Qemu mode stuck at "[+] All right - fork server is up." #96
Description
I use afl qemu mode to fuzzing a arm library. I wrote a entrance for that library. Then I test the binary with afl-qemu-trace, and it could return correct result. Then I use command "afl-fuzz -m 8G -i aflin -o aflout -Q ./binary @@" to execute the fuzz. But the main process stucked at "[+] All right - fork server is up.". Then I use ps to see the child process "afl-qemu-trace ./binanry FILE". And I use gdb to attach on it. I found program is stuck at some mutex. Here is the call stack:
#0 __lll_lock_wait () at ../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
#1 0x00007fbcac68d023 in __GI___pthread_mutex_lock (mutex=mutex@entry=0x55948b53e500 <tcg_ctx+288>) at ../nptl/pthread_mutex_lock.c:78
#2 0x000055948b27973a in qemu_mutex_lock (mutex=mutex@entry=0x55948b53e500 <tcg_ctx+288>) at util/qemu-thread-posix.c:65
#3 0x000055948b180e28 in tb_lock () at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/accel/tcg/translate-all.c:170
#4 cpu_restore_state (cpu=cpu@entry=0x55948e180910, retaddr=retaddr@entry=94096477451624) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/accel/tcg/translate-all.c:353
#5 0x000055948b17d442 in handle_cpu_signal (old_set=0x7ffc60edd2a8, is_write=, address=4010848012, pc=94096477451622) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/user-exec.c:124
#6 cpu_arm_signal_handler (host_signum=, pinfo=pinfo@entry=0x7ffc60edd2b0, puc=0x7ffc60edd180) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/user-exec.c:229
#7 0x000055948b1a5f41 in host_signal_handler (host_signum=11, info=0x7ffc60edd2b0, puc=0x7ffc60edd180) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/linux-user/signal.c:646
#8
#9 0x000055948b1cf566 in gen_intermediate_code (cs=cs@entry=0x55948e180910, tb=tb@entry=0x55948b615480 <static_code_gen_buffer+796080>) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/target/arm/translate.c:12011
#10 0x000055948b18107e in tb_gen_code (cpu=cpu@entry=0x55948e180910, pc=4010848012, cs_base=0, flags=524416, cflags=, cflags@entry=0) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/accel/tcg/translate-all.c:1283
#11 0x000055948b17d999 in afl_wait_tsl (fd=3, cpu=0x55948e180910) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/../patches/afl-qemu-cpu-inl.h:304
#12 afl_forkserver (cpu=cpu@entry=0x55948e180910) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/../patches/afl-qemu-cpu-inl.h:222
#13 0x000055948b17f2cd in cpu_tb_exec (itb=, itb=, cpu=) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/accel/tcg/cpu-exec.c:149
#14 cpu_loop_exec_tb (tb_exit=, last_tb=, tb=, cpu=) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/accel/tcg/cpu-exec.c:583
#15 cpu_exec (cpu=) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/accel/tcg/cpu-exec.c:681
#16 0x000055948b182ca0 in cpu_loop (env=0x55948e188ba0) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/linux-user/main.c:570
#17 0x000055948b13cbf0 in main (argc=argc@entry=4, argv=argv@entry=0x7ffc60ede9c8, envp=) at /root/AFL-2.56b/qemu_mode/qemu-2.10.0/linux-user/main.c:4862
#18 0x00007fbcac2b3b97 in __libc_start_main (main=0x55948b13c4c0
#19 0x000055948b13d35a in _start ()