Fix unknown ubsan crash types

src/clusterfuzz/_internal/crash_analysis/crash_analyzer.py

@@ -103,6 +103,8 @@
     # math of crpto libraries.
     'Unsigned-integer-overflow',
     'Unreachable code',
+    'Assumption-violation',
+    'Upcast-of-null-pointer',
 ]
 UBSAN_CRASH_TYPES_SECURITY = [
     'Bad-cast',

src/clusterfuzz/_internal/tests/core/crash_analysis/stack_parsing/stack_analyzer_data/ubsan_assumption_violation.txt

@@ -0,0 +1,17 @@
+/src/project/include/test++/impl/f.inl:1234:2: runtime error: assumption is violated during execution
+    #0 0x5d4761e1112b in project::v3::impl::func_ex::func::f_key() /src/project/include/test++/impl/f.inl:1234:4
+    #1 0x5d4761e0e123 in project::v3::impl::func_ex::func::f_header() /src/project/include/test++/impl/f.inl:1111:5
+    #2 0x5d4761e0caab in project::v3::impl::func_ex::func::f_document() /src/project/include/test++/impl/f.inl:1111:44
+    #3 0x5d4761e0bf3c in project::v3::impl::func_ex::func::func(project::v3::impl::reader_interface&&) /src/project/include/test++/impl/f.inl:4321:5
+    #4 0x5d4761e09c42 in do_func /src/project/include/test++/impl/f.inl:1234:10
+    #5 0x5d4761e09c42 in project::v3::ex::func(std::__1::basic_string_view<char, std::__1::char_traits<char>>, std::__1::basic_string_view<char, std::__1::char_traits<char>>) /src/project/include/test++/impl/f.inl:1234:10
+    #6 0x5d4761e099e3 in LLVMFuzzerTestOneInput /src/project/fuzzing/test_fuzzer.cpp:20:33
+    #7 0x5d4761d6087d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
+    #8 0x5d4761d4b602 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
+    #9 0x5d4761d514d0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
+    #10 0x5d4761d7cff2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
+    #11 0x7b4fad7ea1c9 in __libc_start_call_main sysdeps/nptl/libc_start_call_main.h:58:16
+    #12 0x7b4fad7ea28a in __libc_start_main csu/libc-start.c:360:3
+    #13 0x5d4761d446e4 in _start
+
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /src/project/include/test++/impl/f.inl:1234:4

src/clusterfuzz/_internal/tests/core/crash_analysis/stack_parsing/stack_analyzer_data/ubsan_upcast_of_null_pointer.txt

@@ -0,0 +1,24 @@
+src/test.cpp:777:44: runtime error: upcast of null pointer of type 'Type::Exp'
+    #0 0x56f7022adc48 in Test::Ex::operator()(Test::List*) /src/lib/src/test.cpp:777:27
+    #1 0x56f7022ca6a6 in Test::Ex::operator()(Test::Function_Call*) /src/lib/src/test.cpp:1234:22
+    #2 0x56f7022ad260 in Test::Ex::operator()(Test::List*) /src/lib/src/test.cpp:777:27
+    #3 0x56f70230f0cb in Test::Expemple::operator()(Test::Declaration*) /src/lib/src/exemple.cpp:123:31
+    #4 0x56f702306083 in Test::Exemple::aaaaa(Test::BBBB*) /src/lib/src/exemple.cpp:123:32
+    #5 0x56f7023057af in Test::Exemple::operator()(Test::BBBB*) /src/lib/src/exemple.cpp:321:11
+    #6 0x56f702308297 in Test::Exemple::operator()(Test::SSSS*) /src/lib/src/exemple.cpp:432:27
+    #7 0x56f702306083 in Test::Exemple::aaaaa(Test::BBBB*) /src/lib/src/exemple.cpp:123:32
+    #8 0x56f7023057af in Test::Exemple::operator()(Test::BBBB*) /src/lib/src/exemple.cpp:321:11
+    #9 0x56f702115ffa in Test::Context::compile() /src/lib/src/context.cpp:653:12
+    #10 0x56f702115249 in Test::Data_Context::parse() /src/lib/src/context.cpp:624:12
+    #11 0x56f70204c1c6 in Test::test_block(T_Comp*) /src/lib/src/test_context.cpp:182:31
+    #12 0x56f70204bfbe in test_parse /src/lib/src/test_context.cpp:436:22
+    #13 0x56f70204bc67 in test_context(Test_Context*, Test::Context*) /src/lib/src/test_context.cpp:319:7
+    #14 0x56f70204a5ed in LLVMFuzzerTestOneInput /src/test_fuzzer.cc:22:1
+    #15 0x56f701fa18ed in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
+    #16 0x56f701f8c662 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
+    #17 0x56f701f92530 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
+    #18 0x56f701fbe062 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
+    #19 0x79e011082082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/libc-start.c:308:16
+    #20 0x56f701f8574d in _start
+
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/test.cpp:777:18

src/clusterfuzz/_internal/tests/core/crash_analysis/stack_parsing/stack_analyzer_test.py

@@ -277,6 +277,21 @@ def test_unknown_module(self):
     actual_state = stack_analyzer.get_crash_data(data)
     self.assertEqual(actual_state.crash_state, expected_state)
 
+  def test_ubsan_assumption_violated(self):
+    """Test the ubsan assumption violation format."""
+    data = self._read_test_data('ubsan_assumption_violation.txt')
+    expected_type = 'Assumption-violation'
+    expected_address = ''
+    expected_state = ('project::v3::impl::func_ex::func::f_key\n'
+                      'project::v3::impl::func_ex::func::f_header\n'
+                      'project::v3::impl::func_ex::func::f_document\n')
+    expected_stacktrace = data
+    expected_security_flag = False
+
+    self._validate_get_crash_data(data, expected_type, expected_address,
+                                  expected_state, expected_stacktrace,
+                                  expected_security_flag)
+
   def test_ubsan_bad_cast_downcast(self):
     """Test the ubsan bad cast downcast format."""
     data = self._read_test_data('ubsan_bad_cast_downcast.txt')
@@ -572,6 +587,21 @@ def test_ubsan_pointer_overflow_null_nonzero_offset(self):
                                   expected_state, expected_stacktrace,
                                   expected_security_flag)
 
+  def test_ubsan_upcast_null_pointer(self):
+    """Test the ubsan upcast of null pointer format."""
+    data = self._read_test_data('ubsan_upcast_of_null_pointer.txt')
+    expected_type = 'Upcast-of-null-pointer'
+    expected_address = ''
+    expected_state = ('Test::Ex::operator\n'
+                      'Test::Ex::operator\n'
+                      'Test::Ex::operator\n')
+    expected_stacktrace = data
+    expected_security_flag = False
+
+    self._validate_get_crash_data(data, expected_type, expected_address,
+                                  expected_state, expected_stacktrace,
+                                  expected_security_flag)
+
   def test_java_exception(self):
     """Tests for Java exceptions found by Jazzer."""
     data = self._read_test_data('java_IllegalStateException.txt')

src/clusterfuzz/stacktraces/__init__.py

@@ -615,6 +615,17 @@ def parse(self, stacktrace: str) -> CrashInfo:
             new_type='Bad-cast',
             new_frame_count=0)
 
+      # Golang stacktraces. Needs to be done before the other UBSan crash as
+      # it uses the same pattern of "runtime error:".
+      if state.is_golang:
+        for golang_crash_regex, golang_crash_type in GOLANG_CRASH_TYPES_MAP:
+          if self.update_state_on_match(
+              golang_crash_regex, line, state, new_type=golang_crash_type):
+            state.found_golang_crash = True
+            state.crash_state = ''
+            state.frame_count = 0
+            continue
+
       # Other UndefinedBehavior Sanitizer crash.
       ubsan_runtime_match = UBSAN_RUNTIME_ERROR_REGEX.match(line)
       if ubsan_runtime_match and not state.crash_type and self.include_ubsan:
@@ -642,16 +653,6 @@ def parse(self, stacktrace: str) -> CrashInfo:
           reset=True,
           address_from_group=2)
 
-      # Golang stacktraces.
-      if state.is_golang:
-        for golang_crash_regex, golang_crash_type in GOLANG_CRASH_TYPES_MAP:
-          if self.update_state_on_match(
-              golang_crash_regex, line, state, new_type=golang_crash_type):
-            state.found_golang_crash = True
-            state.crash_state = ''
-            state.frame_count = 0
-            continue
-
       # Python stacktraces.
       if state.is_python:
         for python_crash_regex, python_crash_type in PYTHON_CRASH_TYPES_MAP:

src/clusterfuzz/stacktraces/constants.py

@@ -259,6 +259,8 @@
     r'.*: cannot locate symbol ([`\'"])(.*)\1 referenced by')
 TRUSTY_STACK_FRAME_REGEX = re.compile(
     r'(uSP)\+([a-zA-Z0-9]{6}): (0x[a-fA-F0-9]{16}) in (\w+)')
+UBSAN_ASSUMPTION_VIOLATION = re.compile(
+    r'.*assumption is violated during execution.*')
 UBSAN_DIVISION_BY_ZERO_REGEX = re.compile(r'.*division by zero.*')
 UBSAN_FLOAT_CAST_OVERFLOW_REGEX = re.compile(r'.*outside the range of '
                                              r'representable values.*')
@@ -298,6 +300,7 @@
 UBSAN_SHIFT_ERROR_REGEX = re.compile(r'.*shift.*')
 UBSAN_UNREACHABLE_REGEX = re.compile(
     r'.*execution reached an unreachable program point.*')
+UBSAN_UPCAST_OF_NULL_POINTER = re.compile(r'.*upcast of null pointer of type.*')
 UBSAN_VLA_BOUND_REGEX = re.compile(
     r'.*variable length array bound evaluates to non-positive value.*')
 UBSAN_VPTR_REGEX = re.compile(
@@ -696,12 +699,14 @@
     (UBSAN_SHIFT_ERROR_REGEX, 'Undefined-shift'),
     (UBSAN_UNREACHABLE_REGEX, 'Unreachable code'),
     (UBSAN_UNSIGNED_INTEGER_OVERFLOW_REGEX, 'Unsigned-integer-overflow'),
+    (UBSAN_UPCAST_OF_NULL_POINTER, 'Upcast-of-null-pointer'),
     (UBSAN_VLA_BOUND_REGEX, 'Non-positive-vla-bound-value'),
 
     # The following types are supersets of other types, and should be placed
     # at the end to avoid subsuming crashes from the more specialized types.
     (UBSAN_INVALID_ENUM_VALUE_REGEX, 'Invalid-enum-value'),
     (UBSAN_INTEGER_OVERFLOW_REGEX, 'Integer-overflow'),
+    (UBSAN_ASSUMPTION_VIOLATION, 'Assumption-violation'),
 ]
 
 # Additional regexes for cleaning up format.