googleprojectzero / fuzzilli

A JavaScript Engine Fuzzer
Apache License 2.0

[Fuzzer] Cannot receive FuzzIL output #189

Closed docfate111 closed 1 year ago

docfate111 commented 3 years ago

I tried fuzzing espruino https://github.com/docfate111/Espruino based on the example targets. If I add functions to the JS engine they must take void as an argument, so I instead used strstr() on the input script. For some reason, when I write to the file descriptor for the fuzzer, the fuzzer doesn't receive any output.

[Coverage] Initialized, 0 edges
[Fuzzer] Initialized
[Fuzzer] Recommended timeout: at least 620ms. Current timeout: 250ms
[Fuzzer] Cannot receive FuzzIL output
[Fuzzer] Startup tests finished successfully
saelo commented 3 years ago

So for FuzzIL output to work, your patch for the target engine needs to be able to do this:

  1. Fuzzilli executes some code like this: fuzzilli('FUZZILLI_PRINT', str);, where str can be any value (although in practice, fuzzilli will only pass strings). So e.g. fuzzilli('FUZZILLI_PRINT', "Hello " + "World" + String.fromCharCode(33));
  2. The engine now writes the given string (in this case "Hello World!") onto REPRL_DWFD, followed by a newline character

However, you only need to implement FuzzIL output support if you plan on using runtime type collection. Otherwise it is not needed and Fuzzilli will work without it just fine.
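The engine-side half of the protocol described above, as an added C example that is not Fuzzilli's or Espruino's code: the patched builtin receives the command and the string and writes the string plus one newline to the REPRL data-write fd. The fd number 103 is the one Fuzzilli's REPRL harness uses and is an assumption here; the pipe-based roundtrip helper exists only so the behaviour can be checked offline.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
/* Fd on which Fuzzilli expects FuzzIL/runtime-type output. The thread names
 * REPRL_DWFD; 103 is the number used by Fuzzilli's REPRL harness (assumption). */
#define REPRL_DWFD 103

/* Write all of buf, retrying on short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Handle fuzzilli('FUZZILLI_PRINT', str): emit str followed by one '\n' on fd.
 * Returns 0 on success, -1 on an unknown command or a write failure. */
int fuzzilli_builtin(int fd, const char *cmd, const char *str) {
    if (cmd == NULL || str == NULL) return -1;
    if (strcmp(cmd, "FUZZILLI_PRINT") == 0) {
        if (write_all(fd, str, strlen(str)) != 0) return -1;
        return write_all(fd, "\n", 1);
    }
    return -1;  /* other commands are outside what this thread covers */
}

/* What the engine's patched fuzzilli() builtin would call in a real run. */
int fuzzilli_print(const char *s) { return fuzzilli_builtin(REPRL_DWFD, "FUZZILLI_PRINT", s); }

/* Self-check: route the output through a pipe instead of REPRL_DWFD and
 * verify the engine side produced exactly str followed by a single newline. */
int fuzzilli_print_roundtrip_ok(const char *str) {
    int fds[2];
    char buf[256];
    if (pipe(fds) != 0) return 0;
    int rc = fuzzilli_builtin(fds[1], "FUZZILLI_PRINT", str);
    close(fds[1]);
    ssize_t n = read(fds[0], buf, sizeof buf);
    close(fds[0]);
    if (rc != 0 || n < 0) return 0;
    size_t len = strlen(str);
    return n == (ssize_t)(len + 1) && memcmp(buf, str, len) == 0 && buf[len] == '\n';
}
```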

docfate111 commented 3 years ago

I think I did something else wrong then? The fuzzer is running, but after a day I haven't gotten any crashes, whereas fuzzing the raw bytes of JavaScript files is giving crashes?

saelo commented 3 years ago

You can check whether the corpus is growing, and you could check (using https://clang.llvm.org/docs/SourceBasedCodeCoverage.html) if relevant parts of the engine are covered by the .js files in corpus/. You could also try patching in some trivial bugs (e.g. just abort() on some builtin or so) to see if crashes are correctly detected and triggered. Then of course you can scale up the fuzzing, I usually fuzz on 100-500 cores for a week or so, roughly until coverage stops increasing over a few hours. Also if you are mutating raw bytes of JavaScript files then you are fuzzing the JS parser of the engine, while Fuzzilli will basically fuzz everything but the parser (since it always emits valid JavaScript code).

docfate111 commented 3 years ago

How long does it take to get crashes? I ran for 5 days on 2 cores, is the time too short?

saelo commented 1 year ago

Sorry for the very slow reply... yeah it can take anywhere from a few hours to a couple of weeks on hundreds of CPUs. You can get a very rough sense of "how far" the fuzzer has come by looking e.g. at the time to last interesting sample.