
Compatibility with LLVM6.0 on soon-to-be-release nightly #29

Closed
PaulGrandperrin opened this issue Feb 5, 2018 · 5 comments

@PaulGrandperrin
Member

Rustc will very soon merge its shiny new LLVM6.0 backend rust-lang/rust#47828.
It will break fuzzing with current libfuzzer because the generated coverage instrumentation will expect new symbols to be implemented by the linked fuzzer implementation.

The current libfuzzer in libfuzzer-sys is 4.0 and is missing those new symbols.
Upgrading libfuzzer source code to 6.0 while disabling sanitizers works well and is compatible with compiler using LLVM4.0 (so the transition will be easy).

However, being able to compile with sanitizer enabled will need more work: for instance, to make sanitizer=address work, we will probably need to first package asan

@nagisa
Member

nagisa commented Feb 5, 2018

We only support the current nightly, so this will get updated whenever a nightly with LLVM 6.0 happens.

Originally sanitizers were included only because they were required for fuzzing, however if they aren’t anymore, there’s less of the need to actually include sanitizer support with cargo fuzz. We can instead delegate users to use -Zsanitizer feature directly.

@PaulGrandperrin
Member Author

I'm reporting this in advance because the upgrade to libFuzzer6.0 with support for sanitizer is non-trivial and might take time.
However, if we just drop the support for sanitizers, then the upgrade will be easy.
I just wanted to help the fuzzing team be aware that a decision will soon need to be made about sanitizer support or lack thereof.
If the team chooses to continue to support sanitizers (which makes sense because of the unsafe{} and C libraries) then some work will need to be done before cargo-fuzz can work with rustc on LLVM6.0.

@PaulGrandperrin
Member Author

For info here is a segfault using libfuzzer6.0 and libasan6.0:

```
[6] INFO: Seed: 4163609845
[6] INFO: Loaded 1 modules   (77596 guards): 77596 [0x55bface8e420, 0x55bfaceda090), 
[6] INFO:      146 files found in /home/paulg/Projets/reactfs/fuzz/corpus/btree
[6] AddressSanitizer:DEADLYSIGNAL
[6] =================================================================
[6] ==25825==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x55bfac62c415 bp 0x7ffd48885eb0 sp 0x7ffd48885d60 T0)
[6] ==25825==The signal is caused by a WRITE memory access.
[6] ==25825==Hint: address points to the zero page.
[6]     #0 0x55bfac62c414  (/home/paulg/Projets/reactfs/fuzz/target/x86_64-unknown-linux-gnu/debug/btree+0x20414)
[6]     #1 0x55bfacbb681b  (/home/paulg/Projets/reactfs/fuzz/target/x86_64-unknown-linux-gnu/debug/btree+0x5aa81b)
[6]     #2 0x55bfacbb60e1  (/home/paulg/Projets/reactfs/fuzz/target/x86_64-unknown-linux-gnu/debug/btree+0x5aa0e1)
[6]     #3 0x55bfacbcd2e8  (/home/paulg/Projets/reactfs/fuzz/target/x86_64-unknown-linux-gnu/debug/btree+0x5c12e8)
[6] 
[6] AddressSanitizer can not provide additional info.
[6] SUMMARY: AddressSanitizer: SEGV (/home/paulg/Projets/reactfs/fuzz/target/x86_64-unknown-linux-gnu/debug/btree+0x20414) 
[6] ==25825==ABORTING
[6] MS: 0 ; base unit: 0000000000000000000000000000000000000000
[6] 
[6] 
[6] artifact_prefix='/home/paulg/Projets/reactfs/fuzz/artifacts/btree/'; Test unit written to /home/paulg/Projets/reactfs/fuzz/artifacts/btree/crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
[6] Base64: 
Worker 6 finished fuzzing
```

and the same segfault without any sanitizers:

```
[4] INFO: Seed: 3725420511
[4] INFO: Loaded 1 modules   (27937 guards): 27937 [0x55ecad9d2b4c, 0x55ecad9edfd0), 
[4] INFO:      146 files found in /home/paulg/Projets/reactfs/fuzz/corpus/btree
[4] ==29058== ERROR: libFuzzer: deadly signal
[4] NOTE: libFuzzer has rudimentary signal handlers.
[4]       Combine libFuzzer with AddressSanitizer or similar for better crash reports.
[4] SUMMARY: libFuzzer: deadly signal
[4] MS: 0 ; base unit: 0000000000000000000000000000000000000000
[4] 
[4] 
[4] artifact_prefix='/home/paulg/Projets/reactfs/fuzz/artifacts/btree/'; Test unit written to /home/paulg/Projets/reactfs/fuzz/artifacts/btree/crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
[4] Base64: 
Worker 4 finished fuzzing
```
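
The two logs above differ in how much the crash report tells you: with ASan the fault is classified (SEGV, WRITE, near-null address), without it libFuzzer only reports a "deadly signal". As an added example that is not part of libfuzzer-sys or cargo-fuzz, here is a small Rust triage helper that parses a cargo-fuzz worker's output into those fields; the log text embedded in it is constructed to match the shape of the reports above.

```rust
// Added example (not libfuzzer-sys code): classify a cargo-fuzz worker's crash
// output so triage can tell an AddressSanitizer report apart from libFuzzer's
// bare "deadly signal" and pull out the reproducer path.

#[derive(Debug, PartialEq)]
pub struct CrashReport {
    pub sanitizer: bool,          // true when AddressSanitizer wrote the report
    pub kind: String,             // "SEGV", "deadly signal", ...
    pub access: Option<String>,   // "WRITE" / "READ" when ASan states it
    pub zero_page: bool,          // ASan hint: the fault is a near-null access
    pub artifact: Option<String>, // reproducer path libFuzzer wrote
}

/// Drop the "[N] " worker prefix that cargo-fuzz puts in front of every line.
fn strip_worker(line: &str) -> &str {
    let l = line.trim_start();
    match l.strip_prefix('[').and_then(|rest| rest.split_once("] ")) {
        Some((_, body)) => body,
        None => l,
    }
}

/// Returns None when the log contains no crash at all (a clean run).
pub fn parse_crash(log: &str) -> Option<CrashReport> {
    let mut r = CrashReport { sanitizer: false, kind: String::new(),
                              access: None, zero_page: false, artifact: None };
    for raw in log.lines() {
        let line = strip_worker(raw);
        if let Some((_, rest)) = line.split_once("ERROR: AddressSanitizer: ") {
            r.sanitizer = true;
            r.kind = rest.split_whitespace().next().unwrap_or("").to_string();
        } else if let Some((_, rest)) = line.split_once("ERROR: libFuzzer: ") {
            r.kind = rest.trim().to_string();
        } else if let Some((_, rest)) = line.split_once("signal is caused by a ") {
            r.access = rest.split_whitespace().next().map(str::to_string);
        } else if line.contains("address points to the zero page") {
            r.zero_page = true;
        } else if let Some((_, path)) = line.split_once("Test unit written to ") {
            r.artifact = Some(path.trim().to_string());
        }
    }
    if r.kind.is_empty() { None } else { Some(r) }
}

// Constructed sample: an abbreviated ASan report in the same shape as the issue's.
pub const ASAN_LOG: &str = "[6] ==25825==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001\n\
[6] ==25825==The signal is caused by a WRITE memory access.\n\
[6] ==25825==Hint: address points to the zero page.\n\
[6] artifact_prefix='/tmp/artifacts/'; Test unit written to /tmp/artifacts/crash-0000\n";
```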

@ishitatsuyuki

I think ThinLTO broke sanitizer and it's still a non-workaroundable problem. Were there any changes since rust-lang/rust#45220?

@frewsxcv
Member

frewsxcv commented Feb 10, 2018

Update: The rust LLVM6.0 PR merged 11 hours ago rust-lang/rust#47828

bors bot added a commit that referenced this issue Feb 18, 2018
30: Upgrade libfuzzer for LLVM 6.0 r=frewsxcv a=nagisa

This PR pulls in the changes to libfuzzer, at commit llvm-mirror/compiler-rt@cc0ab3f.

My observation is that this works just fine with current state of affairs. That is, given a:

```
$ rustc -Cllvm-args=-version
LLVM (http://llvm.org/):
  LLVM version 6.0.0
  Optimized build.
  Default target: x86_64-unknown-linux-gnu
  Host CPU: znver1
```

The following command, when run within both of the `example` folders in this repository, works "just" fine (should also be confirmed by the CI), which somewhat counteracts observations made in #29, that libfuzzer cannot work with sanitizers anymore (quite the contrary, it seems that sanitizers are still required).

```
cargo rustc --release -- -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=4 -Cllvm-args=-sanitizer-coverage-trace-compares -Cpanic=abort -Cllvm-args=-sanitizer-coverage-trace-divs -Cllvm-args=-sanitizer-coverage-trace-geps -Cllvm-args=-sanitizer-coverage-prune-blocks=0 -Zsanitizer=address
```

If I remember correctly, cargo-fuzz generates fuzz targets with this git repository as a dependency. This means that all these fuzz targets will possibly break for people using older compilers once we upgrade, however not upgrading libfuzzer-sys will(?) break people using the new nightly.

While our compatibility story is, I believe, that we support only the current nightly without any real back or forward compatibility, this might be a good time to think about how we want to go about our versioning and release flow. Perhaps we’ll be able to find some way that does not break everybody’s fuzz targets every time LLVMup happens.

Fixes https://github.com/rust-fuzz/libfuzzer-sys/issues/29

r? @frewsxcv or @Manishearth
cc @PaulGrandperrin
@bors bors bot closed this as completed in #30 Feb 18, 2018