googleprojectzero / fuzzilli

A JavaScript Engine Fuzzer

False Positive (or unreproducible) Cases #426

Open seekamoon opened 5 months ago

seekamoon commented 5 months ago

Hi,

Recently I ran the latest fuzzilli on a machine and got some crashes. However, it seems that they are all false positives (or unreproducible cases). An example:

// First reproducer emitted by Fuzzilli. NOTE(review): the failure below is a
// "Debug check failed" (DCHECK) in a fuzzbuild d8, i.e. an engine self-check,
// not a memory-safety crash; it cannot fire at all in a build without DCHECKs.
const v2 = new Int16Array(240);
function f3(a4, a5) {
    let v6;
    // When f3 runs as valueOf (see below) it is invoked with no arguments, so
    // a4 is undefined, the call throws, and the error is swallowed here;
    // v6 stays undefined.
    try { v6 = a4(); } catch (e) {}
    for (let v7 = 0; v7 < 32; v7++) {
    }
    // undefined && <number> short-circuits to undefined.
    const v10 = v6 && -661050.8051017763;
    Math.atanh(v10);
    Math.min();
    v10 * v6;
    return a5;
}
// Install f3 as the typed array's valueOf so that arithmetic on v2 re-enters JS.
v2.valueOf = f3;
function f14(a15, a16, a17) {
    // forEach passes the array itself as the third argument, so `a17 * a17`
    // coerces v2 to a primitive through v2.valueOf, i.e. it calls f3.
    a17 * a17;
    return f14;
}
v2["forEach"](f14);
// CRASH INFO
// ==========
// TERMSIG: 6
// STDERR:
// #
// # Fatal error in ../../src/profiler/profiler-listener.cc, line 414
// # Debug check failed: last_position.IsKnown().
// #
// #
// #
// #FailureMessage Object: 0x7ffc61a0c4d0
// ==== C stack trace ===============================
// 
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8bf4b2) [0x5616efdc04b2]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8bdf97) [0x5616efdbef97]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8b0c3b) [0x5616efdb1c3b]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8b0515) [0x5616efdb1515]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x193cb25) [0x5616f0e3db25]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x193c59b) [0x5616f0e3d59b]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0xcc22ea) [0x5616f01c32ea]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0xcbe532) [0x5616f01bf532]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x3b6c0eb) [0x5616f306d0eb]
// Received signal 6
// STDOUT:
// 
// NOTE(review): the stack trace is unsymbolized offsets; symbolize it against
// the same d8 binary (offset + module base) before trying to attribute it.
// FUZZER ARGS: .build/x86_64-unknown-linux-gnu/release/FuzzilliCli --profile=v8 --jobs=64 --storagePath=/home/foo/browser_related/fuzzilli/crash --resume --exportStatistics /home/foo/browser_related/12.4.245/out/fuzzbuild/d8
// NOTE(review): when re-running by hand, pass exactly these TARGET ARGS; the
// sample was observed inside a long-lived REPRL process, so it may also depend
// on state left behind by earlier executions in that process — TODO confirm.
// TARGET ARGS: /home/foo/browser_related/12.4.245/out/fuzzbuild/d8 --expose-gc --omit-quit --allow-natives-syntax --fuzzing --jit-fuzzing --future --harmony --js-staging
// CONTRIBUTORS: 
// EXECUTION TIME: 169ms

Another example:

// Second reproducer emitted by Fuzzilli. It uses the %OptimizeFunctionOnNextCall
// intrinsic, which only parses when d8 is started with --allow-natives-syntax
// (present in the TARGET ARGS recorded below); without that flag the file is a
// SyntaxError, not a "nothing happened" run.
function f0(a1, a2) {
    const v3 = [a1,a1];
    let v4;
    // In every call below a2 is either undefined or a plain object, so map
    // throws a TypeError that is swallowed here and v4 stays undefined.
    try { v4 = v3.map(a2, v3); } catch (e) {}
    return v4 != a1;
}
// Called as a constructor with no arguments; the primitive return value is
// discarded and v6 becomes the freshly created instance.
const v6 = new f0();
// v6.constructor resolves to f0 through f0.prototype, so this is f0(f0, v6).
v6.constructor(f0, v6);
// Ask the engine to optimize f0 on its next call; the DCHECK below fires in
// the Maglev IR (maglev-ir.h), consistent with that tier being entered here.
%OptimizeFunctionOnNextCall(f0);
f0();
// CRASH INFO
// ==========
// TERMSIG: 6
// STDERR:
// #
// # Fatal error in ../../src/maglev/maglev-ir.h, line 1854
// # Debug check failed: id_ != kInvalidNodeId (0 vs. 0).
// #
// #
// #
// #FailureMessage Object: 0x7fbe4dff9840
// ==== C stack trace ===============================
// 
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8bf4b2) [0x55aa773bf4b2]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8bdf97) [0x55aa773bdf97]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8b0c3b) [0x55aa773b0c3b]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8b0515) [0x55aa773b0515]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1d1113e) [0x55aa7881113e]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1d10c50) [0x55aa78810c50]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1d3ac93) [0x55aa7883ac93]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1d16bf5) [0x55aa78816bf5]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1c62f8f) [0x55aa78762f8f]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1c5e8c5) [0x55aa7875e8c5]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1c56e99) [0x55aa78756e99]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0xb11e0f) [0x55aa77611e0f]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1c5982b) [0x55aa7875982b]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8c1caf) [0x55aa773c1caf]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8cbd25) [0x55aa773cbd25]
//     /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8bba99) [0x55aa773bba99]
//     /lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7fbe83c7fac3]
//     /lib/x86_64-linux-gnu/libc.so.6(+0x126850) [0x7fbe83d11850]
// Received signal 6
// STDOUT:
// 
// NOTE(review): this is a DCHECK in a debug/fuzzbuild binary (SIGABRT via the
// fatal-error path), not a memory-safety fault; triage it as an engine
// invariant violation, and re-run with exactly the TARGET ARGS below.
// FUZZER ARGS: .build/x86_64-unknown-linux-gnu/release/FuzzilliCli --profile=v8 --jobs=64 --storagePath=/home/foo/browser_related/fuzzilli/crash --resume --exportStatistics /home/foo/browser_related/12.4.245/out/fuzzbuild/d8
// TARGET ARGS: /home/foo/browser_related/12.4.245/out/fuzzbuild/d8 --expose-gc --omit-quit --allow-natives-syntax --fuzzing --jit-fuzzing --future --harmony --js-staging
// CONTRIBUTORS: 
// EXECUTION TIME: 96ms

When I fed them into d8 directly, it ran normally and nothing happened. What confuses me is that the crash files even record the runtime context (the exact target arguments), yet the samples still do not reproduce with those arguments... I found that a large part of them fail on the same assertion, `Debug check failed: last_position.IsKnown()`. All such cases can be found in fp.zip.

chennbnbnb commented 4 months ago

Hello, I have also encountered this problem, and I found that it is actually caused by Fuzzilli's REPRL mechanism. To improve execution throughput, REPRL only creates a new Context for each execution inside one long-lived process, but that is not enough to give each sample a fresh JS execution environment: V8 keeps many caches in the process, so consecutive test samples can influence each other. As a result, a sample that crashed during fuzzing is often hard to reproduce when it is executed on its own. My solution:

  1. Use a fork-server mechanism instead of REPRL so that every sample is executed in a fresh process.
  2. Turn off ASLR to improve fuzz stability (do this for triage only; keep ASLR on when assessing whether a real crash is exploitable).
  3. Turn off the various sources of randomization in V8 (e.g. `--predictable`) to improve fuzz stability. This makes crashes easier to reproduce, though note that `--predictable` also changes how the engine schedules work (it implies single-threaded execution), so bugs that depend on concurrent compilation or GC may stop appearing.