I've been running atheris as part of a large scale evaluation, and have run into a few repositories which throw "failed to instrument" warnings when instrumenting and subsequently segfault. I believe I've isolated this to @singledispatch on 3.11:
reproducer:

```python
from functools import singledispatch
import sys

import atheris


@singledispatch
def dispatched(x):
    return x


def fuzz_one_input(b):
    dispatched(b)


atheris.instrument_all()
atheris.Setup(sys.argv, fuzz_one_input)
atheris.Fuzz()
```
Which produces output in part:

```
ERROR: Failed to instrument function <function Protocol.__init_subclass__.<locals>._proto_hook at 0x2b2e3ed1d120>: '>' not supported between instances of 'NoneType' and 'int' [2949/3004] 98%
ERROR: Failed to instrument function <function Protocol.__init_subclass__.<locals>._proto_hook at 0x2b2e3ed1d940>: '>' not supported between instances of 'NoneType' and 'int' [2988/3004] 99%
ERROR: Failed to instrument function <function Generic.__init_subclass__ at 0x2b2e3ed0f600>: '>' not supported between instances of 'NoneType' and 'int' [2989/3004] 99%
ERROR: Failed to instrument function <function Protocol.__init_subclass__ at 0x2b2e3ed0fc40>: '>' not supported between instances of 'NoneType' and 'int' [2995/3004] 99%
ERROR: Failed to instrument function <function _TypedDictMeta.__new__ at 0x2b2e3ed1dc60>: '>' not supported between instances of 'NoneType' and 'int' [3004/3004] 100%
INFO: Using built-in libfuzzer
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3305948197
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
==2403== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
```
This minimal reproducer exits with a libfuzzer "deadly signal", but I've seen segmentation faults more commonly in practice: `Fatal Python error: Segmentation fault`, usually after <100 examples. My guess is this crash occurs whenever atheris first produces an input which exercises an `@singledispatch` function.
I cannot reproduce this with python 3.10.14, or with `@atheris.instrument_func` on python 3.11.9.
If you need a reproducer which segfaults explicitly, let me know. It's a bit fiddly to put one together. Hopefully the above is useful enough to track this down!