$ script/test -b
[... compilation output ...]
Random seed: 1509256178
Executed 117 tests.script/test: line 104: 27775 Segmentation fault $cmd "${args[@]}"
real 0m0.008s
user 0m0.004s
sys 0m0.000s
$ out/Test/tests
Random seed: 1509256222
.....................................................................................................................Segmentation fault
$ script/test -g
[... compilation output ...]
==30044== Memcheck, a memory error detector
==30044== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==30044== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==30044== Command: out/Test/tests --reporter=singleline
==30044==
Random seed: 1509256320
Executed 117 tests.==30044== Invalid read of size 4
==30044== at 0x23A1C0: ts_document_set_language (document.c:43)
==30044== by 0x1CE675: {lambda()#1}::operator()() const::{lambda()#1}::operator()() const::{lambda()#3}::operator()() const (fuzzing-examples.cc:36)
==30044== by 0x1CF12A: std::_Function_handler<void (), {lambda()#1}::operator()() const::{lambda()#1}::operator()() const::{lambda()#3}>::_M_invoke(std::_Any_data const&) (functional:1731)
==30044== by 0x11CCA7: std::function<void ()>::operator()() const (functional:2127)
==30044== by 0x11C09A: bandit::it(char const*, std::function<void ()>, bandit::detail::listener&, std::deque<bandit::detail::context*, std::allocator<bandit::detail::context*> >&, bandit::adapters::assertion_adapter&, bandit::detail::run_policy&)::{lambda()#3}::operator()() const (grammar.h:126)
==30044== by 0x11DC51: std::_Function_handler<void (), bandit::it(char const*, std::function<void ()>, bandit::detail::listener&, std::deque<bandit::detail::context*, std::allocator<bandit::detail::context*> >&, bandit::adapters::assertion_adapter&, bandit::detail::run_policy&)::{lambda()#3}>::_M_invoke(std::_Any_data const&) (functional:1731)
==30044== by 0x11CCA7: std::function<void ()>::operator()() const (functional:2127)
==30044== by 0x11B5F4: bandit::adapters::snowhouse_adapter::adapt_exceptions(std::function<void ()>) (snowhouse.h:12)
==30044== by 0x11C29B: bandit::it(char const*, std::function<void ()>, bandit::detail::listener&, std::deque<bandit::detail::context*, std::allocator<bandit::detail::context*> >&, bandit::adapters::assertion_adapter&, bandit::detail::run_policy&) (grammar.h:128)
==30044== by 0x11C8AB: bandit::it(char const*, std::function<void ()>) (grammar.h:179)
==30044== by 0x1CE8E7: {lambda()#1}::operator()() const::{lambda()#1}::operator()() const (fuzzing-examples.cc:59)
==30044== by 0x1CF249: std::_Function_handler<void (), {lambda()#1}::operator()() const::{lambda()#1}>::_M_invoke(std::_Any_data const&) (functional:1731)
==30044== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==30044==
==30044==
==30044== Process terminating with default action of signal 11 (SIGSEGV)
==30044== Access not within mapped region at address 0x0
==30044== at 0x23A1C0: ts_document_set_language (document.c:43)
==30044== by 0x1CE675: {lambda()#1}::operator()() const::{lambda()#1}::operator()() const::{lambda()#3}::operator()() const (fuzzing-examples.cc:36)
==30044== by 0x1CF12A: std::_Function_handler<void (), {lambda()#1}::operator()() const::{lambda()#1}::operator()() const::{lambda()#3}>::_M_invoke(std::_Any_data const&) (functional:1731)
==30044== by 0x11CCA7: std::function<void ()>::operator()() const (functional:2127)
==30044== by 0x11C09A: bandit::it(char const*, std::function<void ()>, bandit::detail::listener&, std::deque<bandit::detail::context*, std::allocator<bandit::detail::context*> >&, bandit::adapters::assertion_adapter&, bandit::detail::run_policy&)::{lambda()#3}::operator()() const (grammar.h:126)
==30044== by 0x11DC51: std::_Function_handler<void (), bandit::it(char const*, std::function<void ()>, bandit::detail::listener&, std::deque<bandit::detail::context*, std::allocator<bandit::detail::context*> >&, bandit::adapters::assertion_adapter&, bandit::detail::run_policy&)::{lambda()#3}>::_M_invoke(std::_Any_data const&) (functional:1731)
==30044== by 0x11CCA7: std::function<void ()>::operator()() const (functional:2127)
==30044== by 0x11B5F4: bandit::adapters::snowhouse_adapter::adapt_exceptions(std::function<void ()>) (snowhouse.h:12)
==30044== by 0x11C29B: bandit::it(char const*, std::function<void ()>, bandit::detail::listener&, std::deque<bandit::detail::context*, std::allocator<bandit::detail::context*> >&, bandit::adapters::assertion_adapter&, bandit::detail::run_policy&) (grammar.h:128)
==30044== by 0x11C8AB: bandit::it(char const*, std::function<void ()>) (grammar.h:179)
==30044== by 0x1CE8E7: {lambda()#1}::operator()() const::{lambda()#1}::operator()() const (fuzzing-examples.cc:59)
==30044== by 0x1CF249: std::_Function_handler<void (), {lambda()#1}::operator()() const::{lambda()#1}>::_M_invoke(std::_Any_data const&) (functional:1731)
==30044== If you believe this happened as a result of a stack
==30044== overflow in your program's main thread (unlikely but
==30044== possible), you can try to increase the size of the
==30044== main thread stack using the --main-stacksize= flag.
==30044== The main thread stack size used in this run was 8388608.
==30044==
==30044== HEAP SUMMARY:
==30044== in use at exit: 11,019 bytes in 93 blocks
==30044== total heap usage: 12,319 allocs, 12,226 frees, 944,670 bytes allocated
==30044==
==30044== For a detailed leak analysis, rerun with: --leak-check=full
==30044==
==30044== For counts of detected and suppressed errors, rerun with: -v
==30044== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
From a quick look at the stack trace, we attempted a read from 0; and it looks like we're in the middle of some fuzzing. So probably the fuzzing has done its job. :-)
This is 100% reproducible for me so far (4/4) -- happy to provide whatever further details would be useful for debugging. I'm on Debian 9.1 stretch (aka stable), on x86_64, if that helps you reproduce it yourself.
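As an added example (not code from the tree-sitter project and not from the issue author), the script below does the triage step the reporter did by eye on the memcheck output above: it parses Valgrind's `Invalid read/write` blocks, extracts the faulting frame and address, and classifies the fault. The classification goes beyond this report: a read at address `0x0` (or any address inside the first page) is flagged as a null-pointer dereference, while the address descriptions Valgrind prints for freed or overrun heap blocks are flagged as use-after-free or heap out-of-bounds, which are the classes a fuzzing harness should escalate rather than file as a plain crash. The sample input is constructed: the first block copies three frames from the report above (including the `Executed 117 tests.` text that bandit left glued to the first memcheck line), the second block with pid `99999`, `fill_buffer` and `example.c` is invented for contrast.

```python
"""Triage helper for Valgrind memcheck output from a fuzzing or test run.

Added example; not part of tree-sitter or the issue above. Parses the
"Invalid read/write" blocks memcheck prints, keeps the first frame and the
address description, and classifies the fault.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Not anchored at start of line: test runners sometimes leave text glued in
# front of the first "==pid==" marker (see "Executed 117 tests." in the sample).
ERROR_RE = re.compile(r"==(?P<pid>\d+)==\s+Invalid (?P<kind>read|write) of size (?P<size>\d+)$")
# "at"/"by" frames, with an optional "(file:line)" suffix. The file group
# excludes parentheses so "std::function<void ()>" is not mistaken for a file.
FRAME_RE = re.compile(
    r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>.+?)"
    r"(?: \((?P<file>[^()]+?):(?P<line>\d+)\))?$"
)
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x(?P<addr>[0-9A-Fa-f]+) is (?P<desc>.+)$")


@dataclass
class Frame:
    func: str
    file: Optional[str]
    line: Optional[int]


@dataclass
class MemcheckError:
    kind: str                 # "read" or "write"
    size: int                 # access width in bytes
    frames: List[Frame] = field(default_factory=list)
    address: Optional[int] = None
    description: str = ""     # Valgrind's text after "Address 0x... is"

    @property
    def top(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None

    def classify(self) -> str:
        if self.address is None:
            return "unknown"
        if self.address < 0x1000:
            # Address 0 or a small offset from it: a NULL (or NULL->field) dereference.
            return "null-deref"
        desc = self.description
        if desc.startswith("not stack'd"):
            return "wild-pointer"
        if "free'd" in desc:
            return "use-after-free"
        if "alloc'd" in desc and ("after" in desc or "before" in desc):
            return "heap-out-of-bounds"
        return "unknown"


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Return one MemcheckError per 'Invalid read/write' block, in order."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ERROR_RE.search(line)
        if m:
            current = MemcheckError(kind=m["kind"], size=int(m["size"]))
            errors.append(current)
            continue
        if current is None:
            # Frames of the "Process terminating" block etc. are not part of an error.
            continue
        m = FRAME_RE.match(line)
        if m:
            current.frames.append(Frame(m["func"], m["file"], int(m["line"]) if m["line"] else None))
            continue
        m = ADDR_RE.match(line)
        if m:
            current.address = int(m["addr"], 16)
            current.description = m["desc"]
            current = None  # the Address line closes the error block
    return errors


def summarize(err: MemcheckError) -> str:
    top = err.top
    where = f"{top.func} ({top.file}:{top.line})" if top and top.file else (top.func if top else "?")
    addr = f"0x{err.address:x}" if err.address is not None else "?"
    return f"{err.classify()}: invalid {err.kind} of {err.size} bytes at {addr} in {where}"


# Constructed sample: first block trimmed from the report above, second block invented.
SAMPLE = """\
Random seed: 1509256320
Executed 117 tests.==30044== Invalid read of size 4
==30044==    at 0x23A1C0: ts_document_set_language (document.c:43)
==30044==    by 0x1CE675: {lambda()#1}::operator()() const::{lambda()#1}::operator()() const::{lambda()#3}::operator()() const (fuzzing-examples.cc:36)
==30044==    by 0x11CCA7: std::function<void ()>::operator()() const (functional:2127)
==30044==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==30044==
==30044== Process terminating with default action of signal 11 (SIGSEGV)
==30044==  Access not within mapped region at address 0x0
==30044==    at 0x23A1C0: ts_document_set_language (document.c:43)
==99999== Invalid write of size 1
==99999==    at 0x4005F2: fill_buffer (example.c:17)
==99999==    by 0x400640: main (example.c:30)
==99999==  Address 0x520404a is 0 bytes after a block of size 10 alloc'd
"""

if __name__ == "__main__":
    for err in parse_memcheck(SAMPLE):
        print(summarize(err))
```

Run it on a saved `valgrind` log (for example `script/test -g` output redirected to a file) in place of `SAMPLE`; for the report above it yields `null-deref: invalid read of 4 bytes at 0x0 in ts_document_set_language (document.c:43)`, which matches the reporter's reading that the fuzzing examples handed the function a null document pointer.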