Open
Hi, we found a crashing test case when testing glslang by the fuzzing driver from oss-fuzz: https://github.com/google/oss-fuzz/blob/913344964bc1ebd3801cf8b2e24966ab4d2e836a/projects/glslang/compile_fuzzer.cc
The glslang commit version: 7099c12
Build flags: make install glslang based on README and build the fuzzing driver by:

```sh
cd install/
clang++ -fsanitize=fuzzer,address ./compile_fuzzer.cc -DENABLE_HLSL -DENABLE_OPT=0 -DGLSLANG_OSINCLUDE_UNIX -I ./include/ ./lib/libglslang.a ./lib/libSPIRV.a ./lib/libglslang-default-resource-limits.a -o ./compile_fuzzer
```

The PoC:

```hlsl
void n(){int m0t m0t[
```
Running ./compile_fuzzer ./poc results in:
(It would not 100% reproduce stably and I'm not sure why)
```
compile_fuzzer: glslang/Include/Types.h:2118: void glslang::TType::updateArraySizes(const glslang::TType&): Assertion `arraySizes != nullptr' failed.
==522696== ERROR: libFuzzer: deadly signal
#0 0x56544c2b60b1 in __sanitizer_print_stack_trace (install2/compile_fuzzer+0x1320b1) (BuildId: 1d3c40d3c5422ddf41d308a66a1641da29713680)
#1 0x56544c228948 in fuzzer::PrintStackTrace() (install2/compile_fuzzer+0xa4948) (BuildId: 1d3c40d3c5422ddf41d308a66a1641da29713680)
#2 0x56544c20e3c3 in fuzzer::Fuzzer::CrashCallback() (install2/compile_fuzzer+0x8a3c3) (BuildId: 1d3c40d3c5422ddf41d308a66a1641da29713680)
#3 0x7f8c5448951f (/lib/x86_64-linux-gnu/libc.so.6+0x4251f) (BuildId: d5197096f709801829b118af1b7cf6631efa2dcd)
#4 0x7f8c544dd9fb in __pthread_kill_implementation nptl/./nptl/pthread_kill.c:43:17
#5 0x7f8c544dd9fb in __pthread_kill_internal nptl/./nptl/pthread_kill.c:78:10
#6 0x7f8c544dd9fb in pthread_kill nptl/./nptl/pthread_kill.c:89:10
#7 0x7f8c54489475 in gsignal signal/../sysdeps/posix/raise.c:26:13
#8 0x7f8c5446f7f2 in abort stdlib/./stdlib/abort.c:79:7
#9 0x7f8c5446f71a in __assert_fail_base assert/./assert/assert.c:94:3
#10 0x7f8c54480e95 in __assert_fail assert/./assert/assert.c:103:3
#11 0x56544c3b6d88 in glslang::TType::updateArraySizes(glslang::TType const&) glslang/Include/Types.h:2118:9
#12 0x56544c3a4bb9 in glslang::HlslParseContext::declareArray(glslang::TSourceLoc const&, std::__cxx11::basic_string<char, std::char_traits<char>, glslang::pool_allocator<char> > const&, glslang::TType const&, glslang::TSymbol*&, bool) glslang/HLSL/hlslParseHelper.cpp:6942:34
#13 0x56544c3a9cf7 in glslang::HlslParseContext::declareVariable(glslang::TSourceLoc const&, std::__cxx11::basic_string<char, std::char_traits<char>, glslang::pool_allocator<char> > const&, glslang::TType&, glslang::TIntermTyped*) glslang/HLSL/hlslParseHelper.cpp:8033:21
#14 0x56544c3d9158 in glslang::HlslGrammar::acceptDeclaration(TIntermNode*&) glslang/HLSL/hlslGrammar.cpp:505:66
#15 0x56544c3e3cc2 in glslang::HlslGrammar::acceptSimpleStatement(TIntermNode*&) glslang/HLSL/hlslGrammar.cpp:3678:26
#16 0x56544c3e40f3 in glslang::HlslGrammar::acceptStatement(TIntermNode*&) glslang/HLSL/hlslGrammar.cpp:3803:37
#17 0x56544c3e3e67 in glslang::HlslGrammar::acceptCompoundStatement(TIntermNode*&) glslang/HLSL/hlslGrammar.cpp:3710:27
#18 0x56544c3e1e59 in glslang::HlslGrammar::acceptFunctionBody(glslang::TFunctionDeclarator&, TIntermNode*&) glslang/HLSL/hlslGrammar.cpp:2988:34
#19 0x56544c3e1dda in glslang::HlslGrammar::acceptFunctionDefinition(glslang::TFunctionDeclarator&, TIntermNode*&, glslang::TVector<glslang::HlslToken>*) glslang/HLSL/hlslGrammar.cpp:2974:34
#20 0x56544c3d8bf5 in glslang::HlslGrammar::acceptDeclaration(TIntermNode*&) glslang/HLSL/hlslGrammar.cpp:434:48
#21 0x56544c3d7f94 in glslang::HlslGrammar::acceptDeclarationList(TIntermNode*&) glslang/HLSL/hlslGrammar.cpp:165:32
#22 0x56544c3d7e43 in glslang::HlslGrammar::acceptCompilationUnit() glslang/HLSL/hlslGrammar.cpp:130:32
#23 0x56544c3d7bbb in glslang::HlslGrammar::parse() glslang/HLSL/hlslGrammar.cpp:66:33
#24 0x56544c37f6c3 in glslang::HlslParseContext::parseShaderStrings(glslang::TPpContext&, glslang::TInputScanner&, bool) glslang/HLSL/hlslParseHelper.cpp:132:23
#25 0x56544c2ed460 in (anonymous namespace)::DoFullParse::operator()(glslang::TParseContextBase&, glslang::TPpContext&, glslang::TInputScanner&, bool, glslang::TSymbolTable&, glslang::TIntermediate&, EShOptimizationLevel, EShMessages) glslang/MachineIndependent/ShaderLang.cpp:1233:46
#26 0x56544c2f2f73 in bool (anonymous namespace)::ProcessDeferred<(anonymous namespace)::DoFullParse>(TCompiler*, char const* const*, int, int const*, char const* const*, char const*, EShOptimizationLevel, TBuiltInResource const*, int, EProfile, bool, int, bool, EShMessages, glslang::TIntermediate&, (anonymous namespace)::DoFullParse&, bool, glslang::TShader::Includer&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, glslang::TEnvironment const*, bool) glslang/MachineIndependent/ShaderLang.cpp:1008:37
#27 0x56544c2ed7f7 in (anonymous namespace)::CompileDeferred(TCompiler*, char const* const*, int, int const*, char const* const*, char const*, EShOptimizationLevel, TBuiltInResource const*, int, EProfile, bool, int, bool, EShMessages, glslang::TIntermediate&, glslang::TShader::Includer&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, glslang::TEnvironment*, bool) glslang/MachineIndependent/ShaderLang.cpp:1321:27
#28 0x56544c2ef2da in glslang::TShader::parse(TBuiltInResource const*, int, EProfile, bool, bool, EShMessages, glslang::TShader::Includer&) glslang/MachineIndependent/ShaderLang.cpp:1893:27
#29 0x56544c2e9a5c in glslang::TShader::parse(TBuiltInResource const*, int, EProfile, bool, bool, EShMessages) install2/./include/glslang/Public/ShaderLang.h:679:16
#30 0x56544c2e9882 in glslang::TShader::parse(TBuiltInResource const*, int, bool, EShMessages) install2/./include/glslang/Public/ShaderLang.h:685:16
#31 0x56544c2e961b in LLVMFuzzerTestOneInput install2/./fuzzer.cc:17:10
```
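The report notes that the crash does not reproduce on every run. A small triage helper for that situation, added here and not part of the issue or of glslang, runs the reproducer a fixed number of times and counts how many runs exited non-zero, appending each failing run's stderr to a log so the assertion message and trace are kept. The binary and input paths in the usage comment (`./compile_fuzzer`, `./poc`) are the ones given in the report; the helper itself only depends on POSIX sh.

```shell
#!/bin/sh
# Added example, not from the issue or the glslang project.
# crash_rate <binary> <input> <iterations> [logfile]
#   Runs "<binary> <input>" <iterations> times and prints the number of runs
#   that exited non-zero. stderr of every run is appended to <logfile>
#   (default /dev/null) so a flaky assertion failure is still captured.
crash_rate() {
    bin=$1
    input=$2
    n=$3
    log=${4:-/dev/null}
    fails=0
    i=0
    while [ "$i" -lt "$n" ]; do
        # A libFuzzer binary given a single file argument executes that input
        # once and exits; only the exit status is used for the tally here.
        if ! "$bin" "$input" >/dev/null 2>>"$log"; then
            fails=$((fails + 1))
        fi
        i=$((i + 1))
    done
    echo "$fails"
}

# Stand-alone use with the paths from the report (assumed to exist):
#   crashes=$(crash_rate ./compile_fuzzer ./poc 50 ./poc-runs.log)
#   echo "$crashes/50 runs crashed; see ./poc-runs.log"
```

A rate well below 100% on an identical input is itself a data point for the maintainers: it suggests the outcome depends on state that differs between runs (for example memory contents or allocator reuse), which is worth re-testing under a different sanitizer before attempting a fix.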