uni-due-syssec/efcf-framework

CRITICAL fuzzer failed [2813 /efcf]

Closed this issue · 3 comments

acmLL commented

I installed EFCF via docker following the documentation. I tested the fuzzer on the baby example and it worked. But when I tried EFCF on the attached complex contract, it reported a failure and exited. Is it possible to fix this issue so I can see the attached contract being analyzed by EFCF (for crash, for example)? Thanks

The full report was:

efcfuzz --until-crash --out ./wethF_results/ --source ./wethF.sol
2023-04-26 12:48:29 47a3bf17c1f6 INFO launching EF/CF [2813 /efcf]
2023-04-26 12:48:29 47a3bf17c1f6 WARNING Could not locate fuzzing directory mount point [2813 /efcf]
2023-04-26 12:48:29 47a3bf17c1f6 WARNING Your fuzzing directory '/tmp/efcf' is not located on a ramdisk - we recommend to use a big tmpfs or zram device for the fuzzing directory. [2813 /efcf]
2023-04-26 12:48:29 47a3bf17c1f6 INFO guessing contract name: 'scWETH' [2813 /efcf]
2023-04-26 12:48:29 47a3bf17c1f6 INFO installing solidity version with solcx - if needed [2813 /efcf]
2023-04-26 12:49:16 47a3bf17c1f6 INFO compiling sources ['/efcf/wethF.sol'] with solc v0.8.19 [2813 /efcf]
2023-04-26 12:49:17 47a3bf17c1f6 INFO resetting evm repo [2813 /efcf]
2023-04-26 12:49:17 47a3bf17c1f6 INFO restoring from git [2813 /efcf/src/eEVM]
HEAD is now at 938146a initial import
Updated 33 paths from the index
2023-04-26 12:49:17 47a3bf17c1f6 INFO running evm2cpp: evm2cpp -e /efcf/src/eEVM scWETH /efcf/efcf-build-cache/202e5980fef15b6c5cbddefde05053e2_build.combined.json [2813 /efcf]
reading input /efcf/efcf-build-cache/202e5980fef15b6c5cbddefde05053e2_build.combined.json
Writing contracts to eEVM at /efcf/src/eEVM
Selecting contract scWETH from combined.json (identifier is scWETH)
Writing ABI to /efcf/src/eEVM/fuzz/abi/scWETH.abi
Translating contract with name scWETH (identifier scWETH) to C++...
Done!
2023-04-26 12:49:17 47a3bf17c1f6 INFO building eEVM with fuzz target scWETH [2813 /efcf/src/eEVM]
2023-04-26 13:01:03 47a3bf17c1f6 INFO eEVM / native code build finished [2813 /efcf/src/eEVM]
2023-04-26 13:01:03 47a3bf17c1f6 INFO copying build to /efcf/efcf-build-cache/scWETH.src.202e5980fef15b6c5cbddefde05053e2.fuzz.build from /efcf/src/eEVM [2813 /efcf]
2023-04-26 13:01:04 47a3bf17c1f6 INFO extracting build files to /tmp/efcf/scWETH.src.202e5980fef15b6c5cbddefde05053e2.vhuw7896.fuzz [2813 /efcf]
2023-04-26 13:01:04 47a3bf17c1f6 INFO preparing fuzz for target scWETH [2813 /tmp/efcf/scWETH.src.202e5980fef15b6c5cbddefde05053e2.vhuw7896.fuzz]
2023-04-26 13:01:04 47a3bf17c1f6 INFO launcher fuzzer on 1 CPU cores [2813 /tmp/efcf/scWETH.src.202e5980fef15b6c5cbddefde05053e2.vhuw7896.fuzz]
2023-04-26 13:01:04 47a3bf17c1f6 INFO launching fuzzer now! (AFL++ afl-fuzz) [2813 /tmp/efcf/scWETH.src.202e5980fef15b6c5cbddefde05053e2.vhuw7896.fuzz]
2023-04-26 13:01:05 47a3bf17c1f6 INFO afl-fuzz is done (exit code => 134) [2813 /tmp/efcf/scWETH.src.202e5980fef15b6c5cbddefde05053e2.vhuw7896.fuzz]
2023-04-26 13:01:06 47a3bf17c1f6 INFO checking fuzzing results
time : 0
total_time : 0
total_execs_done : 0
cumulative_execs_per_sec : 0
average_execs_per_sec : 0
total_crashes : 0
total_hangs : 0
fuzzer_count : 0
average_corpus_count : 0
average_corpus_found : 0
average_bitmap_cvg : 0
[2813 /tmp/efcf/scWETH.src.202e5980fef15b6c5cbddefde05053e2.vhuw7896.fuzz]
2023-04-26 13:01:06 47a3bf17c1f6 WARNING AFL++ fuzzer seems to have failed! [2813 /tmp/efcf/scWETH.src.202e5980fef15b6c5cbddefde05053e2.vhuw7896.fuzz]
2023-04-26 13:01:06 47a3bf17c1f6 INFO No bugs identified [2813 /tmp/efcf/scWETH.src.202e5980fef15b6c5cbddefde05053e2.vhuw7896.fuzz]
2023-04-26 13:01:06 47a3bf17c1f6 INFO fuzzer stopped - results stored to wethF_results [2813 /efcf]
2023-04-26 13:01:06 47a3bf17c1f6 CRITICAL fuzzer failed [2813 /efcf]
efcfuzz --until-crash --out ./wethF_results/ --source ./wethF.sol 795.45s user 19.23s system 107% cpu 12:37.71 total
wethF.sol.zip

f0rki commented

Please try with --verbose and --verbose-build and look at the results. Probably your system is not configured correctly, so AFL++ does not run correctly.

f0rki commented

Some more gotchas: for more complex examples you need to specify which contract to fuzz with --name. Also it seems the contract uses a lot of constant addresses, which often causes problems during fuzzing, because EF/CF does not know about those addresses so all calls will fail. You might want to look into using a live-state export from a go-ethereum or erigon node to fetch all the contract's dependencies.
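Before chasing contract-level causes such as constant addresses, it helps to confirm from the log itself that afl-fuzz never actually ran. The following check is an added example, not part of EF/CF or of this thread: it parses a constructed log modelled on the output above and flags the telltale signals (exit code 134, i.e. 128 + SIGABRT, zero fuzzer instances, zero executions), which is why "No bugs identified" carries no weight for such a run.

```python
import re

# Constructed sample of efcfuzz output, modelled on the log posted in this issue.
SAMPLE_LOG = """\
2023-04-26 13:01:05 47a3bf17c1f6 INFO afl-fuzz is done (exit code => 134) [2813 /tmp/efcf/x.fuzz]
2023-04-26 13:01:06 47a3bf17c1f6 INFO checking fuzzing results
time : 0
total_execs_done : 0
total_crashes : 0
fuzzer_count : 0
average_bitmap_cvg : 0
2023-04-26 13:01:06 47a3bf17c1f6 WARNING AFL++ fuzzer seems to have failed! [2813 /tmp/efcf/x.fuzz]
2023-04-26 13:01:06 47a3bf17c1f6 CRITICAL fuzzer failed [2813 /efcf]
"""

EXIT_RE = re.compile(r"afl-fuzz is done \(exit code => (\d+)\)")
STAT_RE = re.compile(r"^(\w+) : (\d+)$")  # matches the 'name : value' summary lines

def parse_run(log: str) -> dict:
    """Extract the afl-fuzz exit code and the summary stats from efcfuzz output."""
    result = {"exit_code": None, "stats": {}}
    for line in log.splitlines():
        m = EXIT_RE.search(line)
        if m:
            result["exit_code"] = int(m.group(1))
            continue
        m = STAT_RE.match(line.strip())
        if m:
            result["stats"][m.group(1)] = int(m.group(2))
    return result

def diagnose(run: dict) -> list:
    """Return human-readable reasons why the run should be treated as a failed launch."""
    reasons = []
    code = run["exit_code"]
    if code is not None and code >= 128:
        # Shell convention: 128 + signal number; 134 means afl-fuzz died from SIGABRT (6).
        reasons.append(f"afl-fuzz died from signal {code - 128} (exit code {code})")
    elif code:
        reasons.append(f"afl-fuzz exited with non-zero code {code}")
    stats = run["stats"]
    if stats.get("fuzzer_count", 0) == 0:
        reasons.append("no fuzzer instance reported stats")
    if stats.get("total_execs_done", 0) == 0:
        reasons.append("zero executions: the target never ran, so 'No bugs identified' is meaningless")
    return reasons

if __name__ == "__main__":
    for reason in diagnose(parse_run(SAMPLE_LOG)):
        print("-", reason)
```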

acmLL commented

Thanks, @f0rki ! The warnings are:

2023-04-26 14:02:16 47a3bf17c1f6 WARNING Could not locate fuzzing directory mount point [3691 /efcf]
2023-04-26 14:02:16 47a3bf17c1f6 WARNING Your fuzzing directory '/tmp/efcf' is not located on a ramdisk - we recommend to use a big tmpfs or zram device for the fuzzing directory. [3691 /efcf]

and close to the end of the report are:

2023-04-26 14:02:18 47a3bf17c1f6 WARNING AFL++ fuzzer seems to have failed! [3691 /tmp/efcf/WETH.src.b5120e67f7cb11176c995784502fa377.g2f2y0qk.fuzz]
2023-04-26 14:02:18 47a3bf17c1f6 INFO No bugs identified [3691 /tmp/efcf/WETH.src.b5120e67f7cb11176c995784502fa377.g2f2y0qk.fuzz]
2023-04-26 14:02:18 47a3bf17c1f6 WARNING over-writing existing fuzzing run! [3691 /tmp/efcf/WETH.src.b5120e67f7cb11176c995784502fa377.g2f2y0qk.fuzz]

It guessed the contract name correctly! I will try the live-state to see what happens.

Thanks a lot!