
atheris.Fuzz segfaults when using atheris.instrument_all with @singledispatch on 3.11.9 #90

Open
tybug opened this issue Jul 18, 2024 · 0 comments

Comments


tybug commented Jul 18, 2024

I've been running atheris as part of a large scale evaluation, and have run into a few repositories which throw "failed to instrument" warnings when instrumenting and subsequently segfault. I believe I've isolated this to @singledispatch on 3.11:

reproducer:

```python
from functools import singledispatch
import sys
import atheris

@singledispatch
def dispatched(x):
    return x

def fuzz_one_input(b):
    dispatched(b)

atheris.instrument_all()
atheris.Setup(sys.argv, fuzz_one_input)
atheris.Fuzz()
```

Which produces output, in part:

```
ERROR: Failed to instrument function <function Protocol.__init_subclass__.<locals>._proto_hook at 0x2b2e3ed1d120>: '>' not supported between instances of 'NoneType' and 'int'
[2949/3004] 98%
ERROR: Failed to instrument function <function Protocol.__init_subclass__.<locals>._proto_hook at 0x2b2e3ed1d940>: '>' not supported between instances of 'NoneType' and 'int'
[2988/3004] 99%
ERROR: Failed to instrument function <function Generic.__init_subclass__ at 0x2b2e3ed0f600>: '>' not supported between instances of 'NoneType' and 'int'
[2989/3004] 99%
ERROR: Failed to instrument function <function Protocol.__init_subclass__ at 0x2b2e3ed0fc40>: '>' not supported between instances of 'NoneType' and 'int'
[2995/3004] 99%
ERROR: Failed to instrument function <function _TypedDictMeta.__new__ at 0x2b2e3ed1dc60>: '>' not supported between instances of 'NoneType' and 'int'
[3004/3004] 100%
INFO: Using built-in libfuzzer
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3305948197
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
==2403== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
```

This minimal reproducer exits with a libfuzzer "deadly signal", but I've seen segmentation faults more commonly in practice: `Fatal Python error: Segmentation fault`, usually after <100 examples. My guess is this crash occurs whenever atheris first produces an input which exercises an `@singledispatch` function.

I cannot reproduce this with Python 3.10.14, or with `@atheris.instrument_func` on Python 3.11.9.

If you need a reproducer which segfaults explicitly, let me know. It's a bit fiddly to put one together. Hopefully the above is useful enough to track this down!
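Since the report says `@atheris.instrument_func` does not trigger the crash where `instrument_all()` does, one way to keep coverage on a `singledispatch` function without `instrument_all()` is to instrument the registered implementations explicitly. The harness below is an added example, not code from the issue author or the atheris project. It assumes that `atheris.instrument_func` can be applied to each implementation found in the dispatcher's `registry` and patches that function object in place (so the registry keeps pointing at instrumented code); whether this actually sidesteps the 3.11 crash is not established by the issue. The helper `singledispatch_targets` is hypothetical and only uses the public `registry` attribute of `functools.singledispatch`, so it runs without atheris installed.

```python
"""Fuzz harness that instruments singledispatch implementations one at a time
instead of relying on atheris.instrument_all()."""
from functools import singledispatch
import sys

try:
    import atheris  # assumption: atheris is installed where the harness is run
except ImportError:  # the helpers below still work (and can be tested) without it
    atheris = None


@singledispatch
def dispatched(x):
    # generic fallback: returns the input unchanged
    return x


@dispatched.register
def _(x: bytes):
    # bytes implementation: lossy decode so odd inputs don't raise
    return x.decode("utf-8", errors="replace")


@dispatched.register
def _(x: int):
    # int implementation
    return x + 1


def singledispatch_targets(fn):
    """Return the concrete functions behind a functools.singledispatch object.

    fn.registry maps each registered type to its implementation; the entry for
    `object` is the original generic function. These plain function objects are
    what an instrumenter needs; `fn` itself is the dispatch wrapper closure that
    instrument_all() tries to rewrite in the report above (hypothetical helper).
    """
    if not hasattr(fn, "registry"):
        raise TypeError(f"{fn!r} is not a singledispatch function")
    seen, targets = set(), []
    for impl in fn.registry.values():  # de-duplicate, keep registration order
        if id(impl) not in seen:
            seen.add(id(impl))
            targets.append(impl)
    return targets


def instrument_singledispatch(fn):
    """Instrument each implementation via atheris.instrument_func.

    Assumption: instrument_func patches the given function object in place, so
    the dispatcher's registry keeps resolving to instrumented code. Returns the
    number of implementations handed to atheris (0 when atheris is absent).
    """
    targets = singledispatch_targets(fn)
    if atheris is None:
        return 0
    for impl in targets:
        atheris.instrument_func(impl)
    return len(targets)


def fuzz_one_input(data):
    # exercise the bytes path and the int path on every input
    dispatched(data)
    dispatched(len(data))


if __name__ == "__main__":
    if atheris is None:
        sys.exit("atheris is not installed; nothing to fuzz")
    instrument_singledispatch(dispatched)
    atheris.instrument_func(fuzz_one_input)
    atheris.Setup(sys.argv, fuzz_one_input)
    atheris.Fuzz()
```

Run it as `python harness.py` with atheris installed; importing the module does not start fuzzing, which is what makes the helpers testable in isolation. If the crash still appears with this harness, that would narrow the problem to instrumenting the implementations themselves rather than to the wrapper closure that `instrument_all()` walks.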
