HexHive / datAFLow

A data-flow-guided fuzzer
Apache License 2.0

clang crashes upon compilation of simple program #1

Closed clesmian closed 1 year ago

clesmian commented 1 year ago

While it is possible to compile a hello world program using dataflow-cc I cannot compile a slightly more complex example reading from a file, as clang crashes with the output below.

Input file: a.c.txt (https://github.com/HexHive/datAFLow/files/12300698/a.c.txt)

Command line: dataflow-cc -v a.c

Env variables:

FUZZALLOC_DEF_SENSITIVITY=array
FUZZALLOC_USE_SENSITIVITY=read:write
FUZZALLOC_USE_CAPTURE=use
FUZZALLOC_INST=afl

clang output

Ubuntu clang version 12.0.0-3ubuntu1~20.04.5
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-12/bin
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/9
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/9
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Candidate multilib: x32;@mx32
Selected multilib: .;@m64
 "/usr/lib/llvm-12/bin/clang" -cc1 -triple x86_64-pc-linux-gnu -emit-obj --mrelax-relocations -disable-free -disable-llvm-verifier -main-file-name a.c -mrelocation-model static -mframe-pointer=none -fmath-errno -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -fno-split-dwarf-inlining -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -v -resource-dir /usr/lib/llvm-12/lib/clang/12.0.0 -internal-isystem /usr/local/include -internal-isystem /usr/lib/llvm-12/lib/clang/12.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -fdebug-compilation-dir /tmp -ferror-limit 19 -fgnuc-version=4.2.1 -fcolor-diagnostics -vectorize-loops -vectorize-slp -load /usr/local/lib/libMem2Reg.so -load /usr/local/lib/libLowerDebugDeclare.so -load /usr/local/lib/libLowerAtomic.so -load /usr/local/lib/libLowerMemIntrinsic.so -load /usr/local/lib/libLowerNewDelete.so -load /usr/local/lib/libLowerConstantExpr.so -load /usr/local/lib/libStripLifetime.so -load /usr/local/lib/libVariableRecovery.so -load /usr/local/lib/libMemFuncIdentify.so -load /usr/local/lib/libDefSiteIdentify.so -load /usr/local/lib/libUseSiteIdentify.so -load /usr/local/lib/libGlobalVariableTag.so -load /usr/local/lib/libLocalVariableTag.so -load /usr/local/lib/libHeapTag.so -load /usr/local/lib/libUseSite.so -mllvm -fuzzalloc-def-array -mllvm -fuzzalloc-use-read -mllvm -fuzzalloc-use-write -mllvm -fuzzalloc-capture-use -mllvm -fuzzalloc-inst-afl -faddrsig -o /tmp/a-0bce80.o -x c a.c
clang -cc1 version 12.0.0 based upon LLVM 12.0.0 default target x86_64-pc-linux-gnu
ignoring nonexistent directory "/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/local/include
 /usr/lib/llvm-12/lib/clang/12.0.0/include
 /usr/include/x86_64-linux-gnu
 /usr/include
End of search list.
clang: /usr/lib/llvm-12/include/llvm/IR/InstrTypes.h:1324: llvm::Value *llvm::CallBase::getArgOperand(unsigned int) const: Assertion `i < getNumArgOperands() && "Out of bounds!"' failed.
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.  Program arguments: /usr/lib/llvm-12/bin/clang -cc1 -triple x86_64-pc-linux-gnu -emit-obj --mrelax-relocations -disable-free -disable-llvm-verifier -main-file-name a.c -mrelocation-model static -mframe-pointer=none -fmath-errno -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -fno-split-dwarf-inlining -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -v -resource-dir /usr/lib/llvm-12/lib/clang/12.0.0 -internal-isystem /usr/local/include -internal-isystem /usr/lib/llvm-12/lib/clang/12.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -fdebug-compilation-dir /tmp -ferror-limit 19 -fgnuc-version=4.2.1 -fcolor-diagnostics -vectorize-loops -vectorize-slp -load /usr/local/lib/libMem2Reg.so -load /usr/local/lib/libLowerDebugDeclare.so -load /usr/local/lib/libLowerAtomic.so -load /usr/local/lib/libLowerMemIntrinsic.so -load /usr/local/lib/libLowerNewDelete.so -load /usr/local/lib/libLowerConstantExpr.so -load /usr/local/lib/libStripLifetime.so -load /usr/local/lib/libVariableRecovery.so -load /usr/local/lib/libMemFuncIdentify.so -load /usr/local/lib/libDefSiteIdentify.so -load /usr/local/lib/libUseSiteIdentify.so -load /usr/local/lib/libGlobalVariableTag.so -load /usr/local/lib/libLocalVariableTag.so -load /usr/local/lib/libHeapTag.so -load /usr/local/lib/libUseSite.so -mllvm -fuzzalloc-def-array -mllvm -fuzzalloc-use-read -mllvm -fuzzalloc-use-write -mllvm -fuzzalloc-capture-use -mllvm -fuzzalloc-inst-afl -faddrsig -o /tmp/a-0bce80.o -x c a.c
1.  <eof> parser at end of file
2.  Per-module optimization passes
3.  Running pass 'Strip lifetime intrinsics' on module 'a.c'.
 #0 0x00007fd1485b1ef3 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xbd8ef3)
 #1 0x00007fd1485b0210 llvm::sys::RunSignalHandlers() (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xbd7210)
 #2 0x00007fd1485b255f (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xbd955f)
 #3 0x00007fd14fde7420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
 #4 0x00007fd1474dc00b raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
 #5 0x00007fd1474bb859 abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:81:7
 #6 0x00007fd1474bb729 get_sysdep_segment_value /build/glibc-SzIz7B/glibc-2.31/intl/loadmsgcat.c:509:8
 #7 0x00007fd1474bb729 _nl_load_domain /build/glibc-SzIz7B/glibc-2.31/intl/loadmsgcat.c:970:34
 #8 0x00007fd1474ccfd6 (/lib/x86_64-linux-gnu/libc.so.6+0x33fd6)
 #9 0x00007fd147374612 llvm::CallBase::getArgOperand(unsigned int) const (/usr/local/lib/libLowerMemIntrinsic.so+0x1f612)
#10 0x00007fd1472da48a StripLifetime::runOnModule(llvm::Module&) (/usr/local/lib/libStripLifetime.so+0xa48a)
#11 0x00007fd1486d99bf llvm::legacy::PassManagerImpl::run(llvm::Module&) (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xd009bf)
#12 0x00007fd14e6d2365 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1543365)
#13 0x00007fd14e96970f (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x17da70f)
#14 0x00007fd14dac7d94 clang::ParseAST(clang::Sema&, bool, bool) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x938d94)
#15 0x00007fd14f05d118 clang::FrontendAction::Execute() (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1ece118)
#16 0x00007fd14efeadd1 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1e5bdd1)
#17 0x00007fd14f0bf502 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1f30502)
#18 0x0000000000412782 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/lib/llvm-12/bin/clang+0x412782)
#19 0x0000000000410afe (/usr/lib/llvm-12/bin/clang+0x410afe)
#20 0x000000000041090e main (/usr/lib/llvm-12/bin/clang+0x41090e)
#21 0x00007fd1474bd083 __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:342:3
#22 0x000000000040dcbe _start (/usr/lib/llvm-12/bin/clang+0x40dcbe)
clang: error: unable to execute command: Aborted
clang: error: clang frontend command failed due to signal (use -v to see invocation)
Ubuntu clang version 12.0.0-3ubuntu1~20.04.5
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-12/bin
clang: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang: note: diagnostic msg: /tmp/a-0a3fc9.c
clang: note: diagnostic msg: /tmp/a-0a3fc9.sh
clang: note: diagnostic msg: 

********************

Clang reproducers: a-0a3fc9.c.txt (https://github.com/HexHive/datAFLow/files/12300713/a-0a3fc9.c.txt), a-0a3fc9.sh.txt (https://github.com/HexHive/datAFLow/files/12300715/a-0a3fc9.sh.txt)

adrianherrera commented 1 year ago

Interesting, thanks for the big report! I'll try to reproduce and take a look over the weekend.

On Wed, 9 Aug 2023 at 7:43 pm, clesmian wrote: (quotes the report above)

clesmian commented 1 year ago

Do you have any idea what I could try to get it working?

adrianherrera commented 1 year ago

I couldn't work out the bug on an LLVM release build. Currently building a debug build, so I'll get back to you in a few hours :)

adrianherrera commented 1 year ago

Ok should be fixed now! Please let me know if there are any further issues :)

clesmian commented 1 year ago

Thanks for the fix, now most of my examples work. I do, however, still encounter the same error when building faust @ a1fc328a74b8d06f0d28f079fdf2fdb7ffa33649 (link)

Scanning dependencies of target faust
[  0%] Building CXX object CMakeFiles/faust.dir/<faust-dir>/compiler/boxes/boxcomplexity.cpp.o
clang++: /usr/lib/llvm-12/include/llvm/IR/InstrTypes.h:1324: llvm::Value *llvm::CallBase::getArgOperand(unsigned int) const: Assertion `i < getNumArgOperands() && "Out of bounds!"' failed.
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0.  Program arguments: /usr/lib/llvm-12/bin/clang++ -g -fno-discard-value-names -Xclang -load -Xclang /usr/local/lib/libMem2Reg.so -Xclang -load -Xclang /usr/local/lib/libLowerDebugDeclare.so -Xclang -load -Xclang /usr/local/lib/libLowerAtomic.so -Xclang -load -Xclang /usr/local/lib/libLowerMemIntrinsic.so -Xclang -load -Xclang /usr/local/lib/libLowerNewDelete.so -Xclang -load -Xclang /usr/local/lib/libLowerConstantExpr.so -Xclang -load -Xclang /usr/local/lib/libStripLifetime.so -Xclang -load -Xclang /usr/local/lib/libVariableRecovery.so -Xclang -load -Xclang /usr/local/lib/libMemFuncIdentify.so -Xclang -load -Xclang /usr/local/lib/libDefSiteIdentify.so -Xclang -load -Xclang /usr/local/lib/libUseSiteIdentify.so -Xclang -load -Xclang /usr/local/lib/libGlobalVariableTag.so -Xclang -load -Xclang /usr/local/lib/libLocalVariableTag.so -Xclang -load -Xclang /usr/local/lib/libHeapTag.so -mllvm -fuzzalloc-def-array -mllvm -fuzzalloc-use-read -mllvm -fuzzalloc-use-write -mllvm -fuzzalloc-capture-use -mllvm -fuzzalloc-inst-afl -Xclang -load -Xclang /usr/local/lib/libUseSite.so -DCPP_BUILD -DLIBDIR=\"lib\" -I<faust-dir>/compiler -I<faust-dir>/compiler/boxes -I<faust-dir>/compiler/documentator -I<faust-dir>/compiler/draw -I<faust-dir>/compiler/errors -I<faust-dir>/compiler/evaluate -I<faust-dir>/compiler/extended -I<faust-dir>/compiler/generator -I<faust-dir>/compiler/generator/dlang -I<faust-dir>/compiler/generator/csharp -I<faust-dir>/compiler/generator/fir -I<faust-dir>/compiler/generator/julia -I<faust-dir>/compiler/generator/interpreter -I<faust-dir>/compiler/generator/rust -I<faust-dir>/compiler/generator/cmajor -I<faust-dir>/compiler/normalize -I<faust-dir>/compiler/parallelize -I<faust-dir>/compiler/parser -I<faust-dir>/compiler/patternmatcher -I<faust-dir>/compiler/propagate -I<faust-dir>/compiler/signals -I<faust-dir>/compiler/tlib -I<faust-dir>/compiler/transform -I<faust-dir>/compiler/utils -I<faust-dir>/compiler/draw/device -I<faust-dir>/compiler/draw/schema -I<faust-dir>/compiler/../architecture -I<faust-dir>/compiler/generator/cpp -DFAUST_EXE -std=gnu++11 -o CMakeFiles/faust.dir/<faust-dir>/compiler/boxes/boxcomplexity.cpp.o -c <faust-dir>/compiler/boxes/boxcomplexity.cpp -O3 -L/usr/local/lib -lFuzzallocRuntime -lAFLRuntime -lpthread -Qunused-arguments
1.  <eof> parser at end of file
2.  Per-module optimization passes
3.  Running pass 'Lower new/delete functions to malloc/free' on module '<faust-dir>/compiler/boxes/boxcomplexity.cpp'.
 #0 0x00007f5c10b08ef3 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xbd8ef3)
 #1 0x00007f5c10b07210 llvm::sys::RunSignalHandlers() (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xbd7210)
 #2 0x00007f5c10b0864d llvm::sys::CleanupOnSignal(unsigned long) (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xbd864d)
 #3 0x00007f5c10a58416 (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xb28416)
 #4 0x00007f5c1833e420 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14420)
 #5 0x00007f5c0fa3300b raise /build/glibc-SzIz7B/glibc-2.31/signal/../sysdeps/unix/sysv/linux/raise.c:51:1
 #6 0x00007f5c0fa12859 abort /build/glibc-SzIz7B/glibc-2.31/stdlib/abort.c:81:7
 #7 0x00007f5c0fa12729 get_sysdep_segment_value /build/glibc-SzIz7B/glibc-2.31/intl/loadmsgcat.c:509:8
 #8 0x00007f5c0fa12729 _nl_load_domain /build/glibc-SzIz7B/glibc-2.31/intl/loadmsgcat.c:970:34
 #9 0x00007f5c0fa23fd6 (/lib/x86_64-linux-gnu/libc.so.6+0x33fd6)
#10 0x00007f5c0f8cb612 llvm::CallBase::getArgOperand(unsigned int) const (/usr/local/lib/libLowerMemIntrinsic.so+0x1f612)
#11 0x00007f5c0f895d0b LowerNewDelete::lowerDelete(llvm::User*, llvm::Function*) const (/usr/local/lib/libLowerNewDelete.so+0x19d0b)
#12 0x00007f5c0f896553 LowerNewDelete::runOnModule(llvm::Module&) (/usr/local/lib/libLowerNewDelete.so+0x1a553)
#13 0x00007f5c10c309bf llvm::legacy::PassManagerImpl::run(llvm::Module&) (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xd009bf)
#14 0x00007f5c16c29365 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1543365)
#15 0x00007f5c16ec070f (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x17da70f)
#16 0x00007f5c1601ed94 clang::ParseAST(clang::Sema&, bool, bool) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x938d94)
#17 0x00007f5c175b4118 clang::FrontendAction::Execute() (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1ece118)
#18 0x00007f5c17541dd1 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1e5bdd1)
#19 0x00007f5c17616502 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1f30502)
#20 0x0000000000412782 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/lib/llvm-12/bin/clang+++0x412782)
#21 0x0000000000410afe (/usr/lib/llvm-12/bin/clang+++0x410afe)
#22 0x00007f5c1725dd82 (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1b77d82)
#23 0x00007f5c10a581ed llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/lib/x86_64-linux-gnu/libLLVM-12.so.1+0xb281ed)
#24 0x00007f5c1725d579 clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, bool*) const (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1b77579)
#25 0x00007f5c17232b2f clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&) const (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1b4cb2f)
#26 0x00007f5c17232ee7 clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&) const (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1b4cee7)
#27 0x00007f5c1724799c clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&) (/lib/x86_64-linux-gnu/libclang-cpp.so.12+0x1b6199c)
#28 0x00000000004103d4 main (/usr/lib/llvm-12/bin/clang+++0x4103d4)
#29 0x00007f5c0fa14083 __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:342:3
#30 0x000000000040dcbe _start (/usr/lib/llvm-12/bin/clang+++0x40dcbe)
clang: error: clang frontend command failed with exit code 134 (use -v to see invocation)
Ubuntu clang version 12.0.0-3ubuntu1~20.04.5
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-12/bin
clang: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang: note: diagnostic msg: /tmp/boxcomplexity-41b06d.cpp
clang: note: diagnostic msg: /tmp/boxcomplexity-41b06d.sh
clang: note: diagnostic msg: 

********************

boxcomplexity-41b06d.cpp.txt boxcomplexity-41b06d.sh.txt

Sorry to bother you again with this. I'd like to see what happens when I run it on a newer version than the one you referenced in the paper.

adrianherrera commented 1 year ago

Ah yeah, same bug in the "new delete lower" code. See https://github.com/HexHive/datAFLow/blob/baggybounds/lib/Transforms/Utils/LowerNewDelete.cpp#L148

Feel free to replace CB->getNumOperands() with CB->arg_size(). I'll fix it properly tonight.

clesmian commented 1 year ago

Thanks for your fast response. I did not look into your fix; sorry, my bad.

Searching for the same symbol in the code, the same bug can potentially be found here: https://github.com/HexHive/datAFLow/blob/bf1c3a3b9521a33d4e49633e07d68b449634b12f/lib/Analysis/UseSiteIdentify.cpp#L201 and maybe also here? https://github.com/HexHive/datAFLow/blob/bf1c3a3b9521a33d4e49633e07d68b449634b12f/lib/Transforms/Utils/LowerConstantExpr.cpp#L48 But I don't know enough about LLVM to actually verify that.

One additional question, is your code compatible with ASAN?
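The audit clesmian describes (grep the tree for the other places that index call arguments with a bound taken from getNumOperands()) can be scripted. The reason the pattern is wrong is an LLVM layout detail: on llvm::CallBase the operand list holds the arguments first, then any operand-bundle operands, and the callee as the last operand, so getNumOperands() is at least one larger than arg_size() (getNumArgOperands() in LLVM 12) and a loop bounded by it ends in exactly the "Out of bounds!" assertion shown in this issue. The script below is an added example, not part of the datAFLow sources or of this thread; the heuristic (flag getNumOperands() in any file that also calls getArgOperand) is an assumption that trades false positives for not missing cases, and the three sample files it runs on are constructed here, not taken from the repository.

```shell
#!/bin/sh
# Added example, not datAFLow code. Flags source files that read call
# arguments with getArgOperand() but bound a loop with getNumOperands():
# on llvm::CallBase, getNumOperands() also counts the callee operand (and
# any operand-bundle operands), so the last index is out of bounds for
# getArgOperand(). arg_size() / getNumArgOperands() is the right bound.
# Hits are printed as "file:line:text"; a PHINode's getNumOperands() in a
# file that never touches call arguments is not reported (the heuristic is
# an assumption, so review each hit by hand).

# suspect_operand_loops DIR -> exit 0 if at least one hit, 1 otherwise
suspect_operand_loops() {
    dir=$1
    found=1
    for f in $(find "$dir" -type f \( -name '*.cpp' -o -name '*.h' \) | sort); do
        # Only files that touch call arguments are interesting.
        grep -q -F 'getArgOperand' "$f" || continue
        hits=$(grep -n -F 'getNumOperands()' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$f:|"
            found=0
        fi
    done
    return $found
}

# Constructed sample sources (not from the datAFLow tree) to show the output.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Bad.cpp" <<'EOF'
for (unsigned I = 0; I < CB->getNumOperands(); ++I)
  Args.push_back(CB->getArgOperand(I));   // asserts on the last iteration
EOF
cat > "$demo_dir/Good.cpp" <<'EOF'
for (unsigned I = 0; I < CB->arg_size(); ++I)
  Args.push_back(CB->getArgOperand(I));
EOF
cat > "$demo_dir/Unrelated.cpp" <<'EOF'
unsigned N = PN->getNumOperands();       // PHINode: no call arguments here
EOF

# Prints one hit, the first line of Bad.cpp, and exits 0.
suspect_operand_loops "$demo_dir"
```

Run it against the lib/ directory of a checkout to get the candidate list; a hit on a loop that indexes getArgOperand() with the same counter is the same bug as LowerNewDelete.cpp, while a hit on an unrelated Instruction (PHINode, GEP) is noise.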

ghost commented 8 months ago

@clesmian @adrianherrera Sorry to bother you both. Regarding the files uploaded by @clesmian, I set the same environment variables and then used dataflow-cc for compilation (this step was successful). Input file: a.c (the same as @clesmian's).

dataflow-cc ./a.c
[*] [./a.c] Use site capture: use
[+] [./a.c] Num. instrumented reads: 0
[+] [./a.c] Num. instrumented writes: 0

But there was an error in the afl-fuzz report. I am a beginner and I don't know where the problem lies. Hope it can be resolved smoothly.

afl-fuzz -i input -o output ./a @@
afl-fuzz++4.06a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 8 CPU cores and 1 runnable tasks (utilization: 12%).
[+] Try parallel jobs - see docs/fuzzing_in_depth.md#c-using-multiple-cores
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #2.
[*] Scanning 'input'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...

[-] Looks like the target binary is not instrumented! The fuzzer depends on compile-time instrumentation to isolate interesting test cases while mutating the input data. For more information, and for tips on how to instrument binaries, please see docs/README.md.

    When source code is not available, you may be able to leverage QEMU
    mode support. Consult the README.md for tips on how to enable this.

    If your target is an instrumented binary (e.g. with zafl, retrowrite,
    etc.) then set 'AFL_SKIP_BIN_CHECK=1'

    (It is also possible to use afl-fuzz as a traditional, non-instrumented
    fuzzer. For that use the -n option - but expect much worse results.)

[-] PROGRAM ABORT : No instrumentation detected
         Location : check_binary(), src/afl-fuzz-init.c:2817

adrianherrera commented 8 months ago

Hi @HushS1gnal,

Are you sure you are setting the same environment variables? The output of dataflow-cc indicates nothing was instrumented, which is why afl-fuzz is failing to run correctly. Can you please check the environment variables?
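The "No instrumentation detected" abort above comes from afl-fuzz's check_binary(), which scans the target file for the literal string __AFL_SHM_ID (the name of the shared-memory environment variable an instrumented binary reads at startup) and, separately, for the persistent-mode and deferred-forkserver markers; AFL_SKIP_BIN_CHECK=1 bypasses the scan. The script below redoes that check in shell so it can be run on the output of dataflow-cc before a fuzzing job is started, and bundles it with the four FUZZALLOC_* variables from this thread so they cannot be forgotten. It is an added example, not part of this thread, of datAFLow, or of AFL++: the dataflow_build_and_check helper and its use of -o are assumptions about the wrapper (it is a clang wrapper, so the flag is expected to pass through), and the demo inputs are constructed text files standing in for binaries, since the check is purely byte-based.

```shell
#!/bin/sh
# Added example, not part of the thread or of datAFLow/AFL++. Reproduces the
# decision afl-fuzz's check_binary() makes before it refuses to start: it
# looks for the string "__AFL_SHM_ID" in the target (afl-fuzz also requires
# the terminating NUL byte; grepping for the text is close enough here).
AFL_SHM_MARK='__AFL_SHM_ID'
AFL_PERSIST_MARK='##SIG_AFL_PERSISTENT##'
AFL_DEFER_MARK='##SIG_AFL_DEFER_FORKSRV##'

# has_marker FILE STRING -> 0 if the bytes occur anywhere in FILE
has_marker() {
    grep -a -q -F -- "$2" "$1"
}

# afl_instrumented FILE -> prints none | classic | persistent | deferred
# Exit status 0 when afl-fuzz would accept the binary, 1 when it would abort
# with "No instrumentation detected".
afl_instrumented() {
    bin=$1
    if ! has_marker "$bin" "$AFL_SHM_MARK"; then
        echo none
        return 1
    fi
    if has_marker "$bin" "$AFL_PERSIST_MARK"; then
        echo persistent
    elif has_marker "$bin" "$AFL_DEFER_MARK"; then
        echo deferred
    else
        echo classic
    fi
    return 0
}

# Build with the reporter's settings, then check the result. Assumes
# dataflow-cc is on PATH and accepts clang's -o (it is a clang wrapper).
# dataflow_build_and_check SRC OUT -> exit 2 on build failure, else as above
dataflow_build_and_check() {
    FUZZALLOC_DEF_SENSITIVITY=array \
    FUZZALLOC_USE_SENSITIVITY=read:write \
    FUZZALLOC_USE_CAPTURE=use \
    FUZZALLOC_INST=afl \
    dataflow-cc -o "$2" "$1" || return 2
    afl_instrumented "$2"
}

# Constructed demo inputs (plain text standing in for ELF binaries).
demo=$(mktemp -d)
printf 'not an ELF, but carries the marker %s in its rodata\n' "$AFL_SHM_MARK" > "$demo/instrumented"
printf 'not an ELF, and carries no marker at all\n' > "$demo/plain"

afl_instrumented "$demo/instrumented"          # classic
afl_instrumented "$demo/plain" || echo "afl-fuzz would abort: No instrumentation detected"
```

If afl_instrumented prints none for a dataflow-cc build, the instrumentation pass did not run (as in the "Num. instrumented reads: 0" output above), so re-check the FUZZALLOC_* variables in the shell that invokes the compiler (including any variable scrubbing done by make or cmake) rather than reaching for AFL_SKIP_BIN_CHECK.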