googleprojectzero / fuzzilli

A JavaScript Engine Fuzzer
Apache License 2.0

[Cli] No filesystem storage configured, found crashes will be discarded! in ubuntu 18.04 #49

Closed Hanseltu closed 4 years ago

Hanseltu commented 4 years ago

Thank you for your awesome fuzzing tool.

I just implemented fuzzilli on my Ubuntu 18.04 (with Swift 5.0, clang 6.0) system, but was not successful. The following are the steps I used; please tell me any suggestions that might be helpful!

step 1 : Download Spidermonkey and run fuzzbuild.sh

tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev$ git branch --v
  * fuzz   b37d82a6c3a1 no bug - Bumping Firefox l10n changesets r=release a=l10n-bump DONTBUILD
  master ef914e250432 Merge autoland to mozilla-central.  a=merge
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev$ patch -p1 < ../firefox.patch 
patching file js/src/shell/js.cpp
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src$

after ./fuzzbuild.sh

tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev$ cd js/
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js$ ls
app.mozbuild  ductwork  examples  ffi.configure  ipc  moz.build  moz.configure  public  rust  src  sub.configure  xpconnect
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js$ cd src/
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src$ ls
aclocal.m4    ctypes    fuzzbuild_OPT.OBJ  jit-test          js-config.mozbuild    jsfriendapi.h  jspubtd.h    make-source-package.sh  README.html  vtune
build         devtools  fuzzbuild.sh       jsapi.cpp         js-cxxflags.mozbuild  jslibmath.h    jsshell.msg  moz.build               rust         wasm
build.rs      doc       fuzz-tests         jsapi.h           jsdate.cpp            jsmath.cpp     jstypes.h    NamespaceImports.h      shell        Y.js
builtin       ds        gc                 jsapi-tests       jsdate.h              jsmath.h       jsutil.cpp   octane                  tests        zydis
Cargo.toml    dtoa.c    gdb                jsast.tbl         jsexn.cpp             js.msg         jsutil.h     old-configure           threading
configure     editline  irregexp           js-confdefs.h.in  jsexn.h               jsnum.cpp      lib.rs       old-configure.in        util
configure.in  frontend  jit                js-config.h.in    jsfriendapi.cpp       jsnum.h        Makefile.in  proxy                   vm
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src$ cd fuzzbuild_OPT.OBJ/
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ$ ls
a.out                            binaries.json     config.status           install_dist_bin.track      Makefile      old-configure.vars  _tests
backend.FasterMakeBackend        build             config.statusd          install_dist_include.track  memory        python              third_party
backend.FasterMakeBackend.in     _build_manifests  config_status_deps.in   install_dist_private.track  mfbt          root-deps.mk        _virtualenvs
backend.mk                       config            dist                    install_dist_public.track   modules       root.mk
backend.RecursiveMakeBackend     config.cache      faster                  install__tests.track        mozglue       taskcluster
backend.RecursiveMakeBackend.in  config.log        generated-sources.json  js                          mozinfo.json  testing
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ$ cd dist/
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist$ ls
bin  cppunittests  host  include  private  public  system_wrappers
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist$ cd bin/
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist/bin$ ls
gdb-tests         TestAtomics          TestDoublyLinkedList     TestJSONWriter          TestRandomNum          TestSplayTree          TestVariant
gdb-tests-gdb.py  TestBinarySearch     TestEndian               TestLinkedList          TestRange              TestSPSCQueue          TestVector
js                TestBloomFilter      TestEnumeratedArray      TestMacroArgs           TestRefPtr             TestTemplateLib        TestWeakPtr
jsapi-tests       TestBufferList       TestEnumSet              TestMacroForEach        TestResult             TestTextUtils          TestWrappingOperations
js-gdb.py         TestCasting          TestEnumTypeTraits       TestMathAlgorithms      TestRollingMean        TestThreadSafeWeakPtr  TestXorShift128PlusRNG
nsinstall         TestCeilingFloor     TestFastBernoulliTrial   TestMaybe               TestSaturate           TestTuple
run-mozilla.sh    TestCheckedInt       TestFloatingPoint        TestNonDereferenceable  TestScopeExit          TestTypedEnum
TestAlgorithm     TestCountPopulation  TestFunctionTypeTraits   TestNotNull             TestSegmentedVector    TestTypeTraits
TestArray         TestCountZeroes      TestIntegerPrintfMacros  TestPair                TestSHA1               TestUniquePtr
TestArrayUtils    TestDefineEnum       TestIntegerRange         TestPoisonArea          TestSmallPointerArray  TestUtf8

step 2: swift build and run

tuhaoxin@oscar-optimal:~/github/fuzzilli$ swift build -Xlinker='-lrt'
[7/7] Linking ./.build/x86_64-unknow-linux/debug/FuzzilliCli
tuhaoxin@oscar-optimal:~/github/fuzzilli$ swift run -Xlinker='-lrt' -c release FuzzilliCli --profile=jsc ~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist/bin/js
[Cli] No filesystem storage configured, found crashes will be discarded!
[REPRL] Failed to communicate with child process
[REPRL] Failed to communicate with child process
[REPRL] Failed to communicate with child process
[REPRL] Failed to communicate with child process

Then I got these errors.

Following the suggestion in "Failed to communicate with child process with firefox #15", I got the following message:

tuhaoxin@oscar-optimal:~/github/fuzzilli/Misc/REPRL$ sudo ./tester ~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist/bin/js --reprl
[COV] edge counters initialized. Shared memory: shm_id_7968 with 431547 edges
What to do? r
undefined
42
Exited normally, status: 0
Execution took 0ms
What to do? What to do? r
undefined
42
Exited normally, status: 0
Execution took 0ms
What to do? What to do? p
What to do? What to do? q
Bye
Have 431547 edges
000000004010844010c0b142952d6201211504a4c40040b000000004b11000000008011000000000000252952022222888888888a88aa804298280000004012c805b02580ba0324c00000a81c000000000000000400094a138140e023084a0000000202000000000e000008400000460c8ea000054240c900000000000000000000000000000000000000c0628240000222022088484d2300008010000000000000000000000000000000000000000000000000000000000000000000
...
"read(REPRL_CRFD, &action, 4) == 4" failed
tuhaoxin@oscar-optimal:~/github/fuzzilli/Misc/REPRL$

Could someone tell me what's the problem and how to figure it out? Thanks a lot!

saelo commented 4 years ago

Hi!

tuhaoxin@oscar-optimal:~/github/fuzzilli$ swift run -Xlinker='-lrt' -c release FuzzilliCli --profile=jsc ~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist/bin/js

Here you are using the wrong profile; try with --profile=spidermonkey. Does it work then?

Hanseltu commented 4 years ago

@saelo thank you very much! I changed the profile to spidermonkey as you advised, and it seems to work OK, but the statement still appears in the terminal. Does this mean I cannot store the crashes and analyze them?

tuhaoxin@oscar-optimal:~/github/fuzzilli$ swift run -Xlinker='-lrt' -c release FuzzilliCli --profile=spidermonkey ~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist/bin/js
[Cli] No filesystem storage configured, found crashes will be discarded!
[Coverage] Initialized, 431547 edges
[JavaScriptEnvironment] initialized static JS environment model
[JavaScriptEnvironment] Have 42 available builtins: ["Boolean", "RegExp", "DataView", "Proxy", "Promise", "Map", "isNaN", "eval", "parseInt", "arguments", "Function", "JSON", "Symbol", "Uint8Array", "Int16Array", "Math", "isFinite", "parseFloat", "Infinity", "undefined", "this", "String", "enqueueJob", "Number", "Float64Array", "bailout", "Uint32Array", "Uint8ClampedArray", "Object", "Uint16Array", "Array", "Float32Array", "drainJobQueue", "WeakSet", "Reflect", "WeakMap", "gc", "Int8Array", "ArrayBuffer", "Int32Array", "NaN", "Set"]
[JavaScriptEnvironment] Have 144 available method names: ["expm1", "get", "fround", "stringify", "c", "deleteProperty", "getPrototypeOf", "reduceRight", "find", "apply", "max", "setUint32", "codePointAt", "setInt8", "isSafeInteger", "acosh", "includes", "padEnd", "ownKeys", "some", "cbrt", "sort", "d", "ceil", "has", "getInt16", "create", "for", "setFloat64", "pop", "setPrototypeOf", "isArray", "getFloat32", "log1p", "sqrt", "padStart", "getUint32", "fromCharCode", "random", "reduce", "clear", "every", "cosh", "defineProperties", "indexOf", "slice", "getInt32", "copyWithin", "floor", "splice", "atan2", "hypot", "getUint8", "delete", "getOwnPropertyDescriptors", "fromCodePoint", "setFloat32", "startsWith", "log10", "trunc", "flatMap", "fromEntries", "trim", "cos", "fill", "is", "shift", "concat", "defineProperty", "abs", "join", "min", "values", "acos", "construct", "atan", "assign", "e", "sinh", "pow", "entries", "bind", "setUint8", "tanh", "round", "split", "toLocaleString", "getOwnPropertySymbols", "subarray", "flat", "keys", "setUint16", "imul", "endsWith", "from", "sin", "charCodeAt", "raw", "toString", "getInt8", "tan", "forEach", "set", "repeat", "substring", "unshift", "map", "getUint16", "getOwnPropertyDescriptor", "log", "b", "of", "isNaN", "seal", "charAt", "atanh", "isFinite", "add", "filter", "sign", "setInt16", "asinh", "exp", "isInteger", "keyFor", "getOwnPropertyNames", "call", "preventExtensions", "isSealed", "parse", "clz32", "a", "push", "reverse", "asin", "getFloat64", "freeze", "findIndex", "setInt32", "isExtensible", "isFrozen", "replace", "lastIndexOf", "log2"]
[JavaScriptEnvironment] Have 42 property names that are available for read access: ["EPSILON", "toStringTag", "POSITIVE_INFINITY", "length", "search", "asyncIterator", "replace", "species", "MAX_VALUE", "c", "byteOffset", "unscopable", "e", "E", "NEGATIVE_INFINITY", "buffer", "toString", "constructor", "MIN_SAFE_INTEGER", "iterator", "NaN", "arguments", "byteLength", "a", "b", "__proto__", "match", "name", "prototype", "matchAll", "valueOf", "MAX_SAFE_INTEGER", "description", "size", "caller", "PI", "d", "isConcatSpreadable", "split", "hasInstance", "MIN_VALUE", "toPrimitive"]
[JavaScriptEnvironment] Have 10 property names that are available for write access: ["__proto__", "c", "toString", "a", "valueOf", "constructor", "e", "b", "length", "d"]
[JavaScriptEnvironment] Have 5 custom property names: ["b", "c", "d", "e", "a"]
[Fuzzer] Initialized
[Fuzzer] Recommended timeout: at least 230ms. Current timeout: 250ms
[Fuzzer] Startup tests finished successfully
[Fuzzer] Let's go!
Fuzzer Statistics
-----------------
Total Samples:                170
Interesting Samples Found:    81
Valid Samples Found:          133
Corpus Size:                  81
Success Rate:                 78.24%
Timeout Rate:                 0.00%
Crashes Found:                0
Timeouts Hit:                 0
Coverage:                     7.60%
Avg. program size:            64.65
Connected workers:            0
Execs / Second:               47.91
Total Execs:                  3033

saelo commented 4 years ago

Yeah, for that just add the --storagePath=/path/to/some/dir flag (see https://github.com/googleprojectzero/fuzzilli/blob/master/Sources/FuzzilliCli/main.swift#L44); then it should work :)

Hanseltu commented 4 years ago

Great! Thanks a lot ~