Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    Renáta Hodován
    @renatahodovan
    yeah, it's familiar. I also keep switching between hobby fuzzing and bubble blowing with my daughter :P

    Thanks so much for your help on this.

    you're welcome :)

    Paulo Matos
    @pmatos

    This was working before but after today's changes it's a byte string instead.

    what were the changes?

    Still trying to determine when this broke.

    I am starting to think that validation never worked properly. I think that the command is a string when we first run the SUT. Then for validation we load the SUT from the database, create a path and the command becomes bytes.

    I have absolutely no evidence of the above. Trying to grok the code atm.
    Nah - that can't be right. The load from the database is for the test which forms a test file_path in the file_writer_decorator.py.
    What I am seeing is the command as bytes.
    Paulo Matos
    @pmatos
    fuzzer_1  | Exception in <fuzzinator.job.validate_job.ValidateJob object at 0xf48e6370>: expected str, got bytes
    fuzzer_1  | Traceback (most recent call last):
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/controller.py", line 413, in _run_job
    fuzzer_1  |     for issue in job.run():
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/job/validate_job.py", line 29, in run
    fuzzer_1  |     _, new_issues = self.validate()
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/job/validate_job.py", line 37, in validate
    fuzzer_1  |     issue = sut_call(**sut_call_kwargs)
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/config.py", line 42, in __call__
    fuzzer_1  |     return self._callable(*args, **kwargs)
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/call/file_writer_decorator.py", line 60, in writer
    fuzzer_1  |     issue = fn(*args, **kwargs)
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/call/anonymize_decorator.py", line 46, in filter
    fuzzer_1  |     issue = fn(*args, **kwargs)
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/call/subprocess_property_decorator.py", line 59, in filter
    fuzzer_1  |     issue = fn(*args, **kwargs)
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/call/subprocess_property_decorator.py", line 59, in filter
    fuzzer_1  |     issue = fn(*args, **kwargs)
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/call/subprocess_property_decorator.py", line 59, in filter
    fuzzer_1  |     issue = fn(*args, **kwargs)
    fuzzer_1  |   [Previous line repeated 1 more time]
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/call/platform_info_decorator.py", line 34, in filter
    fuzzer_1  |     issue = fn(*args, **kwargs)
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/call/unique_id_decorator.py", line 45, in filter
    fuzzer_1  |     issue = fn(*args, **kwargs)
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/call/gdb_backtrace_decorator.py", line 60, in filter
    fuzzer_1  |     issue = fn(*args, **kwargs)
    fuzzer_1  |   File "/jscfuzz/venv/lib/python3.7/site-packages/fuzzinator/call/exit_code_filter.py", line 53, in filter
    fuzzer_1  |     issue = fn(*args, **kwargs)
    fuzzer_1  |   File "/jscfuzz/jsc32-fuzz/fuzzinator/igalia/fuzzinator/call/subprocess_jsccall.py", line 66, in SubprocessJSCCall
    fuzzer_1  |     command = formatter.vformat(command, (), mapping)
    fuzzer_1  |   File "/usr/lib/python3.7/string.py", line 190, in vformat
    fuzzer_1  |     result, _ = self._vformat(format_string, args, kwargs, used_args, 2)
    fuzzer_1  |   File "/usr/lib/python3.7/string.py", line 200, in _vformat
    fuzzer_1  |     self.parse(format_string):
    fuzzer_1  |   File "/usr/lib/python3.7/string.py", line 284, in parse
    fuzzer_1  |     return _string.formatter_parser(format_string)
    fuzzer_1  | TypeError: expected str, got bytes
    Paulo Matos
    @pmatos
    Reproducing this is quite a pain, unless I manage to inject something into the db manually but without knowing the db format it's hard.
    Paulo Matos
    @pmatos
    I think I found the problem by inspecting the database. This is a simple database:
    > use fuzzinator
    switched to db fuzzinator
    > db.getCollection('fuzzinator_issues').find({})
    { "_id" : ObjectId("60d1ea728c198c90cb14ffd5"), "id" : "  ", "sut" : "jsc", "backtrace" : BinData(0,""), "build_command" : BinData(0,"L2pzY2Z1enovanNjMzItZnV6ei9jb25maWdzL2pzYy1idWlsZC5zaCBsaW51eDMyCg=="), "build_name" : BinData(0,"ZGVidWdPcHQgSlNDT25seQo="), "command" : BinData(0,"Li9XZWJLaXRCdWlsZC9EZWJ1Zy9iaW4vanNjIHtvcHRpb25zfSB7dGVzdH0K"), "count" : 67, "exit_code" : -6, "first_seen" : ISODate("2021-06-22T13:49:38.486Z"), "fuzzer" : "js-fuzzer", "last_seen" : ISODate("2021-06-22T14:05:05.959Z"), "node" : "bc861183bc96", "options" : "--returnEarlyFromInfiniteLoopsForFuzzing=1 --earlyReturnFromInfiniteLoopsLimit=1000000 --useConcurrentGC=0", "platform" : "Linux-5.10.0-0.bpo.7-arm64-aarch64-with-debian-10.9", "reduced" : null, "reported" : false, "stderr" : BinData(0,""), "stdout" : BinData(0,"QlVHTlVNQkVSOiAKU1RBVFVTOiBTd2l0Y2ggd2l0aCBtb3JlIHRoYW4gNjRrIGF0b21zCiBQQVNTRUQhIFN3aXRjaCB3aXRoIG1vcmUgdGhhbiA2NGsgYXRvbXMK"), "subconfig" : { "subconfig" : "c7b4b647b" }, "test" : "/jscfuzz/fuzzinator-tmp/js_fuzzer/10855-4102971824/fuzz-9.js", "version" : BinData(0,"YTZhZmZlYTdmZDEyMzUyMGM2MGI3MzExZjI1YThlZmRjMDFjZGU3Ygo=") }
    command is saved in the database as a BinData and when it is read, it's read as bytes.
    So either it's saved as a string to begin with
    or we convert the bytes to string when reading.
    I think it makes sense to save it as a string like we do for the sut key for example.
    So currently backtrace, build_command, build_name, command, stderr, stdout are currently bindata.
    I wonder if any of those have a reason for being bindata.
    Paulo Matos
    @pmatos
    somewhere something must transform command into bytes or something. :)
    Renáta Hodován
    @renatahodovan
    I'm inspecting the code and your example database in the meantime and trying to undestand what's going on
    the first thing I don't understand, who does save the command into the database? it should not be there in the first place, it should be read from the config during the validation as well.
    second, is this a test database or a real fuzzer entry? (since there are a few interesting/wrong entry in it)
    Paulo Matos
    @pmatos
    it's a real fuzzer entry!
    however, your last message on the "who saves the command into the database" triggered me to look at my config and I found at least one problem:
    Renáta Hodován
    @renatahodovan
    third: is it the master branch that you are currently using? https://github.com/pmatos/jsc32-fuzz
    Paulo Matos
    @pmatos
    # Saves the execution command as command
    [sut.jsc.call.decorate(8)]
    property=command
    command=echo "${sut.jsc.call:command}"

    third: is it the master branch that you are currently using? https://github.com/pmatos/jsc32-fuzz

    yes

    Renáta Hodován
    @renatahodovan
    yes, I guess that this is a subprocessPropertyDecorator which save the stdout as byte array
    Paulo Matos
    @pmatos
    This should fix the command issue: pmatos/jsc32-fuzz@e4e3a64
    which other issues did you see?
    Renáta Hodován
    @renatahodovan
    yes, this should solve it, since right now your SubprocessJSCCall receives two command arguments, one from the config and one from the database. the first one is a string and the second one is a byte array (I think this way at least)
    Paulo Matos
    @pmatos
    I was actually thinking that you might read the command from the config as a string and then somehow when you import the database, you overwrite the sut['command'] with the bytes and then the validation fails.
    I wonder if some property names should be marked as special and not allowed.
    This is quite the pitfall.
    Renáta Hodován
    @renatahodovan

    which other issues did you see?

    first, your id field is empty: "id" : " ". it should be filled with a unique identifier extracted/built e.g, from the stderr. This id helps fuzzinator to avoid saving the same issue multiple times. probably your regex filter should be double-checked. the problem with this means that fuzzinator cannot distinguish the issues properly and it might misses to save further issues.

    Paulo Matos
    @pmatos
    Yes, I caused this recently...
    I removed the RegEx filter and lost the id.
    Tuomas (Apple fuzzing guy) suggested I stop fuzzing jsc with asan and when I removed the asan stuff, mistakingly I removed the regex as well.
    Need to re-add that.
    At the same time, we should implement some sort of warning when the id values are not defined to avoid an empty id.
    Renáta Hodován
    @renatahodovan
    second, the "test" field contains a file path instead of the content of the failing test case. the problem with this, that in a usual fuzzing scenario test cases are only kept until a batch of tests are executed. After this, the old tests are removed and new ones are generated. So, if you save the path of an old test, then you never will be able to reproduce. The solution is to use a FileReaderDecorator like here: https://github.com/renatahodovan/fuzzinator-configs/blob/master/sut/jsc/jsc-grammarinator-cli.ini#L47

    Tuomas (Apple fuzzing guy) suggested I stop fuzzing jsc with asan and when I removed the asan stuff, mistakingly I removed the regex as well.

    I saw this change, but you removed too much.

    removing the --asan from configs/jsc-build.sh is okay
    Paulo Matos
    @pmatos
    Interesting that the test field contains the path instead of the test. Wonder what I did recently for that to happen... I never used the FileReaderDecorator btw.
    Renáta Hodován
    @renatahodovan
    removing [jsc.build.release] and [jsc.build.debug] doesn't harm either but it has no effect if you don't use them (I might would keep them for later reuse).
    Paulo Matos
    @pmatos
    oh - i know what happened, i removed all the decorators with the word Sanitizer but those were the ones setting the values used by the UniqueIdDecorator.
    Renáta Hodován
    @renatahodovan
    the change in configs/sut-jsc_local.ini should be adapted though:
    call.decorate(3)=fuzzinator.call.SanitizerAutomatonFilter should be replaced with call.decorate(3)=fuzzinator.call.RegexAutomatonFilter. The later is the superclass of the previous. RegexAutomatonFilter process the selected stream of the SUT and looks for error patterns. If it founds a matching pattern, than it saves the mathing group name and the matching content as key-value pairs into the issue dictionary. Later, the UniqueIdDecorator will reuse these (and other) fields to generate an identifier (this is the id field which is empty now in your database)
    The only difference from SanitizerAutomatonFilter is that SanitizerAutomatonFilter contains predefined patterns for processing sanitized error messages.
    fuzzinator.call.SanitizerAnalyzerDecorator won't be neccessary after this but beside executing some extra checks it doesn't change anything if the output is not sanitized
    Paulo Matos
    @pmatos
    Thanks for the input - working on it atm.
    I am always worried though that the error patterns in the regex might miss something. Is there a way to avoid that besides writing very thorough patterns?
    I should add that armed with this knowledge, I will be on my spare time implementing a fuzzing campaign for racket. I have been holding off to do that because I didn't want to implement a fuzzing framework but now with fuzzinator things got much easier. :)
    :)