
atheris.Fuzz segfaults when using atheris.instrument_all with @singledispatch on 3.11.9 #90

@tybug

Description

I've been running atheris as part of a large scale evaluation, and have run into a few repositories which throw "failed to instrument" warnings when instrumenting and subsequently segfault. I believe I've isolated this to @singledispatch on 3.11:

Reproducer:

from functools import singledispatch
import sys
import atheris

# dispatcher object created by functools.singledispatch
@singledispatch
def dispatched(x):
    return x

# fuzz entry point: every input goes through the dispatcher
def fuzz_one_input(b):
    dispatched(b)

# instrument every function already loaded into the process
atheris.instrument_all()
atheris.Setup(sys.argv, fuzz_one_input)
atheris.Fuzz()

Which produces output, in part:

ERROR: Failed to instrument function <function Protocol.__init_subclass__.<locals>._proto_hook at 0x2b2e3ed1d120>: '>' not supported between instances of 'NoneType' and 'int'
[2949/3004] 98%
ERROR: Failed to instrument function <function Protocol.__init_subclass__.<locals>._proto_hook at 0x2b2e3ed1d940>: '>' not supported between instances of 'NoneType' and 'int'
[2988/3004] 99%
ERROR: Failed to instrument function <function Generic.__init_subclass__ at 0x2b2e3ed0f600>: '>' not supported between instances of 'NoneType' and 'int'
[2989/3004] 99%
ERROR: Failed to instrument function <function Protocol.__init_subclass__ at 0x2b2e3ed0fc40>: '>' not supported between instances of 'NoneType' and 'int'
[2995/3004] 99%
ERROR: Failed to instrument function <function _TypedDictMeta.__new__ at 0x2b2e3ed1dc60>: '>' not supported between instances of 'NoneType' and 'int'
[3004/3004] 100%
INFO: Using built-in libfuzzer
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3305948197
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
==2403== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

This minimal reproducer exits with a libFuzzer "deadly signal", but I've seen segmentation faults more commonly in practice ("Fatal Python error: Segmentation fault"), usually after <100 examples. My guess is this crash occurs whenever atheris first produces an input which exercises a @singledispatch function.

I cannot reproduce this with Python 3.10.14, or with @atheris.instrument_func on Python 3.11.9.

If you need a reproducer which segfaults explicitly, let me know. It's a bit fiddly to put one together. Hopefully the above is useful enough to track this down!
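The report above says instrument_all() plus a @singledispatch function crashes on 3.11.9, while decorating functions individually with @atheris.instrument_func does not. The helper below is an added example, not code from the issue or from the atheris project: it walks a module, instruments each plain function individually with an instrumenter you pass in (atheris.instrument_func in real use), and leaves the singledispatch dispatcher object alone. Detecting the dispatcher by its register/dispatch/registry attributes and skipping it is an assumption made here; the issue does not say which object instrument_all trips over. The `target` module, the counting instrumenter and the sample input are constructed so the example runs without atheris installed.

```python
import functools
import types

try:
    import atheris  # optional: any callable taking a function and returning one works
except ImportError:
    atheris = None

# Constructed stand-in for a real module under test (not from the issue).
TARGET_SRC = '''
from functools import singledispatch

@singledispatch
def dispatched(x):
    return x

def plain(b):
    return dispatched(b) * 2
'''


def make_target_module(name="target"):
    """Build the constructed target module in-process so the example is self-contained."""
    mod = types.ModuleType(name)
    exec(TARGET_SRC, mod.__dict__)
    return mod


def is_singledispatch(obj):
    """Heuristic (assumption): the object functools.singledispatch returns carries these attributes."""
    return callable(obj) and all(hasattr(obj, a) for a in ("dispatch", "register", "registry"))


def instrument_module(module, instrument, skip=is_singledispatch):
    """Instrument every function defined in `module` one at a time with `instrument`.

    Functions imported from other modules are left alone; anything `skip` flags
    (by default a singledispatch dispatcher) is recorded instead of instrumented.
    Returns (instrumented_names, skipped_names).
    """
    done, skipped = [], []
    for name, obj in list(vars(module).items()):
        if not isinstance(obj, types.FunctionType):
            continue
        if getattr(obj, "__module__", None) != module.__name__:
            continue  # defined elsewhere (e.g. functools.singledispatch itself)
        if skip(obj):
            skipped.append(name)
            continue
        setattr(module, name, instrument(obj))
        done.append(name)
    return done, skipped


def counting_instrumenter(calls):
    """Offline stand-in for atheris.instrument_func: wraps a function and counts calls."""
    def instrument(fn):
        @functools.wraps(fn)
        def wrapped(*args, **kwargs):
            calls[fn.__name__] = calls.get(fn.__name__, 0) + 1
            return fn(*args, **kwargs)
        return wrapped
    return instrument


def demo():
    """Instrument the constructed module offline and exercise it with a constructed input."""
    mod = make_target_module()
    calls = {}
    done, skipped = instrument_module(mod, counting_instrumenter(calls))
    mod.plain(b"abc")  # plain is wrapped; dispatched is the untouched dispatcher
    return done, skipped, calls


if __name__ == "__main__" and atheris is not None:
    import sys

    target = make_target_module()
    instrument_module(target, atheris.instrument_func)

    def fuzz_one_input(data):
        target.plain(data)

    atheris.Setup(sys.argv, fuzz_one_input)
    atheris.Fuzz()
```

Skipping the dispatcher costs little coverage: it is only a type-lookup wrapper, and the implementations registered on it are ordinary functions that still get instrumented when they live in the walked module. Whether this avoids the crash on 3.11.9 is not established by the issue; it only follows the author's observation that per-function instrument_func did not reproduce it.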
