Failed the examples/test on MACOS while using AFL++ mode as the README.md requires. #28

Open
Picasso-r opened this issue Sep 7, 2023 · 6 comments

Comments

@Picasso-r

These are my commands:

➜  test git:(main) ✗ AFL_DEBUG=1 afl-fuzz -i ./in -o ./out -m none -- ../../fpicker -m afl -u shm -e attach -p test -f harness.js -v
[+] Enabled environment variable AFL_DEBUG with value 1
[+] Enabled environment variable AFL_DEBUG with value 1
afl-fuzz++4.09a based on afl by Michal Zalewski and a large online community
[+] AFL++ is maintained by Marc "van Hauser" Heuse, Dominik Maier, Andrea Fioraldi and Heiko "hexcoder" Eißfeldt
[+] AFL++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: AFL++ >= v3 has changed defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking CPU scaling governor...
[+] You have 12 CPU cores and 3 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/fuzzing_in_depth.md#c-using-multiple-cores
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning './in'...
[+] Loaded a total of 6 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] Extended forkserver functions received (00000000).
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:0'...
1
4
[D] DEBUG: calibration stage 1/7
5
6
7
8
7
AAAAA
../../fpicker

[-] Oops, the program crashed with one of the test cases provided. There are
    several possible explanations:

    - The test case causes known crashes under normal working conditions. If
      so, please remove it. The fuzzer should be seeded with interesting
      inputs - but not ones that cause an outright crash.

    - In QEMU persistent mode the selected address(es) for the loop are not
      properly cleaning up variables and memory. Try adding
      AFL_QEMU_PERSISTENT_GPR=1 or select better addresses in the binary.

    - On MacOS X, the semantics of fork() syscalls are non-standard and may
      break afl-fuzz performance optimizations when running platform-specific
      targets. To fix this, set AFL_NO_FORKSRV=1 in the environment.

    - Least likely, there is a horrible bug in the fuzzer. If other options
      fail, poke the Awesome Fuzzing Discord for troubleshooting tips.
[!] WARNING: Test case 'id:000000,time:0,execs:0,orig:0' results in a crash, skipping

and the syslogs are:

17:19:15.804460+0800	fpicker	[JS]: [*] afl_area_ptr: 0x0
17:19:15.804554+0800	fpicker	[JS]: [*] commap: 0x103f79000
17:19:15.804807+0800	fpicker	[JS]: [*] commap_id: /fp_comm_shm_10492_1804289383
17:19:15.805056+0800	fpicker	[JS]: [*] base: 0x1027ab000
17:19:15.805157+0800	fpicker	[JS]: [*] iteration_sem: 0x4
17:19:15.805352+0800	fpicker	[JS]: [*] exec_sem: 0x4
17:19:15.805589+0800	fpicker	[JS]: [*] Not excluding test from stalker
17:19:15.805721+0800	fpicker	[JS]: [*] Setting up interceptor
17:19:15.806433+0800	fpicker	[JS]: {"type":"send","payload":{"type":"_fpicker_ready","data":[{"name":"test","base":"0x1027ab000","size":16384,"path":"/Users/wujiesong3/Desktop/fpicker_test/fpicker/examples/test/test","id":0,"end":"0x1027af000"},{"name":"libSystem.B.dylib","base":"0x7ff811cf7000","size":8192,"path":"/usr/lib/libSystem.B.dylib","id":1,"end":"0x7ff811cf9000"},{"name":"libcache.dylib","base":"0x7ff811cf1000","size":24568,"path":"/usr/lib/system/libcache.dylib","id":2,"end":"0x7ff811cf6ff8"},{"name":"libcommonCrypto.dylib","base":"0x7ff811ca8000","size":49144,"path":"/usr/lib/system/libcommonCrypto.dylib","id":3,"end":"0x7ff811cb3ff8"},{"name":"libcompiler_rt.dylib","base":"0x7ff811cd5000","size":32768,"path":"/usr/lib/system/libcompiler_rt.dylib","id":4,"end":"0x7ff811cdd000"},{"name":"libcopyfile.dylib","base":"0x7ff811cc7000","size":57344,"path":"/usr/lib/system/libcopyfile.dylib","id":5,"end":"0x7ff811cd5000"},{"name":"libcorecrypto.dylib","base":"0x7ff805c26000","size":618448,"path":"/usr/lib/system/libcorecrypto.dyli<…>
17:19:15.806474+0800	fpicker	[*] MODULE=/Users/wujiesong3/Desktop/fpicker_test/fpicker/examples/test/test, start=0x1027ab000, end=0x1027af000
17:19:15.806587+0800	fpicker	[JS]: [1] before sem_wait in wait_for_exec (1694078355805)
17:19:15.809526+0800	fpicker	[*] Harness preparation done
17:19:15.809650+0800	fpicker	[*] Everything ready, starting to fuzz!
17:19:15.827044+0800	fpicker	[2] PRE SEM_POST in fuzz_iteration_in_process_shm: 1694078355827
17:19:15.827088+0800	fpicker	[*] POST SEM_POST in fuzz_iteration_in_process_shm: 1694078355827
17:19:15.827105+0800	fpicker	[*] PRE SEM_WAIT in fuzz_iteration_in_process_shm: 1694078355827
17:19:15.827117+0800	fpicker	[*] 1
17:19:15.827572+0800	fpicker	[JS]: [3] after sem_wait in wait_for_exec (1694078355827). This took 22 ms
17:19:15.827688+0800	fpicker	[JS]: 0x103f79020 5
17:19:15.827816+0800	fpicker	[JS]: [*] Interceptor ENTER (1694078355827)
17:19:15.829277+0800	fpicker	[JS]: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8cd","type":"access-violation","address":"0x103f721b5","memory":{"operation":"read","address":"0xd8cd"},"context":{"pc":"0x103f721b5","sp":"0x700009691ef0","rax":"0xd8cd","rcx":"0xd8cd","rdx":"0x0","rbx":"0x10407c000","rsp":"0x700009691ef0","rbp":"0x700009691f20","rsi":"0x103f101f0","rdi":"0x700009692258","r8":"0x0","r9":"0x103eb66e0","r10":"0x0","r11":"0x1027aecd0","r12":"0x7000096925a0","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x103f721b5"},"nativeContext":"0x0","fileName":"test-fuzzer.js","lineNumber":38}}}
17:19:15.829315+0800	fpicker	[->] CRASH type received
17:19:15.829338+0800	fpicker	[->] message: {"type":"send","payload":{"type":"crash","msg":{"message":"access violation accessing 0xd8cd","type":"access-violation","address":"0x103f721b5","memory":{"operation":"read","address":"0xd8cd"},"context":{"pc":"0x103f721b5","sp":"0x700009691ef0","rax":"0xd8cd","rcx":"0xd8cd","rdx":"0x0","rbx":"0x10407c000","rsp":"0x700009691ef0","rbp":"0x700009691f20","rsi":"0x103f101f0","rdi":"0x700009692258","r8":"0x0","r9":"0x103eb66e0","r10":"0x0","r11":"0x1027aecd0","r12":"0x7000096925a0","r13":"0x1","r14":"0x2","r15":"0x0","rip":"0x103f721b5"},"nativeContext":"0x0","fileName":"test-fuzzer.js","lineNumber":38}}}
17:19:15.829353+0800	fpicker	[*] SEM_POST in _signal_exec_finished_with_ret_status 1694078355829
17:19:15.829380+0800	fpicker	[*] 2

I can't figure out where the mistakes lie. I just use the example in the repo and do as the README teaches.
This has confused me for three days at work.

@Picasso-r
Author

OK, I succeeded. Because the log shows [*] afl_area_ptr: 0x0, I referred to the fuzzer.js and found it fails on the mmap(). So I compiled AFL++ again with CFLAGS -DUSEMMAP=1, and it works.

@owiofwm2i

Hi, after adding this flag, compiling AFL++ always shows:

[*] Testing the CC wrapper and instrumentation output...
unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; ASAN_OPTIONS=detect_leaks=0 AFL_QUIET=1 AFL_PATH=. AFL_LLVM_LAF_ALL=1 ./afl-cc -DUSEMMAP=1 -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wno-pointer-arith -fPIC -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -Wall -g -Wno-cast-qual -Wno-variadic-macros -Wno-pointer-sign -I ./include/ -I ./instrumentation/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DLLVM_BINDIR=\"/opt/homebrew/Cellar/llvm/18.1.4/bin\" -DVERSION=\"++4.21a\" -DLLVM_LIBDIR=\"/opt/homebrew/Cellar/llvm/18.1.4/lib\" -DLLVM_VERSION=\"18.1.4\" -DAFL_CLANG_FLTO=\"-flto=full\" -DAFL_REAL_LD=\"/opt/homebrew/Cellar/llvm/18.1.4/bin/ld.lld\" -DAFL_CLANG_LDPATH=\"\" -DAFL_CLANG_FUSELD=\"1\" -DCLANG_BIN=\"/opt/homebrew/Cellar/llvm/18.1.4/bin/clang\" -DCLANGPP_BIN=\"/opt/homebrew/Cellar/llvm/18.1.4/bin/clang++\" -DUSE_BINDIR=1 -Wno-unused-function -fdebug-prefix-map="/private/tmp/AFLplusplus=llvm_mode" -Wno-deprecated -I/opt/homebrew/opt/openssl@3/include ./test-instr.c -o test-instr -L/opt/homebrew/opt/openssl@3/lib -L/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/lib
ASAN_OPTIONS=detect_leaks=0 ./afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
shmat for map: Invalid argument

[-] PROGRAM ABORT : the fuzzing target reports that the shmat() call failed.
         Location : report_error_and_exit(), src/afl-forkserver.c:494

Any suggestions?

@Picasso-r
Author

Maybe you should check the args of shmat() and find the root problem? I didn't meet this problem. I think there is something wrong with your shared memory, and this can be an AFL++ problem, so you can also refer to the issues of the AFLplusplus repo.

@owiofwm2i

Hi, thanks for the reply. May I know your OS version and AFL++ version?

@Picasso-r
Author

My computer is not handy; maybe macOS 13.x.x... and I really forget the AFL version.

@Picasso-r
Author

Maybe you can try to build an mmap demo to test the shared memory on your computer? And update your Clang, or follow some advice such as https://github.com/search?q=repo%3AAFLplusplus%2FAFLplusplus+shm&type=issues
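An added example, not code from fpicker, AFL++ or anyone in this thread, that makes the "mmap demo" suggested above concrete: it round-trips a write through two attachments of one segment over both mechanisms AFL++ can use for its map (SysV shmget/shmat by default, POSIX shm_open/mmap in a -DUSEMMAP=1 build) and reproduces the EINVAL that results when a POSIX name is handed to shmat. The map size and the shm name are assumptions.

```c
/* Added example (not fpicker, AFL++ or thread code): self-check for the two
 * shared-memory mechanisms AFL++ can use for its coverage map. */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#include <unistd.h>

#define MAP_SIZE 65536   /* classic AFL map size; an assumption for this demo */

/* Default AFL++ build: SysV shmget()/shmat(), keyed by an integer id. Write
 * through one attachment, read back through a second, as fuzzer and target do.
 * Returns 0 on success, the failing call's errno, or -1 if not shared. */
int sysv_shm_roundtrip(void) {
    int id = shmget(IPC_PRIVATE, MAP_SIZE, IPC_CREAT | IPC_EXCL | 0600);
    if (id < 0) return errno;
    unsigned char *a = shmat(id, NULL, 0), *b = shmat(id, NULL, 0);
    int rc = (a == (void *)-1 || b == (void *)-1) ? errno : 0;
    if (rc == 0) { a[0x1234] = 0x41; rc = (b[0x1234] == 0x41) ? 0 : -1; }
    if (a != (void *)-1) shmdt(a);
    if (b != (void *)-1) shmdt(b);
    shmctl(id, IPC_RMID, NULL);               /* freed once fully detached */
    return rc;
}

/* -DUSEMMAP=1 build: POSIX shm_open()/mmap(), keyed by a name that starts with
 * '/' and, on macOS, must stay short (the fpicker name above is 29 chars). */
int posix_shm_roundtrip(const char *name) {
    shm_unlink(name);                         /* drop a stale object, if any */
    int fd = shm_open(name, O_CREAT | O_EXCL | O_RDWR, 0600);
    if (fd < 0) return errno;
    if (ftruncate(fd, MAP_SIZE) != 0) { int e = errno; close(fd); shm_unlink(name); return e; }
    unsigned char *a = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    unsigned char *b = mmap(NULL, MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    int rc = (a == MAP_FAILED || b == MAP_FAILED) ? errno : 0;
    if (rc == 0) { a[0x1234] = 0x41; rc = (b[0x1234] == 0x41) ? 0 : -1; }
    if (a != MAP_FAILED) munmap(a, MAP_SIZE);
    if (b != MAP_FAILED) munmap(b, MAP_SIZE);
    close(fd);
    shm_unlink(name);
    return rc;
}

/* A build that mixes the two hands a POSIX name to the SysV attach, so the
 * target ends up in shmat(atoi(name)) and gets EINVAL, "Invalid argument".
 * That this is the cause of the abort quoted above is an assumption. */
int sysv_attach_by_name(const char *name) {
    void *p = shmat(atoi(name), NULL, 0);
    if (p == (void *)-1) return errno;
    shmdt(p);
    return 0;
}
```

Each function returns 0 when the second attachment sees the write, so a non-zero value from either round-trip points at the mechanism that is broken on the machine.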
