
AFLGo: Directed Greybox Fuzzing

AFLGo is an extension of American Fuzzy Lop (AFL). Given a set of target locations (e.g., folder/file.c:582), AFLGo generates inputs specifically with the objective to exercise these target locations.

Unlike AFL, AFLGo spends most of its time budget on reaching specific target locations without wasting resources stressing unrelated program components. This is particularly interesting in the context of

  • patch testing by setting changed statements as targets. When a critical component is changed, we would like to check whether this introduced any vulnerabilities. AFLGo, a fuzzer that can focus on those changes, has a higher chance of exposing the regression.
  • static analysis report verification by setting statements as targets that a static analysis reports as potentially dangerous or vulnerability-inducing. When assessing the security of a program, static analysis tools might identify dangerous locations, such as critical system calls. AFLGo can generate inputs that actually show that this is indeed no false positive.
  • information flow detection by setting sensitive sources and sinks as targets. To expose data leakage vulnerabilities, a security researcher would like to generate executions that exercise sensitive sources containing private information and sensitive sinks where data becomes visible to the outside world. A directed fuzzer can be used to generate such executions efficiently.
  • crash reproduction by setting method calls in the stack-trace as targets. When in-field crashes are reported, only the stack-trace and some environmental parameters are sent to the in-house development team. To preserve the user's privacy, the specific crashing input is often not available. AFLGo could help the in-house team to swiftly reproduce these crashes.

AFLGo is based on AFL from Michał Zalewski <[email protected]>. Check out the project awesome-directed-fuzzing for related work on directed greybox/whitebox fuzzing.

Getting Started

Let's get started with building AFLGo (on Ubuntu 20.04) and fuzzing the target libxml2:

git clone https://github.com/aflgo/aflgo.git
cd aflgo
export AFLGO=$PWD

# Build AFLGo
sudo ./build.sh

# When you fuzz for the very first time...
sudo sh -c 'echo core > /proc/sys/kernel/core_pattern'

# Fuzz the target libxml2
cd examples
./libxml2-ef709ce2.sh

See the detailed steps discussed below.

Integration into OSS-Fuzz

The easiest way to use AFLGo is as a patch testing tool in OSS-Fuzz. Here is our integration:

Environment Variables

  • AFLGO_INST_RATIO -- The proportion of basic blocks instrumented with distance values (default: 100).
  • AFLGO_SELECTIVE -- Add AFL-trampoline only to basic blocks with distance values? (default: off).
  • AFLGO_PROFILER_FILE -- When CFG-tracing is enabled, the data will be stored here. (See instrument/README.md)

How to instrument a Binary with AFLGo

You can run the AFLGo build script to do everything for you instead of manually going through steps 1 to 3. Be careful: these steps download, build and install LLVM 11.0.0 from source, which may have unexpected effects on the compiler toolchain already installed on the system.

For steps 4 to 8 we take libxml2 as an example. Equivalently, you can run the libxml2 fuzzing script instead.

Before you start, make sure the AFLGo source tree is checked out and you are in its root directory. Then set the environment variable AFLGO to it; later steps rely on it. For example,

git clone https://github.com/aflgo/aflgo.git
cd aflgo
export AFLGO=$PWD
  1. Install LLVM 11.0.0 with the Gold plugin. Then make sure that the following commands execute successfully:

    # Install LLVMgold into bfd-plugins
    mkdir /usr/lib/bfd-plugins
    cp /usr/local/lib/libLTO.so /usr/lib/bfd-plugins
    cp /usr/local/lib/LLVMgold.so /usr/lib/bfd-plugins
  2. Install the other prerequisites

    sudo apt-get update
    sudo apt-get install python3
    sudo apt-get install python3-dev
    sudo apt-get install python3-pip
    sudo apt-get install pkg-config
    sudo apt-get install autoconf
    sudo apt-get install automake
    sudo apt-get install libtool-bin
    sudo apt-get install gawk
    sudo apt-get install libboost-all-dev  # boost is not required if you use gen_distance_orig.sh in step 7
    python3 -m pip install networkx  # May vary by different python versions, see the case statement in build.sh
    python3 -m pip install pydot
    python3 -m pip install pydotplus
  3. Compile the AFLGo fuzzer, the LLVM instrumentation pass and the distance calculator

    export CXX=`which clang++`
    export CC=`which clang`
    export LLVM_CONFIG=`which llvm-config`
    
    pushd afl-2.57b; make clean all; popd;
    pushd instrument; make clean all; popd;
    pushd distance/distance_calculator; cmake ./; cmake --build ./; popd;
  4. Download the subject libxml2.

    # Clone subject repository
    git clone https://gitlab.gnome.org/GNOME/libxml2
    export SUBJECT=$PWD/libxml2
  5. Set targets (e.g., changed statements in commit ef709ce2). This writes BBtargets.txt.

    # Setup directory containing all temporary files
    mkdir temp
    export TMP_DIR=$PWD/temp
    
    # Download commit-analysis tool
    wget https://raw.githubusercontent.com/jay/showlinenum/develop/showlinenum.awk
    chmod +x showlinenum.awk
    mv showlinenum.awk $TMP_DIR
    
    # Generate BBtargets from commit ef709ce2
    pushd $SUBJECT
      git checkout ef709ce2
      git diff -U0 HEAD^ HEAD > $TMP_DIR/commit.diff
    popd
    cat $TMP_DIR/commit.diff |  $TMP_DIR/showlinenum.awk show_header=0 path=1 | grep -e "\.[ch]:[0-9]*:+" -e "\.cpp:[0-9]*:+" -e "\.cc:[0-9]*:+" | cut -d+ -f1 | rev | cut -c2- | rev > $TMP_DIR/BBtargets.txt
    
    # Print extracted targets. 
    echo "Targets:"
    cat $TMP_DIR/BBtargets.txt

    Note: If there are no targets, there is nothing to instrument!

  6. Generate CG and intra-procedural CFGs from the subject.

    # Set aflgo-instrumenter
    export CC=$AFLGO/instrument/aflgo-clang
    export CXX=$AFLGO/instrument/aflgo-clang++
    
    # Set aflgo-instrumentation flags
    export COPY_CFLAGS=$CFLAGS
    export COPY_CXXFLAGS=$CXXFLAGS
    export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
    export CFLAGS="$CFLAGS $ADDITIONAL"
    export CXXFLAGS="$CXXFLAGS $ADDITIONAL"
    
    # Build libxml2 (in order to generate CG and CFGs).
    # Meanwhile go have a coffee ☕️
    export LDFLAGS=-lpthread
    pushd $SUBJECT
      ./autogen.sh
      ./configure --disable-shared
      make clean
      make xmllint
    popd

    You can test whether CG/CFG extraction was successful with

    $SUBJECT/xmllint --valid --recover $SUBJECT/test/dtd3
    ls $TMP_DIR/dot-files
    echo "Function targets"
    cat $TMP_DIR/Ftargets.txt

    Note:

    • If the linker (CCLD) complains that you should run ranlib, make sure that libLTO.so and LLVMgold.so (from Install LLVM 11.0.0 with Gold-plugin in step 1) can be found in /usr/lib/bfd-plugins.
    • If the compiler crashes, there is some problem with LLVM not supporting our instrumentation (afl-llvm-pass.so.cc:540-577). LLVM has changed the instrumentation API very often :( You can check the LLVM version, fix the problem, and prepare a pull request.
    • You can speed up the compilation with a parallel build. However, this may impact which BBs are identified as targets. See #41.
  7. Generate the distance file. First we need to clean up BBnames.txt and BBcalls.txt, otherwise distance_calculator may fail. This is necessary for any subject, not only for libxml2.

    # Clean up
    cat $TMP_DIR/BBnames.txt | grep -v "^$"| rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt
    
    cat $TMP_DIR/BBcalls.txt | grep -Ev "^[^,]*$|^([^,]*,){2,}[^,]*$"| sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt

    Then start generating (this may take a while):

    # Generate distance ☕️
    # $AFLGO/distance/gen_distance_orig.sh is the original, but significantly slower, version
    
    $AFLGO/distance/gen_distance_fast.py $SUBJECT $TMP_DIR xmllint

    After that you can check the generated distance file with

    echo "Distance values:"
    head -n5 $TMP_DIR/distance.cfg.txt
    echo "..."
    tail -n5 $TMP_DIR/distance.cfg.txt

    Note: If distance.cfg.txt is empty, there was some problem computing the CG-level and BB-level target distance. See $TMP_DIR/step*.log.

  8. Instrument the subject

    export CFLAGS="$COPY_CFLAGS -distance=$TMP_DIR/distance.cfg.txt"
    export CXXFLAGS="$COPY_CXXFLAGS -distance=$TMP_DIR/distance.cfg.txt"
    
    # Clean and build subject with distance instrumentation ☕️
    pushd $SUBJECT
      make clean
      ./configure --disable-shared
      make xmllint
    popd

    If your compilation crashes in this step, have a look at Issue #4.
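Steps 5 and 7 above are shell pipelines that transform text files: step 5 turns a unified diff into BBtargets.txt (one path:line per added line in a .c/.h/.cpp/.cc file), and step 7 normalises BBnames.txt (drops empty lines and the trailing ":" the pass appends to each block name) and BBcalls.txt (keeps only bbname,callee pairs with exactly one comma). The Python below is an added example, not part of AFLGo, that performs the same three transformations so you can check the expected output shape on a constructed diff without showlinenum. It assumes that showlinenum's path=1 output equals the "+++ b/" path with the "b/" prefix removed; the sample diff and the sample BBnames/BBcalls lines are constructed for the example.

```python
import re
from typing import List

# File extensions the step-5 grep keeps: .c/.h/.cpp/.cc sources only.
SOURCE_EXTS = (".c", ".h", ".cpp", ".cc")
# "@@ -old[,n] +new[,m] @@": only the starting line in the new file is needed.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff (not from the libxml2 commit): a -U0 style diff
# touching one source file and one non-source file.
SAMPLE_DIFF = """\
diff --git a/parser.c b/parser.c
index 1111111..2222222 100644
--- a/parser.c
+++ b/parser.c
@@ -580,0 +581,2 @@ xmlParseFoo(xmlParserCtxtPtr ctxt)
+    if (cur == NULL)
+        return;
@@ -600 +602 @@ xmlParseBar(xmlParserCtxtPtr ctxt)
-    old_call(ctxt);
+    new_call(ctxt);
diff --git a/README b/README
index 3333333..4444444 100644
--- a/README
+++ b/README
@@ -1 +1 @@
-old text
+new text
"""


def extract_targets(diff_text: str) -> List[str]:
    """Return 'path:line' for each added line in a source file, the same
    shape step 5 writes to BBtargets.txt. The path comes from the '+++ b/'
    header with 'b/' stripped (assumption: equals showlinenum's path=1)."""
    targets: List[str] = []
    path = None
    new_line = 0
    in_hunk = False
    for raw in diff_text.splitlines():
        if raw.startswith("diff "):
            in_hunk = False          # new file section: headers follow
            path = None
            continue
        if not in_hunk:
            if raw.startswith("+++ "):
                path = raw[4:].strip()
                path = path[2:] if path.startswith("b/") else path
            m = HUNK_RE.match(raw)
            if m:
                in_hunk = True
                new_line = int(m.group(1))
            continue
        m = HUNK_RE.match(raw)
        if m:                        # next hunk of the same file
            new_line = int(m.group(1))
        elif raw.startswith("\\"):
            pass                     # "\ No newline at end of file"
        elif raw.startswith("+"):
            if path is not None and path.endswith(SOURCE_EXTS):
                targets.append(f"{path}:{new_line}")
            new_line += 1
        elif raw.startswith("-"):
            pass                     # removed line: exists in the old file only
        else:
            new_line += 1            # context line (absent with -U0)
    return targets


def clean_bbnames(lines: List[str]) -> List[str]:
    """Step-7 BBnames.txt cleanup: drop empty lines, cut off the last
    ':'-separated field (the trailing ':' the pass appends to each block
    name), then sort and dedupe, as grep/rev/cut/sort/uniq do."""
    kept = set()
    for line in lines:
        if line == "":
            continue
        kept.add(line.rsplit(":", 1)[0] if ":" in line else line)
    return sorted(kept)


def clean_bbcalls(lines: List[str]) -> List[str]:
    """Step-7 BBcalls.txt cleanup: keep only 'bbname,callee' lines with
    exactly one comma (grep -Ev drops zero- and multi-comma lines),
    then sort and dedupe."""
    return sorted({line for line in lines if line.count(",") == 1})


# Constructed sample contents of BBnames.txt and BBcalls.txt.
SAMPLE_BBNAMES = ["parser.c:581:", "", "parser.c:581:", "tree.c:10:", ""]
SAMPLE_BBCALLS = ["parser.c:581,xmlFoo", "garbage", "a,b,c", "parser.c:581,xmlFoo"]

if __name__ == "__main__":
    print("Targets:", *extract_targets(SAMPLE_DIFF), sep="\n")
    print("BBnames:", *clean_bbnames(SAMPLE_BBNAMES), sep="\n")
    print("BBcalls:", *clean_bbcalls(SAMPLE_BBCALLS), sep="\n")
```

Running the file prints the three cleaned lists; the first one is what "cat $TMP_DIR/BBtargets.txt" in step 5 should look like for the constructed diff. If extract_targets returns an empty list for your real commit.diff, that is the "no targets, nothing to instrument" case the note in step 5 warns about.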

How to fuzz the instrumented binary

  • We set the exponential annealing-based power schedule (-z exp).
  • We set the time-to-exploitation to 45min (-c 45m), assuming the fuzzer is run for about an hour.

(We continue with the libxml2 example from above.)

# Construct seed corpus
mkdir in
cp -r $SUBJECT/test/dtd* in
cp $SUBJECT/test/dtds/* in

$AFLGO/afl-2.57b/afl-fuzz -S ef709ce2 -z exp -c 45m -i in -o out $SUBJECT/xmllint --valid --recover @@
  • Tip: Concurrently fuzz the most recent version as master with classical AFL :)
$AFL/afl-fuzz -M master -i in -o out $MASTER/xmllint --valid --recover @@
  • Run more fuzzing scripts for various real programs like Binutils, jasper, lrzip, libming and DARPA CGC. Those scripts do not yet contain dependency installation steps, so it is recommended to read the READMEs of those projects first to check their requirements.

Contributors

0xdd96, adrianherrera, aflgo, aticu, bjchan9an, gytsen, liblor, martinclauss, mboehme, ricardo-609, sonicstark, strongcourage, thekidofarcrania, thomas-huet, tl455047, waugustus, zjuchenyuan


aflgo's Issues

cannot build

At step 7, I was trying to build libxml2. When running "./configure --disable-shared", I received the error message:
"checking for gcc... $LOCAL_PATH/aflgo/aflgo/afl-clang-fast
checking whether the C compiler works... no
configure: error: in `$LOCAL_PATH/aflgo/libxml2':
configure: error: C compiler cannot create executables"

My LLVM version is LLVM5.0.0

Why should the symbol ":" be added after bb_name in afl-llvm-pass.so.cc:361?

I used aflgo to fuzz ImageMagick, but the distance.cfg.txt is empty.

I found that it was because BBnames.txt was like filename:line:, and its n_name was like {filename:line::, so the function find_nodes(name) returned [].

# is_cg and G are module-level globals of the distance script: is_cg selects
# call-graph (function) node labels; otherwise a BB name is matched as the
# prefix "{file:line:" of the dot node label.
def node_name(name):
    if is_cg:
        return "\"{%s}\"" % name
    else:
        return "\"{%s:" % name


#################################
# Find the graph node for a name
#################################
def find_nodes(name):
    n_name = node_name(name)
    # Keep the nodes whose label contains the quoted name.
    n_list = list(filter(lambda d: 'label' in d[1] and n_name in d[1]['label'], G.nodes(data=True)))
    if len(n_list) > 0:
        return n_list
    else:
        return []

Then I found where the ':' was added in afl-llvm-pass.so.cc.

if (!bb_name.empty()) {

  BB.setName(bb_name + ":");
  if (!BB.hasName()) {
    std::string newname = bb_name + ":";
    Twine t(newname);
    SmallString<256> NameData;
    StringRef NameRef = t.toStringRef(NameData);
    BB.setValueName(ValueName::Create(NameRef));
  }

  bbnames << BB.getName().str() << "\n";
  has_BBs = true;

#ifdef AFLGO_TRACING
  Value *bbnameVal = Builder.CreateGlobalStringPtr(bb_name);
  Type *Args[] = {
      Type::getInt8PtrTy(M.getContext()) //uint8_t* bb_name
  };
  FunctionType *FTy = FunctionType::get(Type::getVoidTy(M.getContext()), Args, false);
  Constant *instrumented = M.getOrInsertFunction("llvm_profiling_call", FTy);
  Builder.CreateCall(instrumented, {bbnameVal});
#endif

}

But I am confused: why do you need to add ":" after bb_name rather than just bb_name?

When the target is reached

I followed the tutorial and fuzzed xmllint for about 15 hours.

However, how can I know whether the target is reached or not? How many inputs will hit the target? When is the first input that reaches the target generated?

compile crash

I am using llvm-4 and the newest aflgo to instrument the binary in distance mode. However, I came across the problems below. Has anyone had the same experience?

aflgo-llvm-pass (yeah!) 2.49b (distance instrumentation mode)
clang-4.0: /home/jmh/Downloads/llvm-4/llvm/lib/IR/Instructions.cpp:1355: llvm::LoadInst::LoadInst(llvm::Type*, llvm::Value*, const char*, bool, llvm::Instruction*): Assertion `Ty == cast<PointerType>(Ptr->getType())->getElementType()' failed.
#0 0x00000000038b1a16 llvm::sys::PrintStackTrace(llvm::raw_ostream&) /home/jmh/Downloads/llvm-4/llvm/lib/Support/Unix/Signals.inc:402:0
#1 0x00000000038b1db5 PrintStackTraceSignalHandler(void*) /home/jmh/Downloads/llvm-4/llvm/lib/Support/Unix/Signals.inc:466:0
#2 0x00000000038afd4d llvm::sys::RunSignalHandlers() /home/jmh/Downloads/llvm-4/llvm/lib/Support/Signals.cpp:44:0
#3 0x00000000038b1277 SignalHandler(int) /home/jmh/Downloads/llvm-4/llvm/lib/Support/Unix/Signals.inc:256:0
#4 0x00007ff7d05ba390 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
#5 0x00007ff7cf32c428 gsignal /build/glibc-Cl5G7W/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54:0
#6 0x00007ff7cf32e02a abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:91:0
#7 0x00007ff7cf324bd7 __assert_fail_base /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:92:0
#8 0x00007ff7cf324c82 (/lib/x86_64-linux-gnu/libc.so.6+0x2dc82)
#9 0x0000000003279459 llvm::LoadInst::LoadInst(llvm::Type*, llvm::Value*, char const*, bool, llvm::Instruction*) /home/jmh/Downloads/llvm-4/llvm/lib/IR/Instructions.cpp:1356:0
#10 0x00007ff7cf0ecd00 llvm::IRBuilder<llvm::ConstantFolder, llvm::IRBuilderDefaultInserter>::CreateLoad(llvm::Type*, llvm::Value*, llvm::Twine const&) /home/jmh/Downloads/llvm-4/llvm/include/llvm/IR/IRBuilder.h:1089:12
#11 0x00007ff7cf0ecd00 (anonymous namespace)::AFLCoverage::runOnModule(llvm::Module&) /home/jmh/Downloads/fuzz/aflgo/llvm_mode/afl-llvm-pass.so.cc:558:0
#12 0x00000000032ad59e (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/jmh/Downloads/llvm-4/llvm/lib/IR/LegacyPassManager.cpp:1590:0
#13 0x00000000032adcb3 llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/jmh/Downloads/llvm-4/llvm/lib/IR/LegacyPassManager.cpp:1693:0
#14 0x00000000032adebf llvm::legacy::PassManager::run(llvm::Module&) /home/jmh/Downloads/llvm-4/llvm/lib/IR/LegacyPassManager.cpp:1725:0
#15 0x0000000003b6b2b1 (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/jmh/Downloads/llvm-4/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:723:0
#16 0x0000000003b6cab0 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/jmh/Downloads/llvm-4/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:978:0
#17 0x00000000045fd33d clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) /home/jmh/Downloads/llvm-4/llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:231:0
#18 0x00000000052e0995 clang::ParseAST(clang::Sema&, bool, bool) /home/jmh/Downloads/llvm-4/llvm/tools/clang/lib/Parse/ParseAST.cpp:161:0
#19 0x000000000415f9cf clang::ASTFrontendAction::ExecuteAction() /home/jmh/Downloads/llvm-4/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:559:0
#20 0x00000000045fb957 clang::CodeGenAction::ExecuteAction() /home/jmh/Downloads/llvm-4/llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:911:0
#21 0x000000000415f41c clang::FrontendAction::Execute() /home/jmh/Downloads/llvm-4/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:463:0
#22 0x0000000004100ab0 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/jmh/Downloads/llvm-4/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:954:0
#23 0x000000000429dc4d clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/jmh/Downloads/llvm-4/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:249:0
#24 0x0000000001becfc7 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/jmh/Downloads/llvm-4/llvm/tools/clang/tools/driver/cc1_main.cpp:221:0
#25 0x0000000001be291b ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /home/jmh/Downloads/llvm-4/llvm/tools/clang/tools/driver/driver.cpp:299:0
#26 0x0000000001be3539 main /home/jmh/Downloads/llvm-4/llvm/tools/clang/tools/driver/driver.cpp:380:0
#27 0x00007ff7cf317830 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:325:0
#28 0x0000000001be00d9 _start (/home/jmh/Downloads/llvm-4/llvm/build/bin/clang-4.0+0x1be00d9)
Stack dump:
0.	Program arguments: /home/jmh/Downloads/llvm-4/llvm/build/bin/clang-4.0 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -mrelax-all -disable-free -main-file-name xmllint.c -mrelocation-model static -mthread-model posix -mdisable-fp-elim -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -coverage-notes-file /home/jmh/Downloads/fuzz/libxml2/xmllint.gcno -resource-dir /home/jmh/Downloads/llvm-4/llvm/build/bin/../lib/clang/4.0.0 -dependency-file .deps/xmllint.Tpo -sys-header-deps -MP -MT xmllint.o -D HAVE_CONFIG_H -I . -I ./include -I ./include -D _REENTRANT -D __AFL_HAVE_MANUAL_CONTROL=1 -D __AFL_COMPILER=1 -D FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -D __AFL_LOOP(_A)=({ static volatile char *_B __attribute__((used));  _B = (char*)"##SIG_AFL_PERSISTENT##"; __attribute__((visibility("default"))) int _L(unsigned int) __asm__("__afl_persistent_loop"); _L(_A); }) -D __AFL_INIT()=do { static volatile char *_A __attribute__((used));  _A = (char*)"##SIG_AFL_DEFER_FORKSRV##"; __attribute__((visibility("default"))) void _I(void) __asm__("__afl_manual_init"); _I(); } while (0) -internal-isystem /usr/local/include -internal-isystem /home/jmh/Downloads/llvm-4/llvm/build/bin/../lib/clang/4.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wno-long-long -pedantic -fconst-strings -fdebug-compilation-dir /home/jmh/Downloads/fuzz/libxml2 -ferror-limit 19 -fmessage-length 181 -funroll-loops -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -load 
/home/jmh/Downloads/fuzz/aflgo/afl-llvm-pass.so -mllvm -distance=/home/jmh/distance.txt -o xmllint.o -x c xmllint.c 
1.	<eof> parser at end of file
2.	Per-module optimization passes
3.	Running pass 'Unnamed pass: implement Pass::getPassName()' on module 'xmllint.c'.
clang-4.0: error: unable to execute command: Aborted
clang-4.0: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 4.0.0 (tags/RELEASE_400/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/jmh/Downloads/llvm-4/llvm/build/bin
clang-4.0: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.
clang-4.0: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-4.0: note: diagnostic msg: /tmp/xmllint-caf38a.c
clang-4.0: note: diagnostic msg: /tmp/xmllint-caf38a.sh
clang-4.0: note: diagnostic msg: 

********************
Makefile:1233: recipe for target 'xmllint.o' failed
make: *** [xmllint.o] Error 254

LAVA-M

Hello, I would like to know whether the LAVA dataset problem has been resolved and whether there is a way to use it. Thank you.

Why not implement the standard harmonic mean distance calculation as the paper says?

I read the code and see that the distance calculation is not the standard harmonic mean distance.
As shown below, the distance is only updated if distance > i / d; this introduces some difference when tested with the example in figure 4 of your paper. By this means, the distances for the 3 nodes in the figure will be 2, 3, 8/3, while the harmonic mean distances for the 3 nodes in the figure are 3/4, 1, 3/4.

  1. Why did you choose this means?
  2. Is there any problem?

    if d != 0 and (distance == -1 or distance > i / d) :
        distance = i / d
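To make the two formulas the question compares concrete, here is an added example that is neither the project's code nor the paper's figure: a constructed call graph, BFS shortest paths, the paper's function-level distance (the inverse of the sum of reciprocal distances over the reachable targets, undefined when none is reachable) and the true harmonic mean (number of reachable targets divided by that same sum). Writing the harmonic mean as i / d, with i the count of reachable targets and d the summed reciprocals, is an assumption about what the variables in the quoted update line hold; the graph, the node names and the convention that a target's distance to itself is 0 are constructed for the example.

```python
from collections import deque
from fractions import Fraction
from typing import Dict, List

# Constructed call graph (not the paper's figure): caller -> callees.
CALL_GRAPH: Dict[str, List[str]] = {
    "main": ["a", "b"],
    "a": ["t1", "c"],
    "b": ["t2"],
    "c": ["t2"],
    "t1": [],
    "t2": [],
    "leaf": [],      # reaches no target at all
}
TARGETS = ["t1", "t2"]


def shortest_paths(graph, source):
    """Shortest path length (in call edges) from source to every reachable node, by BFS."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in dist:
                dist[callee] = dist[node] + 1
                queue.append(callee)
    return dist


def reachable_target_distances(graph, node, targets):
    """Distances from node to each target it can reach (the set R(n, T_f) of the paper)."""
    dist = shortest_paths(graph, node)
    return [dist[t] for t in targets if t in dist]


def paper_distance(graph, node, targets):
    """The paper's definition: inverse of the summed reciprocal distances.
    Returns -1 (undefined) when no target is reachable, 0 when node is a target."""
    if node in targets:
        return Fraction(0)
    ds = reachable_target_distances(graph, node, targets)
    if not ds:
        return Fraction(-1)
    return 1 / sum(Fraction(1, x) for x in ds)


def harmonic_mean_distance(graph, node, targets):
    """True harmonic mean i / d: i reachable targets over their summed
    reciprocal distances d. Coincides with paper_distance only when i == 1."""
    if node in targets:
        return Fraction(0)
    ds = reachable_target_distances(graph, node, targets)
    if not ds:
        return Fraction(-1)
    i = len(ds)
    d = sum(Fraction(1, x) for x in ds)
    return i / d


if __name__ == "__main__":
    for n in CALL_GRAPH:
        print(f"{n:5s} paper={paper_distance(CALL_GRAPH, n, TARGETS)!s:>4s} "
              f"harmonic={harmonic_mean_distance(CALL_GRAPH, n, TARGETS)!s:>4s}")
```

For "main" both targets sit at distance 2, so the paper's formula gives 1 while the harmonic mean gives 2; for "b", which reaches only one target, the two agree. The factor between them is exactly the number of reachable targets, which is the discrepancy the question is about.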

ARM support

I want to fuzz binaries for the ARM architecture. Does aflgo support all of the features in qemu mode? If not, what can I do to make aflgo support ARM?

How to use aflgo with asan?

Hello, I tried to reproduce the evaluation of CVE-2011-3328 on libpng1.5.4. I did the first instrumentation without ASAN to generate distance.cfg.txt, then I did the second instrumentation with export AFL_USE_ASAN=1. So is it correct if I do not use asan during the first instrumentation? Thanks!

The callgraph.dot file doesn't contain the target function.

Hi, I'm using aflgo, but there is always a confusing problem: the callgraph.dot generated by genDistance.sh doesn't contain all the functions. Which callgraph.*.dot file should be used when I run the genDistance.sh script in this situation?

error when test on diffutils

Hi,

I use LLVM4.0 and work on diffutils using AFLGO. I received this error message:

aflgo-llvm-pass (yeah!) 2.49b (preprocessing mode)
#0 0x00007f7e4beefba8 llvm::sys::PrintStackTrace(llvm::raw_ostream&) MY_LOCAL_PATH/llvm_4.0/src/lib/Support/Unix/Signals.inc:406:0
#1 0x00007f7e4beedd2e llvm::sys::RunSignalHandlers() MY_LOCAL_PATH/llvm_4.0/src/lib/Support/Signals.cpp:45:0
#2 0x00007f7e4beede7c SignalHandler(int) MY_LOCAL_PATH/llvm_4.0/src/lib/Support/Unix/Signals.inc:246:0
#3 0x00007f7e4ae294b0 (/lib/x86_64-linux-gnu/libc.so.6+0x354b0)
#4 0x00007f7e4af42168 /build/glibc-Cl5G7W/glibc-2.23/string/../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:245:0
#5 0x00007f7e4bed4be1 memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53:0
#6 0x00007f7e4bed4be1 void llvm::SmallVectorTemplateBase<char, true>::uninitialized_copy<char const, char>(char const*, char const*, char*, std::enable_if<std::is_same<std::remove_const::type, char>::value, void>::type*) MY_LOCAL_PATH/llvm_4.0/src/include/llvm/ADT/SmallVector.h:296:0
#7 0x00007f7e4bed4be1 void llvm::SmallVectorImpl::append<char const*>(char const*, char const*) MY_LOCAL_PATH/llvm_4.0/src/include/llvm/ADT/SmallVector.h:399:0
#8 0x00007f7e4bed4be1 llvm::raw_svector_ostream::write_impl(char const*, unsigned long) MY_LOCAL_PATH/llvm_4.0/src/lib/Support/raw_ostream.cpp:741:0
#9 0x00007f7e4bed5787 llvm::raw_ostream::write(char const*, unsigned long) MY_LOCAL_PATH/llvm_4.0/src/lib/Support/raw_ostream.cpp:225:0
#10 0x00007f7e4bec3f68 llvm::Twine::print(llvm::raw_ostream&) const MY_LOCAL_PATH/llvm_4.0/src/lib/Support/Twine.cpp:165:0
#11 0x00007f7e4bec4189 llvm::raw_pwrite_stream::~raw_pwrite_stream() MY_LOCAL_PATH/llvm_4.0/src/include/llvm/Support/raw_ostream.h:333:0
#12 0x00007f7e4bec4189 llvm::raw_svector_ostream::~raw_svector_ostream() MY_LOCAL_PATH/llvm_4.0/src/include/llvm/Support/raw_ostream.h:510:0
#13 0x00007f7e4bec4189 llvm::Twine::toVector(llvm::SmallVectorImpl&) const MY_LOCAL_PATH/llvm_4.0/src/lib/Support/Twine.cpp:33:0
#14 0x00007f7e4bec422d llvm::SmallVectorTemplateCommon<char, void>::begin() const MY_LOCAL_PATH/llvm_4.0/src/include/llvm/ADT/SmallVector.h:117:0
#15 0x00007f7e4bec422d llvm::SmallVectorTemplateCommon<char, void>::size() const MY_LOCAL_PATH/llvm_4.0/src/include/llvm/ADT/SmallVector.h:135:0
#16 0x00007f7e4bec422d llvm::Twine::toStringRef(llvm::SmallVectorImpl&) const MY_LOCAL_PATH/llvm_4.0/src/include/llvm/ADT/Twine.h:467:0
#17 0x00007f7e4bec422d llvm::Twine::strabi:cxx11 const MY_LOCAL_PATH/llvm_4.0/src/lib/Support/Twine.cpp:29:0
#18 0x00007f7e4a0842a3 llvm::DOTGraphTraits<llvm::Function const*>::getEdgeAttributes[abi:cxx11](llvm::BasicBlock const*, llvm::TerminatorInst::SuccIterator<llvm::TerminatorInst const*, llvm::BasicBlock const>, llvm::Function const*) MY_LOCAL_PATH/llvm_4.0/install/include/llvm/Analysis/CFGPrinter.h:0:18
#19 0x00007f7e4a083960 llvm::GraphWriter<llvm::Function const*>::writeEdge(llvm::BasicBlock const*, unsigned int, llvm::TerminatorInst::SuccIterator<llvm::TerminatorInst const*, llvm::BasicBlock const>) MY_LOCAL_PATH/llvm_4.0/install/include/llvm/Support/GraphWriter.h:244:7
#20 0x00007f7e4a083652 llvm::GraphWriter<llvm::Function const*>::writeNode(llvm::BasicBlock const*) MY_LOCAL_PATH/llvm_4.0/install/include/llvm/Support/GraphWriter.h:221:5
#21 0x00007f7e4a081ce3 llvm::ilist_node_base::getNext() const MY_LOCAL_PATH/llvm_4.0/install/include/llvm/ADT/ilist_node_base.h:30:45
#22 0x00007f7e4a081ce3 llvm::ilist_node_impl<llvm::ilist_detail::node_options<llvm::BasicBlock, false, false, void> >::getNext() const MY_LOCAL_PATH/llvm_4.0/install/include/llvm/ADT/ilist_node.h:74:0
#23 0x00007f7e4a081ce3 llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::BasicBlock, false, false, void>, false, true>::operator++() MY_LOCAL_PATH/llvm_4.0/install/include/llvm/ADT/ilist_iterator.h:158:0
#24 0x00007f7e4a081ce3 llvm::simple_ilistllvm::BasicBlock::begin() const MY_LOCAL_PATH/llvm_4.0/install/include/llvm/ADT/simple_ilist.h:114:0
#25 0x00007f7e4a081ce3 llvm::Function::begin() const MY_LOCAL_PATH/llvm_4.0/install/include/llvm/IR/Function.h:536:0
#26 0x00007f7e4a081ce3 llvm::GraphTraits<llvm::Function const*>::nodes_begin(llvm::Function const*) MY_LOCAL_PATH/llvm_4.0/install/include/llvm/IR/CFG.h:234:0
#27 0x00007f7e4a081ce3 llvm::GraphWriter<llvm::Function const*>::writeNodes() MY_LOCAL_PATH/llvm_4.0/install/include/llvm/Support/GraphWriter.h:146:0
#28 0x00007f7e4a081ce3 llvm::GraphWriter<llvm::Function const*>::writeGraph(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) MY_LOCAL_PATH/llvm_4.0/install/include/llvm/Support/GraphWriter.h:109:0
#29 0x00007f7e4a081ce3 llvm::raw_ostream& llvm::WriteGraph<llvm::Function const*>(llvm::raw_ostream&, llvm::Function const* const&, bool, llvm::Twine const&) MY_LOCAL_PATH/llvm_4.0/install/include/llvm/Support/GraphWriter.h:307:0
#30 0x00007f7e4a081ce3 (anonymous namespace)::AFLCoverage::runOnModule(llvm::Module&) MY_LOCAL_PATH/aflgo/aflgo/llvm_mode/afl-llvm-pass.so.cc:396:0
#31 0x00007f7e4bfb9e4f runOnModule MY_LOCAL_PATH/llvm_4.0/src/lib/IR/LegacyPassManager.cpp:1590:0
#32 0x00007f7e4bfb9e4f llvm::legacy::PassManagerImpl::run(llvm::Module&) MY_LOCAL_PATH/llvm_4.0/src/lib/IR/LegacyPassManager.cpp:1693:0
#33 0x00000000007920f5 llvm::PrettyStackTraceString::~PrettyStackTraceString() MY_LOCAL_PATH/llvm_4.0/src/include/llvm/Support/PrettyStackTrace.h:52:0
#34 0x00000000007920f5 EmitAssembly MY_LOCAL_PATH/llvm_4.0/src/tools/clang/lib/CodeGen/BackendUtil.cpp:723:0
#35 0x00000000007920f5 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_deletellvm::raw_pwrite_stream >) MY_LOCAL_PATH/llvm_4.0/src/tools/clang/lib/CodeGen/BackendUtil.cpp:978:0
#36 0x0000000000b2e1a7 std::unique_ptr<llvm::raw_pwrite_stream, std::default_deletellvm::raw_pwrite_stream >::~unique_ptr() /usr/include/c++/5/bits/unique_ptr.h:235:0
#37 0x0000000000b2e1a7 clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) MY_LOCAL_PATH/llvm_4.0/src/tools/clang/lib/CodeGen/CodeGenAction.cpp:229:0
#38 0x0000000000c4bb58 void std::swap(bool&, bool&) /usr/include/c++/5/bits/move.h:187:0
#39 0x0000000000c4bb58 clang::ParseAST(clang::Sema&, bool, bool) MY_LOCAL_PATH/llvm_4.0/src/tools/clang/lib/Parse/ParseAST.cpp:161:0
#40 0x0000000000aa9e2e clang::FrontendAction::Execute() MY_LOCAL_PATH/llvm_4.0/src/tools/clang/lib/Frontend/FrontendAction.cpp:459:0
#41 0x0000000000a7a616 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) MY_LOCAL_PATH/llvm_4.0/src/tools/clang/lib/Frontend/CompilerInstance.cpp:954:0
#42 0x0000000000b28a62 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) MY_LOCAL_PATH/llvm_4.0/src/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:249:0
#43 0x0000000000752c48 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) MY_LOCAL_PATH/llvm_4.0/src/tools/clang/tools/driver/cc1_main.cpp:221:0
#44 0x000000000074f25e ExecuteCC1Tool MY_LOCAL_PATH/llvm_4.0/src/tools/clang/tools/driver/driver.cpp:299:0
#45 0x000000000074f25e main MY_LOCAL_PATH/llvm_4.0/src/tools/clang/tools/driver/driver.cpp:380:0
#46 0x00007f7e4ae14830 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:325:0
#47 0x0000000000751029 _start (MY_LOCAL_PATH/llvm_4.0/install/bin/clang-4.0+0x751029)
Stack dump:
0. Program arguments: MY_LOCAL_PATH/llvm_4.0/install/bin/clang-4.0 -cc1 -triple x86_64-unknown-linux-gnu -emit-llvm-bc -flto -disable-free -disable-llvm-verifier -discard-value-names -main-file-name regex.c -mrelocation-model static -mthread-model posix -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -momit-leaf-frame-pointer -dwarf-column-info -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -coverage-notes-file MY_LOCAL_PATH/aflgo/diffutils/lib/regex.gcno -resource-dir MY_LOCAL_PATH/llvm_4.0/install/bin/../lib/clang/4.0.0 -dependency-file .deps/regex.Tpo -sys-header-deps -MP -MT regex.o -I . -D __AFL_HAVE_MANUAL_CONTROL=1 -D __AFL_COMPILER=1 -D FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -D __AFL_LOOP(_A)=({ static volatile char _B attribute((used)); _B = (char)"##SIG_AFL_PERSISTENT##"; attribute((visibility("default"))) int _L(unsigned int) asm("__afl_persistent_loop"); _L(_A); }) -D __AFL_INIT()=do { static volatile char _A attribute((used)); _A = (char)"##SIG_AFL_DEFER_FORKSRV##"; attribute((visibility("default"))) void _I(void) asm("__afl_manual_init"); _I(); } while (0) -internal-isystem /usr/local/include -internal-isystem MY_LOCAL_PATH/llvm_4.0/install/bin/../lib/clang/4.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -fdebug-compilation-dir MY_LOCAL_PATH/aflgo/diffutils/lib -ferror-limit 19 -fmessage-length 184 -funroll-loops -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -vectorize-loops -vectorize-slp -load MY_LOCAL_PATH/aflgo/aflgo/afl-llvm-pass.so -mllvm -targets=MY_LOCAL_PATH/aflgo/diffutils//BBtargets.txt -mllvm -outdir=MY_LOCAL_PATH/aflgo/diffutils/ -o regex.o -x c regex.c

1.	<eof> parser at end of file
2.	Per-module optimization passes
3.	Running pass 'Unnamed pass: implement Pass::getPassName()' on module 'regex.c'.
clang-4.0: error: unable to execute command: Segmentation fault (core dumped)
clang-4.0: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 4.0.0 (tags/RELEASE_400/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /u/z/w/zw/llvm_4.0/install/bin

How could I fix this problem?

errors when fuzzing LAVA-M benchmark (base64)

I want to test AFLGo using the LAVA-M benchmark, but it does not work.

aflgo-compiler (yeah!) 2.49b
#0 0x0000000003f62e5f llvm::sys::PrintStackTrace(llvm::raw_ostream&) /home/stly/Documents/llvm/llvm-5.0/lib/Support/Unix/Signals.inc:398:0
#1 0x0000000003f62ef2 PrintStackTraceSignalHandler(void*) /home/stly/Documents/llvm/llvm-5.0/lib/Support/Unix/Signals.inc:462:0
#2 0x0000000003f61139 llvm::sys::RunSignalHandlers() /home/stly/Documents/llvm/llvm-5.0/lib/Support/Signals.cpp:49:0
#3 0x0000000003f626d4 SignalHandler(int) /home/stly/Documents/llvm/llvm-5.0/lib/Support/Unix/Signals.inc:252:0
#4 0x00007fddf933b390 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
#5 0x00007fddf80ad428 gsignal /build/glibc-Cl5G7W/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54:0
#6 0x00007fddf80af02a abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:91:0
#7 0x00007fddf80a5bd7 __assert_fail_base /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:92:0
#8 0x00007fddf80a5c82 (/lib/x86_64-linux-gnu/libc.so.6+0x2dc82)
#9 0x0000000003ef4a78 llvm::SmallVectorBase::grow_pod(void*, unsigned long, unsigned long) /home/stly/Documents/llvm/llvm-5.0/lib/Support/SmallVector.cpp:38:0
#10 0x0000000001e8add0 llvm::SmallVectorTemplateCommon<char, void>::grow_pod(unsigned long, unsigned long) /home/stly/Documents/llvm/llvm-5.0/include/llvm/ADT/SmallVector.h:83:0
#11 0x0000000001e89512 llvm::SmallVectorTemplateBase<char, true>::grow(unsigned long) /home/stly/Documents/llvm/llvm-5.0/include/llvm/ADT/SmallVector.h:303:0
#12 0x0000000001e873f6 void llvm::SmallVectorImpl<char>::append<char const*, void>(char const*, char const*) /home/stly/Documents/llvm/llvm-5.0/include/llvm/ADT/SmallVector.h:402:0
#13 0x0000000003f3a1e0 llvm::raw_svector_ostream::write_impl(char const*, unsigned long) /home/stly/Documents/llvm/llvm-5.0/lib/Support/raw_ostream.cpp:769:0
#14 0x0000000003f3868a llvm::raw_ostream::write(char const*, unsigned long) /home/stly/Documents/llvm/llvm-5.0/lib/Support/raw_ostream.cpp:225:0
#15 0x0000000002653527 llvm::raw_ostream::operator<<(llvm::SmallVectorImpl<char> const&) /home/stly/Documents/llvm/llvm-5.0/include/llvm/Support/raw_ostream.h:195:0
#16 0x0000000003f2a5a5 llvm::Twine::printOneChild(llvm::raw_ostream&, llvm::Twine::Child, llvm::Twine::NodeKind) const /home/stly/Documents/llvm/llvm-5.0/lib/Support/Twine.cpp:76:0
#17 0x0000000003f2aa4b llvm::Twine::print(llvm::raw_ostream&) const /home/stly/Documents/llvm/llvm-5.0/lib/Support/Twine.cpp:166:0
#18 0x0000000003f2a53e llvm::Twine::printOneChild(llvm::raw_ostream&, llvm::Twine::Child, llvm::Twine::NodeKind) const /home/stly/Documents/llvm/llvm-5.0/lib/Support/Twine.cpp:64:0
#19 0x0000000003f2aa24 llvm::Twine::print(llvm::raw_ostream&) const /home/stly/Documents/llvm/llvm-5.0/lib/Support/Twine.cpp:165:0
#20 0x0000000003f2a309 llvm::Twine::toVector(llvm::SmallVectorImpl<char>&) const /home/stly/Documents/llvm/llvm-5.0/lib/Support/Twine.cpp:33:0
#21 0x0000000003868da5 llvm::Twine::toStringRef(llvm::SmallVectorImpl<char>&) const /home/stly/Documents/llvm/llvm-5.0/include/llvm/ADT/Twine.h:467:0
#22 0x0000000003f2a271 llvm::Twine::str[abi:cxx11]() const /home/stly/Documents/llvm/llvm-5.0/lib/Support/Twine.cpp:29:0
#23 0x00007fddf9765e78 llvm::DOTGraphTraits<llvm::Function const*>::getEdgeAttributes[abi:cxx11](llvm::BasicBlock const*, llvm::TerminatorInst::SuccIterator<llvm::TerminatorInst const*, llvm::BasicBlock const>, llvm::Function const*) /home/stly/Documents/binutils-gdb/build/installed/include/llvm/Analysis/CFGPrinter.h:176:18
#24 0x00007fddf976544f llvm::GraphWriter<llvm::Function const*>::writeEdge(llvm::BasicBlock const*, unsigned int, llvm::TerminatorInst::SuccIterator<llvm::TerminatorInst const*, llvm::BasicBlock const>) /home/stly/Documents/binutils-gdb/build/installed/include/llvm/Support/GraphWriter.h:253:7
#25 0x00007fddf9765151 llvm::GraphWriter<llvm::Function const*>::writeNode(llvm::BasicBlock const*) /home/stly/Documents/binutils-gdb/build/installed/include/llvm/Support/GraphWriter.h:230:5
#26 0x00007fddf9764893 llvm::ilist_node_base<true>::getNext() const /home/stly/Documents/binutils-gdb/build/installed/include/llvm/ADT/ilist_node_base.h:44:45
#27 0x00007fddf9764893 llvm::ilist_node_impl<llvm::ilist_detail::node_options<llvm::BasicBlock, true, false, void> >::getNext() const /home/stly/Documents/binutils-gdb/build/installed/include/llvm/ADT/ilist_node.h:75:0
#28 0x00007fddf9764893 llvm::ilist_iterator<llvm::ilist_detail::node_options<llvm::BasicBlock, true, false, void>, false, true>::operator++() /home/stly/Documents/binutils-gdb/build/installed/include/llvm/ADT/ilist_iterator.h:159:0
#29 0x00007fddf9764893 llvm::simple_ilist<llvm::BasicBlock>::begin() const /home/stly/Documents/binutils-gdb/build/installed/include/llvm/ADT/simple_ilist.h:119:0
#30 0x00007fddf9764893 llvm::Function::begin() const /home/stly/Documents/binutils-gdb/build/installed/include/llvm/IR/Function.h:581:0
#31 0x00007fddf9764893 llvm::GraphTraits<llvm::Function const*>::nodes_begin(llvm::Function const*) /home/stly/Documents/binutils-gdb/build/installed/include/llvm/IR/CFG.h:236:0
#32 0x00007fddf9764893 llvm::iterator_range<llvm::GraphTraits<llvm::Function const*>::nodes_iterator> llvm::nodes<llvm::Function const*>(llvm::Function const* const&) /home/stly/Documents/binutils-gdb/build/installed/include/llvm/ADT/GraphTraits.h:90:0
#33 0x00007fddf9764893 llvm::GraphWriter<llvm::Function const*>::writeNodes() /home/stly/Documents/binutils-gdb/build/installed/include/llvm/Support/GraphWriter.h:156:0
#34 0x00007fddf9764893 llvm::GraphWriter<llvm::Function const*>::writeGraph(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/stly/Documents/binutils-gdb/build/installed/include/llvm/Support/GraphWriter.h:119:0
#35 0x00007fddf97633f9 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_data() const /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:135:28
#36 0x00007fddf97633f9 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_is_local() const /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:170:0
#37 0x00007fddf97633f9 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose() /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:179:0
#38 0x00007fddf97633f9 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/basic_string.h:543:0
#39 0x00007fddf97633f9 llvm::raw_ostream& llvm::WriteGraph<llvm::Function const*>(llvm::raw_ostream&, llvm::Function const* const&, bool, llvm::Twine const&) /home/stly/Documents/binutils-gdb/build/installed/include/llvm/Support/GraphWriter.h:316:0
#40 0x00007fddf97633f9 (anonymous namespace)::AFLCoverage::runOnModule(llvm::Module&) /home/stly/Documents/TargetFuzz/tools/aflgo/llvm_mode/afl-llvm-pass.so.cc:396:0
#41 0x000000000384dcd6 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/stly/Documents/llvm/llvm-5.0/lib/IR/LegacyPassManager.cpp:1591:0
#42 0x000000000384e3eb llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/stly/Documents/llvm/llvm-5.0/lib/IR/LegacyPassManager.cpp:1694:0
#43 0x000000000384e5f7 llvm::legacy::PassManager::run(llvm::Module&) /home/stly/Documents/llvm/llvm-5.0/lib/IR/LegacyPassManager.cpp:1726:0
#44 0x000000000420a2bf (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/stly/Documents/llvm/llvm-5.0/tools/clang/lib/CodeGen/BackendUtil.cpp:784:0
#45 0x000000000420c4d2 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/stly/Documents/llvm/llvm-5.0/tools/clang/lib/CodeGen/BackendUtil.cpp:1134:0
#46 0x0000000004d531b3 clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) /home/stly/Documents/llvm/llvm-5.0/tools/clang/lib/CodeGen/CodeGenAction.cpp:263:0
#47 0x0000000005a660ff clang::ParseAST(clang::Sema&, bool, bool) /home/stly/Documents/llvm/llvm-5.0/tools/clang/lib/Parse/ParseAST.cpp:161:0
#48 0x0000000004858207 clang::ASTFrontendAction::ExecuteAction() /home/stly/Documents/llvm/llvm-5.0/tools/clang/lib/Frontend/FrontendAction.cpp:1004:0
#49 0x0000000004d50f76 clang::CodeGenAction::ExecuteAction() /home/stly/Documents/llvm/llvm-5.0/tools/clang/lib/CodeGen/CodeGenAction.cpp:993:0
#50 0x0000000004857c1c clang::FrontendAction::Execute() /home/stly/Documents/llvm/llvm-5.0/tools/clang/lib/Frontend/FrontendAction.cpp:906:0
#51 0x00000000047f5526 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/stly/Documents/llvm/llvm-5.0/tools/clang/lib/Frontend/CompilerInstance.cpp:981:0
#52 0x00000000049a19bd clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/stly/Documents/llvm/llvm-5.0/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:251:0
#53 0x0000000001e8def4 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/stly/Documents/llvm/llvm-5.0/tools/clang/tools/driver/cc1_main.cpp:221:0
#54 0x0000000001e83105 ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /home/stly/Documents/llvm/llvm-5.0/tools/clang/tools/driver/driver.cpp:306:0
#55 0x0000000001e83d23 main /home/stly/Documents/llvm/llvm-5.0/tools/clang/tools/driver/driver.cpp:387:0
#56 0x00007fddf8098830 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:325:0
#57 0x0000000001e80719 _start (/home/stly/Documents/binutils-gdb/build/installed/bin/clang-5.0+0x1e80719)
Stack dump:
0.	Program arguments: /home/stly/Documents/binutils-gdb/build/installed/bin/clang-5.0 -cc1 -triple x86_64-unknown-linux-gnu -emit-llvm-bc -flto -flto-unit -disable-free -main-file-name getndelim2.c -mrelocation-model static -mthread-model posix -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -momit-leaf-frame-pointer -dwarf-column-info -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -coverage-notes-file /home/stly/Documents/TargetFuzz/Benchmark/LAVA-M/base64/coreutils-8.24-lava-safe/lib/getndelim2.gcno -resource-dir /home/stly/Documents/binutils-gdb/build/installed/lib/clang/5.0.0 -dependency-file lib/.deps/getndelim2.Tpo -sys-header-deps -MP -MT lib/getndelim2.o -I . -I ./lib -I lib -I ./lib -I src -I ./src -D __AFL_HAVE_MANUAL_CONTROL=1 -D __AFL_COMPILER=1 -D FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -D __AFL_LOOP(_A)=({ static volatile char *_B __attribute__((used));  _B = (char*)"##SIG_AFL_PERSISTENT##"; __attribute__((visibility("default"))) int _L(unsigned int) __asm__("__afl_persistent_loop"); _L(_A); }) -D __AFL_INIT()=do { static volatile char *_A __attribute__((used));  _A = (char*)"##SIG_AFL_DEFER_FORKSRV##"; __attribute__((visibility("default"))) void _I(void) __asm__("__afl_manual_init"); _I(); } while (0) -internal-isystem /usr/local/include -internal-isystem /home/stly/Documents/binutils-gdb/build/installed/lib/clang/5.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -fdebug-compilation-dir /home/stly/Documents/TargetFuzz/Benchmark/LAVA-M/base64/coreutils-8.24-lava-safe -ferror-limit 19 -fmessage-length 97 -funroll-loops -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -vectorize-loops -vectorize-slp -load /home/stly/Documents/TargetFuzz/tools/aflgo/afl-llvm-pass.so -mllvm -targets=/home/stly/Documents/TargetFuzz/Benchmark/LAVA-M/base64/coreutils-8.24-lava-safe/AFLGO_TEMP/bbtargets.txt -mllvm -outdir=/home/stly/Documents/TargetFuzz/Benchmark/LAVA-M/base64/coreutils-8.24-lava-safe/AFLGO_TEMP -o lib/getndelim2.o -x c lib/getndelim2.c
1.	<eof> parser at end of file
2.	Per-module optimization passes
3.	Running pass 'Unnamed pass: implement Pass::getPassName()' on module 'lib/getndelim2.c'.
clang-5.0: error: unable to execute command: Aborted
clang-5.0: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 5.0.0 (tags/RELEASE_500/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/stly/Documents/binutils-gdb/build/installed/bin
clang-5.0: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.

Problems about Ftargets.txt and Generate Distance.

Hi, I have some problems with Ftargets.txt and with generating distances when fuzzing the LAVA-M benchmark (base64).

  1. How do I create Ftargets.txt?
  2. Is Ftargets.txt necessary?
  3. When I run step 7 ($AFLGO/scripts/genDistance.sh $SUBJECT $TMP_DIR xmllint) with the LAVA-M benchmark, it says "No targets avaliable" and "Problem in step 2 of generating !". Is this related to Ftargets.txt? If not, what should I do?
I am waiting for your answers, thanks!

Crashed during make

I followed the steps in the README to build aflgo and came across some problems:

When I type make clean all in the aflgo directory, everything works well:

rm -f afl-gcc afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 qemu_mode/qemu-2.3.0.tar.bz2 afl-qemu-trace
rm -rf out_dir qemu_mode/qemu-2.3.0
make -C llvm_mode clean
make[1]: Entering directory '/home/jmh/Downloads/aflgo/llvm_mode'
rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 
rm -f ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../afl-clang-fast++
make[1]: Leaving directory '/home/jmh/Downloads/aflgo/llvm_mode'
make -C libdislocator clean
make[1]: Entering directory '/home/jmh/Downloads/aflgo/libdislocator'
rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
rm -f libdislocator.so
make[1]: Leaving directory '/home/jmh/Downloads/aflgo/libdislocator'
make -C libtokencap clean
make[1]: Entering directory '/home/jmh/Downloads/aflgo/libtokencap'
rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
rm -f libtokencap.so
make[1]: Leaving directory '/home/jmh/Downloads/aflgo/libtokencap'
[*] Checking for the ability to compile x86 code...
[+] Everything seems to be working, ready to compile.
cc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-gcc.c -o afl-gcc -ldl -lm
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $i; done
cc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-fuzz.c -o afl-fuzz -ldl -lm
cc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-showmap.c -o afl-showmap -ldl -lm
cc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-tmin.c -o afl-tmin -ldl -lm
cc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-gotcpu.c -o afl-gotcpu -ldl -lm
cc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-analyze.c -o afl-analyze -ldl -lm
cc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-as.c -o afl-as -ldl -lm
ln -sf afl-as as
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./afl-gcc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" test-instr.c -o test-instr -ldl -lm
echo 0 | ./afl-showmap -m none -q -o .test-instr0 ./test-instr
echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
[+] All right, the instrumentation seems to be working!
[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc.
[+] All done! Be sure to review README - it's pretty short and useful.

Then I enter the llvm_mode directory and type make clean all. The following problems are shown:

jmh@jmh-SYS:~/Downloads/aflgo/llvm_mode$ make clean all
rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 
rm -f ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o ../afl-clang-fast++
[*] Checking for working 'llvm-config'...
[*] Checking for working 'clang'...
[*] Checking for '../afl-showmap'...
[+] All set and ready to build.
clang -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.49b\"  afl-clang-fast.c -o ../afl-clang-fast 
ln -sf afl-clang-fast ../afl-clang-fast++
clang++ `llvm-config --cxxflags` -fno-rtti -fpic -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DVERSION=\"2.49b\" -Wno-variadic-macros -shared afl-llvm-pass.so.cc -o ../afl-llvm-pass.so `llvm-config --ldflags` 
warning: unknown warning option '-Wno-maybe-uninitialized'; did you mean '-Wno-uninitialized'? [-Wunknown-warning-option]
1 warning generated.
clang -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.49b\"  -fPIC -c afl-llvm-rt.o.c -o ../afl-llvm-rt.o
[*] Building 32-bit variant of the runtime (-m32)... success!
[*] Building 64-bit variant of the runtime (-m64)... success!
[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; AFL_QUIET=1 AFL_PATH=. AFL_CC=clang ../afl-clang-fast -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.49b\"  ../test-instr.c -o test-instr 
Stack dump:
0.	Program arguments: /home/jmh/Downloads/llvm/build/bin/clang-7 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -disable-free -main-file-name test-instr.c -mrelocation-model static -mthread-model posix -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -momit-leaf-frame-pointer -resource-dir /home/jmh/Downloads/llvm/build/lib/clang/7.0.0 -D _FORTIFY_SOURCE=2 -D AFL_PATH="/usr/local/lib/afl" -D BIN_PATH="/usr/local/bin" -D VERSION="2.49b" -D __AFL_HAVE_MANUAL_CONTROL=1 -D __AFL_COMPILER=1 -D FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -D __AFL_LOOP(_A)=({ static volatile char *_B __attribute__((used));  _B = (char*)"##SIG_AFL_PERSISTENT##"; __attribute__((visibility("default"))) int _L(unsigned int) __asm__("__afl_persistent_loop"); _L(_A); }) -D __AFL_INIT()=do { static volatile char *_A __attribute__((used));  _A = (char*)"##SIG_AFL_DEFER_FORKSRV##"; __attribute__((visibility("default"))) void _I(void) __asm__("__afl_manual_init"); _I(); } while (0) -internal-isystem /usr/local/include -internal-isystem /home/jmh/Downloads/llvm/build/lib/clang/7.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wall -Wno-pointer-sign -fdebug-compilation-dir /home/jmh/Downloads/aflgo/llvm_mode -ferror-limit 19 -fmessage-length 169 -funroll-loops -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -vectorize-loops -vectorize-slp -load ../afl-llvm-pass.so -o /tmp/test-instr-098a4e.o -x c ../test-instr.c 
clang-7: error: unable to execute command: Segmentation fault (core dumped)
clang-7: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 7.0.0 (trunk 334196)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/jmh/Downloads/llvm/build/bin
clang-7: note: diagnostic msg: PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
clang-7: error: unable to execute command: Segmentation fault (core dumped)
clang-7: note: diagnostic msg: Error generating preprocessed source(s).
Makefile:97: recipe for target 'test_build' failed
make: *** [test_build] Error 254

Is it because of the LLVM version, or some other reason? Thanks for your help.

ERROR in step 7 while running "./autogen.sh"

Hi, thanks for your AFLGO.
Now I am using aflgo, following the steps with llvm-3.9.1, but I have failed at step 7 many times.
This is what I get when running "./autogen.sh". You can see the error: C compiler cannot create executables.
It seems that your compiler failed the check.
Could you please give me any suggestion about how to solve the problem?
Thank you very much!

chenyixiu@chenyixiu-INVALID:/libxml2$ ./autogen.sh
I am going to run ./configure with no arguments - if you wish
to pass any to it, please specify them on the ./autogen.sh command line.
configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated.
aclocal.m4:9200: AM_INIT_AUTOMAKE is expanded from...
configure.ac:52: the top level
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated.
aclocal.m4:598: AM_INIT_AUTOMAKE is expanded from...
configure.ac:52: the top level
configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated. For more info, see:
configure.ac:52: http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation
configure.ac:60: installing './compile'
configure.ac:7: installing './config.guess'
configure.ac:7: installing './config.sub'
configure.ac:52: installing './install-sh'
configure.ac:52: installing './missing'
Makefile.am: installing './INSTALL'
Makefile.am: installing './COPYING' using GNU General Public License v3 file
Makefile.am: Consider adding the COPYING file to the version control system
Makefile.am: for your code, to avoid questions about which license your project uses
/usr/share/automake-1.14/am/ltlibrary.am: warning: 'libxml2.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.14/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
Makefile.am:22: while processing Libtool library 'libxml2.la'
/usr/share/automake-1.14/am/ltlibrary.am: warning: 'testdso.la': linking libtool libraries using a non-POSIX
/usr/share/automake-1.14/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
Makefile.am:173: while processing Libtool library 'testdso.la'
Makefile.am: installing './depcomp'
doc/Makefile.am:21: warning: wildcard tutorial/*.html: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:21: warning: wildcard tutorial/*.c: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:21: warning: wildcard tutorial/*.pdf: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:21: warning: wildcard tutorial/images/*.png: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:21: warning: wildcard tutorial/images/callouts/*.png: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:21: warning: wildcard API*.html: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:21: warning: wildcard *.1: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:21: warning: wildcard *.xsl: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:21: warning: wildcard *.html: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:21: warning: wildcard *.gif: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:21: warning: wildcard html/*.html: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:21: warning: wildcard html/*.png: non-POSIX variable name
doc/Makefile.am:21: (probably a GNU make extension)
doc/Makefile.am:301: warning: filter-out %/xmlversion.h, $(wildcard $(top_srcdir: non-POSIX variable name
doc/Makefile.am:301: (probably a GNU make extension)
doc/Makefile.am:301: warning: wildcard $(top_srcdir: non-POSIX variable name
doc/Makefile.am:301: (probably a GNU make extension)
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
extra=CVE-2015-8317-5-gef709ce
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking for gcc... /home/chenyixiu/aflgo/afl-clang-fast
checking whether the C compiler works... no
configure: error: in '/home/chenyixiu/libxml2':
configure: error: C compiler cannot create executables
See 'config.log' for more details

Now type 'make' to compile libxml2.

How do I use aflgo with a simple C code

I have been having trouble trying to use aflgo with anything other than libxml2 from the tutorial (which worked!). I just wanted to test it with a very simple piece of code so that I know how to run code that differs from libxml2.

I wanted to try it with something like this buffer overflow example:

#define _GNU_SOURCE   /* glibc: needed for the setresgid() declaration */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* gets() was removed from the C11 headers; declared here so the deliberately
   unsafe read below still compiles on current toolchains */
extern char *gets(char *s);

#define BUFSIZE ***

void vuln(void)
{
  char buf[20];
  gets(buf);          /* unbounded read into a 20-byte buffer: the intended overflow */
  puts(buf);
  fflush(stdout);
}

int main(void)
{
  char login[32];
  char passwd[32];

  printf("Login: ");
  gets(login);
  printf("Password: ");
  gets(passwd);

  if (strcmp(login, "root") == 0) {
    if (strcmp(passwd, "12345678") == 0) {
      printf("Access Granted.\n");

      /* Set the gid to the effective gid;
         this prevents /bin/sh from dropping the privileges */
      printf("Database Search: ");
      gid_t gid = getegid();
      setresgid(gid, gid, gid);

      vuln();
      return 0;
    }
  }

  printf("Access Denied.\n");
  return 1;
}
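The following script is an added example, not code from the AFLGo project or from the issue author. It applies the README's libxml2 tutorial sequence (targets file, instrumented build with `-targets`/`-outdir`, `genDistance.sh`, rebuild with `-distance`, then `afl-fuzz -z exp -c 45m`) to a single-file toy target. The toy program is a constructed variant of the one above that reads with `fgets` and copies with `strcpy`, so that the copy is the one line AFLGo is directed at; `$AFLGO`, the scratch paths, and the exact flag spellings are assumptions taken from AFLGo's README and should be checked against the copy you have. The build and fuzzing steps only run when `$AFLGO` is set; the target-file generation runs anywhere.

```shell
#!/bin/sh
# Added example (not from the AFLGo project or the issue author): apply the
# README's libxml2 tutorial steps to a single-file toy target. Assumes $AFLGO
# points at a built aflgo checkout (afl-clang-fast, scripts/genDistance.sh,
# afl-fuzz) and that the -targets/-outdir/-distance flags and the afl-fuzz
# options match the README of the AFLGo version in use.
set -e

WORK=$(mktemp -d)            # scratch directory for source, seeds and output
TMP_DIR=$WORK/temp           # AFLGo's working dir: BBtargets.txt, distance.cfg.txt, ...
mkdir -p "$TMP_DIR" "$WORK/in"

# 1. Constructed toy target: one unbounded copy behind a prefix check.
cat > "$WORK/vuln.c" <<'EOF'
#include <stdio.h>
#include <string.h>

/* Constructed toy target: the overflow in vuln() is the line AFLGo is directed at. */
static void vuln(const char *line) {
  char buf[20];
  strcpy(buf, line); /* TARGET: no bound check, overflows for long input */
  puts(buf);
}

int main(void) {
  char line[256];
  if (fgets(line, sizeof line, stdin) == NULL) return 1;
  line[strcspn(line, "\n")] = '\0';
  /* only a "root:" prefix reaches the target, so the fuzzer has to get past it */
  if (strncmp(line, "root:", 5) == 0) vuln(line + 5);
  return 0;
}
EOF

# 2. Derive BBtargets.txt (one "file:line" per line) from the source instead of
#    counting by hand; every line containing the fixed string becomes a target.
make_bbtargets() {           # usage: make_bbtargets <source-file> <fixed-string>
  grep -n -F -- "$2" "$1" | while IFS=: read -r lineno _rest; do
    printf '%s:%s\n' "$(basename "$1")" "$lineno"
  done
}
make_bbtargets "$WORK/vuln.c" 'strcpy(buf, line)' > "$TMP_DIR/BBtargets.txt"

# 3. Seed corpus: a benign input that already passes the prefix check.
printf 'root:hello\n' > "$WORK/in/seed"

# 4. The two-pass AFLGo build and the fuzzing run; skipped when $AFLGO is unset.
if [ -n "${AFLGO:-}" ]; then
  cd "$WORK"
  # pass 1: instrument and dump the BB/call-graph files into $TMP_DIR. LTO via
  # the gold plugin with save-temps keeps the whole-program bitcode that
  # genDistance.sh reads.
  ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
  "$AFLGO/afl-clang-fast" -g $ADDITIONAL vuln.c -o vuln
  # distances from every basic block and function to the targets -> distance.cfg.txt
  "$AFLGO/scripts/genDistance.sh" "$WORK" "$TMP_DIR" vuln
  # pass 2: rebuild with the distances compiled into the instrumentation
  "$AFLGO/afl-clang-fast" -g -distance="$TMP_DIR/distance.cfg.txt" vuln.c -o vuln
  # fuzz: exponential annealing (-z exp), 45 minutes until fully directed (-c 45m)
  "$AFLGO/afl-fuzz" -m none -z exp -c 45m -i in -o out ./vuln
else
  echo "targets written to $TMP_DIR/BBtargets.txt; set AFLGO to build and fuzz" >&2
fi
```

The only part of the README's sequence that is specific to libxml2 is the `configure`/`make` step; for a one-file program the instrumented compile and link happen in the single `afl-clang-fast` invocation, which is why the `.0.0.*.bc` bitcode that `genDistance.sh` looks for ends up next to `vuln`. Run the script once without `$AFLGO` to see exactly which `file:line` entries will be used as targets before committing to a build. `-c 45m` is the README's value; for a toy target with one branch in front of the target a much shorter time-to-exploitation is reasonable.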

potential discrepancy in calculating the distance

Hi,

I tried to instrument the libxml2 project. When I compile the project on two different machines (they share the same file system; the major difference is that they have different processors), the computed distance results are different. The result in distance.cfg computed on one machine is a strict subset of the other one.

What I found is that the input files to the genDistance.sh script on the two machines are already different, for example the BBname files. However, if I do not compile libxml2 in parallel, the result on both machines is the same. Operationally, if I change "make -j$(nproc) all" to "make all", the issue is resolved and the files generated on the two machines are the same. So I am wondering whether parallelizing the compilation might lead to inaccuracy when computing the distance.

CMake Error

Hi, first of all, thank you for the awesome tool. During the installation of LLVM and the Gold plugin (https://github.com/aflgo/oss-fuzz/blob/master/infra/base-images/base-clang/checkout_build_install_llvm.sh#L28), when I run

cmake -G "Ninja" \
  -DLIBCXX_ENABLE_SHARED=OFF -DLIBCXX_ENABLE_STATIC_ABI_LIBRARY=ON \
  -DCMAKE_BUILD_TYPE=Release -DLLVM_TARGETS_TO_BUILD="X86" \
  -DLLVM_BINUTILS_INCDIR=/usr/include $SRC/llvm

I get an error:

CMake Error: The source directory "/llvm" does not appear to contain CMakeLists.txt.

Any advice will be appreciated, thank you!

Tutorial changes

In order to successfully follow along in the tutorial guide (for libxml2), I needed to run export LDFLAGS=-lpthreads before the configure line, otherwise xmllint would fail to run because of a missing pthreads_getspecific symbol (along with others probably).

Additionally, the configure script specifies the disable shared flag should be --disable-shared instead of -disable-shared (two dashes instead of one).

Could you please update the tutorial, so that others can more easily follow along?

oss-fuzz installation, stuck at step 2

Hi, I am trying to install oss-fuzz before installing aflgo, and I'm doing this behind a corporate firewall. I keep getting the error:

E: Unable to locate package libc6-dev
E: Unable to locate package binutils
E: Unable to locate package libgcc-5-dev

when the /infra/base-images/base-clang/Dockerfile is running. I poked around Google and most suggestions include doing sudo apt-get update, sudo apt-get upgrade, adding repositories like multiverse, etc., and I've tried them, but this error is still thrown.
I've also tried editing the Dockerfile to run RUN apt-get install -y libc6-dev binutils libgcc-5-dev, but the error message:

Step 3/12 : RUN sudo apt-get install -y libc6-dev binutils libgcc-5-dev
 ---> Running in fa2d4767bc4c
/bin/sh: 1: sudo: not found
The command '/bin/sh -c sudo apt-get install -y libc6-dev binutils libgcc-5-dev' returned a non-zero code: 127

then appears. Help!! Not sure if it's the corporate firewall preventing it from downloading the packages (which, last time I checked, were already the latest versions as of 25 June 2018).

Below is what comes up in the terminal when entering infra/base-images/all.sh:

+ docker build --pull -t gcr.io/oss-fuzz-base/base-image infra/base-images/base-image
Sending build context to Docker daemon   2.56kB
Step 1/9 : FROM ubuntu:16.04
16.04: Pulling from library/ubuntu
Digest: sha256:b050c1822d37a4463c01ceda24d0fc4c679b0dd3c43e742730e2884d3c582e3a
Status: Image is up to date for ubuntu:16.04
 ---> 5e8b97a2a082
Step 2/9 : MAINTAINER [email protected]
 ---> Using cache
 ---> ce3911a754ea
Step 3/9 : ENV DEBIAN_FRONTEND noninteractive
 ---> Using cache
 ---> ae05540f823a
Step 4/9 : RUN apt-get update && apt-get upgrade -y && apt-get autoremove -y
 ---> Using cache
 ---> 9dbd6c3bdefc
Step 5/9 : ENV OUT /out
 ---> Using cache
 ---> 498e0b22b8b3
Step 6/9 : ENV SRC /src
 ---> Using cache
 ---> 9a6be30850ec
Step 7/9 : ENV WORK /work
 ---> Using cache
 ---> 0ca61162fa17
Step 8/9 : ENV PATH "$PATH:/out"
 ---> Using cache
 ---> 5e933374ad11
Step 9/9 : RUN mkdir -p $OUT $SRC $WORK && chmod a+rwx $OUT $SRC $WORK
 ---> Using cache
 ---> 85e3704aafae
Successfully built 85e3704aafae
Successfully tagged gcr.io/oss-fuzz-base/base-image:latest
+ docker build -t gcr.io/oss-fuzz-base/base-clang infra/base-images/base-clang
Sending build context to Docker daemon  6.656kB
Step 1/12 : FROM gcr.io/oss-fuzz-base/base-image
 ---> 85e3704aafae
Step 2/12 : MAINTAINER [email protected]
 ---> Using cache
 ---> 15da6853474d
Step 3/12 : RUN apt-get install -y libc6-dev binutils libgcc-5-dev
 ---> Running in 0c969a46d227
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package libc6-dev
E: Unable to locate package binutils
E: Unable to locate package libgcc-5-dev
The command '/bin/sh -c apt-get install -y libc6-dev binutils libgcc-5-dev' returned a non-zero code: 100

why it returns two function names in Ftargets.txt

Hi.
I set just one target in BBtargets.txt, such as cdf.c:203. Why does it return two function names in Ftargets.txt, such as cdf_unpack_header and cdf_read_header?

From the backtrace, cdf_read_header calls cdf_unpack_header, and program crashes in the cdf_unpack_header function.
cdf.c:203 is the crash line in the cdf_unpack_header function.
Thank you.

Paper recurrence

Hi, thank you for your work and open-source tools. I am recreating the work in your thesis. I don't know if it is because of the seed that I didn't reach the target for a long time. So can you make the target program and seed of your experiment public?

Error in compiling with AFLGO_TRACING: ../hashset.h file not found

Hi, thanks for your aflgo tool.

When I try to compile AFLGO with AFLGO_TRACING enabled, it says "../hashset.h file not found".
I checked for this file and found it does not exist in the original AFL source code.
Is the "../hashset.h" file written by yourself?
Could you please let me know where I can get this file?

Thank you.

What is the role that LLVMgold plays?

Hi!
As the instructions say, we should install LLVMgold first before running aflgo.
Why should we do this, and what role does LLVMgold play in this process?
Thank you very much!

How to know from AFLGo that the target has been reached?

Thanks so much for opening source AFLGo and providing such a good idea for testing!

I started trying AFLGo to do some directed fuzzing these two days and had some observations.

I followed the instructions in README.md and tested xmllint with commit ef709ce2. Since the test input file dtd1 takes a bit longer, I ignored that case. Both AFL and AFLGo generated some crashes within 3s on average. I found that the backtraces of the crashes do not contain the target function xmlAddID; one of them is:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004f4c75 in xmlDumpElementContent (buf=0xa26390, content=0xa23070, glob=0x1) at valid.c:1175
1175                if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
#0  0x00000000004f4c75 in xmlDumpElementContent (buf=0xa26390, content=0xa23070, glob=0x1) at valid.c:1175
#1  0x00000000004f4953 in xmlDumpElementDecl (buf=0xa26390, elem=0xa26310) at valid.c:1704
#2  0x00000000007846de in xmlBufDumpElementDecl (buf=0xa231a0, elem=0xa26310) at xmlsave.c:501
#3  xmlNodeDumpOutputInternal (ctxt=<optimized out>, cur=0xa26310) at xmlsave.c:939
#4  0x000000000078d9db in xmlNodeListDumpOutput (ctxt=<optimized out>, cur=<optimized out>) at xmlsave.c:825
#5  xmlDtdDumpOutput (ctxt=0xa230f0, dtd=<optimized out>) at xmlsave.c:749
#6  0x0000000000784659 in xmlNodeDumpOutputInternal (ctxt=0xa230f0, cur=0xa22fa0) at xmlsave.c:931
#7  0x0000000000783733 in xmlDocContentDumpOutput (ctxt=0xa230f0, cur=0xa22e40) at xmlsave.c:1234
#8  0x0000000000782aac in xmlSaveDoc (ctxt=0xa26390, doc=0x0) at xmlsave.c:1936
#9  0x000000000041141d in parseAndPrintFile (filename=0x7fffffffbb06 "./crashes/id:000000,sig:11,src:000000,op:havoc,rep:4", rectxt=<optimized out>) at xmllint.c:2705
#10 0x0000000000408561 in main (argc=0x4, argv=0x7fffffffb3a8) at xmllint.c:3759

Similar crashes also occur when including dtd1.

I guess there are security bug fixes after ef709ce2 and other bugs dominated this target. So is there a way for AFLGo to check whether the crash indeed reached the target?

Another question is how -c and -z affect the mutation results. I learned from your paper that AFLGo initially starts in exploration mode and does not weigh the target much at first. Is that used to create enough seeds initially?

Binutils took too long to calculate distance

Hi Böhme @mboehme ,

I'm trying to play around with Binutils version 2.26 to reproduce CVE-2016-4487 - 4493 ( see also #20 ).
I can reproduce them with AFL 1.94b fairly quickly @fuseproj.
And I'm trying AFLGo, but the provided script seems to get stuck when generating the distance (I waited for around 12 hours and it still could not generate the distance file).
Do you still keep your instrumented version of cxxfilt?
Can you release some instrumented binaries for us to play with?
Or can you provide more tutorials (like the libxml2 one) for us to reproduce the results in your experiments?

Error in building binutils

Hi,
I'm trying to build binutils to reproduce the bug CVE-2016-4487.
But I'm not able to build binutils using similar commands given in the example.
This is the error that I get when trying to build:

/usr/bin/ld.gold: error: arlex.o: multiple definition of 'yylex'
/usr/bin/ld.gold: ar.o: previous definition here
/usr/bin/ld.gold: error: arlex.o: multiple definition of 'yywrap'
/usr/bin/ld.gold: ar.o: previous definition here

I'm getting the following error if I skip the "-Wl,-plugin-opt=save-temps" parameter:

clang (LLVM option parsing): for the -targets option: may only occur zero or one times!
clang (LLVM option parsing): for the -outdir option: may only occur zero or one times!

Can anyone share the build steps for binutils?

error doing make all

When doing make all I get the following error:

[+] All set and ready to build.
clang -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.49b\"  afl-clang-fast.c -o ../afl-clang-fast 
ln -sf afl-clang-fast ../afl-clang-fast++
clang++ `llvm-config --cxxflags` -fno-rtti -fpic -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DVERSION=\"2.49b\" -Wno-variadic-macros -shared afl-llvm-pass.so.cc -o ../afl-llvm-pass.so `llvm-config --ldflags` 
afl-llvm-pass.so.cc:264:9: error: unknown type name 'TerminatorInst'
        TerminatorInst *TI = BB.getTerminator();
        ^
afl-llvm-pass.so.cc:423:11: error: unknown type name 'TerminatorInst'
          TerminatorInst *TI = BB.getTerminator();
          ^
2 errors generated.

I am using the following Dockerfile, which is essentially a copy/paste of the instructions from the README:

FROM gcr.io/gcp-runtimes/ubuntu_16_0_4:latest

RUN  apt-get update && \
     apt-get install -y python3 python3-dev python3-pip git libc6-dev binutils libgcc-5-dev && \
     pip3 install networkx pydot pydotplus

ENV SRC /root/src
RUN mkdir /root/src
ENV WORK /root/work
RUN mkdir /root/work
ADD https://raw.githubusercontent.com/aflgo/oss-fuzz/master/infra/base-images/base-clang/checkout_build_install_llvm.sh /root/
RUN chmod +x /root/checkout_build_install_llvm.sh && /root/checkout_build_install_llvm.sh
RUN  apt-get update && \
     apt-get install -y git build-essential
COPY install-aflgo.sh /root/
RUN chmod +x /root/install-aflgo.sh && /root/install-aflgo.sh

The file install-aflgo.sh contains the contents from step 3 of the readme.

AFLGO_TRACING error

Hi, if I define AFLGO_TRACING in the afl-llvm-pass.so.cc file, there is always an error as follows when I use afl-clang-fast to compile libtiff-4.0.7.

/home/lt/aflgo-org/afl-clang-fast
lt@e7c1d8be0a16:/libtiff/tiff-4.0.7-save-temp/aflgo-build$ ls
lt@e7c1d8be0a16:/libtiff/tiff-4.0.7-save-temp/aflgo-build$ cmake ..
-- Building tiff version 4.0.7
-- libtiff library version 5.2.5
-- The C compiler identification is unknown
-- Check for working C compiler: /home/lt/aflgo-org/afl-clang-fast
-- Check for working C compiler: /home/lt/aflgo-org/afl-clang-fast -- broken
CMake Error at /usr/share/cmake-3.5/Modules/CMakeTestCCompiler.cmake:61 (message):
The C compiler "/home/lt/aflgo-org/afl-clang-fast" is not able to compile a
simple test program.

It fails with the following output:

Change Dir: /home/lt/libtiff/tiff-4.0.7-save-temp/aflgo-build/CMakeFiles/CMakeTmp

Run Build Command:"/usr/bin/make" "cmTC_695f0/fast"

/usr/bin/make -f CMakeFiles/cmTC_695f0.dir/build.make
CMakeFiles/cmTC_695f0.dir/build

make[1]: Entering directory
'/home/lt/libtiff/tiff-4.0.7-save-temp/aflgo-build/CMakeFiles/CMakeTmp'

Building C object CMakeFiles/cmTC_695f0.dir/testCCompiler.c.o

/home/lt/aflgo-org/afl-clang-fast
-targets=/home/lt/libtiff/tiff-4.0.7-save-temp/temp/BBtargets.txt
-outdir=/home/lt/libtiff/tiff-4.0.7-save-temp/temp -flto -fuse-ld=gold
-Wl,-plugin-opt=save-temps -lz -ljbig -lm -o
CMakeFiles/cmTC_695f0.dir/testCCompiler.c.o -c
/home/lt/libtiff/tiff-4.0.7-save-temp/aflgo-build/CMakeFiles/CMakeTmp/testCCompiler.c

#0 0x0000000001474d8a llvm::sys::PrintStackTrace(llvm::raw_ostream&)
(/usr/local/bin/clang-7.0+0x1474d8a)

#1 0x0000000001472e6e llvm::sys::RunSignalHandlers()
(/usr/local/bin/clang-7.0+0x1472e6e)

#2 0x0000000001472fbc SignalHandler(int)
(/usr/local/bin/clang-7.0+0x1472fbc)

#3 0x00007f9fabede390 __restore_rt
(/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)

#4 0x0000000000f8e8cf llvm::ConstantExpr::getGetElementPtr(llvm::Type*,
llvm::Constant*, llvm::ArrayRef<llvm::Value*>, bool,
llvm::Optional<unsigned>, llvm::Type*)
(/usr/local/bin/clang-7.0+0xf8e8cf)

#5 0x00007f9faae583be
llvm::ConstantExpr::getInBoundsGetElementPtr(llvm::Type*, llvm::Constant*,
llvm::ArrayRef<llvm::Value*>)
/usr/local/include/llvm/IR/Constants.h:1160:12

#6 0x00007f9faae583be
llvm::ConstantFolder::CreateInBoundsGetElementPtr(llvm::Type*,
llvm::Constant*, llvm::ArrayRef<llvm::Value*>) const
/usr/local/include/llvm/IR/ConstantFolder.h:174:0

#7 0x00007f9faae583be llvm::IRBuilder<llvm::ConstantFolder,
llvm::IRBuilderDefaultInserter>::CreateInBoundsGEP(llvm::Type*,
llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::Twine const&)
/usr/local/include/llvm/IR/IRBuilder.h:1335:0

#8 0x00007f9faae583be llvm::IRBuilder<llvm::ConstantFolder,
llvm::IRBuilderDefaultInserter>::CreateGlobalStringPtr(llvm::StringRef,
llvm::Twine const&, unsigned int)
/usr/local/include/llvm/IR/IRBuilder.h:1455:0

#9 0x00007f9faae583be (anonymous
namespace)::AFLCoverage::runOnModule(llvm::Module&)
/home/lt/aflgo-org/llvm_mode/afl-llvm-pass.so.cc:376:0

#10 0x0000000001009d14 llvm::legacy::PassManagerImpl::run(llvm::Module&)
(/usr/local/bin/clang-7.0+0x1009d14)

#11 0x0000000001643251 (anonymous
namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction,
std::unique_ptr<llvm::raw_pwrite_stream,
std::default_delete<llvm::raw_pwrite_stream> >)
(/usr/local/bin/clang-7.0+0x1643251)

#12 0x0000000001645362 clang::EmitBackendOutput(clang::DiagnosticsEngine&,
clang::HeaderSearchOptions const&, clang::CodeGenOptions const&,
clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout
const&, llvm::Module*, clang::BackendAction,
std::unique_ptr<llvm::raw_pwrite_stream,
std::default_delete<llvm::raw_pwrite_stream> >)
(/usr/local/bin/clang-7.0+0x1645362)

#13 0x0000000001d4dc44
clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&)
(/usr/local/bin/clang-7.0+0x1d4dc44)

#14 0x0000000002541240 clang::ParseAST(clang::Sema&, bool, bool)
(/usr/local/bin/clang-7.0+0x2541240)

#15 0x0000000001d4d227 clang::CodeGenAction::ExecuteAction()
(/usr/local/bin/clang-7.0+0x1d4d227)

#16 0x0000000001a0c17e clang::FrontendAction::Execute()
(/usr/local/bin/clang-7.0+0x1a0c17e)

#17 0x00000000019d7996
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
(/usr/local/bin/clang-7.0+0x19d7996)

#18 0x0000000001a9f87c
clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
(/usr/local/bin/clang-7.0+0x1a9f87c)

#19 0x00000000008a41b8 cc1_main(llvm::ArrayRef<char const*>, char const*,
void*) (/usr/local/bin/clang-7.0+0x8a41b8)

#20 0x000000000084fe97 main (/usr/local/bin/clang-7.0+0x84fe97)

#21 0x00007f9fab07e830 __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x20830)

#22 0x00000000008a18e9 _start (/usr/local/bin/clang-7.0+0x8a18e9)

Stack dump:

  1. Program arguments: /usr/local/bin/clang-7.0 -cc1 -triple
    x86_64-unknown-linux-gnu -emit-llvm-bc -flto -flto-unit -disable-free
    -disable-llvm-verifier -discard-value-names -main-file-name testCCompiler.c
    -mrelocation-model static -mthread-model posix
    -fno-escaping-block-tail-calls -fmath-errno -masm-verbose
    -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64
    -dwarf-column-info -debug-info-kind=limited -dwarf-version=4
    -debugger-tuning=gdb -momit-leaf-frame-pointer -coverage-notes-file
    /home/lt/libtiff/tiff-4.0.7-save-temp/aflgo-build/CMakeFiles/CMakeTmp/CMakeFiles/cmTC_695f0.dir/testCCompiler.c.gcno
    -resource-dir /usr/local/lib/clang/7.0.0 -D __AFL_HAVE_MANUAL_CONTROL=1 -D
    __AFL_COMPILER=1 -D FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -D
    __AFL_LOOP(_A)=({ static volatile char *_B __attribute__((used)); _B =
    (char*)"##SIG_AFL_PERSISTENT##"; __attribute__((visibility("default"))) int
    _L(unsigned int) __asm__("__afl_persistent_loop"); _L(_A); }) -D
    __AFL_INIT()=do { static volatile char *_A __attribute__((used)); _A =
    (char*)"##SIG_AFL_DEFER_FORKSRV##"; __attribute__((visibility("default")))
    void _I(void) __asm__("__afl_manual_init"); _I(); } while (0)
    -internal-isystem /usr/local/include -internal-isystem
    /usr/local/lib/clang/7.0.0/include -internal-externc-isystem
    /usr/include/x86_64-linux-gnu -internal-externc-isystem /include
    -internal-externc-isystem /usr/include -O3 -fdebug-compilation-dir
    /home/lt/libtiff/tiff-4.0.7-save-temp/aflgo-build/CMakeFiles/CMakeTmp
    -ferror-limit 19 -fmessage-length 0 -funroll-loops -fobjc-runtime=gcc
    -fdiagnostics-show-option -vectorize-loops -vectorize-slp -load
    /home/lt/aflgo-org/afl-llvm-pass.so -mllvm
    -targets=/home/lt/libtiff/tiff-4.0.7-save-temp/temp/BBtargets.txt -mllvm
    -outdir=/home/lt/libtiff/tiff-4.0.7-save-temp/temp -o
    CMakeFiles/cmTC_695f0.dir/testCCompiler.c.o -x c
    /home/lt/libtiff/tiff-4.0.7-save-temp/aflgo-build/CMakeFiles/CMakeTmp/testCCompiler.c

  2. <eof> parser at end of file

  3. Per-module optimization passes

  4. Running pass 'Unnamed pass: implement Pass::getPassName()' on module
    '/home/lt/libtiff/tiff-4.0.7-save-temp/aflgo-build/CMakeFiles/CMakeTmp/testCCompiler.c'.

clang-7.0: error: unable to execute command: Segmentation fault (core
dumped)

clang-7.0: error: clang frontend command failed due to signal (use -v to
see invocation)

clang version 7.0.0 (http://llvm.org/git/clang.git
4890a84991653f96f89aaad7e8215afdba8b0441) (http://llvm.org/git/llvm.git
92758f37a54d542b201d1b48724e5c0da9290419)

Target: x86_64-unknown-linux-gnu

Thread model: posix

InstalledDir: /usr/local/bin

clang-7.0: note: diagnostic msg: PLEASE submit a bug report to
https://bugs.llvm.org/ and include the crash backtrace, preprocessed
source, and associated run script.

clang-7.0: note: diagnostic msg:


PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:

Preprocessed source(s) and associated run script(s) are located at:

clang-7.0: note: diagnostic msg: /tmp/testCCompiler-5b1bda.c

clang-7.0: note: diagnostic msg: /tmp/testCCompiler-5b1bda.sh

clang-7.0: note: diagnostic msg:


CMakeFiles/cmTC_695f0.dir/build.make:65: recipe for target
'CMakeFiles/cmTC_695f0.dir/testCCompiler.c.o' failed

make[1]: *** [CMakeFiles/cmTC_695f0.dir/testCCompiler.c.o] Error 254

make[1]: Leaving directory
'/home/lt/libtiff/tiff-4.0.7-save-temp/aflgo-build/CMakeFiles/CMakeTmp'

Makefile:126: recipe for target 'cmTC_695f0/fast' failed

make: *** [cmTC_695f0/fast] Error 2

CMake will not be able to correctly generate this project.
Call Stack (most recent call first):
CMakeLists.txt:71 (project)

-- Configuring incomplete, errors occurred!
See also "/home/lt/libtiff/tiff-4.0.7-save-temp/aflgo-build/CMakeFiles/CMakeOutput.log".
See also "/home/lt/libtiff/tiff-4.0.7-save-temp/aflgo-build/CMakeFiles/CMakeError.log".

How to set a suitable BBtargets.txt

Hi,
I want to fuzz CVE-2016-9831 in libming.
And the crash report is as follows:

#0 0x57f341 in parseSWF_RGBA /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:66:12
#1 0x57f341 in parseSWF_MORPHGRADIENTRECORD /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:746
#2 0x57f341 in parseSWF_MORPHGRADIENT /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:761
#3 0x57e25a in parseSWF_MORPHFILLSTYLE /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:777:7
#4 0x58b9b8 in parseSWF_MORPHFILLSTYLES /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:804:7
#5 0x58b9b8 in parseSWF_DEFINEMORPHSHAPE /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:2098
#6 0x5302cb in blockParse /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/blocktypes.c:145:14
#7 0x527d4f in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:265:11
#8 0x527d4f in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350

In this situation, how do I select a suitable BBtargets.txt? Just the last location, parser.c:66, as the target, or all the locations in the call stack?

The former is as follows:

parser.c:66

The latter is as follows:

parser.c:66
parser.c:746
parser.c:761
parser.c:777
parser.c:804
parser.c:2098
blocktypes.c:145
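
As an added example (not part of the issue above and not one of AFLGo's own scripts): a small Python helper that turns a crash backtrace into the file:line lines BBtargets.txt takes, producing either just the crashing frame or the whole call stack, which are the two choices the post asks about. It understands the sanitizer-style frames quoted above and also gdb-style frames ("... at valid.c:1175") like the xmllint backtrace earlier on this page. Paths are reduced to the bare file name, as in the post's own lists. The sample trace is constructed from the frames quoted above; the names parse_frames, stack_trace_to_targets, max_depth and skip_files belong to this example only.

```python
import os
import re
from typing import List, Optional, Sequence

# Sanitizer-style frame, e.g.
#   #0 0x57f341 in parseSWF_RGBA /path/util/parser.c:66:12
# (the trailing column number is optional)
ASAN_FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+"
    r"(?P<path>[^\s:]+):(?P<line>\d+)(?::\d+)?\s*$"
)
# gdb-style frame, e.g.
#   #1  0x00000000004f4953 in xmlDumpElementDecl (buf=0xa26390, elem=0xa26310) at valid.c:1704
# (the "0x... in" part is absent for inlined frames)
GDB_FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[\w:~<>]+)\s+"
    r"\(.*\)\s+at\s+(?P<path>[^\s:]+):(?P<line>\d+)\s*$"
)


def parse_frames(trace: str) -> List[dict]:
    """Return the recognised frames of a crash backtrace, innermost first."""
    frames = []
    for raw in trace.splitlines():
        m = ASAN_FRAME_RE.match(raw) or GDB_FRAME_RE.match(raw)
        if m:
            frames.append({"idx": int(m["idx"]), "func": m["func"],
                           "path": m["path"], "line": int(m["line"])})
    return frames


def stack_trace_to_targets(trace: str, max_depth: Optional[int] = None,
                           skip_files: Sequence[str] = ()) -> List[str]:
    """Turn a backtrace into BBtargets.txt lines of the form "file.c:line".

    Directory parts are dropped, matching the bare file names used in the post.
    max_depth=1 keeps only the crashing line; None keeps every frame.
    Files listed in skip_files (e.g. a harness's main.c) are left out.
    Duplicates are removed while keeping frame order (innermost first).
    """
    targets: List[str] = []
    seen = set()
    for frame in parse_frames(trace):
        if max_depth is not None and len(targets) >= max_depth:
            break
        base = os.path.basename(frame["path"])
        if base in skip_files:
            continue
        target = f"{base}:{frame['line']}"
        if target not in seen:
            seen.add(target)
            targets.append(target)
    return targets


def write_bbtargets(targets: Sequence[str], path: str) -> None:
    """Write one target per line, the layout BBtargets.txt expects."""
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + "\n")


# Constructed sample, modelled on the ming trace quoted in the issue above.
SAMPLE_TRACE = """\
#0 0x57f341 in parseSWF_RGBA /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:66:12
#1 0x57f341 in parseSWF_MORPHGRADIENTRECORD /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:746
#2 0x57f341 in parseSWF_MORPHGRADIENT /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:761
#3 0x57e25a in parseSWF_MORPHFILLSTYLE /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:777:7
#4 0x58b9b8 in parseSWF_MORPHFILLSTYLES /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:804:7
#5 0x58b9b8 in parseSWF_DEFINEMORPHSHAPE /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/parser.c:2098
#6 0x5302cb in blockParse /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/blocktypes.c:145:14
#7 0x527d4f in readMovie /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:265:11
#8 0x527d4f in main /tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/main.c:350
"""

if __name__ == "__main__":
    # Whole call stack minus the harness file, which is the second list in the post.
    print("\n".join(stack_trace_to_targets(SAMPLE_TRACE, skip_files=("main.c",))))
```

Frames #0 to #2 share one address because of inlining; they still yield distinct file:line targets, which is why deduplication is done on the target string rather than on the address.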

Why does the lrzip example use an empty seed?

https://github.com/aflgo/aflgo/blob/fd1b9f7/scripts/fuzz/lrzip-CVE-2018-11496.sh

@strongcourage thanks for your scripts.

I can set things up, fuzzing lrzip using aflgo, but I observed cycle explosion when using empty seed.

Log:

# echo "">in/in
# $AFLGO/afl-fuzz -m none -z exp -c 45m -i in -o out ./lrzip -t @@ |tee log.txt
aflgo (yeah!) 2.52b
[+] Running with EXP schedule and time-to-exploitation set to 45 minutes
[+] Looks like we're not running on a tty, so I'll be a bit less verbose.
[+] You have 4 CPU cores and 2 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see docs/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #1.
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[*] Setting up output directories...
[*] Scanning 'in'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:in'...
[*] Spinning up the fork server...
[+] All right - fork server is up.
    len = 1, map size = 211, exec speed = 439 us
[!] WARNING: No new instrumentation output, test case may be useless.
[+] All test cases processed.

[!] WARNING: Some test cases look useless. Consider using a smaller set.
[+] Here are some useful stats:

    Test case count : 1 favored, 0 variable, 1 total
       Bitmap range : 211 to 211 bits (average: 211.00 bits)
        Exec timing : 439 to 439 us (average: 439 us)

[*] No -t option specified, so I'll use exec timeout of 20 ms.
[+] All set and ready to roll!
[*] Entering queue cycle 1.
[*] Fuzzing test case #0 (1 total, 0 uniq crashes found)...
[*] Fuzzing test case #1 (2 total, 0 uniq crashes found)...
[*] Entering queue cycle 2.
[*] Fuzzing test case #0 (2 total, 0 uniq crashes found)...
[*] Fuzzing test case #1 (2 total, 0 uniq crashes found)...
[*] Entering queue cycle 3.
[*] Fuzzing test case #0 (2 total, 0 uniq crashes found)...
[*] Fuzzing test case #1 (2 total, 0 uniq crashes found)...
[*] Entering queue cycle 4.
[*] Fuzzing test case #0 (2 total, 0 uniq crashes found)...
[*] Fuzzing test case #1 (2 total, 0 uniq crashes found)...
[*] Entering queue cycle 5.
[*] Fuzzing test case #0 (2 total, 0 uniq crashes found)...
[*] Fuzzing test case #1 (2 total, 0 uniq crashes found)...
[*] Entering queue cycle 6.
[*] Fuzzing test case #0 (2 total, 0 uniq crashes found)...
[*] Fuzzing test case #1 (2 total, 0 uniq crashes found)...
[*] Entering queue cycle 7.
[*] Fuzzing test case #0 (2 total, 0 uniq crashes found)...
[*] Fuzzing test case #1 (2 total, 0 uniq crashes found)...
[*] Entering queue cycle 8.
[*] Fuzzing test case #0 (2 total, 0 uniq crashes found)...
[*] Fuzzing test case #1 (2 total, 0 uniq crashes found)...
[*] Entering queue cycle 9.
[*] Fuzzing test case #0 (2 total, 0 uniq crashes found)...
[*] Fuzzing test case #1 (2 total, 0 uniq crashes found)...
[*] Entering queue cycle 10.
[*] Fuzzing test case #0 (2 total, 0 uniq crashes found)...
[*] Fuzzing test case #1 (2 total, 0 uniq crashes found)...
[*] Entering queue cycle 11.
[*] Fuzzing test case #0 (2 total, 0 uniq crashes found)...
[*] Fuzzing test case #1 (2 total, 0 uniq crashes found)...
[*] Entering queue cycle 12.


The queue cycle number increases quickly; is this normal or expected? I think this may be because AFL cannot find any new paths using havoc, so the queue is finished over and over again very quickly.

Do you think generating an lrzip seed file with ./lrzip -b ../description-pak -o in/seed.lrz is a better choice?

As I remember from my previous fuzzing, AFLFast showed the same phenomenon with an empty seed.

Different results in AFLGo and AFLFast papers

Recently I read your AFLFast and AFLGo papers.
I found some experiment results on binutils are different in these two papers.

These are the result clips from the papers.

For CVE-2016-4487, AFL found the bug in 2.63h, and AFLFast found it in 0.46h; however in AFLGo paper, AFL found the bug in 4m and AFLGo found in 2m.
(CVE-2016-4488, CVE-2016-4489, CVE-2016-4490, CVE-2016-4492 are similar)

If this is because the initial seeds in AFLGo are closer to the bugs, then why can AFLFast find the bugs faster than AFLGo for CVE-2016-4491 and CVE-2016-6131?

If in each paper AFL and the extension tool are provided with the same set of initial seeds, then why does the "factor" of AFLFast look better than the "factor" of AFLGo (second-to-last column)?

I wonder why the directed fuzzer finds the bugs more slowly than the general-purpose fuzzer?

Can you open-source your initial seeds for binutils?

cannot generate Ftargets

I was running AFLGo on a test program. I specified one of the lines with some code as the BB target, but the resulting Ftargets.txt was empty.

In AFLGo's LLVM pass file (afl-llvm-pass.so.cc), I modified the code to let each instruction write its line number to a disk file, but I cannot find my target line number inside that file... This situation is very confusing to me...

I wrote an LLVM pass before, and my pass can output my target line number. The difference is that my tool uses llvm-5.0, while AFLGo uses llvm-4.0. I do not know whether the problem is caused by the different versions of LLVM.

How to use aflgo to test cb_multios

I want to use aflgo to test the binaries in CB_multios. I added
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -targets=/path/BBtargets.txt -outdir=/path/temp -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps").
But each time it fails at link time, and I do not know what is wrong.
Is there any method to detect the problems?
thank you very much!

Empty distance.cfg.txt

Hi,

The distance.cfg.txt is empty. I have two step* files in $TEMP directory, step1.log and step2.log.

The content of step1.log is: "Writing 'callgraph.dot'..."

The content of step2.log is:
"Parsing $TEMP/dot-files/callgraph.dot ..
Name: Call graph
Type: DiGraph
Number of nodes: 2308
Number of edges: 10655
Average in degree: 4.6166
Average out degree: 4.6166

Working in CG mode..
Loading targets..
Calculating distance..

Parsing $TEMP/dot-files/cfg.areBlanks.dot ..
Name: CFG for 'areBlanks' function
Type: DiGraph
Number of nodes: 24
Number of edges: 42
Average in degree: 1.7500
Average out degree: 1.7500

Working in CFG mode..
Loading cg_distance for function 'areBlanks'..
Adding target BBs (if any)..
Calculating distance..

Parsing $TEMP/dot-files/cfg.asciiToUTF8.dot ..
Name: CFG for 'asciiToUTF8' function
Type: DiGraph
Number of nodes: 10
Number of edges: 14
Average in degree: 1.4000
Average out degree: 1.4000

Working in CFG mode..
Loading cg_distance for function 'asciiToUTF8'..
Adding target BBs (if any)..
Calculating distance..

Parsing $TEMP/dot-files/cfg.attributeDeclDebug.dot ..
Name: CFG for 'attributeDeclDebug' function
Type: DiGraph
Number of nodes: 1
Number of edges: 0
Average in degree: 0.0000
Average out degree: 0.0000

Working in CFG mode..
Loading cg_distance for function 'attributeDeclDebug'..
Adding target BBs (if any)..
Calculating distance..

Parsing $TEMP/dot-files/cfg.attributeDecl.dot ..
Name: CFG for 'attributeDecl' function
Type: DiGraph
Number of nodes: 3
Number of edges: 3
Average in degree: 1.0000
Average out degree: 1.0000

Working in CFG mode..
Loading cg_distance for function 'attributeDecl'..
Adding target BBs (if any)..
Calculating distance..

Parsing $TEMP/dot-files/cfg.attributeDeclSplit.dot ..
Name: CFG for 'attributeDeclSplit' function
Type: DiGraph
Number of nodes: 6
Number of edges: 8
Average in degree: 1.3333
Average out degree: 1.3333
........
........
Parsing $TEMP/dot-files/cfg.xmlXPtrStringRangeFunction.dot ..
Name: CFG for 'xmlXPtrStringRangeFunction' function
Type: DiGraph
Number of nodes: 140
Number of edges: 224
Average in degree: 1.6000
Average out degree: 1.6000

Working in CFG mode..
Loading cg_distance for function 'xmlXPtrStringRangeFunction'..
Adding target BBs (if any)..
Calculating distance..

Parsing $TEMP/dot-files/cfg.xmlXPtrWrapLocationSet.dot ..
Name: CFG for 'xmlXPtrWrapLocationSet' function
Type: DiGraph
Number of nodes: 4
Number of edges: 4
Average in degree: 1.0000
Average out degree: 1.0000

Working in CFG mode..
Loading cg_distance for function 'xmlXPtrWrapLocationSet'..
Adding target BBs (if any)..
Calculating distance.."

The distance.callgraph.txt seems fine. The content is like
"..............
main,4.999999999999999
main,4.999999999999999
xmlNextChar,12.0
xmlNoNetExternalEntityLoader,14.0
......................"

I am not sure what the expected output is like and how to fix this problem.

How to fuzz libpng

I want to use AFLGo to fuzz CVE-2011-2501, but when I try to generate distance.callgraph.txt with "$AFLGO/scripts/genDistance.sh $subject $TMP_DIR [fuzzer name]", there is an error. I don't know what the fuzzer name is. I use gif2png to test, but when I use gif2png as the third argument it is wrong as well.

Distance Calculation

Hi. According to the tutorial, I found that target information is used while building the binary and generating the distance.

It seems that we have to build the binary once again with the generated distance. Actually, I want to know when the target information is used during the whole workflow.

In other words, if I change my targets, what information can be reused and what needs to be generated again? Is the distance information related to the targets, or is it information for the whole binary that can be reused no matter how we change the targets? Many thanks.
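
An added example (not AFLGo's own gen_distance script, and not code from the posts) to make concrete what the distance step consumes and produces, which is what this post and the "Empty distance.cfg.txt" and "distance.callgraph.txt: No such file or directory" reports above turn on. It parses a call graph written in the Node0x... [label="{func}"] / Node0x... -> Node0x... form that LLVM's -dot-callgraph emits, takes the function names of Ftargets.txt, and computes each function's target distance as the AFLGo paper defines it: the inverse of the summed reciprocals of the shortest call-path lengths to the reachable targets, undefined when no target is reachable. In this example only the distance values depend on the target names; the parsed graph does not, so a new target list means recomputing distances, not reparsing the graph. A target list that labels no node is reported in the same terms as the "No targets available" message quoted in the issue further down. The graph and Ftargets list below are constructed, and treating a target function's own distance as 0 is this example's convention.

```python
import re
from collections import deque
from typing import Dict, Optional, Sequence, Set, Tuple

# Node and edge lines as written by LLVM's -dot-callgraph, e.g.
#   Node0x1f3a [shape=record,label="{main}"];
#   Node0x1f3a -> Node0x2b40;
NODE_RE = re.compile(r'^\s*(?P<id>Node0x[0-9a-fA-F]+)\s*\[[^\]]*label="\{(?P<name>[^}]*)\}"')
EDGE_RE = re.compile(r'^\s*(?P<src>Node0x[0-9a-fA-F]+)\s*->\s*(?P<dst>Node0x[0-9a-fA-F]+)')


def parse_callgraph(dot: str) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Return (node id -> function name, node id -> set of callee node ids)."""
    names: Dict[str, str] = {}
    succ: Dict[str, Set[str]] = {}
    for line in dot.splitlines():
        m = NODE_RE.match(line)
        if m:
            names[m["id"]] = m["name"]
            succ.setdefault(m["id"], set())
            continue
        m = EDGE_RE.match(line)
        if m:
            succ.setdefault(m["src"], set()).add(m["dst"])
            succ.setdefault(m["dst"], set())
    return names, succ


def bfs_distances(succ: Dict[str, Set[str]], start: str) -> Dict[str, int]:
    """Number of call edges on the shortest path from start to every reachable node."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in succ.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def callgraph_distances(dot: str, ftargets: Sequence[str]) -> Dict[str, Optional[float]]:
    """Function-level target distance for every function of the call graph.

    Per the AFLGo paper, with R the targets reachable from n:
        d_f(n, T_f) = ( sum over t in R of d(n, t)^-1 )^-1,   None if R is empty.
    A function that is itself a target gets 0 (this example's convention).
    """
    names, succ = parse_callgraph(dot)
    wanted = set(ftargets)
    target_ids = {nid for nid, name in names.items() if name in wanted}
    if not target_ids:
        # Same situation as genDistance's "No targets available": the names in
        # Ftargets.txt label no node of callgraph.dot, so nothing can be computed.
        raise ValueError(f"No targets available: none of {sorted(wanted)} is a call-graph node")
    result: Dict[str, Optional[float]] = {}
    for nid, name in names.items():
        if nid in target_ids:
            result[name] = 0.0
            continue
        dist = bfs_distances(succ, nid)
        reachable = [dist[t] for t in target_ids if t in dist]
        result[name] = 1.0 / sum(1.0 / d for d in reachable) if reachable else None
    return result


def format_distance_file(distances: Dict[str, Optional[float]]) -> str:
    """Render "function,distance" lines like distance.callgraph.txt; undefined entries are skipped."""
    return "".join(f"{name},{d}\n" for name, d in distances.items() if d is not None)


# Constructed call graph (not from any real program). Ftargets names two
# functions, one of which calls the other, so both are targets at once.
SAMPLE_CALLGRAPH_DOT = """\
digraph "Call graph" {
    Node0x1 [shape=record,label="{main}"];
    Node0x2 [shape=record,label="{readMovie}"];
    Node0x3 [shape=record,label="{blockParse}"];
    Node0x4 [shape=record,label="{parseShape}"];
    Node0x5 [shape=record,label="{parseGradient}"];
    Node0x6 [shape=record,label="{parseRGBA}"];
    Node0x7 [shape=record,label="{printUsage}"];
    Node0x1 -> Node0x2;
    Node0x1 -> Node0x7;
    Node0x2 -> Node0x3;
    Node0x3 -> Node0x4;
    Node0x4 -> Node0x5;
    Node0x4 -> Node0x6;
    Node0x5 -> Node0x6;
}
"""
SAMPLE_FTARGETS = ["parseGradient", "parseRGBA"]

if __name__ == "__main__":
    print(format_distance_file(callgraph_distances(SAMPLE_CALLGRAPH_DOT, SAMPLE_FTARGETS)), end="")
```

With the constructed graph, main is four call edges from each target, so its distance is 1 / (1/4 + 1/4) = 2.0, blockParse gets 1.0, parseShape 0.5, and printUsage, which reaches no target, gets no line in the output file at all. That last behaviour is worth remembering when a distance file looks short: functions with no path to any target are simply absent, not zero.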

some questions about ./autogen

clang-6.0: error: unsupported option '-V -g'
configure:3582: $? = 1
configure:3571: /home/aflgo/aflgo/afl-clang-fast -qversion >&5
clang-6.0: error: unknown argument: '-qversion'
configure:3582: $? = 1
configure:3602: checking whether the C compiler works
configure:3624: /home/aflgo/aflgo/afl-clang-fast -targets=/home/aflgo/temp/BBtargets.txt -outdir=/home/aflgo/temp -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps -L/usr/lib conftest.c -lpthreads >&5
/usr/bin/ld.gold: error: cannot find -lpthreads

But when I use root permissions it can be done, although Ftargets.txt is empty. I want to know the reason for these problems.

Please rewrite and test aflgo-build.sh

https://github.com/aflgo/aflgo/blob/0f45722/scripts/build/aflgo-build.sh

set -e can be added

Exit immediately if a command exits with a non-zero status.

It's suggested to add apt install sudo wget for Docker building

Do not assume sudo, curl and wget are present by default

Why do you clone clang from chromium_tools?

It seems ~/build/chromium_tools is not used afterwards

Please use the correct command to decompress xz files

tar xvzf is for tar.gz files, not for tar.xz

tar xf llvm-4.0.0.src.tar.xz is enough here.

Please change directory to ~/build before decompressing

This version of the script will download xz files to ~/build/chromium_tools, not ~/build

Please change directory after ninja install

Or, you can change mkdir -p build-llvm/msan; cd build-llvm/msan to mkdir -p ~/build/build-llvm/msan; cd ~/build/build-llvm/msan

Do not forget -y for apt install

python3 -m pip is better than pip3

About python version

Why do you install both python2 and python3? Does AFLGo require both?


Besides, please add apt install -y pkg-config gawk to scripts/fuzz/libxml2-ef709ce2.sh

distance.callgraph.txt: No such file or directory

Hi,
When I use aflgo, I always run into the problem cat: ..../AFLGO/temp/distance.callgraph.txt: No such file or directory
Here is my environment:
subject:libxml2
OS: ubuntu 16.04
LLVM: 4.0

And when I execute the command $AFLGO/scripts/genDistance.sh $SUBJECT $TMP_DIR xmllint, the result is:
(1) Constructing CG for /home/wcc/Downloads/AFLGO/libxml2/.libs/xmllint..
(2) Computing distance for call graph ..
cat: /home/wcc/Downloads/AFLGO/temp/distance.callgraph.txt: No such file or directory

Parsing /home/wcc/Downloads/AFLGO/temp/dot-files/callgraph.dot ..
Name: Call graph
Type: DiGraph
Number of nodes: 252
Number of edges: 765
Average in degree: 3.0357
Average out degree: 3.0357

Working in CG mode..
Loading targets..
No targets available
-- Problem in Step 2 of generating !
-- You can resume by executing:
$ /home/wcc/Downloads/AFLGO/aflgo/scripts/genDistance.sh /home/wcc/Downloads/AFLGO/libxml2 /home/wcc/Downloads/AFLGO/temp xmllint /home/wcc/Downloads/AFLGO/temp

And the Ftargets.txt is
xmlAddID__internal_alias
xmlAddID
step2.log is
Parsing /home/wcc/Downloads/AFLGO/temp/dot-files/callgraph.dot ..
Name: Call graph
Type: DiGraph
Number of nodes: 252
Number of edges: 765
Average in degree: 3.0357
Average out degree: 3.0357

Working in CG mode..
Loading targets..
No targets available

Thanks!

Error when Instrument subject (i.e., libxml2)

Hi, I am trying to use aflgo as described in the README.md; in step 9, Instrument subject (i.e., libxml2), I get an error.
It shows :

1.	<eof> parser at end of file
2.	Per-module optimization passes
3.	Running pass 'Unnamed pass: implement Pass::getPassName()' on module 'parserInternals.c'.
clang-6.0: error: unable to execute command: Aborted
clang-6.0: error: clang frontend command failed due to signal (use -v to see invocation)

The details are as follows:

aflgo-llvm-pass (yeah!) 2.49b (distance instrumentation mode)
clang-6.0: /home/lzs243/llvm-6.0/llvm-6.0.0.src/lib/IR/Instructions.cpp:1362: llvm::LoadInst::LoadInst(llvm::Type*, llvm::Value*, const char*, bool, llvm::Instruction*): Assertion `Ty == cast<PointerType>(Ptr->getType())->getElementType()' failed.
#0 0x000000000425a6bb llvm::sys::PrintStackTrace(llvm::raw_ostream&) /home/lzs243/llvm-6.0/llvm-6.0.0.src/lib/Support/Unix/Signals.inc:398:0
#1 0x000000000425a74e PrintStackTraceSignalHandler(void*) /home/lzs243/llvm-6.0/llvm-6.0.0.src/lib/Support/Unix/Signals.inc:462:0
#2 0x0000000004258937 llvm::sys::RunSignalHandlers() /home/lzs243/llvm-6.0/llvm-6.0.0.src/lib/Support/Signals.cpp:49:0
#3 0x0000000004259f30 SignalHandler(int) /home/lzs243/llvm-6.0/llvm-6.0.0.src/lib/Support/Unix/Signals.inc:252:0
#4 0x00007f0479d2e390 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
#5 0x00007f0478aa0428 gsignal /build/glibc-Cl5G7W/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54:0
#6 0x00007f0478aa202a abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:91:0
#7 0x00007f0478a98bd7 __assert_fail_base /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:92:0
#8 0x00007f0478a98c82 (/lib/x86_64-linux-gnu/libc.so.6+0x2dc82)
#9 0x0000000003a79c7b llvm::LoadInst::LoadInst(llvm::Type*, llvm::Value*, char const*, bool, llvm::Instruction*) /home/lzs243/llvm-6.0/llvm-6.0.0.src/lib/IR/Instructions.cpp:1363:0
#10 0x00007f047a11ba45 llvm::IRBuilder<llvm::ConstantFolder, llvm::IRBuilderDefaultInserter>::CreateLoad(llvm::Type*, llvm::Value*, llvm::Twine const&) /home/lzs243/binutils/build/INSTALL/include/llvm/IR/IRBuilder.h:1175:42
#11 0x00007f047a11941c (anonymous namespace)::AFLCoverage::runOnModule(llvm::Module&) /home/lzs243/Documents/TargetFuzz/tools/aflgo/llvm_mode/afl-llvm-pass.so.cc:559:35
#12 0x0000000003aafff2 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/lzs243/llvm-6.0/llvm-6.0.0.src/lib/IR/LegacyPassManager.cpp:1597:0
#13 0x0000000003ab0707 llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/lzs243/llvm-6.0/llvm-6.0.0.src/lib/IR/LegacyPassManager.cpp:1700:0
#14 0x0000000003ab0913 llvm::legacy::PassManager::run(llvm::Module&) /home/lzs243/llvm-6.0/llvm-6.0.0.src/lib/IR/LegacyPassManager.cpp:1732:0
#15 0x0000000004536623 (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/lib/CodeGen/BackendUtil.cpp:809:0
#16 0x000000000453901a clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/lib/CodeGen/BackendUtil.cpp:1181:0
#17 0x0000000005106ad7 clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/lib/CodeGen/CodeGenAction.cpp:294:0
#18 0x0000000005ea9c21 clang::ParseAST(clang::Sema&, bool, bool) /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/lib/Parse/ParseAST.cpp:161:0
#19 0x0000000004be062d clang::ASTFrontendAction::ExecuteAction() /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/lib/Frontend/FrontendAction.cpp:999:0
#20 0x0000000005104958 clang::CodeGenAction::ExecuteAction() /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/lib/CodeGen/CodeGenAction.cpp:1032:0
#21 0x0000000004be0042 clang::FrontendAction::Execute() /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/lib/Frontend/FrontendAction.cpp:901:0
#22 0x0000000004b7ae4e clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/lib/Frontend/CompilerInstance.cpp:992:0
#23 0x0000000004d325c1 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/lib/FrontendTool/ExecuteCompilerInvocation.cpp:252:0
#24 0x000000000200e024 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/tools/driver/cc1_main.cpp:221:0
#25 0x0000000002002f26 ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/tools/driver/driver.cpp:309:0
#26 0x0000000002003c30 main /home/lzs243/llvm-6.0/llvm-6.0.0.src/tools/clang-6.0/tools/driver/driver.cpp:388:0
#27 0x00007f0478a8b830 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:325:0
#28 0x0000000002000539 _start (/home/lzs243/binutils/build/INSTALL/bin/clang-6.0+0x2000539)
Stack dump:
0.	Program arguments: /home/lzs243/binutils/build/INSTALL/bin/clang-6.0 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -disable-free -main-file-name parserInternals.c -mrelocation-model static -mthread-model posix -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -momit-leaf-frame-pointer -coverage-notes-file /home/lzs243/Documents/TargetFuzz/tools/aflgo/libxml2/parserInternals.gcno -resource-dir /home/lzs243/binutils/build/INSTALL/lib/clang/6.0.0 -D HAVE_CONFIG_H -I . -I ./include -I ./include -D _REENTRANT -D __AFL_HAVE_MANUAL_CONTROL=1 -D __AFL_COMPILER=1 -D FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -D __AFL_LOOP(_A)=({ static volatile char *_B __attribute__((used));  _B = (char*)"##SIG_AFL_PERSISTENT##"; __attribute__((visibility("default"))) int _L(unsigned int) __asm__("__afl_persistent_loop"); _L(_A); }) -D __AFL_INIT()=do { static volatile char *_A __attribute__((used));  _A = (char*)"##SIG_AFL_DEFER_FORKSRV##"; __attribute__((visibility("default"))) void _I(void) __asm__("__afl_manual_init"); _I(); } while (0) -internal-isystem /usr/local/include -internal-isystem /home/lzs243/binutils/build/INSTALL/lib/clang/6.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wno-long-long -pedantic -fconst-strings -fdebug-compilation-dir /home/lzs243/Documents/TargetFuzz/tools/aflgo/libxml2 -ferror-limit 19 -fmessage-length 115 -funroll-loops -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -vectorize-loops -vectorize-slp -load 
../afl-llvm-pass.so -mllvm -distance=/home/lzs243/Documents/TargetFuzz/tools/aflgo/temp/distance.cfg.txt -o parserInternals.o -x c parserInternals.c 
1.	<eof> parser at end of file
2.	Per-module optimization passes
3.	Running pass 'Unnamed pass: implement Pass::getPassName()' on module 'parserInternals.c'.
clang-6.0: error: unable to execute command: Aborted
clang-6.0: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 6.0.0 (tags/RELEASE_600/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/lzs243/binutils/build/INSTALL/bin
clang-6.0: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.
clang-6.0: note: diagnostic msg: 
********************

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-6.0: note: diagnostic msg: /tmp/parserInternals-1cd145.c
clang-6.0: note: diagnostic msg: /tmp/parserInternals-1cd145.sh
clang-6.0: note: diagnostic msg: 

********************
Makefile:1249: recipe for target 'parserInternals.lo' failed
make[2]: *** [parserInternals.lo] Error 1
make[2]: *** Waiting for unfinished jobs....

Ftarget.txt is incorrect

When I tried it with libtiff, I set the location manually and according to the rule. But I found that Ftarget.txt is incorrect, because I chose a single function, but it's always main. I don't know why.

Ftarget fails to generate when fuzzing Nginx

Fuzzing target

Nginx server

Patch used

The patch for CVE-2017-7529.
The patch for CVE-2016-4450.

Nginx version

nginx-1.12.1 (latest stable release as of Sept. 5, 2017)
Download release tarball here.

Aflgo version

Compiled from latest commit on master branch.

Issue description

$TMP_DIR/Ftargets.txt is empty (i.e no content) after compiling. Take CVE-2016-4450 for an example, we write $TMP_DIR/BBtargets.txt manually (instead of generating from git commit), which is:

src/os/unix/ngx_files.c:360
src/os/unix/ngx_files.c:361
src/os/unix/ngx_files.c:362

Minor comment

Note that we have to disable linker optimization (compiler option -flto) to get Nginx to compile using afl-clang-fast and (other) CFLAGS required by Aflgo.
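A sanity check for a hand-written BBtargets.txt, added here as an example and not part of AFLGo or of this issue: it assumes the README's `path/file.c:LINE` target format with paths relative to the subject's source root, and flags entries that cannot correspond to a basic block (missing file, line out of range, blank, comment or preprocessor line, duplicate). That such entries are one cause of an empty Ftargets.txt is an assumption here, not a diagnosis of the report above.

```python
"""Check BBtargets.txt entries before running AFLGo's distance computation.

Added example, not part of AFLGo. Assumes the README's "path/file.c:LINE"
target format with paths relative to the subject's source root.
"""
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

TARGET_RE = re.compile(r"^(?P<path>[^:\s]+):(?P<line>\d+)$")
# Lines starting like this carry no executable statement, so no basic block
# can be matched to them (assumption about what a usable target looks like).
NON_CODE_PREFIXES = ("//", "/*", "*", "#")


def parse_targets(text: str) -> List[Tuple[str, int]]:
    """Parse BBtargets.txt content into (path, line) pairs; malformed rows raise."""
    targets = []
    for raw in text.splitlines():
        row = raw.strip()
        if not row:
            continue
        m = TARGET_RE.match(row)
        if not m:
            raise ValueError(f"malformed target: {row!r}")
        targets.append((m.group("path"), int(m.group("line"))))
    return targets


def check_targets(targets: List[Tuple[str, int]],
                  read_source: Callable[[str], Optional[List[str]]]) -> List[str]:
    """Return human-readable problems; an empty list means every target looks usable.

    read_source(path) returns the file's lines, or None if the file does not exist.
    """
    problems, seen = [], set()
    for path, line in targets:
        if (path, line) in seen:
            problems.append(f"{path}:{line}: duplicate target")
            continue
        seen.add((path, line))
        lines = read_source(path)
        if lines is None:
            problems.append(f"{path}:{line}: file not found under source root")
        elif not 1 <= line <= len(lines):
            problems.append(f"{path}:{line}: line out of range (file has {len(lines)} lines)")
        elif not lines[line - 1].strip() or lines[line - 1].strip().startswith(NON_CODE_PREFIXES):
            problems.append(f"{path}:{line}: blank, comment or preprocessor line; no basic block to match")
    return problems


def disk_reader(src_root: str) -> Callable[[str], Optional[List[str]]]:
    """Reader over a real checkout: resolves paths relative to src_root."""
    def read(path: str) -> Optional[List[str]]:
        full = os.path.join(src_root, path)
        if not os.path.isfile(full):
            return None
        with open(full, encoding="utf-8", errors="replace") as fh:
            return fh.read().splitlines()
    return read


def dict_reader(files: Dict[str, List[str]]) -> Callable[[str], Optional[List[str]]]:
    """Reader over an in-memory tree, used for the constructed sample below."""
    return files.get


# Constructed sample: a stand-in for the file named in the issue, not real nginx source.
SAMPLE_SOURCES = {"src/os/unix/ngx_files.c": ["int f(void)", "{", "", "    return 0;", "}"]}
SAMPLE_BBTARGETS = ("src/os/unix/ngx_files.c:4\nsrc/os/unix/ngx_files.c:3\n"
                    "src/core/missing.c:1\nsrc/os/unix/ngx_files.c:4\n")

if __name__ == "__main__":
    for problem in check_targets(parse_targets(SAMPLE_BBTARGETS), dict_reader(SAMPLE_SOURCES)):
        print(problem)
```

Run it against a real checkout with `check_targets(parse_targets(open("BBtargets.txt").read()), disk_reader("/path/to/subject"))`.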

llvm version: README says 4.0.1, while aflgo-build.sh uses 4.0.0.

I'm not familiar with llvm; can anybody tell me which llvm version I should use?

I can build aflgo with clang 4.0.0; do I need to change to a higher or the latest llvm version for better performance or something else?

Please make README and the building script consistent.

Error in instrumentation with distance file

Hi, thanks for your aflgo tool.
I am now using aflgo according to the steps mentioned in README.md.
But when I run Step 9 (instrumentation with distance file), I got the following error.
Could you please give me any suggestion about how to solve the problem?
Thank you very much.

===================
aflgo-llvm-pass (yeah!) 2.49b (distance instrumentation mode)
clang-4.0: /home/fuzzer123/llvm/lib/IR/Instructions.cpp:1350: llvm::LoadInst::LoadInst(llvm::Type*, llvm::Value*, const char*, bool, llvm::Instruction*): Assertion `Ty == cast<PointerType>(Ptr->getType())->getElementType()' failed.
#0 0x00000000039febec llvm::sys::PrintStackTrace(llvm::raw_ostream&) /home/fuzzer123/llvm/lib/Support/Unix/Signals.inc:402:0
#1 0x00000000039fef8b PrintStackTraceSignalHandler(void*) /home/fuzzer123/llvm/lib/Support/Unix/Signals.inc:466:0
#2 0x00000000039fcf23 llvm::sys::RunSignalHandlers() /home/fuzzer123/llvm/lib/Support/Signals.cpp:44:0
#3 0x00000000039fe44d SignalHandler(int) /home/fuzzer123/llvm/lib/Support/Unix/Signals.inc:256:0
#4 0x00007fea32523390 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x11390)
#5 0x00007fea316d8428 gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x35428)
#6 0x00007fea316da02a abort (/lib/x86_64-linux-gnu/libc.so.6+0x3702a)
#7 0x00007fea316d0bd7 (/lib/x86_64-linux-gnu/libc.so.6+0x2dbd7)
#8 0x00007fea316d0c82 (/lib/x86_64-linux-gnu/libc.so.6+0x2dc82)
#9 0x00000000033c4b7f llvm::LoadInst::LoadInst(llvm::Type*, llvm::Value*, char const*, bool, llvm::Instruction*) /home/fuzzer123/llvm/lib/IR/Instructions.cpp:1351:0
#10 0x00007fea31498d00 llvm::IRBuilder<llvm::ConstantFolder, llvm::IRBuilderDefaultInserter>::CreateLoad(llvm::Type*, llvm::Value*, llvm::Twine const&) /usr/local/include/llvm/IR/IRBuilder.h:1089:12
#11 0x00007fea31498d00 (anonymous namespace)::AFLCoverage::runOnModule(llvm::Module&) /home/fuzzer123/aflgo/llvm_mode/afl-llvm-pass.so.cc:558:0
#12 0x00000000033f8cc4 (anonymous namespace)::MPPassManager::runOnModule(llvm::Module&) /home/fuzzer123/llvm/lib/IR/LegacyPassManager.cpp:1590:0
#13 0x00000000033f93d9 llvm::legacy::PassManagerImpl::run(llvm::Module&) /home/fuzzer123/llvm/lib/IR/LegacyPassManager.cpp:1693:0
#14 0x00000000033f95e5 llvm::legacy::PassManager::run(llvm::Module&) /home/fuzzer123/llvm/lib/IR/LegacyPassManager.cpp:1725:0
#15 0x0000000003cb79c5 (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/fuzzer123/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:723:0
#16 0x0000000003cb91c4 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) /home/fuzzer123/llvm/tools/clang/lib/CodeGen/BackendUtil.cpp:978:0
#17 0x00000000048591a3 clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) /home/fuzzer123/llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:231:0
#18 0x000000000553c6e9 clang::ParseAST(clang::Sema&, bool, bool) /home/fuzzer123/llvm/tools/clang/lib/Parse/ParseAST.cpp:161:0
#19 0x00000000042ac7bb clang::ASTFrontendAction::ExecuteAction() /home/fuzzer123/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:559:0
#20 0x00000000048577e3 clang::CodeGenAction::ExecuteAction() /home/fuzzer123/llvm/tools/clang/lib/CodeGen/CodeGenAction.cpp:911:0
#21 0x00000000042ac208 clang::FrontendAction::Execute() /home/fuzzer123/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:463:0
#22 0x000000000424d35c clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /home/fuzzer123/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:954:0
#23 0x00000000043eaa39 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /home/fuzzer123/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:249:0
#24 0x0000000001d390e2 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /home/fuzzer123/llvm/tools/clang/tools/driver/cc1_main.cpp:221:0
#25 0x0000000001d2ea1b ExecuteCC1Tool(llvm::ArrayRef<char const*>, llvm::StringRef) /home/fuzzer123/llvm/tools/clang/tools/driver/driver.cpp:299:0
#26 0x0000000001d2f639 main /home/fuzzer123/llvm/tools/clang/tools/driver/driver.cpp:380:0
#27 0x00007fea316c3830 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20830)
#28 0x0000000001d2c1d9 _start (/usr/local/bin/clang-4.0+0x1d2c1d9)
Stack dump:
0. Program arguments: /usr/local/bin/clang-4.0 -cc1 -triple x86_64-unknown-linux-gnu -emit-obj -disable-free -main-file-name parserInternals.c -mrelocation-model static -mthread-model posix -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -momit-leaf-frame-pointer -dwarf-column-info -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -coverage-notes-file /home/fuzzer123/poc/libxml2/parserInternals.gcno -resource-dir /usr/local/bin/../lib/clang/4.0.1 -dependency-file .deps/parserInternals.Tpo -sys-header-deps -MP -MT parserInternals.lo -D HAVE_CONFIG_H -I . -I ./include -I ./include -D _REENTRANT -D __AFL_HAVE_MANUAL_CONTROL=1 -D __AFL_COMPILER=1 -D FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1 -D __AFL_LOOP(_A)=({ static volatile char *_B __attribute__((used)); _B = (char*)"##SIG_AFL_PERSISTENT##"; __attribute__((visibility("default"))) int _L(unsigned int) __asm__("__afl_persistent_loop"); _L(_A); }) -D __AFL_INIT()=do { static volatile char *_A __attribute__((used)); _A = (char*)"##SIG_AFL_DEFER_FORKSRV##"; __attribute__((visibility("default"))) void _I(void) __asm__("__afl_manual_init"); _I(); } while (0) -internal-isystem /usr/local/include -internal-isystem /usr/local/bin/../lib/clang/4.0.1/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -W -Wformat -Wunused -Wimplicit -Wreturn-type -Wswitch -Wcomment -Wtrigraphs -Wformat -Wchar-subscripts -Wuninitialized -Wparentheses -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wredundant-decls -Wno-long-long -pedantic -fconst-strings -fdebug-compilation-dir /home/fuzzer123/poc/libxml2 -ferror-limit 19 -fmessage-length 80 -funroll-loops -fobjc-runtime=gcc -fdiagnostics-show-option -vectorize-loops -vectorize-slp -load /home/fuzzer123/aflgo/afl-llvm-pass.so -mllvm 
-distance=/home/fuzzer123/poc/temp/distance.cfg.txt -o parserInternals.o -x c parserInternals.c

1.	<eof> parser at end of file
2.	Per-module optimization passes
3.	Running pass 'Unnamed pass: implement Pass::getPassName()' on module 'parserInternals.c'.
clang-4.0: error: unable to execute command: Aborted (core dumped)
clang-4.0: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 4.0.1 (tags/RELEASE_401/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
clang-4.0: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.
clang-4.0: note: diagnostic msg:

PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-4.0: note: diagnostic msg: /tmp/parserInternals-8469e8.c
clang-4.0: note: diagnostic msg: /tmp/parserInternals-8469e8.sh
clang-4.0: note: diagnostic msg:


Makefile:1247: recipe for target 'parserInternals.lo' failed
make[2]: *** [parserInternals.lo] Error 1
make[2]: Leaving directory '/home/fuzzer123/poc/libxml2'
Makefile:1439: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/fuzzer123/poc/libxml2'
Makefile:858: recipe for target 'all' failed
make: *** [all] Error 2
