GCC version:
$ g++ --version
g++ (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
OS:
$ uname -a
Linux iafanasyev-pc 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Jan 15 19:18:46 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Hardware:
$ cat /proc/cpuinfo | grep "model name" | uniq
model name : Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz
The issue is detected for the completely_random test type. To reproduce the issue faster, the following patch should be applied:
$ git diff
diff --git a/tests/fuzztests/fuzztests.cpp b/tests/fuzztests/fuzztests.cpp
index 714539c..1b1f36a 100644
--- a/tests/fuzztests/fuzztests.cpp
+++ b/tests/fuzztests/fuzztests.cpp
@@ -112,8 +112,9 @@ bool run_test(uint64_t seed, int iterations, test_type& out_type, const char*& o
std::uniform_int_distribution<int> randTest(0, TEST_TYPE_COUNT - 1);
std::uniform_int_distribution<int> randInitialSize(0, 70);
- auto type = static_cast<test_type>(randTest(baseRng));
+ auto type = completely_random;
out_type = type;
+
for (int iteration = 0; iteration != iterations; ++iteration) {
RNG_t rng(baseRng);
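Review bot: replacing `randTest(baseRng)` with the constant `completely_random` removes a draw from `baseRng`, so the `RNG_t rng(baseRng)` copies made in the loop start from a different generator state than in an unpatched build, and a seed printed by this build will generally not replay the same operation sequence there. Keep the draw and discard its result before forcing `type`, which also avoids leaving `randTest` unused. The blank line added after `out_type = type;` can be dropped.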
@@ -806,7 +807,7 @@ int main(int argc, char** argv)
#endif
uint32_t iteration = 0;
- while (true) {
+ while (iteration < 64) {
seed = (static_cast<uint64_t>(std::time(NULL)) << 32) | iteration++;
// MurmurHash3 64-bit finalizer
seed ^= seed >> 33;
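Review bot: the bound in `while (iteration < 64)` is an unexplained literal, and because the seed is built from `std::time(NULL)` shifted left by 32 and OR-ed with `iteration++`, two processes started within the same second walk the same 64 seeds. Add a comment saying why the loop is bounded, make the count a named constant or a command-line option, and mix a per-process value into the seed if the runner can restart the binary faster than once per second.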
Compile it:
make -C tests/fuzztests
Runner:
for i in $(seq 1 1000); do date && ./build/bin/fuzztests && echo "$i -> ok" || break; done
On my machine it usually takes less than 3 minutes to catch a seg fault. Possible outputs:
Пт 04 апр 2025 09:31:04 +07
Running random fuzz tests for moodycamel::ConcurrentQueue.
Press CTRL+C to exit.
(Run fuzztests --help for options.)
Executed 64 tests so far:
multithread_produce: 0 successful, 0 failed
multithread_consume: 0 successful, 0 failed
multithread_produce_and_consume: 0 successful, 0 failed
completely_random: 64 successful, 0 failed
core_add_only_list: 0 successful, 0 failed
core_thread_local: 0 successful, 0 failed
tcache_thread_shutdown(): unaligned tcache chunk detected
*** Abort detected (assertion failed?)
Seed: cea8e5fbfa65c9a6
...
1 -> ok
Пт 04 апр 2025 09:31:35 +07
Running random fuzz tests for moodycamel::ConcurrentQueue.
Press CTRL+C to exit.
(Run fuzztests --help for options.)
<fuzzer hangs, nothing happened for a long time>
...
2 -> ok
Пт 04 апр 2025 09:32:47 +07
Running random fuzz tests for moodycamel::ConcurrentQueue.
Press CTRL+C to exit.
(Run fuzztests --help for options.)
Executed 64 tests so far:
multithread_produce: 0 successful, 0 failed
multithread_consume: 0 successful, 0 failed
multithread_produce_and_consume: 0 successful, 0 failed
completely_random: 64 successful, 0 failed
core_add_only_list: 0 successful, 0 failed
core_thread_local: 0 successful, 0 failed
*** Segmentation fault detected!
Seed: 192d95fbb39f1184
Running random fuzz tests for moodycamel::ConcurrentQueue.
Press CTRL+C to exit.
(Run fuzztests --help for options.)
Executed 64 tests so far:
multithread_produce: 0 successful, 0 failed
multithread_consume: 0 successful, 0 failed
multithread_produce_and_consume: 0 successful, 0 failed
completely_random: 64 successful, 0 failed
core_add_only_list: 0 successful, 0 failed
core_thread_local: 0 successful, 0 failed
double free or corruption (out)
*** Abort detected (assertion failed?)
Seed: 2e412bb68e949ca3
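An added example, not part of the original report or the project's code: a runner that bounds each run with `timeout` so the hang case is caught, and classifies a run by the markers quoted in the outputs above (`Segmentation fault detected`, `Abort detected`, `Seed:`) rather than by exit status alone. The function names and the `fuzztests-fail-N.log` file name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not project code). Marker strings are copied from the
# outputs quoted in the issue; function and file names are hypothetical.
# Usage: run_campaign ./build/bin/fuzztests 1000 300

classify_run() {   # classify_run <exit_status> <log_file>
    local status=$1 log=$2 seed
    # The fuzzer prints "Seed: <hex>" after a failure; keep the last one.
    seed=$(sed -n 's/^Seed: \([0-9a-f]*\).*/\1/p' "$log" | tail -n 1)
    if [ "$status" -eq 124 ]; then
        echo "hang"                       # 124 is GNU timeout's "timed out" status
    elif grep -q 'Segmentation fault detected' "$log"; then
        echo "segfault seed=${seed:-unknown}"
    elif grep -q 'Abort detected' "$log"; then
        echo "abort seed=${seed:-unknown}"
    elif [ "$status" -ne 0 ]; then
        echo "exit-$status"
    else
        echo "ok"
    fi
}

run_campaign() {   # run_campaign <binary> <runs> <per-run timeout in seconds>
    local bin=$1 runs=$2 limit=$3 i status verdict log
    log=$(mktemp)
    for i in $(seq 1 "$runs"); do
        status=0
        timeout "$limit" "$bin" >"$log" 2>&1 || status=$?
        verdict=$(classify_run "$status" "$log")
        echo "$(date -u +%FT%TZ) run $i: $verdict"
        if [ "$verdict" != "ok" ]; then
            cp "$log" "fuzztests-fail-$i.log"   # keep the full output with the seed
            rm -f "$log"
            return 1
        fi
    done
    rm -f "$log"
}
```
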