DataFlowSanitizer only for Linux


I had an issue with trying to link a program with the DataFlowSanitizer functionality, this is from the libFuzzer project, and I was seeing:

clang++ -fsanitize=address -fsanitize-coverage=edge Fuzzer*.o

Undefined symbols for architecture x86_64:
  "_dfsan_create_label", referenced from:
      fuzzer::TraceState::DFSanCmpCallback(unsigned long, unsigned long, unsigned long, unsigned long long, unsigned long long, unsigned short, unsigned short) in FuzzerTraceState.o
      fuzzer::Fuzzer::InitializeTraceState() in FuzzerTraceState.o
  "_dfsan_get_label_info", referenced from:
      fuzzer::TraceState::GetLabelRange(unsigned short) in FuzzerTraceState.o

But then looking at the docs:

It appears that this is only supported under Linux? Is that right?

As far as I understand DFSan functionality isn't required for
libFuzzer to work, so it should be safe to disable DFSan support on

Thanks! I’ll give it a shot and see what I can do to give some patches back.


I took a quick stab at patching libFuzzer for Apple, but so far I'm thinking something else is incorrect. Patch is attached, but when I went to reproduce the examples, the toy example went fine, but with PCRE and Heartbleed I noticed the coverage statistics were pretty poor, and didn't find anything. Admittedly I moved on to Heartbleed pretty quickly, so PCRE probably isn't the best judge. But here's a sample log from the Heartbleed session (they were all similar):

$ cat fuzz-11.log
Seed: 3157140177
SetTimer 601
PreferSmall: 1
#0 READ cov 0 bits 0 units 1 exec/s 0
#1 pulse cov 0 bits 0 units 1 exec/s 0
#1 INITED cov 0 bits 0 units 0 exec/s 0
Done 1 runs in 4 second(s)

Any thoughts? Obviously I’m not attached to anything in the patch, just trying to get something working on OS X.

The log indicates that you did not add the -fsanitize-coverage=… flags.
E.g. -fsanitize-coverage=edge,indirect-calls,8bit-counters
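The diagnosis above rests on reading the `cov`/`bits` fields of the libFuzzer status lines. As an added example (not code from the thread or from libFuzzer), here is a small parser for that log format that flags the "coverage stays zero after INITED" pattern, which in this thread meant the target was compiled without `-fsanitize-coverage=...`. The zero-coverage log is the one quoted above; the healthy log and the field layout of the regex are constructed assumptions based on the lines shown here.

```python
import re
from typing import Dict, List, Optional

# Matches libFuzzer status lines of the shape seen in the thread, e.g.
#   "#1 INITED cov 0 bits 0 units 0 exec/s 0"
# Field names are assumed from those lines; other libFuzzer versions print
# more fields, so the pattern is anchored only on the ones shown here.
STATUS_RE = re.compile(
    r"^#(?P<run>\d+)\s+(?P<event>[A-Za-z]+)\s+cov\s+(?P<cov>\d+)\s+bits\s+(?P<bits>\d+)"
    r"\s+units\s+(?P<units>\d+)\s+exec/s\s+(?P<execs>\d+)"
)

# Log quoted in the thread (zero coverage throughout).
ZERO_COV_LOG = """\
Seed: 3157140177
SetTimer 601
PreferSmall: 1
#0 READ cov 0 bits 0 units 1 exec/s 0
#1 pulse cov 0 bits 0 units 1 exec/s 0
#1 INITED cov 0 bits 0 units 0 exec/s 0
Done 1 runs in 4 second(s)
"""

# Constructed sample of what a correctly instrumented run would look like.
HEALTHY_LOG = """\
Seed: 42
#0 READ cov 0 bits 0 units 1 exec/s 0
#1 INITED cov 311 bits 498 units 1 exec/s 0
#128 pulse cov 402 bits 610 units 5 exec/s 64
"""


def parse_status_lines(log: str) -> List[Dict[str, object]]:
    """Return one record per '#N EVENT cov ...' line, ignoring everything else."""
    records: List[Dict[str, object]] = []
    for line in log.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "run": int(d["run"]), "event": d["event"],
            "cov": int(d["cov"]), "bits": int(d["bits"]),
            "units": int(d["units"]), "execs": int(d["execs"]),
        })
    return records


def diagnose(log: str) -> Optional[str]:
    """Return a short diagnosis string, or None if the log looks healthy.

    The check is deliberately narrow: after INITED libFuzzer has executed the
    seed corpus, so a coverage of 0 edges and 0 bits there means no coverage
    instrumentation reached the binary, exactly the symptom in this thread.
    """
    records = parse_status_lines(log)
    if not records:
        return "no libFuzzer status lines found in log"
    inited = [r for r in records if r["event"] == "INITED"]
    if inited and inited[-1]["cov"] == 0 and inited[-1]["bits"] == 0:
        return ("coverage is zero after INITED: target was probably compiled "
                "without -fsanitize-coverage=... (e.g. edge,indirect-calls,8bit-counters)")
    return None


if __name__ == "__main__":
    for name, log in (("fuzz-11.log", ZERO_COV_LOG), ("healthy", HEALTHY_LOG)):
        print(name, "->", diagnose(log) or "ok")
```

Run it against a real `fuzz-*.log` by reading the file into `diagnose`; a non-`None` result is the cue to inspect the compile line rather than the fuzz target.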

Aha! Thank you! Works perfectly…

And for OS X, at least on my 10.10.3 system, I had to build OpenSSL via:

./Configure darwin64-x86_64-cc zlib threads shared &&
make -j 8 CC="/usr/local/bin/clang -g -fsanitize=address $COV_FLAGS"

and then

/usr/local/bin/clang++ -g -fsanitize=address handshake_fuzz.o openssl-1.0.1f/libcrypto.a openssl-1.0.1f/libssl.a Fuzzer*.o -lz

Just in case you wanted to update the wiki…
Because OpenSSL was being finicky I had missed the sanitization args on a rebuild just as you said :)

Thanks again. I’m going to look into the DFSan lib for OS X next week. Have a good one!
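The rebuild mistake described in this thread (sanitizer-coverage flags silently dropped from the compile line) is easy to catch before fuzzing. As an added example that is not part of the thread or of libFuzzer, the following checker tokenises a compile or `make` line, looks inside `CC=`/`CXX=`/`CFLAGS=`-style assignments, and reports which of the two flag families used in this thread are missing; it also reports any `$VAR` reference it cannot expand, since an empty `$COV_FLAGS` at rebuild time is exactly how the coverage flags went missing here. The flag list and the treatment of unexpanded variables are this example's own assumptions; the command lines in the tests are the ones quoted above.

```python
import shlex
from typing import Callable, Dict, List, Optional

# Flag families a libFuzzer target in this (2015-era) setup needs at compile
# time, taken from the thread: ASan and -fsanitize-coverage=<kinds>.
REQUIRED: Dict[str, Callable[[str], bool]] = {
    "address-sanitizer": lambda t: t.startswith("-fsanitize=")
    and "address" in t[len("-fsanitize="):].split(","),
    "sanitizer-coverage": lambda t: t.startswith("-fsanitize-coverage="),
}

# Variables whose value is itself a command fragment; assumed list, extend as needed.
NESTED_VARS = ("CC", "CXX", "CFLAGS", "CXXFLAGS", "LDFLAGS")


def flatten_flags(cmdline: str) -> List[str]:
    """Tokenise a shell line and re-split values of CC=/CXX=/CFLAGS=-style args."""
    out: List[str] = []
    for tok in shlex.split(cmdline):
        name, sep, value = tok.partition("=")
        if sep and name in NESTED_VARS:
            out.extend(shlex.split(value))
        else:
            out.append(tok)
    return out


def check_fuzzer_flags(cmdline: str, env: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Return {'missing': [flag families absent], 'unexpanded': [$VARs not in env]}.

    env stands in for the shell environment at build time; an unexpanded
    variable is reported rather than guessed, because that is the failure
    mode the thread ran into (COV_FLAGS not set on a rebuild).
    """
    env = env or {}
    tokens: List[str] = []
    unexpanded: List[str] = []
    for tok in flatten_flags(cmdline):
        if tok.startswith("$"):
            var = tok[1:].strip("{}")
            if var in env:
                tokens.extend(shlex.split(env[var]))
            else:
                unexpanded.append(var)
        else:
            tokens.append(tok)
    missing = [fam for fam, pred in REQUIRED.items() if not any(pred(t) for t in tokens)]
    return {"missing": missing, "unexpanded": unexpanded}


# Command lines quoted in the thread.
OPENSSL_BUILD = ('./Configure darwin64-x86_64-cc zlib threads shared && '
                 'make -j 8 CC="/usr/local/bin/clang -g -fsanitize=address $COV_FLAGS"')
LIBFUZZER_COMPILE = "clang++ -fsanitize=address -fsanitize-coverage=edge Fuzzer*.o"
COV_FLAGS = "-fsanitize-coverage=edge,indirect-calls,8bit-counters"

if __name__ == "__main__":
    print(check_fuzzer_flags(OPENSSL_BUILD, {"COV_FLAGS": COV_FLAGS}))
    print(check_fuzzer_flags(OPENSSL_BUILD))  # COV_FLAGS unset: coverage missing
    print(check_fuzzer_flags(LIBFUZZER_COMPILE))
```

The checker is for compile lines only: the final link line from the thread (`clang++ -g -fsanitize=address ... -lz`) legitimately carries no `-fsanitize-coverage=` flag, since coverage instrumentation is inserted at compile time and only the ASan runtime must be linked.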