Grammar mutator issue : _pick_non_term_node #35

Open
Microsvuln opened this issue Jan 31, 2022 · 8 comments

@Microsvuln
Hello.

When running Grammar Mutator on a target, there is a problem right before running AFL++ on the target.

Here is the log:

mic@mic-System-Product-Name:~/Documents/AFLplusplus$ ./afl-fuzz -m 128 -d -i testcases/others/js/ -o myouts4 -- /home/mic/Documents/jerryscript/build/bin/jerry @@
[+] Loaded environment variable AFL_CUSTOM_MUTATOR_ONLY with value 1
[+] Loaded environment variable AFL_CUSTOM_MUTATOR_LIBRARY with value /home/mic/Documents/AFLplusplus/custom_mutators/grammar_mutator/grammar_mutator/libgrammarmutator-javascript.so
afl-fuzz++4.00c based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[+] You have 24 CPU cores and 2 runnable tasks (utilization: 8%).
[+] Try parallel jobs - see docs/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Loading custom mutator library from '/home/mic/Documents/AFLplusplus/custom_mutators/grammar_mutator/grammar_mutator/libgrammarmutator-javascript.so'...
[*] optional symbol 'afl_custom_post_process' not found.
[*] optional symbol 'afl_custom_havoc_mutation' not found.
[*] optional symbol 'afl_custom_havoc_mutation_probability' not found.
[*] Symbol 'afl_custom_describe' not found.
[+] Custom mutator '/home/mic/Documents/AFLplusplus/custom_mutators/grammar_mutator/grammar_mutator/libgrammarmutator-javascript.so' installed successfully.
[*] Scanning 'testcases/others/js/'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] Target map size: 65536
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:small_script.js'...
    len = 20, map size = 1386, exec speed = 174 us
[+] All test cases processed.
[+] Here are some useful stats:

    Test case count : 1 favored, 0 variable, 0 ignored, 1 total
       Bitmap range : 1386 to 1386 bits (average: 1386.00 bits)
        Exec timing : 174 to 174 us (average: 174 us)

[*] No -t option specified, so I'll use an exec timeout of 20 ms.
[+] All set and ready to roll!
_pick_non_term_node returns NULL: No such file or directory

_pick_non_term_node returns NULL: No such file or directory

Flags:

export RANDOM_MUTATION_STEPS=10000
export RANDOM_RECURSIVE_MUTATION_STEPS=10000
export SPLICING_MUTATION_STEPS=10000
export AFL_CUSTOM_MUTATOR_LIBRARY=./libgrammarmutator-javascript.so
export AFL_CUSTOM_MUTATOR_ONLY=1

Ubuntu 20.04
AFL++ 4.00

Any ideas?

@h1994st
Collaborator

h1994st commented Jan 31, 2022

How do you generate the corpus (i.e., files in testcases/others/js/)? It seems the mutation operation is applied to an empty grammar tree.

The error might be thrown from here:

node_t *node = node_pick_non_term_subnode(mutated_tree->root);
if (unlikely(node == NULL)) {
  // By design, _pick_non_term_node should not return NULL
  // Note: perror() appends strerror(errno), but errno is not set by this
  // NULL return, so the suffix ("No such file or directory", "Interrupted
  // system call", ...) is stale text from an earlier libc call, not the cause.
  perror("_pick_non_term_node returns NULL");
  exit(EXIT_FAILURE);
}

@h1994st h1994st self-assigned this Jan 31, 2022
@h1994st h1994st added the bug Something isn't working label Jan 31, 2022
@agoodm88

I am also trying to fuzz javascript using Grammar Mutator and a customised grammar file. The process starts off great but within a day or two I perpetually run into the fuzzer crashing as described here.

In my case I am not adding any additional test cases other than the trees generated by Grammar Mutator and am at a loss as to what is going wrong. From what I can see, only the master process is crashing for me.

@shafouz

shafouz commented Oct 9, 2023

Try and run with a new empty output directory and an input directory generated from the grammar_generator-YOURGRAMMAR binary. I had the same problem and this worked for me.

@bendrissou

bendrissou commented Jun 19, 2024

I ran into the same bug. The fuzzing started great, but then after 22 minutes it crashed:

_pick_non_term_node returns NULL: Interrupted system call

The seed inputs were generated using the provided generator: libgrammarmutator-lua.so

The following is the current input as saved by AFL in .cur_input file:

function :uq (...) function . () ;
;

end
goto labela

end

Thanks.

@bendrissou

Another crash:

_pick_non_term_node returns NULL: Numerical result out of range

Current input:

::labelb::
for r={}, (nil), (((((((((((((((((((((((((((((0xc.A)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)) ""
do

end

@ljedrz

ljedrz commented Sep 9, 2024

This can happen if you neglect to include the start node; happened to me by accident once, went away right away once I put it back.

@Kristopher38

I'm also hitting this issue:

[+] Enabled environment variable AFL_CUSTOM_MUTATOR_LIBRARY with value ./libgrammarmutator-lua.so
[+] Enabled environment variable AFL_CUSTOM_MUTATOR_ONLY with value 1
[+] Enabled environment variable AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES with value 1
[+] Enabled environment variable AFL_SKIP_CPUFREQ with value 1
afl-fuzz++4.21c based on afl by Michal Zalewski and a large online community
[...]
[*] Loading custom mutator library from './libgrammarmutator-lua.so'...
[+] Found 'afl_custom_mutator'.
[+] Found 'afl_custom_fuzz_count'.
[*] optional symbol 'afl_custom_post_process' not found.
[+] Found 'afl_custom_init_trim'.
[+] Found 'afl_custom_trim'.
[+] Found 'afl_custom_post_trim'.
[*] optional symbol 'afl_custom_havoc_mutation' not found.
[*] optional symbol 'afl_custom_havoc_mutation_probability' not found.
[+] Found 'afl_custom_queue_get'.
[*] optional symbol 'afl_custom_splice_optout' not found.
[*] optional symbol 'afl_custom_fuzz_send' not found.
[*] optional symbol 'afl_custom_post_run' not found.
[+] Found 'afl_custom_queue_new_entry'.
[*] optional symbol 'afl_custom_describe' not found.
[+] Custom mutator './libgrammarmutator-lua.so' installed successfully.
[*] Scanning 'seeds'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[+] Persistent mode binary detected.
[*] Spinning up the fork server...
[*] Using AFL++ faux forkserver...
[!] WARNING: Old fork server model is used by the target, this still works though.
[+] All right - old fork server is up.
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:0'...
[!] WARNING: instability detected during calibration
    len = 215, map size = 1738, exec speed = 16557 us, hash = 038e4cab3f53c0cc
[!] WARNING: Instrumentation output varies across runs.
[+] All test cases processed.
[!] WARNING: The target binary is pretty slow! See /usr/share/doc/afl/fuzzing_in_depth.md#i-improve-the-speed
[+] Here are some useful stats:

    Test case count : 1 favored, 1 variable, 0 ignored, 1 total
       Bitmap range : 1738 to 1738 bits (average: 1738.00 bits)
        Exec timing : 16.6k to 16.6k us (average: 16.6k us)

[*] No -t option specified, so I'll use an exec timeout of 60 ms.
[+] All set and ready to roll!
_pick_non_term_node returns NULL: No such file or directory

This is because indeed the grammar tree is missing from out/default/trees, since I'm using my preexisting corpus of sources. The readme doesn't say how to generate such a tree from a preexisting corpus, only how to generate it with the resulting grammar_generator-<lang> binary. Has anyone figured it out?
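A pre-flight check for the situation described in this thread, added here as an example and not part of the Grammar Mutator project: it assumes the generator's layout of one tree file per seed with the same basename (seeds/0 pairs with trees/0) and reports every seed whose tree file is absent or empty, so the mismatch is caught before afl-fuzz is started rather than by the `_pick_non_term_node returns NULL` exit.

```shell
#!/bin/sh
# Assumed layout (matches what grammar_generator-<lang> writes):
#   <seeds_dir>/<name>  is the test case
#   <trees_dir>/<name>  is its serialized grammar tree
# Treating an empty tree file as missing is an assumption made here.
#
# Usage: missing_trees SEEDS_DIR TREES_DIR
# Prints the basename of every seed without a usable tree, one per line.
# Returns 0 when every seed has a tree, 1 otherwise.
missing_trees() {
    seeds_dir=$1
    trees_dir=$2
    missing=0
    for seed in "$seeds_dir"/*; do
        # Skip the literal glob when the directory is empty, and skip subdirs.
        [ -f "$seed" ] || continue
        name=$(basename "$seed")
        # -s: file exists and is non-empty.
        if [ ! -s "$trees_dir/$name" ]; then
            echo "$name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```

Run it against the input directory and the `trees` directory that will be fed to afl-fuzz; a non-zero exit means at least one seed would reach the mutator without a tree.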

@renatahodovan

I'm struggling with the same issue while trying to use Grammar-Mutator from AFL with a preexisting source-based corpus. (Note: using source-based seeds works when running the built-in generator like ./grammar_generator-ruby 100 1000 ./seeds ./trees, where the seeds directory contains the sources and the trees directory is empty at the beginning). Could anybody give us a hint?

8 participants