prosyslab / DAFL-artifact


Error while running SPARROW on libsndfile #11

Open dr0o0id opened 4 months ago

dr0o0id commented 4 months ago

Hello there,

Really appreciate your astonishing work.

I'm trying to run DAFL on the Magma benchmarks. Referring to the issue raised before, I learned that some modifications are needed inside run-smake.sh and run-sparrow.py.

I encountered the following errors while running run-sparrow.py.

Error popped up while launching run-sparrow.py

command

/benchmark/scripts/run_sparrow.py sndfile_fuzzer thin

Error

--------------------------------------------------------------------------------
Front-end begins...
--------------------------------------------------------------------------------
/usr/local/lib/clang/12.0.0/include/emmintrin.h[1318:7-62] : syntax error
Parsing errorFatal error: exception Frontc.ParseError("Parse error")
Raised at Stdlib__Parsing.yyparse in file "parsing.ml", line 184, characters 8-17
Called from Cparser.interpret in file "src/frontc/cparser.ml" (inlined), line 6276, characters 4-44
Called from Frontc.parse_to_cabs_inner in file "src/frontc/frontc.ml" (inlined), line 191, characters 34-83
Called from Stats.time in file "src/ocamlutil/stats.ml" (inlined), line 125, characters 4-9
Called from Frontc.parse_to_cabs_inner in file "src/frontc/frontc.ml" (inlined), line 191, characters 15-90
Called from Frontc.parse_to_cabs_inner in file "src/frontc/frontc.ml", line 191, characters 15-90
[*] Executing: cp /benchmark/tmp/sndfile_fuzzer/SND001/slice_func.txt /benchmark/DAFL-input/inst-targ/sndfile_fuzzer/SND001
[*] Executing: cp /benchmark/tmp/sndfile_fuzzer/SND001/slice_dfg.txt /benchmark/DAFL-input/dfg/sndfile_fuzzer/SND001

configuration

The docker image

prosyslab/dafl-artifact      latest                       sha256:b81d12a106cb073e5a161578f6024751953ac144cffec1cbf2a0070bcee42b36   eec595786dd0   2 months ago    25.3GB

Under /benchmark/project, I added a libsndfile_magma directory.

/benchmark/project/libsndfile_magma/

Following your convention, I modified the build.sh provided by Magma; now it looks like this:

#!/bin/bash
set -e

##
# Pre-requirements:
# - env TARGET: path to target work dir
# - env OUT: path to directory where artifacts are stored
# - env CC, CXX, FLAGS, LIBS, etc...
##

#export TARGET=$(dirname "$0")
export TARGET="BUILD"

if [ ! -d "$TARGET/repo" ]; then
    echo "No source code in repo, now fetching......."
    git clone --no-checkout https://github.com/libsndfile/libsndfile.git "$TARGET/repo"
    git -C "$TARGET/repo" checkout 86c9f9eb7022d186ad4d0689487e7d4f04ce2b29
    #exit 1
fi

cd "$TARGET/repo"
echo "PWDPWD"
echo $(pwd)
./autogen.sh
./configure --disable-shared --enable-ossfuzzers
make -j$(nproc) clean || exit 1
make -j$(nproc) ossfuzz/sndfile_fuzzer || exit 1

cp -v ossfuzz/sndfile_fuzzer $OUT/ || exit 1
cp -v ossfuzz/sndfile_fuzzer ./sndfile_fuzzer || exit 1

An AFLGo-like BBTargets.txt file was added under /benchmark/target/line/sndfile_fuzzer/

root@7cd61d838243:/benchmark/project/libsndfile_magma# ls -la /benchmark/target/line/sndfile_fuzzer/
total 16
drwxr-xr-x 2 root root 4096 Jun 21 13:15 .
drwxr-xr-x 1 root root 4096 Jun 21 13:15 ..
-rw-r--r-- 1 root root   70 Jun 21 13:15 SND001

And SND001 looks like this:

src/paf.c:201
src/paf.c:204
src/paf.c:205
src/paf.c:206
src/paf.c:207

modified run-smake.sh

#!/bin/bash
set -x
. $(dirname $0)/build_bench_common.sh
mkdir -p /benchmark/smake-out

export CC="clang"
export CXX="clang++"
export CMAKE_EXPORT_COMPILE_COMMANDS=1

### Program: libsndfile (magma)
### added by dr0id
cd /benchmark
program="libsndfile_magma"
binaries="ossfuzz/sndfile_fuzzer"
build_target $program $CC $CXX " "
cd /benchmark/RUNDIR-$program/BUILD/repo
make clean
yes | /smake/smake --init
/smake/smake ossfuzz/sndfile_fuzzer -j 1
cd /benchmark/RUNDIR-$program
for binary in $binaries; do
    cp -r BUILD/repo/sparrow/$binary /benchmark/smake-out/sndfile_fuzzer || exit 1
done
### exit early, because we aim to run DAFL on magma
exit 1

modified /benchmark/scripts/benchmark.py

I added the following entry inside SLICE_TARGET:

    'sndfile_fuzzer': {
        'frontend':'cil',
        'entry_point':'main',
        'bugs': ['SND001']
    },

Content of /benchmark/smake-out/sndfile_fuzzer:

root@7cd61d838243:/benchmark/scripts# tree -r /benchmark/smake-out/sndfile_fuzzer
/benchmark/smake-out/sndfile_fuzzer
|-- 27.libstandaloneengine_la-standaloneengine.o.ii
|-- 26.libsndfile_la-xi.o.i
|-- 25.libsndfile_la-wve.o.i
|-- 24.libsndfile_la-wavlike.o.i
|-- 23.libsndfile_la-wav.o.i
|-- 22.libsndfile_la-w64.o.i
|-- 21.libsndfile_la-voc.o.i
|-- 20.libsndfile_la-txw.o.i
|-- 1f.libsndfile_la-svx.o.i
|-- 1e.libsndfile_la-sndfile.o.i
|-- 1d.libsndfile_la-sds.o.i
|-- 1c.libsndfile_la-sd2.o.i
|-- 1b.libsndfile_la-rx2.o.i
|-- 1a.libsndfile_la-rf64.o.i
|-- 19.libsndfile_la-raw.o.i
|-- 18.libsndfile_la-pvf.o.i
|-- 17.libsndfile_la-paf.o.i
|-- 16.libsndfile_la-ogg_vorbis.o.i
|-- 15.libsndfile_la-ogg_vcomment.o.i
|-- 14.libsndfile_la-ogg_speex.o.i
|-- 13.libsndfile_la-ogg_pcm.o.i
|-- 12.libsndfile_la-ogg_opus.o.i
|-- 11.libsndfile_la-ogg.o.i
|-- 10.libsndfile_la-nist.o.i
|-- 0f.libsndfile_la-mpeg.o.i
|-- 0e.libsndfile_la-mpc2k.o.i
|-- 0d.libsndfile_la-mat5.o.i
|-- 0c.libsndfile_la-mat4.o.i
|-- 0b.libsndfile_la-macos.o.i
|-- 0a.libsndfile_la-ircam.o.i
|-- 09.libsndfile_la-htk.o.i
|-- 08.libsndfile_la-g72x.o.i
|-- 07.libsndfile_la-flac.o.i
|-- 06.libsndfile_la-dwd.o.i
|-- 05.libsndfile_la-caf.o.i
|-- 04.libsndfile_la-avr.o.i
|-- 03.libsndfile_la-au.o.i
|-- 02.libsndfile_la-aiff.o.i
|-- 01.libsndfile.a -> /benchmark/RUNDIR-libsndfile_magma/BUILD/repo/sparrow/src/.libs/libsndfile.a
`-- 00.sndfile_fuzzer-sndfile_fuzzer.o.ii

1 directory, 39 files
goodtaeeun commented 4 months ago

Hi, thank you for your interest in our tool. It seems that the CIL frontend parser for sparrow cannot parse the source of libsndfile. Try updating the frontend field from cil to clang in the following dictionary entry.

    'sndfile_fuzzer': {
        'frontend':'cil',
        'entry_point':'main',
        'bugs': ['SND001']
    },
dr0o0id commented 3 months ago

Appreciated; I did get Sparrow to run after following your response.

However, there are still some obstacles with Sparrow.


--------------------------------------------------------------------------------
Front-end begins...
--------------------------------------------------------------------------------

Front-end completes: 208.796966
'void*' returning functions: []
'void*' returning fields: []
Unwrapped functions: []
Unwrapped fields: []

--------------------------------------------------------------------------------
Graph construction begins...
--------------------------------------------------------------------------------
Warning: main not Found

#nodes all    : 31617
#unreachable  : 294

Graph construction completes: 0.244024

--------------------------------------------------------------------------------
Pre-processing begins...
--------------------------------------------------------------------------------
InterCfg.cfgof start
Fatal error: exception Not_found
Raised at InterCfg.cfgof in file "src/program/interCfg.ml", line 127, characters 4-19
Called from InterCfg.nodes_of_pid in file "src/program/interCfg.ml", line 138, characters 45-58
Called from PreProcess.collect_fref_from_func in file "src/core/preProcess.ml", line 123, characters 16-44
Called from PreProcess.find_func_refs in file "src/core/preProcess.ml", line 145, characters 2-72
Called from StepManager.step in file "src/util/stepManager.ml", line 19, characters 10-14
Called from Dune__exe__Main.init_analysis in file "src/core/main.ml", line 49, characters 4-194
Called from Dune__exe__Main.main in file "src/core/main.ml", line 140, characters 8-135
Called from Dune__exe__Main in file "src/core/main.ml", line 153, characters 8-15
[*] Executing: cp /benchmark/tmp/sndfile_fuzzer/SND001/slice_func.txt /benchmark/DAFL-input/inst-targ/sndfile_fuzzer/SND001
[*] Executing: cp /benchmark/tmp/sndfile_fuzzer/SND001/slice_dfg.txt /benchmark/DAFL-input/dfg/sndfile_fuzzer/SND001

A "main" function does exist inside the ILs

root@7cd61d838243:/benchmark/scripts# grep -rnw "/benchmark/smake-out/sndfile_fuzzer" -e "main"
/benchmark/smake-out/sndfile_fuzzer/27.libstandaloneengine_la-standaloneengine.o.ii:2623:int main(int argc, char **argv)

For all these libFuzzer-like binaries, do we need extra config during compilation to make Sparrow work flawlessly?

goodtaeeun commented 3 months ago

Hi, I am sorry for the late reply and the inconvenience.

If the target binary is in libfuzzer style, I think it will have the LLVMFuzzerTestOneInput function. If so, can you also try the following to give LLVMFuzzerTestOneInput as the entry point of the analysis?

    'sndfile_fuzzer': {
        'frontend':'clang',
        'entry_point':'LLVMFuzzerTestOneInput',
        'bugs': ['SND001']
    },

I just recalled that this worked when I was working on Fuzzer Test Suite targets, which were also in the libfuzzer style.

If it still does not work, can you share the input files for Sparrow? I can take a look at it and see if I can do something.

goodtaeeun commented 3 months ago

By the way, if you provide multiple target lines in the input file, the Python script will only deliver the first line of the file to Sparrow. This is because Sparrow generates slicing information per single line. Thus, I recommend giving the target line that is most relevant to the target bug. For instance, if it is a buffer overflow, give the line where the buffer access occurs.
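The two failure modes in this thread (an entry point that Sparrow cannot find, and a multi-line target file of which only the first line is used) can both be caught before launching run_sparrow.py. The script below is an added example written for this thread; it is not part of the DAFL-artifact repository, of run_sparrow.py, or of Sparrow. It assumes the AFLGo-style `path:line` target format shown above, treats the first target line as the one that reaches Sparrow (as described in the reply above), and approximates "is the entry point defined somewhere in the smake output" with a regular expression over the preprocessed .i/.ii units. That regex heuristic, the function names, and the embedded sample inputs are assumptions constructed for the example, not Sparrow's own frontend logic.

```python
"""Pre-flight checks for a DAFL/Sparrow target set-up (added example).

1. Parse an AFLGo-style target file (one `path:line` per line) and report
   which single line will actually be handed to Sparrow, plus the lines that
   would be silently dropped.
2. Check that the configured entry point is *defined* (not merely declared)
   in at least one preprocessed unit of the smake output, so Sparrow's graph
   construction will not warn "<entry> not Found".

The definition search is a regex approximation (an assumption of this
example), not a reimplementation of Sparrow's CIL/clang frontend.
"""
import re
from pathlib import Path

# path:line, with no whitespace inside the path (assumption matching the
# SND001 file shown in this thread).
TARGET_LINE_RE = re.compile(r"^(?P<path>[^:\s]+):(?P<line>\d+)$")


def parse_targets(text):
    """Parse AFLGo-style target lines; raise ValueError on a malformed line."""
    targets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TARGET_LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: expected 'path:line', got {raw!r}")
        targets.append((m.group("path"), int(m.group("line"))))
    if not targets:
        raise ValueError("target file contains no target lines")
    return targets


def delivered_target(text):
    """Return (first_target, dropped_targets): only the first line reaches Sparrow."""
    targets = parse_targets(text)
    return targets[0], targets[1:]


def definition_regex(func):
    # A definition is `name(params) {`; a prototype is `name(params);`.
    # The parameter list may span lines in preprocessed output, hence re.S.
    return re.compile(r"\b" + re.escape(func) + r"\s*\([^;{}]*\)\s*\{", re.S)


def find_definitions(units, func):
    """units: mapping unit-name -> preprocessed source text.
    Return the sorted names of units that define `func`."""
    rx = definition_regex(func)
    return sorted(name for name, src in units.items() if rx.search(src))


def check_entry_point(units, entry_point):
    """Return the units defining `entry_point`; raise LookupError if none."""
    hits = find_definitions(units, entry_point)
    if not hits:
        raise LookupError(f"entry point {entry_point!r} is not defined in any unit; "
                          "Sparrow would report it as not found")
    return hits


def load_units(smake_out):
    """Read every .i/.ii file directly under a smake-out directory (e.g.
    /benchmark/smake-out/sndfile_fuzzer) into a dict for find_definitions."""
    root = Path(smake_out)
    return {p.name: p.read_text(errors="replace")
            for p in root.iterdir() if p.suffix in (".i", ".ii")}


# Constructed sample inputs (not the real libsndfile preprocessed sources).
SAMPLE_TARGET_FILE = """\
src/paf.c:201
src/paf.c:204
src/paf.c:205
src/paf.c:206
src/paf.c:207
"""

SAMPLE_UNITS = {
    "00.sndfile_fuzzer-sndfile_fuzzer.o.ii": (
        'extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);\n'
        'extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)\n'
        "{\n  return 0;\n}\n"
    ),
    "27.libstandaloneengine_la-standaloneengine.o.ii": (
        "int main(int argc, char **argv)\n{\n  return 0;\n}\n"
    ),
    "17.libsndfile_la-paf.o.i": (
        "static int paf_read_header(SF_PRIVATE *psf)\n{\n  return 0;\n}\n"
    ),
}


if __name__ == "__main__":
    first, dropped = delivered_target(SAMPLE_TARGET_FILE)
    print("delivered to Sparrow:", first)
    for path, line in dropped:
        print("WARNING: dropped target line", f"{path}:{line}")
    for entry in ("main", "LLVMFuzzerTestOneInput"):
        print(entry, "defined in:", check_entry_point(SAMPLE_UNITS, entry))
```

For a real run, replace SAMPLE_UNITS with `load_units("/benchmark/smake-out/sndfile_fuzzer")` and feed the contents of the SND001 file to `delivered_target`; a definition found only in the standalone-engine unit (as in the grep above) is a hint that `LLVMFuzzerTestOneInput` rather than `main` is the entry point the analysis should start from.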