envoy:filter_fuzz_test: ASSERT: base_interval_ > 0 #26840

@yanjunxiang-google yanjunxiang-google commented Apr 19, 2023

This fuzz test ASSERT is triggered by a large proto config:

name: "envoy.filters.http.wasm"
typed_config {
  [type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm] {
    config {
      root_id: "||"
      vm_config {
        code {
          remote {
            http_uri {
              uri: "envoy.filters.http.rbac"
              cluster: "2"
              timeout {
              }
            }
            sha256: "z"
            retry_policy {
              retry_back_off {
                base_interval {
                  # hex: 0x100000000; if converted into uint32_t, becomes zero.
                  seconds: 4294967296
                }
              }
            }
          }
        }
      }
    }
  }
}

detail logs:
https://oss-fuzz.com/testcase-detail/6701612180832256

tracebacks:

Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/testcase
  | [2023-04-19 14:39:39.538][27194][critical][assert] [source/common/common/backoff_strategy.cc:9] assert failure: base_interval_ > 0.
  | AddressSanitizer:DEADLYSIGNAL
  | =================================================================
  | ==27194==ERROR: AddressSanitizer: ABRT on unknown address 0x053900006a3a (pc 0x79a5d4adc00b bp 0x7ffffc76a6b0 sp 0x7ffffc76a3f0 T0)
  | SCARINESS: 10 (signal)
  | #0 0x79a5d4adc00b in raise /build/glibc-SzIz7B/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:51:1
  | #1 0x79a5d4abb858 in abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:79:7
  | #2 0x5f7930a in Envoy::JitteredExponentialBackOffStrategy::JitteredExponentialBackOffStrategy(unsigned long, unsigned long, Envoy::Random::RandomGenerator&) /proc/self/cwd/source/common/common/backoff_strategy.cc:0
  | #3 0x5f782be in make_unique<Envoy::JitteredExponentialBackOffStrategy, unsigned int &, unsigned int &, Envoy::Random::RandomGenerator &> /usr/local/include/c++/v1/__memory/unique_ptr.h:724:32
  | #4 0x5f782be in Envoy::Config::Utility::buildJitteredExponentialBackOffStrategy(std::__1::optional<envoy::config::core::v3::BackoffStrategy const>, Envoy::Random::RandomGenerator&, unsigned int, std::__1::optional) /proc/self/cwd/source/common/config/utility.cc:324:12
  | #5 0x5dd1102 in std::__1::unique_ptr<Envoy::JitteredExponentialBackOffStrategy, std::__1::default_deleteEnvoy::JitteredExponentialBackOffStrategy > Envoy::Config::Utility::prepareJitteredExponentialBackOffStrategyenvoy::config::core::v3::RemoteDataSource(envoy::config::core::v3::RemoteDataSource const&, Envoy::Random::RandomGenerator&, unsigned int, std::__1::optional) /proc/self/cwd/source/common/config/utility.h:576:14
  | #6 0x5dd0410 in Envoy::Config::DataSource::RemoteAsyncDataProvider::RemoteAsyncDataProvider(Envoy::Upstream::ClusterManager&, Envoy::Init::Manager&, envoy::config::core::v3::RemoteDataSource const&, Envoy::Event::Dispatcher&, Envoy::Random::RandomGenerator&, bool, std::__1::function<void (std::__1::basic_string<char, std::__1::char_traits, std::__1::allocator > const&)>&&) /proc/self/cwd/source/common/config/datasource.cc:69:23
  | #7 0x57dc5e1 in make_unique<Envoy::Config::DataSource::RemoteAsyncDataProvider, Envoy::Upstream::ClusterManager &, Envoy::Init::Manager &, const envoy::config::core::v3::RemoteDataSource &, Envoy::Event::Dispatcher &, Envoy::Random::RandomGenerator &, bool, (lambda at source/extensions/common/wasm/wasm.cc:414:27) &> /usr/local/include/c++/v1/__memory/unique_ptr.h:724:32
  | #8 0x57dc5e1 in Envoy::Extensions::Common::Wasm::createWasm(std::__1::shared_ptrEnvoy::Extensions::Common::Wasm::Plugin const&, std::__1::shared_ptrEnvoy::Stats::Scope const&, Envoy::Upstream::ClusterManager&, Envoy::Init::Manager&, Envoy::Event::Dispatcher&, Envoy::Api::Api&, Envoy::Server::ServerLifecycleNotifier&, std::__1::unique_ptr<Envoy::Config::DataSource::RemoteAsyncDataProvider, std::__1::default_deleteEnvoy::Config::DataSource::RemoteAsyncDataProvider >&, std::__1::function<void (std::__1::shared_ptrEnvoy::Extensions::Common::Wasm::WasmHandle)>&&, std::__1::function<proxy_wasm::ContextBase* (Envoy::Extensions::Common::Wasm::Wasm*, std::__1::shared_ptrEnvoy::Extensions::Common::Wasm::Plugin const&)>) /proc/self/cwd/source/extensions/common/wasm/wasm.cc:457:30
  | #9 0x5746fe6 in Envoy::Extensions::HttpFilters::Wasm::FilterConfig::FilterConfig(envoy::extensions::filters::http::wasm::v3::Wasm const&, Envoy::Server::Configuration::FactoryContext&) /proc/self/cwd/source/extensions/filters/http/wasm/wasm_filter.cc:23:8
  | #10 0x574039c in __shared_ptr_emplace<const envoy::extensions::filters::http::wasm::v3::Wasm &, Envoy::Server::Configuration::FactoryContext &> /usr/local/include/c++/v1/__memory/shared_ptr.h:294:37
  | #11 0x574039c in allocate_shared<Envoy::Extensions::HttpFilters::Wasm::FilterConfig, std::__1::allocatorEnvoy::Extensions::HttpFilters::Wasm::FilterConfig, const envoy::extensions::filters::http::wasm::v3::Wasm &, Envoy::Server::Configuration::FactoryContext &, void> /usr/local/include/c++/v1/__memory/shared_ptr.h:953:55
  | #12 0x574039c in make_shared<Envoy::Extensions::HttpFilters::Wasm::FilterConfig, const envoy::extensions::filters::http::wasm::v3::Wasm &, Envoy::Server::Configuration::FactoryContext &, void> /usr/local/include/c++/v1/__memory/shared_ptr.h:962:12
  | #13 0x574039c in Envoy::Extensions::HttpFilters::Wasm::WasmFilterConfig::createFilterFactoryFromProtoTyped(envoy::extensions::filters::http::wasm::v3::Wasm const&, std::__1::basic_string<char, std::__1::char_traits, std::__1::allocator > const&, Envoy::Server::Configuration::FactoryContext&) /proc/self/cwd/source/extensions/filters/http/wasm/config.cc:21:24
  | #14 0x5741d37 in createFilterFactoryFromProto /proc/self/cwd/source/extensions/filters/http/common/factory_base.h:71:12
  | #15 0x5741d37 in non-virtual thunk to Envoy::Extensions::HttpFilters::Common::FactoryBase<envoy::extensions::filters::http::wasm::v3::Wasm, envoy::extensions::filters::http::wasm::v3::Wasm>::createFilterFactoryFromProto(google::protobuf::Message const&, std::__1::basic_string<char, std::__1::char_traits, std::__1::allocator > const&, Envoy::Server::Configuration::FactoryContext&) /proc/self/cwd/source/extensions/filters/http/common/factory_base.h:0
  | #16 0x20bb2cf in Envoy::Extensions::HttpFilters::UberFilterFuzzer::fuzz(envoy::extensions::filters::network::http_connection_manager::v3::HttpFilter const&, test::fuzz::HttpData const&, test::fuzz::HttpData const&) /proc/self/cwd/test/extensions/filters/http/common/fuzz/uber_filter.cc:76:19
  | #17 0x1fa3a7c in TestOneProtoInput /proc/self/cwd/test/extensions/filters/http/common/fuzz/filter_fuzz_test.cc:78:12
  | #18 0x1fa3a7c in LLVMFuzzerTestOneInput /proc/self/cwd/test/extensions/filters/http/common/fuzz/filter_fuzz_test.cc:13:1
  | #19 0x1e76913 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
  | #20 0x1e61422 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
  | #21 0x1e66ccc in fuzzer::FuzzerDriver(int*, char***, int ()(unsigned char const, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
  | #22 0x1e90e52 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
  | #23 0x79a5d4abd082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  | #24 0x1e575ed in _start
  |  
  | AddressSanitizer can not provide additional info.
  | SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
  | ==27194==ABORTING
 



 Envoy::JitteredExponentialBackOffStrategy::JitteredExponentialBackOffStrategy(unsigned long, unsigned long, Envoy::Random::RandomGenerator&) /proc/self/cwd/source/common/common/backoff_strategy.cc:0

Signed-off-by: Yanjun Xiang <[email protected]>
@yanjunxiang-google
Contributor Author

From the configuration, the base_interval_ms is a 64-bit number: 0x100000000. In source/config/utility.cc, it is converted into a 32-bit number base_interval_ms, and becomes zero. Thus the ASSERT(base_interval_ > 0) crashes.

This is a regression introduced by #24701, which changed the base_interval_ms from a uint64_t number into a uint32_t number. Considering that the duration second is a uint64_t number, and the base_interval_ms in class JitteredExponentialBackOffStrategy is also a uint64_t number, let's change it back to uint64_t as well.

The alternative solution is to add a lte PGV in the proto:

gte {nanos: 1000000}

However, will that change be some sort of a breaking change, even if realistically nobody will configure a base_interval_ms that big? Considering this is a regression issue, changing it back to uint64_t here makes more sense to me.
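The narrowing described in the comment above, shown as an added example that is not part of the original thread and is not Envoy's code. The `Duration` struct and the function names `durationToMs`, `narrowUnchecked` and `narrowChecked` are hypothetical stand-ins; only the value 4294967296 seconds comes from the testcase.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>

// Hypothetical stand-in for the seconds/nanos pair of a protobuf Duration.
struct Duration {
  int64_t seconds;
  int32_t nanos;
};

// Convert to milliseconds at full 64-bit width. Returns false for negative
// input or when the millisecond count would not fit in uint64_t.
bool durationToMs(const Duration& d, uint64_t* out_ms) {
  if (d.seconds < 0 || d.nanos < 0) {
    return false;
  }
  const uint64_t secs = static_cast<uint64_t>(d.seconds);
  const uint64_t sub_ms = static_cast<uint64_t>(d.nanos) / 1000000;
  if (secs > (std::numeric_limits<uint64_t>::max() - sub_ms) / 1000) {
    return false;
  }
  *out_ms = secs * 1000 + sub_ms;
  return true;
}

// The narrowing from the issue: a plain cast keeps only the low 32 bits, so
// any exact multiple of 2^32 milliseconds silently becomes 0.
uint32_t narrowUnchecked(uint64_t ms) { return static_cast<uint32_t>(ms); }

// Checked narrowing: reject zero and anything above UINT32_MAX so the caller
// can fail config validation instead of tripping an ASSERT later.
bool narrowChecked(uint64_t ms, uint32_t* out_ms) {
  if (ms == 0 || ms > std::numeric_limits<uint32_t>::max()) {
    return false;
  }
  *out_ms = static_cast<uint32_t>(ms);
  return true;
}

int main() {
  const Duration fuzzed{4294967296, 0}; // base_interval from the fuzz testcase
  uint64_t ms = 0;
  if (!durationToMs(fuzzed, &ms)) {
    std::cout << "duration rejected\n";
    return 1;
  }
  uint32_t narrowed = 0;
  std::cout << "64-bit ms:          " << ms << "\n";
  std::cout << "unchecked uint32_t: " << narrowUnchecked(ms) << "\n";
  std::cout << "checked narrowing:  "
            << (narrowChecked(ms, &narrowed) ? "accepted" : "rejected") << "\n";
  return 0;
}
```

Keeping the value in `uint64_t` end to end, as the comment proposes, removes the cast entirely; the checked variant is what a 32-bit field would need if it stayed.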

@yanjunxiang-google
Contributor Author

/assign @yanavlasov @KBaichoo @adisuissa

@yanjunxiang-google
Contributor Author

yanjunxiang-google commented Apr 19, 2023

Another issue here is that after we fix the above ASSERT crash, there is a WASM filter crash observed with the traceback below. This looks to me like a separate issue. I would think we should deal with it separately.

[ RUN ] CorpusExamples/FuzzerCorpusTest.RunOneCorpusFile/30
[2023-04-19 17:50:37.353][12][info][misc] [test/fuzz/main.cc:47] Corpus file: test/extensions/filters/http/common/fuzz/filter_corpus/clusterfuzz-minimized-filter_fuzz_test-6701612180832256
[2023-04-19 17:50:37.354][12][info][misc] [test/extensions/filters/http/common/fuzz/uber_filter.cc:69] filter name envoy.filters.http.wasm
[2023-04-19 17:50:37.354][12][warning][wasm] [source/extensions/common/wasm/wasm.cc:328] Wasm remote code fetch is unstable and may cause a crash
test/mocks/thread_local/mocks.h:65: Failure
Value of: was_set_
Actual: false
Expected: true
Stack trace:
0x55e17cc: Envoy::ThreadLocal::MockInstance::SlotImpl::get()
0x6a2b523: Envoy::ThreadLocal::TypedSlot<>::get()
0x6a2abcb: Envoy::Extensions::HttpFilters::Wasm::FilterConfig::createFilter()
0x6a286d3: std::_Function_handler<>::_M_invoke()
0x3507c45: std::function<>::operator()()
0x34fe7cd: Envoy::Extensions::HttpFilters::UberFilterFuzzer::fuzz()
0x343ce12: LLVMFuzzerTestOneInput
0x7140317: Envoy::(anonymous namespace)::FuzzerCorpusTest_RunOneCorpusFile_Test::TestBody()
0x93044e5: testing::internal::HandleExceptionsInMethodIfSupported<>()
0x92ddd5c: testing::Test::Run()
0x92df375: testing::TestInfo::Run()
... Google Test internal frames ...

source/extensions/filters/http/wasm/wasm_filter.h:34:54: runtime error: member call on null pointer of type 'Envoy::Extensions::Common::Wasm::PluginHandleSharedPtrThreadLocal'
error: failed to decompress '.debug_aranges', zlib is not available
error: failed to decompress '.debug_info', zlib is not available
error: failed to decompress '.debug_abbrev', zlib is not available
error: failed to decompress '.debug_line', zlib is not available
error: failed to decompress '.debug_str', zlib is not available
error: failed to decompress '.debug_line_str', zlib is not available
error: failed to decompress '.debug_loclists', zlib is not available
error: failed to decompress '.debug_rnglists', zlib is not available
#0 0x6a2afc4 in Envoy::Extensions::HttpFilters::Wasm::FilterConfig::createFilter() /proc/self/cwd/./source/extensions/filters/http/wasm/wasm_filter.h:34:54
#1 0x6a286d2 in std::_Function_handler<void (Envoy::Http::FilterChainFactoryCallbacks&), Envoy::Extensions::HttpFilters::Wasm::WasmFilterConfig::createFilterFactoryFromProtoTyped(envoy::extensions::filters::http::wasm::v3::Wasm const&, std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, Envoy::Server::Configuration::FactoryContext&)::$_0>::_M_invoke(std::_Any_data const&, Envoy::Http::FilterChainFactoryCallbacks&) /proc/self/cwd/source/extensions/filters/http/wasm/config.cc:23:34
#2 0x3507c44 in std::function<void (Envoy::Http::FilterChainFactoryCallbacks&)>::operator()(Envoy::Http::FilterChainFactoryCallbacks&) const /usr/lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_function.h:591:9
#3 0x34fe7cc in Envoy::Extensions::HttpFilters::UberFilterFuzzer::fuzz(envoy::extensions::filters::network::http_connection_manager::v3::HttpFilter const&, test::fuzz::HttpData const&, test::fuzz::HttpData const&) /proc/self/cwd/test/extensions/filters/http/common/fuzz/uber_filter.cc:77:5
#4 0x343ce11 in LLVMFuzzerTestOneInput /proc/self/cwd/test/extensions/filters/http/common/fuzz/filter_fuzz_test.cc:78:12
#5 0x7140316 in Envoy::(anonymous namespace)::FuzzerCorpusTest_RunOneCorpusFile_Test::TestBody() /proc/self/cwd/test/fuzz/main.cc:50:3
#6 0x93044e4 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::)(), char const) /proc/self/cwd/external/com_google_googletest/googletest/src/gtest.cc:2580:10
#7 0x92ddd5b in testing::Test::Run() /proc/self/cwd/external/com_google_googletest/googletest/src/gtest.cc:2655:5
#8 0x92df374 in testing::TestInfo::Run() /proc/self/cwd/external/com_google_googletest/googletest/src/gtest.cc:2832:11
#9 0x92e0a5c in testing::TestSuite::Run() /proc/self/cwd/external/com_google_googletest/googletest/src/gtest.cc:2986:28
#10 0x92f723c in testing::internal::UnitTestImpl::RunAllTests() /proc/self/cwd/external/com_google_googletest/googletest/src/gtest.cc:5697:44
#11 0x93077a4 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::)(), char const) /proc/self/cwd/external/com_google_googletest/googletest/src/gtest.cc:2580:10
#12 0x92f6698 in testing::UnitTest::Run() /proc/self/cwd/external/com_google_googletest/googletest/src/gtest.cc:5280:10
#13 0x713eee5 in main /proc/self/cwd/external/com_google_googletest/googletest/include/gtest/gtest.h:2485:46
#14 0x7fec8ae46189 (/lib/x86_64-linux-gnu/libc.so.6+0x27189) (BuildId: e144007f35d794adf218479af5ddcb2a11a2c583)
#15 0x7fec8ae46244 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27244) (BuildId: e144007f35d794adf218479af5ddcb2a11a2c583)
#16 0x337e9a0 in _start (/usr/local/google/home/yanjunxiang/.cache/bazel/_bazel_yanjunxiang/c9e0c5a2b4627286a241afa2f7502905/execroot/envoy/bazel-out/k8-dbg/bin/test/extensions/filters/http/common/fuzz/filter_fuzz_test+0x337e9a0)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior source/extensions/filters/http/wasm/wasm_filter.h:34:54 in

@yanjunxiang-google
Contributor Author

Hi @stevenzzzz,

Could you please take a look at this crash in the wasm_filter code? It is easy to reproduce once you download the file:

test/extensions/filters/http/common/fuzz/filter_corpus/clusterfuzz-minimized-filter_fuzz_test-6701612180832256

and copy it to this directory in your workspace, then run:

~/envoy_fuzz_test_issue/envoy$ bazel test -c dbg --config clang-asan test/extensions/filters/http/common/fuzz:filter_fuzz_test

@mpwarres
Contributor

I can take a look.

@yanavlasov
Contributor

This looks like some constraint annotations are missing from the API.

/wait-any

@yanjunxiang-google
Contributor Author

I can take a look.

👍

@yanavlasov
Contributor

/wait-any

@github-actions

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@github-actions github-actions bot added the stale stalebot believes this issue/PR has not been touched recently label May 25, 2023
@github-actions

github-actions bot commented Jun 1, 2023

This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@yanjunxiang-google
Contributor Author

yanjunxiang-google commented Sep 25, 2023

Below are the test logs. @mpwarres @stevenzzzz could you please take a look?

It looks to me like once the configuration has a remote code fetching config with a uri, it crashes:


test_logs.docx

@yanjunxiang-google
Contributor Author

yanjunxiang-google commented Sep 25, 2023

Function call path:

cb_ = factory.createFilterFactoryFromProto(*message, "stats", factory_context_);

which creates the FilterConfig object and the callback function:

auto callback = [plugin, this](const Common::Wasm::WasmHandleSharedPtr& base_wasm) {

return [filter_config](Http::FilterChainFactoryCallbacks& callbacks) -> void {

It also creates the callback function to call tls_slot->set()

tls_slot_->set([base_wasm, plugin](Event::Dispatcher& dispatcher) {

However, it looks like tls_slot_->set() is not called during the call to createWasm() here:

if (!Common::Wasm::createWasm(plugin, context.scope().createScope(""), context.clusterManager(),

It crashed here when calling this callback function, which in turn calls createFilter():
