cargo-fuzz
Using `trace_macros!(false)` in a fuzzer causes a segfault
Hello!

I'm not entirely sure this is a bug in cargo-fuzz… it may be in libfuzzer_sys, or perhaps an issue in the rustc `trace_macros!()` feature implementation.
I wrote the following fuzzer for the `u8::conditional_assign` function from dalek-cryptography/subtle:

```rust
#![no_main]
#![feature(trace_macros)]
// Turning macro tracing off (a no-op at runtime) is what triggers the segfault below.
trace_macros!(false);

#[macro_use]
extern crate libfuzzer_sys;
extern crate subtle;
extern crate core;

use subtle::ConditionallyAssignable;

fuzz_target!(|data: &[u8]| {
    for y in data.iter() {
        let mut x: u8 = 0;
        // choice = 0: x must be left untouched
        x.conditional_assign(y, 0);
        assert_eq!(x, 0);
        // choice = 1: x must take the value of y
        x.conditional_assign(y, 1);
        assert_eq!(x, *y);
    }
});
```
Running with `cargo fuzz run conditional_assign` will segfault:

```
∃!isisⒶwintermute:(develop $>)~/code/rust/subtle ∴ cargo fuzz run conditional_assign
   Compiling subtle v0.5.0 (file:///home/isis/code/rust/subtle)
   Compiling cc v1.0.4
   Compiling arbitrary v0.1.0
     Running `rustc --crate-name subtle src/lib.rs --crate-type lib --emit=dep-info,link -C debuginfo=2 --cfg 'feature="default"' --cfg 'feature="std"' -C metadata=308589c838ddeca1 -C extra-filename=-308589c838ddeca1 --out-dir /home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps --target x86_64-unknown-linux-gnu -L dependency=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=3 -Zsanitizer=address -Cpanic=abort`
     Running `rustc --crate-name cc /home/isis/.cargo/registry/src/github.com-1ecc6299db9ec823/cc-1.0.4/src/lib.rs --crate-type lib --emit=dep-info,link -C debuginfo=2 -C metadata=d28b04525e9df5db -C extra-filename=-d28b04525e9df5db --out-dir /home/isis/code/rust/subtle/fuzz/target/debug/deps -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps --cap-lints allow`
     Running `rustc --crate-name arbitrary /home/isis/.cargo/registry/src/github.com-1ecc6299db9ec823/arbitrary-0.1.0/src/lib.rs --crate-type lib --emit=dep-info,link -C debuginfo=2 -C metadata=b1bc161df83b3bf9 -C extra-filename=-b1bc161df83b3bf9 --out-dir /home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps --target x86_64-unknown-linux-gnu -L dependency=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps --cap-lints allow -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=3 -Zsanitizer=address -Cpanic=abort`
   Compiling libfuzzer-sys v0.1.0 (https://github.com/rust-fuzz/libfuzzer-sys.git#737524f7)
     Running `rustc --crate-name build_script_build /home/isis/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/737524f/build.rs --crate-type bin --emit=dep-info,link -C debuginfo=2 -C metadata=441f80908b9f47fa -C extra-filename=-441f80908b9f47fa --out-dir /home/isis/code/rust/subtle/fuzz/target/debug/build/libfuzzer-sys-441f80908b9f47fa -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps --extern cc=/home/isis/code/rust/subtle/fuzz/target/debug/deps/libcc-d28b04525e9df5db.rlib --cap-lints allow`
     Running `/home/isis/code/rust/subtle/fuzz/target/debug/build/libfuzzer-sys-441f80908b9f47fa/build-script-build`
     Running `rustc --crate-name libfuzzer_sys /home/isis/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/737524f/src/lib.rs --crate-type lib --emit=dep-info,link -C debuginfo=2 -C metadata=d86f3ae62fec466d -C extra-filename=-d86f3ae62fec466d --out-dir /home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps --target x86_64-unknown-linux-gnu -L dependency=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps --extern arbitrary=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps/libarbitrary-b1bc161df83b3bf9.rlib --cap-lints allow -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=3 -Zsanitizer=address -Cpanic=abort -L native=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/build/libfuzzer-sys-2c2df4139d84705d/out -l static=fuzzer -l 'stdc++'`
   Compiling subtle-fuzz v0.0.1 (file:///home/isis/code/rust/subtle/fuzz)
     Running `rustc --crate-name conditional_assign fuzz/fuzzers/conditional_assign.rs --crate-type bin --emit=dep-info,link -C debuginfo=2 -C metadata=e121aa45b4187f8f -C extra-filename=-e121aa45b4187f8f --out-dir /home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps --target x86_64-unknown-linux-gnu -L dependency=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps -L dependency=/home/isis/code/rust/subtle/fuzz/target/debug/deps --extern libfuzzer_sys=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps/liblibfuzzer_sys-d86f3ae62fec466d.rlib --extern subtle=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/deps/libsubtle-308589c838ddeca1.rlib -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=3 -Zsanitizer=address -Cpanic=abort -L native=/home/isis/code/rust/subtle/fuzz/target/x86_64-unknown-linux-gnu/debug/build/libfuzzer-sys-2c2df4139d84705d/out`
    Finished dev [unoptimized + debuginfo] target(s) in 29.69 secs
     Running `fuzz/target/x86_64-unknown-linux-gnu/debug/conditional_assign -artifact_prefix=/home/isis/code/rust/subtle/fuzz/artifacts/conditional_assign/ /home/isis/code/rust/subtle/fuzz/corpus/conditional_assign`
Segmentation fault
∃!isisⒶwintermute:(develop $>)~/code/rust/subtle ∴
```
If I change `trace_macros!(false)` to `trace_macros!(true)` (or remove it entirely), the segfault does not occur. What's extra weird is that if I then add `trace_macros!(false)` back in and re-run `cargo fuzz run conditional_assign`, it still runs just fine.
I have no idea where the bug is, so my apologies if this is not the correct place to report; I just thought I'd start by asking people more knowledgeable. My naïve guess would be some sort of non-idempotency issue in cross-crate interactions w.r.t. the statefulness of `trace_macros!()`?
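Added example (not from the issue author, nor from the subtle or cargo-fuzz projects): the same oracle the fuzz target above applies to each input byte, written as plain Rust with no libfuzzer dependency so it can be run under `cargo test`. That separates a crash in the harness or toolchain, as reported here (the segfault happens before the first iteration), from a bug in the code under test. `ct_conditional_assign` is a hypothetical mask-based stand-in for subtle's `u8::conditional_assign`, not subtle's own code, and `buggy_conditional_assign` is a deliberately wrong variant included to show the oracle actually failing. The sample input is constructed.

```rust
/// Hypothetical stand-in for subtle's u8::conditional_assign (added example,
/// not the crate's own code). `choice` must be 0 or 1; it is widened to an
/// all-zeros or all-ones mask so no data-dependent branch is taken.
fn ct_conditional_assign(x: &mut u8, other: &u8, choice: u8) {
    debug_assert!(choice <= 1, "choice must be 0 or 1");
    let mask = 0u8.wrapping_sub(choice); // 0x00 when choice == 0, 0xFF when choice == 1
    *x ^= mask & (*x ^ *other);
}

/// Deliberately broken variant: uses `choice` itself as the mask, so only the
/// low bit of `other` is ever copied. Included to show the oracle catching a bug.
fn buggy_conditional_assign(x: &mut u8, other: &u8, choice: u8) {
    *x ^= choice & (*x ^ *other);
}

/// The oracle from the fuzz target, generalised over the assign function and
/// returning bool instead of panicking: choice 0 must leave x at 0, choice 1
/// must make x equal to y, for every byte y of the input.
fn check_with<F: Fn(&mut u8, &u8, u8)>(assign: F, data: &[u8]) -> bool {
    for y in data {
        let mut x: u8 = 0;
        assign(&mut x, y, 0);
        if x != 0 {
            return false;
        }
        assign(&mut x, y, 1);
        if x != *y {
            return false;
        }
    }
    true
}

/// Same check as the fuzz target body, against the constant-time stand-in.
fn check_conditional_assign(data: &[u8]) -> bool {
    check_with(ct_conditional_assign, data)
}

/// Exhaustive variant over all 256 byte values; a fuzzer only approximates
/// this coverage, a unit test can simply enumerate it.
fn check_exhaustive() -> bool {
    (0u8..=255).all(|y| check_conditional_assign(&[y]))
}

fn main() {
    // Constructed sample standing in for a fuzzer-provided input slice.
    let sample: &[u8] = &[0x00, 0x01, 0x7f, 0x80, 0xff];
    println!("constant-time stand-in, sample:     {}", check_conditional_assign(sample));
    println!("constant-time stand-in, exhaustive: {}", check_exhaustive());
    println!("buggy variant, sample:              {}", check_with(buggy_conditional_assign, sample));
}
```

Running the oracle this way first is a cheap sanity check: if `cargo test` passes and only `cargo fuzz run` dies, the fault is in the fuzzing setup rather than in `conditional_assign`.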
cc @nagisa, sounds like a libfuzzer bug
The non-idempotency is disturbing. Unsure why trace_macros is causing segfaults though, IIRC that doesn't have any runtime impact
Acknowledged. Will look at it when less busy.
Hi all. I've just tried to replicate but it seems the problem is solved now. If @isislovecruft confirms, it looks like the issue can be closed.