ltable.h:85
#1 luaV_execute (L=0x1c0a018) at /root/ravi/src/lvm.c:1902
#2 0x00007f800b0ac6ed in luaD_call (L=0x1c0a018, func=<optimized out>, nResults=<optimized out>) at /root/ravi/src/ldo.c:549
#3 luaD_callnoyield (L=0x1c0a018, func=<optimized out>, nResults=<optimized out>) at /root/ravi/src/ldo.c:559
#4 0x00007f800b095372 in f_call (L=0x7f800b317078, ud=0x7ffcd2f53510) at /root/ravi/src/lapi.c:1262
#5 0x00007f800b0a84d7 in luaD_rawrunprotected (L=0x1c0a018, f=0x7f800b095320 <f_call>, ud=0x7ffcd2f53510) at /root/ravi/src/ldo.c:142
#6 0x00007f800b0adb46 in luaD_pcall (L=0x1c0a018, func=0x7f800b528050, u=0x605500 <__afl_area_initial>, old_top=80, ef=64) at /root/ravi/src/ldo.c:779
#7 0x00007f800b0951a1 in lua_pcallk (L=0x1c0a018, nargs=<optimized out>, nresults=-1, errfunc=<optimized out>, ctx=<optimized out>, k=<optimized out>) at /root/ravi/src/lapi.c:1288
#8 0x000000000040345b in docall (L=0x1c0a018, narg=0, nres=-1) at /root/ravi/src/lua.c:214
#9 handle_script (L=0x1c0a018, argv=<optimized out>) at /root/ravi/src/lua.c:455
#10 pmain (L=0x1c0a018) at /root/ravi/src/lua.c:590
#11 0x00007f800b0ab18e in luaD_precall (L=0x1c0a018, func=<optimized out>, nresults=<optimized out>, op_call=<optimized out>) at /root/ravi/src/ldo.c:436
#12 0x00007f800b0ac6ba in luaD_call (L=0x1c0a018, func=<optimized out>, nResults=<optimized out>) at /root/ravi/src/ldo.c:548
#13 luaD_callnoyield (L=0x1c0a018, func=0x1c0a660, nResults=1) at /root/ravi/src/ldo.c:559
#14 0x00007f800b095372 in f_call (L=0x7f800b317078, ud=0x7ffcd2f53880) at /root/ravi/src/lapi.c:1262
#15 0x00007f800b0a84d7 in luaD_rawrunprotected (L=0x1c0a018, f=0x7f800b095320 <f_call>, ud=0x7ffcd2f53880) at /root/ravi/src/ldo.c:142
#16 0x00007f800b0adb46 in luaD_pcall (L=0x1c0a018, func=0x7f800b528050, u=0x605500 <__afl_area_initial>, old_top=16, ef=0) at /root/ravi/src/ldo.c:779
#17 0x00007f800b0951a1 in lua_pcallk (L=0x1c0a018, nargs=<optimized out>, nresults=1, errfunc=<optimized out>, ctx=<optimized out>, k=<optimized out>) at /root/ravi/src/lapi.c:1288
#18 0x0000000000402176 in main (argc=2, argv=0x7ffcd2f539e8) at /root/ravi/src/lua.c:626
Core was generated by `./ravi output/ravi-1/crashes/id:000001,sig:11,src:001464,op:flip2,pos:2093'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f0d823a6348 in luaV_execute (L=0xa7c018) at /root/ravi/src/lvm.c:1925
1925 raviH_get_float_inline(L, t, idx, ra);
#0 0x00007f0d823a6348 in luaV_execute (L=0xa7c018) at /root/ravi/src/lvm.c:1925
#1 0x00007f0d823606ed in luaD_call (L=0xa7c018, func=<optimized out>, nResults=<optimized out>) at /root/ravi/src/ldo.c:549
#2 luaD_callnoyield (L=0xa7c018, func=<optimized out>, nResults=<optimized out>) at /root/ravi/src/ldo.c:559
#3 0x00007f0d82349372 in f_call (L=0x7f0d825cb078, ud=0x7fffdeb9c6a0) at /root/ravi/src/lapi.c:1262
#4 0x00007f0d8235c4d7 in luaD_rawrunprotected (L=0xa7c018, f=0x7f0d82349320 <f_call>, ud=0x7fffdeb9c6a0) at /root/ravi/src/ldo.c:142
#5 0x00007f0d82361b46 in luaD_pcall (L=0xa7c018, func=0x7f0d827dc050, u=0x605500 <__afl_area_initial>, old_top=80, ef=64) at /root/ravi/src/ldo.c:779
#6 0x00007f0d823491a1 in lua_pcallk (L=0xa7c018, nargs=<optimized out>, nresults=-1, errfunc=<optimized out>, ctx=<optimized out>, k=<optimized out>) at /root/ravi/src/lapi.c:1288
#7 0x000000000040345b in docall (L=0xa7c018, narg=0, nres=-1) at /root/ravi/src/lua.c:214
#8 handle_script (L=0xa7c018, argv=<optimized out>) at /root/ravi/src/lua.c:455
#9 pmain (L=0xa7c018) at /root/ravi/src/lua.c:590
#10 0x00007f0d8235f18e in luaD_precall (L=0xa7c018, func=<optimized out>, nresults=<optimized out>, op_call=<optimized out>) at /root/ravi/src/ldo.c:436
#11 0x00007f0d823606ba in luaD_call (L=0xa7c018, func=<optimized out>, nResults=<optimized out>) at /root/ravi/src/ldo.c:548
#12 luaD_callnoyield (L=0xa7c018, func=0xa7c660, nResults=1) at /root/ravi/src/ldo.c:559
#13 0x00007f0d82349372 in f_call (L=0x7f0d825cb078, ud=0x7fffdeb9ca10) at /root/ravi/src/lapi.c:1262
#14 0x00007f0d8235c4d7 in luaD_rawrunprotected (L=0xa7c018, f=0x7f0d82349320 <f_call>, ud=0x7fffdeb9ca10) at /root/ravi/src/ldo.c:142
#15 0x00007f0d82361b46 in luaD_pcall (L=0xa7c018, func=0x7f0d827dc050, u=0x605500 <__afl_area_initial>, old_top=16, ef=0) at /root/ravi/src/ldo.c:779
#16 0x00007f0d823491a1 in lua_pcallk (L=0xa7c018, nargs=<optimized out>, nresults=1, errfunc=<optimized out>, ctx=<optimized out>, k=<optimized out>) at /root/ravi/src/lapi.c:1288
#17 0x0000000000402176 in main (argc=2, argv=0x7fffdeb9cb78) at /root/ravi/src/lua.c:626
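Added example, not part of the original report or of the Ravi project: bucketing gdb backtraces like the two above by their innermost frames, so that addresses that change between runs and identical outer call chains do not hide or merge distinct crash sites. The function names and the `constructed-rerun` trace are assumptions made for illustration; the other two traces are the first frames of the backtraces in this report.

```python
import re
from collections import defaultdict

# gdb frame: "#N [0xADDR in] func (args) at file:line". Inlined frames have no
# address, so the "0xADDR in" part is optional.
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(\S+) \(.*\) at (\S+):(\d+)$")

def parse_frames(trace):
    """Return [(func, source basename, line)], skipping gdb's repeated frame #0."""
    frames, seen = [], set()
    for line in trace.splitlines():
        m = FRAME.match(line.strip())
        if m and m.group(1) not in seen:
            seen.add(m.group(1))
            frames.append((m.group(2), m.group(3).rsplit("/", 1)[-1], int(m.group(4))))
    return frames

def bucket_key(trace, depth=2):
    """Signature from the innermost `depth` frames; addresses and args are ignored."""
    return " <- ".join(f"{fn}@{src}:{ln}" for fn, src, ln in parse_frames(trace)[:depth])

def bucket(traces, depth=2):
    """Map signature -> list of crash ids sharing it."""
    groups = defaultdict(list)
    for crash_id, trace in traces.items():
        groups[bucket_key(trace, depth)].append(crash_id)
    return dict(groups)

# First frames of the two traces in this report, plus one constructed re-run of the
# second crash at different addresses (constructed sample, not from the report).
TRACES = {
    "id:000000": """\
#0 0x00007f800b0eb225 in luaH_getshortstr (t=<optimized out>, key=<optimized out>) at /root/ravi/include/ltable.h:85
85 Node *n = hashstr(t, key);
#0 0x00007f800b0eb225 in luaH_getshortstr (t=<optimized out>, key=<optimized out>) at /root/ravi/include/ltable.h:85
#1 luaV_execute (L=0x1c0a018) at /root/ravi/src/lvm.c:1902
#2 0x00007f800b0ac6ed in luaD_call (L=0x1c0a018, func=<optimized out>, nResults=<optimized out>) at /root/ravi/src/ldo.c:549""",
    "id:000001": """\
#0 0x00007f0d823a6348 in luaV_execute (L=0xa7c018) at /root/ravi/src/lvm.c:1925
1925 raviH_get_float_inline(L, t, idx, ra);
#0 0x00007f0d823a6348 in luaV_execute (L=0xa7c018) at /root/ravi/src/lvm.c:1925
#1 0x00007f0d823606ed in luaD_call (L=0xa7c018, func=<optimized out>, nResults=<optimized out>) at /root/ravi/src/ldo.c:549""",
    "constructed-rerun": """\
#0 0x00007f1111111348 in luaV_execute (L=0xb00018) at /root/ravi/src/lvm.c:1925
#1 0x00007f11111116ed in luaD_call (L=0xb00018, func=<optimized out>, nResults=<optimized out>) at /root/ravi/src/ldo.c:549""",
}

if __name__ == "__main__":
    for sig, ids in bucket(TRACES).items():
        print(f"{len(ids)} crash(es)  {sig}  {ids}")
```

Keying on the innermost frames keeps the two reported crashes in separate buckets even though every frame from `luaD_call` outward is the same in both traces.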
Hi @rwhitworth
Thank you for taking the time to run the tests and report the results. I am somewhat tied up at the moment but will investigate the issue when I get some time (probably in a few weeks).
Regards
Looks like the issues reported here were fixed in #207