BTreeSet and HashSet cause AddressSanitizer errors

[bvinc]

#[export_name="rust_fuzzer_test_input"]
pub extern "C" fn go(data: &[u8]) {
    let mut bt: BTreeSet<u64> = BTreeSet::new();
    bt.insert(0);
}

#[export_name="rust_fuzzer_test_input"]
pub extern "C" fn go(data: &[u8]) {
    let mut bt: HashSet<u64> = HashSet::new();
    bt.insert(0);
}

Both of these functions cause a AddressSanitizer error for me. Here is the one for BTreeSet:

INFO: Seed: 765651658
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
INFO: -max_len is not provided, using 64
#0	READ units: 20
=================================================================
==15413==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff8e0a6f10 at pc 0x55a091206598 bp 0x7fff8e0a60d0 sp 0x7fff8e0a60c8
ACCESS of size 0 at 0x7fff8e0a6f10 thread T0
    #0 0x55a091206597  (/home/brain/src/roaring-rs/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0xf597)
    #1 0x55a0912374f9  (/home/brain/src/roaring-rs/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x404f9)
    #2 0x55a091229463  (/home/brain/src/roaring-rs/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x32463)
    #3 0x55a091229503  (/home/brain/src/roaring-rs/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x32503)
    #4 0x55a09123e945  (/home/brain/src/roaring-rs/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x47945)
    #5 0x55a09124256a  (/home/brain/src/roaring-rs/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x4b56a)
    #6 0x55a09124060f  (/home/brain/src/roaring-rs/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x4960f)
    #7 0x55a09137970b  (/home/brain/src/roaring-rs/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x18270b)

Address 0x7fff8e0a6f10 is located in stack of thread T0 at offset 48 in frame
    #0 0x55a091236f0f  (/home/brain/src/roaring-rs/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0x3ff0f)

  This frame has 5 object(s):
    [32, 48) '_11' <== Memory access at offset 48 is inside this variable
    [64, 136) 'iter'
    [176, 200) '_6'
    [240, 312) '_5'
    [352, 424) '_4'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/brain/src/roaring-rs/fuzz/target/x86_64-unknown-linux-gnu/debug/fuzzer_script_1+0xf597) 
Shadow bytes around the buggy address:
  0x100071c0cd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100071c0cda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100071c0cdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100071c0cdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100071c0cdd0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100071c0cde0: 00 00[f2]f2 00 00 00 00 00 00 00 00 00 f2 f2 f2
  0x100071c0cdf0: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00
  0x100071c0ce00: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x100071c0ce10: 00 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x100071c0ce20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100071c0ce30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15413==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000


artifact_prefix='artifacts/'; Test unit written to artifacts/crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64: 

Can other people reproduce this? I think this is because rust does not support AddressSanitizer. Can it be disabled for cargo-fuzz? There don't appear to be any flags to set to work around it.

[Bobo1239]

That's rust-lang/rust#39882. I also tried to make ASAN ignore specific crates but wasn't able to figure it out (#3 (comment)).

[Manishearth]

Rust does support ASan. But yeah, ASan and friends are written for C, which don't have things like ZSTs, so these things tend to be buggy when it comes to rust-specific stuff. But they're LLVM tools, so these are bugs in LLVM (anything that can be expressed via LLVM IR should be an okay input to a sanitizer), not bugs in Rust.

[whitequark]

Might be fixed upstream, needs triage.

[alex]

The upstream rust bug for this is fixed, can we close?