bullet3
ERROR: Data overflow problem in DillCreator constructor
Bug Report
Environment
- OS Version: Ubuntu 20.04
- bullet3 version: e9c461b0ace140d5c73972760781d94b7b5eee53
- Compiler name and version number: Ubuntu clang 14.0.0
Description
- Expected behavior: the code runs normally
- Actual behavior: the code crashes on execution; invalid parameters are generated
Steps to reproduce
In test_invdyn_kinematics.cpp, if the value of level is greater than or equal to 31, then in the DillCreator constructor BT_ID_POW(2, level) will exceed the maximum value of the int type (2147483647). Therefore, when this value is assigned to m_num_bodies, it may overflow and produce a negative value.
```cpp
#include <cmath>
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <gtest/gtest.h>
#include "../Extras/InverseDynamics/CoilCreator.hpp"
#include "../Extras/InverseDynamics/DillCreator.hpp"
#include "../Extras/InverseDynamics/SimpleTreeCreator.hpp"
#include "BulletInverseDynamics/MultiBodyTree.hpp"
using namespace btInverseDynamics;
// kLevel >= 31: BT_ID_POW(2, kLevel) no longer fits in a 32-bit int
const int kLevel = 31;
const int kNumBodies = BT_ID_POW(2, kLevel);
TEST(InvDynKinematicsDifferentiation, errorAbsolute)
{
	//CAVEAT:these values are hand-tuned to work for the specific trajectory defined above.
#ifdef BT_ID_USE_DOUBLE_PRECISION
	const idScalar kDeltaT = 1e-7;
	const idScalar kAcceptableError = 1e-4;
#else
	const idScalar kDeltaT = 1e-4;
	const idScalar kAcceptableError = 5e-3;
#endif
	const idScalar kDuration = 0.01;
	// constructing the tree with kLevel == 31 triggers the overflow in DillCreator
	DillCreator dill_creator(kLevel);
}
```
Output
Here is what the output shows:
```text
INFO: Seed: 618122775
INFO: Loaded 1 modules (11817 inline 8-bit counters): 11817 [0x966728, 0x969551),
INFO: Loaded 1 PC tables (11817 PCs): 11817 [0x891458,0x8bf6e8),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 787 ft: 788 corp: 1/1b exec/s: 0 rss: 34Mb
b3Error[/root/UTopia/exp/bullet3/Extras/InverseDynamics/DillCreator.cpp,86]:
invalid body parameter (0, num_bodies: -2147483648)
b3Error[/root/UTopia/exp/bullet3/Extras/InverseDynamics/DillCreator.cpp,37]:
recurseDill failed
==2406814== ERROR: libFuzzer: deadly signal
    #0 0x5e0e11 in __sanitizer_print_stack_trace (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x5e0e11)
    #1 0x52bf78 in fuzzer::PrintStackTrace() (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x52bf78)
    #2 0x5110c3 in fuzzer::Fuzzer::CrashCallback() (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x5110c3)
    #3 0x732986a7541f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f)
    #4 0x73298673600a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a)
    #5 0x732986715858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858)
    #6 0x626f2a in btInverseDynamicsBullet3::DillCreator::DillCreator(int) /root/UTopia/exp/bullet3/Extras/InverseDynamics/DillCreator.cpp:38:3
    #7 0x60f91f in InvDynKinematicsDifferentiation_errorAbsolute_Test::TestBody() /root/UTopia/exp/bullet3/test/InverseDynamics/test_invdyn_kinematics.cpp:346:14
    #8 0x6131d5 in enterAutofuzz::AutofuzzTest::runTest() /root/UTopia/exp/bullet3/test/InverseDynamics/test_invdyn_kinematics.cpp:457:9
    #9 0x612dc2 in enterAutofuzz /root/UTopia/exp/bullet3/test/InverseDynamics/test_invdyn_kinematics.cpp:468:10
    #10 0x73614c in TestOneProtoInput(AutoFuzz::FuzzArgsProfile const&) /root/UTopia/exp/bullet3/test/InverseDynamics/fuzz_entry.cc:45:3
    #11 0x735fb4 in LLVMFuzzerTestOneInput /root/UTopia/exp/bullet3/test/InverseDynamics/fuzz_entry.cc:38:1
    #12 0x512781 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x512781)
    #13 0x511ec5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x511ec5)
    #14 0x514167 in fuzzer::Fuzzer::MutateAndTestOne() (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x514167)
    #15 0x514e65 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x514e65)
    #16 0x50381e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x50381e)
    #17 0x52c662 in main (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x52c662)
    #18 0x732986717082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #19 0x4d859d in _start (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x4d859d)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 2 ChangeByte-Custom-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0x66,0x75,0x7a,0x7a,0x76,0x61,0x72,0x36,0x3a,0x20,0x35,0x38,0xa,
fuzzvar6: 58\x0a
artifact_prefix='./'; Test unit written to ./crash-c8369d99e3d271abeb43e3e3a26989981a36c0fd
Base64: ZnV6enZhcjY6IDU4Cg==
```
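The Description above pins the crash on BT_ID_POW(2, level) being narrowed to int once level reaches 31. The block below is an added example, not bullet3 code and not part of this report, showing the bounds check a hardened constructor would perform before that narrowing conversion. It assumes a 32-bit int, as in the reported environment; the function names dillNumBodies and dillNumBodiesFromPow are hypothetical.

```cpp
#include <climits>
#include <cmath>
#include <cstdio>
#include <initializer_list>

// Added example (not bullet3 code). The constructor in the report in effect
// does `int num_bodies = BT_ID_POW(2, level);`, where BT_ID_POW expands to
// std::pow, so a double that does not fit in int is narrowed to int. For
// level >= 31 that double is 2147483648.0 or larger; the conversion is
// undefined behaviour in C++, and the value observed in the report was
// INT_MIN (-2147483648).
//
// Both helpers are hypothetical names, written for this example.

// Returns true and sets `out` to 2^level only when the result fits in a
// 32-bit int. Pure integer arithmetic: no floating-point round trip at all.
bool dillNumBodies(int level, int& out)
{
    // 2^level fits in a signed 32-bit int only for 0 <= level <= 30.
    // 2^31 == INT_MAX + 1, exactly the value that wrapped in the report.
    if (level < 0 || level > 30)
    {
        return false;
    }
    out = 1 << level;  // level <= 30, so the shift never reaches the sign bit
    return true;
}

// Same check for callers that keep the floating-point BT_ID_POW path:
// compare the double against INT_MAX *before* converting, never after.
bool dillNumBodiesFromPow(int level, int& out)
{
    if (level < 0)
    {
        return false;
    }
    const double n = std::pow(2.0, level);
    // Reject anything that would not survive the double -> int narrowing
    // (the negated form also rejects NaN).
    if (!(n <= static_cast<double>(INT_MAX)))
    {
        return false;
    }
    out = static_cast<int>(n);
    return true;
}

int main()
{
    for (int level : {0, 1, 10, 30, 31, 40})
    {
        int n = 0;
        if (dillNumBodies(level, n))
        {
            std::printf("level %2d -> num_bodies %d\n", level, n);
        }
        else
        {
            std::printf("level %2d -> rejected (2^level does not fit in int)\n", level);
        }
    }
    return 0;
}
```

The check must run on the double (or avoid the floating-point path entirely, as dillNumBodies does): once an out-of-range double has been converted to int the behaviour is already undefined, so testing m_num_bodies for a negative value afterwards only catches the outcome one particular CPU happens to produce.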