Floating Point Exception during RandomTreeCreator Execution #4662

Open
DUT-ShiLongYu opened this issue Sep 20, 2024 · 0 comments
Comments


Bug Report

Environment

Description

  • Expected behavior: executing code doesn't crash
  • Actual behavior: executing code crash, Floating Point Exception (FPE)

Steps to reproduce

When using a random function to create a random number, if the input data value is 0, a floating point exception will be generated when the randomInt function is called internally to generate a random number. Here's a snippet of code that demonstrates how this could occur:

#include <cmath>
#include <cstddef>   // size_t
#include <cstdint>   // uint8_t
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include "RandomTreeCreator.hpp"
using namespace btInverseDynamics;

// Builds a RandomTreeCreator repeatedly with a maximum body count of 0.
// The constructor draws the body count from randomInt(1, kMaxRandomBodies),
// so a maximum of 0 yields an empty range and a division by zero inside randomInt.
void InvDynJacobians_VelocitiesFromJacobians()
{
    const int kRandomLoops = 20;
    const int kMaxRandomBodies = 0; // 0 bodies triggers the FPE
    for (int loop = 0; loop < kRandomLoops; loop++)
    {
        RandomTreeCreator random(kMaxRandomBodies);
    }
    std::cout << "create over" << std::endl;
}

// libFuzzer entry point; the fuzz input is not used, the crash is deterministic.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
    (void)Data;
    (void)Size;
    InvDynJacobians_VelocitiesFromJacobians();
    return 0;
}

Output

Here is what the output shows:

(base) dct@dct-OptiPlex-Tower-Plus-7010:~/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test$ ./bullet_tests_libfuzzer input/
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2602152510
INFO: Loaded 1 modules   (124 inline 8-bit counters): 124 [0x55c9568a4028, 0x55c9568a40a4), 
INFO: Loaded 1 PC tables (124 PCs): 124 [0x55c9568a40a8,0x55c9568a4868), 
INFO:        0 files found in input/
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1132716==ERROR: AddressSanitizer: FPE on unknown address 0x55c9568561cd (pc 0x55c9568561cd bp 0x7ffde5217da0 sp 0x7ffde5217d80 T0)
/usr/bin/llvm-symbolizer-20: /home/dct/anaconda3/lib/libcurl.so.4: no version information available (required by /usr/bin/llvm-symbolizer-20)
    #0 0x55c9568561cd in btInverseDynamicsBullet3::randomInt(int, int) /home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet3/Extras/InverseDynamics/IDRandomUtil.cpp:19:50
    #1 0x55c9568538c0 in btInverseDynamicsBullet3::RandomTreeCreator::RandomTreeCreator(int, bool) /home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet3/Extras/InverseDynamics/RandomTreeCreator.cpp:20:17
    #2 0x55c95685360a in InvDynJacobians_VelocitiesFromJacobians() /home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/main.cpp:17:27
    #3 0x55c956853708 in LLVMFuzzerTestOneInput /home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/main.cpp:24:5
    #4 0x55c95675553b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x5053b) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)
    #5 0x55c9567567e1 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x517e1) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)
    #6 0x55c956756e6c in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile>>&) (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x51e6c) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)
    #7 0x55c956744485 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x3f485) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)
    #8 0x55c95676f132 in main (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x6a132) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)
    #9 0x731d9f629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x731d9f629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #11 0x55c956738fc4 in _start (/home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet_tests_libfuzzer+0x33fc4) (BuildId: f6db427013f0d09d1b1c42e56e8034db8f49b6cf)

==1132716==Register values:
rax = 0x000000006b8b4567  rbx = 0x00007ffde5217e20  rcx = 0x0000000000000000  rdx = 0x0000000000000000  
rdi = 0x0000731d9f81a860  rsi = 0x00007ffde5217d54  rbp = 0x00007ffde5217da0  rsp = 0x00007ffde5217d80  
 r8 = 0x0000000000000000   r9 = 0x0000731d9f81a280  r10 = 0x0000731d9f6090f0  r11 = 0x0000731d9f646760  
r12 = 0x00007ffde5217f87  r13 = 0x000055c9568a5600  r14 = 0x00006f3d9eae0010  r15 = 0x0000000000000000  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/dct/libfuzzer-workshop/libFuzzer/Fuzzer/bullet3_test/bullet3/Extras/InverseDynamics/IDRandomUtil.cpp:19:50 in btInverseDynamicsBullet3::randomInt(int, int)
==1132716==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
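The trace above points at IDRandomUtil.cpp:19 inside randomInt(int, int), reached from the RandomTreeCreator constructor with a maximum body count of 0. The example below is an added illustration, not the reporter's code and not Bullet's own source: the body of randomIntUnchecked is an assumed reconstruction of the failing expression (a modulo by `high - low + 1`, which is 0 for the range 1..0 and traps as an integer divide-by-zero), and randomIntChecked and validateMaxBodies are hypothetical hardened counterparts that reject an empty or inverted range before dividing.

```cpp
#include <cstdlib>
#include <iostream>
#include <optional>

// Assumed shape of the vulnerable helper (reconstructed from the trace, not
// Bullet's verbatim source). With low = 1 and high = 0 the divisor
// (high - low + 1) is 0 and integer division raises SIGFPE. It is never
// called with an empty range below; it only makes the failing expression visible.
int randomIntUnchecked(int low, int high)
{
    return (std::rand() % (high - low + 1)) + low;
}

// Hardened variant (hypothetical): validate the range first and report an
// empty or inverted range to the caller instead of trapping.
std::optional<int> randomIntChecked(int low, int high)
{
    if (high < low) {
        return std::nullopt;  // empty range: the divisor would be <= 0
    }
    // Widen so high - low + 1 cannot overflow for extreme int bounds.
    long long span = static_cast<long long>(high) - low + 1;
    return static_cast<int>(std::rand() % span) + low;
}

// Mirrors the constructor entry point (hypothetical): a body count of zero is
// rejected up front rather than passed into randomInt(1, 0).
bool validateMaxBodies(int max_bodies)
{
    return max_bodies >= 1;
}

int main()
{
    const int kMaxRandomBodies = 0;  // constructed input matching the report
    if (!validateMaxBodies(kMaxRandomBodies)) {
        std::cerr << "max_bodies must be >= 1, got " << kMaxRandomBodies << "\n";
    }
    if (!randomIntChecked(1, kMaxRandomBodies)) {
        std::cout << "randomIntChecked(1, 0): empty range rejected\n";
    }
    std::cout << "randomIntChecked(1, 5): " << *randomIntChecked(1, 5) << "\n";
    return 0;
}
```

The check belongs at the API boundary (the constructor argument) as well as inside the helper: a fuzzer or a caller passing 0 should get a rejected argument, not a process abort, and the helper should never divide by a value it has not verified is positive.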
