fuzz test occur runtime error

[qweryzh]

src/memory/shared_ptr.hpp:202:17: runtime error: downcast of address 0x000003638870 which does not point to an object of type 'Sass::PreValue' 0x000003638870: note: object is of type 'Sass::Unary_Expression' 00 00 00 00 48 ff c7 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 84 63 03 ^~~~~~~~~~~~~~~~~~~~~~~ vptr for 'Sass::Unary_Expression' #0 0x6a037f in Sass::SharedImplSass::PreValue::SharedImplSass::Expression(Sass::Expression*) /src/libsass/src/memory/shared_ptr.hpp:202:17 #1 0x653594 in Sass::Parser::parse_selector_schema(char const*, bool) /src/libsass/src/parser.cpp:576:24 #2 0x6549cb in Sass::Parser::parse_ruleset(Lookahead) /src/libsass/src/parser.cpp:516:17 #3 0x648a0d in Sass::Parser::parse_block_node(bool) /src/libsass/src/parser.cpp:260:21 #4 0x644b10 in Sass::Parser::parse_block_nodes(bool) /src/libsass/src/parser.cpp:171:11 #5 0x6434c1 in Sass::Parser::parse() /src/libsass/src/parser.cpp:97:5 #6 0x587661 in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) /src/libsass/src/context.cpp:307:24 #7 0x590e16 in Sass::Data_Context::parse() /src/libsass/src/context.cpp:621:5 #8 0x4c456a in Sass::sass_parse_block(Sass_Compiler*) /src/libsass/src/sass_context.cpp:181:31 #9 0x4c4347 in sass_compiler_parse /src/libsass/src/sass_context.cpp:435:22 #10 0x4c3f1c in sass_compile_context(Sass_Context*, Sass::Context*) /src/libsass/src/sass_context.cpp:318:7 #11 0x4c1bc3 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:26:3 #12 0x452eb1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15 #13 0x43e212 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6 #14 0x4442a7 in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:776:9 #15 0x46c8f2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10 #16 0x7fc7b762682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #17 0x418828 in _start (/out/data_context_fuzzer+0x418828)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/memory/shared_ptr.hpp:202:17 in

[qweryzh]

according to the error message,the problem is caused by the conversion of the base class and the derived class. Sass::Unary_Expression,static_cast will not peforme security checks during the downcast conversion.resulting in the error.This problem can be avoided by changing static_cast to dynamic_cast.

I think this can solve the problem, please maintainer check this @hcatlin

[HamptonMakes]

@qweryzh can you explain what you are doing to trigger this error? Are you running a specific bit of Sass to compile? Are you trying to run libsass in some specific environment?

[qweryzh]

@hcatlin This occurs when I running fuzz test cases.You can download test environment from https://github.com/google/oss-fuzz.git and perform the following steps: 1.build python3 infra/helper.py build_fuzzers --sanitizer undefined libsass 2. run python3 infra/helper.py run_fuzzer libsass data_context_fuzzer -rss_limit_mb=0

and then you can reproduce above the failure