Comments (3)
sebastianpoeplau
commented on June 9, 2024
No crash with the simple backend, so probably an issue with our expression memory management vs QSYM's.
from symcc.
sebastianpoeplau
commented on June 9, 2024
I've changed the QSYM backend to make sure that we handle known expressions only (2e67dcb). Since there is no exception in this particular case even after my change, we can assume that at least the expression we use is known and therefore hasn't been freed.
For reference, here's the stack trace:
(gdb) bt
#0 0x00007ffff7b51355 in raise () from /usr/lib/libc.so.6
#1 0x00007ffff7b3a853 in abort () from /usr/lib/libc.so.6
#2 0x00007ffff7b94878 in __libc_message () from /usr/lib/libc.so.6
#3 0x00007ffff7b9bd3a in malloc_printerr () from /usr/lib/libc.so.6
#4 0x00007ffff7b9d37c in _int_free () from /usr/lib/libc.so.6
#5 0x00007ffff78e0261 in ?? () from /usr/lib/libz3.so.4.8
[...]
#24 0x00007ffff74c9f9e in ?? () from /usr/lib/libz3.so.4.8
#25 0x00007ffff6e4c8e5 in Z3_solver_reset () from /usr/lib/libz3.so.4.8
#26 0x00007ffff7e5ca14 in z3::solver::reset (this=0x55555608aa30) at /usr/include/z3++.h:2375
#27 0x00007ffff7e57e98 in qsym::Solver::reset (this=0x55555608a960) at /home/seba/work/compiler/pass/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp:115
#28 0x00007ffff7e5b8e9 in qsym::Solver::negatePath (this=0x55555608a960, e=std::shared_ptr<class qsym::Expr> (use count 3, weak count 4) = {...}, taken=false)
at /home/seba/work/compiler/pass/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp:519
#29 0x00007ffff7e585ad in qsym::Solver::addJcc (this=0x55555608a960, e=std::shared_ptr<class qsym::Expr> (use count 3, weak count 4) = {...}, taken=false, pc=94627535006504)
at /home/seba/work/compiler/pass/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp:186
#30 0x00007ffff7e78b70 in _sym_push_path_constraint (constraint=0x5555561a5190, taken=0, site_id=94627535006504) at /home/seba/work/compiler/pass/runtime/qsym_backend/Runtime.cpp:281
#31 0x0000555555a99f3b in bfd_elf32_object_p (abfd=<optimized out>) at ./elfcode.h:629
#32 0x00005555555f8786 in bfd_check_format_matches (abfd=<optimized out>, format=bfd_unknown, matching=<optimized out>) at format.c:322
#33 0x000055555558ab5a in display_bfd (abfd=0x555556068c10) at size.c:331
#34 0x000055555558a753 in display_file (filename=0x7fffffffe494 "/usr/share/afl/testcases/others/elf/small_exec.elf") at size.c:434
#35 0x0000555555588bac in main (argc=<optimized out>, argv=0x7fffffffe1b8) at size.c:260
I guess I should try with a debug version of Z3 to get a better idea what exactly is being freed.
from symcc.
sebastianpoeplau
commented on June 9, 2024
Here we go!
(gdb) bt
#0 0x00007ffff7b50355 in raise () from /usr/lib/libc.so.6
#1 0x00007ffff7b39853 in abort () from /usr/lib/libc.so.6
#2 0x00007ffff7b93878 in __libc_message () from /usr/lib/libc.so.6
#3 0x00007ffff7b9ad3a in malloc_printerr () from /usr/lib/libc.so.6
#4 0x00007ffff7b9c37c in _int_free () from /usr/lib/libc.so.6
#5 0x00007ffff5ec06cb in memory::deallocate (p=0x55555613a288) at ../src/util/memory_manager.cpp:260
#6 0x00007ffff612dd0c in dealloc_vect<chashtable<cmap<std::pair<expr*, unsigned int>, expr*, act_cache::entry_hash, default_eq<std::pair<expr*, unsigned int> > >::key_value, cmap<std::pair<expr*, unsigned int>, expr*, act_cache::entry_hash, default_eq<std::pair<expr*, unsigned int> > >::key_value_hash_proc, cmap<std::pair<expr*, unsigned int>, expr*, act_cache::entry_hash, default_eq<std::pair<expr*, unsigned int> > >::key_value_eq_proc>::cell> (ptr=0x55555613a288, sz=10) at ../src/util/memory_manager.h:120
#7 0x00007ffff612d192 in chashtable<cmap<std::pair<expr*, unsigned int>, expr*, act_cache::entry_hash, default_eq<std::pair<expr*, unsigned int> > >::key_value, cmap<std::pair<expr*, unsigned int>, expr*, act_cache::entry_hash, default_eq<std::pair<expr*, unsigned int> > >::key_value_hash_proc, cmap<std::pair<expr*, unsigned int>, expr*, act_cache::entry_hash, default_eq<std::pair<expr*, unsigned int> > >::key_value_eq_proc>::delete_table (this=0x5555560f2780) at ../src/util/chashtable.h:86
#8 0x00007ffff612cc2e in chashtable<cmap<std::pair<expr*, unsigned int>, expr*, act_cache::entry_hash, default_eq<std::pair<expr*, unsigned int> > >::key_value, cmap<std::pair<expr*, unsigned int>, expr*, act_cache::entry_hash, default_eq<std::pair<expr*, unsigned int> > >::key_value_hash_proc, cmap<std::pair<expr*, unsigned int>, expr*, act_cache::entry_hash, default_eq<std::pair<expr*, unsigned int> > >::key_value_eq_proc>::~chashtable (this=0x5555560f2780, __in_chrg=<optimized out>)
at ../src/util/chashtable.h:255
#9 0x00007ffff612c86e in cmap<std::pair<expr*, unsigned int>, expr*, act_cache::entry_hash, default_eq<std::pair<expr*, unsigned int> > >::~cmap (this=0x5555560f2780,
__in_chrg=<optimized out>) at ../src/util/chashtable.h:603
#10 0x00007ffff612bf00 in act_cache::~act_cache (this=0x5555560f2778, __in_chrg=<optimized out>) at ../src/ast/act_cache.cpp:94
#11 0x00007ffff6314662 in dealloc<act_cache> (ptr=0x5555560f2778) at ../src/util/memory_manager.h:96
#12 0x00007ffff6311fbd in delete_proc<act_cache>::operator() (this=0x7fffffffce9f, ptr=0x5555560f2778) at ../src/util/util.h:162
#13 0x00007ffff6311896 in std::for_each<act_cache**, delete_proc<act_cache> > (__first=0x5555560f3940, __last=0x5555560f3948, __f=...)
at /usr/include/c++/10.1.0/bits/stl_algo.h:3839
#14 0x00007ffff630dc99 in rewriter_core::del_cache_stack (this=0x55555610ec00) at ../src/ast/rewriter/rewriter.cpp:36
#15 0x00007ffff630ed6e in rewriter_core::~rewriter_core (this=0x55555610ec00, __in_chrg=<optimized out>) at ../src/ast/rewriter/rewriter.cpp:200
#16 0x00007ffff6237e6c in var_shifter_core::~var_shifter_core (this=0x55555610ec00, __in_chrg=<optimized out>) at ../src/ast/rewriter/rewriter.h:129
#17 0x00007ffff6238474 in inv_var_shifter::~inv_var_shifter (this=0x55555610ec00, __in_chrg=<optimized out>) at ../src/ast/rewriter/rewriter.h:187
#18 0x00007ffff6349874 in rewriter_tpl<(anonymous namespace)::th_rewriter_cfg>::~rewriter_tpl (this=0x55555610eae8, __in_chrg=<optimized out>)
at ../src/ast/rewriter/rewriter_def.h:628
#19 0x00007ffff6356c88 in th_rewriter::imp::~imp (this=0x55555610eae8, __in_chrg=<optimized out>) at ../src/ast/rewriter/th_rewriter.cpp:789
#20 0x00007ffff6355c47 in dealloc<th_rewriter::imp> (ptr=0x55555610eae8) at ../src/util/memory_manager.h:96
#21 0x00007ffff634804b in th_rewriter::~th_rewriter (this=0x5555560f8820, __in_chrg=<optimized out>) at ../src/ast/rewriter/th_rewriter.cpp:827
#22 0x00007ffff67b7be4 in simplify_tactic::imp::~imp (this=0x5555560f8818, __in_chrg=<optimized out>) at ../src/tactic/core/simplify_tactic.cpp:34
#23 0x00007ffff67b8042 in dealloc<simplify_tactic::imp> (ptr=0x5555560f8818) at ../src/util/memory_manager.h:96
#24 0x00007ffff67b7654 in simplify_tactic::~simplify_tactic (this=0x5555560d8a88, __in_chrg=<optimized out>) at ../src/tactic/core/simplify_tactic.cpp:79
#25 0x00007ffff63f5a4d in dealloc<tactic> (ptr=0x5555560d8a88) at ../src/util/memory_manager.h:96
#26 0x00007ffff63efbd7 in tactic::dec_ref (this=0x5555560d8a88) at ../src/tactic/tactic.h:41
#27 0x00007ffff63f6cdf in ref<tactic>::dec_ref (this=0x555556122bc8) at ../src/util/ref.h:34
#28 0x00007ffff63f5aa0 in ref<tactic>::~ref (this=0x555556122bc8, __in_chrg=<optimized out>) at ../src/util/ref.h:55
#29 0x00007ffff63f399e in unary_tactical::~unary_tactical (this=0x555556122bb8, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:766
#30 0x00007ffff63f8f60 in cleanup_tactical::~cleanup_tactical (this=0x555556122bb8, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:913
--Type <RET> for more, q to quit, c to continue without paging--c
#31 0x00007ffff63f5a4d in dealloc<tactic> (ptr=0x555556122bb8) at ../src/util/memory_manager.h:96
#32 0x00007ffff63efbd7 in tactic::dec_ref (this=0x555556122bb8) at ../src/tactic/tactic.h:41
#33 0x00007ffff63f6cdf in ref<tactic>::dec_ref (this=0x5555560dcc48) at ../src/util/ref.h:34
#34 0x00007ffff63f5aa0 in ref<tactic>::~ref (this=0x5555560dcc48, __in_chrg=<optimized out>) at ../src/util/ref.h:55
#35 0x00007ffff63efd58 in binary_tactical::~binary_tactical (this=0x5555560dcc38, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:40
#36 0x00007ffff63f00ba in and_then_tactical::~and_then_tactical (this=0x5555560dcc38, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:102
#37 0x00007ffff63f5a4d in dealloc<tactic> (ptr=0x5555560dcc38) at ../src/util/memory_manager.h:96
#38 0x00007ffff63efbd7 in tactic::dec_ref (this=0x5555560dcc38) at ../src/tactic/tactic.h:41
#39 0x00007ffff63f6cdf in ref<tactic>::dec_ref (this=0x555556114998) at ../src/util/ref.h:34
#40 0x00007ffff63f5aa0 in ref<tactic>::~ref (this=0x555556114998, __in_chrg=<optimized out>) at ../src/util/ref.h:55
#41 0x00007ffff63efd58 in binary_tactical::~binary_tactical (this=0x555556114988, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:40
#42 0x00007ffff63f532a in cond_tactical::~cond_tactical (this=0x555556114988, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:1028
#43 0x00007ffff63f5a4d in dealloc<tactic> (ptr=0x555556114988) at ../src/util/memory_manager.h:96
#44 0x00007ffff63efbd7 in tactic::dec_ref (this=0x555556114988) at ../src/tactic/tactic.h:41
#45 0x00007ffff63f6cdf in ref<tactic>::dec_ref (this=0x555556173690) at ../src/util/ref.h:34
#46 0x00007ffff63f5aa0 in ref<tactic>::~ref (this=0x555556173690, __in_chrg=<optimized out>) at ../src/util/ref.h:55
#47 0x00007ffff63efd48 in binary_tactical::~binary_tactical (this=0x555556173678, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:40
#48 0x00007ffff63f00ba in and_then_tactical::~and_then_tactical (this=0x555556173678, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:102
#49 0x00007ffff63f5a4d in dealloc<tactic> (ptr=0x555556173678) at ../src/util/memory_manager.h:96
#50 0x00007ffff63efbd7 in tactic::dec_ref (this=0x555556173678) at ../src/tactic/tactic.h:41
#51 0x00007ffff63f6cdf in ref<tactic>::dec_ref (this=0x555556135900) at ../src/util/ref.h:34
#52 0x00007ffff63f5aa0 in ref<tactic>::~ref (this=0x555556135900, __in_chrg=<optimized out>) at ../src/util/ref.h:55
#53 0x00007ffff63efd48 in binary_tactical::~binary_tactical (this=0x5555561358e8, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:40
#54 0x00007ffff63f00ba in and_then_tactical::~and_then_tactical (this=0x5555561358e8, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:102
#55 0x00007ffff63f5a4d in dealloc<tactic> (ptr=0x5555561358e8) at ../src/util/memory_manager.h:96
#56 0x00007ffff63efbd7 in tactic::dec_ref (this=0x5555561358e8) at ../src/tactic/tactic.h:41
#57 0x00007ffff63f6cdf in ref<tactic>::dec_ref (this=0x555556141248) at ../src/util/ref.h:34
#58 0x00007ffff63f5aa0 in ref<tactic>::~ref (this=0x555556141248, __in_chrg=<optimized out>) at ../src/util/ref.h:55
#59 0x00007ffff63efd58 in binary_tactical::~binary_tactical (this=0x555556141238, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:40
#60 0x00007ffff63f532a in cond_tactical::~cond_tactical (this=0x555556141238, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:1028
#61 0x00007ffff63f5a4d in dealloc<tactic> (ptr=0x555556141238) at ../src/util/memory_manager.h:96
#62 0x00007ffff63efbd7 in tactic::dec_ref (this=0x555556141238) at ../src/tactic/tactic.h:41
#63 0x00007ffff63f6cdf in ref<tactic>::dec_ref (this=0x555556114c20) at ../src/util/ref.h:34
#64 0x00007ffff63f5aa0 in ref<tactic>::~ref (this=0x555556114c20, __in_chrg=<optimized out>) at ../src/util/ref.h:55
#65 0x00007ffff63efd48 in binary_tactical::~binary_tactical (this=0x555556114c08, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:40
#66 0x00007ffff63f532a in cond_tactical::~cond_tactical (this=0x555556114c08, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:1028
#67 0x00007ffff63f5a4d in dealloc<tactic> (ptr=0x555556114c08) at ../src/util/memory_manager.h:96
#68 0x00007ffff63efbd7 in tactic::dec_ref (this=0x555556114c08) at ../src/tactic/tactic.h:41
#69 0x00007ffff63f6cdf in ref<tactic>::dec_ref (this=0x5555560fd080) at ../src/util/ref.h:34
#70 0x00007ffff63f5aa0 in ref<tactic>::~ref (this=0x5555560fd080, __in_chrg=<optimized out>) at ../src/util/ref.h:55
#71 0x00007ffff63efd48 in binary_tactical::~binary_tactical (this=0x5555560fd068, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:40
#72 0x00007ffff63f00ba in and_then_tactical::~and_then_tactical (this=0x5555560fd068, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:102
#73 0x00007ffff63f5a4d in dealloc<tactic> (ptr=0x5555560fd068) at ../src/util/memory_manager.h:96
#74 0x00007ffff63efbd7 in tactic::dec_ref (this=0x5555560fd068) at ../src/tactic/tactic.h:41
#75 0x00007ffff63f6cdf in ref<tactic>::dec_ref (this=0x5555560ff388) at ../src/util/ref.h:34
#76 0x00007ffff63f5aa0 in ref<tactic>::~ref (this=0x5555560ff388, __in_chrg=<optimized out>) at ../src/util/ref.h:55
#77 0x00007ffff63f399e in unary_tactical::~unary_tactical (this=0x5555560ff378, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:766
#78 0x00007ffff63f8ec0 in using_params_tactical::~using_params_tactical (this=0x5555560ff378, __in_chrg=<optimized out>) at ../src/tactic/tactical.cpp:956
#79 0x00007ffff63f5a4d in dealloc<tactic> (ptr=0x5555560ff378) at ../src/util/memory_manager.h:96
#80 0x00007ffff63efbd7 in tactic::dec_ref (this=0x5555560ff378) at ../src/tactic/tactic.h:41
#81 0x00007ffff63f6cdf in ref<tactic>::dec_ref (this=0x5555560fdd00) at ../src/util/ref.h:34
#82 0x00007ffff63f5aa0 in ref<tactic>::~ref (this=0x5555560fdd00, __in_chrg=<optimized out>) at ../src/util/ref.h:55
#83 0x00007ffff6819d64 in (anonymous namespace)::tactic2solver::~tactic2solver (this=0x5555560fdc78, __in_chrg=<optimized out>) at ../src/solver/tactic2solver.cpp:120
#84 0x00007ffff6806e52 in dealloc<check_sat_result> (ptr=0x5555560fdc78) at ../src/util/memory_manager.h:96
#85 0x00007ffff68051bd in check_sat_result::dec_ref (this=0x5555560fdc78) at ../src/solver/check_sat_result.h:49
#86 0x00007ffff6806f99 in ref<solver>::dec_ref (this=0x5555560fe0a0) at ../src/util/ref.h:34
#87 0x00007ffff6806ed2 in ref<solver>::~ref (this=0x5555560fe0a0, __in_chrg=<optimized out>) at ../src/util/ref.h:55
#88 0x00007ffff680700e in combined_solver::~combined_solver (this=0x5555560fe068, __in_chrg=<optimized out>) at ../src/solver/combined_solver.cpp:45
#89 0x00007ffff6806e52 in dealloc<check_sat_result> (ptr=0x5555560fe068) at ../src/util/memory_manager.h:96
#90 0x00007ffff68051bd in check_sat_result::dec_ref (this=0x5555560fe068) at ../src/solver/check_sat_result.h:49
#91 0x00007ffff6806f99 in ref<solver>::dec_ref (this=0x555556041a98) at ../src/util/ref.h:34
#92 0x00007ffff6806f05 in ref<solver>::operator= (this=0x555556041a98, ptr=0x0) at ../src/util/ref.h:81
#93 0x00007ffff74c2e12 in Z3_solver_reset (c=0x555556033f78, s=0x555556041a78) at ../src/api/api_solver.cpp:437
#94 0x00007ffff7e5ba24 in z3::solver::reset (this=0x555556053f30) at /home/seba/work/compiler/z3/src/api/c++/z3++.h:2375
#95 0x00007ffff7e56ea8 in qsym::Solver::reset (this=0x555556053e60) at /home/seba/work/compiler/pass/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp:115
#96 0x00007ffff7e5a8f9 in qsym::Solver::negatePath (this=0x555556053e60, e=std::shared_ptr<class qsym::Expr> (use count 3, weak count 4) = {...}, taken=false) at /home/seba/work/compiler/pass/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp:519
#97 0x00007ffff7e575bd in qsym::Solver::addJcc (this=0x555556053e60, e=std::shared_ptr<class qsym::Expr> (use count 3, weak count 4) = {...}, taken=false, pc=94627535006504) at /home/seba/work/compiler/pass/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp:186
#98 0x00007ffff7e77b80 in _sym_push_path_constraint (constraint=0x555556157f60, taken=0, site_id=94627535006504) at /home/seba/work/compiler/pass/runtime/qsym_backend/Runtime.cpp:281
#99 0x0000555555a99f3b in bfd_elf32_object_p (abfd=<optimized out>) at ./elfcode.h:629
#100 0x00005555555f8786 in bfd_check_format_matches (abfd=<optimized out>, format=bfd_unknown, matching=<optimized out>) at format.c:322
#101 0x000055555558ab5a in display_bfd (abfd=0x55555603b1e0) at size.c:331
#102 0x000055555558a753 in display_file (filename=0x7fffffffe494 "/usr/share/afl/testcases/others/elf/small_exec.elf") at size.c:434
#103 0x0000555555588bac in main (argc=<optimized out>, argv=0x7fffffffe1b8) at size.c:260
Frame 10 suggests that there is a problem with expressions after all...
from symcc.
Related Issues (20)
- Failed to Compile with "-DTARGET_32BIT=ON" HOT 1
- Wrong handling of i1 in visitCastInst HOT 2
- visitSelectInst does not propagate the symbolic expression HOT 2
- Store i1 into memory HOT 2
- Change the license of the runtime to LGPL HOT 6
- Support for variadic functions HOT 1
- Failed to build the Vagrantfile
- LLVM compatibility policy HOT 6
- Can't create expressions for concrete non-undef structs HOT 2
- _sym_get_input_byte() in simple backend
- sprintf wrapper
- Crash when concrete non-undef structs contain floats
- afl-showmap generating incorrectly sized map HOT 1
- SymCC may crash if test-case handlers are instrumented
- cannot generate new testcase for a simple case
- program links to libstdc++, not instructmented libc++
- Could not compile libcxx: malloc/malloc.h not found HOT 7
- Fail to compile gpac with clang frontend error HOT 1
- Fuzzing with AFL and Symcc does not work HOT 2
- SymCC fails to compile with -DTARGET_32BIT=ON HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from symcc.