#554 assertion failure upon "c++filt _ZZ1"

[Ed Maste]

% lldb cxxfilt/c++filt _ZZ1
(lldb) target create "cxxfilt/c++filt"
Current executable set to 'cxxfilt/c++filt' (x86_64).
(lldb) settings set -- target.run-args  "_ZZ1"
(lldb) run
Process 34048 launching
Process 34048 launched: '/tank/emaste/src/elftoolchain/cxxfilt/c++filt' (x86_64)
Assertion failed: (ddata->output.size > 0), function cpp_demangle_read_sname, file libelftc_dem_gnu3.c, line 2137.
Process 34048 stopped
* thread #1, name = 'c++filt', stop reason = signal SIGABRT
    frame #0: 0x000000000025d7ba c++filt`__sys_thr_kill + 10
c++filt`__sys_thr_kill:
->  0x25d7ba <+10>: jb     0x2845c4                  ; .cerror
    0x25d7c0 <+16>: retq  
    0x25d7c1:       int3  
    0x25d7c2:       int3  
(lldb) bt
* thread #1, name = 'c++filt', stop reason = signal SIGABRT
  * frame #0: 0x000000000025d7ba c++filt`__sys_thr_kill + 10
    frame #1: 0x000000000025d78f c++filt`raise + 47
    frame #2: 0x000000000025d709 c++filt`abort + 73
    frame #3: 0x000000000027bf4a c++filt`__assert + 74
    frame #4: 0x000000000022197f c++filt`cpp_demangle_read_sname(ddata=0x00007fffffffc320) at libelftc_dem_gnu3.c:2137
    frame #5: 0x0000000000220c6e c++filt`cpp_demangle_read_uqname(ddata=0x00007fffffffc320) at libelftc_dem_gnu3.c:3466
    frame #6: 0x000000000021e25c c++filt`cpp_demangle_read_name(ddata=0x00007fffffffc320) at libelftc_dem_gnu3.c:1767
    frame #7: 0x000000000021c226 c++filt`cpp_demangle_read_encoding(ddata=0x00007fffffffc320) at libelftc_dem_gnu3.c:1646
    frame #8: 0x000000000021f141 c++filt`cpp_demangle_read_local_name(ddata=0x00007fffffffc320) at libelftc_dem_gnu3.c:1665
    frame #9: 0x000000000021e21c c++filt`cpp_demangle_read_name(ddata=0x00007fffffffc320) at libelftc_dem_gnu3.c:1759
    frame #10: 0x000000000021c226 c++filt`cpp_demangle_read_encoding(ddata=0x00007fffffffc320) at libelftc_dem_gnu3.c:1646
    frame #11: 0x000000000021af39 c++filt`cpp_demangle_gnu3(org="_ZZ1") at libelftc_dem_gnu3.c:234
    frame #12: 0x000000000021ad60 c++filt`demangle(s="_ZZ1", style=4, rc=0) at elftc_demangle.c:68
    frame #13: 0x000000000021aab5 c++filt`elftc_demangle(mangledname="_ZZ1", buffer="", bufsize=8192, flags=0) at elftc_demangle.c:91
    frame #14: 0x000000000021a847 c++filt`demangle(name="_ZZ1") at cxxfilt.c:125
    frame #15: 0x000000000021a46f c++filt`main(argc=1, argv=0x00007fffffffe570) at cxxfilt.c:170
    frame #16: 0x000000000021a17f c++filt`_start + 383
(lldb) frame sel 4
frame #4: 0x000000000022197f c++filt`cpp_demangle_read_sname(ddata=0x00007fffffffc320) at libelftc_dem_gnu3.c:2137
   2134         if (err == 0)
   2135                 return (0);
   2136
-> 2137         assert(ddata->output.size > 0);
   2138         if (vector_read_cmd_find(&ddata->cmd, READ_TMPL) == NULL)
   2139                 ddata->last_sname =
   2140                     ddata->output.container[ddata->output.size - 1];

[Ed Maste]

Anther symbol that fails with the same crash: _ZZN7simlib318SIMLIB_create_nameEPKczE1s
from FreeBSD PR 223333, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223333

I don't recall now where I came up with the _ZZ1 testcase, but it may well have been a reduced version of the one submitted in PR 223333.

[Kai Wang]

I'll handle it.

[Ed Maste]

Ping?

[Ed Maste]

Our demangler(s) have a great number of issues; a couple of hours of fuzzing with afl turned up several hundred crashes/aborts.

american fuzzy lop 2.52b (c++filt)

┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐
│        run time : 0 days, 1 hrs, 43 min, 28 sec      │  cycles done : 2      │
│   last new path : 0 days, 0 hrs, 0 min, 25 sec       │  total paths : 3333   │
│ last uniq crash : 0 days, 0 hrs, 1 min, 57 sec       │ uniq crashes : 425    │
│  last uniq hang : 0 days, 0 hrs, 56 min, 7 sec       │   uniq hangs : 80     │
├─ cycle progress ────────────────────┬─ map coverage ─┴───────────────────────┤
│  now processing : 3106 (93.19%)     │    map density : 0.51% / 5.27%         │
│ paths timed out : 1 (0.03%)         │ count coverage : 4.36 bits/tuple       │
├─ stage progress ────────────────────┼─ findings in depth ────────────────────┤
│  now trying : bitflip 1/1           │ favored paths : 667 (20.01%)           │
│ stage execs : 23.0k/65.6k (35.03%)  │  new edges on : 949 (28.47%)           │
│ total execs : 12.9M                 │ total crashes : 52.5k (425 unique)     │
│  exec speed : 207.3/sec             │  total tmouts : 80.7k (145 unique)     │
├─ fuzzing strategy yields ───────────┴───────────────┬─ path geometry ────────┤
│   bit flips : 273/261k, 120/260k, 87/258k           │    levels : 17         │
│  byte flips : 1/32.7k, 1/31.5k, 3/29.5k             │   pending : 2320       │
│ arithmetics : 591/1.81M, 0/106k, 0/27.5k            │  pend fav : 9          │
│  known ints : 7/194k, 8/857k, 7/1.29M               │ own finds : 3332       │
│  dictionary : 0/0, 0/0, 11/104k                     │  imported : n/a        │
│       havoc : 2636/7.60M, 0/0                       │ stability : 100.00%    │
│        trim : 28.00%/10.0k, 0.62%                   ├────────────────────────┘
└─────────────────────────────────────────────────────┘             [cpu: 19%]

[Joseph Koshy]

The fixes in [r3877] appear to have helped:

% ./cxxfilt/c++filt -V                                         
c++filt (elftoolchain HEAD Linux svn:3878)

% ./cxxfilt/c++filt _ZZN7simlib318SIMLIB_create_nameEPKczE1s
simlib3::SIMLIB_create_name(char const*, ...)::s

% ./cxxfilt/c++filt _ZZ1                                    
_ZZ1