Status: Open
Labels: bug (Something isn't working)
Description
IMPORTANT
- [x] You have verified that the issue is present in the current main branch
Thank you for making LibAFL better!
Describe the bug
$ RUST_BACKTRACE=1 ./target/release/libfuzzer_stb_image_concolic --concolic
Workdir: "/home/decaf/proj/libfuzzer_stb_image_concolic/fuzzer"
We're a client, let's fuzz :)
We imported 4 inputs from disk.
thread 'main' (14581) panicked at /home/decaf/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/z3-0.19.5/src/ast/bv.rs:190:5:
called `Option::unwrap()` on a `None` value
stack backtrace:
0: __rustc::rust_begin_unwind
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/panicking.rs:698:5
1: core::panicking::panic_fmt
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/panicking.rs:75:14
2: core::panicking::panic
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/panicking.rs:145:5
3: core::option::unwrap_failed
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/option.rs:2169:5
4: core::option::Option<T>::unwrap
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/option.rs:1010:21
5: z3::ast::bv::BV::bvsub
at /home/decaf/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/z3-0.19.5/src/ast/mod.rs:74:75
6: libafl::stages::concolic::generate_mutations
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/concolic.rs:172:26
7: <libafl::stages::concolic::SimpleConcolicMutationalStage<I,Z> as libafl::stages::Stage<E,EM,S,Z>>::perform::{{closure}}
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/concolic.rs:400:31
8: core::option::Option<T>::map
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/option.rs:1159:29
9: <libafl::stages::concolic::SimpleConcolicMutationalStage<I,Z> as libafl::stages::Stage<E,EM,S,Z>>::perform
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/concolic.rs:398:70
10: <ST as libafl::stages::RestartableStage<E,EM,S,Z>>::perform_restartable
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/mod.rs:272:18
11: <(Head,Tail) as libafl::stages::StagesTuple<E,EM,S,Z>>::perform_all
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/mod.rs:193:23
12: <(Head,Tail) as libafl::stages::StagesTuple<E,EM,S,Z>>::perform_all
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/mod.rs:210:16
13: <libafl::fuzzer::StdFuzzer<CS,F,IC,IF,OF> as libafl::fuzzer::Fuzzer<E,EM,I,S,ST>>::fuzz_one
at /home/decaf/proj/LibAFL/crates/libafl/src/fuzzer/mod.rs:1034:16
14: <libafl::fuzzer::StdFuzzer<CS,F,IC,IF,OF> as libafl::fuzzer::Fuzzer<E,EM,I,S,ST>>::fuzz_loop
at /home/decaf/proj/LibAFL/crates/libafl/src/fuzzer/mod.rs:1076:18
15: libfuzzer_stb_image_concolic::fuzz
at ./src/main.rs:237:16
16: libfuzzer_stb_image_concolic::main
at ./src/main.rs:76:5
17: core::ops::function::FnOnce::call_once
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/ops/function.rs:250:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
thread 'main' (14580) panicked at /home/decaf/proj/LibAFL/crates/libafl/src/events/llmp/restarting.rs:899:21:
Fuzzer-respawner: Storing state in crashed fuzzer instance did

decaf@vr:~/proj/libfuzzer_stb_image_concolic/fuzzer$ RUST_BACKTRACE=full ./target/release/libfuzzer_stb_image_concolic --concolic
Workdir: "/home/decaf/proj/libfuzzer_stb_image_concolic/fuzzer"
We're a client, let's fuzz :)
We imported 4 inputs from disk.
thread 'main' (14588) panicked at /home/decaf/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/z3-0.19.5/src/ast/bv.rs:190:5:
called `Option::unwrap()` on a `None` value
stack backtrace:
0: 0x5a9b3f753ba2 - std::backtrace_rs::backtrace::libunwind::trace::hd6a158ff8b4ced9f
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/../../backtrace/src/backtrace/libunwind.rs:117:9
1: 0x5a9b3f753ba2 - std::backtrace_rs::backtrace::trace_unsynchronized::h92e289be85f564b0
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/../../backtrace/src/backtrace/mod.rs:66:14
2: 0x5a9b3f753ba2 - std::sys::backtrace::_print_fmt::h7593c35e5f3bf237
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/sys/backtrace.rs:66:9
3: 0x5a9b3f753ba2 - <std::sys::backtrace::BacktraceLock::print::DisplayBacktrace as core::fmt::Display>::fmt::haa87a551a4affa55
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/sys/backtrace.rs:39:26
4: 0x5a9b3f5f0bcf - core::fmt::rt::Argument::fmt::h4b16ed950bbe015d
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/fmt/rt.rs:173:76
5: 0x5a9b3f5f0bcf - core::fmt::write::h80461e1e45e4fdd2
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/fmt/mod.rs:1468:25
6: 0x5a9b3f75301f - std::io::default_write_fmt::h9e4845ee80fefc13
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/io/mod.rs:639:11
7: 0x5a9b3f75301f - std::io::Write::write_fmt::h6e6c69b2d6337d9b
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/io/mod.rs:1954:13
8: 0x5a9b3f753a03 - std::sys::backtrace::BacktraceLock::print::hf67a46baa621998e
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/sys/backtrace.rs:42:9
9: 0x5a9b3f753621 - std::panicking::default_hook::{{closure}}::h391aa815d5e47ec8
10: 0x5a9b3f753621 - std::panicking::default_hook::hd6fdcf2489bb807d
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/panicking.rs:328:9
11: 0x5a9b3f5858ae - <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call::h2cd972b773461255
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/alloc/src/boxed.rs:1999:9
12: 0x5a9b3f5858ae - libafl::executors::hooks::unix::unix_signal_handler::setup_panic_hook::{{closure}}::h26e434940262aed0
at /home/decaf/proj/LibAFL/crates/libafl/src/executors/hooks/unix.rs:106:13
13: 0x5a9b3f752c3c - <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call::h0d0cdef595d02b8b
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/alloc/src/boxed.rs:1999:9
14: 0x5a9b3f752c3c - std::panicking::panic_with_hook::h185ddfb86bf14d73
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/panicking.rs:842:13
15: 0x5a9b3f77c725 - std::panicking::panic_handler::{{closure}}::had89ddd01b6112c9
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/panicking.rs:700:13
16: 0x5a9b3f77c6b9 - std::sys::backtrace::__rust_end_short_backtrace::h5d0fc36eef7265ea
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/sys/backtrace.rs:174:18
17: 0x5a9b3f77c6ac - __rustc[eb8946e36839644a]::rust_begin_unwind
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/panicking.rs:698:5
18: 0x5a9b3f5ec20f - core::panicking::panic_fmt::h92c8e5abe71dd8d1
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/panicking.rs:75:14
19: 0x5a9b3f5eccfb - core::panicking::panic::ha264d2bb233f2b69
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/panicking.rs:145:5
20: 0x5a9b3f5ec228 - core::option::unwrap_failed::h13b3e6f702cb1c04
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/option.rs:2169:5
21: 0x5a9b3f58495e - core::option::Option<T>::unwrap::hffbbf00e1b355750
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/option.rs:1010:21
22: 0x5a9b3f58495e - z3::ast::bv::BV::bvsub::hc2a99754e203db35
at /home/decaf/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/z3-0.19.5/src/ast/mod.rs:74:75
23: 0x5a9b3f58495e - libafl::stages::concolic::generate_mutations::h1ca2458734a6951d
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/concolic.rs:172:26
24: 0x5a9b3f59337d - <libafl::stages::concolic::SimpleConcolicMutationalStage<I,Z> as libafl::stages::Stage<E,EM,S,Z>>::perform::{{closure}}::hc0c20325679680b1
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/concolic.rs:400:31
25: 0x5a9b3f59337d - core::option::Option<T>::map::hc1c7857b161b3f0b
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/option.rs:1159:29
26: 0x5a9b3f59337d - <libafl::stages::concolic::SimpleConcolicMutationalStage<I,Z> as libafl::stages::Stage<E,EM,S,Z>>::perform::h43b265e00d4a951b
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/concolic.rs:398:70
27: 0x5a9b3f59337d - <ST as libafl::stages::RestartableStage<E,EM,S,Z>>::perform_restartable::hde9cb478c930de26
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/mod.rs:272:18
28: 0x5a9b3f54d752 - <(Head,Tail) as libafl::stages::StagesTuple<E,EM,S,Z>>::perform_all::h4f58704c45cc1071
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/mod.rs:193:23
29: 0x5a9b3f54d752 - <(Head,Tail) as libafl::stages::StagesTuple<E,EM,S,Z>>::perform_all::h64cda263dd74ccf0
at /home/decaf/proj/LibAFL/crates/libafl/src/stages/mod.rs:210:16
30: 0x5a9b3f54d752 - <libafl::fuzzer::StdFuzzer<CS,F,IC,IF,OF> as libafl::fuzzer::Fuzzer<E,EM,I,S,ST>>::fuzz_one::hc9ad0da10d71f11d
at /home/decaf/proj/LibAFL/crates/libafl/src/fuzzer/mod.rs:1034:16
31: 0x5a9b3f54d752 - <libafl::fuzzer::StdFuzzer<CS,F,IC,IF,OF> as libafl::fuzzer::Fuzzer<E,EM,I,S,ST>>::fuzz_loop::h340e982919eff3d2
at /home/decaf/proj/LibAFL/crates/libafl/src/fuzzer/mod.rs:1076:18
32: 0x5a9b3f54d752 - libfuzzer_stb_image_concolic::fuzz::h99d0b5300200b4b7
at /home/decaf/proj/libfuzzer_stb_image_concolic/fuzzer/src/main.rs:237:16
33: 0x5a9b3f551899 - libfuzzer_stb_image_concolic::main::hae985c0ed73fe2fa
at /home/decaf/proj/libfuzzer_stb_image_concolic/fuzzer/src/main.rs:76:5
34: 0x5a9b3f556443 - core::ops::function::FnOnce::call_once::hbc5b2e19f77d4683
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/ops/function.rs:250:5
35: 0x5a9b3f556443 - std::sys::backtrace::__rust_begin_short_backtrace::h69e880ceaf19023b
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/sys/backtrace.rs:158:18
36: 0x5a9b3f5ac6c3 - main
37: 0x794bac42a1ca - <unknown>
38: 0x794bac42a28b - __libc_start_main
39: 0x5a9b3f532665 - _start
40: 0x0 - <unknown>
thread 'main' (14587) panicked at /home/decaf/proj/LibAFL/crates/libafl/src/events/llmp/restarting.rs:899:21:
Fuzzer-respawner: Storing state in crashed fuzzer instance did not work, no point to spawn the next client! This can happen if the child calls `exit()`, in that case make sure it uses `abort()`, if it got killed unrecoverable (OOM), or if there is a bug in the fuzzer itself. (Child exited with: 101)
stack backtrace:
0: 0x5a9b3f753ba2 - std::backtrace_rs::backtrace::libunwind::trace::hd6a158ff8b4ced9f
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/../../backtrace/src/backtrace/libunwind.rs:117:9
1: 0x5a9b3f753ba2 - std::backtrace_rs::backtrace::trace_unsynchronized::h92e289be85f564b0
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/../../backtrace/src/backtrace/mod.rs:66:14
2: 0x5a9b3f753ba2 - std::sys::backtrace::_print_fmt::h7593c35e5f3bf237
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/sys/backtrace.rs:66:9
3: 0x5a9b3f753ba2 - <std::sys::backtrace::BacktraceLock::print::DisplayBacktrace as core::fmt::Display>::fmt::haa87a551a4affa55
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/sys/backtrace.rs:39:26
4: 0x5a9b3f5f0bcf - core::fmt::rt::Argument::fmt::h4b16ed950bbe015d
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/fmt/rt.rs:173:76
5: 0x5a9b3f5f0bcf - core::fmt::write::h80461e1e45e4fdd2
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/fmt/mod.rs:1468:25
6: 0x5a9b3f75301f - std::io::default_write_fmt::h9e4845ee80fefc13
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/io/mod.rs:639:11
7: 0x5a9b3f75301f - std::io::Write::write_fmt::h6e6c69b2d6337d9b
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/io/mod.rs:1954:13
8: 0x5a9b3f753a03 - std::sys::backtrace::BacktraceLock::print::hf67a46baa621998e
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/sys/backtrace.rs:42:9
9: 0x5a9b3f753621 - std::panicking::default_hook::{{closure}}::h391aa815d5e47ec8
10: 0x5a9b3f753621 - std::panicking::default_hook::hd6fdcf2489bb807d
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/panicking.rs:328:9
11: 0x5a9b3f752bff - std::panicking::panic_with_hook::h185ddfb86bf14d73
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/panicking.rs:834:13
12: 0x5a9b3f77c758 - std::panicking::panic_handler::{{closure}}::had89ddd01b6112c9
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/panicking.rs:707:13
13: 0x5a9b3f77c6b9 - std::sys::backtrace::__rust_end_short_backtrace::h5d0fc36eef7265ea
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/sys/backtrace.rs:174:18
14: 0x5a9b3f77c6ac - __rustc[eb8946e36839644a]::rust_begin_unwind
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/panicking.rs:698:5
15: 0x5a9b3f5ec20f - core::panicking::panic_fmt::h92c8e5abe71dd8d1
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/panicking.rs:75:14
16: 0x5a9b3f57599f - libafl::events::llmp::restarting::RestartingMgr<EMH,I,MT,S,SP>::launch::h8f367bfc8d357d78
at /home/decaf/proj/LibAFL/crates/libafl/src/events/llmp/restarting.rs:899:21
17: 0x5a9b3f547418 - libafl::events::llmp::restarting::setup_restarting_mgr_std::hbcf6bf3aa8766a54
at /home/decaf/proj/LibAFL/crates/libafl/src/events/llmp/restarting.rs:626:10
18: 0x5a9b3f547418 - libfuzzer_stb_image_concolic::fuzz::h99d0b5300200b4b7
at /home/decaf/proj/libfuzzer_stb_image_concolic/fuzzer/src/main.rs:97:15
19: 0x5a9b3f551899 - libfuzzer_stb_image_concolic::main::hae985c0ed73fe2fa
at /home/decaf/proj/libfuzzer_stb_image_concolic/fuzzer/src/main.rs:76:5
20: 0x5a9b3f556443 - core::ops::function::FnOnce::call_once::hbc5b2e19f77d4683
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/core/src/ops/function.rs:250:5
21: 0x5a9b3f556443 - std::sys::backtrace::__rust_begin_short_backtrace::h69e880ceaf19023b
at /rustc/ed61e7d7e242494fb7057f2657300d9e77bb4fcb/library/std/src/sys/backtrace.rs:158:18
22: 0x5a9b3f5ac6c3 - main
23: 0x794bac42a1ca - <unknown>
24: 0x794bac42a28b - __libc_start_main
25: 0x5a9b3f532665 - _start
26: 0x0 - <unknown>
To Reproduce
Steps to reproduce the behavior:
- modify the stb fuzzer as described in this PR to get it to build
- build the concolic rust stb fuzzer
- launch a main broker
- launch a concolic fuzzer using the --concolic flag
- observe the concolic crash
Expected behavior
It should not crash.
Additional Details
This ran fine in an Ubuntu Docker container on arm64 but crashes on x86; not sure if it's related.