qsbase/qs

qs package's c_qsave gives libfuzzer error

akhikolla opened this issue · 2 comments

Hello,

I used the qs package to save all my R data types inside of a test harness, and in one of those harnesses, when I run the code in the presence of the sanitizer and libFuzzer, I get the following issue.

I tried to save the following R numeric matrix to the qs file.

0.00000
0.00000
0.00000
0.00000
0.00000

It shows there is an issue with the qread function:
c_qsave(SEXPREC*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool, int) /tmp/RtmpshnRLQ/R.INSTALL9e85cfad4d6a/qs/src/qs_functions.cpp:83:73

The complete sanitizer and fuzzer stack trace:

==650655==AddressSanitizer CHECK failed: /build/llvm-toolchain-10-yegZYJ/llvm-toolchain-10-10.0.0/compiler-rt/lib/asan/asan_allocator.cpp:142 "((m->chunk_state)) == ((CHUNK_QUARANTINE))" (0x0, 0x3)
    #0 0x52ce5e in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x52ce5e)
    #1 0x54137f in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x54137f)
    #2 0x4b0b74 in __asan::QuarantineCallback::Recycle(__asan::AsanChunk*) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x4b0b74)
    #3 0x4b085c in __sanitizer::Quarantine<__asan::QuarantineCallback, __asan::AsanChunk>::DoRecycle(__sanitizer::QuarantineCache<__asan::QuarantineCallback>*, __asan::QuarantineCallback) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x4b085c)
    #4 0x4b03d6 in __sanitizer::Quarantine<__asan::QuarantineCallback, __asan::AsanChunk>::Recycle(unsigned long, __asan::QuarantineCallback) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x4b03d6)
    #5 0x4b224e in __asan::Allocator::QuarantineChunk(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x4b224e)
    #6 0x554cc5 in operator delete(void*) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x554cc5)
    #7 0x7fdf8bc1cb9a in __gnu_cxx::new_allocator<char>::deallocate(char*, unsigned long) /usr/include/c++/9/ext/new_allocator.h:128:19
    #8 0x7fdf8bc1cb9a in std::allocator_traits<std::allocator<char> >::deallocate(std::allocator<char>&, char*, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:470:9
    #9 0x7fdf8bc1cb9a in std::_Vector_base<char, std::allocator<char> >::_M_deallocate(char*, unsigned long) /usr/include/c++/9/bits/stl_vector.h:351:19
    #10 0x7fdf8bc1cb9a in std::_Vector_base<char, std::allocator<char> >::~_Vector_base() /usr/include/c++/9/bits/stl_vector.h:332:2
    #11 0x7fdf8bc1cb9a in std::vector<char, std::allocator<char> >::~vector() /usr/include/c++/9/bits/stl_vector.h:680:7
    #12 0x7fdf8bc1cb9a in CompressBuffer<std::basic_ofstream<char, std::char_traits<char> >, zstd_compress_env>::~CompressBuffer() /tmp/RtmpshnRLQ/R.INSTALL9e85cfad4d6a/qs/src/qs_serialization.h:29:8
    #13 0x7fdf8bc1cb9a in c_qsave(SEXPREC*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool, int) /tmp/RtmpshnRLQ/R.INSTALL9e85cfad4d6a/qs/src/qs_functions.cpp:83:73
    #14 0x7fdf8bc08b01 in _qs_c_qsave_try(SEXPREC*, SEXPREC*, SEXPREC*, SEXPREC*, SEXPREC*, SEXPREC*, SEXPREC*, SEXPREC*) /tmp/RtmpshnRLQ/R.INSTALL9e85cfad4d6a/qs/src/RcppExports.cpp:557:41
    #15 0x56362a in qs::c_qsave(SEXPREC*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, bool, int) /home/akhila/R/x86_64-pc-linux-gnu-library/4.0/qs/include/qs_RcppExports.h:357:31
    #16 0x5625c4 in DeepState_Test_Benchmarking_deepstate_test_chol_LO_test() /home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness.cpp:24:3
    #17 0x556ce8 in DeepState_Run_Benchmarking_deepstate_test_chol_LO_test() /home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness.cpp:13:1
    #18 0x59a207 in DeepState_RunTestNoFork (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x59a207)
    #19 0x59a01a in LLVMFuzzerTestOneInput (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x59a01a)
    #20 0x45f141 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x45f141)
    #21 0x45e885 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x45e885)
    #22 0x460b27 in fuzzer::Fuzzer::MutateAndTestOne() (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x460b27)
    #23 0x461825 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x461825)
    #24 0x4501de in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x4501de)
    #25 0x479022 in main (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x479022)
    #26 0x7fdf94ca60b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
    #27 0x424f7d in _start (/home/akhila/fuzzer_packages/fuzzedpackages/Benchmarking/inst/testfiles/chol_LO/libFuzzer_chol_LO/chol_LO_DeepState_TestHarness+0x424f7d)

Could you help me reproduce the error or point to the code to run the example?

Here I check using valgrind:

> R -d valgrind

x <- matrix(c(0,0,0,0,0), ncol=1)
qsave(x, file="/tmp/temp.qs")
# no error message

Looking at the error message, it points to the destructor of the CompressBuffer class and then to std::vector. I'm not sure how an address issue is possible there. Is it possibly a false positive?

Any help you can give would be appreciated as I'd like to learn more about fuzz testing.