AFLplusplus: LLVM-Mode Split Floating-Point Comparison incorrectness bug
When testing the attached toy example (read() input from stdin directly into a double, then check if it is between 15.5 and 15.51), I found that the LLVM split-compares pass produced a binary that no longer crashed on an input that should crash.
While it's not 100% necessary that binaries with the extra comparison splitting on floating point mirror the exact precision of the original (just as long as a crash in the split-compare binary actually crashes the original), what I found was that fuzzing the example didn't produce a crash after an hour of fuzzing. This is unexpected given that I was able to use the QEMU-mode split-FP-comparison to find a crash in the original (gcc-compiled) binary in roughly 10 seconds.
I didn’t manage to troubleshoot where in the split-compares stuff things went wrong, but I thought I’d let you know. Example code, compilation in docker script, and input that should crash are in attached zip; tested on an x64 system with the public aflplusplus docker image.
Edit: In case this trips anyone else up in testing/troubleshooting, I also noticed that the split-comparison env flags get ignored if afl-clang-fast doesn't detect that it's on a tty (as is the case for docker build or docker run if you don't use -t). My workaround was to pass AFL_DEBUG=1 as an env variable, which I stumbled across during troubleshooting, but that's probably not intended.
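The toy harness described in the report, reconstructed as an added example (this is not the attached file and not AFL++'s own pass code). It assumes the window is strict (15.5 < x < 15.51) and pairs the native comparison with a hand-written sign/exponent/mantissa comparison of the kind a split-compare pass emits, so the two can be checked against each other on boundary values.

```c
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <math.h>

/* Assumed crash window (the report only says "between 15.5 and 15.51"). */
#define LOW  15.5
#define HIGH 15.51

/* Native double comparison: the behaviour the instrumented binary must preserve. */
int in_window(double x) { return x > LOW && x < HIGH; }

/* Decompose an IEEE-754 binary64 value into its sign, exponent and mantissa fields. */
static void split_fields(double d, int *sign, int *exp, uint64_t *mant) {
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    *sign = (int)(bits >> 63);
    *exp  = (int)((bits >> 52) & 0x7FF);
    *mant = bits & ((1ULL << 52) - 1);
}

/* Ordered "a < b" as a chain of integer comparisons on the split fields
   (illustrative re-implementation, not the AFL++ LLVM pass itself). */
int split_lt(double a, double b) {
    int sa, sb, ea, eb; uint64_t ma, mb;
    split_fields(a, &sa, &ea, &ma);
    split_fields(b, &sb, &eb, &mb);
    if ((ea == 0x7FF && ma) || (eb == 0x7FF && mb)) return 0;  /* NaN: ordered compare is false */
    int za = (ea == 0 && ma == 0), zb = (eb == 0 && mb == 0);
    if (za && zb) return 0;                                     /* -0.0 == +0.0 */
    if (sa != sb) return sa;                                    /* negative < positive */
    int lt_mag = ea < eb || (ea == eb && ma < mb);              /* |a| < |b| */
    int gt_mag = ea > eb || (ea == eb && ma > mb);              /* |a| > |b| */
    return sa ? gt_mag : lt_mag;                                /* both negative: order flips */
}

/* Same window check, but built only from the split comparison. */
int split_in_window(double x) { return split_lt(LOW, x) && split_lt(x, HIGH); }

int main(void) {
    double x = 0.0;
    /* Eight raw bytes from stdin are reinterpreted as a double, as in the report. */
    if (read(0, &x, sizeof x) != (ssize_t)sizeof x) return 0;
    if (in_window(x)) abort();  /* the crash the fuzzer is expected to reach */
    return 0;
}
```

Feeding the harness an 8-byte little-endian encoding of a value such as 15.505 aborts under the native check; the split variant must agree on every input, and disagreement on any value is exactly the class of defect this issue reports.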
About this issue
- State: closed
- Created 4 years ago
- Comments: 15 (10 by maintainers)
Commits related to this issue
- fix issue #446 — committed to AFLplusplus/AFLplusplus by hexcoder- 4 years ago
- [NFC] typo fix (#446) — committed to mattweingarten/AFLplusplus by zchcai 4 years ago
Pulled a dev branch source zip from github, built everything on a separate machine without docker (ubuntu 18.04 with clang-9 from apt), and everything seemed to work just fine. Nice work on the fix 👍