
graphql-syntax: Parser crash parse_document_with_features (internal error: entered unreachable code)

Open silvergasp opened this issue 5 months ago • 0 comments

NOTE: This bug report is part of a trial for using fuzz-harnesses, see https://github.com/facebook/relay/issues/4566#issuecomment-1883491254 for more context. This bug was found using the fuzz harness in #4565.

Steps to reproduce


use arbitrary::Arbitrary;
use common::SourceLocationKey;
use graphql_syntax::parse_document_with_features;
use graphql_syntax::ParserFeatures;

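/// Minimal reproducer: feeds the fuzzer-found input to the parser.
///
/// The input is a `>` followed by `"""` and a U+0001 control character;
/// the trace in this report shows it reaching
/// `graphql_syntax::lexer::lex_block_string` and hitting an
/// `unreachable!()` at lexer.rs:171, i.e. a panic instead of a returned
/// parse error. NOTE(review): a reachable panic in a lexer is a
/// denial-of-service concern wherever this crate parses untrusted input —
/// confirm which callers do.
fn main() {
    // Exact fuzz artifact as a Rust string literal; `\u{1}` is U+0001.
    let input = ">\"\"\"\u{1}";
    let _res = parse_document_with_features(
        input,
        SourceLocationKey::Generated,
        ParserFeatures {
            fragment_argument_capability: None,
        },
    );
} // no trailing `;` here — a stray semicolon after a `fn` item is rejected by rustc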

My approximation of the information that you'd get from google/oss-fuzz if this were integrated.

Stacktrace and error input

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 4194742229
INFO: Loaded 1 modules   (288424 inline 8-bit counters): 288424 [0x560cf4589100, 0x560cf45cf7a8), 
INFO: Loaded 1 PC tables (288424 PCs): 288424 [0x560cf45cf7a8,0x560cf4a36228), 
fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_parser: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/fuzz_parser/crash-000e7e5841247d5c5a2d4c1d35e2c4603696bf67
thread '<unnamed>' panicked at /home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/src/lexer.rs:171:40:
internal error: entered unreachable code
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==450552== ERROR: libFuzzer: deadly signal
    #0 0x560cf34e0311 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x560cf417f049 in fuzzer::PrintStackTrace() /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerUtil.cpp:210:38
    #2 0x560cf416a415 in fuzzer::Fuzzer::CrashCallback() /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerLoop.cpp:233:18
    #3 0x560cf416a415 in fuzzer::Fuzzer::CrashCallback() /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerLoop.cpp:228:6
    #4 0x7f82a3851d9f  (/nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45/lib/libc.so.6+0x38d9f) (BuildId: 2b9ebcc534a497a5e424c017f310e087ec14b7b6)
    #5 0x7f82a38a0b1b in __pthread_kill_implementation (/nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45/lib/libc.so.6+0x87b1b) (BuildId: 2b9ebcc534a497a5e424c017f310e087ec14b7b6)
    #6 0x7f82a3851cf5 in gsignal (/nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45/lib/libc.so.6+0x38cf5) (BuildId: 2b9ebcc534a497a5e424c017f310e087ec14b7b6)
    #7 0x7f82a383b8b9 in abort (/nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45/lib/libc.so.6+0x228b9) (BuildId: 2b9ebcc534a497a5e424c017f310e087ec14b7b6)
    #8 0x560cf4230856 in std::sys::unix::abort_internal::hb88d147b24444ccb /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/std/src/sys/unix/mod.rs:375:14
    #9 0x560cf3436de6 in std::process::abort::h48da3a1587f663a3 /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/std/src/process.rs:2279:5
    #10 0x560cf4164664 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::hb85733ac7a5d2d57 /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:91:9
    #11 0x560cf4225325 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h1171429379e58ebd /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/alloc/src/boxed.rs:2030:9
    #12 0x560cf4225325 in std::panicking::rust_panic_with_hook::he8cd11bc79b74e48 /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/std/src/panicking.rs:783:13
    #13 0x560cf4225038 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::he1868b3475576648 /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/std/src/panicking.rs:649:13
    #14 0x560cf42225d5 in std::sys_common::backtrace::__rust_end_short_backtrace::h9210389720f5c16a /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/std/src/sys_common/backtrace.rs:171:18
    #15 0x560cf4224dcf in rust_begin_unwind /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/std/src/panicking.rs:645:5
    #16 0x560cf343a2c4 in core::panicking::panic_fmt::hfbd09a125111b8b4 /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/core/src/panicking.rs:72:14
    #17 0x560cf343a382 in core::panicking::panic::h8ed89a8593b3dafc /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/core/src/panicking.rs:144:5
    #18 0x560cf36c9278 in graphql_syntax::lexer::lex_block_string::h86ba99d274db84ed /home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/src/lexer.rs:171:40
    #19 0x560cf376b523 in _$LT$graphql_syntax..lexer..TokenKind$u20$as$u20$logos..Logos$GT$::lex::goto123_ctx122_x::h32924aece556a76b /home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/src/lexer.rs:22:10
    #20 0x560cf376b523 in _$LT$graphql_syntax..lexer..TokenKind$u20$as$u20$logos..Logos$GT$::lex::goto161_ctx122_x::h6d7e6b820486cfae /home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/src/lexer.rs:22:10
    #21 0x560cf376b523 in _$LT$graphql_syntax..lexer..TokenKind$u20$as$u20$logos..Logos$GT$::lex::goto163::h28d275448eeb9341 /home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/src/lexer.rs:22:10
    #22 0x560cf374bd88 in _$LT$graphql_syntax..lexer..TokenKind$u20$as$u20$logos..Logos$GT$::lex::h1ec0620679ceae3f /home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/src/lexer.rs:22:10
    #23 0x560cf374bd88 in _$LT$logos..lexer..Lexer$LT$Token$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::ha28f92ec0e772dd6 /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/logos-0.12.1/src/lexer.rs:193:9
    #24 0x560cf374bd88 in graphql_syntax::parser::Parser::parse_token::hcf3541829ed158cc /home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/src/parser.rs:2090:35
    #25 0x560cf36ede1e in graphql_syntax::parser::Parser::with_offset::h196041aa3c089511 /home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/src/parser.rs:108:9
    #26 0x560cf36ede1e in graphql_syntax::parser::Parser::new::hc5998c675170d841 /home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/src/parser.rs:72:9
    #27 0x560cf375186f in graphql_syntax::parse_document_with_features::hc35ddc8d183e458d /home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/src/lib.rs:50:18
    #28 0x560cf35533a3 in fuzz_parser::_::__libfuzzer_sys_run::hbcfe1f90ad32aaed /home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/fuzz/fuzz_targets/fuzz_parser.rs:20:11
    #29 0x560cf35523db in rust_fuzzer_test_input /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:297:60
    #30 0x560cf415ed38 in libfuzzer_sys::test_input_wrap::_$u7b$$u7b$closure$u7d$$u7d$::hc1ebeb1e5434c8ae /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:61:9
    #31 0x560cf415ed38 in std::panicking::try::do_call::h6689f7f2ac49fcc9 /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/std/src/panicking.rs:552:40
    #32 0x560cf4164877 in __rust_try libfuzzer_sys.16b8e11d1125706d-cgu.0
    #33 0x560cf4163931 in std::panicking::try::hd5c10ed80d3d2169 /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/std/src/panicking.rs:516:19
    #34 0x560cf4163931 in std::panic::catch_unwind::h15c7e6ee02f461d0 /rustc/75c68cfd2b9870f2953b62d250bd7d0564a7b56d/library/std/src/panic.rs:142:14
    #35 0x560cf4163931 in LLVMFuzzerTestOneInput /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/src/lib.rs:59:22
    #36 0x560cf416a949 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerLoop.cpp:612:15
    #37 0x560cf418b12d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerDriver.cpp:324:21
    #38 0x560cf4192e4e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerDriver.cpp:860:19
    #39 0x560cf343acd2 in main /home/nathaniel/.cargo/registry/src/index.crates.io-6f17d22bba15001f/libfuzzer-sys-0.4.7/libfuzzer/FuzzerMain.cpp:20:30
    #40 0x7f82a383cb0d in __libc_start_call_main (/nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45/lib/libc.so.6+0x23b0d) (BuildId: 2b9ebcc534a497a5e424c017f310e087ec14b7b6)
    #41 0x7f82a383cbc8 in __libc_start_main@GLIBC_2.2.5 (/nix/store/whypqfa83z4bsn43n4byvmw80n4mg3r8-glibc-2.37-45/lib/libc.so.6+0x23bc8) (BuildId: 2b9ebcc534a497a5e424c017f310e087ec14b7b6)
    #42 0x560cf343ae34 in _start (/home/nathaniel/projects/github.com/silvergasp/relay/compiler/crates/graphql-syntax/fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_parser+0x786e34)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

Crash file

OSS-Fuzz will automatically minimise the test case, so there is no need to run `cargo fuzz tmin`. Crash file: crash-000e7e5841247d5c5a2d4c1d35e2c4603696bf67.txt

To reproduce using cargo fuzz, simply run:

# Enter the graphql-syntax crate; its fuzz/ directory (fuzz_targets/fuzz_parser.rs) lives under it
cd compiler/crates/graphql-syntax
# Replay the single downloaded crash input through the fuzz_parser harness;
# expect the "entered unreachable code" panic from lexer.rs:171 shown in the trace above
cargo fuzz run fuzz_parser path/to/downloaded/crash-000e7e5841247d5c5a2d4c1d35e2c4603696bf67.txt

silvergasp avatar Jan 10 '24 19:01 silvergasp