-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Segfault with hashbrown
#10
Comments
My rustc version is |
Thanks a lot for the reproducible testcase! That kind of failure indicates either a bug in libdiffuzz, or a bug in hashbrown that would be caught by Address Sanitizer. I'll check it out later today. Does that code trigger a MSAN failure as well? Given their respective usage figures, I'd prefer to fix hashbrown first and investigate the libdiffuzz bug later. |
I just tried with both address sanitizer and memory sanitizer and neither report any issues, so perhaps it's a libdiffuzz bug? That would also be more reassuring than a bug in This is how I ran ASan:
And MSan:
Running the binary then reports no issues:
The weird thing is, if I then LD_PRELOAD
|
Yeah, this segfault is most likely a libdiffuzz bug. I'll try to look into it in a few days, but the current iteration of the code isn't even written by me, so chasing the issue in unsafe code is going to be challenging. Your MSAN invocation looks correct, I've added the same thing to cargo-fuzz and had no issues. So I suggest reporting the original Hashbrown issue to its maintainers. The reproducing example has been very helpful, I suggest using the same format for that report 👍 |
Hey @Shnatsel,
I was trying to work out whether msan was giving me false positives when I happened upon
libdiffuzz
. It segfaulted immediately, but in a completely different part of the code.I've isolated a small reproduceable test case here that uses
toml
andhashbrown
to trigger the segfault: https://github.com/michaelsproul/hashbrown-crashHave you seen segfaults like this before when using
libdiffuzz
? Is this a type of false positive, or ishashbrown
really doing something sketchy with uninitialized memory? The fault seems to happen in an unsafedrop_in_place
call, so I'm wondering whetherhashbrown
does contain some optimisation that assumes uninitialized memory to be 0, or something.The full backtrace is here for reference:
The text was updated successfully, but these errors were encountered: