Angora
exception when running angora with -i - (restart)
I get exceptions when I try to (re)run angora after a previous termination (with ^C).
First run is like this
# /angora/bin/fuzzer -i i -o o -j 24 -t translit/OBJ/x86_64-linux-clang_taint/translit -- translit/OBJ/x86_64-linux-clangfast_/translit ABCDAB VWXYZ
Then I terminate with ^C, and (re)run with
# RUST_BACKTRACE=1 /angora/bin/fuzzer -i - -o o -j 24 -t translit/OBJ/x86_64-linux-clang_taint/translit -- translit/OBJ/x86_64-linux-clangfast_/translit ABCDAB VWXYZ
ERROR angora::fuzz_main > Failed to find any branches during dry run.
Please ensure that the binary has been instrumented and/or input directory is populated.
thread 'main' panicked at 'explicit panic', fuzzer/src/fuzz_main.rs:70:9
stack backtrace:
0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
at src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:39
1: std::sys_common::backtrace::_print
at src/libstd/sys_common/backtrace.rs:70
2: std::panicking::default_hook::{{closure}}
at src/libstd/sys_common/backtrace.rs:58
at src/libstd/panicking.rs:200
3: std::panicking::default_hook
at src/libstd/panicking.rs:215
4: std::panicking::rust_panic_with_hook
at src/libstd/panicking.rs:478
5: std::panicking::begin_panic
6: angora::fuzz_main::fuzz_main
7: fuzzer::main
8: std::rt::lang_start::{{closure}}
9: std::panicking::try::do_call
at src/libstd/rt.rs:49
at src/libstd/panicking.rs:297
10: __rust_maybe_catch_panic
at src/libpanic_unwind/lib.rs:92
11: std::rt::lang_start_internal
at src/libstd/panicking.rs:276
at src/libstd/panic.rs:388
at src/libstd/rt.rs:48
12: main
13: __libc_start_main
14: _start
#
This is independent of the target program used. Maybe I am doing something wrong.
Hi @hexcoder- . I can't reproduce this issue with the binutils and file programs. Can you provide the program you tested?
The log shows that the fuzzer cannot find any new branch. Can you make sure:
- the tested program is instrumented.
- Can you run with RUST_LOC=info (angora/angora_fuzzer will use it) and check the log line " INFO angora::depot::sync > sync xx file from seeds." to make sure xx is not 0? If it is 0, then please check output/queue.
I tested the re-run on file.
I updated the docker image and tried again. First with -input i, then after 5 seconds I terminated it. Angora showed 15 paths found, but output/queue was empty then! I don't understand why.
I repeated the runs and let it run a bit longer with -i i. Then I saw that angora created alternative output directories o.1, o.2, ... and also in this format o.2019-01-10T07:18:00.792939624+00:00, which contained queue entries, but these were not found when -o o was given when restarting (leading to the error message).
The program translit is from schilytools (https://sourceforge.net/projects/schilytools/files/schily-2018-12-21.tar.bz2/download) and is like tr. I compiled once with SUBARCH=fast_ and once with SUBARCH=_taint in order to get the executables separated in different subdirectories.
o.1 is created because the o directory already exists. I removed that code, and it now panics directly with a warning. https://github.com/AngoraFuzzer/Angora/commit/6f125afeea697fd55a817003211172f3ab7ed331
The restart logic is to rename the output directory o to o.2019-01-10T07:18:00.792939624+00:00 (extended with a timestamp), then use its queue directory as the seed directory.
https://github.com/AngoraFuzzer/Angora/blob/6f125afeea697fd55a817003211172f3ab7ed331/fuzzer/src/depot/depot_dir.rs#L27-L34
I still can't find the reason yet. I hope this helps you.
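The restart logic described in the previous comment (rename o to o.<timestamp>, then use the archived queue as the seed directory), written out as a stand-alone Rust model. This is an added example for this thread, not Angora's own depot_dir.rs: the function names, the Unix-nanosecond timestamp suffix and the refusal to rename when the archived queue would be empty are assumptions made here. The empty-queue check is the point of the example, since a restart from an empty queue is exactly what produces "Failed to find any branches during dry run" instead of a clear message.

```rust
// Added example modelling Angora's restart logic as described in the thread.
// Not Angora's code; names and the timestamp format are assumptions.
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

/// Count regular files in `dir`; a missing directory counts as 0 seeds.
pub fn count_seeds(dir: &Path) -> io::Result<usize> {
    if !dir.is_dir() {
        return Ok(0);
    }
    let mut n = 0;
    for entry in fs::read_dir(dir)? {
        if entry?.file_type()?.is_file() {
            n += 1;
        }
    }
    Ok(n)
}

/// Archive `out_dir` as `out_dir.<timestamp>` and return the archived `queue`
/// directory, which a restart would then use as its seed directory.
///
/// Before renaming anything, the function checks that `out_dir/queue`
/// actually contains seeds. If it is empty the old directory is left in
/// place and an error is returned, so the caller fails with a clear message
/// rather than reaching the dry run with no inputs.
pub fn archive_and_seed_dir(out_dir: &Path) -> io::Result<PathBuf> {
    if !out_dir.is_dir() {
        return Err(io::Error::new(
            io::ErrorKind::NotFound,
            format!("{} is not a directory", out_dir.display()),
        ));
    }
    let seeds = count_seeds(&out_dir.join("queue"))?;
    if seeds == 0 {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            format!("{}/queue has no seeds; nothing to restart from", out_dir.display()),
        ));
    }
    // Timestamp suffix (assumption: Unix nanoseconds; Angora uses an RFC 3339 string).
    let ts = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map_err(|e| io::Error::new(io::ErrorKind::Other, e))?
        .as_nanos();
    let mut archived = out_dir.as_os_str().to_owned();
    archived.push(format!(".{}", ts));
    let archived = PathBuf::from(archived);
    fs::rename(out_dir, &archived)?;
    Ok(archived.join("queue"))
}

fn main() {
    // Usage: <program> <output-dir>
    let out = std::env::args().nth(1).unwrap_or_else(|| "o".to_string());
    match archive_and_seed_dir(Path::new(&out)) {
        Ok(seed_dir) => println!("restart with seeds from {}", seed_dir.display()),
        Err(e) => eprintln!("refusing to restart: {}", e),
    }
}
```

Run it against the output directory of a previous run: on success it prints the archived queue directory to pass as the seed directory; if that queue is empty it leaves the directory untouched and reports why, which is the situation hexcoder- hit above.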