loiclec / fuzzcheck-rs

Modular, structure-aware, and feedback-driven fuzzing engine for Rust functions
MIT License

Linking issue when building sample fuzzer #2

Closed ekse closed 5 years ago

ekse commented 5 years ago

Hi,

I ran into the following linking error while trying to build the sample fuzzer from the README.

   Compiling fuzzcheck_input v0.1.0 (https://github.com/loiclec/fuzzcheck-rs#f94d9484)
   Compiling my_library-fuzz v0.0.0 (/home/ekse/my_library/fuzz)
error: linking with `cc` failed: exit code: 1

[I removed the command line as it is very long ]

  = note: /usr/bin/ld: __sancov_guards has both ordered [`__sancov_guards[_ZN102_$LT$fuzzcheck_input..vector..VectorGenerator$LT$G$GT$$u20$as$u20$fuzzcheck..input..InputGenerator$GT$9new_input17ha1bc96293fe05b0eE]' in /home/ekse/my_library/fuzz/target/x86_64-unknown-linux-gnu/release/deps/target1-95582bd24b3c88fb.26joefc9aoybq9f0.rcgu.o] and unordered [`__sancov_guards' in /home/ekse/my_library/fuzz/target/x86_64-unknown-linux-gnu/release/deps/target1-95582bd24b3c88fb.26joefc9aoybq9f0.rcgu.o] sections
          /usr/bin/ld: final link failed: bad value
          collect2: error: ld returned 1 exit status

My system:

Ubuntu 19.04
Rust nightly 2019-09-08

There is an open ticket for a similar error in cargo-fuzz; it seems to be appearing when compiling with optimizations.

https://github.com/rust-fuzz/cargo-fuzz/issues/161 https://github.com/rust-lang/rust/issues/53945

I did a test where I removed the --release flag in cargo-fuzz/main.rs, but then I get segfaults of child processes when trying to start the fuzzer.

loiclec commented 5 years ago

Thank you so much for the detailed bug report! I have looked at the issues you mentioned and it seems like I can use a workaround and keep the --release flag. I am working on it, but it may take a while until I push the fix.

loiclec commented 5 years ago

I think I fixed both issues :)

The linker error is “fixed” by using the gold linker instead, if it's available. It's a hack, but it seems to work for now. The segfault was caused by the omission of frame pointers when Rust code is compiled on some platforms, which broke the __builtin_return_address function. It should be fixed by compiling with -force-frame-pointers.

So in short, the tests are now compiled with two more options: -Clink-arg=-fuse-ld=gold and -Cforce-frame-pointers=yes.

I am sorry I did not test fuzzcheck on Linux before, I will add continuous integration tests with Travis soon to make sure it always works in the future.

Could you please verify that you can run the example now?

Thanks! :)
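As an added example (not fuzzcheck's own build script), here is one way to apply the two options from the comment above when invoking cargo by hand: frame pointers are always forced on, and gold is only requested when an `ld.gold` binary is actually on PATH, mirroring the "if it's available" part of the workaround. The `has_gold` and `fuzz_rustflags` function names and the probe parameter are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the fuzzcheck project: compose the extra rustc
# flags described in the issue and export them through RUSTFLAGS.

# Returns 0 if the given linker binary (default: ld.gold) is on PATH.
has_gold() {
  command -v "${1:-ld.gold}" >/dev/null 2>&1
}

# Prints the flag string to pass to rustc. $1 optionally overrides the
# linker binary name to probe (useful for testing the fallback path).
fuzz_rustflags() {
  # Keep frame pointers so __builtin_return_address works in the sanitizer
  # coverage callbacks (the cause of the segfault in the comment above).
  flags="-Cforce-frame-pointers=yes"
  # Only switch the linker when gold is present; otherwise keep the default
  # linker and accept that the __sancov_guards ordering error may reappear.
  if has_gold "${1:-ld.gold}"; then
    flags="$flags -Clink-arg=-fuse-ld=gold"
  fi
  printf '%s\n' "$flags"
}

# Usage (assumed target triple, as in the issue's paths):
#   RUSTFLAGS="$(fuzz_rustflags)" cargo build --release \
#       --target x86_64-unknown-linux-gnu
```

Passing a nonexistent binary name to `fuzz_rustflags` shows the fallback (frame pointers only), which is the state a machine without gold ends up in.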

ekse commented 5 years ago

It works as expected now, thanks a lot for the fixes. I assume you usually test on macOS?

loiclec commented 5 years ago

Yes, I mostly test on macOS. I have a Linux docker container to test it on my machine now though, so I can test both easily :)