eurecom-s3 / symcc Goto Github PK
View Code? Open in Web Editor NEWSymCC: efficient compiler-based symbolic execution
Home Page: http://www.s3.eurecom.fr/tools/symbolic_execution/symcc.html
License: GNU General Public License v3.0
symcc's Issues
Hybrid fuzzing with simple backend
Hi,
Currently, the simple backend does not support hybrid fuzzing, simply because it does not generate the output file. I am wondering if this feature (i.e. simple backend for hybrid fuzzing) will be supported in the near future or not. (I may want to build it myself if the answer is no). Thank you in advance!
Respectfully,
Ruoyu
Rust support
This would be really nice to have.
No results when running symbolized OpenJpeg
Hello again,
I am trying to reproduce the OpenJpeg example.
I followed the instructions on http://www.s3.eurecom.fr/tools/symbolic_execution/symcc.html:
- I built SymCC in release mode (I tried both with and without QSYM).
- I configured OpenJpeg (
1f1e9682) withcmake -G Ninja .. -DBUILD_THIRDPARTY=ONandCC/CXX/SYMCC_NO_SYMBOLIC_INPUTappropriately set. - Built OpenJpeg: I can see several warnings emitted by SymCC however I didn't see any
symbolized XXX(I saw this when building the test.c example). - Unset
SYMCC_NO_SYMBOLIC_INPUT, exportedSYMCC_OUTPUT_DIRand runbin/opj_decompress -i file1.jp2 -o /tmp/image.pgm, however I didn't see any output produced by SymCC's runtime.
Did I miss some step?
Thanks
problem with compiling target with symcc/sym++ compiler
Hi .
I am trying to compile a target. I compiled and made symcc with LLVM-10 and also made the libcxx of it with symcc .
But I have the following problem when I want to compile a target source code with symcc :
Symbolizing function PredictorSub2_C
Symbolizing function PredictorSub3_C
Symbolizing function PredictorSub4_C
Symbolizing function PredictorSub5_C
Symbolizing function PredictorSub6_C
Symbolizing function PredictorSub7_C
Symbolizing function PredictorSub8_C
Symbolizing function PredictorSub9_C
Symbolizing function PredictorSub10_C
Symbolizing function PredictorSub11_C
Symbolizing function PredictorSub12_C
Symbolizing function PredictorSub13_C
Symbolizing function BitsLog2Floor
Warning: losing track of symbolic expressions at bit-count operation %8 = call i32 @llvm.ctlz.i32(i32 %7, i1 true)
Symbolizing function GetEntropyUnrefinedHelper
Symbolizing function VP8LSubPixels
CC libwebpdsp_la-ssim.lo
Symbolizer module init
Symbolizing function VP8SSIMFromStats
Symbolizing function SSIMCalculation
Symbolizing function VP8SSIMFromStatsClipped
Symbolizing function VP8SSIMDspInit
Symbolizing function VP8SSIMDspInit_body
Symbolizing function SSIMGetClipped_C
Symbolizing function SSIMGet_C
Symbolizing function AccumulateSSE_C
CC libwebpdsp_sse2_la-cost_sse2.lo
Symbolizer module init
Symbolizing function VP8EncDspCostInitSSE2
Symbolizing function SetResidualCoeffs_SSE2
clang: /home/usse/symcc/compiler/Symbolizer.cpp:608: void Symbolizer::visitBitCastInst(llvm::BitCastInst&): Assertion `I.getSrcTy()->isPointerTy() && I.getDestTy()->isPointerTy() && "Unhandled non-pointer bit cast"' failed.
Stack dump:
0. Program arguments: /home/usse/llvm-10/build/bin/clang -Xclang -load -Xclang /home/usse/symcc/build/libSymbolize.so -DHAVE_CONFIG_H -I. -I../../src/webp -I../.. -I../.. -fvisibility=hidden -Wall -Wconstant-conversion -Wdeclaration-after-statement -Wextra -Wfloat-conversion -Wformat -Wformat-nonliteral -Wformat -Wformat-security -Wmissing-declarations -Wmissing-prototypes -Wold-style-definition -Wparentheses-equality -Wshadow -Wshorten-64-to-32 -Wundef -Wunreachable-code-aggressive -Wunreachable-code -Wunused -Wvla -msse2 -DWEBP_MAX_IMAGE_SIZE=838860800 -pthread -MT libwebpdsp_sse2_la-cost_sse2.lo -MD -MP -MF .deps/libwebpdsp_sse2_la-cost_sse2.Tpo -c cost_sse2.c -o libwebpdsp_sse2_la-cost_sse2.o -L/home/usse/symcc/build/SymRuntime-prefix/src/SymRuntime-build -lSymRuntime -Wl,-rpath,/home/usse/symcc/build/SymRuntime-prefix/src/SymRuntime-build -Qunused-arguments
1. <eof> parser at end of file
2. Per-module optimization passes
3. Running pass 'Function Pass Manager' on module 'cost_sse2.c'.
4. Running pass 'Symbolization Pass' on function '@SetResidualCoeffs_SSE2'
#0 0x00007f3eea78d35a llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/home/usse/llvm-10/build/lib/libLLVM-10.so+0x70835a)
#1 0x00007f3eea78af44 llvm::sys::RunSignalHandlers() (/home/usse/llvm-10/build/lib/libLLVM-10.so+0x705f44)
#2 0x00007f3eea78b1b5 llvm::sys::CleanupOnSignal(unsigned long) (/home/usse/llvm-10/build/lib/libLLVM-10.so+0x7061b5) #3 0x00007f3eea6ac780 CrashRecoverySignalHandler(int) (/home/usse/llvm-10/build/lib/libLLVM-10.so+0x627780)
#4 0x00007f3ee994a040 (/lib/x86_64-linux-gnu/libc.so.6+0x3f040)
#5 0x00007f3ee9949fb7 raise /build/glibc-S9d2JN/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:51:0
#6 0x00007f3ee994b921 abort /build/glibc-S9d2JN/glibc-2.27/stdlib/abort.c:81:0
#7 0x00007f3ee993b48a __assert_fail_base /build/glibc-S9d2JN/glibc-2.27/assert/assert.c:89:0
#8 0x00007f3ee993b502 (/lib/x86_64-linux-gnu/libc.so.6+0x30502)
#9 0x00007f3ee8898889 Symbolizer::visitBitCastInst(llvm::BitCastInst&) (/home/usse/symcc/build/libSymbolize.so+0x57889)
#10 0x00007f3ee88b325f llvm::InstVisitor<Symbolizer, void>::visitBitCast(llvm::BitCastInst&) (/home/usse/symcc/build/libSymbolize.so+0x7225f)
#11 0x00007f3ee88b25d9 llvm::InstVisitor<Symbolizer, void>::visit(llvm::Instruction&) (/home/usse/symcc/build/libSymbolize.so+0x715d9)
#12 0x00007f3ee88b1a49 llvm::InstVisitor<Symbolizer, void>::visit(llvm::Instruction*) (/home/usse/symcc/build/libSymbolize.so+0x70a49)
#13 0x00007f3ee88b09b5 SymbolizePass::runOnFunction(llvm::Function&) (/home/usse/symcc/build/libSymbolize.so+0x6f9b5)
#14 0x00007f3eea89bf6f llvm::FPPassManager::runOnFunction(llvm::Function&) (/home/usse/llvm-10/build/lib/libLLVM-10.so+0x816f6f)
#15 0x00007f3eea89c741 llvm::FPPassManager::runOnModule(llvm::Module&) (/home/usse/llvm-10/build/lib/libLLVM-10.so+0x817741)
#16 0x00007f3eea89cb41 llvm::legacy::PassManagerImpl::run(llvm::Module&) (/home/usse/llvm-10/build/lib/libLLVM-10.so+0x817b41)
#17 0x00007f3eee4a7861 (anonymous namespace)::EmitAssemblyHelper::EmitAssembly(clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x1450861)
#18 0x00007f3eee4a92db clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x14522db)
#19 0x00007f3eee775eac clang::BackendConsumer::HandleTranslationUnit(clang::ASTContext&) (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x171eeac)
#20 0x00007f3eed856039 clang::ParseAST(clang::Sema&, bool, bool) (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x7ff039)
#21 0x00007f3eeef5ce09 clang::FrontendAction::Execute() (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x1f05e09)
#22 0x00007f3eeef1aaba clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x1ec3aba)
#23 0x00007f3eeefe72cb clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x1f902cb)
#24 0x0000563bc9bd1cf7 cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/home/usse/llvm-10/build/bin/clang+0x11cf7)
#25 0x0000563bc9bcf5ad ExecuteCC1Tool(llvm::SmallVectorImpl<char const*>&) (/home/usse/llvm-10/build/bin/clang+0xf5ad)#26 0x00007f3eeec2ae05 void llvm::function_ref<void ()>::callback_fn<clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, bool*) const::'lambda'()>(long) (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x1bd3e05)
#27 0x00007f3eea6ac863 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/home/usse/llvm-10/build/lib/libLLVM-10.so+0x627863)
#28 0x00007f3eeec2ba70 clang::driver::CC1Command::Execute(llvm::ArrayRef<llvm::Optional<llvm::StringRef> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, bool*) const (.part.148) (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x1bd4a70)
#29 0x00007f3eeec04635 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&) const (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x1bad635)
#30 0x00007f3eeec05091 clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&) const (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x1bae091)
#31 0x00007f3eeec0f345 clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&) (/home/usse/llvm-10/build/lib/libclang-cpp.so.10+0x1bb8345)
#32 0x0000563bc9bcd4bc main (/home/usse/llvm-10/build/bin/clang+0xd4bc)
#33 0x00007f3ee992cbf7 __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:344:0
#34 0x0000563bc9bcf12a _start (/home/usse/llvm-10/build/bin/clang+0xf12a)
clang-10: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 10.0.1
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /home/usse/llvm-10/build/bin
clang-10: note: diagnostic msg: PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
clang-10: note: diagnostic msg:
********************
PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang-10: note: diagnostic msg: /tmp/cost_sse2-2d8176.c
clang-10: note: diagnostic msg: /tmp/cost_sse2-2d8176.sh
clang-10: note: diagnostic msg:
********************
Makefile:988: recipe for target 'libwebpdsp_sse2_la-cost_sse2.lo' failed
make[2]: *** [libwebpdsp_sse2_la-cost_sse2.lo] Error 1
make[2]: Leaving directory '/home/usse/libwebp/src/dsp'
Makefile:596: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/usse/libwebp/src'
Makefile:421: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
Can anyone help? is something here is forgotten ? I even set SYMCC_LIBCXX_PATH to the right place :
export SYMCC_LIBCXX_PATH=~/llvm-10/libcxx_symcc_install/
Thanks!
LD_PRELOAD support?
Hey SymCC devs!
I have a question; hopefully it makes sense.
I tried out SymCC on libxml + xmllint. However, I couldn't get a symbolic input file because libxml doesn't call open/fopen directly; rather, it uses a libz wrapper around open/fopen instead. I assume that this means that I need to go and recompile libz with SymCC.
However, is it possible to compile the libc wrappers as a shared object that can intercept libc functions (when loaded with LD_PRELOAD), which will capture the above use-case without needing to recompile libz? Or will this not work, because libz still needs to be instrumented to propagate the symbolic data back to libxml?
c++ targets
I want to put afl++ and symcc on fuzzbench and I am running into problems on every target - because they all at some point are compile c++ code (latest at the harness) and this breaks, e.g.
#19 38.51 + /symcc_build/sym++ -stdlib=libc++ -pthread -Wl,--no-as-needed -Wl,-ldl -Wl,-lm -Wno-unused-command-line-argument -O3 -std=c++11 /src/target.cc .libs/libpng12.a /libAFLDriver.a -I . -lz -o /out/fuzz-target
#19 38.55 In file included from /src/target.cc:13:
#19 38.55 In file included from /libcxx_symcc_install/include/c++/v1/cstdlib:86:
#19 38.55 /libcxx_symcc_install/include/c++/v1/stdlib.h:111:82: error: use of undeclared identifier 'labs'; did you mean 'abs'?
#19 38.55 inline _LIBCPP_INLINE_VISIBILITY long abs( long __x) _NOEXCEPT {return labs(__x);}
#19 38.55 ^
I tried to include math.h, stdlib.h, cstdlib, -lm etc. but nothing solved this error.
Have you seen these issues before and if yes - how did you fix them?
also maybe update the Dockerfile to use llvm 10 instead of 8? (e.g. by moving to focal, then you would also likely not need to compile z3)
Libc wrapper fail to hook when there is a wrapper on it
When I collect the constraints of libtiff, SymCC always lost constraints. So I use gdb to debug it, after which I realized that SymCC failed to hook some critical libc functions, including memcpy and memset, because in libtiff, they use _TIFFmemcpy and _TIFFmemset (see the definition: https://gitlab.com/libtiff/libtiff/-/blob/master/libtiff/tif_unix.c#L338), instead of the original name. (see https://gitlab.com/libtiff/libtiff/-/blob/master/libtiff/tif_dirread.c#L6466).
I think this is a bug, because SymCC can hook these functions successfully as long as I use memset to replace _TIFFmemset.
Correct Z3 version
Hi,
I prepared compilation of symcc using
$ cmake -G Ninja -DQSYM_BACKEND=ON -DZ3_TRUST_SYSTEM_VERSION=on path_for_code
but I am then obtaining compilation errors related to Z3:
$ ninja check
...
FAILED: qsym_backend/CMakeFiles/SymRuntime.dir/expr_builder__gen.cpp.o
/usr/bin/c++ -DSymRuntime_EXPORTS -I/home/edrdo/symcc/runtime/qsym_backend -I/home/edrdo/symcc/runtime/qsym_backend/.. -isystem /usr/lib/llvm-11/include -isystem /home/edrdo/symcc/runtime/qsym_backend/qsym/qsym/pintool -std=c++17 -Wredundant-decls -Wcast-align -Wmissing-include-dirs -Wswitch-default -Wextra -Wall -Winvalid-pch -Wredundant-decls -Wformat=2 -Wmissing-format-attribute -Wformat-nonliteral -fPIC -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -MD -MT qsym_backend/CMakeFiles/SymRuntime.dir/expr_builder__gen.cpp.o -MF qsym_backend/CMakeFiles/SymRuntime.dir/expr_builder__gen.cpp.o.d -o qsym_backend/CMakeFiles/SymRuntime.dir/expr_builder__gen.cpp.o -c qsym_backend/expr_builder__gen.cpp
In file included from /usr/include/z3.h:26,
from /usr/include/z3++.h:28,
from /home/edrdo/symcc/runtime/qsym_backend/qsym/qsym/pintool/expr.h:12,
from /home/edrdo/symcc/runtime/qsym_backend/qsym/qsym/pintool/expr_cache.h:4,
from /home/edrdo/symcc/runtime/qsym_backend/qsym/qsym/pintool/expr_builder.h:6,
from qsym_backend/expr_builder__gen.cpp:1:
/home/edrdo/symcc/runtime/qsym_backend/pin.H:35:18: error: declaration does not declare anything [-fpermissive]
typedef uint64_t __uint64;
^~~~~~~~
In file included from /home/edrdo/symcc/runtime/qsym_backend/qsym/qsym/pintool/expr_cache.h:4,
from /home/edrdo/symcc/runtime/qsym_backend/qsym/qsym/pintool/expr_builder.h:6,
from qsym_backend/expr_builder__gen.cpp:1:
/home/edrdo/symcc/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::ZExtExpr::toZ3ExprRecursively(bool)':
/home/edrdo/symcc/runtime/qsym_backend/qsym/qsym/pintool/expr.h:642:16: error: 'zext' is not a member of 'z3'
return z3::zext(e->toZ3Expr(verbose), bits_ - e->bits());
^~~~
/home/edrdo/symcc/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::SExtExpr::toZ3ExprRecursively(bool)':
/home/edrdo/symcc/runtime/qsym_backend/qsym/qsym/pintool/expr.h:672:16: error: 'sext' is not a member of 'z3'
return z3::sext(e->toZ3Expr(verbose), bits_ - e->bits());
^~~~
/home/edrdo/symcc/runtime/qsym_backend/qsym/qsym/pintool/expr.h:672:16: note: suggested alternative: 'sat'
...
several other errors of the same kind
...
The Z3 version installed is the standard one for Debian 10, I think.
$ z3 --version
Z3 version 4.4.1
Should I use another Z3 version? Thanks
Use musl to overcome the problem of libc wrapper incomplete
Hi, I noticed previous issue #23 has mentioned we can try to use musl to replace some libc functions during the instrumentation. My question is: suppose we are instrumenting a large-scale problem, and we are not familiar with its building configuration, if I want to use musl to replace specific libc function in the target program (e.g., use the implementation of qsort to replace the qsort in libc), it there any convenient approach?
Compilation on macOS
Dear all,
I'd love to experiment a little with your implementation, but am currently struggling with getting the project compiled on macOS. What happens:
Everything works until ninja check, then I first get the error ld: unknown option: -z. I "solve" this my changing build.ninja, by removing -z, in line 107. Now the process proceeds further, but I get a number of new errors:
[1/5] Linking CXX shared module libSymbolize.so
FAILED: libSymbolize.so
: && /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/c++ -std=c++17 -Wredundant-decls -Wcast-align -Wmissing-include-dirs -Wswitch-default -Wextra -Wall -Winvalid-pch -Wredundant-decls -Wformat=2 -Wmissing-format-attribute -Wformat-nonliteral -Werror -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk -bundle -Wl,-headerpad_max_install_names -Wl,nodelete -o libSymbolize.so CMakeFiles/Symbolize.dir/compiler/Symbolizer.cpp.o CMakeFiles/Symbolize.dir/compiler/Pass.cpp.o CMakeFiles/Symbolize.dir/compiler/Runtime.cpp.o CMakeFiles/Symbolize.dir/compiler/Main.cpp.o && :
ld: file not found: nodelete
...
[9/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/solver.cpp.o
FAILED: qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/solver.cpp.o
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/c++ -DSymRuntime_EXPORTS -Isymcc/runtime/qsym_backend -Isymcc/runtime/qsym_backend/.. -isystem /opt/local/libexec/llvm-10/include -isystem /opt/local/include -isystem symcc/runtime/qsym_backend/qsym/qsym/pintool -std=c++17 -Wredundant-decls -Wcast-align -Wmissing-include-dirs -Wswitch-default -Wextra -Wall -Winvalid-pch -Wredundant-decls -Wformat=2 -Wmissing-format-attribute -Wformat-nonliteral -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk -fPIC -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -MD -MT qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/solver.cpp.o -MF qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/solver.cpp.o.d -o qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/solver.cpp.o -c symcc/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp
symcc/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp:2:10: fatal error: 'byteswap.h' file not found
#include <byteswap.h>
^~~~~~~~~~~~
...
[11/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/__/LibcWrappers.cpp.o
FAILED: qsym_backend/CMakeFiles/SymRuntime.dir/__/LibcWrappers.cpp.o
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/c++ -DSymRuntime_EXPORTS -Isymcc/runtime/qsym_backend -Isymcc/runtime/qsym_backend/.. -isystem /opt/local/libexec/llvm-10/include -isystem /opt/local/include -isystem symcc/runtime/qsym_backend/qsym/qsym/pintool -std=c++17 -Wredundant-decls -Wcast-align -Wmissing-include-dirs -Wswitch-default -Wextra -Wall -Winvalid-pch -Wredundant-decls -Wformat=2 -Wmissing-format-attribute -Wformat-nonliteral -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk -fPIC -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -MD -MT qsym_backend/CMakeFiles/SymRuntime.dir/__/LibcWrappers.cpp.o -MF qsym_backend/CMakeFiles/SymRuntime.dir/__/LibcWrappers.cpp.o.d -o qsym_backend/CMakeFiles/SymRuntime.dir/__/LibcWrappers.cpp.o -c symcc/runtime/LibcWrappers.cpp
symcc/runtime/LibcWrappers.cpp:97:18: error: use of undeclared identifier 'mmap64'; did you mean 'mmap'?
auto *result = mmap64(addr, len, prot, flags, fildes, off);
^~~~~~
mmap
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/sys/mman.h:238:9: note: 'mmap' declared here
void * mmap(void *, size_t, int, int, int, off_t) __DARWIN_ALIAS(mmap);
^
symcc/runtime/LibcWrappers.cpp:165:17: error: use of undeclared identifier 'lseek64'; did you mean 'lseek'?
auto result = lseek64(fd, offset, whence);
^~~~~~~
lseek
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/unistd.h:465:8: note: 'lseek' declared here
off_t lseek(int, off_t, int);
^
symcc/runtime/LibcWrappers.cpp:211:18: error: use of undeclared identifier 'fopen64'; did you mean 'fopen'?
auto *result = fopen64(pathname, mode);
^~~~~~~
fopen
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.1.sdk/usr/include/stdio.h:153:7: note: 'fopen' declared here
FILE *fopen(const char * __restrict __filename, const char * __restrict __mode) __DARWIN_ALIAS_STARTING(__MAC_10_6, __IPHONE_2_0, __DARWIN_ALIAS(fopen));
^
3 errors generated.
as well as a couple of warnings I won't post.
Anybody has any idea about how to proceed? Thanks!!! :)
Build backend error
Hello,there is a problem when i build the backend
-- The C compiler identification is Clang 10.0.0
-- The CXX compiler identification is unknown
-- Check for working C compiler: /usr/local/bin/clang-10
-- Check for working C compiler: /usr/local/bin/clang-10 -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/clang++-10
-- Check for working CXX compiler: /usr/bin/clang++-10 -- broken
CMake Error at /usr/share/cmake-3.16/Modules/CMakeTestCXXCompiler.cmake:53 (message):
The C++ compiler
"/usr/bin/clang++-10"
is not able to compile a simple test program.
It fails with the following output:
Change Dir: /home/suiyize/symcc_source/symcc_build_simple/CMakeFiles/CMakeTmp
Run Build Command(s):/usr/bin/ninja cmTC_e79ec && [1/2] Building CXX object CMakeFiles/cmTC_e79ec.dir/testCXXCompiler.cxx.o
FAILED: CMakeFiles/cmTC_e79ec.dir/testCXXCompiler.cxx.o
/usr/bin/clang++-10 -o CMakeFiles/cmTC_e79ec.dir/testCXXCompiler.cxx.o -c testCXXCompiler.cxx
: CommandLine Error: Option 'help-list' registered more than once!
LLVM ERROR: inconsistency in registered CommandLine options
ninja: build stopped: subcommand failed.
CMake will not be able to correctly generate this project.
Call Stack (most recent call first):
CMakeLists.txt:16 (project)
-- Configuring incomplete, errors occurred!
See also "/home/suiyize/symcc_source/symcc_build_simple/CMakeFiles/CMakeOutput.log".
See also "/home/suiyize/symcc_source/symcc_build_simple/CMakeFiles/CMakeError.log".
and the command is
CC=clang-10 CXX=clang++-10 cmake -G Ninja -DQSYM_BACKEND=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo -DZ3_TRUST_SYSTEM_VERSION=on -DLLVM_DIR=/usr/lib/llvm-10/cmake ~/symcc_source && ninja check
Extend SymCC to perform forking exploration (not just concolic execution)
Hi,
I'm testing with a simple test case and it seems to fail. Any idea what's going wrong ?
I'm compiling with -O0 and the expected result should be 0x10. It works with >=-O2 as the
for loop will be simplified by LLVM.
Thanks,
Peter
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
uint64_t g_value = 0x10;
int main(int argc, char *argv[]) {
uint64_t x;
if (read(STDIN_FILENO, &x, sizeof(x)) != sizeof(x)) {
printf("Failed to read x\n");
return -1;
}
uint64_t y=0;
for (int i=0;i<x;i++) {
++y;
}
printf("%s\n", (y == g_value) ? "yes" : "no");
return 0;
}
Dockerfile fails when run on git repository without submodules initialized
something broke the Dockerfile:
# docker build -t symcc .
[...]
-- Detecting CXX compile features - done
-- Could NOT find Z3 (missing: Z3_DIR)
-- Configuring done
CMake Error at qsym_backend/CMakeLists.txt:58 (add_library):
Cannot find source file:
qsym/qsym/pintool/expr_cache.cpp
Tried extensions .c .C .c++ .cc .cpp .cxx .cu .m .M .mm .h .hh .h++ .hm
.hpp .hxx .in .txx
CMake Error at qsym_backend/CMakeLists.txt:58 (add_library):
No SOURCES given to target: SymRuntime
CMake Generate step failed. Build files cannot be regenerated correctly.
[6/14] Building CXX object CMakeFiles/Symbolize.dir/compiler/Main.cpp.o
[7/14] Building CXX object CMakeFiles/Symbolize.dir/compiler/Runtime.cpp.o
[8/14] Building CXX object CMakeFiles/Symbolize.dir/compiler/Pass.cpp.o
[9/14] Building CXX object CMakeFiles/Symbolize.dir/compiler/Symbolizer.cpp.o
ninja: build stopped: subcommand failed.
The command '/bin/sh -c cmake -G Ninja -DQSYM_BACKEND=ON -DCMAKE_BUILD_TYPE=RelWithDebInfo -DZ3_TRUST_SYSTEM_VERSION=on /symcc_source && ninja check && cargo install --path /symcc_source/util/symcc_fuzzing_helper' returned a non-zero code: 1
Additional Questions (sorry, don't know where to put them)
So i suspect my compilation of my target under symcc is not working correctly. I went back to the 'whiteboard' and try to build some basic code to ensure it generates some output under /tmp/output.
(1) I first played with the sample.cpp that came with the docker file. I noticed the solution is only discovered if i provided an input with a string length equal to the value that is being compared (root). If i tried anything else such as echo 'a' or echo 'aaaaa' and pass it to the sample binary. the generated solution under /tmp/output does not contain 'root'. Is this the correct behaviour?
(2) The second thing I tried is to compile the sample.cpp through sym++. I understand the libc++ stuff have to also be instrumented, and that the docker container have already setup and environment variable SYMCC_LIBCXX_PATH which points to "/libcxx_symcc_install". However, when i compiled the sample.cpp, i get the following error:
ubuntu@symcc:~$ sym++ -o sample sample.cpp
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:214:
/libcxx_symcc_install/include/c++/v1/iosfwd:189:14: error: use of undeclared identifier 'mbstate_t'
typedef fpos<mbstate_t> streampos;
^
/libcxx_symcc_install/include/c++/v1/iosfwd:190:14: error: use of undeclared identifier 'mbstate_t'
typedef fpos<mbstate_t> wstreampos;
^
/libcxx_symcc_install/include/c++/v1/iosfwd:195:14: error: use of undeclared identifier 'mbstate_t'
typedef fpos<mbstate_t> u16streampos;
^
/libcxx_symcc_install/include/c++/v1/iosfwd:196:14: error: use of undeclared identifier 'mbstate_t'
typedef fpos<mbstate_t> u32streampos;
^
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
In file included from /libcxx_symcc_install/include/c++/v1/cstring:60:
/libcxx_symcc_install/include/c++/v1/string.h:73:64: error: use of undeclared identifier 'strchr'
char* __libcpp_strchr(const char* __s, int __c) {return (char*)strchr(__s, __c);}
^
/libcxx_symcc_install/include/c++/v1/string.h:80:75: error: use of undeclared identifier 'strpbrk'
char* __libcpp_strpbrk(const char* __s1, const char* __s2) {return (char*)strpbrk(__s1, __s2);}
^
/libcxx_symcc_install/include/c++/v1/string.h:87:65: error: use of undeclared identifier 'strrchr'; did you mean 'strchr'?
char* __libcpp_strrchr(const char* __s, int __c) {return (char*)strrchr(__s, __c);}
^
/libcxx_symcc_install/include/c++/v1/string.h:75:13: note: 'strchr' declared here
const char* strchr(const char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
/libcxx_symcc_install/include/c++/v1/string.h:94:76: error: use of undeclared identifier 'memchr'
void* __libcpp_memchr(const void* __s, int __c, size_t __n) {return (void*)memchr(__s, __c, __n);}
^
/libcxx_symcc_install/include/c++/v1/string.h:101:74: error: use of undeclared identifier 'strstr'; did you mean 'strchr'?
char* __libcpp_strstr(const char* __s1, const char* __s2) {return (char*)strstr(__s1, __s2);}
^
/libcxx_symcc_install/include/c++/v1/string.h:77:13: note: 'strchr' declared here
char* strchr( char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
/libcxx_symcc_install/include/c++/v1/string.h:101:74: error: no matching function for call to 'strchr'
char* __libcpp_strstr(const char* __s1, const char* __s2) {return (char*)strstr(__s1, __s2);}
^
/libcxx_symcc_install/include/c++/v1/string.h:77:13: note: candidate disabled:
char* strchr( char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
/libcxx_symcc_install/include/c++/v1/string.h:101:81: error: cannot initialize a parameter of type 'char ' with an lvalue of type 'const char '
char __libcpp_strstr(const char __s1, const char* __s2) {return (char*)strstr(__s1, __s2);}
^~~~
/libcxx_symcc_install/include/c++/v1/string.h:77:32: note: passing argument to parameter '__s' here
char* strchr( char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
/libcxx_symcc_install/include/c++/v1/cstring:69:9: error: no member named 'memcpy' in the global namespace; did you mean 'memchr'?
using ::memcpy;
~~^
/libcxx_symcc_install/include/c++/v1/string.h:96:13: note: 'memchr' declared here
const void* memchr(const void* __s, int __c, size_t __n) {return __libcpp_memchr(__s, __c, __n);}
^
In file included from sample2.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
/libcxx_symcc_install/include/c++/v1/cstring:70:9: error: no member named 'memmove' in the global namespace
using ::memmove;
~~^
/libcxx_symcc_install/include/c++/v1/cstring:71:9: error: no member named 'strcpy' in the global namespace; did you mean 'strchr'?
using ::strcpy;
~~^
/libcxx_symcc_install/include/c++/v1/string.h:75:13: note: 'strchr' declared here
const char* strchr(const char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
/libcxx_symcc_install/include/c++/v1/cstring:72:9: error: no member named 'strncpy' in the global namespace
using ::strncpy;
~~^
/libcxx_symcc_install/include/c++/v1/cstring:73:9: error: no member named 'strcat' in the global namespace; did you mean 'strchr'?
using ::strcat;
~~^
/libcxx_symcc_install/include/c++/v1/string.h:75:13: note: 'strchr' declared here
const char* strchr(const char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
/libcxx_symcc_install/include/c++/v1/cstring:74:9: error: no member named 'strncat' in the global namespace
using ::strncat;
~~^
/libcxx_symcc_install/include/c++/v1/cstring:75:9: error: no member named 'memcmp' in the global namespace; did you mean 'memchr'?
using ::memcmp;
~~^
/libcxx_symcc_install/include/c++/v1/string.h:96:13: note: 'memchr' declared here
const void* memchr(const void* __s, int __c, size_t __n) {return __libcpp_memchr(__s, __c, __n);}
^
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
/libcxx_symcc_install/include/c++/v1/cstring:76:9: error: no member named 'strcmp' in the global namespace; did you mean 'strchr'?
using ::strcmp;
~~^
/libcxx_symcc_install/include/c++/v1/string.h:75:13: note: 'strchr' declared here
const char* strchr(const char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
fatal error: too many errors emitted, stopping now [-ferror-limit=]
20 errors generated.
(3) Lastly, I tried to build a 'sample' under C with the following code:
#include <stdio.h>
int main(int argc, char *argv[]) {
//char *name = argv[1];
char name[100];
printf("What is your name?\n");
gets(name);
if (strcmp(name, "root") == 0)
printf("What is your command?\n");
else
printf("Hello %s\n", name);
return 0;
}
I ran symcc -o sample3 sample3.c
The build is successful, but when i run it like: "echo 'aaaa' | ./sample3", nothing gets generated in the /tmp/output folder.
buntu@symcc:$ echo 'aaaa' | ./sample3$ ls /tmp/output/
This is SymCC running with the QSYM backend
Reading program input until EOF (use Ctrl+D in a terminal)...
What is your name?
Hello aaaa
ubuntu@symcc:
ubuntu@symcc:$ ls -al /tmp/output/$
total 12
drwxr-xr-x 1 ubuntu ubuntu 4096 Oct 2 14:10 .
drwxrwxrwt 1 root root 4096 Oct 2 14:21 ..
ubuntu@symcc:
Any suggestion as to why this is not working?
Thanks.
Allow solve time granted to be in an env var
A critical success factor for symbolic solving is the time given to solve.
currently this is hardcoded in the qsym backend code that is called and is set to 5 secods.
at the start of fuzzing this is an OK setting, however for longer running fuzzing campaigns this becomes useless.
after a few hours and days the shallow paths have all been found and explored and deeper paths would require a longer solving time. at the same time, new paths are found much rarely that would give way more solving time.
Hence so that symcc is not pointless after a few hours of runtime, the solving time needs to be dynamically increased. the fuzzing helper script could do that based on the wait time it took for the next queue entry to be found by the synced afl-fuzz instance and setting that as the solve time, passing that to symcc in an environment variable.
symcc_fuzzing_helper should handle "No exit code available for afl-showmap" panic gracefully
symcc_fuzzing_helper throws an expect() panic when it fails to match on afl_show_map_status if I let it run long enough on several targets. I've yet to find a target that does not hit this exception eventually. I am not sure of the root cause, the harness will run for some number of hours before this occurs. There should be an attempt to handle this gracefully and restart the solving loop. When run directly without the harness, I've run symqemu for 14 hours until memory limits were hit.
https://github.com/eurecom-s3/symcc/blob/master/util/symcc_fuzzing_helper/src/symcc.rs#L368
[2021-01-24T11:42:14Z INFO symcc_fuzzing_helper] Running on input /tmp/afl_rar2/secondary/queue/id:002025,src:002019,time:8333074,op:havoc,rep:4,+cov
thread 'main' panicked at 'No exit code available for afl-showmap', src/symcc.rs:368:14
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
running the below afl-showmap command that would have presumably run terminates normally with code 0
afl-showmap -Q -t 5000 -m none -b -o /tmp/testcase_bitmap -- /home/vulndev/rar/unrar -mt1 -kb -o+ -p- t "/tmp/afl_rar2/secondary/queue/id:002025,src:002019,time:8333074,op:havoc,rep:4,+cov"
A issue about sym++
Hello,symcc team
I try to combine symcc and afl by symcc_fuzzing_helper,When I use symcc to compile the C project, there is no problem.However, the following problems will occur when compiling C++ projects.
-- The CXX compiler identification is unknown
-- Check for working CXX compiler: /home/dh/symcc_build_qsym/sym++
-- Check for working CXX compiler: /home/dh/symcc_build_qsym/sym++ -- broken
CMake Error at /usr/share/cmake-3.16/Modules/CMakeTestCXXCompiler.cmake:53 (message):
The C++ compiler
"/home/dh/symcc_build_qsym/sym++"
is not able to compile a simple test program.
It fails with the following output:
Change Dir: /home/.../exiv2-0.27.4/exiv2-0.27.4/build-symcc-test/CMakeFiles/CMakeTmp
Run Build Command(s):/usr/bin/make cmTC_364f3/fast && /usr/bin/make -f CMakeFiles/cmTC_364f3.dir/build.make CMakeFiles/cmTC_364f3.dir/build
make[1]: Entering directory '/home/.../exiv2-0.27.4/exiv2-0.27.4/build-symcc-test/CMakeFiles/CMakeTmp'
Building CXX object CMakeFiles/cmTC_364f3.dir/testCXXCompiler.cxx.o
/home/dh/symcc_build_qsym/sym++ -o CMakeFiles/cmTC_364f3.dir/testCXXCompiler.cxx.o -c /home/.../exiv2-0.27.4/exiv2-0.27.4/build-symcc-test/CMakeFiles/CMakeTmp/testCXXCompiler.cxx
Please set SYMCC_LIBCXX_PATH to the directory containing libc++ or confirm usage of the system library by setting SYMCC_REGULAR_LIBCXX!
make[1]: *** [CMakeFiles/cmTC_364f3.dir/build.make:66: CMakeFiles/cmTC_364f3.dir/testCXXCompiler.cxx.o] Error 255
make[1]: Leaving directory '/home/.../exiv2-0.27.4/exiv2-0.27.4/build-symcc-test/CMakeFiles/CMakeTmp'
make: *** [Makefile:121: cmTC_364f3/fast] Error 2
CMake will not be able to correctly generate this project.
Call Stack (most recent call first):
CMakeLists.txt:3 (project)
-- Configuring incomplete, errors occurred!
I try to fix it with SYMCC_REGULAR_LIBCXX=1 set in the environment,it worked.But when the program compiled by sym++ is run with afl, the output is all like this
2021-07-08T08:51:39Z WARN symcc_fuzzing_helper::symcc] SymCC received signal 11
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] The target process was killed (probably timeout or out of memory); archiving to out/symcc/hangs
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Running on input out/fuzz2/queue/id:000077,src:000021,time:15399,op:havoc,rep:2,+cov
[2021-07-08T08:51:39Z WARN symcc_fuzzing_helper::symcc] SymCC received signal 11
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] The target process was killed (probably timeout or out of memory); archiving to out/symcc/hangs
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Running on input out/fuzz2/queue/id:000050,src:000021,time:340,op:havoc,rep:8,+cov
[2021-07-08T08:51:39Z WARN symcc_fuzzing_helper::symcc] SymCC received signal 11
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] The target process was killed (probably timeout or out of memory); archiving to out/symcc/hangs
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Running on input out/fuzz2/queue/id:000058,src:000021,time:1328,op:havoc,rep:4,+cov
[2021-07-08T08:51:39Z WARN symcc_fuzzing_helper::symcc] SymCC received signal 11
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] The target process was killed (probably timeout or out of memory); archiving to out/symcc/hangs
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Running on input out/fuzz2/queue/id:000055,src:000021,time:904,op:havoc,rep:4,+cov
[2021-07-08T08:51:39Z WARN symcc_fuzzing_helper::symcc] SymCC received signal 11
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] The target process was killed (probably timeout or out of memory); archiving to out/symcc/hangs
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Running on input out/fuzz2/queue/id:000069,src:000021,time:5273,op:havoc,rep:4,+cov
[2021-07-08T08:51:39Z WARN symcc_fuzzing_helper::symcc] SymCC received signal 11
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] The target process was killed (probably timeout or out of memory); archiving to out/symcc/hangs
[2021-07-08T08:51:39Z INFO symcc_fuzzing_helper] Running on input out/fuzz2/queue/id:000065,src:000021,time:3927,op:havoc,rep:8,+cov
[2021-07-08T08:51:39Z WARN symcc_fuzzing_helper::symcc] SymCC received signal 11
Projects complied with symcc(c compiler) can correctly generate test cases, so i think there must be something wrong with it.Could you tell me how to fix it?
Problem of the libc functions that don't have symbolic wrapper implementation
Hi, I noticed that there are only 26 symbolic wrapper for libc functions, but there are still many libc functions that also need to provide the symbolic wrapper, for example, the strlen().
My question is: since we can not implement symbolic wrapper for all of the functions in libc manually, what will happen if we meet strlen during the symbolic execution? I think SymCC won't instrument strlen with symbolic code, so we will lost the constraints inside the strlen.
Not sure whether my understanding is right, what's other side effect (if any) for the libc functions that don't have symbolic wrapper?
Dockerfile fails
$ docker build -t symcc .
[...]
[11/14] Performing build step for 'SymRuntime'
FAILED: SymRuntime-prefix/src/SymRuntime-stamp/SymRuntime-build
cd /symcc_build/SymRuntime-prefix/src/SymRuntime-build && /usr/bin/cmake --build .
[1/21] Generating Qsym's expr__gen.cpp
[2/21] Generating Qsym's expr__gen.cpp
[3/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/dependency.cpp.o
[4/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/allocation.cpp.o
[5/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/call_stack_manager.cpp.o
[6/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/third_party/xxhash/xxhash.cpp.o
[7/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/afl_trace_map.cpp.o
[8/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/expr_cache.cpp.o
In file included from /symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr_cache.h:4,
from /symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr_cache.cpp:1:
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual bool qsym::Expr::printAux(std::ostream&) const':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:318:36: warning: unused parameter 'os' [-Wunused-parameter]
318 | virtual bool printAux(ostream& os) const {
| ~~~~~~~~~^~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual void qsym::Expr::hashAux(XXH32_state_t*)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:333:41: warning: unused parameter 'state' [-Wunused-parameter]
333 | virtual void hashAux(XXH32_state_t* state) { return; }
| ~~~~~~~~~~~~~~~^~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual bool qsym::Expr::equalAux(const qsym::Expr&) const':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:334:39: warning: unused parameter 'other' [-Wunused-parameter]
334 | virtual bool equalAux(const Expr& other) const { return true; }
| ~~~~~~~~~~~~^~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::ConstantExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:384:37: warning: unused parameter 'verbose' [-Wunused-parameter]
384 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::BoolExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:485:37: warning: unused parameter 'verbose' [-Wunused-parameter]
485 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::ReadExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:525:37: warning: unused parameter 'verbose' [-Wunused-parameter]
525 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
[9/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/__/Config.cpp.o
[10/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/logging.cpp.o
In file included from /symcc_source/runtime/qsym_backend/qsym/qsym/pintool/solver.h:13,
from /symcc_source/runtime/qsym_backend/qsym/qsym/pintool/logging.cpp:6:
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual bool qsym::Expr::printAux(std::ostream&) const':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:318:36: warning: unused parameter 'os' [-Wunused-parameter]
318 | virtual bool printAux(ostream& os) const {
| ~~~~~~~~~^~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual void qsym::Expr::hashAux(XXH32_state_t*)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:333:41: warning: unused parameter 'state' [-Wunused-parameter]
333 | virtual void hashAux(XXH32_state_t* state) { return; }
| ~~~~~~~~~~~~~~~^~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual bool qsym::Expr::equalAux(const qsym::Expr&) const':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:334:39: warning: unused parameter 'other' [-Wunused-parameter]
334 | virtual bool equalAux(const Expr& other) const { return true; }
| ~~~~~~~~~~~~^~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::ConstantExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:384:37: warning: unused parameter 'verbose' [-Wunused-parameter]
384 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::BoolExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:485:37: warning: unused parameter 'verbose' [-Wunused-parameter]
485 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::ReadExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:525:37: warning: unused parameter 'verbose' [-Wunused-parameter]
525 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
[11/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/third_party/llvm/range.cpp.o
[12/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/expr_evaluate.cpp.o
In file included from /symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr_cache.h:4,
from /symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr_builder.h:6,
from /symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr_evaluate.cpp:1:
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual bool qsym::Expr::printAux(std::ostream&) const':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:318:36: warning: unused parameter 'os' [-Wunused-parameter]
318 | virtual bool printAux(ostream& os) const {
| ~~~~~~~~~^~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual void qsym::Expr::hashAux(XXH32_state_t*)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:333:41: warning: unused parameter 'state' [-Wunused-parameter]
333 | virtual void hashAux(XXH32_state_t* state) { return; }
| ~~~~~~~~~~~~~~~^~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual bool qsym::Expr::equalAux(const qsym::Expr&) const':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:334:39: warning: unused parameter 'other' [-Wunused-parameter]
334 | virtual bool equalAux(const Expr& other) const { return true; }
| ~~~~~~~~~~~~^~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::ConstantExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:384:37: warning: unused parameter 'verbose' [-Wunused-parameter]
384 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::BoolExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:485:37: warning: unused parameter 'verbose' [-Wunused-parameter]
485 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::ReadExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:525:37: warning: unused parameter 'verbose' [-Wunused-parameter]
525 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
[13/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/__/Shadow.cpp.o
[14/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/__/RuntimeCommon.cpp.o
[15/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/__/GarbageCollection.cpp.o
[16/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/Runtime.cpp.o
FAILED: qsym_backend/CMakeFiles/SymRuntime.dir/Runtime.cpp.o
/usr/bin/c++ -DSymRuntime_EXPORTS -I/symcc_source/runtime/qsym_backend -I/symcc_source/runtime/qsym_backend/.. -isystem /usr/lib/llvm-10/include -isystem /symcc_source/runtime/qsym_backend/qsym/qsym/pintool -std=c++17 -Wredundant-decls -Wcast-align -Wmissing-include-dirs -Wswitch-default -Wextra -Wall -Winvalid-pch -Wredundant-decls -Wformat=2 -Wmissing-format-attribute -Wformat-nonliteral -O2 -g -DNDEBUG -fPIC -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -MD -MT qsym_backend/CMakeFiles/SymRuntime.dir/Runtime.cpp.o -MF qsym_backend/CMakeFiles/SymRuntime.dir/Runtime.cpp.o.d -o qsym_backend/CMakeFiles/SymRuntime.dir/Runtime.cpp.o -c /symcc_source/runtime/qsym_backend/Runtime.cpp
/symcc_source/runtime/qsym_backend/Runtime.cpp:71:14: error: conflicting declaration 'z3::context* qsym::g_z3_context'
71 | z3::context *g_z3_context;
| ^~~~~~~~~~~~
In file included from /symcc_source/runtime/qsym_backend/Runtime.cpp:55:
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/solver.h:20:20: note: previous declaration as 'z3::context qsym::g_z3_context'
20 | extern z3::context g_z3_context;
| ^~~~~~~~~~~~
/symcc_source/runtime/qsym_backend/Runtime.cpp: In function 'void _sym_initialize()':
/symcc_source/runtime/qsym_backend/Runtime.cpp:174:34: error: no match for 'operator=' (operand types are 'z3::context' and 'z3::context*')
174 | g_z3_context = new z3::context{};
| ^
In file included from /symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:12,
from /symcc_source/runtime/qsym_backend/Runtime.h:18,
from /symcc_source/runtime/qsym_backend/Runtime.cpp:19:
/usr/include/z3++.h:168:19: note: candidate: 'z3::context& z3::context::operator=(const z3::context&)'
168 | context & operator=(context const & s);
| ^~~~~~~~
/usr/include/z3++.h:168:45: note: no known conversion for argument 1 from 'z3::context*' to 'const z3::context&'
168 | context & operator=(context const & s);
| ~~~~~~~~~~~~~~~~^
[17/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/expr__gen.cpp.o
qsym_backend/expr__gen.cpp: In member function 'virtual void qsym::ConstantExpr::print(std::ostream&, UINT) const':
qsym_backend/expr__gen.cpp:382:44: warning: unused parameter 'depth' [-Wunused-parameter]
382 | void ConstantExpr::print(ostream& os, UINT depth) const {
| ~~~~~^~~~~
[18/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/qsym/qsym/pintool/solver.cpp.o
In file included from /symcc_source/runtime/qsym_backend/qsym/qsym/pintool/solver.h:13,
from /symcc_source/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp:3:
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual bool qsym::Expr::printAux(std::ostream&) const':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:318:36: warning: unused parameter 'os' [-Wunused-parameter]
318 | virtual bool printAux(ostream& os) const {
| ~~~~~~~~~^~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual void qsym::Expr::hashAux(XXH32_state_t*)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:333:41: warning: unused parameter 'state' [-Wunused-parameter]
333 | virtual void hashAux(XXH32_state_t* state) { return; }
| ~~~~~~~~~~~~~~~^~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual bool qsym::Expr::equalAux(const qsym::Expr&) const':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:334:39: warning: unused parameter 'other' [-Wunused-parameter]
334 | virtual bool equalAux(const Expr& other) const { return true; }
| ~~~~~~~~~~~~^~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::ConstantExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:384:37: warning: unused parameter 'verbose' [-Wunused-parameter]
384 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::BoolExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:485:37: warning: unused parameter 'verbose' [-Wunused-parameter]
485 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h: In member function 'virtual z3::expr qsym::ReadExpr::toZ3ExprRecursively(bool)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/expr.h:525:37: warning: unused parameter 'verbose' [-Wunused-parameter]
525 | z3::expr toZ3ExprRecursively(bool verbose) override {
| ~~~~~^~~~~~~
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp: In member function 'bool qsym::Solver::isInterestingJcc(qsym::ExprRef, bool, ADDRINT)':
/symcc_source/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp:511:39: warning: unused parameter 'rel_expr' [-Wunused-parameter]
511 | bool Solver::isInterestingJcc(ExprRef rel_expr, bool taken, ADDRINT pc) {
| ~~~~~~~~^~~~~~~~
[19/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/__/LibcWrappers.cpp.o
[20/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/expr_builder__gen.cpp.o
qsym_backend/expr_builder__gen.cpp: In member function 'qsym::ExprRef qsym::SymbolicExprBuilder::createSub(qsym::NonConstantExprRef, qsym::NonConstantExprRef)':
qsym_backend/expr_builder__gen.cpp:827:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
827 | if (l->getChild(0)->isConstant()) {
| ^~
qsym_backend/expr_builder__gen.cpp:832:5: note: here
832 | case Sub: {
| ^~~~
ninja: build stopped: subcommand failed.
ninja: build stopped: subcommand failed.
The command '/bin/sh -c cmake -G Ninja -DQSYM_BACKEND=ON -DCMAKE_BUILD_TYPE=RelWithDebInfo -DZ3_TRUST_SYSTEM_VERSION=on /symcc_source && ninja check && cargo install --path /symcc_source/util/symcc_fuzzing_helper' returned a non-zero code: 1
Use LLVM SanitizerCoverage?
SymCC inserts calls at the beginning of each basic block, as well as for calls and returns, to support the QSYM backend's context-aware pruning. Recent versions of LLVM have support for coverage tracing (see https://clang.llvm.org/docs/SanitizerCoverage.html), so we could consider using their mechanism instead of the custom callbacks. However, I'm not totally certain that we would get an overall benefit, and we need to support relatively old versions of LLVM.
I'll leave this issue around as a reminder, to be re-evaluated later.
Symbolizer crashes when compiling binutils
Binutils version - 2.33.1
LLVM version - 10
OS: Ubuntu 18.04
The below assertion fails during compilation
assert(!verifyFunction(F, &errs()))
Ninja check failed on ubuntu 18.04
SymCC doesn't handle SSE instructions properly and crashes in debug builds (UNREACHABLE executed at ../compiler/Symbolizer.cpp:880! when building OpenJPEG)
Hi, I'm trying to build OpenJPEG but symcc (clang 10.0.1) is crushing. I've built the master branch of symcc and 1f1e9682 of OpenJPEG with:
CC=~/symcc/build/symcc CXX=~/symcc/build/sym++ SYMCC_NO_SYMBOLIC_INPUT=1 SYMCC_LIBCXX_PATH=/usr/include/c++/v1 cmake .. -DCMAKE_BUILD_TYPE=Release -DBUILD_THIRDPARTY=ON
However, building src/lib/openjp2/CMakeFiles/openjp2.dir/dwt.c.o fails with:
/home/theo/symcc/build/symcc -Dopenjp2_EXPORTS -Isrc/lib/openjp2 -O3 -DNDEBUG -fPIC -MD -MT src/lib/openjp2/CMakeFiles/openjp2.dir/dwt.c.o -MF src/lib/openjp2/CMakeFiles/openjp2.dir/dwt.c.o.d -o src/lib/openjp2/CMakeFiles/openjp2.dir/dwt.c.o -c ../src/lib/openjp2/dwt.c
Symbolizer module init
Symbolizing function opj_dwt_encode
Symbolizing function opj_dwt_encode_procedure
Symbolizing function opj_dwt_encode_1
Symbolizing function opj_dwt_decode
Symbolizing function opj_dwt_decode_1
Symbolizing function opj_dwt_getgain
Symbolizing function opj_dwt_getnorm
Symbolizing function opj_dwt_encode_real
Symbolizing function opj_dwt_encode_1_real
Symbolizing function opj_dwt_getgain_real
Symbolizing function opj_dwt_getnorm_real
Symbolizing function opj_dwt_calc_explicit_stepsizes
Warning: unhandled LLVM intrinsic llvm.floor.f64
Symbolizing function opj_dwt_decode_real
Symbolizing function opj_v4dwt_interleave_h
Symbolizing function opj_v4dwt_decode
Unhandled type for constant expression
UNREACHABLE executed at ../compiler/Symbolizer.cpp:880!
Stack dump:
0. Program arguments: /usr/bin/clang -Xclang -load -Xclang /home/theo/symcc/build/libSymbolize.so -Dopenjp2_EXPORTS -Isrc/lib/openjp2 -O3 -DNDEBUG -fPIC -MD -MT src/lib/openjp2/CMakeFiles/openjp2.dir/dwt.c.o -MF src/lib/openjp2/CMakeFiles/openjp2.dir/dwt.c.o.d -o src/lib/openjp2/CMakeFiles/openjp2.dir/dwt.c.o -c ../src/lib/openjp2/dwt.c -L/home/theo/symcc/build/SymRuntime-prefix/src/SymRuntime-build -lSymRuntime -Wl,-rpath,/home/theo/symcc/build/SymRuntime-prefix/src/SymRuntime-build -Qunused-arguments
1. <eof> parser at end of file
2. Per-module optimization passes
3. Running pass 'Function Pass Manager' on module '../src/lib/openjp2/dwt.c'.
4. Running pass 'Symbolization Pass' on function '@opj_v4dwt_decode'
#0 0x00007f98da3efeeb llvm::sys::PrintStackTrace(llvm::raw_ostream&) (/usr/bin/../lib/libLLVM-10.so+0x9e9eeb)
#1 0x00007f98da3eda44 llvm::sys::RunSignalHandlers() (/usr/bin/../lib/libLLVM-10.so+0x9e7a44)
#2 0x00007f98da3104c9 (/usr/bin/../lib/libLLVM-10.so+0x90a4c9)
#3 0x00007f98d969e3e0 __restore_rt (/usr/bin/../lib/libc.so.6+0x3c3e0)
#4 0x00007f98d969e355 raise (/usr/bin/../lib/libc.so.6+0x3c355)
#5 0x00007f98d9687853 abort (/usr/bin/../lib/libc.so.6+0x25853)
#6 0x00007f98da31fb90 LLVMInstallFatalErrorHandler (/usr/bin/../lib/libLLVM-10.so+0x919b90)
#7 0x00007f98d74f832b Symbolizer::createValueExpression(llvm::Value*, llvm::IRBuilder<llvm::ConstantFolder, llvm::IRBuilderDefaultInserter>&) (/home/theo/symcc/build/libSymbolize.so+0x5a32b)
#8 0x00007f98d74f278b Symbolizer::shortCircuitExpressionUses() (/home/theo/symcc/build/libSymbolize.so+0x5478b)
#9 0x00007f98d750d4d3 SymbolizePass::runOnFunction(llvm::Function&) (/home/theo/symcc/build/libSymbolize.so+0x6f4d3)
#10 0x00007f98da5215d8 llvm::FPPassManager::runOnFunction(llvm::Function&) (/usr/bin/../lib/libLLVM-10.so+0xb1b5d8)
#11 0x00007f98da522bdd llvm::FPPassManager::runOnModule(llvm::Module&) (/usr/bin/../lib/libLLVM-10.so+0xb1cbdd)
#12 0x00007f98da522f70 llvm::legacy::PassManagerImpl::run(llvm::Module&) (/usr/bin/../lib/libLLVM-10.so+0xb1cf70)
#13 0x00007f98e0424a25 clang::EmitBackendOutput(clang::DiagnosticsEngine&, clang::HeaderSearchOptions const&, clang::CodeGenOptions const&, clang::TargetOptions const&, clang::LangOptions const&, llvm::DataLayout const&, llvm::Module*, clang::BackendAction, std::unique_ptr<llvm::raw_pwrite_stream, std::default_delete<llvm::raw_pwrite_stream> >) (/usr/bin/../lib/libclang-cpp.so.10+0x1603a25)
#14 0x00007f98e076f67b (/usr/bin/../lib/libclang-cpp.so.10+0x194e67b)
#15 0x00007f98df624ad9 clang::ParseAST(clang::Sema&, bool, bool) (/usr/bin/../lib/libclang-cpp.so.10+0x803ad9)
#16 0x00007f98e0eb20a9 clang::FrontendAction::Execute() (/usr/bin/../lib/libclang-cpp.so.10+0x20910a9)
#17 0x00007f98e0e66a94 clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/usr/bin/../lib/libclang-cpp.so.10+0x2045a94)
#18 0x00007f98e0f36832 clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/usr/bin/../lib/libclang-cpp.so.10+0x2115832)
#19 0x0000561e59f477ed cc1_main(llvm::ArrayRef<char const*>, char const*, void*) (/usr/bin/clang+0x127ed)
#20 0x0000561e59f44ffc (/usr/bin/clang+0xfffc)
#21 0x00007f98e0b33165 (/usr/bin/../lib/libclang-cpp.so.10+0x1d12165)
#22 0x00007f98da3105e3 llvm::CrashRecoveryContext::RunSafely(llvm::function_ref<void ()>) (/usr/bin/../lib/libLLVM-10.so+0x90a5e3)
#23 0x00007f98e0b33fae (/usr/bin/../lib/libclang-cpp.so.10+0x1d12fae)
#24 0x00007f98e0b09b68 clang::driver::Compilation::ExecuteCommand(clang::driver::Command const&, clang::driver::Command const*&) const (/usr/bin/../lib/libclang-cpp.so.10+0x1ce8b68)
#25 0x00007f98e0b0a45a clang::driver::Compilation::ExecuteJobs(clang::driver::JobList const&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&) const (/usr/bin/../lib/libclang-cpp.so.10+0x1ce945a)
#26 0x00007f98e0b15ebc clang::driver::Driver::ExecuteCompilation(clang::driver::Compilation&, llvm::SmallVectorImpl<std::pair<int, clang::driver::Command const*> >&) (/usr/bin/../lib/libclang-cpp.so.10+0x1cf4ebc)
#27 0x0000561e59f42d09 main (/usr/bin/clang+0xdd09)
#28 0x00007f98d9689002 __libc_start_main (/usr/bin/../lib/libc.so.6+0x27002)
#29 0x0000561e59f4496e _start (/usr/bin/clang+0xf96e)
clang-10: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 10.0.1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
clang-10: note: diagnostic msg: PLEASE submit a bug report to and include the crash backtrace, preprocessed source, and associated run script.
clang-10: note: diagnostic msg:
Am I doing something wrong?
Thanks
Support for LLVM 11
When i tried to run 'ninja check', i get the following error:
/opt/symcc/build# ninja check
[5/14] Performing configure step for 'SymRuntime'
-- The C compiler identification is GNU 10.0.1
-- The CXX compiler identification is GNU 10.0.1
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done
-- Generating done
-- Build files have been written to: /opt/symcc/build/SymRuntime-prefix/src/SymRuntime-build
[8/14] Building CXX object CMakeFiles/Symbolize.dir/compiler/Symbolizer.cpp.o
FAILED: CMakeFiles/Symbolize.dir/compiler/Symbolizer.cpp.o
/usr/bin/c++ -DSymbolize_EXPORTS -isystem /usr/lib/llvm-11/include -std=c++17 -Wredundant-decls -Wcast-align -Wmissing-include-dirs -Wswitch-default -Wextra -Wall -Winvalid-pch -Wredundant-decls -Wformat=2 -Wmissing-format-attribute -Wformat-nonliteral -Werror -fPIC -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -MD -MT CMakeFiles/Symbolize.dir/compiler/Symbolizer.cpp.o -MF CMakeFiles/Symbolize.dir/compiler/Symbolizer.cpp.o.d -o CMakeFiles/Symbolize.dir/compiler/Symbolizer.cpp.o -c ../compiler/Symbolizer.cpp
../compiler/Symbolizer.cpp: In member function 'void Symbolizer::symbolizeFunctionArguments(llvm::Function&)':
../compiler/Symbolizer.cpp:38:77: error: no matching function for call to 'llvm::IRBuilder<>::CreateCall(llvm::Value* const&, llvm::ConstantInt*)'
38 | IRB.getInt8(arg.getArgNo()));
|
I have libllvm11, llvm-11-tools and llvm-11-dev installed, but it doesn't address the compilation issue.
Any suggestions please?
symCC not working against sample.cpp
Hi,
So i successfully built symcc and sym++ using llvm-8. I use the instructions from docker file to and manually compiled each piece. Everything appears to be compiled successfully.
When I tried to play with the sample.cpp, i followed the instruction and did "sym++ sample.cpp -o sample"
I ran the sample binary as follows:
"echo 'aaaa' | ./sample"
I got the following stdout:
This is SymCC running with the QSYM backend
Performing fully concrete execution (i.e., without symbolic input)
What's your name?
Hello, aaaa!
root@symcc:/opt# ls -al /tmp/output/
total 8
drwxr-xr-x 2 root root 4096 Sep 27 12:54 .
drwxrwxrwt 1 root root 4096 Sep 27 12:54 ..
According to the main github page for this project. There should be something in the /tmp/output folder, but I did not see anything after executing the sample binary.
Any suggestions?
Thank you.
Wishlist: secondary fuzzer instance like eclipser 2.0
eclipser 2.0 (https://github.com/SoftSec-KAIST/Eclipser#eclipser-v20) now does not its own fuzzing anymore and "just" tried to find new paths by concolic execution, basically what symcc does, but already as a ready-made tool to just just as an afl-fuzz -S secondary.
This feature is seriously missing for symcc, and would spread and improve it's usage.
my assumption is that the symcc is faster and better than eclipser so this would really be a great step forward.
Can symcc cover all the paths in one run?
Hi developers, for the following C program,
#include <unistd.h>
static int32_t g_1 = 10;
static int32_t g_2 = -1;
static int32_t func_1(void)
{
if (g_2 == 0) {
return 0;
}
if (g_1 < 0) {
return -1;
}
else {
return 1;
}
}
int main (int argc, char* argv[])
{
read(STDIN_FILENO, &g_1, sizeof(g_1));
read(STDIN_FILENO, &g_2, sizeof(g_2));
func_1();
return 0;
}If I feed g_1=10 and g_2=-1 to the instrumented executable, will symcc find the inputs for all three paths in one run?
g_2 == 0g_2 =/= 0 and g_1 < 0g_2 =/= 0 and g_1 >= 0
or do I need to recursively run the instrumented executable until no new input is generated?
C++ I/O intercept function support
Hi,
I am wondering do you have any plan to support the interception of C++ file I/O function (e.g. std::getline). Thank you in advance!
Ruoyu
Tests fail when ntohl contains inline assembly
Hi,
When building and checking with ninja check, it shows that 8 cases fail. It is weird since it works perfectly months ago and I follow the exact same building script. Could you help me check the possible issue?
I build the symcc with these commands and outputs:
CC=clang-10 CXX=clang++-10 cmake -G Ninja -DQSYM_BACKEND=OFF .
-- The C compiler identification is Clang 10.0.0
-- The CXX compiler identification is Clang 10.0.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/clang-10 - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/clang++-10 - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Found LLVM 10.0.0
-- Using LLVMConfig.cmake from /usr/lib/llvm-10/cmake
-- Configuring done
-- Generating done
-- Build files have been written to: /home/ruoyu/third_lib/symcc
And then ninja check:
ninja check output.txt
Thank you in advance!
LLVM 12 support
I've been poking around at attempting to add support for LLVM 12. Is this something someone else has looked at or made progress on? I took a first stab at it, and while I can build libSymbolize.so, when I try to run it on some sample code, I get the following error:
error: unable to load plugin '<plugin_path>': '<plugin_path>: undefined symbol: _ZTIN4llvm10CallbackVHE`
Any insight is appreciated.
modify implementation of mmap() wrapper
Hi, I noticed that mmap() and mmap64() didn't create symbolic expression in their libc wrapper. However, mmap sometimes will be used as a read function, since symbolic expression will be created in read() wrapper https://github.com/eurecom-s3/symcc/blob/master/runtime/LibcWrappers.cpp#L140, I also add these code in mmap64() wrapper, so that we can create symbolic expression inside it too. Here is my implementation:
void *SYM(mmap64)(void *addr, size_t len, int prot, int flags, int fildes,
uint64_t off) {
auto *result = mmap64(addr, len, prot, flags, fildes, off);
_sym_set_return_expression(nullptr);
if (result == MAP_FAILED) // mmap failed
return result;
if (fildes == inputFileDescriptor) {
// Reading symbolic input.
ReadWriteShadow shadow(result, len);
std::generate(shadow.begin(), shadow.end(),
[]() { return _sym_get_input_byte(inputOffset++); });
} else if (!isConcrete(result, len)) {
ReadWriteShadow shadow(result, len);
std::fill(shadow.begin(), shadow.end(), nullptr);
}
tryAlternative(len, _sym_get_parameter_expression(1), SYM(mmap64));
return result;
}
I can compile it successfully, however, I got error message when I tried to run target program:
Error: Sorts (_ BitVec 64) and (_ BitVec 32) are incompatible
Any idea about how to fix it?
Crash in binutils on AFL's small_exec.elf
Reported by @chenju2k6 in #12:
But seems objdump/nm/size crashes when analyzing small_exec.elf (a seed found from AFL). I built with -DQSYM_BACKEND=ON The Binutils version is 2.33.1
The command to produce the issue is below (for objdump)
SYMCC_INPUT_FILE=/path/to/small_exec.elf ./objdump -D /path/to/small_exec.elf
We crash inside Z3_solver_reset(), invoked by the QSYM backend. Looks like a memory corruption or an invalid expression pointer.
Warning: unhandled LLVM intrinsic
Just started playing with symcc and while compiling a target I get many warnings like this:
Warning: unhandled LLVM intrinsic llvm.floor.f64
Warning: unhandled LLVM intrinsic llvm.va_start
Warning: unhandled LLVM intrinsic llvm.va_end
is this a problem?
symcc_fuzzing_helper SYMCC_AFL_COVERAGE_MAP doesnt work
so that the coverage map generated by afl-showmap and used by symcc is correct the exact same instrumentation has to be in the afl-fuzz binary as in the symcc instrumented binary.
in cases where the afl-fuzz + symcc binary is not qemu based (with symqemu) this is hardly ever the case.
all vanilla AFL instrumentations - afl-gcc, afl-llvm-pass and sancov - assign random basic block ids, so the map could never ever match.
with afl++ it is possible to match - if non-colliding coverage instrumentation types would be used, and the same clang version and the same compiler optimization options. so basically this would not be the case either.
plus I do not know if the symcc instrumentation has an influence over the control path? If so and the coverage map instrumentation is afterwards then this is impossible to ever work.
only with qemu_mode the coverage map will be guaranteed to match.
if the map does not match then wrong decisions are made to decide if a new path was found or not.
So what is the solution? I would propose not generating and using the map unless qemu_mode is used.
Collecting constraints of real-world program
Hi, I wonder if it is doable to use SymCC to collect real-world program's path constraints? Supposing we have a CVE and the corresponding poc, we want to collect the constraints along the execution trace.
I know the libc interaction will be a serious problem, and I have also noticed this: #23, so what if I add all the necessary libc wrappers, may I manage to collect the complete constraints then?
For adding libc wrappers approach, the developed of SymCC has said like this:
it doesn't scale if your target uses many libc functions on symbolic data
What the meaning of scale? Just time-consuming? If it can collect the constraints successfully, time-cost won't be a serious problem. (For example, the automatic exploit generation guys don't care about the speed much)
Tests fail due to undefined symbol _ZN4llvm15SmallVectorBase8grow_podEPvmm: libSymbolize.so
Hi, I'm trying to compile symCC, I've managed to install all the dependencies and ninja builds correctly but all the tests fail, and attempting to run ./symcc also results in this same error as the tests.
The exact log I get for each of the tests is as follows:
clang-11: error: unable to execute command: No such file or directory
clang-11: error: clang frontend command failed due to signal (use -v to see invocation)
clang version 11.0.0 (Fedora 11.0.0-2.fc33)
I'm unsure what the cause of this is, or how to solve it and was hoping you might be able to help. The only thought I have is that its looking for some sort of Vector instruction, (Since Vector is in the symbol name) which I'm aware from reading the paper that symcc does not support, hence its position in LLVMs optimization stack.
Its possible I'm simply being an idiot and doing something wrong, please tell me if that's so!
Thanks
Edit:
I further looked into libSymbolize.so using 'nm' and indeed find that the symbol is undefined:
U _ZN4llvm15SmallVectorBase8grow_podEPvmm
Whereas most other symbols are of type 'W' meaning a weak symbol, with a default specified (I think).
I also realise I am using clang 11.0.0, which perhaps explains this, as I believe clang 11 is linked to llvm 11 which this project does not support, despite me building with llvm10?
Simple build script for Symcc?
Hello .
Isn't that better to have a simple build script (like QSYM) to install symcc requirements like LLVM and Z3 altogoether without having problem with path of different modules? like z3 path cmake and etc ?
I face a lot of problems building symcc multiple times :-(
symcc: No output for openjpeg example
After built of openjpeg, I have followed the following steps to start symbolic execution:
ubuntu@a7235eb2816d:~$ export SYMCC_INPUT_FILE='/tmp/file1.jp2'
ubuntu@a7235eb2816d:~$ unset SYMCC_NO_SYMBOLIC_INPUT
ubuntu@a7235eb2816d:~$ echo $SYMCC_INPUT_FILE
/tmp/file1.jp2
ubuntu@a7235eb2816d:~$ sudo /tmp/openjpeg/build/bin/opj_decompress -i @@ -o /tmp/output/image.pgm
This is SymCC running with the QSYM backend
Reading program input until EOF (use Ctrl+D in a terminal)...
If I run the program without sudo:
ubuntu@a7235eb2816d:~$ /tmp/openjpeg/build/bin/opj_decompress -i @@ -o /tmp/output/image.pgm
This is SymCC running with the QSYM backend
Making data read from /tmp/file1.jp2 as symbolic
!! infile cannot be read: @@ !!
Query:
Is it working? Program is waiting here for long time. Is the program waiting for input from stdin? Any suggestion.
Incorrect constraints in tcpdump
Hi,
I'm using symcc on tcpdump (version 4.9.3, with libpcap 1.9.1). I compiled it using the instructions in the docs.
When executing the binary, after some time, I'm getting the following warning (many times):
[INFO] syncConstraints: Incorrect constraints are inserted
I'm running the binary in this way:
SYMCC_INPUT_FILE=./seed/small_capture.pcap ./tcpdump_symcc -e -vv -nr ./seed/small_capture.pcapThe seed is taken from afl.
I debugged it a little bit, and it seems that just before the first warning pops out, symcc adds the following conflicting constraints to the path constraint:
Equal(0x1A567B2, 0x1A5679E + (ZExt(bits=64, And(0x3C, Shl(Read(index=36), 0x2)))))
Equal(0x1A567B4, 0x1A567A2 + (ZExt(bits=64, And(0x3C, Shl(Read(index=36), 0x2)))))
Using gdb, it seems that the constraints were added in tcp_print function. Probably they refer to the branches in the ND_TTEST_2 macro.
Any idea of what is going on? Am I doing something wrong?
Thanks,
Luca
Recommended workflow for afl and symcc combination
Hi,
I am curious about the workflow recommended for combining symcc and afl. In the documentation it is suggested to use a master + a secondary afl in combination with SymCC. Is there are reason for having two AFLs rather than one? It says in the documentation (
Line 112 in 9b20609
It is possible to run SymCC with only an AFL master or only a secondary AFLinstance; see the AFL docs for the implications." Could you elaborate on this?
Cross-referencing:
Error on compiling symcc
Hello .
I have the following output after "ninja check"
/home/crypto/symcc/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp: In member function ‘bool qsym::Solver::isInterestingJcc(qsym::ExprRef, bool, ADDRINT)’:
/home/crypto/symcc/runtime/qsym_backend/qsym/qsym/pintool/solver.cpp:511:39: warning: unused parameter ‘rel_expr’ [-Wunused-parameter]
bool Solver::isInterestingJcc(ExprRef rel_expr, bool taken, ADDRINT pc) {
^~~~~~~~
[20/21] Building CXX object qsym_backend/CMakeFiles/SymRuntime.dir/expr_builder__gen.cpp.o
qsym_backend/expr_builder__gen.cpp: In member function ‘qsym::ExprRef qsym::SymbolicExprBuilder::createSub(qsym::NonConstantExprRef, qsym::NonConstantExprRef)’:
qsym_backend/expr_builder__gen.cpp:827:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (l->getChild(0)->isConstant()) {
^~
qsym_backend/expr_builder__gen.cpp:832:5: note: here
case Sub: {
^~~~
[21/21] Linking CXX shared library libSymRuntime.so
qsym_backend/CMakeFiles/SymRuntime.dir/Runtime.cpp.o: In function `_sym_initialize':
Runtime.cpp:(.text+0x402): warning: the use of `tmpnam' is dangerous, better use `mkstemp'
[13/14] Testing the system...
/bin/sh: 1: lit: not found
FAILED: test/CMakeFiles/check
cd /home/crypto/symcc/build/test && lit --verbose --path=/home/crypto/llvm-project-llvmorg-10.0.1/build/./bin /home/crypto/symcc/build/test
ninja: build stopped: subcommand failed.
So where the problem is ?
using llvm 10 as said in the documentation . ubuntu 18 x64
The command before ninja check is :
cmake -D CMAKE_C_COMPILER=clang -D CMAKE_CXX_COMPILER=clang++ -G Ninja ../ -DQSYM_BACKEND=ON -DZ3_DIR="$FUZZER/z3/build/symcc/z3/cmake_conf"
FUZZER variable is : /home/crypto/symcc
(symcc root) .
Thanks
Missing build dependencies in README
Hi!
It would be nice to list all build dependencies in README. Like lit and so on.
SYMCC_INPUT_FILE comparison uses strstr
When running a command like
SYMCC_INPUT_FILE=inp x86_64-linux-user/symqemu-x86_64 /bin/cat -t inp2
I wouldn't expect the inp2 file to be marked as symbolic, but the environment variable comparison is using strstr instead of my expectation of strcmp.
symcc/runtime/LibcWrappers.cpp
Lines 114 to 122 in 4fddd3c
Running SymCC & Interpreting Results, Prerequisite on main Function
Dear SymCC devs,
now that I managed to compile SymCC inside my Ubuntu VM, I am trying to run it on the initial sample you provide in your readme:
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
int foo(int a, int b) {
if (2 * a < b)
return a;
else if (a % b)
return b;
else
return a + b;
}
int main(int argc, char* argv[]) {
int x;
if (read(STDIN_FILENO, &x, sizeof(x)) != sizeof(x)) {
printf("Failed to read x\n");
return -1;
}
printf("%d\n", foo(x, 7));
return 0;
}
The output I get is:
echo 'aaaa' | ./test
This is SymCC running with the QSYM backend
Reading program input until EOF (use Ctrl+D in a terminal)...
a: 1633771873
[STAT] SMT: { "solving_time": 0, "total_time": 20337 }
[STAT] SMT: { "solving_time": 19354 }
[INFO] New testcase: /tmp/output/000000
1633771873
The file /tmp/output/000000, however, is empty. Does this mean that "000000" is the suggested test case? Unfortunately, the README does not mention the expected output and how to interpret it, so I'm a little lost here.
Also, I don't understand the code you're using for reading from STDIN (sorry, no C native), so I tried to replace it with scanf("%d\n", x) which gives me a nice integer I know how to process. But then, SymCC does not perform any instrumentation, or it does not generate any test cases. What are the prerequisites for the main function to use SymCC for own code?
It would be great if you could help me out!
I'm planning to play around with SymCC for own research, and also I'm going to present the paper in an upcoming reading group next Monday. It would be great if I knew until then how to use it!
Thanks & Best Regards,
Dominic
Failed to pipe the test input to afl-showmap
After building my own dockerfile and running on a target I constantly get:
[2021-01-24T11:35:15Z INFO symcc_fuzzing_helper] Ignoring new test case /tmp/.tmpPBic7v/output/000011-optimistic because afl-showmap timed out on it
Error: Failed to check whether test case /tmp/.tmpPBic7v/output/000003-optimistic is interesting
Caused by:
0: Failed to pipe the test input to afl-showmap
1: Broken pipe (os error 32)
which results in terminating the exploration. and as it cant continue I have to wipe out/symcc, restart and it restarts from scratch ...
wouldn't it be better to just skip if this error comes up instead of terminating?
Potential bug in the Symbolise pass -- "Calling a function with a bad signature''
Hi,
I am trying to support SymCC for Ada and I hit a potential bug while building our runtime library:
opt: /home/georgiou/work/projects/Symbolic_execution/llvm_source_10.0.0/llvm/lib/IR/Instructions.cpp:398: void llvm::CallInst::init(llvm::FunctionType*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >, const llvm::Twine&): Assertion `(i >= FTy->getNumParams() || FTy->getParamType(i) == Args[i]->getType()) && "Calling a function with a bad signature!"' failed.
Stack dump:
0. Program arguments: /home/georgiou/work/projects/Symbolic_execution/build/bin/opt -load /home/georgiou/work/projects/Symbolic_execution/SymCC/symcc_build_simple/libSymbolize.so -symbolize g-alleve.bc -o symbolize_bc/g-alleve.bc
1. Running pass 'Function Pass Manager' on module './g-alleve.bc'.
2. Running pass 'Symbolization Pass' on function '@gnat__altivec__low_level_vectors__ll_vsc_operations__abs_vxiXnn'
#0 0x000055c8e040df3e llvm::sys::PrintStackTrace(llvm::raw_ostream&) /home/georgiou/work/projects/Symbolic_execution/llvm_source_10.0.0/llvm/lib/Support/Unix/Signals.inc:568:3
....
I am attaching a zip with the LLVM bitcode file causing the issue.
Thank you,
Kyriakos
symcc_fuzzing_helper indicates process either timing out or out of memory
Hi,
So i used the new Dockerfile and can now get the sample.cc to work.
I am trying to use symcc in combination with AFL. However, i am getting the following which does not appear to be 'good':
2020-10-02T03:01:49Z INFO symcc_fuzzing_helper] Running on input /opt/outputs/fuzzer02/queue/id:000384,sync:fuzzer01,src:000081,+cov
[2020-10-02T03:03:20Z INFO symcc_fuzzing_helper] Generated 95 test cases (0 new)
[2020-10-02T03:03:20Z INFO symcc_fuzzing_helper] The target process was killed (probably timeout or out of memory); archiving to /opt/outputs/symcc/hangs
I am getting repeated 'target process was killed ..' message. Is this something with symcc? the target + harness appears to be in good shape, so I am not sure what could be the cause of the issue?
Total max runtime
I am running a concolic solver benchmark on fuzzbench with symcc, symqemu, fuzzolic and eclipser:
https://www.fuzzbench.com/reports/experimental/2021-07-03-symbolic/index.html
I try to make this as fair as possible, last issue though is the runtime/timeout given to the solver, here symcc/symqemu. there it is not possible to set a value like it is possible for fuzzolic and eclipser.
what is the total maximum time that symcc/symqemu are running? So I can set this value to fuzzolic and eclipser for the next benchmark.
thank you!
Path not found
This example file:
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
char buf[1024];
ssize_t i;
if ((i = read(0, buf, sizeof(buf) - 1)) < 24) return 0;
buf[i] = 0;
if (buf[0] != 'A') return 0;
if (buf[1] != 'B') return 0;
if (buf[2] != 'C') return 0;
if (buf[3] != 'D') return 0;
if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) return 0;
if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0)
abort();
return 0;
}
the abort() can be triggered with:
echo -en 'ABCD1234EFGHIJKLDEADBEEF\0'|./test
when I compile the test.c with symcc, and feed the most advanced input it finds, it can not get past "ABCD1234EFGHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", so it cannot solve the last strcmp with DEADBEEF\0 - I guess this is a bug? or is this too complex to solve?
Dockerfile fails
Building a container from scratch fails:
$ docker build -t symcc .
[...]
[12/14] Building CXX object CMakeFiles/Symbolize.dir/compiler/Symbolizer.cpp.o
[13/14] Linking CXX shared module libSymbolize.so
[13/14] Testing the system...
-- Testing: 16 tests, 16 workers --
FAIL: compiler :: structs.c (1 of 16)
******************** TEST 'compiler :: structs.c' FAILED ********************
Script:
--
: 'RUN: at line 15'; /symcc_build_simple/test/../symcc -O2 /symcc_source/test/structs.c -o /symcc_build_simple/test/Output/structs.c.tmp
: 'RUN: at line 16'; echo -ne "\x00\x00\x00\x05" | /symcc_build_simple/test/Output/structs.c.tmp 2>&1 | FileCheck --check-prefix=SIMPLE --check-prefix=ANY /symcc_source/test/structs.c
--
Exit Code: 1
Command Output (stdout):
--
$ ":" "RUN: at line 15"
$ "/symcc_build_simple/test/../symcc" "-O2" "/symcc_source/test/structs.c" "-o" "/symcc_build_simple/test/Output/structs.c.tmp"
# command stderr:
Warning: losing track of symbolic expressions at inline assembly %22 = call i32 asm "bswap $0", "=r,0,~{dirflag},~{fpsr},~{flags}"(i32 %16) #4, !srcloc !8
[...]
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.