
Segfaulting when providing no args field to && or || function #65

@aimless404


@kyessenov @asraa
When creating an expression with the && or || function, providing no args field proves to be fatal.
This is an example of the minimal failing test case. Attached is a local run of such a test case in cel-cpp.
R"(
call_expr: <
function: "&&"
>
)";

[Screenshot, 2020-07-24: local run of the failing test case in cel-cpp]

This issue was found by an Envoy fuzzer run, which is also linked here: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21777&can=2&q=envoy

Stack trace of the Envoy fuzz test

TestRandomGenerator running with seed -549535368
external/com_google_cel_cpp/eval/compiler/flat_expr_builder.cc:110:19: runtime error: member call on null pointer of type 'google::api::expr::runtime::JumpStepBase'
#0 0x9d64fc in google::api::expr::runtime::(anonymous namespace)::FlatExprVisitor::Jump::set_target(int) /proc/self/cwd/external/com_google_cel_cpp/eval/compiler/flat_expr_builder.cc:110:19
#1 0x9d4cf3 in google::api::expr::runtime::(anonymous namespace)::FlatExprVisitor::BinaryCondVisitor::PostVisit(google::api::expr::v1alpha1::Expr const*) /proc/self/cwd/external/com_google_cel_cpp/eval/compiler/flat_expr_builder.cc:501:14
#2 0x9bcca3 in google::api::expr::runtime::(anonymous namespace)::FlatExprVisitor::PostVisitCall(google::api::expr::v1alpha1::Expr_Call const*, google::api::expr::v1alpha1::Expr const*, google::api::expr::runtime::SourcePosition const*) /proc/self/cwd/external/com_google_cel_cpp/eval/compiler/flat_expr_builder.cc:266:21
#3 0xa92fa4 in google::api::expr::runtime::(anonymous namespace)::PostVisit(google::api::expr::runtime::(anonymous namespace)::StackRecord const&, google::api::expr::runtime::AstVisitor*) /proc/self/cwd/external/com_google_cel_cpp/eval/public/ast_traverse.cc:101:16
#4 0xa91db1 in google::api::expr::runtime::AstTraverse(google::api::expr::v1alpha1::Expr const*, google::api::expr::v1alpha1::SourceInfo const*, google::api::expr::runtime::AstVisitor*) /proc/self/cwd/external/com_google_cel_cpp/eval/public/ast_traverse.cc:227:7
#5 0x9b73a2 in google::api::expr::runtime::FlatExprBuilder::CreateExpression(google::api::expr::v1alpha1::Expr const*, google::api::expr::v1alpha1::SourceInfo const*, std::__1::vector<absl::Status, std::__1::allocator<absl::Status> >*) const /proc/self/cwd/external/com_google_cel_cpp/eval/compiler/flat_expr_builder.cc:693:3
#6 0x9b9002 in google::api::expr::runtime::FlatExprBuilder::CreateExpression(google::api::expr::v1alpha1::Expr const*, google::api::expr::v1alpha1::SourceInfo const*) const /proc/self/cwd/external/com_google_cel_cpp/eval/compiler/flat_expr_builder.cc:714:10
#7 0x5becb4 in Envoy::Extensions::Filters::Common::Expr::createExpression(google::api::expr::runtime::CelExpressionBuilder&, google::api::expr::v1alpha1::Expr const&) /proc/self/cwd/source/extensions/filters/common/expr/evaluator.cc:60:40
#8 0x461358 in Envoy::Extensions::Filters::Common::Expr::(anonymous namespace)::TestOneProtoInput(test::extensions::filters::common::expr::EvaluatorTestCase const&) /proc/self/cwd/test/extensions/filters/common/expr/evaluator_fuzz_test.cc:43:32
#9 0x460f42 in LLVMFuzzerTestOneInput /proc/self/cwd/test/extensions/filters/common/expr/evaluator_fuzz_test.cc:21:1
#10 0x56db546 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
#11 0x56c7041 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:296:6
#12 0x56ca48a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:796:9
#13 0x56c6d7a in main /src/libfuzzer/FuzzerMain.cpp:19:10
#14 0x7fad2936a82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#15 0x440538 in _start (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_envoy_13526b3cec4fe4a2eb6540004a639d98790ed27f/revisions/evaluator_fuzz_test+0x440538)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior external/com_google_cel_cpp/eval/compiler/flat_expr_builder.cc:110:19 in
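The trace shows the short-circuit visitor patching a jump step that is only created after the first argument is visited, so a `&&` or `||` call with no args reaches `set_target` on a null pointer. The following is an added illustration, not cel-cpp's own code: a toy flat compiler with the same shape (a jump emitted between the two arguments and patched afterwards) that validates the arity of the operator up front and returns an error for the reporter's minimal case instead of touching a jump that was never emitted. `Expr`, `Step` and `Compile` are stand-ins for the real cel-cpp types and are assumed here.

```cpp
// Added example (not cel-cpp's own code): a toy flat compiler for "&&"/"||"
// that mirrors the shape of the reported crash and rejects a call with a
// missing or incomplete args list instead of patching a jump that was never
// emitted. Expr, Step and Compile are stand-ins for the real cel-cpp types.
#include <optional>
#include <string>
#include <vector>

struct Expr {                 // stand-in for google.api.expr.v1alpha1.Expr
  std::string function;       // call_expr.function, or a leaf identifier
  std::vector<Expr> args;     // call_expr.args (empty in the failing case)
};

struct Step {                 // one instruction of the flat program
  std::string op;
  int jump_target = -1;       // only meaningful for the short-circuit jump
};

// Compiles e into program. Returns an error message on malformed input
// instead of crashing; program is left untouched in that case for "&&"/"||".
std::optional<std::string> Compile(const Expr& e, std::vector<Step>& program) {
  if (e.function != "&&" && e.function != "||") {
    program.push_back({"load " + e.function});   // leaf value
    return std::nullopt;
  }
  // The real visitor created its jump step after visiting the first
  // argument and dereferenced it in PostVisit; with no args it was null.
  // Checking the arity here means that path is never reached.
  if (e.args.size() != 2) {
    return "'" + e.function + "' expects 2 arguments, got " +
           std::to_string(e.args.size());
  }
  if (auto err = Compile(e.args[0], program)) return err;
  const size_t jump_index = program.size();
  program.push_back({e.function == "&&" ? "jump_if_false" : "jump_if_true"});
  if (auto err = Compile(e.args[1], program)) return err;
  program.push_back({e.function});              // combining step
  // Patch the short-circuit jump to land on the combining step (set_target).
  program[jump_index].jump_target = static_cast<int>(program.size() - 1);
  return std::nullopt;
}
```

The same check applied to nested arguments also catches a malformed operator buried inside a well-formed outer call, which is the shape a fuzzer typically finds next.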
