dblotsky / stringfuzz

Fuzzer and generator for string and regex problems in SMT-LIB 2.x format.

Banditfuzz Branch Crashes. Three different inputs/error logs #40

Open j29scott opened 5 years ago

j29scott commented 5 years ago

Error 1:

```
echo "(set-logic QF_S) (set-logic QF_S)(declare-fun var0 () String)(declare-fun var1 () String)(declare-fun var2 () Int)(declare-fun var3 () Int)(declare-fun var4 () Bool)(declare-fun var5 () Bool)(assert (str.suffixof var1 var0))(assert (str.in.re (str.substr var0 var3 1) (re.* re.allchar)))(check-sat)" | stringfuzzx --random bandit --operator 'InRegex'
```

Crash:

```
Traceback (most recent call last):
  File "/usr/local/bin/stringfuzzx", line 7, in <module>
    exec(compile(f.read(), __file__, 'exec'))
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/bin/stringfuzzx", line 259, in <module>
    main()
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/bin/stringfuzzx", line 253, in main
    transformed = transformer(ast, **transformer_args)
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/transformers/bandit.py", line 99, in bandit
    pair = gen_pair(op, finder.target, finder.variables, depth)
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/transformers/bandit.py", line 87, in gen_pair
    args.append(make_random_expression(variables, s, depth))
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/generators/random_ast.py", line 126, in make_random_expression
    random_args = [make_random_expression(variables, arg_sort, shrunken_depth) for arg_sort in signature]
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/generators/random_ast.py", line 126, in <listcomp>
    random_args = [make_random_expression(variables, arg_sort, shrunken_depth) for arg_sort in signature]
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/generators/random_ast.py", line 109, in make_random_expression
    return make_random_terminal(variables, sort)
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/generators/random_ast.py", line 98, in make_random_terminal
    return random.choice(variables[sort])
TypeError: list indices must be integers or slices, not str
```

Error 2:

```
echo "(set-logic QF_S) (set-logic QF_S)(declare-fun var0 () String)(declare-fun var1 () String)(declare-fun var2 () Int)(declare-fun var3 () Int)(declare-fun var4 () Bool)(declare-fun var5 () Bool)(assert (str.suffixof var1 var1))(assert (str.prefixof var1 var0))(check-sat)" | stringfuzzx --random bandit --operator '>'
```

Crash:

```
Traceback (most recent call last):
  File "/usr/local/bin/stringfuzzx", line 7, in <module>
    exec(compile(f.read(), __file__, 'exec'))
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/bin/stringfuzzx", line 259, in <module>
    main()
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/bin/stringfuzzx", line 253, in main
    transformed = transformer(ast, **transformer_args)
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/transformers/bandit.py", line 96, in bandit
    finder.walk()
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/ast_walker.py", line 16, in walk
    self.walk_expression(expression, None)
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/ast_walker.py", line 23, in walk_expression
    self.enter_expression(expression, parent)
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/transformers/bandit.py", line 45, in enter_expression
    if self.op.get_symbol() == expr.get_symbol():
AttributeError: 'NoneType' object has no attribute 'get_symbol'
```

Error 3:

```
echo "(set-logic QF_S) (set-logic QF_S)(declare-fun var0 () String)(declare-fun var1 () String)(declare-fun var2 () Int)(declare-fun var3 () Int)(declare-fun var4 () Bool)(declare-fun var5 () Bool)(assert (<= (str.indexof var0 "FeqdG?=_%l" 9) (str.len var1)))(assert (str.in.re (str.at "5j[^GK$1R." var3) (re.+ re.allchar)))(check-sat)" | stringfuzzx --random bandit --operator 'ReUnion'
```

Crash:

```
Traceback (most recent call last):
  File "/usr/local/bin/stringfuzzx", line 7, in <module>
    exec(compile(f.read(), __file__, 'exec'))
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/bin/stringfuzzx", line 259, in <module>
    main()
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/bin/stringfuzzx", line 229, in main
    ast = parse(raw_in, input_language)
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/parser.py", line 419, in parse
    return parse_tokens(scan(text, language), language, text)
  File "/mnt/c/Users/joe/Desktop/BanditFuzz/banditfuzz/stringfuzz/stringfuzz/scanner.py", line 261, in scan
    raise ScanningError('scanning error:\n{}\n {!r}...'.format(token_context, text_context))
stringfuzz.scanner.ScanningError: scanning error:
IN_RE 'str.in.re' WHITESPACE ' ' LPAREN '(' AT 'str.at' WHITESPACE ' '
 '5j[^GKR. var3) (re.+ re.allchar)))(check-sat)\n'...
```

FedericoAureliano commented 5 years ago

Fix to Error 1 pushed to "bandit" branch. Pull it down and let me know.

Errors 2 and 3 seem to be parser issues.

FedericoAureliano commented 5 years ago

Error 2 is because "<" is not a string operator so it is not in the bandit's supported ops. Added a warning and ignoring those. Pushed to "bandit" branch.

j29scott commented 5 years ago

I'm confused, the command line interface says the following are operators: '=', '>', '<', '>=', '<=', 'Concat', 'Contains', 'At', 'Length', 'IndexOf', 'IndexOf2', 'PrefixOf', 'SuffixOf', 'Replace', 'ReInter', 'ReUnion', 'ReRange', 'RePlus', 'ReStar', 'ReConcat', 'Str2Re', 'InRegex', 'ToInt', 'FromInt', 'Substring'

FedericoAureliano commented 5 years ago

Fair. Fixed.

dblotsky commented 5 years ago

@FedericoAureliano heyoo, what do you think of merging banditfuzz into trunk, so you don't have to work on a branch? :)

Also, are there ways I can make it easier to write, say, only plugins (e.g. importing all files in a plugins folder, or looking at pip-installed packages)? That way you don't have to work on all of stringfuzz, and just have a repo with your plugin.

FedericoAureliano commented 5 years ago

Woah software engineering sensei teach me. I'm very keen for a way to write plugins that's independent (also for another project I'm working on). What's the best way to do it?

dblotsky commented 5 years ago

@FedericoAureliano Heh, I'm far from a sensei. I'm barely passable!

The methods I'm considering:

  1. Pass a --plugin path/to/plugin.py flag, and import the file at the path.
  2. Pass a --plugin pip_package_name flag, and import the specified package by name.
  3. Automatically run pip freeze in Stringfuzz, and import all things that start with a fixed string (e.g. stringfuzz-plugin-.*).
  4. Automatically import everything inside the generators or transformers folders.

And then every such package would have to conform to an API, like its argument-parsing, its methods, etc.

What do you think of these? Do you have any ideas?

FedericoAureliano commented 5 years ago

I like 1/2 a lot. Handling the subparsers might be tricky though. I guess the plugin will have to define this stuff somewhere too. Maybe having the user provide a configuration file?
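A loader for options 1 and 2 from the list above, with the per-plugin `add_arguments(parser)` hook that the subparser question in the last comment implies, as an added Python example (not stringfuzz's own code; the three-attribute plugin contract, `PluginError` and the two sample plugins are assumed for illustration):

```python
import importlib
import importlib.util
import pathlib
import tempfile

# Hypothetical plugin contract: NAME, transform(ast, **kw), add_arguments(parser).
REQUIRED = ("NAME", "transform", "add_arguments")
class PluginError(Exception):
    pass
def validate_plugin(module):
    # Reject a non-conforming plugin up front instead of crashing inside the transformer.
    for attr in REQUIRED:
        value = getattr(module, attr, None)
        if value is None or (attr != "NAME" and not callable(value)):
            raise PluginError("plugin %r lacks usable %r" % (module.__name__, attr))
    return module

def load_plugin(spec):
    """spec is 'path/to/plugin.py' (option 1) or an importable module name (option 2)."""
    if spec.endswith(".py"):
        path = pathlib.Path(spec).resolve()
        if not path.is_file():
            raise PluginError("no such plugin file: %s" % path)
        mod_spec = importlib.util.spec_from_file_location("stringfuzz_plugin_" + path.stem, str(path))
        module = importlib.util.module_from_spec(mod_spec)
        mod_spec.loader.exec_module(module)  # executes the file: a plugin is trusted code
    else:
        module = importlib.import_module(spec)
    return validate_plugin(module)

# Constructed sample plugin: drops duplicate commands such as the doubled
# "(set-logic QF_S) (set-logic QF_S)" in the inputs above; BAD_SRC lacks the API.
GOOD_SRC = '''NAME = "dedupe"
def add_arguments(parser): parser.add_argument("--logic", default="QF_S")
def transform(ast, **kwargs): return list(dict.fromkeys(ast))
'''
BAD_SRC = 'NAME = "broken"\n'
def demo():
    with tempfile.TemporaryDirectory() as d:
        good, bad = pathlib.Path(d, "good.py"), pathlib.Path(d, "bad.py")
        good.write_text(GOOD_SRC)
        bad.write_text(BAD_SRC)
        plugin = load_plugin(str(good))
        result = plugin.transform(["(set-logic QF_S)", "(set-logic QF_S)", "(check-sat)"])
        try:
            load_plugin(str(bad))
            bad_err = None
        except PluginError as e:
            bad_err = str(e)
    return plugin.NAME, result, bad_err
```

The validation step is what keeps a mis-written plugin from surfacing as a deep TypeError or AttributeError like the ones in this issue; with option 2 the same `load_plugin` works unchanged for a pip-installed package name.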