hunter-ht-2018/ptfuzzer

fuzzing crashes on the first seed

Opened this issue · 9 comments

Dear authors,
First, glad to see there is such a cool tool to use. However, when I try to use it to fuzz a regular project, i.e., jsc, it crashes on the perform_dry_run step without any hints on what is happening.
Please see the following output:

=====================================================
python ./bin/ptfuzzer.py "-S f1 -m 1G -t 100+ -i /home/cs/webkit_fuzz/stress/ -o /home/cs/webkit_fuzz/ptout/" "/home/cs/webkit_fuzz/webkit/noinst/Release/bin/jsc "
binary type is executable
Program base by cle: 0x0
Program entry by cle: 0x40b840
.jsc.text exists, if you want to regenerate it, just delete this file.
sudo ./bin/afl-ptfuzz -r .jsc.text -l 4241472 -h 4399058 -e 4241472 -S f1 -m 1G -t 100+ -i /home/cs/webkit_fuzz/stress/ -o /home/cs/webkit_fuzz/ptout/ /home/cs/webkit_fuzz/webkit/noinst/Release/bin/jsc @@
afl-fuzz 2.52b by lcamtuf@google.com
raw_bin: .jsc.text
min_addr: 4241472
max_addr: 4399058
entry_point: 4241472
init pt fuzzer.
start to disassmble binary...
build_cofi_map, total number of cofi instructions: 9726
cofi map complete percentage: 100%
[+] You have 12 CPU cores and 17 runnable tasks (utilization: 142%).
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning '/home/cs/webkit_fuzz/stress/'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,orig:IIFE-es6-default-parameters.js'...
BRANCH_MODE is null, using default TNT mode.
Run ptfuzzer with TNT_MODE

[-] Oops, the program crashed with one of the test cases provided. There are
several possible explanations:

- The test case causes known crashes under normal working conditions. If
  so, please remove it. The fuzzer should be seeded with interesting
  inputs - but not ones that cause an outright crash.

- The current memory limit (1.00 GB) is too low for this program, causing
  it to die due to OOM when parsing valid files. To fix this, try
  bumping it up with the -m setting in the command line. If in doubt,
  try something along the lines of:

  ( ulimit -Sv $[1023 << 10]; /path/to/binary [...] <testcase )

  Tip: you can use http://jwilk.net/software/recidivm to quickly
  estimate the required amount of virtual memory for the binary. Also,
  if you are using ASAN, see docs/notes_for_asan.txt.

- Least likely, there is a horrible bug in the fuzzer. If other options
  fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.

[-] PROGRAM ABORT : Test case 'id:000000,orig:IIFE-es6-default-parameters.js' results in a crash
Location : perform_dry_run(), /home/cs/ptfuzzer/ptfuzzer/afl-pt/afl-ptfuzz.c:2935

@zhunki It simply means your target program crashes on the first input. AFL defines that the first input MUST NOT crash. You can use another input that does not crash the target program.

I have already fuzzed the target for a long time and am pretty sure this seed shouldn't trigger a crash. I think the most probable reason is that the instrumentation may cause the target to crash. To confirm, I removed the original first seed and the fuzzing now crashes on the new first seed.
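The two comments above disagree on whether the seeds or the harness are at fault. One way to settle that before starting afl-ptfuzz is to replay every seed against the plain target under the same memory limit (the `( ulimit -Sv ...; binary ... <testcase )` tip from the AFL message) and see which ones crash on their own. The script below is an added example, not part of ptfuzzer or AFL; the `jsc`-like target and the two seeds it builds are constructed stand-ins for the real corpus.

```sh
#!/bin/sh
# Added example, not part of ptfuzzer or AFL: replay every seed in an AFL-style
# input directory against the target under the memory limit afl-fuzz would apply
# (-m, in MB) and report which seeds crash outside the fuzzer. If none do, the
# dry-run crash comes from the harness rather than the corpus.
# run_one_seed TARGET SEED MEM_MB TIMEOUT_S -> prints OK/CRASH/TIMEOUT for one seed
run_one_seed() {
  target=$1; seed=$2; mem_mb=$3; timeout_s=$4; status=0
  # use coreutils timeout when present so a hanging seed cannot stall the check
  tmo=""; command -v timeout >/dev/null 2>&1 && tmo="timeout $timeout_s"
  # soft virtual-memory cap, the same idea as afl's "( ulimit -Sv ...; binary )" tip
  ( ulimit -Sv $((mem_mb * 1024)) 2>/dev/null || true
    $tmo "$target" "$seed" ) >/dev/null 2>&1 || status=$?
  if [ "$status" -eq 124 ]; then echo "TIMEOUT"
  elif [ "$status" -gt 128 ]; then echo "CRASH signal=$((status - 128))"
  else echo "OK exit=$status"
  fi
}

# count_crashing_seeds TARGET SEED_DIR MEM_MB TIMEOUT_S -> per-seed report on
# stderr, number of crashing seeds on stdout (the seeds to drop before fuzzing)
count_crashing_seeds() {
  target=$1; dir=$2; mem_mb=$3; timeout_s=$4; n=0
  for seed in "$dir"/*; do
    [ -f "$seed" ] || continue
    result=$(run_one_seed "$target" "$seed" "$mem_mb" "$timeout_s")
    echo "$(basename "$seed"): $result" >&2
    case $result in CRASH*) n=$((n + 1)) ;; esac
  done
  echo "$n"
}

# make_demo_corpus DIR: constructed stand-in for the jsc corpus in the report:
# a tiny "target" script that dies with SIGSEGV on any seed containing "crash",
# plus one clean and one crashing seed under DIR/seeds
make_demo_corpus() {
  mkdir -p "$1/seeds"
  printf 'function f(a = 1) {}\n' > "$1/seeds/id:000000,orig:ok.js"
  printf 'crash\n' > "$1/seeds/id:000001,orig:bad.js"
  printf '#!/bin/sh\ngrep -q crash "$1" && kill -s SEGV $$\nexit 0\n' > "$1/target.sh"
  chmod +x "$1/target.sh"
}

# stand-alone demo: reports 1 crashing seed (id:000001) out of two
demo_dir=$(mktemp -d)
make_demo_corpus "$demo_dir"
count_crashing_seeds "$demo_dir/target.sh" "$demo_dir/seeds" 1024 5
rm -rf "$demo_dir"
```

For the real case, point it at `/home/cs/webkit_fuzz/webkit/noinst/Release/bin/jsc` and `/home/cs/webkit_fuzz/stress/` with the same 1024 MB limit as `-m 1G`; a seed reported as CRASH belongs out of the corpus, while an all-OK run points at the tracing harness.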

I also faced this problem, did you solve it?

Was anyone able to find a fix?

Has anyone found a solution? I'm facing the same problem.

Make sure you can run the target_method many times first.

me too...

I am also having that issue