Spidermonkey, Crash Case fails #482

Open
parthdt opened this issue Dec 14, 2024 · 1 comment
parthdt commented Dec 14, 2024

For some reason FUZZILLI_CRASH cases aren't working for fuzzilli when I run it on SpiderMonkey.

I have built and run from the latest repo of gecko. Running the shell locally and trying the crash works.

/mach run
 0:03.67 /home/dresden/gecko-dev/obj-fuzzbuild/dist/bin/js
[COV] no shared memory bitmap available, skipping
[COV] edge counters initialized. Shared memory: (null) with 332092 edges
js> fuzzilli('FUZZILLI_CRASH','0')
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==20304==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000041414141 (pc 0x5c6f2bdfd038 bp 0x7ffde5e4eca0 sp 0x7ffde5e4ec00 T20304)
==20304==The signal is caused by a WRITE memory access.
    #0 0x5c6f2bdfd038 in Fuzzilli(JSContext*, unsigned int, JS::Value*) /home/dresden/gecko-dev/js/src/shell/js.cpp:3996:29
    #1 0x5c6f2beb52de in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:532:13
    #2 0x5c6f2beb45ac in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:628:12
    #3 0x5c6f2bece0e4 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:700:10
    #4 0x5c6f2bece0e4 in js::Interpret(JSContext*, js::RunState&) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:3338:16
    #5 0x5c6f2beb3409 in js::RunScript(JSContext*, js::RunState&) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:502:13
    #6 0x5c6f2beb8911 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:893:13
    #7 0x5c6f2beb911c in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:926:10
    #8 0x5c6f2c0b0ae9 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/dresden/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:601:10
    #9 0x5c6f2c0b07f3 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/dresden/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:618:10
    #10 0x5c6f2be0f177 in EvalUtf8AndPrint(JSContext*, char const*, unsigned long, int, bool) /home/dresden/gecko-dev/js/src/shell/js.cpp:1807:8
    #11 0x5c6f2be0f177 in ReadEvalPrintLoop(JSContext*, _IO_FILE*, bool) /home/dresden/gecko-dev/js/src/shell/js.cpp:1882:13
    #12 0x5c6f2be0f177 in Process(JSContext*, char const*, bool, FileKind) /home/dresden/gecko-dev/js/src/shell/js.cpp:1965:10
    #13 0x5c6f2bdc90be in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/dresden/gecko-dev/js/src/shell/js.cpp:11636:12
    #14 0x5c6f2bdc90be in Shell(JSContext*, js::cli::OptionParser*) /home/dresden/gecko-dev/js/src/shell/js.cpp:11994:12
    #15 0x5c6f2bdc03da in main /home/dresden/gecko-dev/js/src/shell/js.cpp:12409:12
    #16 0x7265fc629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7265fc629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #18 0x5c6f2bd873f8 in _start (/home/dresden/gecko-dev/obj-fuzzbuild/dist/bin/js+0x1c2c3f8) (BuildId: 95506af84b0037d5135e7eb22dda4ca9)

==20304==Register values:
rax = 0x00005c6f2bdfd038  rbx = 0xfffb000000000000  rcx = 0x00005c6f2a3a981c  rdx = 0x0000000000000008  
rdi = 0x00005c6f2e0492b8  rsi = 0x00007265fb3e40a8  rbp = 0x00007ffde5e4eca0  rsp = 0x00007ffde5e4ec00  
 r8 = 0x00007ffde5e4ece0   r9 = 0x00007265fc100ee8  r10 = 0x00007265fb300018  r11 = 0x00007265fc100ee8  
r12 = 0x00007ffde5e4ec30  r13 = 0x00007265fb336230  r14 = 0x00007265fb336200  r15 = 0x00007265fb3e40a8  
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/dresden/gecko-dev/js/src/shell/js.cpp:3996:29 in Fuzzilli(JSContext*, unsigned int, JS::Value*)
==20304==ABORTING

But Fuzzilli doesn't detect it:

Fuzzer] Changing state from uninitialized to corpusGeneration
[Fuzzer] Initialized
[Fuzzer] Testcase "fuzzilli('FUZZILLI_CRASH', 0)" did not crash
[Fuzzer] Shutting down due to fatal error

++++++++++ Fuzzer Finished ++++++++++

Help would be appreciated!! 😃
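A small triage helper, added here and not part of the issue, of Fuzzilli or of SpiderMonkey, that parses a sanitizer SEGV report like the one posted above and checks that it is the shell's deliberate `FUZZILLI_CRASH` write to `0x41414141` (the address, access type and frame come from the report above; the sample is a trimmed copy of that report, and the constant name and functions are this example's own):

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a trimmed excerpt of the UBSan report quoted in the issue above.
SAMPLE_REPORT = """\
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==20304==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000041414141 (pc 0x5c6f2bdfd038 bp 0x7ffde5e4eca0 sp 0x7ffde5e4ec00 T20304)
==20304==The signal is caused by a WRITE memory access.
    #0 0x5c6f2bdfd038 in Fuzzilli(JSContext*, unsigned int, JS::Value*) /home/dresden/gecko-dev/js/src/shell/js.cpp:3996:29
    #1 0x5c6f2beb52de in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:532:13
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/dresden/gecko-dev/js/src/shell/js.cpp:3996:29 in Fuzzilli(JSContext*, unsigned int, JS::Value*)
==20304==ABORTING
"""

# Sentinel address the report above shows FUZZILLI_CRASH writing to (constant name is this example's).
FUZZILLI_CRASH_ADDR = 0x41414141


@dataclass
class SanitizerCrash:
    sanitizer: str   # e.g. UndefinedBehaviorSanitizer / AddressSanitizer
    signal: str      # e.g. SEGV
    address: int     # faulting address
    access: str      # READ, WRITE or UNKNOWN
    top_frame: str   # function of frame #0
    location: str    # file:line:col of frame #0


_ERR = re.compile(r"==\d+==ERROR: (\w+): (\w+) on unknown address 0x([0-9a-f]+)")
_ACC = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
_FRAME0 = re.compile(r"^\s*#0 0x[0-9a-f]+ in (.+?) (\S+:\d+:\d+)$", re.M)


def parse_sanitizer_report(text: str) -> Optional[SanitizerCrash]:
    """Return the parsed crash, or None when the output contains no sanitizer SEGV report."""
    m = _ERR.search(text)
    if not m:
        return None
    acc = _ACC.search(text)
    fr = _FRAME0.search(text)
    return SanitizerCrash(
        sanitizer=m.group(1), signal=m.group(2), address=int(m.group(3), 16),
        access=acc.group(1) if acc else "UNKNOWN",
        top_frame=fr.group(1) if fr else "?", location=fr.group(2) if fr else "?")


def is_fuzzilli_sentinel_crash(crash: SanitizerCrash) -> bool:
    """True when the crash is the intentional self-test write, not a real engine bug."""
    return (crash.address == FUZZILLI_CRASH_ADDR and crash.access == "WRITE"
            and crash.top_frame.startswith("Fuzzilli("))
```

Run the shell by hand as in the issue, feed its stderr to `parse_sanitizer_report`, and a sentinel match confirms the binary itself crashes as expected; a `did not crash` from Fuzzilli for the same input then points at how Fuzzilli launches or observes the shell rather than at the crash itself.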

@TobiasWienand
Contributor

Did you build spidermonkey with fuzzbuild.sh?

If there is no shared memory available this indicates that the engine fuzzilli is executing is not instrumented.

To fix it, do the following:

  1. cp pathto/fuzzilli/Targets/Spidermonkey/fuzzbuild.sh pathto/gecko-dev/
  2. cd pathto/gecko-dev/ && bash fuzzbuild.sh
    (you might need to install rust and pick a specific variant of the engine, e.g. SpiderMonkey JavaScript engine)
  3. cd pathto/fuzzilli && swift run FuzzilliCli --profile=spidermonkey pathto/gecko-dev/obj-fuzzbuild/dist/bin/js

I hope that helps. Happy hacking
