
ERROR: Data overflow problem in DillCreator constructor

Open DUT-ShiLongYu opened this issue 4 months ago • 0 comments

Bug Report

Environment

Description

  • Expected behavior: The code runs normally.
  • Actual behavior: Executing the code crashes; invalid parameters are generated.

Steps to reproduce

In test_invdyn_kinematics.cpp, if the value of level is greater than or equal to 31, then in the DillCreator constructor BT_ID_POW(2, level) will exceed the maximum value of the int type (2147483647). Therefore, when you assign this value to m_num_bodies, it may cause an overflow and produce a negative value.

#include <cmath>
#include <cstdio>
#include <cstdlib>
#include <iostream>

#include <gtest/gtest.h>

#include "../Extras/InverseDynamics/CoilCreator.hpp"
#include "../Extras/InverseDynamics/DillCreator.hpp"
#include "../Extras/InverseDynamics/SimpleTreeCreator.hpp"
#include "BulletInverseDynamics/MultiBodyTree.hpp"

using namespace btInverseDynamics;

const int kLevel = 31;
const int kNumBodies = BT_ID_POW(2, kLevel);
TEST(InvDynKinematicsDifferentiation, errorAbsolute)
{
	//CAVEAT:these values are hand-tuned to work for the specific trajectory defined above.
#ifdef BT_ID_USE_DOUBLE_PRECISION
	const idScalar kDeltaT = 1e-7;
	const idScalar kAcceptableError = 1e-4;
#else
	const idScalar kDeltaT = 1e-4;
	const idScalar kAcceptableError = 5e-3;
#endif
	const idScalar kDuration = 0.01;

	DillCreator dill_creator(kLevel);
}

Output

Here is what the output shows:

INFO: Seed: 618122775
INFO: Loaded 1 modules   (11817 inline 8-bit counters): 11817 [0x966728, 0x969551), 
INFO: Loaded 1 PC tables (11817 PCs): 11817 [0x891458,0x8bf6e8), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 787 ft: 788 corp: 1/1b exec/s: 0 rss: 34Mb
b3Error[/root/UTopia/exp/bullet3/Extras/InverseDynamics/DillCreator.cpp,86]:
invalid body parameter (0, num_bodies: -2147483648)
b3Error[/root/UTopia/exp/bullet3/Extras/InverseDynamics/DillCreator.cpp,37]:
recurseDill failed
==2406814== ERROR: libFuzzer: deadly signal
    #0 0x5e0e11 in __sanitizer_print_stack_trace (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x5e0e11)
    #1 0x52bf78 in fuzzer::PrintStackTrace() (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x52bf78)
    #2 0x5110c3 in fuzzer::Fuzzer::CrashCallback() (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x5110c3)
    #3 0x732986a7541f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f)
    #4 0x73298673600a in raise (/lib/x86_64-linux-gnu/libc.so.6+0x4300a)
    #5 0x732986715858 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x22858)
    #6 0x626f2a in btInverseDynamicsBullet3::DillCreator::DillCreator(int) /root/UTopia/exp/bullet3/Extras/InverseDynamics/DillCreator.cpp:38:3
    #7 0x60f91f in InvDynKinematicsDifferentiation_errorAbsolute_Test::TestBody() /root/UTopia/exp/bullet3/test/InverseDynamics/test_invdyn_kinematics.cpp:346:14
    #8 0x6131d5 in enterAutofuzz::AutofuzzTest::runTest() /root/UTopia/exp/bullet3/test/InverseDynamics/test_invdyn_kinematics.cpp:457:9
    #9 0x612dc2 in enterAutofuzz /root/UTopia/exp/bullet3/test/InverseDynamics/test_invdyn_kinematics.cpp:468:10
    #10 0x73614c in TestOneProtoInput(AutoFuzz::FuzzArgsProfile const&) /root/UTopia/exp/bullet3/test/InverseDynamics/fuzz_entry.cc:45:3
    #11 0x735fb4 in LLVMFuzzerTestOneInput /root/UTopia/exp/bullet3/test/InverseDynamics/fuzz_entry.cc:38:1
    #12 0x512781 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x512781)
    #13 0x511ec5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x511ec5)
    #14 0x514167 in fuzzer::Fuzzer::MutateAndTestOne() (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x514167)
    #15 0x514e65 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x514e65)
    #16 0x50381e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x50381e)
    #17 0x52c662 in main (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x52c662)
    #18 0x732986717082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #19 0x4d859d in _start (/root/UTopia/exp/bullet3/output/fuzzers/InvDynKinematicsDifferentiation_errorAbsolute_Test+0x4d859d)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 2 ChangeByte-Custom-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0x66,0x75,0x7a,0x7a,0x76,0x61,0x72,0x36,0x3a,0x20,0x35,0x38,0xa,
fuzzvar6: 58\x0a
artifact_prefix='./'; Test unit written to ./crash-c8369d99e3d271abeb43e3e3a26989981a36c0fd
Base64: ZnV6enZhcjY6IDU4Cg==

DUT-ShiLongYu, Oct 02 '24 06:10
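The failure mode the report describes, as an added example that is not Bullet's own code: a body count computed as 2^level in floating point (as BT_ID_POW does) and stored in an int, with a range check in front of the conversion. The names fitsInInt and checkedNumBodies are hypothetical; the only assumption is that a dill of a given level has 2^level bodies, as the report states.

```cpp
#include <climits>
#include <cmath>

// Added example, not Bullet's code. Hypothetical helpers that show why
// level >= 31 yields a negative m_num_bodies and how to reject it before
// the value is ever converted to int.

// Does pow(2, level), evaluated in double like BT_ID_POW, lie inside the
// int range? Converting an out-of-range double to int is undefined
// behaviour in C++; on x86-64 the usual hardware result is INT_MIN, which
// is exactly the -2147483648 printed in the crash log above.
bool fitsInInt(int level) {
    if (level < 0) return false;  // 2^-k truncates to 0: also invalid
    const double v = std::pow(2.0, static_cast<double>(level));
    return v <= static_cast<double>(INT_MAX);
}

// Guarded replacement for the unchecked assignment to m_num_bodies.
// Returns false and leaves `out` untouched instead of storing a negative
// or zero body count; on success `out` is computed in exact integer math.
bool checkedNumBodies(int level, int& out) {
    if (!fitsInInt(level)) return false;
    out = 1 << level;  // safe: 0 <= level <= 30 here
    return true;
}
```

A constructor that calls checkedNumBodies and fails on false would report "level out of range" at the call site rather than crashing later inside recurseDill.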