trailofbits/deepstate

"terminate called recursively" when a test aborts using libfuzzer

neuromancer opened this issue · 0 comments

If you use a simple test like this one with libfuzzer support:

#include <deepstate/DeepState.hpp>
#include <vector>

using namespace deepstate;

// Minimal DeepState test: index a vector with a fuzzer-chosen symbolic value.
// Most values are out of range, so at() throws std::out_of_range.
TEST(T, A) {
  symbolic_int start;
  std::vector<int> myvector(100);
  myvector.at(start) = 1;
  ASSERT(true);
}

The default configuration fails to work, generating an endless list of:

terminate called recursively
terminate called recursively
terminate called recursively
terminate called recursively
terminate called recursively
terminate called recursively

To avoid missing an important crash, LIBFUZZER_EXIT_ON_FAIL=1 should be used:

terminate called after throwing an instance of 'std::out_of_range'
  what():  vector::_M_range_check: __n (which is 167772160) >= this->size() (which is 100)
    #0 0x55713e1e5b7b in __sanitizer_print_stack_trace (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0x95b7b)
    #1 0x55713e1bff49 in fuzzer::PrintStackTrace() (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0x6ff49)
    #2 0x55713e19ea79 in fuzzer::Fuzzer::ExitCallback() (.part.0) (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0x4ea79)
    #3 0x55713e19eb48 in fuzzer::Fuzzer::StaticExitCallback() (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0x4eb48)
    #4 0x7fcdf8e916a6 in __run_exit_handlers (/usr/lib/libc.so.6+0x3e6a6)
    #5 0x7fcdf8e9185d in exit (/usr/lib/libc.so.6+0x3e85d)
    #6 0x55713e1f579f in LLVMFuzzerTestOneInput (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0xa579f)
    #7 0x55713e19f35e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0x4f35e)
    #8 0x55713e1a1560 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0x51560)
    #9 0x55713e1a28c3 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0x528c3)
    #10 0x55713e1a40b3 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0x540b3)
    #11 0x55713e18dd78 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0x3dd78)
    #12 0x55713e17b423 in main (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0x2b423)
    #13 0x7fcdf8e7a152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
    #14 0x55713e17b4ad in _start (/home/g/Fuzz/deepstate/build/examples/OneOf_LF+0x2b4ad)