AngoraFuzzer / Angora

Angora is a mutation-based fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.
Apache License 2.0

llvm6 build not working correctly yet #31

Open RoelVdP opened 5 years ago

RoelVdP commented 5 years ago

1) During a test compile of a target program, I saw in the config.log (as generated by the test compile) that dfsan_abilist.txt was missing from the bin directory when using the llvm6 tree. This is using the Ubuntu stock llvm 6.

There is, however, a dfsan_abilist.txt that is generated in ./llvm_mode/bin/ when building Angora, so cp llvm_mode/bin/* ./bin/ may be a valid workaround, but then there are further (likely unrelated) failures, as described in point 2 below.

(And, FYI, when using Angora with a standard llvm 4.0.0 (built as described in the README), this file is correctly generated as ./bin/dfsan_abilist.txt when using ./build/build.sh. In the output one also sees cat ./rt/done_abilist.txt ./rt/libc_ubuntu1404_abilist.txt > ../../bin//dfsan_abilist.txt - I did not check if that same step happens with the build.sh in the llvm6 tree, i.e. it may be that build.sh is simply not maintained in the llvm6 tree, or is different there, or similar.)

2) When trying to compile target programs, as can be seen from config.log (as generated by such a test compile), there are segfaults in the Angora clang:

...
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7.3.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
... rest of stderr output deleted ...     << This message is actually present in config.log, it is not from me
configure:3738: $? = 1
configure:3727: /home/roel/Angora/bin/angora-clang -V >&5
clang: error: unsupported option '-V -g'
configure:3738: $? = 1
configure:3727: /home/roel/Angora/bin/angora-clang -qversion >&5
clang: error: unknown argument: '-qversion'
configure:3738: $? = 1
configure:3758: checking whether the C compiler works
configure:3780: /home/roel/Angora/bin/angora-clang    conftest.c  >&5
angora-llvm-pass
[+] Fast Mode.
ModName: conftest.c -- 2172625728
clang: error: unable to execute command: Segmentation fault (core dumped)
clang: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
clang: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.
clang: error: unable to execute command: Segmentation fault (core dumped)
clang: error: unable to execute command: Segmentation fault (core dumped)
clang: note: diagnostic msg: Error generating preprocessed source(s).
configure:3784: $? = 254
configure:3822: result: no
configure: failed program was:
| /* confdefs.h */
...
RoelVdP commented 5 years ago

Even though the llvm6 branch also shows cat ./rt/done_abilist.txt ./rt/libc_ubuntu1404_abilist.txt > ../../bin//dfsan_abilist.txt, it does not update angora_abilist.txt in ./bin. It does update it in ./llvm_mode/bin/.
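The two checks that the first two comments above do by hand (is dfsan_abilist.txt actually in ./bin, and does angora-clang survive a configure-style probe compile), as an added shell example. This is not code from the Angora repository or from the issue author; the directory layout, the rt abilist file names and the ANGORA_ROOT / ANGORA_RT_DIR variables are assumptions taken from the paths quoted in the thread, so adjust them to your tree.

```shell
#!/bin/sh
# Added example, not part of Angora. Sanity-checks an Angora build before
# pointing a target's ./configure at bin/angora-clang.
# Assumed layout (from the paths quoted in the issue):
#   $ANGORA_ROOT/bin              - where configure expects dfsan_abilist.txt
#   $ANGORA_ROOT/llvm_mode/bin    - where the llvm6 tree actually writes it
#   $ANGORA_RT_DIR                - the rt/ directory holding done_abilist.txt
#                                   and libc_ubuntu1404_abilist.txt
set -u

# ensure_abilist BIN_DIR RT_DIR LLVM_MODE_BIN
# Makes sure BIN_DIR/dfsan_abilist.txt exists, trying in order:
#   1. already present in BIN_DIR        -> nothing to do
#   2. copy from LLVM_MODE_BIN           -> the cp workaround from the issue
#   3. regenerate as build.sh does, by concatenating the two rt abilists
# Returns 0 if the file is in place afterwards, 1 otherwise.
ensure_abilist() {
    bin_dir=$1; rt_dir=$2; lm_bin=$3
    target="$bin_dir/dfsan_abilist.txt"
    mkdir -p "$bin_dir"
    if [ -s "$target" ]; then
        echo "ok: $target present"
    elif [ -s "$lm_bin/dfsan_abilist.txt" ]; then
        cp "$lm_bin/dfsan_abilist.txt" "$target"
        echo "copied $lm_bin/dfsan_abilist.txt -> $target"
    elif [ -s "$rt_dir/done_abilist.txt" ] && [ -s "$rt_dir/libc_ubuntu1404_abilist.txt" ]; then
        cat "$rt_dir/done_abilist.txt" "$rt_dir/libc_ubuntu1404_abilist.txt" > "$target"
        echo "regenerated $target from $rt_dir"
    fi
    [ -s "$target" ]
}

# smoke_compile CC WORK_DIR
# Compiles a minimal probe of the same shape as configure's conftest.c with CC
# inside WORK_DIR and returns the compiler's exit status (configure logged 254
# for the crash in the thread). The compiler's stderr is kept in compile.err
# and echoed on failure, so a wrapper that dies before running the real
# compiler is visible immediately rather than buried in config.log.
smoke_compile() {
    cc=$1; work=$2
    mkdir -p "$work"
    cat > "$work/conftest.c" <<'EOF'
/* constructed probe, same shape as configure's conftest.c */
int main(void) { return 0; }
EOF
    status=0
    ( cd "$work" && "$cc" conftest.c -o conftest 2> compile.err ) || status=$?
    if [ "$status" -ne 0 ]; then
        echo "compiler exited with status $status; stderr:" >&2
        cat "$work/compile.err" >&2
    fi
    return "$status"
}

# Only run against a real tree when the caller points us at one.
if [ -n "${ANGORA_ROOT:-}" ]; then
    ensure_abilist "$ANGORA_ROOT/bin" "${ANGORA_RT_DIR:-$ANGORA_ROOT/llvm_mode/rt}" \
                   "$ANGORA_ROOT/llvm_mode/bin" || exit 1
    smoke_compile "$ANGORA_ROOT/bin/angora-clang" "${TMPDIR:-/tmp}/angora-smoke"
fi
```

Run it as ANGORA_ROOT=/home/roel/Angora sh check.sh (with ANGORA_RT_DIR set to wherever the rt/ directory lives in your checkout). A non-zero status from smoke_compile with the clang crash text in compile.err reproduces point 2 of the issue without going through a full configure run; a successful copy or regeneration of the abilist addresses point 1 only.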

RoelVdP commented 5 years ago

More analysis

~/conftst$ cat conftest.c 
/* confdefs.h */
#define PACKAGE_NAME "shadow"
#define PACKAGE_TARNAME "shadow"
#define PACKAGE_VERSION "4.6"
#define PACKAGE_STRING "shadow 4.6"
#define PACKAGE_BUGREPORT "pkg-shadow-devel@lists.alioth.debian.org"
#define PACKAGE_URL "https://github.com/shadow-maint/shadow"
#define PACKAGE "shadow"
#define VERSION "4.6"
/* end confdefs.h.  */
int main () { return 0; }

The following is with angora-clang compiled using llvm 6.0.0 (the one included with the Ubuntu 18.10 system) and with the llvm6 tree.

~/conftst$ /home/roel/Angora/bin/angora-clang ./conftest.c 
angora-llvm-pass
[+] Fast Mode.
ModName: ./conftest.c -- 4175588581
clang: error: unable to execute command: Segmentation fault (core dumped)
clang: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
clang: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.
clang: error: unable to execute command: Segmentation fault (core dumped)
^C
RoelVdP commented 5 years ago

The core somehow does not seem to be generated by Angora/bin/angora-clang (I get an unresolved stack in gdb when I try to backtrace it), even though that is what I used above, but by the clang of the system itself. Is angora-clang a wrapper which calls clang? When using the system clang with gdb, I get a partial backtrace:

Core was generated by `/usr/lib/llvm-6.0/bin/clang -cc1 -triple x86_64-pc-linux-gnu -emit-obj -disable'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fbf3ae78520 in ?? ()
(gdb) bt
#0  0x00007fbf3ae78520 in ?? ()
#1  0x00007fbf3842185b in ?? () from /usr/lib/llvm-6.0/bin/../lib/libLLVM-6.0.so.1
#2  0x00007fbf3777510d in llvm::ManagedStaticBase::destroy() const ()
   from /usr/lib/llvm-6.0/bin/../lib/libLLVM-6.0.so.1
#3  0x00007fbf377752a5 in llvm::llvm_shutdown() () from /usr/lib/llvm-6.0/bin/../lib/libLLVM-6.0.so.1
#4  0x000055c3462db318 in main ()
spinpx commented 5 years ago

Sorry for my late reply. Can the tests in /path-to-angora/tests be compiled? The second point may be caused by the reason mentioned here: https://github.com/AngoraFuzzer/Angora/pull/24#issuecomment-453035998

Also, https://bugs.llvm.org/show_bug.cgi?id=39321