RUB-SysSec / JIT-Picker

Apache License 2.0

cannot build with swift #3

Open zhangxiaosa opened 1 year ago

zhangxiaosa commented 1 year ago
$ swift build
error: missing LinuxMain.swift file in the Tests directory

I got something like this when building the project. My swift version is:

$ swift --version
Swift version 5.0.2 (swift-5.0.2-RELEASE)
Target: x86_64-unknown-linux-gnu

Could you please help to fix this issue? thanks a lot!

bernhl commented 1 year ago

This issue affected fuzzilli some time ago; you should be able to touch the file in the repo root and successfully build. That being said, a more up-to-date version of this work is to be found here: https://github.com/googleprojectzero/fuzzilli/pull/378

zhangxiaosa commented 1 year ago

Hi, thank you, I have solved this problem and successfully compiled the code. But when running it, I got this error:

$ swift run FuzzilliCli --profile=jerryscript --inspect=history --storagePath="./output" --minimizationLimit=1.0 /tmp/jerryscript-8ba0d1b6ee/build/bin/jerry
Building for debugging...
Build complete! (0.20s)
[REPRL] Script execution failed: Child in weird state after execution. Retrying in 1 second...
[REPRL] Script execution failed again: Child in weird state after execution. Giving up
[Coverage] Initialized, 14544 edges
[JavaScriptEnvironment] Initialized static JS environment model
[JavaScriptEnvironment] Have 50 available builtins: ["Date", "Reflect", "undefined", "resourceName", "isNaN", "gc", "BigInt", "ArrayBuffer", "Int16Array", "WeakMap", "Boolean", "Number", "WeakSet", "Array", "Uint8ClampedArray", "Float32Array", "RangeError", "Object", "Infinity", "print", "Float64Array", "Map", "Int8Array", "NaN", "parseInt", "EvalError", "URIError", "DataView", "parseFloat", "isFinite", "String", "TypeError", "placeholder", "Math", "Uint8Array", "Promise", "Set", "SyntaxError", "Uint16Array", "Function", "Error", "RegExp", "Symbol", "AggregateError", "Int32Array", "Uint32Array", "Proxy", "eval", "JSON", "ReferenceError"]
[JavaScriptEnvironment] Have 212 available method names: ["stringify", "defineProperties", "m", "getMinutes", "indexOf", "apply", "log", "floor", "setFloat64", "isArray", "abs", "pop", "getMilliseconds", "getUTCSeconds", "keys", "push", "padStart", "cosh", "toUpperCase", "resolve", "getTime", "acos", "getOwnPropertySymbols", "setPrototypeOf", "sinh", "reduceRight", "shift", "getUTCDay", "test", "isFinite", "setHours", "setUTCSeconds", "getUTCHours", "getFloat32", "min", "getFullYear", "catch", "bind", "reverse", "raw", "expm1", "n", "replaceAll", "getUint16", "construct", "getInt32", "call", "asIntN", "is", "cos", "has", "cbrt", "replace", "some", "startsWith", "fround", "set", "parse", "entries", "toString", "flatMap", "allSettled", "imul", "then", "log10", "setMilliseconds", "isView", "o", "find", "getInt16", "race", "getUTCMinutes", "random", "exp", "setInt32", "round", "flat", "getDay", "ownKeys", "endsWith", "getUint8", "getMonth", "search", "trimStart", "setUTCMinutes", "filter", "setInt16", "toISOString", "getUTCMonth", "map", "match", "tan", "findIndex", "substring", "UTC", "get", "getUTCMilliseconds", "trim", "resize", "trunc", "asin", "toTimeString", "setUTCFullYear", "isInteger", "setUint32", "getFloat64", "getOwnPropertyNames", "includes", "toLocaleString", "getInt8", "lastIndexOf", "getOwnPropertyDescriptors", "padEnd", "setUTCMonth", "forEach", "setYear", "unshift", "seal", "defineProperty", "getUTCDate", "join", "acosh", "charAt", "splice", "isFrozen", "trimLeft", "toJSON", "fromCodePoint", "charCodeAt", "pow", "finally", "setMonth", "getOwnPropertyDescriptor", "toLowerCase", "setSeconds", "matchAll", "assign", "log2", "setUTCMilliseconds", "tanh", "hypot", "setUTCDate", "localeCompare", "isExtensible", "delete", "trimRight", "reject", "subarray", "keyFor", "all", "setDate", "deleteProperty", "p", "toGMTString", "asinh", "split", "isSafeInteger", "asUintN", "max", "repeat", "slice", "setInt8", "for", "getHours", "setMinutes", "getTimezoneOffset", 
"setFloat32", "values", "freeze", "compile", "sin", "create", "setUint16", "every", "ceil", "setUTCHours", "fromCharCode", "from", "atan", "concat", "fromEntries", "isSealed", "trimEnd", "sign", "getUTCFullYear", "setUint8", "codePointAt", "clz32", "getSeconds", "fill", "now", "atan2", "getYear", "of", "setTime", "copyWithin", "preventExtensions", "isNaN", "clear", "reduce", "getDate", "sort", "toUTCString", "exec", "getPrototypeOf", "toDateString", "add", "sqrt", "setFullYear", "atanh", "getUint32", "log1p"]
[JavaScriptEnvironment] Have 52 property names that are available for read access: ["unscopables", "global", "size", "message", "species", "caller", "b", "hasInstance", "prototype", "POSITIVE_INFINITY", "byteOffset", "EPSILON", "constructor", "buffer", "replace", "PI", "dotAll", "__proto__", "source", "cause", "MIN_VALUE", "e", "c", "flags", "MAX_VALUE", "toPrimitive", "E", "d", "unicode", "multiline", "matchAll", "ignoreCase", "search", "MAX_SAFE_INTEGER", "arguments", "NEGATIVE_INFINITY", "byteLength", "description", "NaN", "MIN_SAFE_INTEGER", "split", "valueOf", "toStringTag", "iterator", "name", "toString", "length", "asyncIterator", "a", "sticky", "isConcatSpreadable", "match"]
[JavaScriptEnvironment] Have 10 property names that are available for write access: ["a", "toString", "constructor", "c", "valueOf", "length", "d", "__proto__", "e", "b"]
[JavaScriptEnvironment] Have 5 custom property names: ["c", "a", "b", "e", "d"]
[JavaScriptEnvironment] Have 4 custom method names: ["p", "n", "o", "m"]
[Fuzzer] Initialized
[REPRL] Script execution failed: Child in weird state after execution. Retrying in 1 second...
[REPRL] Script execution failed again: Child in weird state after execution. Giving up
[Fuzzer] Cannot execute programs (exit code must be zero when no exception was thrown). Are the command line flags valid?
[Fuzzer] Shutting down due to fatal error

++++++++++ Fuzzer Finished ++++++++++

Fuzzer Statistics
-----------------
Fuzzer phase:                 Fuzzing (with MutationEngine)
Uptime:                       0d 0h 0m 3s
Total Samples:                0
Interesting Samples Found:    0
Last Interesting Sample:      0d 0h 0m 3s
Valid Samples Found:          0
Corpus Size:                  0
Correctness Rate:             -nan% (-nan%)
Timeout Rate:                 -nan% (-nan%)
Crashes Found:                0
Differentials Found:          0
Timeouts Hit:                 0
Coverage:                     0.00%
Avg. program size:            -nan
Avg. corpus program size:     -nan
Connected workers:            0
Execs / Second:               0.00
Fuzzer Overhead:              100.00%
Total Execs:                  1
Differential Tests:           0

The following error message shows up twice: [REPRL] Script execution failed: Child in weird state after execution. Retrying in 1 second... [REPRL] Script execution failed again: Child in weird state after execution. Giving up

Do you know why I got this error or how to bypass it? Thank you!

zhangxiaosa commented 1 year ago

Today I further inspected the code by printing out the stderr and stdout of the failed script execution. I found the stderr to be empty and the stdout to be:

[COV] edge counters initialized. Shared memory: shm_id_867741_0 with 767659 edges
Exception: ReferenceError: Can't find variable: fuzzilli_hash
main@[REPRL]:2:28
global code@[REPRL]:7:5

So it seems the bug is related to the fuzzilli_hash variable. I also found your PR to the Fuzzilli repo; does it mean your PR has not been merged? Could you please notify me when your PR for differential testing has passed the tests and been merged?

ayuan0828 commented 1 year ago

Today, I encountered the same issue while running, and I would like to know if this issue has been resolved. Could you please tell me?

bernhl commented 1 year ago

The implementation deviates from the standard fuzzilli reprl interface by adding more parameters. This change is implemented for jsc, v8 and spidermonkey only. If you'd like to fuzz jerryscript you'll need to extend the respective bindings. Furthermore, the fuzzilli_hash function is not implemented on jerryscript, so that is something you'd need to add also.
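
One way to check a target engine before pointing the fuzzer at it, so that a missing builtin surfaces as a clear verdict instead of "Child in weird state", as an added example that is not JIT-Picker's or Fuzzilli's own code: the probe below runs a tiny script in the target shell that reports `typeof` for each expected builtin, and the `diagnose` function also recognises the ReferenceError text quoted earlier in this thread. It assumes the target is a JS shell that takes a script path as its last argument and exposes a shell-style `print()`, and it assumes the two names to look for are `fuzzilli` (stock Fuzzilli's builtin) and `fuzzilli_hash` (the function this thread says the JIT-Picker fork calls).

```python
"""Preflight probe for a Fuzzilli-style target engine.

Added example, not code from JIT-Picker or Fuzzilli. It assumes the target
is a JS shell that takes a script path as its last argument and exposes a
shell-style print(), and it treats `fuzzilli` (stock Fuzzilli's builtin) and
`fuzzilli_hash` (the builtin this thread says JIT-Picker calls) as the names
to look for; both names are assumptions of this probe.
"""
import os
import re
import subprocess
import sys
import tempfile

# Builtins a Fuzzilli/JIT-Picker harness expects the engine to expose (assumed).
REQUIRED_BUILTINS = ("fuzzilli", "fuzzilli_hash")

# typeof on an undeclared identifier never throws, so the probe prints one
# verdict line per name instead of relying on the engine's exception text.
PROBE_JS = "\n".join(
    f'print("probe {name} " + typeof {name});' for name in REQUIRED_BUILTINS
)

# Matches the ReferenceError text the reporter saw in the child's stdout.
MISSING_VAR_RE = re.compile(r"ReferenceError:\s*Can't find variable:\s*(\w+)")
PROBE_LINE_RE = re.compile(r"^probe (\w+) (\w+)$", re.MULTILINE)


def diagnose(stdout: str, stderr: str) -> dict:
    """Classify a failed REPRL child's output.

    Returns {"missing": [builtin names], "reason": str}. A name is reported
    once, whether it was found via a ReferenceError or via a probe line.
    """
    missing = []
    combined = stdout + "\n" + stderr
    for match in MISSING_VAR_RE.finditer(combined):
        if match.group(1) not in missing:
            missing.append(match.group(1))
    for name, kind in PROBE_LINE_RE.findall(stdout):
        if kind == "undefined" and name not in missing:
            missing.append(name)
    if missing:
        reason = "target lacks required builtin(s): " + ", ".join(missing)
    elif "Error" in combined:
        reason = "target reported an error that is not a missing builtin"
    else:
        reason = "no missing-builtin signature found"
    return {"missing": missing, "reason": reason}


def probe_engine(binary: str, timeout: float = 10.0) -> dict:
    """Run PROBE_JS in the target shell and diagnose what came back."""
    with tempfile.NamedTemporaryFile("w", suffix=".js", delete=False) as probe:
        probe.write(PROBE_JS)
        path = probe.name
    try:
        proc = subprocess.run(
            [binary, path], capture_output=True, text=True, timeout=timeout
        )
    finally:
        os.unlink(path)
    verdict = diagnose(proc.stdout, proc.stderr)
    verdict["exit_code"] = proc.returncode
    return verdict


# Child stdout quoted in this thread (stderr was reported empty).
SAMPLE_STDOUT = (
    "[COV] edge counters initialized. Shared memory: shm_id_867741_0 with 767659 edges\n"
    "Exception: ReferenceError: Can't find variable: fuzzilli_hash\n"
    "main@[REPRL]:2:28\n"
    "global code@[REPRL]:7:5\n"
)

if __name__ == "__main__":
    # With a shell path as argv[1] the probe runs for real; without one it
    # classifies the stdout quoted in this thread.
    if len(sys.argv) > 1:
        print(probe_engine(sys.argv[1]))
    else:
        print(diagnose(SAMPLE_STDOUT, ""))
```

Run it as `python3 probe.py /path/to/jerry` (or any other shell binary). A verdict naming `fuzzilli_hash` means the engine binding still needs that builtin before the fork's REPRL loop can execute anything, which is exactly the situation the reply above describes for jerryscript.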

ayuan0828 commented 1 year ago

Your advice has been incredibly helpful to me, and I will proceed to explore further based on your recommendations. Thank you for your reply!