yaml_fuzz_reader CI failure #143

Open
mjp41 opened this issue Sep 23, 2024 · 4 comments

@mjp41
Member

mjp41 commented Sep 23, 2024

https://github.com/microsoft/Trieste/actions/runs/10922530213/job/30531367761?pr=110#step:6:25

 yaml_fuzz_reader .................***Exception: SegFault  1.96 sec
Testing x100, seed: 401630379

@matajoh

@mjp41
Member Author

mjp41 commented Dec 18, 2024

12/14 Test #12: yaml_fuzz_to_json ................***Exception: SegFault  0.76 sec
Testing x100, seed: 53461672

@matajoh
Member

matajoh commented Feb 18, 2025

I've looked at both of these and they appear to be fuzzer bugs, not issues with YAML per se. Both segfaults are in snmalloc, as a result of the fuzzer trying to generate nodes. Would appreciate your eyes on it, as I'm not clear exactly why snmalloc is unhappy.

@mjp41
Member Author

mjp41 commented Feb 18, 2025

So just ran the first one in Asan:

mjp41@DESKTOP-IPIQRD7:~/trieste/build/parsers/test$ ./yaml_fuzzer reader -s 401630379
Testing x100, seed: 401630379

AddressSanitizer:DEADLYSIGNAL
=================================================================
==24691==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdb5979e78 (pc 0x55a64ff8ec76 bp 0x7ffdb597a6b0 sp 0x7ffdb5979e80 T0)
    #0 0x55a64ff8ec76 in __asan_memcpy (/home/mjp41/trieste/build/parsers/test/yaml_fuzzer+0x28bc76) (BuildId: 790813fa80504504e5325e6a849ef6522ff5c297)
    #1 0x55a6500ef044 in std::_Rb_tree<trieste::Token, std::pair<trieste::Token const, unsigned long>, std::_Select1st<std::pair<trieste::Token const, unsigned long> >, std::less<trieste::Token>, std::allocator<std::pair<trieste::Token const, unsigned long> > >::find(trieste::Token const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/stl_tree.h:2536:38
    #2 0x55a6500ee52a in std::map<trieste::Token, unsigned long, std::less<trieste::Token>, std::allocator<std::pair<trieste::Token const, unsigned long> > >::find(trieste::Token const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/stl_map.h:1218:21
    #3 0x55a6501004fc in trieste::wf::Gen::choose(std::vector<trieste::Token, std::allocator<trieste::Token> > const&, unsigned long)::'lambda'(trieste::Token const&)::operator()(trieste::Token const&) const /home/mjp41/trieste/include/trieste/wf.h:88:39
    #4 0x55a6500febd5 in std::back_insert_iterator<std::vector<double, std::allocator<double> > > std::transform<__gnu_cxx::__normal_iterator<trieste::Token const*, std::vector<trieste::Token, std::allocator<trieste::Token> > >, std::back_insert_iterator<std::vector<double, std::allocator<double> > >, trieste::wf::Gen::choose(std::vector<trieste::Token, std::allocator<trieste::Token> > const&, unsigned long)::'lambda'(trieste::Token const&)>(__gnu_cxx::__normal_iterator<trieste::Token const*, std::vector<trieste::Token, std::allocator<trieste::Token> > >, __gnu_cxx::__normal_iterator<trieste::Token const*, std::vector<trieste::Token, std::allocator<trieste::Token> > >, std::back_insert_iterator<std::vector<double, std::allocator<double> > >, trieste::wf::Gen::choose(std::vector<trieste::Token, std::allocator<trieste::Token> > const&, unsigned long)::'lambda'(trieste::Token const&)) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/stl_algo.h:4263:14
    #5 0x55a6500fc58e in trieste::wf::Gen::choose(std::vector<trieste::Token, std::allocator<trieste::Token> > const&, unsigned long) /home/mjp41/trieste/include/trieste/wf.h:82:9
    #6 0x55a6500fb8e4 in trieste::wf::Choice::gen(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const /home/mjp41/trieste/include/trieste/wf.h:236:24
    #7 0x55a650105fbb in trieste::wf::Fields::gen(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const /home/mjp41/trieste/include/trieste/wf.h:448:24
    #8 0x55a650105cbe in auto trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const::'lambda'(auto&)::operator()<trieste::wf::Fields const>(auto&) const /home/mjp41/trieste/include/trieste/wf.h:752:36
    #9 0x55a650105b11 in auto std::__invoke_impl<void, trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const::'lambda'(auto&), trieste::wf::Fields const&>(std::__invoke_other, trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const::'lambda'(auto&)&&, trieste::wf::Fields const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:61:14
    #10 0x55a650105aa1 in std::__invoke_result<auto, trieste::wf::Fields const&>::type std::__invoke<trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const::'lambda'(auto&), trieste::wf::Fields const&>(auto&&, trieste::wf::Fields const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:96:14
    #11 0x55a6500fb089 in std::__detail::__variant::__gen_vtable_impl<std::__detail::__variant::_Multi_array<std::__detail::__variant::__deduce_visit_result<void> (*)(trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const::'lambda'(auto&)&&, std::variant<trieste::wf::Sequence, trieste::wf::Fields> const&)>, std::integer_sequence<unsigned long, 1ul> >::__visit_invoke(trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const::'lambda'(auto&)&&, std::variant<trieste::wf::Sequence, trieste::wf::Fields> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/variant:1031:11
    #12 0x55a6500faf87 in decltype(auto) std::__do_visit<std::__detail::__variant::__deduce_visit_result<void>, trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const::'lambda'(auto&), std::variant<trieste::wf::Sequence, trieste::wf::Fields> const&>(trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const::'lambda'(auto&)&&, std::variant<trieste::wf::Sequence, trieste::wf::Fields> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/variant:1791:5
    #13 0x55a6500fad92 in std::invoke_result<auto, std::__conditional<is_lvalue_reference_v<std::variant<trieste::wf::Sequence, trieste::wf::Fields> const&> >::type<std::variant_alternative<0ul, std::remove_reference<decltype(__variant::__as(std::declval<std::variant<trieste::wf::Sequence, trieste::wf::Fields> const&>()))>::type>::type&, std::variant_alternative<0ul, std::remove_reference<decltype(__variant::__as(std::declval<std::variant<trieste::wf::Sequence, trieste::wf::Fields> const&>()))>::type>::type&&> >::type std::visit<trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const::'lambda'(auto&), std::variant<trieste::wf::Sequence, trieste::wf::Fields> const&>(auto&&, std::variant<trieste::wf::Sequence, trieste::wf::Fields> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/variant:1853:13
    #14 0x55a6500ecc07 in trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const /home/mjp41/trieste/include/trieste/wf.h:751:9
    #15 0x55a6500ecd82 in trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const /home/mjp41/trieste/include/trieste/wf.h:755:11
    #16 0x55a6500ecd82 in trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const /home/mjp41/trieste/include/trieste/wf.h:755:11
    #17 0x55a6500ecd82 in trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const /home/mjp41/trieste/include/trieste/wf.h:755:11
    #18 0x55a6500ecd82 in trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const /home/mjp41/trieste/include/trieste/wf.h:755:11
...
    #246 0x55a6500ecd82 in trieste::wf::Wellformed::gen_node(trieste::wf::Gen&, unsigned long, trieste::intrusive_ptr<trieste::NodeDef>) const /home/mjp41/trieste/include/trieste/wf.h:755:11

SUMMARY: AddressSanitizer: stack-overflow (/home/mjp41/trieste/build/parsers/test/yaml_fuzzer+0x28bc76) (BuildId: 790813fa80504504e5325e6a849ef6522ff5c297) in __asan_memcpy
==24691==ABORTING
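
A triage aid for reports like the one above, added here as an example and not part of the issue or of Trieste: it parses symbolized ASan frames and reports the call site with the deepest consecutive run, using frame numbers so that frames elided with "..." are still counted. `REPORT` is abridged from the trace above (symbol arguments shortened to `(...)`); `triage` and `min_depth` are hypothetical names.

```python
import re

# One symbolized ASan frame: "#N 0xPC in <symbol> <path>:<line>[:<col>]"
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+?):(\d+)(?::\d+)?\s*$")
KIND = re.compile(r"ERROR: AddressSanitizer: (\S+)")

# Abridged from the report in this issue; arguments replaced by "(...)".
REPORT = """\
==24691==ERROR: AddressSanitizer: stack-overflow on address 0x7ffdb5979e78
    #0 0x55a64ff8ec76 in __asan_memcpy (/home/mjp41/trieste/build/parsers/test/yaml_fuzzer+0x28bc76)
    #5 0x55a6500fc58e in trieste::wf::Gen::choose(...) /home/mjp41/trieste/include/trieste/wf.h:82:9
    #14 0x55a6500ecc07 in trieste::wf::Wellformed::gen_node(...) const /home/mjp41/trieste/include/trieste/wf.h:751:9
    #15 0x55a6500ecd82 in trieste::wf::Wellformed::gen_node(...) const /home/mjp41/trieste/include/trieste/wf.h:755:11
    #16 0x55a6500ecd82 in trieste::wf::Wellformed::gen_node(...) const /home/mjp41/trieste/include/trieste/wf.h:755:11
...
    #246 0x55a6500ecd82 in trieste::wf::Wellformed::gen_node(...) const /home/mjp41/trieste/include/trieste/wf.h:755:11
"""

def triage(report, min_depth=8):
    """Return (error_kind, recursing_site, depth); site is None if no deep run."""
    kind, frames = None, []
    for line in report.splitlines():
        if (m := KIND.search(line)):
            kind = m.group(1)
        elif (m := FRAME.match(line)):
            site = f"{m.group(3).rsplit('/', 1)[-1]}:{m.group(4)}"
            frames.append((int(m.group(1)), site))
    best, i = (None, 0), 0
    while i < len(frames):
        j = i
        # Extend the run while the same file:line repeats. Run length comes
        # from the frame numbers, so frames hidden behind "..." are counted.
        # Only direct self-recursion is detected, not A -> B -> A cycles.
        while j + 1 < len(frames) and frames[j + 1][1] == frames[i][1]:
            j += 1
        depth = frames[j][0] - frames[i][0] + 1
        if depth > best[1]:
            best = (frames[i][1], depth)
        i = j + 1
    site, depth = best
    return kind, (site if depth >= min_depth else None), depth

if __name__ == "__main__":
    print(triage(REPORT))
```
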

@mjp41
Member Author

mjp41 commented Feb 18, 2025

Same again for the second one.
