Assertion error when running AnalyzeKernelInterface. #6

Open
zzzzzec opened this issue Apr 10, 2024 · 0 comments
zzzzzec commented Apr 10, 2024

Hello author!
While trying to reproduce, the two stages `prepare_for_manual_instrument` and `prepare_kernel_bitcode` run fine, but a problem appears at `analyze_kernel_syscall`.
Specifically, at line 24 of source/syzdirect/Runner/SyscallAnalyze/SyscallAnalyze.py, when the code
`generating_cmd=f"cd {caseInterfaceWorkingDir} && {Config.FunctionModelBinary} --verbose-level=4 {caseBitcodeDir} 2>&1 | tee log"` runs (the command expands to `cd /home/xxx/SyzDirect/source/syzdirect/Runner/workdir/interfaces/case_0 && /home/xxx/SyzDirect/source/syzdirect/syzdirect_function_model/build/lib/interface_generator --verbose-level=4 /home/xxx/SyzDirect/source/syzdirect/Runner/workdir/bcs/case_0 2>&1 | tee log`), it calls interface_generator, but an assert failed while interface_generator was running. The backtrace shows:

```text
[DeviceExtractor] Updated in 0 modules.
[DeviceExtractor] Postprocessing ...
 #0 0x0000000000680708 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/home/zec/SyzDirect/source/syzdirect/syzdirect_function_model/build/lib/interface_generator+0x680708)
 #1 0x00000000006807cf PrintStackTraceSignalHandler(void*) Signals.cpp:0:0
 #2 0x000000000067e25b llvm::sys::RunSignalHandlers() (/home/zec/SyzDirect/source/syzdirect/syzdirect_function_model/build/lib/interface_generator+0x67e25b)
 #3 0x0000000000680038 SignalHandler(int) Signals.cpp:0:0
 #4 0x00007fd6d3626520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #5 0x000000000049bcec llvm::Value::getType() const /home/zec/SyzDirect/source/llvm-project-new/llvm/include/llvm/IR/Value.h:256:34
 #6 0x00000000005245e5 llvm::ConstantStruct::getType() const /home/zec/SyzDirect/source/llvm-project-new/llvm/include/llvm/IR/Constants.h:481:36
 #7 0x0000000000522e12 DeviceExtractorPass::doFinalization(llvm::Module*) /home/zec/SyzDirect/source/syzdirect/syzdirect_function_model/src/lib/DeviceExtractor.cc:897:30
 #8 0x0000000000454bd6 IterativeModulePass::run(std::vector<std::pair<llvm::Module*, llvm::StringRef>, std::allocator<std::pair<llvm::Module*, llvm::StringRef> > >&) /home/zec/SyzDirect/source/syzdirect/syzdirect_function_model/src/lib/Analyzer.cc:149:16
 #9 0x0000000000456e9b main /home/zec/SyzDirect/source/syzdirect/syzdirect_function_model/src/lib/Analyzer.cc:392:10
#10 0x00007fd6d360dd90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
#11 0x00007fd6d360de40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
#12 0x0000000000414e25 _start (/home/xxx/SyzDirect/source/syzdirect/syzdirect_function_model/build/lib/interface_generator+0x414e25)
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace.
Stack dump:
0.      Program arguments: /home/xxx/SyzDirect/source/syzdirect/syzdirect_function_model/build/lib/interface_generator --verbose-level=4 /home/xxx/SyzDirect/source/syzdirect/Runner/workdir/bcs/case_0
Segmentation fault (core dumped)
```

It can be seen that the assertion error is triggered by the getName function; take the function `bool TypeInitializerPass::doInitialization(Module *M)` in source/syzdirect/syzdirect_function_model/src/lib/TypeInitializer.cc as an example.

```cpp
bool TypeInitializerPass::doInitialization(Module *M) {

	// Initializing TypeValueMap
	// Map every global struct without a type name to its
	// value name
	for(Module::global_iterator gi = M->global_begin(),
			ge = M->global_end(); gi != ge; ++gi) {
		GlobalValue *GV = &*gi;
		Type *GVTy = GV->getValueType();
		string Vname = static_cast<string>(GV->getName());
		if (StructType *GVSTy = dyn_cast<StructType>(GVTy)) {
			if(GVSTy->hasName())
				continue;
			TypeValueMap.insert(pair<Type*, string>(GVTy,Vname));
		}
	}

	// Initializing StructTNMap
	// Map global variable name to their struct type name
	for (Module::iterator ff = M->begin(),
			MEnd = M->end();ff != MEnd; ++ff) {
		Function *Func = &*ff;
		if (Func->isIntrinsic())
			continue;
		for (inst_iterator ii = inst_begin(Func), e = inst_end(Func);
					ii != e; ++ii) {
			Instruction *Inst = &*ii;
			unsigned T = Inst->getNumOperands();
			// operand count is unsigned; keep the loop index unsigned too
			for(unsigned i = 0; i < T; i++) {
				Value *VI = Inst->getOperand(i);
				if (!VI)
					continue;
				if (!VI->hasName())
					continue;
				Type *VT = VI->getType();
				while(VT && VT->isPointerTy())
					VT = VT->getPointerElementType();
				if (!VT)
					continue;

				if (StructType *SVT = dyn_cast<StructType>(VT)) {
					if (SVT->isLiteral()){
						continue;
					}
					string ValueName = static_cast<string>(VI->getName());
					string StructName = static_cast<string>(SVT->getName());
					VnameToTypenameMap.insert(pair<string, string>(ValueName,StructName));
				}

			}
		}
	}

	return false;
}
```

When execution reaches the statement

```cpp
string StructName = static_cast<string>(SVT->getName());
```

it triggers an assert failure in the LLVM file /home/zec/SyzDirect/source/llvm-project-new/llvm/lib/IR/Type.cpp:

```cpp
StringRef StructType::getName() const {
  assert(!isLiteral() && "Literal structs never have names");
  if (!SymbolTableEntry) return StringRef();

  return ((StringMapEntry<StructType*> *)SymbolTableEntry)->getKey();
}
```

Not every call produces the assertion error, but there is also a chance of it happening when getName() is called in other files.
I'm not sure whether this means something went wrong in generating the kernel bitcode, or whether it is some other problem; I hope the author can give some guidance.
Thanks for your help!

Also, the BUG kernel commit used is commit 11c514a99bb960941535134f0587102855e8ddee from the dataset, and the machine configuration is 32C+64G.
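A small triage helper for exactly this kind of output, added here as an example and not part of SyzDirect or the reporter's code: it parses the frame lines of an LLVM PrintStackTrace dump (the one quoted above is embedded as the sample input), tags each frame as signal-handler, LLVM, project or runtime by its path and symbol (the path fragments `syzdirect_function_model/src` and `llvm-project` are assumptions taken from the quoted paths), and returns the topmost frame in the project's own sources together with the termination line and the "Program arguments" command needed to re-run the failing step.

```python
# Triage helper for LLVM PrintStackTrace dumps (added example, not SyzDirect code).
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the dump quoted in the issue above, embedded verbatim.
SAMPLE_DUMP = """\
[DeviceExtractor] Updated in 0 modules.
[DeviceExtractor] Postprocessing ...
 #0 0x0000000000680708 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (/home/zec/SyzDirect/source/syzdirect/syzdirect_function_model/build/lib/interface_generator+0x680708)
 #1 0x00000000006807cf PrintStackTraceSignalHandler(void*) Signals.cpp:0:0
 #2 0x000000000067e25b llvm::sys::RunSignalHandlers() (/home/zec/SyzDirect/source/syzdirect/syzdirect_function_model/build/lib/interface_generator+0x67e25b)
 #3 0x0000000000680038 SignalHandler(int) Signals.cpp:0:0
 #4 0x00007fd6d3626520 (/lib/x86_64-linux-gnu/libc.so.6+0x42520)
 #5 0x000000000049bcec llvm::Value::getType() const /home/zec/SyzDirect/source/llvm-project-new/llvm/include/llvm/IR/Value.h:256:34
 #6 0x00000000005245e5 llvm::ConstantStruct::getType() const /home/zec/SyzDirect/source/llvm-project-new/llvm/include/llvm/IR/Constants.h:481:36
 #7 0x0000000000522e12 DeviceExtractorPass::doFinalization(llvm::Module*) /home/zec/SyzDirect/source/syzdirect/syzdirect_function_model/src/lib/DeviceExtractor.cc:897:30
 #8 0x0000000000454bd6 IterativeModulePass::run(std::vector<std::pair<llvm::Module*, llvm::StringRef>, std::allocator<std::pair<llvm::Module*, llvm::StringRef> > >&) /home/zec/SyzDirect/source/syzdirect/syzdirect_function_model/src/lib/Analyzer.cc:149:16
 #9 0x0000000000456e9b main /home/zec/SyzDirect/source/syzdirect/syzdirect_function_model/src/lib/Analyzer.cc:392:10
#10 0x00007fd6d360dd90 (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
#11 0x00007fd6d360de40 __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e40)
#12 0x0000000000414e25 _start (/home/xxx/SyzDirect/source/syzdirect/syzdirect_function_model/build/lib/interface_generator+0x414e25)
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace.
Stack dump:
0.      Program arguments: /home/xxx/SyzDirect/source/syzdirect/syzdirect_function_model/build/lib/interface_generator --verbose-level=4 /home/xxx/SyzDirect/source/syzdirect/Runner/workdir/bcs/case_0
Segmentation fault (core dumped)
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-fA-F]+)\s*(.*?)\s*$")
LOC_RE = re.compile(r"^(.*?)\s*(\S+?):(\d+):(\d+)$")          # "symbol /file.cc:LINE:COL"
MOD_RE = re.compile(r"^(.*?)\s*\((\S+)\+0x[0-9a-fA-F]+\)$")   # "symbol (/object+0xOFF)"

# Assumed path fragments used to attribute frames; adjust to your checkout.
PROJECT_MARK = "syzdirect_function_model/src"
LLVM_MARK = "llvm-project"
HANDLER_SYMBOLS = ("PrintStackTrace", "RunSignalHandlers", "SignalHandler")


@dataclass
class Frame:
    index: int
    addr: int
    symbol: str          # "?" when the dump prints no symbol
    path: str            # source file, or the object the frame came from
    line: Optional[int]  # None when no debug location was printed


def parse_frame(text: str) -> Optional[Frame]:
    """Parse one "#N 0xADDR ..." line; return None for any other line."""
    m = FRAME_RE.match(text)
    if not m:
        return None
    index, addr, rest = int(m.group(1)), int(m.group(2), 16), m.group(3)
    loc = LOC_RE.match(rest)
    if loc:
        return Frame(index, addr, loc.group(1) or "?", loc.group(2), int(loc.group(3)))
    mod = MOD_RE.match(rest)
    if mod:
        return Frame(index, addr, mod.group(1) or "?", mod.group(2), None)
    return Frame(index, addr, rest or "?", "", None)


def parse_dump(dump: str) -> List[Frame]:
    frames = [f for f in map(parse_frame, dump.splitlines()) if f is not None]
    return sorted(frames, key=lambda f: f.index)


def origin(frame: Frame) -> str:
    """Attribute a frame: project source, LLVM source, crash handler, or runtime."""
    if PROJECT_MARK in frame.path:
        return "project"
    if LLVM_MARK in frame.path:
        return "llvm"
    if frame.path.endswith("Signals.cpp") or any(s in frame.symbol for s in HANDLER_SYMBOLS):
        return "signal-handler"
    return "runtime"


def first_project_frame(dump: str) -> Optional[Frame]:
    """Topmost frame that lives in the project's own sources (the one to open first)."""
    for frame in parse_dump(dump):
        if origin(frame) == "project":
            return frame
    return None


def crash_kind(dump: str) -> str:
    """How the process ended: an assert message, a SIGSEGV, or neither."""
    if "Assertion" in dump:
        return "assert"
    if "Segmentation fault" in dump:
        return "segfault"
    return "unknown"


def program_arguments(dump: str) -> Optional[str]:
    """The command line LLVM records in the "Stack dump" trailer, for re-running."""
    m = re.search(r"Program arguments:\s*(.+)", dump)
    return m.group(1).strip() if m else None


if __name__ == "__main__":
    print("kind:", crash_kind(SAMPLE_DUMP))
    print("cmd :", program_arguments(SAMPLE_DUMP))
    for f in parse_dump(SAMPLE_DUMP):
        where = f"{f.path}:{f.line}" if f.line is not None else f.path
        print(f"#{f.index:<2} {origin(f):<14} {f.symbol}  {where}")
    top = first_project_frame(SAMPLE_DUMP)
    print("first project frame:", top.symbol, top.path, top.line)
```

Run it directly to print the annotated frames. The first project frame is the source line to open before anything else, and the recorded command line is what to re-run under a debugger, or with the bitcode directory reduced to one module at a time to find which input triggers the failure.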
