A null-pointer-dereference bug in csmith #146

Open
shao-hua-li opened this issue Mar 23, 2022 · 0 comments
Comments

@shao-hua-li

Hi,

I found that csmith would crash with the --null-ptr-deref-prob parameter. So I built csmith with ASan and it reported a null-pointer-dereference error:

  • Csmith version: 2.4.0 (git commit deddca6)
  • run ./src/csmith --null-ptr-deref-prob 50 a few times; you'll observe that it sometimes crashes.
  • compile with CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" cmake . && make
  • run ./src/csmith --null-ptr-deref-prob 50; ASan reports as follows:
=================================================================
==1477483==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5576c89c6f52 bp 0x7ffcf0c93480 sp 0x7ffcf0c92eb0 T0)
==1477483==The signal is caused by a READ memory access.
==1477483==Hint: address points to the zero page.
    #0 0x5576c89c6f52 in FactPointTo::rhs_to_lhs_transfer(std::vector<Fact const*, std::allocator<Fact const*> > const&, std::vector<Variable const*, std::allocator<Variable const*> > const&, Expression const*) /csmith/csmith/src/FactPointTo.cpp:183
    #1 0x5576c89cc909 in FactPointTo::abstract_fact_for_assign(std::vector<Fact const*, std::allocator<Fact const*> > const&, Lhs const*, Expression const*, std::vector<Fact const*, std::allocator<Fact const*> >&) /csmith/csmith/src/FactPointTo.cpp:286
    #2 0x5576c899e969 in FactMgr::update_fact_for_assign(Lhs const*, Expression const*, std::vector<Fact const*, std::allocator<Fact const*> >&) /csmith/csmith/src/FactMgr.cpp:391
    #3 0x5576c899f0e0 in FactMgr::update_fact_for_assign(StatementAssign const*, std::vector<Fact const*, std::allocator<Fact const*> >&) /csmith/csmith/src/FactMgr.cpp:415
    #4 0x5576c8959b0c in ExpressionAssign::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/ExpressionAssign.cpp:61
    #5 0x5576c89557d8 in Expression::make_random(CGContext&, Type const*, CVQualifiers const*, bool, bool, eTermType) /csmith/csmith/src/Expression.cpp:211
    #6 0x5576c8a2323c in FunctionInvocation::make_random_binary_ptr_comparison(CGContext&) /csmith/csmith/src/FunctionInvocation.cpp:329
    #7 0x5576c8a1fdef in FunctionInvocation::make_random_binary(CGContext&, Type const*) /csmith/csmith/src/FunctionInvocation.cpp:176
    #8 0x5576c8a1f0a6 in FunctionInvocation::make_random(bool, CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/FunctionInvocation.cpp:116
    #9 0x5576c897506a in ExpressionFuncall::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/ExpressionFuncall.cpp:84
    #10 0x5576c89557af in Expression::make_random(CGContext&, Type const*, CVQualifiers const*, bool, bool, eTermType) /csmith/csmith/src/Expression.cpp:208
    #11 0x5576c8a20195 in FunctionInvocation::make_random_binary(CGContext&, Type const*) /csmith/csmith/src/FunctionInvocation.cpp:202
    #12 0x5576c8a1f0a6 in FunctionInvocation::make_random(bool, CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/FunctionInvocation.cpp:116
    #13 0x5576c897506a in ExpressionFuncall::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/ExpressionFuncall.cpp:84
    #14 0x5576c89557af in Expression::make_random(CGContext&, Type const*, CVQualifiers const*, bool, bool, eTermType) /csmith/csmith/src/Expression.cpp:208
    #15 0x5576c8a20195 in FunctionInvocation::make_random_binary(CGContext&, Type const*) /csmith/csmith/src/FunctionInvocation.cpp:202
    #16 0x5576c8a1f0a6 in FunctionInvocation::make_random(bool, CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/FunctionInvocation.cpp:116
    #17 0x5576c897506a in ExpressionFuncall::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/ExpressionFuncall.cpp:84
    #18 0x5576c89557af in Expression::make_random(CGContext&, Type const*, CVQualifiers const*, bool, bool, eTermType) /csmith/csmith/src/Expression.cpp:208
    #19 0x5576c8a20195 in FunctionInvocation::make_random_binary(CGContext&, Type const*) /csmith/csmith/src/FunctionInvocation.cpp:202
    #20 0x5576c8a1f0a6 in FunctionInvocation::make_random(bool, CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/FunctionInvocation.cpp:116
    #21 0x5576c897506a in ExpressionFuncall::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/ExpressionFuncall.cpp:84
    #22 0x5576c89557af in Expression::make_random(CGContext&, Type const*, CVQualifiers const*, bool, bool, eTermType) /csmith/csmith/src/Expression.cpp:208
    #23 0x5576c8a20195 in FunctionInvocation::make_random_binary(CGContext&, Type const*) /csmith/csmith/src/FunctionInvocation.cpp:202
    #24 0x5576c8a1f0a6 in FunctionInvocation::make_random(bool, CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/FunctionInvocation.cpp:116
    #25 0x5576c897506a in ExpressionFuncall::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/ExpressionFuncall.cpp:84
    #26 0x5576c89557af in Expression::make_random(CGContext&, Type const*, CVQualifiers const*, bool, bool, eTermType) /csmith/csmith/src/Expression.cpp:208
    #27 0x5576c8b4a4d9 in StatementAssign::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/StatementAssign.cpp:169
    #28 0x5576c8959a56 in ExpressionAssign::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/ExpressionAssign.cpp:59
    #29 0x5576c89557d8 in Expression::make_random(CGContext&, Type const*, CVQualifiers const*, bool, bool, eTermType) /csmith/csmith/src/Expression.cpp:211
    #30 0x5576c8a20730 in FunctionInvocation::make_random_binary(CGContext&, Type const*) /csmith/csmith/src/FunctionInvocation.cpp:241
    #31 0x5576c8a1f0a6 in FunctionInvocation::make_random(bool, CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/FunctionInvocation.cpp:116
    #32 0x5576c897506a in ExpressionFuncall::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/ExpressionFuncall.cpp:84
    #33 0x5576c89557af in Expression::make_random(CGContext&, Type const*, CVQualifiers const*, bool, bool, eTermType) /csmith/csmith/src/Expression.cpp:208
    #34 0x5576c8a20195 in FunctionInvocation::make_random_binary(CGContext&, Type const*) /csmith/csmith/src/FunctionInvocation.cpp:202
    #35 0x5576c8a1f0a6 in FunctionInvocation::make_random(bool, CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/FunctionInvocation.cpp:116
    #36 0x5576c897506a in ExpressionFuncall::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/ExpressionFuncall.cpp:84
    #37 0x5576c89557af in Expression::make_random(CGContext&, Type const*, CVQualifiers const*, bool, bool, eTermType) /csmith/csmith/src/Expression.cpp:208
    #38 0x5576c8b4a4d9 in StatementAssign::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/StatementAssign.cpp:169
    #39 0x5576c8b1733b in Statement::make_random(CGContext&, eStatementType) /csmith/csmith/src/Statement.cpp:294
    #40 0x5576c883e580 in Block::make_random(CGContext&, bool) /csmith/csmith/src/Block.cpp:159
    #41 0x5576c8b6b15e in StatementFor::make_random(CGContext&) /csmith/csmith/src/StatementFor.cpp:288
    #42 0x5576c8b6c34c in StatementFor::make_random_array_loop(CGContext const&) /csmith/csmith/src/StatementFor.cpp:329
    #43 0x5576c8b37066 in StatementArrayOp::make_random(CGContext&) /csmith/csmith/src/StatementArrayOp.cpp:87
    #44 0x5576c8b17424 in Statement::make_random(CGContext&, eStatementType) /csmith/csmith/src/Statement.cpp:321
    #45 0x5576c883e580 in Block::make_random(CGContext&, bool) /csmith/csmith/src/Block.cpp:159
    #46 0x5576c8a076dd in Function::generate_body_with_known_params(CGContext const&, Effect&) /csmith/csmith/src/Function.cpp:741
    #47 0x5576c8a4d28d in FunctionInvocationUser::build_invocation_and_function(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/FunctionInvocationUser.cpp:222
    #48 0x5576c8a1ee87 in FunctionInvocation::make_random(bool, CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/FunctionInvocation.cpp:102
    #49 0x5576c897506a in ExpressionFuncall::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/ExpressionFuncall.cpp:84
    #50 0x5576c89557af in Expression::make_random(CGContext&, Type const*, CVQualifiers const*, bool, bool, eTermType) /csmith/csmith/src/Expression.cpp:208
    #51 0x5576c8b4a4d9 in StatementAssign::make_random(CGContext&, Type const*, CVQualifiers const*) /csmith/csmith/src/StatementAssign.cpp:169
    #52 0x5576c8b1733b in Statement::make_random(CGContext&, eStatementType) /csmith/csmith/src/Statement.cpp:294
    #53 0x5576c883e580 in Block::make_random(CGContext&, bool) /csmith/csmith/src/Block.cpp:159
    #54 0x5576c8b6b15e in StatementFor::make_random(CGContext&) /csmith/csmith/src/StatementFor.cpp:288
    #55 0x5576c8b17376 in Statement::make_random(CGContext&, eStatementType) /csmith/csmith/src/Statement.cpp:300
    #56 0x5576c883e580 in Block::make_random(CGContext&, bool) /csmith/csmith/src/Block.cpp:159
    #57 0x5576c8a06605 in Function::GenerateBody(CGContext const&) /csmith/csmith/src/Function.cpp:699
    #58 0x5576c8a01815 in Function::make_first() /csmith/csmith/src/Function.cpp:499
    #59 0x5576c8a0b379 in GenerateFunctions() /csmith/csmith/src/Function.cpp:858
    #60 0x5576c893360d in DefaultProgramGenerator::goGenerator() /csmith/csmith/src/DefaultProgramGenerator.cpp:85
    #61 0x5576c8b0d7d4 in main /csmith/csmith/src/RandomProgramGenerator.cpp:1558
    #62 0x7fab2f2030b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #63 0x5576c87fd31d in _start (/csmith/csmith/src/csmith+0xa7a31d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /csmith/csmith/src/FactPointTo.cpp:183 in FactPointTo::rhs_to_lhs_transfer(std::vector<Fact const*, std::allocator<Fact const*> > const&, std::vector<Variable const*, std::allocator<Variable const*> > const&, Expression const*)
==1477483==ABORTING
@shao-hua-li shao-hua-li changed the title null-pointer-dereference in csmith A null-pointer-dereference bug in csmith Mar 23, 2022
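The report above says the crash is intermittent, so the first thing a triager wants is a seed that reproduces it deterministically rather than "run it a few times". The script below is an added example, not code from the issue or from the csmith project: it sweeps a range of seeds through the ASan build, treats a non-zero exit or an AddressSanitizer report on stderr as a hit, saves that report next to the seed, and prints the seed. It assumes csmith's --seed option (the issue only uses --null-ptr-deref-prob) and that the sanitized run writes its report to stderr and exits non-zero, which is what the ABORTING line in the log above indicates.

```shell
#!/bin/sh
# Added example (not from the issue or the csmith project): sweep seeds until an
# ASan-instrumented csmith crashes, so the failing run can be reproduced exactly.
# Assumptions: csmith accepts --seed <n>; the binary was built with
# -fsanitize=address as described in the issue; ASan writes its report to
# stderr and exits non-zero. Reports are saved under ASAN_LOG_DIR (default: .).

# find_crashing_seed BIN FIRST_SEED COUNT [extra csmith args...]
# Prints the first seed whose run fails and returns 0; returns 1 if no run in
# the range failed. The ASan report for a hit is written to asan-seed-<n>.log.
find_crashing_seed() {
    bin=$1; first=$2; count=$3
    shift 3
    logdir=${ASAN_LOG_DIR:-.}
    seed=$first
    last=$((first + count - 1))
    while [ "$seed" -le "$last" ]; do
        # Capture stderr only; the generated C program on stdout is not needed.
        if err=$("$bin" --seed "$seed" "$@" 2>&1 >/dev/null); then
            status=0
        else
            status=$?
        fi
        # A hit is either a non-zero exit or an ASan banner on stderr (ASan can
        # be configured with exitcode=0, so do not rely on the exit status alone).
        if [ "$status" -ne 0 ] || printf '%s\n' "$err" | grep -q 'AddressSanitizer'; then
            printf '%s\n' "$err" > "$logdir/asan-seed-$seed.log"
            echo "$seed"
            return 0
        fi
        seed=$((seed + 1))
    done
    return 1
}

# Usage with the options from the issue (uncomment to run directly):
# if seed=$(find_crashing_seed ./src/csmith 1 200 --null-ptr-deref-prob 50); then
#     echo "reproduce with: ./src/csmith --seed $seed --null-ptr-deref-prob 50"
# fi
```

Because csmith's output is a deterministic function of the seed and options, re-running the printed seed with the same options should hit the same FactPointTo::rhs_to_lhs_transfer frame at FactPointTo.cpp:183 every time, which is what a maintainer needs to step through it in a debugger.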