
fuzz test occur runtime error #3144

Open
qweryzh opened this issue Jan 11, 2021 · 3 comments

qweryzh commented Jan 11, 2021

src/memory/shared_ptr.hpp:202:17: runtime error: downcast of address 0x000003638870 which does not point to an object of type 'Sass::PreValue'
0x000003638870: note: object is of type 'Sass::Unary_Expression'
00 00 00 00 48 ff c7 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 84 63 03
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'Sass::Unary_Expression'
#0 0x6a037f in Sass::SharedImpl<Sass::PreValue>::SharedImpl<Sass::Expression>(Sass::Expression*) /src/libsass/src/memory/shared_ptr.hpp:202:17
#1 0x653594 in Sass::Parser::parse_selector_schema(char const*, bool) /src/libsass/src/parser.cpp:576:24
#2 0x6549cb in Sass::Parser::parse_ruleset(Lookahead) /src/libsass/src/parser.cpp:516:17
#3 0x648a0d in Sass::Parser::parse_block_node(bool) /src/libsass/src/parser.cpp:260:21
#4 0x644b10 in Sass::Parser::parse_block_nodes(bool) /src/libsass/src/parser.cpp:171:11
#5 0x6434c1 in Sass::Parser::parse() /src/libsass/src/parser.cpp:97:5
#6 0x587661 in Sass::Context::register_resource(Sass::Include const&, Sass::Resource const&) /src/libsass/src/context.cpp:307:24
#7 0x590e16 in Sass::Data_Context::parse() /src/libsass/src/context.cpp:621:5
#8 0x4c456a in Sass::sass_parse_block(Sass_Compiler*) /src/libsass/src/sass_context.cpp:181:31
#9 0x4c4347 in sass_compiler_parse /src/libsass/src/sass_context.cpp:435:22
#10 0x4c3f1c in sass_compile_context(Sass_Context*, Sass::Context*) /src/libsass/src/sass_context.cpp:318:7
#11 0x4c1bc3 in LLVMFuzzerTestOneInput /src/data_context_fuzzer.cc:26:3
#12 0x452eb1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
#13 0x43e212 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:296:6
#14 0x4442a7 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:776:9
#15 0x46c8f2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
#16 0x7fc7b762682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#17 0x418828 in _start (/out/data_context_fuzzer+0x418828)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/memory/shared_ptr.hpp:202:17 in


qweryzh commented Jan 11, 2021

According to the error message, the problem is caused by the conversion between the base class and the derived class.
Sass::Unary_Expression: static_cast will not perform security checks during the downcast conversion, resulting in the error. This problem can be avoided by changing static_cast to dynamic_cast.

I think this can solve the problem, please maintainer check this @hcatlin
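A minimal C++ reconstruction of the cast pattern this comment describes, added here as an example and not taken from libsass: the class names mirror the sanitizer trace, and UncheckedPtr/CheckedPtr are hypothetical stand-ins for the SharedImpl constructor in shared_ptr.hpp. It shows the unchecked static_cast beside a dynamic_cast that turns the type mismatch into a testable condition instead of undefined behaviour.

```cpp
#include <cassert>
#include <cstdio>

// Hypothetical stand-ins for the libsass AST types named in the sanitizer
// trace: PreValue and Unary_Expression both derive from Expression, so an
// Expression* may point at either. Names are assumptions, not libsass code.
struct Expression { virtual ~Expression() = default; };
struct PreValue : Expression {};
struct Unary_Expression : Expression {};

// Unchecked wrapper: the pattern the report points at. The converting
// constructor static_casts whatever base pointer it is given to T*. When
// `node` is really a Unary_Expression, that downcast is undefined behaviour;
// it is what -fsanitize=undefined (the vptr check) reported in this issue.
template <class T>
struct UncheckedPtr {
    T* ptr;
    template <class U>
    explicit UncheckedPtr(U* node) : ptr(static_cast<T*>(node)) {}
};

// Checked wrapper: dynamic_cast consults the object's dynamic type and yields
// nullptr on a mismatch, so the bad cast becomes an observable condition the
// caller can reject rather than a silently miscast pointer.
template <class T>
struct CheckedPtr {
    T* ptr;
    template <class U>
    explicit CheckedPtr(U* node) : ptr(dynamic_cast<T*>(node)) {}
    bool valid() const { return ptr != nullptr; }
};

// True when `node` can be wrapped as a PreValue without a bad downcast.
bool wrap_as_prevalue(Expression* node) {
    return CheckedPtr<PreValue>(node).valid();
}

// The two cases from the trace: a genuine PreValue is accepted, and a
// Unary_Expression reaching the same cast is rejected instead of miscast.
bool prevalue_is_accepted() { PreValue p; return wrap_as_prevalue(&p); }
bool unary_is_rejected() { Unary_Expression u; return !wrap_as_prevalue(&u); }

int main() {
    PreValue good;
    UncheckedPtr<PreValue> fine(&good);  // correct dynamic type: cast is sound
    assert(fine.ptr == &good);
    std::printf("PreValue accepted: %d\n", prevalue_is_accepted());      // 1
    std::printf("Unary_Expression rejected: %d\n", unary_is_rejected()); // 1
    return 0;
}
```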

@HamptonMakes (Member) commented

@qweryzh can you explain what you are doing to trigger this error? Are you running a specific bit of Sass to compile? Are you trying to run libsass in some specific environment?


qweryzh commented Jan 12, 2021

@hcatlin This occurs when I run fuzz test cases. You can download the test environment from https://github.com/google/oss-fuzz.git
and perform the following steps:
1. build
python3 infra/helper.py build_fuzzers --sanitizer undefined libsass
2. run
python3 infra/helper.py run_fuzzer libsass data_context_fuzzer -rss_limit_mb=0

and then you can reproduce the failure above.

@mgreter mgreter added the Fuzzy label Mar 4, 2021