
fuzzing's Introduction

Fuzzing Forum

This project aims at hosting tutorials, examples, discussions, research proposals, and other resources related to fuzzing.

External contributions are welcome; please see the CONTRIBUTING file for more information.

Documentation

Related projects

  • OSS-Fuzz - Continuous Fuzzing Service for Open Source Software
  • ClusterFuzz - Scalable Fuzzing Infrastructure
  • FuzzBench - Fuzzer benchmarking as a service

Disclaimer

This is not an official Google product.

fuzzing's People

Contributors

0xedward, alex, ayxan13, bpmason1, co1lin, dannyallover, davidkorczynski, dor1s, drakezul, dukebarman, eapolinario, fmeum, frankcai404, ganler, google-autofuzz, henryrlee, henryrneh, inferno-chromium, jaylinski, jonathanmetzman, jordyzomer, kcc, ksteuck, mbarbella-chromium, morehouse, moshekaplan, rigtorp, sebch-, wideglide


fuzzing's Issues

Best practice: error indication

Hi all,

We're fuzzing our usrsctp library and we don't clearly know how to react to internal errors.
We're executing a bunch of commands before injecting the fuzzing data on each iteration,
e.g. creating a socket(), bind(), setsockopt()...
We're expecting each command to execute successfully.

In rare cases, one of these commands fails.
Question: How should we react?

Currently, we're writing an error message and calling exit() with a non-zero return code.
The documentation says we shouldn't call exit() on any input.

If we ignore these cases, we might miss some fundamental errors in the future.
Is there a best practice for handling these cases?

@tuexen for cc notifications.

Code coverage metrics for libFuzzer

Hi!

I want to better understand how experienced people measure coverage for fuzzing nowadays.
There was quite a nice method with sancov and the libFuzzer -dump_coverage=1 flag in older libFuzzer versions, but it is now deprecated.
I saw that 15 months and 2 years ago @kcc was involved in it, so maybe you know what should be done instead?

I haven't managed to get Clang Coverage working with the libxml2 fuzzing example mentioned in the 8th lesson of Dor1s/libfuzzer-workshop, so could you tell me:

  1. what is the 'rule of thumb' for managing code coverage now?
  2. is there any example of Clang Coverage done with a complex library and fuzzer, to see how it was done and learn from it?
  3. which libFuzzer version is used on the OSS-Fuzz project?

Best regards!

Crash File Empty

Hello. I am unclear as to whether this is an issue or an input. I generated a 2-byte heap buffer overflow on my target application, as described by AddressSanitizer, but when I cat the crash file to view the input, the file is empty. I assumed this was because the file was filled with spaces or some other non-printable input, so I ran hexdump on the file and nothing was output. I am running the application on Kali Linux. Any help would be great.

thanks

Running fuzz test on a sample C++ project

Hi,

I have a sample C++ project that has its own main(). How can I run a fuzz test on it? Right now I am trying to run clang++ on the folder containing the .cpp files, but it is not working. Simply using a Makefile to build my project and running it is also not working.
What is the right approach to fuzz a C++ project?

Thank you.

How can I capture a crash in dynamic library?

I tried the example fuzz_me.c and ran it as in the tutorial; it crashed soon.

I created a header file fuzz_me.h and compiled fuzz_me.cc to libfuzz_me.so with the compile flag -fsanitize=address. Then I called FuzzMe() through the dynamic library. However, it couldn't trigger the crash.

But when I changed the actual parameter Size to 3 in file myfuzzer.cc at line 5, it crashed again.

Code:

/****************************************************
* fuzz_me.cc
****************************************************/
#include <stdint.h>
#include <stddef.h>
bool FuzzMe(const uint8_t *Data, size_t DataSize) {
  return DataSize >= 3 &&
      Data[0] == 'F' &&
      Data[1] == 'U' &&
      Data[2] == 'Z' &&
      Data[3] == 'Z';  // :-<  deliberate off-by-one read, as in the tutorial
}
/****************************************************
* fuzz_me.h
****************************************************/
#include <stdint.h>
#include <stddef.h>
bool FuzzMe(const uint8_t *Data, size_t DataSize);
/****************************************************
* myfuzzer.cc
****************************************************/
#include <stdint.h>
#include <stddef.h>
#include "fuzz_me.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  FuzzMe(Data, Size);
  return 0;
}
clang++ -shared -fPIC -o libfuzzme.so fuzz_me.cc -fsanitize=address
clang++ -fsanitize=address,fuzzer -o myfuzzer ./myfuzzer.cc -L. -lfuzzme

Is a PR with a fuzz target that finds unpatched bugs soon after starting not responsible disclosure?

Hi!

I was talking on google/oss-fuzz#402, but as the description of this repo says, maybe this is a better place for some discussion and thoughts.

I still have some n00b questions, so forgive me please. I have read https://security.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html and some documentation out there, but I still hold my horses about sharing weapons like fuzz targets without thinking.

Should I run a fuzz target for some grace period to see whether it finds some easy bugs, and if so, report them privately first, to fulfill responsible disclosure?

After that, post the fuzz target upstream to the fuzzed project and inform the rest about the improvement?

Thanks for answers!

msvc compiler doesn't support "-fsanitize=fuzzer-no-link"

I successfully compiled libfuzzer.lib on the Windows platform with VS2019. The MSVC compiler supports "-fsanitize-coverage=trace-pc", and I successfully used libfuzzer to deploy exe and lib projects. However, the MSVC compiler does not support "-fsanitize=fuzzer-no-link", which prevents me from deploying dll projects with libfuzzer.lib. What should I do?

Running libfuzzer with /MD on Windows & MSVC causes uncontrollable memory consumption?

I'm trying to fuzz test my library, which is compiled on Windows using /MD (C Runtime) with the MSVC compiler.
I get uncontrollable memory consumption while using libfuzzer.

Repro steps:

  1. I cloned LLVM repo
  2. To allow MD compilation of LLVM: at https://github.com/llvm/llvm-project/blob/master/compiler-rt/CMakeLists.txt#L337, I replaced the if(COMPILER_RT_HAS_MT_FLAG) block with include(ChooseMSVCCRT) (I know it's not 100% supported, but I think it will be, and I'm not sure if it's the cause?)
  3. Compile LLVM with LLVM_USE_CRT_RELEASE=MD
  4. Compile my own code using Windows 10, MSVC compiler (v14.28.29333) while linking libfuzzer libs: 'clang_rt.fuzzer-x86_64.lib', 'libsancov.lib', 'clang_rt.asan_dynamic-x86_64.lib', 'clang_rt.asan_dynamic_runtime_thunk-x86_64.lib' (some from the MSVC libs dir, some from the LLVM compilation) and using CXXFLAGS: '/fsanitize=address', '/fsanitize-coverage=inline-8bit-counters', '/fsanitize-coverage=edge', '/fsanitize-coverage=trace-cmp', '/fsanitize-coverage=trace-div'.
  5. Libfuzzer crashes because of too much memory usage (even with -rss_limit_mb=4000), so I did a sanity check to make sure there is no memory leak in my code:
  • Run 1 (with libfuzzer libs & CXXFLAGS as explained above):
FUZZ_EXPORT int __cdecl LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  const char* tt = "66";
  RunFuzzingTest((size_t)2,(const char*)tt);
  return 0;
}
  • Run 2 (without libfuzzer libs & CXXFLAGS as above):
int main() {
  while (true) {
  const char* tt = "66";
  RunFuzzingTest((size_t)2,(const char*)tt);
  }
  return 0;  
}
  • Results:
    Run of (1 - libfuzzer with same input) resulted in huge and increasing memory usage (2.6GB after 5 mins)
    Run of (2 - my own main with same input) resulted in pretty constant memory usage (10MB after more than 20 mins).

Thanks

After calling FDP::ConsumeRandomLengthString, remaining bytes will never start with '\'

Not sure if this is the right place to report this bug, but I noticed that the escape mechanism used by FuzzedDataProvider::ConsumeRandomLengthString consumes all consecutive backslash characters at the end of a string, so that the remaining data can never start with a backslash character (ASCII byte 0x5C). This means that certain fuzz data patterns cannot be generated by a subsequent "Consume" operation.
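The escape handling the post describes, as an added stand-alone re-implementation of the ConsumeRandomLengthString loop (example code written for this page, not LLVM's FuzzedDataProvider.h itself, though it mirrors that function's logic); MiniProvider and Split are names introduced here. It returns both the string produced and the bytes left over, so the byte patterns reachable by a following Consume call can be checked on concrete inputs.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>

// Stand-in for the slice of FuzzedDataProvider that the post discusses.
// It tracks the not-yet-consumed bytes so the effect of
// ConsumeRandomLengthString on the *remaining* data can be inspected.
class MiniProvider {
 public:
  MiniProvider(const uint8_t *data, size_t size)
      : data_(data), remaining_(size) {}

  // Escape rules mirrored from FuzzedDataProvider.h:
  //   backslash, backslash  -> one literal backslash in the string
  //   backslash, other byte -> the string ends; the other byte is consumed too
  // Reading also stops at max_length or when the buffer is exhausted.
  std::string ConsumeRandomLengthString(size_t max_length) {
    std::string result;
    for (size_t i = 0; i < max_length && remaining_ != 0; ++i) {
      char next = static_cast<char>(data_[0]);
      Advance(1);
      if (next == '\\' && remaining_ != 0) {
        next = static_cast<char>(data_[0]);
        Advance(1);
        if (next != '\\') break;  // terminator pair "\x": x is gone as well
      }
      result += next;
    }
    return result;
  }

  // What a subsequent Consume* call would read.
  std::string Remaining() const {
    return std::string(reinterpret_cast<const char *>(data_), remaining_);
  }

 private:
  void Advance(size_t n) { data_ += n; remaining_ -= n; }
  const uint8_t *data_;
  size_t remaining_;
};

// Runs one constructed input through the provider and returns
// {string produced, bytes left over}.
std::pair<std::string, std::string> Split(const std::string &input,
                                          size_t max_length = 1000) {
  MiniProvider p(reinterpret_cast<const uint8_t *>(input.data()), input.size());
  std::string s = p.ConsumeRandomLengthString(max_length);
  return {s, p.Remaining()};
}

int main() {
  // Constructed inputs; the raw bytes are spelled out in the comments.
  const char *samples[] = {"a\\\\b",       // a \ \ b
                           "ab\\xrest",    // a b \ x r e s t
                           "ab\\x\\rest",  // a b \ x \ r e s t
                           "ab\\"};        // a b \  (lone trailing backslash)
  for (const char *in : samples) {
    auto r = Split(in);
    std::printf("input=%-12s string=%-6s remaining=%s\n", in, r.first.c_str(),
                r.second.c_str());
  }
  return 0;
}
```

Split("ab\\\\", 2) shows the other way the loop can stop: when max_length is hit, whatever follows, backslashes included, is left untouched.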

Libfuzzer shows issues with no error message

Hello everyone,

When I run my .cpp file using libfuzzer, I get the following stack trace with no exact error message. Can someone please explain to me what is wrong with this?
rinside_sample0.cpp

#include <fstream>
#include <RInside.h>
#include <iostream>
#include <RcppDeepState.h>
#include <DeepState.hpp>

TEST(testSAN_deepstate_test,rcpp_read_out_of_bound_test){
    RInside R(0,nullptr);              // create an embedded R instance 
    R["txt"] = "Hello, world!\n";       // assign a char* (string) to 'txt'
    R.parseEvalQ("cat(txt)");           // eval the init string, ignoring any returns
}
akhila@ml-experiments:~/RcppDeepStateTest/rinside/inst/examples/standard$ ./rinside_sample0 
DEBUG: INFO: Seed: 1513334196

DEBUG: INFO: Loaded 1 modules   (515 inline 8-bit counters): 
DEBUG: 515 [5ca990, 5cab93), 
DEBUG: 

DEBUG: INFO: Loaded 1 PC tables (515 PCs): 
DEBUG: 515 [587858,589888), 
DEBUG: 

DEBUG: INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes

EXTERNAL: Hello, world!

    #0 0x52ec61 in __sanitizer_print_stack_trace (/home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0+0x52ec61)
    #1 0x479db8 in fuzzer::PrintStackTrace() (/home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0+0x479db8)
    #2 0x45efbc in fuzzer::Fuzzer::ExitCallback() (/home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0+0x45efbc)
    #3 0x7f608b67da26 in __run_exit_handlers /build/glibc-ZN95T4/glibc-2.31/stdlib/exit.c:108:8
    #4 0x7f608b67dbdf in exit /build/glibc-ZN95T4/glibc-2.31/stdlib/exit.c:139:3
    #5 0x55de16 in DeepState_Test_testSAN_deepstate_test_rcpp_read_out_of_bound_test() /home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0.cpp:26:5
    #6 0x55816a in DeepState_Run_testSAN_deepstate_test_rcpp_read_out_of_bound_test() /home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0.cpp:19:1
    #7 0x565bd7 in DeepState_RunTestNoFork (/home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0+0x565bd7)
    #8 0x5659ea in LLVMFuzzerTestOneInput (/home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0+0x5659ea)
    #9 0x4605c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0+0x4605c1)
    #10 0x4622fa in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0+0x4622fa)
    #11 0x462989 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0+0x462989)
    #12 0x45165e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0+0x45165e)
    #13 0x47a4a2 in main (/home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0+0x47a4a2)
    #14 0x7f608b65b0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
    #15 0x4263fd in _start (/home/akhila/RcppDeepStateTest/rinside/inst/examples/standard/rinside_sample0+0x4263fd)

I don't get any error when I compile the same code using AddressSanitizer, AFL or any other fuzzer.

akhila@ml-experiments:~/RcppDeepStateTest/rinside/inst/examples/standard$ clang++ -fsanitize=address -std=gnu++11 -I/usr/share/R/include -I/home/akhila/R/x86_64-pc-linux-gnu-library/3.6/Rcpp/include -I/home/akhila/R/x86_64-pc-linux-gnu-library/3.6/RInside/include -g -O2 -fdebug-prefix-map=/build/r-base-jbaK_j/r-base-3.6.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -g -Wall    rinside_sample0.cpp  -Wl,--export-dynamic -fopenmp -Wl,-Bsymbolic-functions -Wl,-z,relro -L/usr/lib/R/lib -lR -lpcre2-8 -lpcre -llzma -lbz2 -lz -lrt -ldl -lm -licuuc -licui18n  -lblas -llapack -I/home/akhila/R/x86_64-pc-linux-gnu-library/3.6/RcppArmadillo/include -I/home/akhila/R/x86_64-pc-linux-gnu-library/3.6/RcppDeepState/include -I${HOME}/.RcppDeepState/deepstate-master/src/include -L/home/akhila/R/x86_64-pc-linux-gnu-library/3.6/RInside/lib -lRInside -Wl,-rpath,/home/akhila/R/x86_64-pc-linux-gnu-library/3.6/RInside/lib  -L${HOME}/.RcppDeepState/deepstate-master/build_libfuzzer -Wl,-rpath=${HOME}/.RcppDeepState/deepstate-master/build_libfuzzer -lRInside -ldeepstate -ldeepstate_LF -o rinside_sample0
akhila@ml-experiments:~/RcppDeepStateTest/rinside/inst/examples/standard$ ./rinside_sample0 
TRACE: Running: testSAN_deepstate_test_rcpp_read_out_of_bound_test from rinside_sample0.cpp(19)
EXTERNAL: Hello, world!

Missing Source line information of libfuzzer on sqlite

I am running libfuzzer on sqlite in fuzzer-test-suite. In the report generated by libfuzzer it doesn't have source line information but only address information. The report is like this:

Dictionary: 260 entries
INFO: Seed: 662383047
INFO: Loaded 1 modules   (19122 inline 8-bit counters): 19122 [0x938ba0, 0x93d652), 
INFO: Loaded 1 PC tables (19122 PCs): 19122 [0x89dc20,0x8e8740), 
INFO:        0 files found in CORPUS-..-fsanitize_fuzzer
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2	INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 53Mb
	NEW_FUNC[0/238]: 0x550180  (/root/tmp/fuzzer-test-suite/sqlite-2016-11-14/buggyline_build/..-fsanitize_fuzzer+0x550180)
	NEW_FUNC[1/238]: 0x550810  (/root/tmp/fuzzer-test-suite/sqlite-2016-11-14/buggyline_build/..-fsanitize_fuzzer+0x550810)

=================================================================
==43670==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 88 byte(s) in 1 object(s) allocated from:
    #0 0x5190e0  (/root/tmp/fuzzer-test-suite/sqlite-2016-11-14/buggyline_build/..-fsanitize_fuzzer+0x5190e0)
    #1 0x85ddd5  (/root/tmp/fuzzer-test-suite/sqlite-2016-11-14/buggyline_build/..-fsanitize_fuzzer+0x85ddd5)
    #2 0x433e58  (/root/tmp/fuzzer-test-suite/sqlite-2016-11-14/buggyline_build/..-fsanitize_fuzzer+0x433e58)
    #3 0x43953d  (/root/tmp/fuzzer-test-suite/sqlite-2016-11-14/buggyline_build/..-fsanitize_fuzzer+0x43953d)
    #4 0x43c805  (/root/tmp/fuzzer-test-suite/sqlite-2016-11-14/buggyline_build/..-fsanitize_fuzzer+0x43c805)
    #5 0x43dd32  (/root/tmp/fuzzer-test-suite/sqlite-2016-11-14/buggyline_build/..-fsanitize_fuzzer+0x43dd32)
    #6 0x42d4cf  (/root/tmp/fuzzer-test-suite/sqlite-2016-11-14/buggyline_build/..-fsanitize_fuzzer+0x42d4cf)
    #7 0x420a52  (/root/tmp/fuzzer-test-suite/sqlite-2016-11-14/buggyline_build/..-fsanitize_fuzzer+0x420a52)

Like in the tutorial here: https://github.com/google/fuzzing/blob/master/tutorial/libFuzzerTutorial.md, I add -g fsanitize=fuzzer,addreess but still get no source line information.
I am happy to provide any information if needed.

How to use libFuzzer to test GUI applications

How can I test Qt GUI applications that do not accept data or files from the command line?

Will libfuzzer work with processes started from the program we submit to libfuzzer? (tracking coverage)

wrapper(manage UI and data transfer) start -> MyGUIapplication

and use like: ./wrapper

Really need advice or any suggestions.

[Question] Remove mutations printed information

Hi,

I'm wondering if there is any way to remove the mutations that led to the discovery of a new path from the output that libfuzzer prints.
I don't think it provides much information, and it pollutes the entire output for big corpora that get mutated in several places.
I've tried with -close_fd_mask=1 but it does not work.
Thank you

fuzz_me.cc no error with -O1

Compiling the simple example from the tutorial

bool fuzz_me(const uint8_t* data, size_t len) {
  return len >= 3 && data[0] == 'F' && data[1] == 'U' && data[2] == 'Z' && data[3] == 'Z';
}

as suggested works fine. However, when compiling with -O1 (as is suggested elsewhere in the guide),

clang++ -g -std=c++14 -Wall -pedantic -O1 fuzz.cpp -o fuzz.exe -fsanitize=address,fuzzer

there is no error triggered. godbolting with -O1 gives

fuzz_me(unsigned char const*, unsigned long):  
        cmp     rsi, 3
        jb      .LBB0_5
        cmp     byte ptr [rdi], 70
        jne     .LBB0_5
        cmp     byte ptr [rdi + 1], 85
        jne     .LBB0_5
        cmp     byte ptr [rdi + 2], 90
        jne     .LBB0_5
        cmp     byte ptr [rdi + 3], 90
        sete    al
        ret
.LBB0_5:
        xor     eax, eax
        ret

which to my uninitiated eye looks fine, as I see the rdi+3.
Observed on clang 10.0.0-4ubuntu1, Ubuntu 20.04, as well as clang 7.0.1-8, Debian 10.
Did I do something wrong? Do we always need to try several optimization levels?

Can libfuzzer work on Windows 10 + Arm64?

My fuzzing target is a Windows kernel driver IOCTL interface.

My platform is Windows 10 + Arm64.
My assumption is that I could use libfuzzer to generate input and feed that input into the ioctl buffer.

Is that possible?

Libfuzzer Time complexity

Hi,

Is there any paper which explains time complexity (using big o) for libfuzzer?
If not, how can I get the libfuzzer complexity?

clang: error: unsupported option '-fsanitize=fuzzer' for target 'x86_64-w64-windows-gnu'

I use clang from MSYS2 on Windows.
version information:

>> clang -v
(built by Brecht Sanders) clang version 14.0.0
Target: x86_64-w64-windows-gnu
Thread model: posix
InstalledDir: `E:/MSYS2/mingw64/bin`

error1:

>> clang -g -fsanitize=fuzzer Fuzzing_get_first_cap.c
clang: error: unsupported option '-fsanitize=fuzzer' for target 'x86_64-w64-windows-gnu'

error2:

>> clang -g -fsanitize=address Fuzzing_get_first_cap.c
E:/MSYS2/mingw64/bin/ld: cannot find E:/MSYS2/mingw64/lib/clang/14.0.0/lib/windows/libclang_rt.asan_dynamic-x86_64.dll.a: No such file or directory
E:/MSYS2/mingw64/bin/ld: cannot find E:/MSYS2/mingw64/lib/clang/14.0.0/lib/windows/libclang_rt.asan_dynamic_runtime_thunk-x86_64.a: No such file or directory
E:/MSYS2/mingw64/bin/ld: cannot find E:/MSYS2/mingw64/lib/clang/14.0.0/lib/windows/libclang_rt.asan_dynamic_runtime_thunk-x86_64.a: No such file or directory
clang: error: linker command failed with exit code 1 (use -v to see invocation)

It looks like this version no longer supports this option; is that true? If it isn't, how can I fix it?
And the second error shows that it can't support AddressSanitizer; is that due to a lack of some dependencies?

Crash on fuzz_me example

Ubuntu 16.04 LTS
I do:

# Install git and get this tutorial
sudo apt-get --yes install git
git clone https://github.com/google/fuzzing.git fuzzing

# Get fuzzer-test-suite
git clone https://github.com/google/fuzzer-test-suite.git FTS

./fuzzing/tutorial/libFuzzer/install-deps.sh  # Get deps
./fuzzing/tutorial/libFuzzer/install-clang.sh # Get fresh clang binaries

And after that:

clang++ -g -fsanitize=address,fuzzer fuzzing/tutorial/libFuzzer/fuzz_me.cc
./a.out

I get

INFO: Seed: 2032387296
INFO: Loaded 1 modules   (7 inline 8-bit counters): 7 [0x74ee40, 0x74ee47), 
INFO: Loaded 1 PC tables (7 PCs): 7 [0x52f8c8,0x52f938), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
==24251== ERROR: libFuzzer: deadly signal
    #0 0x4ee747 in __sanitizer_print_stack_trace /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_stack.cc:38:3
    #1 0x42c5c6 in fuzzer::Fuzzer::CrashCallback() /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:5
    #2 0x42c58f in fuzzer::Fuzzer::StaticCrashSignalCallback() /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:206:6
    #3 0x7f3d207a43cf  (/lib/x86_64-linux-gnu/libpthread.so.0+0x113cf)
    #4 0x443595 in HandleCmp<unsigned long> /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:330:26
    #5 0x443595 in __sanitizer_cov_trace_const_cmp8 /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:434
    #6 0x515ed7 in FuzzMe(unsigned char const*, unsigned long) /home/user/fuzzing/tutorial/libFuzzer/fuzz_me.cc:5:19
    #7 0x516174 in LLVMFuzzerTestOneInput /home/user/fuzzing/tutorial/libFuzzer/fuzz_me.cc:13:3
    #8 0x42d81c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:515:13
    #9 0x42eead in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:701:3
    #10 0x42f1e5 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:739:3
    #11 0x424070 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754:6
    #12 0x445c72 in main /tmp/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x7f3d1fdc882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x41d0f8 in _start (/home/user/a.out+0x41d0f8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64: 
