Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"linked panic runtime not compiled with ..." error #120

Closed
osa1 opened this issue Nov 21, 2017 · 7 comments
Closed

"linked panic runtime not compiled with ..." error #120

osa1 opened this issue Nov 21, 2017 · 7 comments

Comments

@osa1
Copy link

osa1 commented Nov 21, 2017

I get this error when I try running an example in my repo with afl.rs.

$ cargo afl build --example chat
...
error: the linked panic runtime `panic_unwind` is not compiled with this crate's panic strategy `abort`
error: aborting due to previous error
error: Could not compile `serde_derive`.
@frewsxcv
Copy link
Member

a little background here. if a rust program is being fuzzed by afl and the rust program panics (via panic_unwind), afl does not consider this a crash. because i want panics to be considered crashes, all crates compiled via cargo afl build are compiled with -C panic=abort which causes panics to be considered as crashes to afl.

serde_derive has a proc-macro crate type. for whatever reason, rustc treats this as a panic_unwind panic strategy which conflicts with the abort panic strategy.

a couple initial thoughts:

  • it'd be good if i/we figured out why proc-macro implies panic_unwind, this might even be a cargo/rustc bug
  • it should be possible to work around this by catching panics in the afl::read_stdio_bytes utility function and manually calling process:abort, but i think this is less elegant than just passing -C panic=abort

@birkenfeld
Copy link

birkenfeld commented Nov 22, 2017
edited
Loading

I've also hit this issue with a proc-macro crate. Interestingly, I can use cargo-fuzz without problems.

Minimal demo project with both afl and cargo-fuzz setup for reproduction:
mylib.tar.gz

frewsxcv added a commit that referenced this issue Nov 25, 2017
@frewsxcv
Prefer panic catching strategy over adjusting panic strategy.
f99290b 
Fixes #120.
@frewsxcv frewsxcv mentioned this issue Nov 25, 2017
Merged
@frewsxcv
Copy link
Member

@birkenfeld @osa1 i opened a new PR that avoids changing the panic strategy in an attempt to fix this: #123

if either of y'all have some time, would be curious to hear if this fixes your issues:

cargo install --force --git https://github.com/rust-fuzz/afl.rs.git --branch frewsxcv-alt-panic

@osa1
Copy link
Author

osa1 commented Nov 25, 2017

That worked. Thanks @frewsxcv .

@birkenfeld
Copy link

Works for me too!

@birkenfeld
Copy link

birkenfeld commented Nov 25, 2017
edited
Loading

Although, I still wonder why -Cpanic=abort works for cargo-fuzz...

frewsxcv added a commit that referenced this issue Nov 25, 2017
@frewsxcv
Prefer panic catching strategy over adjusting panic strategy. (#123)
8b8d471 
Fixes #120.
@frewsxcv
Copy link
Member

fyi, i just published afl 0.3.0 which has the fix in #123

PaulGrandperrin added a commit to rust-fuzz/honggfuzz-rs that referenced this issue Apr 23, 2018
@PaulGrandperrin
Important fix: make fuzzer able to tell different bugs appart (again)
5773580 
**Context:**

For the fuzzer to be able to "understand" that something went wrong,
like a panic, the process must terminate in an abnormal fashion.

The default panic hook will unwind the stack, run destructors,
optionally print a backtrace and exit with code 101. The fuzzer will
not be able to "understand" that something wwnt particuliarly wrong.

One way to stop a process in a way that the fuzzer understands as
abnormal is to call `std::process::abort()`.

**Possible solutions:**

- build with "-C panic=abort":
  incompatible with compiler plugins
  rust-lang/cargo#2738 (comment)
  rust-fuzz/afl.rs#120
- use `panic::catch_unwind()` to catch unwinding stacks and call `std::process::abort()`:
  all kind of bugs will then unwind their stack up to the code calling this function
  and therefore render different bugs indistinguishable from the fuzzer point of view.
- use a custom panic hook and call `std::process::abort()` here.

**Implemented solution**
We implemented both solution 2 and 3.
Solution 3 has no drawbacks that I know of, but could potentially be
missed if the fuzzed code modifies the panic hook. In this case, we fall
back to solution 2 as a last resort.
PaulGrandperrin added a commit to rust-fuzz/honggfuzz-rs that referenced this issue Apr 23, 2018
@PaulGrandperrin
Important fix: make fuzzer able to tell different bugs appart (again)
abe2b4c 
**Context:**

For the fuzzer to be able to "understand" that something went wrong,
like a panic, the process must terminate in an abnormal fashion.

The default panic hook will unwind the stack, run destructors,
optionally print a backtrace and exit with code 101. The fuzzer will
not be able to "understand" that something went particuliarly wrong.

One way to stop a process in a way that the fuzzer understands as
abnormal is to call `std::process::abort()`.

**Possible solutions:**

- build with "-C panic=abort":
  incompatible with compiler plugins
  rust-lang/cargo#2738 (comment)
  rust-fuzz/afl.rs#120
- use `panic::catch_unwind()` to catch unwinding stacks and call `std::process::abort()`:
  all kind of bugs will then unwind their stack up to the code calling this function
  and therefore render different bugs indistinguishable from the fuzzer's point of view.
- use a custom panic hook and call `std::process::abort()` here.

**Implemented solution**

We implemented both solution 2 and 3.
Solution 3 has no drawbacks that I know of, but could potentially be
missed if the fuzzed code modifies the panic hook. In this case, we fall
back to solution 2 as a last resort.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@birkenfeld @frewsxcv @osa1