AddressSanitizer: SEGV on unknown address 0x000000000000


yog...@gmail.com

Mar 24, 2017, 7:58:30 AM
to libfuzzer
I wrote a very simple .cpp file as below:

#include <cstddef>
#include <cstdint>
#include <iostream>

using namespace std;

class MyClass
{
public:
    int get(void)
    {
        return myData;
    }
    MyClass(int data)
    {
        myData = data;
        cout << "Construct MyClass,myData = " << myData << endl;
    }
private:
    int myData;
};

// libFuzzer entry point: called once per generated input.
// Note that this target only looks at Size; the bytes in Data are not used.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    cout << "Successfuly enter LLVMFuzzerTestOneInput!" << endl;
    MyClass myObject((int)Size);
    int data = myObject.get();
    cout << "Successfuly! data = " << data << endl;
    return 0;
}


built with the Android.mk below on Android O

include $(CLEAR_VARS)
LOCAL_SRC_FILES := fuzz_me.cpp
LOCAL_SHARED_LIBRARIES := liblog 
LOCAL_STATIC_LIBRARIES := libsan libasan
LOCAL_SANITIZE := address 
LOCAL_CFLAGS := -Wno-multichar -g
LOCAL_MODULE_TAGS := optional
LOCAL_CLANG := true
LOCAL_MODULE := fuzz_me
include $(BUILD_FUZZ_TEST)

run as below

$ make -j$(nproc) ANDROID_USE_BUILDCACHE=false PRODUCT-$TARGET_PRODUCT-$TARGET_BUILD_VARIANT
$ make -j$(nproc) PRODUCT-$TARGET_PRODUCT-$TARGET_BUILD_VARIANT userdataimage userdatatarball SANITIZE_TARGET='address coverage'
$ make -j$(nproc) fuzz_me
$ adb push $OUT/data/nativetest/fuzzers/cxa_demangle_fuzzer/fuzz_me /data/local/tmp
$ adb shell /data/local/tmp/fuzz_me -max_len=64

Then I got this; it shows that the first run of my code is ok and prints normally.
But why does ASAN then get the DEADLYSIGNAL...

C:\Users\pKirinAutoTest\Desktop\yyp_test\o_android>adb shell /data/local/tmp/fuzz_me -max_len=64 -use_counters=1 -runs=1000000
WARNING: Failed to find function "__sanitizer_get_coverage_pc_buffer".
INFO: Seed: 3085682192
INFO: A corpus is not provided, starting from an empty corpus
#0      READ   units: 1 exec/s: 0
Successfuly enter LLVMFuzzerTestOneInput!
Size:0
Construct MyClass,myData = 0
Successfuly! data = 0
ASAN:DEADLYSIGNAL
=================================================================
==2576==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x007ff80b18c0 sp 0x007ff80b1890 T0)
==2576==Hint: pc points to the zero page.
==2576==The signal is caused by a READ memory access.
==2576==Hint: address points to the zero page.

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
==2576==ABORTING


artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64:
==2576== ERROR: libFuzzer: deadly signal
    #0 0x7ee71a01c7  (/data/lib64/libclang_rt.asan-aarch64-android.so+0x7d1c7)
    #1 0x608162df53  (/data/local/tmp/fuzz_me+0xcf53)
    #2 0x608162df17  (/data/local/tmp/fuzz_me+0xcf17)
    #3 0x7ee80bf4df  ([vdso]+0x4df)
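A note on what the report above means, with an added illustration that is not code from this thread or from libFuzzer itself: ASan says the faulting pc is 0x0, i.e. execution jumped to address zero, which is what a call through a null function pointer produces. libFuzzer resolves optional sanitizer and coverage hooks as weak symbols (the FuzzerExtFunctionsWeak.cpp that appears later in this thread; the "Failed to find function" warning above comes from such a lookup), so a missing hook resolves to null and must be checked before it is called. The example uses two hypothetical hooks, demo_missing_hook and demo_present_hook, to show the weak-symbol resolution and the null check that turns a missing hook into a warning rather than a jump to address zero. That this particular crash is an unguarded call of a missing hook is an assumption; the log is consistent with it but does not prove it.

```cpp
#include <cstdio>

// Two optional runtime hooks. Declaring them weak makes the linker resolve a
// missing one to address 0 instead of failing the link; this is the mechanism
// libFuzzer's FuzzerExtFunctionsWeak.cpp relies on for optional sanitizer
// hooks. Both names here are hypothetical stand-ins, not real interfaces.
extern "C" long demo_missing_hook(long *out) __attribute__((weak));   // never defined anywhere
extern "C" long demo_present_hook(long *out) __attribute__((weak));   // defined just below

extern "C" long demo_present_hook(long *out) {
  *out = 42;   // constructed value, standing in for e.g. a PC-buffer size
  return 1;
}

// Resolution status: a weak, undefined function compares equal to nullptr.
bool MissingHookPresent() { return demo_missing_hook != nullptr; }
bool PresentHookPresent() { return demo_present_hook != nullptr; }

// Guarded call. Without the null check, calling an absent weak function is a
// call through a null function pointer: the CPU jumps to address 0, and ASan
// reports it as "SEGV on unknown address 0x0 ... pc points to the zero page".
long CallHookGuarded(long (*hook)(long *), const char *name) {
  if (hook == nullptr) {
    std::fprintf(stderr, "WARNING: Failed to find function \"%s\".\n", name);
    return -1;   // "hook unavailable", instead of crashing
  }
  long value = 0;
  hook(&value);
  return value;
}

long CallMissingHook() { return CallHookGuarded(demo_missing_hook, "demo_missing_hook"); }
long CallPresentHook() { return CallHookGuarded(demo_present_hook, "demo_present_hook"); }

int main() {
  std::printf("demo_missing_hook present: %d, guarded call -> %ld\n",
              MissingHookPresent(), CallMissingHook());
  std::printf("demo_present_hook present: %d, guarded call -> %ld\n",
              PresentHookPresent(), CallPresentHook());
  return 0;
}
```

Linked on Linux with a plain `clang++ hooks.cpp`, the missing hook prints the warning and returns -1 while the present one returns 42; removing the null check in CallHookGuarded and calling the missing hook reproduces a pc-0 fault of the same shape as the one in the log.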






Konstantin Serebryany

Mar 24, 2017, 2:16:39 PM
to yog...@gmail.com, libfuzzer
You are still using stale libFuzzer, which is unfortunately what you have in the android tree. 
Does this happen with the fresh libFuzzer? 
Does asan (w/o libFuzzer) work for you? 
Does this work for you on Linux (not Android)? 


yog...@gmail.com

Mar 25, 2017, 3:10:20 AM
to libfuzzer
Thank you for your reply~
The stable libFuzzer is provided by the original Android AOSP, and the version of clang in Android is 3.8.
I just wrote an Android.mk and one cpp file, then built it to get an executable binary file running on the phone.
Using a new version of clang and libFuzzer by changing the compile toolchain is difficult in the Android compile structure.


Konstantin Serebryany

Mar 25, 2017, 11:10:46 AM
to yog...@gmail.com, libfuzzer
On Sat, Mar 25, 2017 at 12:10 AM, <yog...@gmail.com> wrote:
> Thank you for your reply~
> The stable libFuzzer is provided by the original Android AOSP, and the version of clang in Android is 3.8.
> I just wrote an Android.mk and one cpp file, then built it to get an executable binary file running on the phone.
> Using a new version of clang and libFuzzer by changing the compile toolchain is difficult

Yes. But only changing the version of libFuzzer might be easy. It's just a bunch of .h and .cpp files that you need to replace.

> in the Android compile structure.

As with your previous question, sadly, I can not help you on Android.
Summoning folks who can...

--kcc
 

daniel...@google.com

Mar 27, 2017, 3:04:09 PM
to libfuzzer, yog...@gmail.com

We're working on getting the toolchain completely up to date. Here's what I've been using as a workaround:

1) make a directory for llvm & cd to it (assuming it is ~/llvm for the rest of the instructions, also assuming AOSP is located at ~/aosp)
2) svn checkout -r285906 http://llvm.org/svn/llvm-project/llvm/trunk llvm
3) cp -R ~/llvm/lib/Fuzzer ~/aosp/external/llvm/lib/Fuzzer

then change LOCAL_CFLAGS in fuzz_test.mk from

LOCAL_CFLAGS += -fsanitize-coverage=edge,indirect-calls,8bit-counters,trace-cmp

to 

LOCAL_CFLAGS += -fsanitize-coverage=trace-pc-guard

Should be able to build your fuzzer successfully after these changes. Updates should be coming soon.

yog...@gmail.com

Mar 28, 2017, 4:24:22 AM
to libfuzzer
Thank you very much for your reply.
I got this error following what you said:

clang++: error: unsupported argument 'trace-pc-guard' to option 'fsanitize-coverage='

I run it on Android N; its clang version is 3.8, which still does not support the trace-pc-guard option :(

Then I used the old coverage option, and I got this:


[ 92% 127/137 1.396] host C++: libLLVMFuzzerNoMain <= external/llvm/lib/Fuzzer/FuzzerInterface.cpp
FAILED: /bin/bash -c "(PWD=/proc/self/cwd   prebuilts/clang/host/linux-x86/clang-2690385/bin/clang++ -I external/compiler-rt/include -I external/llvm/lib/Fuzzer -I out/host/linux-x86/obj/STATIC_LIBRARIES/libLLVMFuzzerNoMain_intermediates -I out/host/linux-x86/gen/STATIC_LIBRARIES/libLLVMFuzzerNoMain_intermediates -I libnativehelper/include/nativehelper \$(cat out/host/linux-x86/obj/STATIC_LIBRARIES/libLLVMFuzzerNoMain_intermediates/import_includes) -isystem system/core/include -isystem system/media/audio/include -isystem hardware/libhardware/include -isystem hardware/libhardware_legacy/include -isystem hardware/ril/include -isystem libnativehelper/include -isystem frameworks/native/include -isystem frameworks/native/opengl/include -isystem frameworks/av/include -isystem frameworks/base/include -isystem tools/include -isystem out/host/linux-x86/obj/include -c    -fno-exceptions -Wno-multichar -m64 -Wa,--noexecstack -fPIC -no-canonical-prefixes -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector -D__STDC_FORMAT_MACROS -D__STDC_CONSTANT_MACROS -DANDROID -fmessage-length=0 -W -Wall -Wno-unused -Winit-self -Wpointer-arith -Wformat -DOEMINFO_VERSION6 -O2 -g -fno-strict-aliasing -DNDEBUG -UDEBUG  -D__compiler_offsetof=__builtin_offsetof -Werror=int-conversion -Wno-reserved-id-macro -Wno-format-pedantic -Wno-unused-command-line-argument -fcolor-diagnostics   --gcc-toolchain=prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8 -fstack-protector-strong    --gcc-toolchain=prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8 --sysroot prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8/sysroot -target x86_64-linux-gnu   -Wsign-promo  -Wno-inconsistent-missing-override   --gcc-toolchain=prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8 --sysroot prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8/sysroot -isystem prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8/x86_64-linux/include/c++/4.8 -isystem 
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8/x86_64-linux/include/c++/4.8/x86_64-linux -isystem prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8/x86_64-linux/include/c++/4.8/backward -target x86_64-linux-gnu  -fPIC -D_USING_LIBCXX -std=gnu++14 -nostdinc++  -Werror=int-to-pointer-cast -Werror=pointer-to-int-cast  -Werror=address-of-temporary -Werror=null-dereference -Werror=return-type    -MD -MF out/host/linux-x86/obj/STATIC_LIBRARIES/libLLVMFuzzerNoMain_intermediates/FuzzerInterface.d -o out/host/linux-x86/obj/STATIC_LIBRARIES/libLLVMFuzzerNoMain_intermediates/FuzzerInterface.o external/llvm/lib/Fuzzer/FuzzerInterface.cpp ) && (cp out/host/linux-x86/obj/STATIC_LIBRARIES/libLLVMFuzzerNoMain_intermediates/FuzzerInterface.d out/host/linux-x86/obj/STATIC_LIBRARIES/libLLVMFuzzerNoMain_intermediates/FuzzerInterface.P; sed -e 's/#.*//' -e 's/^[^:]*: *//' -e 's/ *\\\\\$//' -e '/^\$/ d' -e 's/\$/ :/' < out/host/linux-x86/obj/STATIC_LIBRARIES/libLLVMFuzzerNoMain_intermediates/FuzzerInterface.d >> out/host/linux-x86/obj/STATIC_LIBRARIES/libLLVMFuzzerNoMain_intermediates/FuzzerInterface.P; rm -f out/host/linux-x86/obj/STATIC_LIBRARIES/libLLVMFuzzerNoMain_intermediates/FuzzerInterface.d )"
external/llvm/lib/Fuzzer/FuzzerInterface.cpp:18:6: error: use of undeclared identifier 'FuzzerRandomLibc'
void FuzzerRandomLibc::ResetSeed(unsigned int seed) { srand(seed); }
     ^
external/llvm/lib/Fuzzer/FuzzerInterface.cpp:20:8: error: use of undeclared identifier 'FuzzerRandomLibc'
size_t FuzzerRandomLibc::Rand() { return rand(); }
       ^
external/llvm/lib/Fuzzer/FuzzerInterface.cpp:22:1: error: use of undeclared identifier 'UserSuppliedFuzzer'
UserSuppliedFuzzer::UserSuppliedFuzzer(FuzzerRandomBase *Rand)
^
external/llvm/lib/Fuzzer/FuzzerInterface.cpp:22:40: error: unknown type name 'FuzzerRandomBase'
UserSuppliedFuzzer::UserSuppliedFuzzer(FuzzerRandomBase *Rand)
                                       ^
external/llvm/lib/Fuzzer/FuzzerInterface.cpp:25:1: error: use of undeclared identifier 'UserSuppliedFuzzer'
UserSuppliedFuzzer::~UserSuppliedFuzzer() {
^
5 errors generated.


Then I translated Fuzzer/build.sh into an Android.mk to build a libFuzzer.a via INCLUDE_STATIC_LIBRARY,

and it works~

yog...@gmail.com

Mar 28, 2017, 5:12:02 AM
to libfuzzer
thx all the same,you inspire me~

yog...@gmail.com

Mar 28, 2017, 5:15:44 AM
to libfuzzer
################################################################################
include $(CLEAR_VARS)

LOCAL_SRC_FILES :=  FuzzerExtFunctionsWeakAlias.cpp FuzzerIOPosix.cpp FuzzerShmemWindows.cpp FuzzerTracePC.cpp FuzzerExtFunctionsWeak.cpp FuzzerMain.cpp FuzzerExtFunctionsDlsym.cpp FuzzerLoop.cpp FuzzerShmemPosix.cpp FuzzerUtilLinux.cpp FuzzerUtilWindows.cpp FuzzerIOWindows.cpp FuzzerIO.cpp FuzzerUtilDarwin.cpp FuzzerMutate.cpp FuzzerUtilPosix.cpp FuzzerDriver.cpp FuzzerTraceState.cpp FuzzerSHA1.cpp FuzzerExtFunctionsDlsymWin.cpp FuzzerUtil.cpp FuzzerCrossOver.cpp FuzzerMerge.cpp

LOCAL_CFLAGS += -g -O2 -fno-omit-frame-pointer -std=c++11 
LOCAL_MODULE := libFuzzer
include $(BUILD_STATIC_LIBRARY)
################################################################################
include $(CLEAR_VARS)
LOCAL_SRC_FILES :=  fuzz_me.cpp
LOCAL_MODULE := fuzz_me_new
LOCAL_CFLAGS := -Wno-multichar -g
LOCAL_SANITIZE := address 
LOCAL_CLANG := true
include $(BUILD_FUZZ_TEST)


I wrote my Android.mk like this, and modified build/core/fuzz_test.mk:
LOCAL_STATIC_LIBRARIES += libLLVMFuzzer   ------> LOCAL_STATIC_LIBRARIES += libFuzzer
Then I got this error:

ERROR: no interesting inputs were found. Is the code instrumented for coverage? Exiting.



On Tuesday, March 28, 2017 at 3:04:09 AM UTC+8, Dan A wrote:

Dan Austin

Mar 29, 2017, 12:22:40 PM
to yog...@gmail.com, libfuzzer
Ah, yes, libLLVMFuzzer was changed to libFuzzer in Android recently, forgot about that.

If you copied LLVM from upstream revision 285906, trace-pc-guard should work; I just attempted it and it seems fine. Let me look into the build files a bit more, and should have a good answer for you.


yog...@gmail.com

Mar 30, 2017, 4:28:16 AM
to libfuzzer
LOCAL_PATH:= $(call my-dir)

################################################################################
include $(CLEAR_VARS)
LOCAL_SRC_FILES :=  FuzzerExtFunctionsWeakAlias.cpp FuzzerIOPosix.cpp FuzzerShmemWindows.cpp FuzzerTracePC.cpp FuzzerExtFunctionsWeak.cpp FuzzerMain.cpp FuzzerExtFunctionsDlsym.cpp FuzzerLoop.cpp FuzzerShmemPosix.cpp FuzzerUtilLinux.cpp FuzzerUtilWindows.cpp FuzzerIOWindows.cpp FuzzerIO.cpp FuzzerUtilDarwin.cpp FuzzerMutate.cpp FuzzerUtilPosix.cpp FuzzerDriver.cpp FuzzerTraceState.cpp FuzzerSHA1.cpp FuzzerExtFunctionsDlsymWin.cpp FuzzerUtil.cpp FuzzerCrossOver.cpp FuzzerMerge.cpp
LOCAL_CFLAGS += -g -O2 -fno-omit-frame-pointer -std=c++11 
LOCAL_MODULE := libFuzzer
include $(BUILD_HOST_STATIC_LIBRARY)
################################################################################
include $(CLEAR_VARS)
LOCAL_SRC_FILES :=  fuzz_me.cpp
LOCAL_MODULE := fuzz_me_new
LOCAL_SANITIZE := address   
LOCAL_STATIC_LIBRARIES :=libFuzzer 
LOCAL_CFLAGS := -fsanitize-coverage=trace-pc-guard -fsanitize=address 
LOCAL_C_INCLUDES := prebuilts/clang/host/linux-x86/clang-2963211/lib/clang/5.0.0/include
LOCAL_CXX := prebuilts/clang/host/linux-x86/clang-2963211/bin/clang
include $(BUILD_HOST_EXECUTABLE)



libFuzzer and clang are fresh; it works~~~

yog...@gmail.com

Mar 30, 2017, 4:36:56 AM
to libfuzzer
But I still don't know why, when I use the old clang with the old -fsanitize-coverage=edge,indirect-calls,8bit-counters,trace-cmp and link with a libFuzzer.a compiled from fresh source with the old clang,
the fuzzer tells me no coverage is instrumented.
I think libFuzzer DOES NOT rely on the compiler; it just needs the compiler to provide coverage information.
Does the new libFuzzer not support the old -fsanitize-coverage=edge?
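The "no interesting inputs were found. Is the code instrumented for coverage?" error earlier in the thread and the question just above have the same root: a libFuzzer of this vintage (the one whose source list includes FuzzerTracePC.cpp) receives edge coverage through the __sanitizer_cov_trace_pc_guard_init / __sanitizer_cov_trace_pc_guard callbacks, which only -fsanitize-coverage=trace-pc-guard makes the compiler emit. The older edge,indirect-calls,8bit-counters flag set emits different callbacks, so the fresh runtime registers zero guards and has no feedback to work with. The following added example (not the thread's or libFuzzer's code) is a minimal trace-pc-guard runtime plus a simulated instrumented module, with a constructed guard array and a hypothetical ClassifyByte target, showing how guard registration is counted and why zero registered guards produces that verdict.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Minimal stand-in for libFuzzer's trace-pc-guard collector (not its code).
static std::vector<uint32_t *> g_registered_ranges;   // start of each registered module
static uint32_t g_next_guard_id = 1;                  // 0 means "no guard / already seen"
static std::vector<uint32_t> g_edges_seen;            // guard ids hit at least once

// An instrumented module calls this at start-up with its range of guard slots.
extern "C" void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
  if (start == stop) return;
  if (std::find(g_registered_ranges.begin(), g_registered_ranges.end(), start) !=
      g_registered_ranges.end())
    return;                                           // this module was already registered
  g_registered_ranges.push_back(start);
  for (uint32_t *g = start; g < stop; ++g) *g = g_next_guard_id++;
}

// Instrumented code calls this on every edge with that edge's guard slot.
extern "C" void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
  if (!*guard) return;                                // edge already recorded
  g_edges_seen.push_back(*guard);
  *guard = 0;                                         // report each edge once
}

size_t NumGuards() { return g_next_guard_id - 1; }
size_t DistinctEdgesHit() { return g_edges_seen.size(); }
bool CodeIsInstrumented() { return NumGuards() > 0; }

// The check the fuzzer's start-up amounts to: no registered guards means no
// feedback is possible, whatever the target does with its input.
const char *StartupVerdict() {
  return CodeIsInstrumented()
             ? "coverage feedback available"
             : "no interesting inputs were found. Is the code instrumented for coverage?";
}

// Hypothetical target logic with four distinct paths.
int ClassifyByte(uint8_t b) {
  if (b >= '0' && b <= '9') return 0;
  if (b >= 'A' && b <= 'Z') return 1;
  if (b >= 'a' && b <= 'z') return 2;
  return 3;
}

// Stand-in for what the compiler does in an instrumented module: one guard
// slot per edge (constructed array here), registered once, then hit as the
// corresponding path executes. Returns the number of distinct edges seen so far.
size_t SimulateInstrumentedModule(const std::string &input) {
  static uint32_t guards[4] = {0, 0, 0, 0};
  __sanitizer_cov_trace_pc_guard_init(guards, guards + 4);
  for (unsigned char c : input) __sanitizer_cov_trace_pc_guard(&guards[ClassifyByte(c)]);
  return DistinctEdgesHit();
}

int main() {
  std::printf("before any module registers: %s\n", StartupVerdict());
  std::printf("after a simulated module: %zu guards, %zu distinct edges hit\n",
              NumGuards(), SimulateInstrumentedModule("a1bZ"));
  std::printf("verdict now: %s\n", StartupVerdict());
  return 0;
}
```

Compiled plainly, nothing registers a guard and StartupVerdict() is the "not instrumented" message; the simulated module then shows the counting. To see real guards, compile this file uninstrumented and link it against a target compiled with -fsanitize-coverage=trace-pc-guard, as clang's SanitizerCoverage documentation does.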

yog...@gmail.com

Mar 30, 2017, 5:23:43 AM
to libfuzzer
But when I build with include $(BUILD_EXECUTABLE) in the same way and run the fuzzer on the phone (make -j SANITIZE_TARGET='address coverage'),
I got this error:
"/system/bin/sh": cannot locate symbol "__asan_version_mismatch_check_v6" referenced by "/system/bin/sh"...

yog...@gmail.com

May 23, 2017, 3:58:13 AM
to libfuzzer
hi~ long time no see, are you still here? :)

I found that you introduced libFuzzer to Android, so your reply will be very valuable to me.
I'm working on libFuzzer testing based on Android O, and my fuzzer always crashes directly.
I modified the libFuzzer lib in build/core/fuzz_test.mk from libLLVMFuzzer to libFuzzer, which is in prebuilts/clang/host/linux-x86,
and my fuzzer runs normally.
We have some problems getting a coverage report; sancov can't help us on arm :(
I downloaded fresh libFuzzer source code to define my own libOWNFuzzer, like libLLVMFuzzer, in Android.bp,
but I got nothing with dump_coverage=1 or print_pcs=1.

How can I hear from you as soon as possible? Our company has a cooperation with Google; how can I send email to you?
thank you~

On Thursday, March 30, 2017 at 12:22:40 AM UTC+8, Dan A wrote:

Konstantin Serebryany

May 23, 2017, 12:49:46 PM
to yog...@gmail.com, libfuzzer
On Tue, May 23, 2017 at 12:58 AM, <yog...@gmail.com> wrote:
> hi~ long time no see, u still here ? :)
>
> I found you introduce libFuzzer to Android

Not really.
We are experimenting with libFuzzer on Android and eventually will have it working there,
but as of today it's not going to work out of the box and we don't support it.
Please either be patient, or fix things yourself, or use libFuzzer on a Linux box.

--kcc


yog...@gmail.com

May 26, 2017, 4:51:03 AM
to libfuzzer

hi~ long time no see, are you still here? :)

I found that you introduced libFuzzer to Android, so your reply will be very valuable to me.
I'm working on libFuzzer testing based on Android O, and my fuzzer always crashes directly.
I modified the libFuzzer lib in build/core/fuzz_test.mk from libLLVMFuzzer to libFuzzer, which is in prebuilts/clang/host/linux-x86,
and my fuzzer runs normally.
We have some problems getting a coverage report; sancov can't help us on arm :(
I downloaded fresh libFuzzer source code to define my own libOWNFuzzer, like libLLVMFuzzer, in Android.bp,
but I got nothing with dump_coverage=1 or print_pcs=1.

How can I hear from you as soon as possible? Our company has a cooperation with Google; how can I send email to you?
thank you~

On Thursday, March 30, 2017 at 12:22:40 AM UTC+8, Dan A wrote:
> Ah, yes, libLLVMFuzzer was changed to libFuzzer in Android recently, forgot about that.

yog...@gmail.com

May 26, 2017, 4:54:24 AM
to libfuzzer
Sorry, I said these to Dan A; he introduced libFuzzer to Android.
It runs ok~
Thank you for your help.

On Wednesday, May 24, 2017 at 12:49:46 AM UTC+8, Konstantin Serebryany wrote:

