undefined symbol error happened when loading plugin using afl-clang-fast


sunb...@gmail.com

Aug 5, 2015, 4:45:58 AM
to afl-users
Hi guys:
     I am working on fuzzing Android with AFL. When compiling DexDump with afl-clang-fast, I got an error:
            error: unable to load plugin '/home/sun/Research/fuzz/original-afl//afl-llvm-pass.so': '/home/sun/Research/fuzz/original-afl//afl-llvm-pass.so: undefined symbol: _ZN4llvm10ModulePassD2Ev'

  Any ideas? Thanks in advance.

Below is the compile command:

"/home/sun/android_source/prebuilts/clang/linux-x86/host/3.5/bin/clang++" -cc1 -triple thumbv7--linux-androideabi -S -disable-free -disable-llvm-verifier -main-file-name DexDump.cpp -mrelocation-model pic -pic-level 1 -pie-level 1 -relaxed-aliasing -fmath-errno -masm-verbose -no-integrated-as -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu cortex-a8 -target-feature +soft-float-abi -target-feature +vfp3 -target-feature +d16 -target-feature -neon -target-abi aapcs-linux -mfloat-abi soft -target-linker-version 2.22 -v -v -g -ffunction-sections -fdata-sections -coverage-file /tmp/DexDump-461cdf.s -nostdsysteminc -resource-dir /home/sun/android_source/prebuilts/clang/linux-x86/host/3.5/bin/../lib/clang/3.5 -dependency-file out/target/product/generic/obj/EXECUTABLES/dexdump_intermediates/DexDump.d -MT out/target/product/generic/obj/EXECUTABLES/dexdump_intermediates/DexDump.o -sys-header-deps -isystem system/core/include -isystem hardware/libhardware/include -isystem hardware/libhardware_legacy/include -isystem hardware/ril/include -isystem libnativehelper/include -isystem frameworks/native/include -isystem frameworks/native/opengl/include -isystem frameworks/av/include -isystem frameworks/base/include -isystem out/target/product/generic/obj/include -isystem bionic/libc/arch-arm/include -isystem bionic/libc/include -isystem bionic/libstdc++/include -isystem bionic/libc/kernel/uapi -isystem bionic/libc/kernel/uapi/asm-arm -isystem bionic/libm/include -isystem bionic/libm/include/arm -isystem prebuilts/clang/linux-x86/host/3.5/lib/clang/3.5/include/ -isystem out/target/product/generic/obj/include/clang -include build/core/combo/include/arch/linux-arm/AndroidConfig.h -D _FORTIFY_SOURCE=2 -D ANDROID -D NDEBUG -D NDEBUG -U DEBUG -D __compiler_offsetof=__builtin_offsetof -D ANDROID -D NDEBUG -U DEBUG -D __AFL_HAVE_MANUAL_INIT=1 -I dalvik -I dalvik/dexdump -I out/target/product/generic/obj/EXECUTABLES/dexdump_intermediates -I 
out/target/product/generic/gen/EXECUTABLES/dexdump_intermediates -I libnativehelper/include/nativehelper -I build/core/combo/include/arch/linux-arm/ -internal-isystem /home/sun/android_source/prebuilts/clang/linux-x86/host/3.5/bin/../lib/clang/3.5/include -O3 -Wno-multichar -Werror=format-security -W -Wall -Wno-unused -Winit-self -Wpointer-arith -Werror=return-type -Werror=non-virtual-dtor -Werror=address -Werror=sequence-point -Wstrict-aliasing=2 -Werror=int-conversion -W -Wall -Wno-unused -Winit-self -Wpointer-arith -Wsign-promo -Werror=return-type -Werror=non-virtual-dtor -Werror=address -Werror=sequence-point -fdeprecated-macro -fno-dwarf-directory-asm -fdebug-compilation-dir /home/sun/android_source -ferror-limit 19 -fmessage-length 0 -fvisibility-inlines-hidden -funroll-loops -stack-protector 1 -mstackrealign -fno-rtti -fno-signed-char -fobjc-runtime=gcc -fdiagnostics-show-option -vectorize-loops -vectorize-slp -load /home/sun/Research/fuzz/original-afl//afl-llvm-pass.so -o /tmp/DexDump-461cdf.s -x c++ dalvik/dexdump/DexDump.cpp


teor

Aug 5, 2015, 6:52:47 AM
to afl-...@googlegroups.com
On 5 Aug 2015, at 18:45, sunb...@gmail.com wrote:

> Hi guys:
>      I am working on fuzz Android by AFL. When I compiling DexDump by afl-clang-fast, I met an error:
>             error: unable to load plugin '/home/sun/Research/fuzz/original-afl//afl-llvm-pass.so': '/home/sun/Research/fuzz/original-afl//afl-llvm-pass.so: undefined symbol: _ZN4llvm10ModulePassD2Ev'
>
>   Is there any idea? Thanks in advance.

You'll need to compile afl-llvm-pass.so in an architecture compatible with your clang++ (host), not Android (target). This is the most likely explanation for the error.

If everything has been compiled correctly, this looks like either:
* A symbol export / visibility issue, or
* An incompatibility between your version of clang, and the code AFL uses for the plugin. But I think clang 3.5 is recent enough. (You could try clang 3.6 or 3.7.)

Please try to determine:
1. The architecture of afl-llvm-pass.so, and whether it matches the architecture of clang++
2. The symbols exported by afl-llvm-pass.so
3. Whether using clang 3.6 or 3.7 resolves the issue



Tim Wilson-Brown (teor)

teor2345 at gmail dot com
pgp ABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7


sunb...@gmail.com

Aug 6, 2015, 2:49:09 AM
to afl-users
Hi teor:
      Thanks for your suggestion. To avoid the arch and version mismatch, I recompiled AFL on another Linux system with clang 3.6. There is still a symbol error after the test of building llvm-mode:

[*] Checking for working 'llvm-config'...
[*] Checking for working 'clang-3.6'...
[*] Checking for '../afl-showmap'...
[+] All set and ready to build.
clang-3.6 -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"1.85b\" afl-clang-fast.c -o ../afl-clang-fast
ln -sf afl-clang-fast ../afl-clang-fast++
clang++-3.6 `llvm-config --cxxflags` -fno-rtti -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DVERSION=\"1.85b\" -shared afl-llvm-pass.so.cc -o ../afl-llvm-pass.so `llvm-config --ldflags`
afl-llvm-pass.so.cc:50:35: warning: 'override' keyword is a C++11 extension [-Wc++11-extensions]
      bool runOnModule(Module &M) override;
                                  ^
afl-llvm-pass.so.cc:52:39: warning: 'override' keyword is a C++11 extension [-Wc++11-extensions]
      const char *getPassName() const override {
                                      ^
afl-llvm-pass.so.cc:108:8: warning: 'auto' type specifier is a C++11 extension [-Wc++11-extensions]
  for (auto &F : M)
       ^
afl-llvm-pass.so.cc:108:16: warning: range-based for loop is a C++11 extension [-Wc++11-extensions]
  for (auto &F : M)
               ^
afl-llvm-pass.so.cc:109:10: warning: 'auto' type specifier is a C++11 extension [-Wc++11-extensions]
    for (auto &BB : F) {
         ^
afl-llvm-pass.so.cc:109:19: warning: range-based for loop is a C++11 extension [-Wc++11-extensions]
    for (auto &BB : F) {
                  ^
6 warnings generated.
clang-3.6 -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"1.85b\" -fPIC -c afl-llvm-rt.o.c -o ../afl-llvm-rt.o
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN AFL_DEFER_FORKSRV; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. AFL_CC=clang-3.6 ../afl-clang-fast -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"1.85b\" ../test-instr.c -o test-instr
/usr/lib/llvm-3.6/bin/clang: symbol lookup error: ../afl-llvm-pass.so: undefined symbol: _ZN4llvm14GlobalVariableC1ERNS_6ModuleEPNS_4TypeEbNS_11GlobalValue12LinkageTypesEPNS_8ConstantERKNS_5TwineEPS0_NS0_15ThreadLocalModeEjb
clang: error: unable to execute command: No such file or directory
clang: error: clang frontend command failed due to signal (use -v to see invocation)
Ubuntu clang version 3.6.0-2ubuntu1~trusty1 (tags/RELEASE_360/final) (based on LLVM 3.6.0)
Target: x86_64-pc-linux-gnu
Thread model: posix
clang: note: diagnostic msg: PLEASE submit a bug report to http://bugs.debian.org/ and include the crash backtrace, preprocessed source, and associated run script.
clang: note: diagnostic msg:
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang: note: diagnostic msg: /tmp/test-instr-580c20.c
clang: note: diagnostic msg: /tmp/test-instr-580c20.sh
clang: note: diagnostic msg:

********************
make: *** [test_build] Error 255


And I checked the said symbol in afl-llvm-pass.so:

sunblate@sunblate-sun:~/fuzz/afl-1.85b/llvm_mode$ readelf -s -W ../afl-llvm-pass.so |grep ZN4llvm14GlobalVariableC1ERNS_6ModuleEPNS_4TypeEbNS_11GlobalValue12LinkageTypesEPNS_8ConstantERKNS_5TwineEPS0_NS0_15ThreadLocalModeEjb
    40: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND _ZN4llvm14GlobalVariableC1ERNS_6ModuleEPNS_4TypeEbNS_11GlobalValue12LinkageTypesEPNS_8ConstantERKNS_5TwineEPS0_NS0_15ThreadLocalModeEjb
   102: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND _ZN4llvm14GlobalVariableC1ERNS_6ModuleEPNS_4TypeEbNS_11GlobalValue12LinkageTypesEPNS_8ConstantERKNS_5TwineEPS0_NS0_15ThreadLocalModeEjb


I think the 'UND' means 'undefined' here.
I tried to compile with clang 3.5 too; there is the same symbol error in the same place, with the same undefined symbol names.
I don't know what to do next. Any suggestions?


thanks

sunb...@gmail.com

Aug 9, 2015, 11:21:41 PM
to afl-users, sunb...@gmail.com
As a note:
     This error is caused by a version mismatch between llvm and clang.
     Solved by reinstalling llvm-3.6 and clang-3.6.
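
Added example (not part of any poster's message and not AFL's own code): a scripted form of the checks teor asked for and of the version mismatch reported as the cause, working on saved `readelf -s -W` dumps. The function names, the sample dumps and the "3.5.0" llvm-config version are constructed for illustration; only the two symbol names and the clang version string come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are saved symbol dumps:
#   readelf -s -W afl-llvm-pass.so      > plugin.syms
#   readelf -s -W "$(command -v clang)" > host.syms   # the clang that loads the plugin
# readelf -s columns: Num Value Size Type Bind Vis Ndx Name

# Print llvm:: symbols the plugin imports (Ndx UND) that the host does not define.
missing_llvm_syms() {   # $1 = plugin dump, $2 = host dump
  awk '
    $1 !~ /^[0-9]+:$/ || NF < 8 { next }        # skip headers and blank lines
    { sub(/@.*/, "", $8) }                      # drop @VERSION suffixes
    FILENAME == ARGV[1] { if ($7 != "UND") have[$8] = 1; next }
    $7 == "UND" && $8 ~ /4llvm/ && !($8 in have) && !seen[$8]++ { print $8 }
  ' "$2" "$1"
}

# Reduce `llvm-config --version` or `clang --version` text to "major.minor".
major_minor() {
  printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# True when the LLVM the plugin was built against matches the clang loading it.
same_llvm_release() {   # $1 = llvm-config --version, $2 = clang --version line
  [ "$(major_minor "$1")" = "$(major_minor "$2")" ]
}

# Constructed sample dumps; the symbol names are the two quoted in the thread.
GV=_ZN4llvm14GlobalVariableC1ERNS_6ModuleEPNS_4TypeEbNS_11GlobalValue12LinkageTypesEPNS_8ConstantERKNS_5TwineEPS0_NS0_15ThreadLocalModeEjb
MP=_ZN4llvm10ModulePassD2Ev
write_samples() {       # $1 = directory to write plugin.syms and host.syms into
  cat > "$1/plugin.syms" <<EOF
    40: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND $GV
    41: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND $MP
   102: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT  UND $GV
EOF
  cat > "$1/host.syms" <<EOF
   Num:    Value          Size Type    Bind   Vis      Ndx Name
  7001: 0000000000a1b2c0    22 FUNC    GLOBAL DEFAULT   13 $MP
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
missing_llvm_syms "$tmp/plugin.syms" "$tmp/host.syms"   # prints the GlobalVariable constructor
same_llvm_release "3.5.0" "Ubuntu clang version 3.6.0-2ubuntu1~trusty1" || echo "llvm-config and clang differ"
rm -rf "$tmp"
```

If the clang binary links LLVM as a shared library (check with `ldd`), take the host dump from that library instead of the executable.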

sbar...@nvidia.com

Jun 8, 2016, 8:10:00 PM
to afl-users, sunb...@gmail.com
Hi sunb...@gmail.com,

I am running into the same issue of 'undefined symbol: _ZN4llvm10ModulePassD2Ev'.
Were you successful compiling the AFL tool for ARM-based Android?

Thanks for the help.

Regards
Sujeet

ele7...@qq.com

Aug 24, 2016, 11:49:46 AM
to afl-users, sunb...@gmail.com
Hi,
 I am working on this issue, have you solved this error?