fuzzing crashes on the first seed #7

Open
zhunki opened this issue Aug 25, 2018 · 9 comments
Labels
crash first seed (ptfuzz crash on the first seed), help wanted (Extra attention is needed)

Comments

@zhunki

zhunki commented Aug 25, 2018

Dear authors,
First, glad to see there is such a cool tool to use. However, when I try to use it to fuzz a regular project, i.e., jsc, it crashes on the perform_dry_run step without any hints on what is happening.
Please see the following output:

=====================================================
python ./bin/ptfuzzer.py "-S f1 -m 1G -t 100+ -i /home/cs/webkit_fuzz/stress/ -o /home/cs/webkit_fuzz/ptout/" "/home/cs/webkit_fuzz/webkit/noinst/Release/bin/jsc "
binary type is executable
Program base by cle: 0x0
Program entry by cle: 0x40b840
.jsc.text exists, if you want to regenerate it, just delete this file.
sudo ./bin/afl-ptfuzz -r .jsc.text -l 4241472 -h 4399058 -e 4241472 -S f1 -m 1G -t 100+ -i /home/cs/webkit_fuzz/stress/ -o /home/cs/webkit_fuzz/ptout/ /home/cs/webkit_fuzz/webkit/noinst/Release/bin/jsc @@
afl-fuzz 2.52b by [email protected]
raw_bin: .jsc.text
min_addr: 4241472
max_addr: 4399058
entry_point: 4241472
init pt fuzzer.
start to disassmble binary...
build_cofi_map, total number of cofi instructions: 9726
cofi map complete percentage: 100%
[+] You have 12 CPU cores and 17 runnable tasks (utilization: 142%).
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning '/home/cs/webkit_fuzz/stress/'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:IIFE-es6-default-parameters.js'...
BRANCH_MODE is null, using default TNT mode.
Run ptfuzzer with TNT_MODE

[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:

- The test case causes known crashes under normal working conditions. If
  so, please remove it. The fuzzer should be seeded with interesting
  inputs - but not ones that cause an outright crash.

- The current memory limit (1.00 GB) is too low for this program, causing
  it to die due to OOM when parsing valid files. To fix this, try
  bumping it up with the -m setting in the command line. If in doubt,
  try something along the lines of:

  ( ulimit -Sv $[1023 << 10]; /path/to/binary [...] <testcase )

  Tip: you can use http://jwilk.net/software/recidivm to quickly
  estimate the required amount of virtual memory for the binary. Also,
  if you are using ASAN, see docs/notes_for_asan.txt.

- Least likely, there is a horrible bug in the fuzzer. If other options
  fail, poke <[email protected]> for troubleshooting tips.

[-] PROGRAM ABORT : Test case 'id:000000,orig:IIFE-es6-default-parameters.js' results in a crash
Location : perform_dry_run(), /home/cs/ptfuzzer/ptfuzzer/afl-pt/afl-ptfuzz.c:2935
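
As an added illustration (not part of the original report or of the PTfuzz/AFL code), here is a small POSIX shell script that reproduces AFL's dry run by hand: it runs the uninstrumented target on every seed under the same virtual-memory cap that AFL's -m would impose (the `ulimit -Sv` trick from the abort message above) and reports the seeds that die from a signal. Running this first is the quickest way to tell a seed that genuinely crashes the target from a crash that only appears under PT instrumentation. The function names, the target path, the seed directory and the memory size are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not project code: replay AFL's dry run on an
# uninstrumented target to find seeds that crash on their own.
#
# Usage: count_crashing_seeds /path/to/target /path/to/seeds [MEM_MB]
#   prints the number of crashing seeds on stdout and one
#   "CRASH (<status>): <seed>" line per crashing seed on stderr.

# Run the target on a single seed under a soft virtual-memory limit and
# print the resulting exit status (the target's stdout/stderr is discarded).
run_one_seed() {
  target=$1; seed=$2; mem_mb=$3
  # ulimit -Sv takes KB; AFL's hint uses the same "mb << 10" arithmetic.
  # The cap is best-effort: if the shell cannot set it, run the seed anyway.
  if ( ulimit -Sv $((mem_mb << 10)) 2>/dev/null || true
       "$target" "$seed" >/dev/null 2>&1 ); then
    echo 0
  else
    echo $?
  fi
}

# Walk the seed directory, flag every seed whose run ended by a signal
# (shells report that as 128 + signal number, e.g. 139 = SIGSEGV,
# 134 = SIGABRT), and print how many such seeds were found.
count_crashing_seeds() {
  target=$1; indir=$2; mem_mb=${3:-1024}   # 1024 MB mirrors "-m 1G"
  crashes=0
  for seed in "$indir"/*; do
    [ -f "$seed" ] || continue
    status=$(run_one_seed "$target" "$seed" "$mem_mb")
    if [ "$status" -ge 128 ]; then
      echo "CRASH ($status): $seed" >&2
      crashes=$((crashes + 1))
    fi
  done
  echo "$crashes"
}

# Example invocation with placeholder paths (assumed, not from the issue):
#   count_crashing_seeds /path/to/jsc /path/to/stress 1024
```

If this reports zero crashing seeds but afl-ptfuzz still aborts in perform_dry_run, the crash is being introduced by the instrumented run rather than by the corpus, which is the distinction the discussion below turns on.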

@zhanggenex
Member

@zhunki It simply means your target program crashes on the first input. AFL defines that the first input MUST NOT crash. You can use another input that does not crash the target program.

@zhunki
Author

zhunki commented Aug 27, 2018

I have already fuzzed the target for a long time and am pretty sure this seed shouldn't trigger a crash. I think the most probable reason is that the instrumentation may cause the target to crash. To confirm, I removed the original first seed, and the fuzzing now crashes on another first seed.

@zhanggenex zhanggenex added the help wanted (Extra attention is needed) and crash first seed (ptfuzz crash on the first seed) labels on Apr 9, 2019
@w343555629

I also faced this problem, did you solve it?

@r-2007

r-2007 commented Aug 19, 2020

Was anyone able to find a fix?

@ghost

ghost commented Sep 8, 2020

Has anyone found a solution ? I'm facing the same problem.

@w343555629

Make sure you can run the target_method many times first.

@xmtxuuuu

xmtxuuuu commented Oct 6, 2020

me too...

@docfate111

I am also having that issue

@0xKira

0xKira commented Feb 14, 2022 via email

7 participants