bullet3
Floating Point Exception during RandomTreeCreator Execution
Bug Report
Environment
- OS Version: Ubuntu 22.04
- bullet3 version: e9c461b0ace140d5c73972760781d94b7b5eee53
- Compiler name and version number: Ubuntu clang 20.0.0
Description
- Expected behavior: executing the code does not crash
- Actual behavior: executing the code crashes with a Floating Point Exception (FPE)
Steps to reproduce
When a random function is used to create a random number and the input value is 0, a floating point exception is raised when the randomInt function is called internally to generate the random number. Here is a snippet of code that demonstrates how this can occur:
    #include <cmath>
    #include <cstddef>   // size_t
    #include <cstdint>   // uint8_t
    #include <cstdio>
    #include <cstdlib>
    #include <iostream>
    #include "RandomTreeCreator.hpp"

    using namespace btInverseDynamics;

    void InvDynJacobians_VelocitiesFromJacobians()
    {
        const int kRandomLoops = 20;
        const int kMaxRandomBodies = 0;  // 0 is the value that triggers the FPE inside randomInt
        for (int loop = 0; loop < kRandomLoops; loop++)
        {
            // The constructor picks a random body count from kMaxRandomBodies via randomInt
            RandomTreeCreator random(kMaxRandomBodies);
        }
        std::cout << "create over" << std::endl;
    }

    // libFuzzer entry point; the fuzz input is unused because the crash does not depend on it
    extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
    {
        (void)Data;
        (void)Size;
        InvDynJacobians_VelocitiesFromJacobians();
        return 0;
    }
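The following is an added example, not code from bullet3 or from the reporter, showing how a bounded-random-integer helper can validate its range instead of trapping. The unchecked form assumes the usual idiom `lo + rand() % (hi - lo + 1)`; that shape is an assumption for illustration, not taken from IDRandomUtil.cpp. The names rangeSpan, checkedRandomInt and pickBodyCount are hypothetical.

```cpp
#include <cstdlib>
#include <random>

// Divisor the modulo idiom would use for an inclusive range [lo, hi].
// For lo = 1, hi = 0 (the max_bodies == 0 case) this is 0, which is why an
// unchecked "lo + rand() % span" traps with SIGFPE on x86.
inline long rangeSpan(int lo, int hi)
{
    return static_cast<long>(hi) - static_cast<long>(lo) + 1;
}

// Range-validated replacement: returns false for an empty range instead of
// dividing by zero. std::uniform_int_distribution requires lo <= hi (it is
// undefined behaviour otherwise), so the check must come first.
inline bool checkedRandomInt(int lo, int hi, std::mt19937& gen, int& out)
{
    if (hi < lo)
    {
        return false;  // empty range: report it, never compute rand() % 0
    }
    std::uniform_int_distribution<int> dist(lo, hi);  // inclusive, no modulo bias
    out = dist(gen);
    return true;
}

// Mirrors the "pick a body count up to max_bodies" decision that the report
// exercises with max_bodies == 0: an invalid maximum yields 0 bodies instead
// of a crash, and the caller can decide how to handle that.
inline int pickBodyCount(int max_bodies, std::mt19937& gen)
{
    int n = 0;
    if (!checkedRandomInt(1, max_bodies, gen, n))
    {
        return 0;
    }
    return n;
}

int main()
{
    std::mt19937 gen(12345);  // fixed seed so the run is reproducible
    return pickBodyCount(0, gen) == 0 ? 0 : 1;
}
```

std::mt19937 is a simulation-quality generator, not a cryptographic one; that is fine here because the only property the fix needs is that the range check happens before any division.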
Output
Here is what the output shows:
(base) dct@dct-OptiPlex-Tower-Plus-7010:~/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test$ ./bullet_tests_libfuzzer input/
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2602152510
INFO: Loaded 1 modules (124 inline 8-bit counters): 124 [0x55c9568a4028, 0x55c9568a40a4),
INFO: Loaded 1 PC tables (124 PCs): 124 [0x55c9568a40a8,0x55c9568a4868),
INFO: 0 files found in input/
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1132716==ERROR: AddressSanitizer: FPE on unknown address 0x55c9568561cd (pc 0x55c9568561cd bp 0x7ffde5217da0 sp 0x7ffde5217d80 T0)
/usr/bin/llvm-symbolizer-20: /home/dct/anaconda3/lib/libcurl.so.4: no version information available (required by /usr/bin/llvm-symbolizer-20)
#0 0x55c9568561cd in btInverseDynamicsBullet3::randomInt(int, int) /home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet3/Extras/InverseDynamics/IDRandomUtil.cpp:19:50
#1 0x55c9568538c0 in btInverseDynamicsBullet3::RandomTreeCreator::RandomTreeCreator(int, bool) /home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet3/Extras/InverseDynamics/RandomTreeCreator.cpp:20:17
#2 0x55c95685360a in InvDynJacobians_VelocitiesFromJacobians() /home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/main.cpp:17:27
#3 0x55c956853708 in LLVMFuzzerTestOneInput /home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/main.cpp:24:5
#4 0x55c95675553b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x5053b) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)
#5 0x55c9567567e1 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x517e1) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)
#6 0x55c956756e6c in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x51e6c) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)
#7 0x55c956744485 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x3f485) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)
#8 0x55c95676f132 in main (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x6a132) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)
#9 0x731d9f629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#10 0x731d9f629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#11 0x55c956738fc4 in _start (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x33fc4) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)
==1132716==Register values:
rax = 0x000000006b8b4567 rbx = 0x00007ffde5217e20 rcx = 0x0000000000000000 rdx = 0x0000000000000000
rdi = 0x0000731d9f81a860 rsi = 0x00007ffde5217d54 rbp = 0x00007ffde5217da0 rsp = 0x00007ffde5217d80
r8 = 0x0000000000000000 r9 = 0x0000731d9f81a280 r10 = 0x0000731d9f6090f0 r11 = 0x0000731d9f646760
r12 = 0x00007ffde5217f87 r13 = 0x000055c9568a5600 r14 = 0x00006f3d9eae0010 r15 = 0x0000000000000000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet3/Extras/InverseDynamics/IDRandomUtil.cpp:19:50 in btInverseDynamicsBullet3::randomInt(int, int)
==1132716==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000