Closed andreafioraldi closed 3 years ago
It is a null ptr deref here: https://github.com/AFLplusplus/Grammar-Mutator/blob/stable/src/grammar_mutator.c#L304. From gdb:

```
gef➤ p data
$1 = (my_mutator_t *) 0x555555abb640
gef➤ p data->cur_rules_mutation_node
$2 = (node_t *) 0x0
```
Seems that list_pop_front returned NULL: https://github.com/AFLplusplus/Grammar-Mutator/blob/stable/src/grammar_mutator.c#L288. In fact, just before the pop, we have:

```
gef➤ p *data->tree_cur->non_terminal_node_list
$4 = {
  head = 0x0,
  tail = 0x0,
  size = 0x0
}
```
Seems that the parser fails to parse the test case. If I feed the fuzzer with a test case generated with grammar_generator but without the generated tree file, so that I trigger the parsing in the mutator, all is good.
We should be able to parse those simple Ruby test cases. Is it a limitation of the grammar? Can regex in the grammar solve it?
We should handle the error and report the parser failure to the user, rather than segfaulting.
The reason for this issue is that the total number of rules mutations is 0. I just fixed it.
For your case, the parser actually parses the test case, even though errors do exist. The parsing capability depends on the input grammar file. The Ruby grammar file in our project is a simplified Ruby grammar that does not cover all Ruby syntax. Although the grammar file may be inconsistent with the input test case, on any parsing error the ANTLR shim will not terminate but will save the erroneous portion as a terminal node, so that we do not lose too much information from the original test case.
Regex would just give the user more flexibility to specify their own grammar, which could be an enhancement in the future.
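The failure mode discussed in this thread, a pop from an empty non-terminal list returning NULL and the mutator dereferencing it because the total number of rules mutations was never checked, is reproduced below in a self-contained C example. This is added illustration, not Grammar-Mutator's code: the `node_t`/`list_t` layouts, the `n_rules` field, the "k alternative rules give k-1 mutations" model and every function name are assumptions made for the demonstration. It shows the empty-list state from the gdb dump (`head = tail = NULL, size = 0`), the non-empty-but-unmutable case, and a hardened selection routine that reports "nothing to mutate" to the caller instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the mutator's node and list types. Field and
 * function names are assumptions for this example, not Grammar-Mutator's. */
typedef struct node {
  int id;            /* identifier used only by the demonstration */
  int n_rules;       /* number of alternative rules for this non-terminal */
  struct node *next;
} node_t;

typedef struct {
  node_t *head;
  node_t *tail;
  size_t size;
} list_t;

static void list_init(list_t *l) {
  l->head = l->tail = NULL;
  l->size = 0;
}

static void list_push_back(list_t *l, node_t *n) {
  n->next = NULL;
  if (l->tail) l->tail->next = n; else l->head = n;
  l->tail = n;
  l->size++;
}

/* Returns NULL when the list is empty: the caller must check for it. */
static node_t *list_pop_front(list_t *l) {
  if (!l->head) return NULL;
  node_t *n = l->head;
  l->head = n->next;
  if (!l->head) l->tail = NULL;
  l->size--;
  n->next = NULL;
  return n;
}

/* Outcomes reported to the caller instead of dereferencing a NULL node. */
enum { MUT_OK = 0, MUT_NO_RULES_MUTATIONS = 1 };

/* Assumed model: a non-terminal with k alternative rules offers k-1 rules
 * mutations, so a tree with no non-terminals, or whose non-terminals all
 * have a single rule, offers zero mutations in total. */
static size_t count_rules_mutations(const list_t *l) {
  size_t total = 0;
  for (const node_t *n = l->head; n; n = n->next)
    if (n->n_rules > 1) total += (size_t)(n->n_rules - 1);
  return total;
}

/* Hardened selection: check the total first, then pop, and treat a NULL
 * pop as "nothing to mutate" rather than as a valid node. */
static int next_rules_mutation_node(list_t *l, node_t **out) {
  *out = NULL;
  if (count_rules_mutations(l) == 0) return MUT_NO_RULES_MUTATIONS;
  node_t *n;
  while ((n = list_pop_front(l)) != NULL) {
    if (n->n_rules > 1) { *out = n; return MUT_OK; }
  }
  return MUT_NO_RULES_MUTATIONS;   /* list exhausted without a mutable node */
}

/* Scenario from the gdb dump: head = tail = NULL, size = 0. */
static int demo_empty_list(void) {
  list_t l; node_t *n;
  list_init(&l);
  return next_rules_mutation_node(&l, &n);
}

/* Non-terminals present but none with an alternative rule: total is 0. */
static int demo_single_rule_only(void) {
  list_t l; node_t a = {1, 1, NULL}, b = {2, 1, NULL}; node_t *n;
  list_init(&l);
  list_push_back(&l, &a);
  list_push_back(&l, &b);
  return next_rules_mutation_node(&l, &n);
}

/* A mutable node exists: returns the id of the first node that can be mutated. */
static int demo_mutable(void) {
  list_t l; node_t a = {1, 1, NULL}, b = {2, 3, NULL}; node_t *n;
  list_init(&l);
  list_push_back(&l, &a);
  list_push_back(&l, &b);
  if (next_rules_mutation_node(&l, &n) != MUT_OK) return -1;
  return n->id;
}

static int pop_on_empty_is_null(void) {
  list_t l;
  list_init(&l);
  return list_pop_front(&l) == NULL;
}

int main(void) {
  printf("empty list: %s\n",
         demo_empty_list() == MUT_NO_RULES_MUTATIONS ? "reported, no crash" : "BUG");
  printf("single-rule nodes only: %s\n",
         demo_single_rule_only() == MUT_NO_RULES_MUTATIONS ? "reported" : "BUG");
  printf("mutable node id: %d\n", demo_mutable());
  return 0;
}
```

The point of checking `count_rules_mutations` before the pop is that an empty list is only one way to end up with zero mutations; a parse that produced non-terminals with a single rule each lands in the same state, and a caller that only guards the pop would still have nothing to mutate. Returning an error code lets the mutator report the parse failure to the user, which is what the thread asks for.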
I'm trying to fuzz mruby using the test cases in mruby/test/t/ (and not the test cases generated with grammar_generator) to test the ANTLR shim, and I get