concurrentqueue
Segmentation fault during fuzztests "unaligned tcache chunk" / "double free or corruption (out)"
GCC version:
$ g++ --version
g++ (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
OS:
$ uname -a
Linux iafanasyev-pc 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Jan 15 19:18:46 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Hardware:
$ cat /proc/cpuinfo | grep "model name" | uniq
model name : Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz
The issue is detected for the completely_random test type. In order to reproduce the issue faster, the following patch should be applied:
$ git diff
diff --git a/tests/fuzztests/fuzztests.cpp b/tests/fuzztests/fuzztests.cpp
index 714539c..1b1f36a 100644
--- a/tests/fuzztests/fuzztests.cpp
+++ b/tests/fuzztests/fuzztests.cpp
@@ -112,8 +112,9 @@ bool run_test(uint64_t seed, int iterations, test_type& out_type, const char*& o
std::uniform_int_distribution<int> randTest(0, TEST_TYPE_COUNT - 1);
std::uniform_int_distribution<int> randInitialSize(0, 70);
- auto type = static_cast<test_type>(randTest(baseRng));
+ auto type = completely_random;
out_type = type;
+
for (int iteration = 0; iteration != iterations; ++iteration) {
RNG_t rng(baseRng);
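Review bot: replacing the `randTest(baseRng)` call with the constant `completely_random` also removes a draw from `baseRng`, so its state differs from the unpatched build at every later use (including the `RNG_t rng(baseRng)` copy in the loop below); a seed reported by this build therefore does not select the same test sequence in an unpatched build. Either keep the `randTest(baseRng)` call and discard its result so the stream stays identical, or state which build produced the seeds whenever they are posted. The now-unused `randTest` will also trigger an unused-variable warning under `-Wall`, and the added blank `+` line is noise.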
@@ -806,7 +807,7 @@ int main(int argc, char** argv)
#endif
uint32_t iteration = 0;
- while (true) {
+ while (iteration < 64) {
seed = (static_cast<uint64_t>(std::time(NULL)) << 32) | iteration++;
// MurmurHash3 64-bit finalizer
seed ^= seed >> 33;
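Review bot: the hard-coded `64` in `while (iteration < 64)` is a magic number that has to be re-patched to change; since the harness already exposes options (`fuzztests --help`), a command-line option for the iteration cap would be the cleaner way to bound a run. Note also that in the transcripts further down all 64 tests report as successful before the abort in `tcache_thread_shutdown()`, so the seed printed after the banner identifies the last test that ran, not necessarily the one that corrupted the heap.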
Compile it:
make -C tests/fuzztests
Runner:
for i in $(seq 1 1000); do date && ./build/bin/fuzztests && echo "$i -> ok" || break; done
On my machine it usually takes less than 3 minutes to catch a seg fault. Possible outputs:
Fri 04 Apr 2025 09:31:04 +07
Running random fuzz tests for moodycamel::ConcurrentQueue.
Press CTRL+C to exit.
(Run fuzztests --help for options.)
Executed 64 tests so far:
multithread_produce: 0 successful, 0 failed
multithread_consume: 0 successful, 0 failed
multithread_produce_and_consume: 0 successful, 0 failed
completely_random: 64 successful, 0 failed
core_add_only_list: 0 successful, 0 failed
core_thread_local: 0 successful, 0 failed
tcache_thread_shutdown(): unaligned tcache chunk detected
*** Abort detected (assertion failed?)
Seed: cea8e5fbfa65c9a6
...
1 -> ok
Fri 04 Apr 2025 09:31:35 +07
Running random fuzz tests for moodycamel::ConcurrentQueue.
Press CTRL+C to exit.
(Run fuzztests --help for options.)
<fuzzer hangs, nothing happened for a long time>
...
2 -> ok
Fri 04 Apr 2025 09:32:47 +07
Running random fuzz tests for moodycamel::ConcurrentQueue.
Press CTRL+C to exit.
(Run fuzztests --help for options.)
Executed 64 tests so far:
multithread_produce: 0 successful, 0 failed
multithread_consume: 0 successful, 0 failed
multithread_produce_and_consume: 0 successful, 0 failed
completely_random: 64 successful, 0 failed
core_add_only_list: 0 successful, 0 failed
core_thread_local: 0 successful, 0 failed
*** Segmentation fault detected!
Seed: 192d95fbb39f1184
Running random fuzz tests for moodycamel::ConcurrentQueue.
Press CTRL+C to exit.
(Run fuzztests --help for options.)
Executed 64 tests so far:
multithread_produce: 0 successful, 0 failed
multithread_consume: 0 successful, 0 failed
multithread_produce_and_consume: 0 successful, 0 failed
completely_random: 64 successful, 0 failed
core_add_only_list: 0 successful, 0 failed
core_thread_local: 0 successful, 0 failed
double free or corruption (out)
*** Abort detected (assertion failed?)
Seed: 2e412bb68e949ca3
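The runs above print `1 -> ok` even after an abort banner, and one run hangs, so the `|| break` in the one-line runner is not a reliable stop condition. The script below is an added example (not code from the issue or from the concurrentqueue repository) of a runner that treats a run as failed when the harness prints one of its crash banners regardless of exit status, kills a hung run after a timeout, and keeps the log and the printed seed of the failing run. It assumes the binary path `./build/bin/fuzztests` and the banner strings shown in the transcripts; the 300-second timeout is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not part of the issue or the project.
# Assumes: ./build/bin/fuzztests exists, the harness prints
# "*** Abort detected" / "*** Segmentation fault detected" followed by
# "Seed: <hex>", and GNU coreutils `timeout` is available.

FUZZ_BIN="${FUZZ_BIN:-./build/bin/fuzztests}"
RUN_TIMEOUT="${RUN_TIMEOUT:-300}"   # seconds before a hung run is killed

# crash_seed LOGFILE
# Returns 0 and prints the seed following a crash banner; returns 1 if the
# log contains no banner.
crash_seed() {
    if grep -q -e 'Abort detected' -e 'Segmentation fault detected' "$1"; then
        sed -n 's/^Seed: \([0-9a-f]*\)$/\1/p' "$1" | tail -n 1
        return 0
    fi
    return 1
}

# run_until_crash MAX_RUNS
# Runs the harness up to MAX_RUNS times and stops at the first crash banner,
# hang (timeout exit status 124) or nonzero exit, keeping that run's log.
run_until_crash() {
    max="$1"; i=1
    while [ "$i" -le "$max" ]; do
        log="fuzz-run-$i.log"
        date
        timeout "$RUN_TIMEOUT" "$FUZZ_BIN" >"$log" 2>&1
        status=$?
        if seed=$(crash_seed "$log"); then
            echo "run $i: crash, seed ${seed:-unknown}, log kept in $log"
            return 1
        fi
        if [ "$status" -eq 124 ]; then
            echo "run $i: hung for ${RUN_TIMEOUT}s and was killed, log kept in $log"
            return 2
        fi
        if [ "$status" -ne 0 ]; then
            echo "run $i: exit status $status, log kept in $log"
            return 3
        fi
        echo "$i -> ok"
        rm -f "$log"
        i=$((i + 1))
    done
    return 0
}

# Invoke as: sh runner.sh run 1000   (run from the repository root)
if [ "${1:-}" = "run" ]; then
    run_until_crash "${2:-1000}"
fi
```

Run it from the repository root as `sh runner.sh run 1000`; it stops on the first failing run and leaves that run's full output in `fuzz-run-N.log` together with the seed, which is what a follow-up under a debugger or AddressSanitizer needs.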
Haven't had time to look into this yet, but thanks for reporting. These seeds are from the version with your diff or without?
Hi. These seeds are from the version with the patch applied.