| Issue |
175288
|
| Summary |
[libFuzzer] hang on start-up with corpus of known crashes
|
| Labels |
compiler-rt:fuzzer
|
| Assignees |
|
| Reporter |
firewave
|
The fuzzer might hang on start-up with a corpus (14 files) that contains only several known crashes. Pressing `CTRL+C` several times gradually gets it to proceed and ultimately start fuzzing.
The output before the hang occurs:
```
$ ./oss-fuzz-client -only_ascii=1 -timeout=5 corpus -fork=10 -ignore_crashes=1 -ignore_timeouts=1 -use_value_profile=1
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3352986070
INFO: Loaded 1 modules (251050 inline 8-bit counters): 251050 [0x56129efaf9e8, 0x56129efece92),
INFO: Loaded 1 PC tables (251050 PCs): 251050 [0x56129efece98,0x56129f3c1938),
INFO: -fork=10: fuzzing in separate process(s)
```
Here is the strace log right before the hang occurs (full: [strace_1.log](https://github.com/user-attachments/files/24539756/strace_1.log)):
```
[...]
newfstatat(AT_FDCWD, "corpus/crash-d4091b9f8adf88ffca450c0c01d98a36758908f2", {st_mode=S_IFREG|0644, st_size=16, ...}, 0) = 0
getpid() = 68591
openat(AT_FDCWD, "/tmp/libFuzzerTemp.FuzzWithFork68591.dir", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
mkdir("/tmp/libFuzzerTemp.FuzzWithFork68591.dir", 0700) = 0
mkdir("/tmp/libFuzzerTemp.FuzzWithFork68591.dir/DFT", 0700) = 0
newfstatat(AT_FDCWD, "/tmp/libFuzzerTemp.FuzzWithFork68591.dir/merge.txt", 0x7ffc2e880260, 0) = -1 ENOENT (No such file or directory)
unlink("/tmp/libFuzzerTemp.FuzzWithFork68591.dir/merge.txt") = -1 ENOENT (No such file or directory)
futex(0x7f8b640906c8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
openat(AT_FDCWD, "/tmp/libFuzzerTemp.FuzzWithFork68591.dir/merge.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
write(3, "14\n0\ncorpus/crash-18b7d7437e79f7"..., 761) = 761
close(3) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f8b63a3e4d0}, {sa_handler=0x55beccdb1a50, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f8b63a3e4d0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f8b63a3e4d0}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f8b63da9000
rt_sigprocmask(SIG_BLOCK, ~[], [CHLD], 8) = 0
clone3({flags=CLONE_VM|CLONE_VFORK|CLONE_CLEAR_SIGHAND, exit_signal=SIGCHLD, stack=0x7f8b63da9000, stack_size=0x9000}, 88) = 68593
munmap(0x7f8b63da9000, 36864) = 0
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593, 0x7ffc2e87ff18, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
rt_sigreturn({mask=[CHLD]}) = -1 EINTR (Interrupted system call)
wait4(68593
```
Unfortunately I was not able to make the process proceed by sending it the signal myself (I used `kill -S SIGINT` with the PID of the actual fuzzer parent process).