-
Notifications
You must be signed in to change notification settings - Fork 631
LLVM trace-pc mode build failed using Clang 10.0.0-svn371489 #30
Comments
Hmmm....I just successfully ran I'm not sure what to make of the fact that it works fine for AFLplusplus either. |
I was also unable to reproduce this problem using Are you sure the details of your local setup are correct? Maybe this particular version of clang is broken and if you try again it will work. |
Could you explain why you do this btw? When use trace-pc-guard we don't use afl-clang-fast and we don't use this flag, so if there is a reason not to do it, I'd be happy to get rid of it from afl-clang-fast in general. |
I can explain why this happens, as we had/have the same issue, and it has nothing to do the the pcguard feature. Starting with llvm 9 the optimizer is very strong and so what happens because all that is different in the program output of 0 and 1 is the printf parameter, that is all that is changed via an index pointer, hence the exact basic blocks are visited for both inputs. so what we did (or hexcoder who found that issue and fixed it), is that we use 0 (or 1) as the first test input, and " < /dev/null" as the second, as this triggers a different code path. |
On Wed, Sep 11, 2019 at 11:59 PM jonathanmetzman ***@***.***> wrote:
of course, I commented out -sanitizer-coverage-block-threshold=0 related
lines in afl-clang-fast.c
Could you explain why you do this btw? When use trace-pc-guard we don't
use afl-clang-fast and we don't use this flag, so if there is a reason not
to do it, I'd be happy to get rid of it from afl-clang-fast in general.
LLVM replaced "-sanitizer-coverage-block-threshold" with
"--sanitizer-coverage-level" in certain commit (probably in LLVM 5.0) and make it default to 0.
Without commenting out the related lines in afl-clang-fast.c, my builds of
AFL reports something like "Unknown command line argument
'-sanitizer-coverage-block-threshold=0'. Try: 'clang (LLVM option parsing)
--help'".
I think afl-clang-fast needs that option when LLVM sanitizer trace pc guard
mode is used, in which scenario afl-llvm-rt.o.c implements the
callbacks __sanitizer_cov_trace_pc_guard_init
and __sanitizer_cov_trace_pc_guard, rather than relies on afl-llvm-pass.so.
… —
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#30?email_source=notifications&email_token=AAGN4A6SHIKS7HLTW7BE33TQJEIXPA5CNFSM4IVVMHI2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6O7YGI#issuecomment-530447385>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAGN4AYAJXUPMYE26SKYB2TQJEIXPANCNFSM4IVVMHIQ>
.
|
On Thu, Sep 12, 2019 at 4:11 PM van Hauser ***@***.***> wrote:
I can explain why this happens, as we had/have the same issue, and it has
nothing to do the the pcguard feature.
Starting with llvm 9 the optimizer is very strong and so what happens
because all that is different in the program output of 0 and 1 is the
printf parameter, that is all that is changed via an index pointer, hence
the exact basic blocks are visited for both inputs.
Yes! Confirmed with the generated "test-instr" on my machine.
so what we did (or hexcoder who found that issue and fixed it), is that we
use 0 (or 1) as the first test input, and " < /dev/null" as the second, as
this triggers a different code path.
Nice trick! Perhaps a more complicated test program that dumbs the
optimizer is better:)
… —
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#30?email_source=notifications&email_token=AAGN4A5Q47ZOVTMRKUOD32TQJH2RJA5CNFSM4IVVMHI2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD6RBOHQ#issuecomment-530716446>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAGN4A5ROGLLIFKHIUX6SE3QJH2RJANCNFSM4IVVMHIQ>
.
|
Thanks @vanhauser-thc I'll change the test when I get a chance (probably tomorrow). |
Just to add, I encountered the similar issue.
|
Thanks for the report. I've put up #33 to fix this. |
I was trying AFL-2.54b with the LLVM trace_pc_guard feature, however it failed to build with LLVM 10.0.0-svn371489 (of course, I commented out
-sanitizer-coverage-block-threshold=0
related lines in afl-clang-fast.c).The error message is like:
So it turns out that the execution traces are unexpectedly the same when the inputs are 0 and 1, which can be confirmed by observing the following results:
I got LLVM/Clang from https://apt.llvm.org (Ubuntu 18.04.2 LTS).
I also tried building AFL-2.54b with LLVM-4.0, where there are no issues for builds, and the trace_pc_mode seems working on projects such as exiv2.
Meanwhile, I tried AFLplusplus with the same LLVM/Clang build tools (v10.0), it builds and tests without errors, despite that compared to AFL-2.54b I can see no big changes for the trace_pc_guard feature.
The text was updated successfully, but these errors were encountered: