AFLplusplus: LLVM-Mode Split Floating-Point Comparison incorrectness bug

When testing the attached toy example (read() input from stdin directly into a double, then check if it is between 15.5 and 15.51), I found that the LLVM split-compares pass produced a binary that no longer crashed on an input that should crash.

While it’s not 100% necessary that binaries with the extra comparison splitting on floating point mirror the exact precision of the original (just as long as a crash in the split-compare binary actually crashes the original), what I found was that fuzzing the example didn’t produce a crash after an hour of fuzzing. This is unexpected given that I was able to use the QEMU-mode split-FP-comparison to find a crash in the original (gcc-compiled) binary in roughly 10 seconds.

I didn’t manage to troubleshoot where in the split-compares stuff things went wrong, but I thought I’d let you know. Example code, compilation in docker script, and input that should crash are in attached zip; tested on an x64 system with the public aflplusplus docker image.

split-fp-test.zip

Edit: In case this trips anyone else up in testing/troubleshooting, I also noticed that the split-comparison env flags get ignored if afl-clang-fast doesn’t detect that it’s on a tty (as is the case for docker build or docker run if you don’t use -t). My workaround was to pass AFL_DEBUG=1 as an env variable, which I stumbled across during troubleshooting, but that’s probably not intended.
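As an added illustration (my own reconstruction, not the attached split-fp-test.zip or any AFL++ code), here is a harness matching the report's description: raw stdin bytes are read straight into a double and the process aborts when the value falls in [15.5, 15.51]. The helper names and the byte-to-double conversion are assumptions; the 8-byte little-endian layout matches the x64 target the report was tested on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bounds of the "crash window" from the report. */
static const double LO = 15.5;
static const double HI = 15.51;

/* The floating-point range check that the split-compares pass
 * (AFL_LLVM_LAF_SPLIT_FLOATS=1 under afl-clang-fast) has to rewrite
 * without changing its outcome: 1 when v is inside [LO, HI], else 0. */
int in_crash_window(double v) {
    return v >= LO && v <= HI;
}

/* Reinterpret the first 8 raw input bytes as an IEEE 754 double, which is
 * what read()-ing stdin directly into a double does on x64 (little-endian).
 * Returns 0 and leaves *out untouched when fewer than 8 bytes are supplied. */
int bytes_to_double(const unsigned char *buf, size_t len, double *out) {
    if (len < sizeof(double)) return 0;
    memcpy(out, buf, sizeof(double));
    return 1;
}

/* Inverse helper: the 8 bytes an input file must hold to reach the abort,
 * i.e. how a "should crash" test input for this harness is produced. */
void double_to_bytes(double v, unsigned char out[8]) {
    memcpy(out, &v, sizeof(double));
}

int main(void) {
    unsigned char buf[8];
    ssize_t n = read(0, buf, sizeof buf);   /* toy harness: one short read */
    double v;
    if (n < 0 || !bytes_to_double(buf, (size_t)n, &v)) return 0;
    if (in_crash_window(v)) abort();         /* the crash the fuzzer should find */
    return 0;
}
```

Running the same source through plain clang and through afl-clang-fast with the split-floats option, then feeding both the bytes from double_to_bytes(15.505, ...), is the quickest way to confirm whether the instrumented binary still aborts.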

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 15 (10 by maintainers)

Most upvoted comments

Pulled a dev branch source zip from github, built everything on a separate machine without docker (ubuntu 18.04 with clang-9 from apt), and everything seemed to work just fine. Nice work on the fix 👍