Compiling AFL with clang-5.0.0: loading afl-llvm-pass.so results in a segmentation fault


cc
Oct 18, 2017, 3:15:34 AM
to afl-users
I built AFL llvm_mode with clang-4.0.1 and it worked OK.
But when I build llvm_mode with clang-5.0.0, an error occurs!

$ clang --version
clang version 5.0.0 (tags/RELEASE_500/final)
Target: x86_64-apple-darwin16.4.0
Thread model: posix
InstalledDir: /Users/cc/code/clang+llvm-5.0.0/bin

$ make
[*] Checking for working 'llvm-config'...
[*] Checking for working 'clang'...
[*] Checking for '../afl-showmap'...
[+] All set and ready to build.
clang -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.51b\"  afl-clang-fast.c -o ../afl-clang-fast
ln -sf afl-clang-fast ../afl-clang-fast++
clang++ `llvm-config --cxxflags` -fno-rtti -fpic -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DVERSION=\"2.51b\" -Wno-variadic-macros -shared afl-llvm-pass.so.cc -o ../afl-llvm-pass.so `llvm-config --ldflags`  -Wl,-flat_namespace -Wl,-undefined,suppress
clang -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.51b\"  -fPIC -c afl-llvm-rt.o.c -o ../afl-llvm-rt.o
[*] Building 32-bit variant of the runtime (-m32)... success!
[*] Building 64-bit variant of the runtime (-m64)... success!
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; AFL_QUIET=1 AFL_PATH=. AFL_CC=clang ../afl-clang-fast -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.51b\"  ../test-instr.c -o test-instr
clang-5.0: error: unable to execute command: Segmentation fault: 11
clang-5.0: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 5.0.0 (tags/RELEASE_500/final)
Target: x86_64-apple-darwin16.4.0
Thread model: posix
InstalledDir: /Users/cc/code/clang+llvm-5.0.0/bin
clang-5.0: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.
clang-5.0: error: unable to execute command: Segmentation fault: 11
clang-5.0: note: diagnostic msg: Error generating preprocessed source(s).
make: *** [test_build] Error 254


Jakub Wilk
Oct 18, 2017, 11:54:52 AM
to afl-...@googlegroups.com
* cc <chengch...@gmail.com>, 2017-10-18, 00:15:
>clang-5.0: error: unable to execute command: Segmentation fault: 11

This was reported a while ago:
https://groups.google.com/d/topic/afl-users/Q_eAYAlOGLQ
I'm afraid nobody has figured out what's going on yet. :(

Backtrace:

#0 0xb7fd1b90 in ?? ()
#1 0xb56da57e in llvm::object_deleter<llvm::SmallVector<std::pair<llvm::PassManagerBuilder::ExtensionPointTy, std::function<void (llvm::PassManagerBuilder const&, llvm::legacy::PassManagerBase&)> >, 8u> >::call(void*) () at /usr/include/c++/6/functional:1690
#2 0xb4a6db38 in llvm::ManagedStaticBase::destroy() const () at .../llvm-toolchain-5.0-5.0~+rc2/lib/Support/ManagedStatic.cpp:75
#3 0xb4a6dcb9 in llvm::llvm_shutdown() () at .../llvm-toolchain-5.0-5.0~+rc2/lib/Support/ManagedStatic.cpp:87
#4 0x803f0f49 in main () at .../llvm-toolchain-5.0-5.0~+rc2/include/llvm/Support/ManagedStatic.h:92

--
Jakub Wilk

Jakub Wilk
Oct 20, 2017, 1:36:29 PM
to afl-...@googlegroups.com
I was going to suggest building with AFL_TRACE_PC=1, but it doesn't work
either:

$ make AFL_TRACE_PC=1 CC=clang-5.0 CXX=clang++-5.0
[!] Note: using -fsanitize=trace-pc mode (this will fail with older LLVM).
[*] Checking for working 'clang-5.0'...
[*] Checking for '../afl-showmap'...
[+] All set and ready to build.
clang-5.0 -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.51b\" -DUSE_TRACE_PC=1 afl-clang-fast.c -o ../afl-clang-fast
ln -sf afl-clang-fast ../afl-clang-fast++
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; AFL_QUIET=1 AFL_PATH=. AFL_CC=clang-5.0 ../afl-clang-fast -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.51b\" -DUSE_TRACE_PC=1 ../test-instr.c -o test-instr
clang (LLVM option parsing): Unknown command line argument '-sanitizer-coverage-block-threshold=0'. Try: 'clang (LLVM option parsing) -help'
clang (LLVM option parsing): Did you mean '-sanitizer-coverage-level=0'?
Makefile:97: recipe for target 'test_build' failed
make: *** [test_build] Error 1

--
Jakub Wilk

Brian Carpenter
Oct 20, 2017, 1:51:41 PM
to afl-...@googlegroups.com
Edit afl-clang-fast.c and change line 125 from -sanitizer-coverage-block-threshold=0 to -sanitizer-coverage-level=0 and then try compiling with AFL_TRACE_PC=1 again.




Michal Zalewski
Nov 4, 2017, 9:39:39 PM
to afl-users
Hey folks,

This is on my list; I'll try with clang 5.0 this weekend and report back.

/mz

Michal Zalewski
Nov 5, 2017, 12:47:18 AM
to afl-users
> This is on my list; I'll try with clang 5.0 this weekend and report back.

Hey,

Just checked with current clang on a 64-bit CentOS box, following the
usual build instructions:

https://clang.llvm.org/get_started.html

I can't repro this - the plugin still seems to be working fine for me.
I suspect there's something specific to a single distro or some
particular property of your test environment, but without being able
to repro, I'm not sure if it's a problem that can be fixed or worked
around on AFL side.

/mz

Jakub Wilk
Nov 11, 2017, 3:48:15 PM
to afl-...@googlegroups.com
I'm not sure I'm running into the same bug as other folks, but
afl-clang-fast + clang-5.0 segfaulting is reproducible on Debian
unstable (or testing), both on i386 and amd64:

$ sudo apt-get install llvm-5.0-dev clang-5.0
...
$ cd /path/to/afl-2.52b
$ make
...
$ make -C llvm_mode LLVM_CONFIG=llvm-config-5.0 CC=clang-5.0 CXX=clang++-5.0
make: Entering directory '/path/to/afl-2.52b/llvm_mode'
[*] Checking for working 'llvm-config'...
[*] Checking for working 'clang-5.0'...
[*] Checking for '../afl-showmap'...
[+] All set and ready to build.
clang-5.0 -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.52b\" afl-clang-fast.c -o ../afl-clang-fast
ln -sf afl-clang-fast ../afl-clang-fast++
clang++-5.0 `llvm-config-5.0 --cxxflags` -fno-rtti -fpic -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DVERSION=\"2.52b\" -Wno-variadic-macros -shared afl-llvm-pass.so.cc -o ../afl-llvm-pass.so `llvm-config-5.0 --ldflags`
warning: unknown warning option '-Wno-maybe-uninitialized'; did you mean '-Wno-uninitialized'? [-Wunknown-warning-option]
1 warning generated.
clang-5.0 -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.52b\" -fPIC -c afl-llvm-rt.o.c -o ../afl-llvm-rt.o
[*] Building 32-bit variant of the runtime (-m32)... success!
[*] Building 64-bit variant of the runtime (-m64)... failed (that's fine)
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; AFL_QUIET=1 AFL_PATH=. AFL_CC=clang-5.0 ../afl-clang-fast -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.52b\" ../test-instr.c -o test-instr
clang: error: unable to execute command: Segmentation fault
clang: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 5.0.0-4 (tags/RELEASE_500/final)
Target: i686-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
clang: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.
clang: error: unable to execute command: Segmentation fault
clang: note: diagnostic msg: Error generating preprocessed source(s).
Makefile:97: recipe for target 'test_build' failed
make: *** [test_build] Error 254
make: Leaving directory '/path/to/afl-2.52b/llvm_mode'

Curiously, if I omit the "CXX=clang++-5.0" part, i.e. let the pass be
built with g++, everything works fine.

Initially I set CXX because the makefile uses clang++ by default. But
now I start to wonder if this is a good idea. Wouldn't it make more sense
to use the system compiler to build the pass?

--
Jakub Wilk

Michal Zalewski
Nov 11, 2017, 5:41:58 PM
to afl-users
> Initially I set CXX because the makefile uses clang++ by default. But now I start to wonder if this is good idea. Wouldn't it make more sense to use the system compiler to build the pass?

Weird, do you also repro this with a trunk build as per:

https://clang.llvm.org/get_started.html

...? The use of clang vs gcc should not be making a difference, so I
suspect some clang issue. The reason why llvm_mode prefers to use
clang is that there were several distros where using the flags
returned by llvm-config would not be valid with the version of gcc
they had installed, and using clang tends to alleviate this problem.

But yeah, even though llvm_mode is supposed to be the more supported
and more reliable way of doing things, it breaks a lot more than the
crude "default" approach of modifying the assembly... and the
underlying APIs change regularly, too.

/mz

Nicolas Grégoire
Nov 17, 2017, 4:28:04 PM
to afl-...@googlegroups.com

> Weird, do you also repro this with a trunk build as per:
> https://clang.llvm.org/get_started.html

No, using this method is OK. Using the prebuilt 4.0 binaries is OK too.
But prebuilt 5.0 and 6.0 lead to the previously described crash. 

I tried under Ubuntu 16.04 Docker containers.

Cheers,
Nicolas

Michal Zalewski
Nov 17, 2017, 5:00:41 PM
to afl-users
> I tried under Ubuntu 16.04 Docker containers.

I'm guessing that somebody done messed up with the distro (and it
doesn't normally show because basically nobody else is using
dynamically loaded compiler plugins). Jakub's workaround (to use gcc
as a compiler) or building clang from scratch, seem to be the best
options.

/mz

cc
Dec 19, 2017, 2:08:15 AM
to afl-users
I have resolved this problem.
When you download the LLVM source code, it will work well if you don't check out the libcxx module.
I tried this on Ubuntu 16.04 (Linux version 4.4.0-97-generic (buildd@lcy01-33) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #120-Ubuntu SMP Tue Sep 19 17:28:18 UTC 2017), and it works OK.

clang version 6.0.0 (trunk 318937)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/cc/disk/clang+llvm/build-lld/bin/.


On Saturday, 18 November 2017 at 05:28:04 UTC+8, Nicolas Grégoire wrote:

dubek
Dec 19, 2017, 8:32:45 AM
to afl-users
I also ran into similar problems a few months ago, but that was before clang 5.0 was released and I thought it was a "trunk" bug.

What I found was that this line in llvm_mode/Makefile:

CLANG_CFL    = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS)

One of the flags added by `llvm-config --cxxflags` caused a segfault when clang was loading the .so file. Unfortunately, I don't remember which one it was.

I ended up changing it to something like:

CLANG_CFL = -I$(shell llvm-config --includedir) -fno-rtti -fpic $(CXXFLAGS)



Jakub Wilk
Dec 19, 2017, 11:49:27 AM
to afl-...@googlegroups.com
* dubek <dov....@gmail.com>, 2017-12-19, 05:32:
>CLANG_CFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS)
>
>One of the flags added by `llvm-config --cxxflags` caused a segfault
>when clang was loading the .so file. Unfortunately, I don't remember
>which one it was.

For me it was -fvisibility-inlines-hidden.

--
Jakub Wilk

Heiko Eißfeldt
Jun 4, 2019, 2:09:57 PM
to afl-users
Marc Heuse and I fixed this crash with the following line in llvm_mode/Makefile:

CLANG_CFL    = `$(LLVM_CONFIG) --cxxflags` -Wl,-znodelete -fno-rtti -fpic $(CXXFLAGS)

For reference, see here:
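Editor's added example (not AFL's code, and not the fix Marc Heuse and Heiko Eißfeldt posted above), to verify that the -Wl,-znodelete fix actually landed in a built plugin. Jakub's backtrace earlier in the thread ends in llvm_shutdown() destroying the ManagedStatic vector of std::function extension callbacks, with frame #0 at an address no module claims; that is what you get when the pass plugin that supplied those callbacks has already been dlclose()d and unmapped. -Wl,-znodelete records DF_1_NODELETE in the object's DT_FLAGS_1 dynamic entry, which tells the dynamic loader to keep the object mapped on dlclose(). The program below parses an ELF64 file's PT_DYNAMIC segment and reports whether that flag is present; it works for any ELF64 shared object, not just afl-llvm-pass.so. Assumptions: Linux/glibc (it uses <elf.h>), so the Mach-O toolchain from the first post is out of scope, and the object's byte order matches the host's (true for natively built plugins). The two in-memory sample objects it builds when run without arguments are constructed for the demonstration and are not real plugins.

```c
/* check_nodelete.c: does an ELF64 shared object carry DF_1_NODELETE (-Wl,-z,nodelete)?
 * Added example for this thread, not part of AFL. Linux/glibc only (<elf.h>); assumes
 * the object's byte order matches the host's, which holds for natively built plugins. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum nodelete_status {
    NODELETE_BAD_ELF = -1, /* not an ELF64 image, truncated, or no PT_DYNAMIC segment */
    NODELETE_UNSET   = 0,  /* shared object linked without -Wl,-z,nodelete */
    NODELETE_SET     = 1   /* DF_1_NODELETE present: dlclose() leaves it mapped */
};

/* Walk ELF header -> program headers -> PT_DYNAMIC -> DT_FLAGS_1 of an in-memory image. */
int elf_nodelete_status(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return NODELETE_BAD_ELF;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return NODELETE_BAD_ELF;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof ph;
        if (off > len || sizeof ph > len - off) return NODELETE_BAD_ELF;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type != PT_DYNAMIC) continue;
        /* The dynamic array is a sequence of Elf64_Dyn entries terminated by DT_NULL. */
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return NODELETE_BAD_ELF;
        for (size_t k = 0; k < ph.p_filesz / sizeof(Elf64_Dyn); k++) {
            Elf64_Dyn d;
            memcpy(&d, img + ph.p_offset + k * sizeof d, sizeof d);
            if (d.d_tag == DT_NULL) break;
            if (d.d_tag == DT_FLAGS_1)
                return (d.d_un.d_val & DF_1_NODELETE) ? NODELETE_SET : NODELETE_UNSET;
        }
        return NODELETE_UNSET; /* dynamic section present, but no DT_FLAGS_1 entry at all */
    }
    return NODELETE_BAD_ELF;   /* no PT_DYNAMIC: not a dynamically linked object */
}

/* Same check on a file on disk, e.g. ../afl-llvm-pass.so after `make -C llvm_mode`. */
int elf_file_nodelete_status(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NODELETE_BAD_ELF;
    long sz = (fseek(f, 0, SEEK_END) == 0) ? ftell(f) : -1;
    unsigned char *buf = (sz > 0) ? malloc((size_t)sz) : NULL;
    rewind(f);
    int st = NODELETE_BAD_ELF;
    if (buf && fread(buf, 1, (size_t)sz, f) == (size_t)sz)
        st = elf_nodelete_status(buf, (size_t)sz);
    free(buf);
    fclose(f);
    return st;
}

/* Constructed sample (not a real plugin): the smallest ELF64 image the checker accepts,
 * i.e. an ELF header, one PT_DYNAMIC program header and a dynamic array that optionally
 * carries DT_FLAGS_1 = flags1. Returns the image size, or 0 if the buffer is too small. */
size_t build_sample_so(unsigned char *buf, size_t cap, int with_flags1, uint64_t flags1)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; Elf64_Dyn dyn[2];
    size_t dyn_off = sizeof eh + sizeof ph, total = dyn_off + sizeof dyn;
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph); memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_DYN; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh; eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_DYNAMIC; ph.p_offset = dyn_off; ph.p_filesz = ph.p_memsz = sizeof dyn;
    if (with_flags1) { dyn[0].d_tag = DT_FLAGS_1; dyn[0].d_un.d_val = flags1; }
    /* The remaining zeroed entry is the DT_NULL terminator. */
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, &ph, sizeof ph);
    memcpy(buf + dyn_off, dyn, sizeof dyn);
    return total;
}

int main(int argc, char **argv)
{
    unsigned char buf[256];
    if (argc > 1) { /* check a real object: ./check_nodelete ../afl-llvm-pass.so */
        int st = elf_file_nodelete_status(argv[1]);
        printf("%s: %s\n", argv[1], st == NODELETE_SET ? "DF_1_NODELETE set, dlclose() keeps it mapped"
               : st == NODELETE_UNSET ? "DF_1_NODELETE not set, link with -Wl,-znodelete"
               : "not a readable ELF64 shared object");
        return st == NODELETE_SET ? 0 : 1;
    }
    /* No argument: run the checker over the two constructed samples. */
    size_t n = build_sample_so(buf, sizeof buf, 1, DF_1_NODELETE);
    printf("sample linked with -z nodelete: %d\n", elf_nodelete_status(buf, n));
    n = build_sample_so(buf, sizeof buf, 0, 0);
    printf("sample linked without it:       %d\n", elf_nodelete_status(buf, n));
    return 0;
}
```

Build it with `cc -o check_nodelete check_nodelete.c` and run `./check_nodelete ../afl-llvm-pass.so` after the llvm_mode build; the exit status is 0 only when the flag is present, so it can sit in a build script. `readelf -d ../afl-llvm-pass.so | grep FLAGS_1` shows the same bit as NODELETE if you would rather not carry an extra tool.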