rust-fuzz / afl.rs
🐇 Fuzzing Rust code with American Fuzzy Lop
Home Page: https://rust-fuzz.github.io/book/afl.html
License: Apache License 2.0
Is it possible?
Extract with the GZIP + Tar libraries. Not a fan of hosting the entire source in the repository; could try just uncompressing+extracting the .tgz as part of the build process
As we've found in rust-lang/rust#36705, jemalloc has abysmal fork performance in some kernel configurations, notably on recent Ubuntu versions.
Even on good configurations, the system default allocator has about 20% better fork performance than jemalloc.
This can be done in documentation, by adding the 2 lines described in https://doc.rust-lang.org/nightly/book/custom-allocators.html to the instrumentation instructions.
e.g. `afl_sys::fuzz(..)` should return a `Process`
Right now, I'm thinking we'll need to generate a binary for each AFL command we want to support, then have the lib call each binary in a `Command`. I need to find a way for a library to get the path for dependent binaries.
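One way for a library to locate and spawn the per-command helper binaries sketched above, as an added example rather than afl.rs code: look in an explicit override directory, then next to the running executable (where Cargo places the other binaries of the same package), then along `PATH`. The `AFL_RS_BIN_DIR` variable and all function names are assumptions of this example, not afl.rs settings.

```rust
use std::env;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::process::{Command, ExitStatus};

/// Return `dir/name` if it exists as a regular file. No execute-bit check is
/// made; on Unix one could add it with std::os::unix::fs::PermissionsExt.
fn file_in(dir: &Path, name: &str) -> Option<PathBuf> {
    let candidate = dir.join(name);
    match fs::metadata(&candidate) {
        Ok(meta) if meta.is_file() => Some(candidate),
        _ => None,
    }
}

/// Search `dirs` in order for a regular file called `name`.
pub fn find_in_dirs(name: &str, dirs: &[PathBuf]) -> Option<PathBuf> {
    dirs.iter().find_map(|dir| file_in(dir, name))
}

/// Directories consulted, highest precedence first: an explicit override
/// (AFL_RS_BIN_DIR is a name assumed by this example), the directory holding
/// the running executable, then every entry of PATH.
pub fn search_dirs() -> Vec<PathBuf> {
    let mut dirs = Vec::new();
    if let Some(dir) = env::var_os("AFL_RS_BIN_DIR") {
        dirs.push(PathBuf::from(dir));
    }
    if let Ok(exe) = env::current_exe() {
        if let Some(parent) = exe.parent() {
            dirs.push(parent.to_path_buf());
        }
    }
    if let Some(path) = env::var_os("PATH") {
        dirs.extend(env::split_paths(&path));
    }
    dirs
}

/// Locate a helper such as `afl-fuzz` or `afl-showmap`.
pub fn locate_helper(name: &str) -> Option<PathBuf> {
    find_in_dirs(name, &search_dirs())
}

/// Spawn a helper with `args`, let it inherit stdio, and wait for it to exit.
pub fn run_helper(name: &str, args: &[&str]) -> io::Result<ExitStatus> {
    let path = locate_helper(name).ok_or_else(|| {
        io::Error::new(
            io::ErrorKind::NotFound,
            format!("helper binary `{}` not found", name),
        )
    })?;
    Command::new(path).args(args).status()
}

fn main() {
    // Equivalent of `afl-fuzz -i in -o out -- ./target/debug/fuzz-target`,
    // assuming afl-fuzz is installed somewhere in the search directories.
    let args = ["-i", "in", "-o", "out", "--", "./target/debug/fuzz-target"];
    match run_helper("afl-fuzz", &args) {
        Ok(status) => println!("afl-fuzz exited with {}", status),
        Err(err) => eprintln!("could not run afl-fuzz: {}", err),
    }
}
```

The lookup order matters for supply-chain hygiene: an explicit override and the sibling directory are consulted before `PATH`, so a stray `afl-fuzz` earlier on the user's `PATH` cannot shadow the copy the library shipped with.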
It might require building LLVM and Rust on travis? :(
... Documentation for afl.rs can be found here: https://frewsxcv.github.io/afl.rs/ == 404
Maybe change the URL to: https://github.com/rust-fuzz/afl.rs/tree/master/docs/src
https://github.com/rust-lang/rfcs/blob/master/text/1513-less-unwinding.md
Since the documentation for afl.rs recommends `-Z no-landing-pads`, which is basically deprecated now
When I try to compile the 'regex-afl' crate in https://github.com/SeanRBurton/regex/tree/afl, I get the following error:
/home/usr/documents/regex/src/lib.rs:453:42: 453:52 error: /home/usr/documents/regex/regex-afl/target/debug/deps/libafl_plugin-86c859d7ecd403fc.so: undefined symbol: _ZNK4llvm10ModulePass17createPrinterPassERNS_11raw_ostreamERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE /home/sean/usr/documents/regex/src/lib.rs:453 #![cfg_attr(feature = "afl-fuzz", plugin(afl_plugin))]
Can you please help me debug this?
One only needs to use LLVM 3.8 (as far as I know) to get AFL to work with Rust programs. We can then stop requiring users to compile Rust to use afl.rs.
I'm trying to run AFL against https://github.com/postmates/quantiles/. Following the information available at https://frewsxcv.github.io/afl.rs/tutorial.html I run into some kind of build failure:
➜ quantiles git:(afl_fuzzy) ✗ docker run -v $(pwd):/source -it corey/afl.rs sh
Updating registry `https://github.com/rust-lang/crates.io-index`
Downloading afl v0.1.5
Downloading afl-plugin v0.1.5
Downloading serde v0.8.13
Downloading afl-sys v0.1.5
Downloading libc v0.2.17
Downloading gcc v0.3.40
Downloading quale v1.0.0
Downloading serde_codegen v0.8.13
Downloading syn v0.9.0
Downloading syntex_syntax v0.45.0
Downloading serde_codegen_internals v0.10.0
Downloading quote v0.3.3
Downloading syntex v0.45.0
Downloading unicode-xid v0.0.3
Downloading syntex_pos v0.45.0
Downloading rustc-serialize v0.3.19
Downloading term v0.4.4
Downloading log v0.3.6
Downloading syntex_errors v0.45.0
Downloading bitflags v0.7.0
Downloading winapi v0.2.8
Downloading kernel32-sys v0.2.2
Downloading winapi-build v0.1.1
Compiling quantiles v0.2.0 (file:///source)
afl-llvm-pass by <[email protected]>
WARNING: No instrumentation targets found.
I've pushed my modifications up to https://github.com/postmates/quantiles/compare/afl_fuzzy. Have I goofed something?
Doesn't appear to do anything helpful. Maybe need to check if the directory already exists?
At bb80fc56f5ba096406c61f1790886d8edce878c9, `$(which rustc)` == /Users/tschottdorf/rust/rust/x86_64-apple-darwin/stage2/bin/rustc @ 1.0.0-beta-6833-g079f384:
$ cargo build --example hello --verbose
Fresh gcc v0.3.19
Fresh byteorder v0.3.13
Compiling afl-coverage v0.0.1 (file:///Users/tschottdorf/rust/afl.rs)
Running `/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/build-script-build`
Fresh afl-coverage-plugin v0.0.1 (file:///Users/tschottdorf/rust/afl.rs)
Running `rustc src/lib.rs --crate-name afl_coverage --crate-type lib -g --out-dir /Users/tschottdorf/rust/afl.rs/target/debug --emit=dep-info,link -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug/deps -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -l static=afl-llvm-rt`
Running `rustc examples/hello.rs --crate-name hello --crate-type bin -g --out-dir /Users/tschottdorf/rust/afl.rs/target/debug/examples --emit=dep-info,link -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug/deps --extern byteorder=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libbyteorder-3e27c88aa235985f.rlib --extern afl_coverage_plugin=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libafl_coverage_plugin-a9b7f43301ffb1fc.dylib --extern afl_coverage=/Users/tschottdorf/rust/afl.rs/target/debug/libafl_coverage.rlib -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out`
afl-llvm-pass 1.77b by <[email protected]>
Could not compile `afl-coverage`.
Caused by:
Process didn't exit successfully: `rustc examples/hello.rs --crate-name hello --crate-type bin -g --out-dir /Users/tschottdorf/rust/afl.rs/target/debug/examples --emit=dep-info,link -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug/deps --extern byteorder=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libbyteorder-3e27c88aa235985f.rlib --extern afl_coverage_plugin=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libafl_coverage_plugin-a9b7f43301ffb1fc.dylib --extern afl_coverage=/Users/tschottdorf/rust/afl.rs/target/debug/libafl_coverage.rlib -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out` (signal: 11)
I've tried `lldb` to get more info about the segfault as in #11 but I can't just re-run the failing command (it needs the right env, I think) and wasn't versed enough to get `lldb` to attach to the forked child in `cargo build`. Pointers appreciated.
I (incorrectly) made the assumption that when upgrading rustc, `cargo-afl` would be rebuilt with the new version such that the archive file would get rebuilt. This is apparently not the case.
Blocked on rust-lang/rust#22915
http://lcamtuf.coredump.cx/afl/ChangeLog.txt
Added support for AFL_NO_UI, as suggested by Leo Barnes.
Whenever I try to fuzz a library that has serde_derive as a dependency, I get this error message:
error: the linked panic runtime 'panic_unwind' is not compiled with this crate's panic strategy 'abort'
I think I grok what the error means but I'm not sure of the exact solution. I thought I'd post this here to see if anybody else is running into this and has found a solution.
It would be fine to get a release uploaded there
When running afl.rs using a Rust project built using `cargo build` I get 1600 execs / second. If I do `cargo build --release` I get around 1900 execs / second. Maybe we should be recommending `--release`?
Might be fun to do something like this but with the rust logo instead of a rabbit
http://lcamtuf.coredump.cx/afl/rabbit.gif
https://groups.google.com/d/msg/afl-users/_kNrt_n5Nug/vcZvl2Y7C7EJ
`afl`, `afl-sys`, `afl-plugin`
https://github.com/frewsxcv/afl.rs/blob/master/afl-sys/fuzz.rs#L65-L74
Need to figure out a way to make this not run forever
It might be possible to use rust-bindgen to generate Rust bindings that map directly to AFL C functions. This would allow us to run AFL without relying on using the AFL CLI interface. It also means the user wouldn't have to install AFL since it would get bundled with afl.rs.
Hi,
I do not know if this bug comes from my setup or from afl.rs, so I'll post it here. I am trying to set up fuzzing for a tar parser built with nom, but I get a SIGILL while building the project. Here is the GDB output for the offending rustc call:
(gdb) r src/main.rs --crate-name tar_example --crate-type bin -g --out-dir /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug --emit=dep-info,link -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps --extern afl_coverage=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage-b12fdfb78ced2df1.rlib --extern tar=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libtar-8c75079877dd814c.rlib --extern afl_coverage_plugin=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so --extern nom=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libnom-8d822f881e715e50.rlib -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out
Starting program: /usr/local/bin/rustc src/main.rs --crate-name tar_example --crate-type bin -g --out-dir /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug --emit=dep-info,link -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps --extern afl_coverage=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage-b12fdfb78ced2df1.rlib --extern tar=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libtar-8c75079877dd814c.rlib --extern afl_coverage_plugin=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so --extern nom=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libnom-8d822f881e715e50.rlib -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Traceback (most recent call last):
File "/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19-gdb.py", line 63, in <module>
from libstdcxx.v6.printers import register_libstdcxx_printers
ImportError: No module named 'libstdcxx'
[New Thread 0x7fffefbff700 (LWP 13085)]
warning: Missing auto-load scripts referenced in section .debug_gdb_scripts
of file /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so
Use `info auto-load python-scripts [REGEXP]' to list them.
afl-llvm-pass 1.77b by <[email protected]>
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffefbff700 (LWP 13085)]
0x00007ffff3a57388 in llvm::PointerType::get(llvm::Type*, unsigned int) () from /usr/local/lib/librustc_llvm-d8ace771.so
(gdb) bt
#0 0x00007ffff3a57388 in llvm::PointerType::get(llvm::Type*, unsigned int) () from /usr/local/lib/librustc_llvm-d8ace771.so
#1 0x00007ffff04514a6 in (anonymous namespace)::AFLCoverage::runOnModule(llvm::Module&) () from /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so
#2 0x00007ffff3a3e76f in llvm::FPPassManager::runOnFunction(llvm::Function&) () from /usr/local/lib/librustc_llvm-d8ace771.so
#3 0x00007ffff3a3e84e in llvm::legacy::FunctionPassManagerImpl::run(llvm::Function&) () from /usr/local/lib/librustc_llvm-d8ace771.so
#4 0x00007ffff3a3e944 in llvm::legacy::FunctionPassManager::run(llvm::Function&) () from /usr/local/lib/librustc_llvm-d8ace771.so
#5 0x00007ffff2addc40 in LLVMRustRunFunctionPassManager (PM=0x7fffe8116270, M=0x7fffe8004e00) at /home/geal/dev/rust/rust/src/rustllvm/PassWrapper.cpp:205
#6 0x00007ffff62ea584 in back::write::execute_work_item::h57fe4379208c73afFjd () from /usr/local/lib/librustc_trans-d8ace771.so
#7 0x00007ffff62e3417 in back::write::run_passes::h0b7edf1f79d9711erZc () from /usr/local/lib/librustc_trans-d8ace771.so
#8 0x00007ffff7ac74b4 in driver::phase_5_run_llvm_passes::h401bc1bb79e26ccfJPa () from /usr/local/lib/librustc_driver-d8ace771.so
#9 0x00007ffff7a9a018 in driver::compile_input::h5f7ce1a1b74fe3e9Tba () from /usr/local/lib/librustc_driver-d8ace771.so
#10 0x00007ffff7b769f4 in run_compiler::h99fee4b1ff194bd3x7b () from /usr/local/lib/librustc_driver-d8ace771.so
#11 0x00007ffff7b743cf in boxed::F.FnBox$LT$A$GT$::call_box::h15186281694418648608 () from /usr/local/lib/librustc_driver-d8ace771.so
#12 0x00007ffff7b73c1a in rt::unwind::try::try_fn::h4127295356855569320 () from /usr/local/lib/librustc_driver-d8ace771.so
#13 0x00007ffff75db1d9 in rust_try_inner () from /usr/local/lib/libstd-d8ace771.so
#14 0x00007ffff75db1c6 in rust_try () from /usr/local/lib/libstd-d8ace771.so
#15 0x00007ffff754eb68 in rt::unwind::try::inner_try::hc82de977351d5e1crJw () from /usr/local/lib/libstd-d8ace771.so
#16 0x00007ffff7b73e2c in boxed::F.FnBox$LT$A$GT$::call_box::h16559282529075441406 () from /usr/local/lib/librustc_driver-d8ace771.so
#17 0x00007ffff7562412 in sys::thread::Thread::new::thread_start::h63af462716e59b66oTv () from /usr/local/lib/libstd-d8ace771.so
#18 0x00007ffff1e75182 in start_thread (arg=0x7fffefbff700) at pthread_create.c:312
#19 0x00007ffff71ab47d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb)
I suspect that my version of rustc may be too new (I built it this morning):
$ rustc -V
rustc 1.2.0-dev (e749f724b 2015-06-23)
This is on a Linux machine, but I made it work previously on a Macbook, although with an older rustc:
$ rustc -V
rustc 1.2.0-dev (717e8831b 2015-06-08)
I have to add that this project is a great help, fuzzing the nom projects is fun :)
Hi,
I wanted to do some fuzzy testing on the Servo project, starting with html5ever.
So I tried setting afl.rs up according to the readme. But even if I just add the two dependencies, I get the following errors from `cargo build`:
failed to run custom build command for `afl-plugin v0.1.0`
Process didn't exit successfully: `/home/vagrant/html5ever/target/debug/build/afl-plugin-584d29624accb60e/build-script-build` (exit code: 101)
--- stdout
[*] $LLVM_CONFIG not set. Will assume you built rustc from source.
--- stderr
++ /opt/rust/x86_64-unknown-linux-gnu/stage2/bin/../../llvm/Release/bin/llvm-config --cxxflags
+ CXXFLAGS='-I/opt/rust/src/llvm/include -I/opt/rust/x86_64-unknown-linux-gnu/llvm/include -DNDEBUG -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -O3 -fomit-frame-pointer -std=c++11 -fvisibility-inlines-hidden -fno-exceptions -fno-rtti -fPIC -ffunction-sections -fdata-sections -Wcast-qual -O2 -fPIC -Wall -Werror -fno-rtti'
+ g++ -I/opt/rust/src/llvm/include -I/opt/rust/x86_64-unknown-linux-gnu/llvm/include -DNDEBUG -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -O3 -fomit-frame-pointer -std=c++11 -fvisibility-inlines-hidden -fno-exceptions -fno-rtti -fPIC -ffunction-sections -fdata-sections -Wcast-qual -O2 -fPIC -Wall -Werror -fno-rtti -c src/afl-llvm-pass.so.cc -o /home/vagrant/html5ever/target/debug/build/afl-plugin-584d29624accb60e/out/afl-llvm-pass.o
src/afl-llvm-pass.so.cc: In member function ‘virtual bool {anonymous}::AFLCoverage::runOnModule(llvm::Module&)’:
src/afl-llvm-pass.so.cc:106:25: error: no matching function for call to ‘llvm::IRBuilder<>::IRBuilder(llvm::BasicBlock::iterator&)’
IRBuilder<> IRB(IP);
^
In file included from src/afl-llvm-pass.so.cc:30:0:
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:579:3: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::BasicBlock*, llvm::BasicBlock::iterator, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>; llvm::BasicBlock::iterator = llvm::ilist_iterator<llvm::Instruction>]
IRBuilder(BasicBlock *TheBB, BasicBlock::iterator IP,
^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:579:3: note: candidate expects 4 arguments, 1 provided
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:572:3: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::BasicBlock*, llvm::BasicBlock::iterator, const T&, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>; llvm::BasicBlock::iterator = llvm::ilist_iterator<llvm::Instruction>]
IRBuilder(BasicBlock *TheBB, BasicBlock::iterator IP, const T &F,
^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:572:3: note: candidate expects 5 arguments, 1 provided
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:566:12: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::Instruction*, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>]
explicit IRBuilder(Instruction *IP, MDNode *FPMathTag = nullptr,
^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:566:12: note: no known conversion for argument 1 from ‘llvm::BasicBlock::iterator {aka llvm::ilist_iterator<llvm::Instruction>}’ to ‘llvm::Instruction*’
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:560:12: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::BasicBlock*, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>]
explicit IRBuilder(BasicBlock *TheBB, MDNode *FPMathTag = nullptr,
^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:560:12: note: no known conversion for argument 1 from ‘llvm::BasicBlock::iterator {aka llvm::ilist_iterator<llvm::Instruction>}’ to ‘llvm::BasicBlock*’
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:554:12: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::BasicBlock*, const T&, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>]
explicit IRBuilder(BasicBlock *TheBB, const T &F, MDNode *FPMathTag = nullptr,
^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:554:12: note: candidate expects 4 arguments, 1 provided
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:550:12: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::LLVMContext&, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>]
explicit IRBuilder(LLVMContext &C, MDNode *FPMathTag = nullptr,
^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:550:12: note: no known conversion for argument 1 from ‘llvm::BasicBlock::iterator {aka llvm::ilist_iterator<llvm::Instruction>}’ to ‘llvm::LLVMContext&’
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:544:3: note: candidate: llvm::IRBuilder<preserveNames, T, Inserter>::IRBuilder(llvm::LLVMContext&, const T&, Inserter, llvm::MDNode*, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >) [with bool preserveNames = true; T = llvm::ConstantFolder; Inserter = llvm::IRBuilderDefaultInserter<true>]
IRBuilder(LLVMContext &C, const T &F, Inserter I = Inserter(),
^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:544:3: note: candidate expects 5 arguments, 1 provided
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:540:7: note: candidate: llvm::IRBuilder<>::IRBuilder(const llvm::IRBuilder<>&)
class IRBuilder : public IRBuilderBase, public Inserter {
^
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:540:7: note: no known conversion for argument 1 from ‘llvm::BasicBlock::iterator {aka llvm::ilist_iterator<llvm::Instruction>}’ to ‘const llvm::IRBuilder<>&’
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:540:7: note: candidate: llvm::IRBuilder<>::IRBuilder(llvm::IRBuilder<>&&)
/opt/rust/src/llvm/include/llvm/IR/IRBuilder.h:540:7: note: no known conversion for argument 1 from ‘llvm::BasicBlock::iterator {aka llvm::ilist_iterator<llvm::Instruction>}’ to ‘llvm::IRBuilder<>&&’
thread '<main>' panicked at 'assertion failed: Command::new("bash").arg("build.bash").status().unwrap().success()', /home/vagrant/.cargo/registry/src/github.com-88ac128001ac3a9a/afl-plugin-0.1.0/build.rs:13
note: Run with `RUST_BACKTRACE=1` for a backtrace.
This was done in the vagrant VM provided by html5ever. So to reproduce:
While following the steps in the tutorial, when attempting `cargo build` I get the following:
$ cargo build
Compiling afl v0.1.4
Compiling afl-sys v0.1.4
Compiling afl-plugin v0.1.4
error: failed to run custom build command for `afl-plugin v0.1.4`
process didn't exit successfully: `/home/ken/Desktop/afl-test/rust-url/target/debug/build/afl-plugin-62cbc3ca789f3664/build-script-build` (exit code: 101)
--- stdout
TARGET = Some("i686-unknown-linux-gnu")
PROFILE = Some("debug")
TARGET = Some("i686-unknown-linux-gnu")
debug=true opt-level=2
HOST = Some("i686-unknown-linux-gnu")
TARGET = Some("i686-unknown-linux-gnu")
TARGET = Some("i686-unknown-linux-gnu")
HOST = Some("i686-unknown-linux-gnu")
CXX_i686-unknown-linux-gnu = None
CXX_i686_unknown_linux_gnu = None
HOST_CXX = None
CXX = None
HOST = Some("i686-unknown-linux-gnu")
TARGET = Some("i686-unknown-linux-gnu")
HOST = Some("i686-unknown-linux-gnu")
CXXFLAGS_i686-unknown-linux-gnu = None
CXXFLAGS_i686_unknown_linux_gnu = None
HOST_CXXFLAGS = None
CXXFLAGS = None
running: "c++" "-O2" "-ffunction-sections" "-fdata-sections" "-g" "-m32" "-march=i686" "-fPIC" "-Wall" "-Werror" "-fno-rtti" "-c" "-I/usr/include" "-march=i686" "-mtune=generic" "-O2" "-pipe" "-fstack-protector-strong" "-fPIC" "-fvisibility-inlines-hidden" "-Wall" "-W" "-Wno-unused-parameter" "-Wwrite-strings" "-Wcast-qual" "-Wno-missing-field-initializers" "-pedantic" "-Wno-long-long" "-Wno-maybe-uninitialized" "-Wdelete-non-virtual-dtor" "-Wno-comment" "-std=c++11" "-ffunction-sections" "-fdata-sections" "-O3" "-DNDEBUG" "-fno-exceptions" "-D_GNU_SOURCE" "-D__STDC_CONSTANT_MACROS" "-D__STDC_FORMAT_MACROS" "-D__STDC_LIMIT_MACROS" "-o" "/home/ken/Desktop/afl-test/rust-url/target/debug/build/afl-plugin-62cbc3ca789f3664/out/afl-llvm-pass.so.o" "-c" "afl-llvm-pass.so.cc"
cargo:warning=afl-llvm-pass.so.cc: In member function ‘virtual bool {anonymous}::AFLCoverage::runOnModule(llvm::Module&)’:
cargo:warning=afl-llvm-pass.so.cc:113:28: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
cargo:warning= if ((random() % 100) >= inst_ratio) continue;
cargo:warning= ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~
cargo:warning=cc1plus: all warnings being treated as errors
ExitStatus(ExitStatus(256))
command did not execute successfully, got: exit code: 1
--- stderr
thread 'main' panicked at 'explicit panic', /home/ken/.cargo/registry/src/github.com-1ecc6299db9ec823/gcc-0.3.37/src/lib.rs:952
note: Run with `RUST_BACKTRACE=1` for a backtrace.
While it could be possible to override `-Werror=sign-compare`, isn't it better to fix the comparison in the source file? Please correct me if I am wrong here.
EDIT: Just found out about #37. Isn't the fix included in 0.1.4?
Stopped working after rust-lang/rust@3fd5fdd
Output I get when I try to compile a Rust version after the change above: https://gist.githubusercontent.com/frewsxcv/ca3ef34cab9fd96edd44fc5de585044d/raw/837b8b6ccbfa682a34977233f535c186e4375c93/gistfile1.txt
A lot of errors like:
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/rayon-0.4.2/src/par_iter/weight.rs:48: undefined reference to `__afl_prev_loc'
So that afl can detect them. This should be optional, because sometimes we're only interested in memory corruption and not "benign" panics.
See also what python-afl does.
I get this error when I try running an example in my repo with afl.rs.
$ cargo afl build --example chat
...
error: the linked panic runtime `panic_unwind` is not compiled with this crate's panic strategy `abort`
error: aborting due to previous error
error: Could not compile `serde_derive`.
Would be nice to make this library simpler to use. I've been thinking of an API like this:

```rust
// Proposed API sketch; afl::run does not exist yet.
use afl;

fn main() {
    // Some setup can happen here

    // Loop that AFL will run
    afl::run(|inputted_string| {
        let _ = some_library::parse_string(inputted_string);
    });
}
```

`inputted_string` would be a `String`. The closure inside `afl::run` is the only thing that gets run upon every subsequent call by AFL using the deferred init strategy.
#46 added some utilities to handle stdin and panics. Here's a different design I was thinking about:
```rust
use std::io::{self, Read};
use std::panic::{self, UnwindSafe};
use std::process;

/// Wrapper around stdin, the one input type every harness receives.
struct Input(io::Stdin);

impl Input {
    /// Read all of stdin as raw bytes; on a read error, return what was read.
    pub fn into_bytes(mut self) -> Vec<u8> {
        let mut buf = Vec::new();
        let _ = self.0.read_to_end(&mut buf);
        buf
    }

    /// Read all of stdin as UTF-8; None when it is not valid UTF-8.
    pub fn into_string(mut self) -> Option<String> {
        let mut input = String::new();
        match self.0.read_to_string(&mut input) {
            Ok(_) => Some(input),
            Err(_) => None,
        }
    }
}

impl Read for Input {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        self.0.read(buf)
    }
}

pub fn handle<F>(closure: F)
    where F: FnOnce(Input) + UnwindSafe
{
    let input = Input(io::stdin());
    let result = panic::catch_unwind(|| {
        closure(input);
    });
    // A caught panic becomes an abort so that AFL records it as a crash.
    if result.is_err() {
        process::abort();
    }
}
```

Instead of `handle_*` functions, just one `handle` function with one input type: `Input`. The downside of this design, though, is that a user might want a string and call `input.into_string().unwrap()`, which will sometimes panic, and that panic will show up as a crash for AFL.
Hi,
I've been trying to fuzz a library which has a dependency on a git repository with workspaces. This is not supported with 1.11 that is currently used in the image. It fails with:
no `package` or `project` section found.
I think this has been fixed in later cargo versions (rust-lang/cargo#2938), would it be possible to upgrade the docker image with a newer rust toolchain?
Thanks!
Because gifs are great. Shouldn't be hard. Just make sure it doesn't take too long to load.
Simplify some of the process described in http://blog.troutwine.us/2017/01/06/american-fuzzy-loping-rust/
Ideally, the user should never have to directly run `docker` themselves. It could also set up a Docker volume which maps to somewhere in the host filesystem acting as a cargo cache, so we wouldn't have to fetch dependencies each time we start a docker container and do `cargo build`.
In the tutorial, it shows that you should use this command:
cargo afl fuzz -i in -o out target/debug/url-fuzz-target
I don't think many people would change the `in` or `out` directories, so it seems like those should only need to be provided in the rare case that someone does. The target executable could also be inferred for most cases, I would imagine. Ideally, the user could just run `cargo afl fuzz` and get sane results.
https://manishearth.github.io/rust-internals-docs/std/panic/fn.recover.html
Could this be utilized to catch panics? In combination with:
https://manishearth.github.io/rust-internals-docs/std/intrinsics/fn.abort.html
Instead of having to use `-Z no-landing-pads`.
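The panic-to-abort idea raised both in the "so that afl can detect them" request above and in this question, as an added example that is not afl.rs code: a stand-alone harness on stable Rust that combines the system-allocator switch from the jemalloc fork-performance discussion near the top of the page with `std::panic::catch_unwind` (the stable name of the `recover` function linked here) and `std::process::abort` (the stable wrapper for the `abort` intrinsic). Because the page asks for panic detection to be optional, the harness takes a flag: panics abort only when it is set. `demo_target`, `Outcome`, `run_guarded` and the `FUZZ_ABORT_ON_PANIC` variable are inventions of this example; `demo_target` is a constructed stand-in for the code under test that panics on a length prefix larger than the input.

```rust
use std::alloc::System;
use std::env;
use std::io::{self, Read};
use std::panic::{self, UnwindSafe};
use std::process;

// The fork server forks once per test case, and the system allocator forks
// faster than jemalloc (rustc's default at the time), so opt out of jemalloc.
#[global_allocator]
static GLOBAL: System = System;

/// What a guarded run of the target observed.
#[derive(Debug, PartialEq)]
pub enum Outcome {
    Ok,
    Panicked,
}

/// Run `target` under `catch_unwind`. A panic is reported as `Panicked`; with
/// `abort_on_panic` set the process aborts instead, which AFL records as a
/// crash. The caller therefore decides whether panics count as findings.
pub fn run_guarded<F>(abort_on_panic: bool, target: F) -> Outcome
where
    F: FnOnce() + UnwindSafe,
{
    match panic::catch_unwind(target) {
        Ok(()) => Outcome::Ok,
        Err(_) => {
            if abort_on_panic {
                process::abort();
            }
            Outcome::Panicked
        }
    }
}

/// Constructed stand-in for the library under test: a length-prefixed record
/// parser that panics (slice index out of range) when the prefix claims more
/// bytes than are present. Returns the prefix and the sum of the body bytes.
pub fn demo_target(data: &[u8]) -> Option<(u8, usize)> {
    if data.is_empty() {
        return None;
    }
    let len = data[0] as usize;
    let body = &data[1..1 + len]; // panics on a lying prefix
    Some((data[0], body.iter().map(|&b| b as usize).sum()))
}

/// Whether panics become aborts. FUZZ_ABORT_ON_PANIC is a name chosen for
/// this example, not an afl.rs setting.
pub fn abort_on_panic_from_env() -> bool {
    env::var_os("FUZZ_ABORT_ON_PANIC").is_some()
}

fn main() {
    // AFL hands each test case to the target on stdin.
    let mut data = Vec::new();
    io::stdin().read_to_end(&mut data).expect("read test case from stdin");
    let abort = abort_on_panic_from_env();
    let outcome = run_guarded(abort, move || {
        let _ = demo_target(&data);
    });
    if outcome == Outcome::Panicked {
        eprintln!("target panicked; treated as benign because FUZZ_ABORT_ON_PANIC is unset");
    }
}
```

Pipe a test case in on stdin. With `FUZZ_ABORT_ON_PANIC` set, a panic aborts and `afl-fuzz` files the input as a crash; unset, only genuine memory-safety aborts surface, which is the "only interested in memory corruption" mode the request above asks for. Two caveats: the default panic hook still prints the panic message on every caught panic, so a harness that panics often should install a quiet hook with `panic::set_hook`; and if the crate is compiled with `-C panic=abort` (the replacement for `-Z no-landing-pads`), `catch_unwind` never sees the panic because the process aborts before unwinding, and rustc's requirement that the linked panic runtime match the crate's strategy is what produces the `panic_unwind`/`abort` mismatch reported elsewhere on this page.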
First off, thanks in advance for your time, and thanks for making afl.rs :)
When I try to use afl.rs with my C++ symbol demangling crate, which depends on `error-chain`, I get the following errors. I assume these are because `error-chain` depends on a newer rustc than the one bundled; is there a way to use a newer rustc with afl.rs?
My normal rustc version (with which I can compile `error-chain` and my crate):
$ rustc --version
rustc 1.16.0-nightly (47c8d9fdc 2017-01-08)
The rustc in the docker image:
# rustc --version
rustc 1.11.0-nightly (01411937f 2016-07-01)
The logs when attempting to compile my crate and `error-chain` inside the docker image:
# cargo build --features fuzz
Updating registry `https://github.com/rust-lang/crates.io-index`
Downloading afl v0.1.5
Downloading afl-plugin v0.1.5
Downloading error-chain v0.7.1
Downloading afl-sys v0.1.5
Downloading libc v0.2.18
Downloading gcc v0.3.39
Downloading quale v1.0.0
Downloading backtrace v0.3.0
Downloading winapi v0.2.8
Downloading dbghelp-sys v0.2.0
Downloading backtrace-sys v0.1.5
Downloading kernel32-sys v0.2.2
Downloading cfg-if v0.1.0
Downloading rustc-demangle v0.1.3
Downloading winapi-build v0.1.1
Compiling winapi v0.2.8
Compiling cfg-if v0.1.0
Compiling gcc v0.3.39
Compiling winapi-build v0.1.1
Compiling backtrace v0.3.0
Compiling kernel32-sys v0.2.2
Compiling libc v0.2.18
Compiling rustc-demangle v0.1.3
Compiling dbghelp-sys v0.2.0
Compiling afl v0.1.5
Compiling afl-sys v0.1.5
Compiling quale v1.0.0
Compiling backtrace-sys v0.1.5
Compiling afl-plugin v0.1.5
Compiling error-chain v0.7.1
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:419:9: 419:38 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:419 #[cfg(feature = "backtrace")]
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:419:9: 419:38 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:424:9: 424:43 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:424 #[cfg(not(feature = "backtrace"))]
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:424:9: 424:43 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:435:9: 435:38 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:435 #[cfg(feature = "backtrace")]
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:435:9: 435:38 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:444:9: 444:43 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:444 #[cfg(not(feature = "backtrace"))]
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:444:9: 444:43 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:454:9: 454:38 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:454 #[cfg(feature = "backtrace")]
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:454:9: 454:38 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:456:9: 456:43 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:456 #[cfg(not(feature = "backtrace"))]
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:456:9: 456:43 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:364:20: 364:34 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:364 $( #[$meta_links] )*
^~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:81:13: 83:81 note: in this expansion of impl_extract_backtrace! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:24:9: 30:10 note: in this expansion of error_chain_processed! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:9:9: 14:10 note: in this expansion of error_chain_processed! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:325:9: 330:10 note: in this expansion of error_chain_processed! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:319:9: 322:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:309:9: 312:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:299:9: 302:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:339:9: 342:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/example_generated.rs:27:1: 38:2 note: in this expansion of error_chain! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:364:20: 364:34 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
error: aborting due to 7 previous errors
Build failed, waiting for other jobs to finish...
error: Could not compile `error-chain`.
To learn more, run the command again with --verbose.
I tried to use AFL on the project https://github.com/tomprogrammer/uuid/tree/afl (rather small) but encountered the following error:
cargo build
Compiling uuid v0.1.17 (file:///home/thomas/development/uuid)
afl-llvm-pass 1.77b by <[email protected]>
rustc: /home/rustbuild/src/rust-buildbot/slave/nightly-dist-rustc-linux/build/src/llvm/lib/IR/Type.cpp:737: static llvm::PointerType* llvm::PointerType::get(llvm::Type*, unsigned int): Assertion `isValidElementType(EltTy) && "Invalid type for pointer element!"' failed.
Could not compile `uuid`.
My version of AFL is 1.89b; I used llvm-config compiled from the Rust sources. Do you have an idea what could be the cause of this error?