
[Fix fuzzer error] Memory address points to zero page.#32894

Merged
nanahpang merged 13 commits into grpc:master from nanahpang:master
Apr 27, 2023

Conversation

@nanahpang
Contributor

@nanahpang nanahpang commented Apr 19, 2023

Found memory access error in frame_fuzzer_test. Located the root cause in ExecCtx::Get(), where ExecCtx needs to be initialized before using HPackParser:ParseInput().

Error logs:
MemorySanitizer:DEADLYSIGNAL
==2812845==ERROR: MemorySanitizer: SEGV on unknown address 0x000000000030 (pc 0x55869275574e bp 0x7fffd7d9fb50 sp 0x7fffd7d9fb20 T2812845)
==2812845==The signal is caused by a READ memory access.
==2812845==Hint: address points to the zero page.
#0 0x55869275574e in starting_cpu third_party/grpc/src/core/lib/iomgr/exec_ctx.h:129:9
#1 0x55869275574e in grpc_core::PerCpu<grpc_core::GlobalStatsCollector::Data>::this_cpu() third_party/grpc/src/core/lib/gprpp/per_cpu.h:38:48
#2 0x558692753cda in IncrementHttp2MetadataSize third_party/grpc/src/core/lib/debug/stats_data.h:265:11
#3 0x558692753cda in grpc_core::HPackParser::ParseInput(grpc_core::HPackParser::Input, bool) third_party/grpc/src/core/ext/transport/chttp2/transport/hpack_parser.cc:933:20

@nanahpang nanahpang requested a review from ctiller as a code owner April 19, 2023 14:22
@nanahpang nanahpang changed the title Fix the memory access error: address points to zero page [Fix fuzzer error] Memory address points to zero page Apr 19, 2023
@nanahpang nanahpang added area/test release notes: no Indicates if PR should not be in release notes labels Apr 19, 2023
@ctiller
Member

ctiller commented Apr 19, 2023

I don't think this is the root cause. For the specific fuzzer failure this will stop the error, but the fuzzer will soon give us a 1-byte long frame and this will trip again.

I wrote #32896 to demonstrate that incrementing a zero frame size always works.

Here it looks like we're trying to access a null execctx because there's none on the stack. Probably just adding a grpc_core::ExecCtx exec_ctx at the top of the fuzzer entry function would be sufficient.
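A minimal model (added here, not gRPC's own code) of the failure described above: the context object lives on the stack and is reached through a thread-local pointer, so a stats increment executed with no context in scope dereferences null, while a scoped context at the top of the entry function makes the same call valid for a zero-byte and a one-byte frame alike. All names are hypothetical stand-ins for ExecCtx, starting_cpu and IncrementHttp2MetadataSize.

```cpp
// Added example: model of the thread-local ExecCtx pattern. Hypothetical names.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace model {

// Stack-scoped context, one per thread, found through a thread_local pointer.
class ExecCtx {
 public:
  ExecCtx() : prev_(current_) { current_ = this; }
  ~ExecCtx() { current_ = prev_; }
  // nullptr when no ExecCtx has been constructed on this thread's stack.
  static ExecCtx* Get() { return current_; }
  unsigned starting_cpu() const { return starting_cpu_; }

 private:
  static thread_local ExecCtx* current_;
  ExecCtx* prev_;
  unsigned starting_cpu_ = 0;
};
thread_local ExecCtx* ExecCtx::current_ = nullptr;

// Stats path: like this_cpu() -> starting_cpu(), it reads through ExecCtx::Get().
// Returns false instead of faulting when no context exists; the real code reads
// a field of the null pointer here, which is the "zero page" SEGV in the log.
bool IncrementMetadataSize(std::vector<uint64_t>& per_cpu, size_t bytes) {
  ExecCtx* ctx = ExecCtx::Get();
  if (ctx == nullptr) return false;
  per_cpu[ctx->starting_cpu() % per_cpu.size()] += bytes;
  return true;
}

// Fuzzer-style entry without a context: the nested stats call has no ExecCtx.
bool ParseWithoutCtx(std::vector<uint64_t>& per_cpu, const uint8_t* data,
                     size_t size) {
  (void)data;
  return IncrementMetadataSize(per_cpu, size);
}

// Fixed entry: a scoped ExecCtx at the top covers every nested stats call,
// whatever the frame size, so special-casing size 0 is not needed.
bool ParseWithCtx(std::vector<uint64_t>& per_cpu, const uint8_t* data,
                  size_t size) {
  ExecCtx exec_ctx;
  (void)data;
  return IncrementMetadataSize(per_cpu, size);
}

}  // namespace model
```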

…e memory access error. The root cause is ExecCtx:Get() not initialized before use.
@nanahpang
Contributor Author

Yes, it is due to the ExecCtx not being initialized before use. I have updated the files and am running the sanitizer script right now. Thanks!

Member

@ctiller ctiller left a comment


Will need to appease the sanitizer, but this looks good - thank you!

@ctiller ctiller changed the title [Fix fuzzer error] Memory address points to zero page [Fix fuzzer error] Memory address points to zero page. Apr 27, 2023
@nanahpang nanahpang merged commit d1dda5c into grpc:master Apr 27, 2023
@copybara-service copybara-service bot added the imported Specifies if the PR has been imported to the internal repository label Apr 28, 2023
XuanWang-Amos pushed a commit to XuanWang-Amos/grpc that referenced this pull request May 1, 2023
Found memory access error in frame_fuzzer_test. Located the root cause
in ExecCtx::Get(), where ExecCtx needs to be initialized before using
HPackParser:ParseInput().


Error logs:
MemorySanitizer:DEADLYSIGNAL
==2812845==ERROR: MemorySanitizer: SEGV on unknown address
0x000000000030 (pc 0x55869275574e bp 0x7fffd7d9fb50 sp 0x7fffd7d9fb20
T2812845)
==2812845==The signal is caused by a READ memory access.
==2812845==Hint: address points to the zero page.
#0 0x55869275574e in starting_cpu
[third_party/grpc/src/core/lib/iomgr/exec_ctx.h:129](https://cs.corp.google.com/piper///depot/google3/third_party/grpc/src/core/lib/iomgr/exec_ctx.h?l=129&ws=ladynana/2900&snapshot=42):9
#1 0x55869275574e in
grpc_core::PerCpu<grpc_core::GlobalStatsCollector::Data>::this_cpu()
[third_party/grpc/src/core/lib/gprpp/per_cpu.h:38](https://cs.corp.google.com/piper///depot/google3/third_party/grpc/src/core/lib/gprpp/per_cpu.h?l=38&ws=ladynana/2900&snapshot=42):48
#2 0x558692753cda in IncrementHttp2MetadataSize
[third_party/grpc/src/core/lib/debug/stats_data.h:265](https://cs.corp.google.com/piper///depot/google3/third_party/grpc/src/core/lib/debug/stats_data.h?l=265&ws=ladynana/2900&snapshot=42):11
#3 0x558692753cda in
grpc_core::HPackParser::ParseInput(grpc_core::HPackParser::Input, bool)
[third_party/grpc/src/core/ext/transport/chttp2/transport/hpack_parser.cc:933](https://cs.corp.google.com/piper///depot/google3/third_party/grpc/src/core/ext/transport/chttp2/transport/hpack_parser.cc?l=933&ws=ladynana/2900&snapshot=42):20


paulosjca pushed a commit to paulosjca/grpc that referenced this pull request May 4, 2023
wanlin31 pushed a commit that referenced this pull request May 18, 2023

Labels

area/test bloat/none imported Specifies if the PR has been imported to the internal repository lang/core per-call-memory/neutral per-channel-memory/neutral release notes: no Indicates if PR should not be in release notes
