
SpiderMonkey start fatal error

Open kaiziv opened this issue 2 years ago • 3 comments

It seems incompatible with the newest version of the SpiderMonkey engine. I followed the profile guidance to build the js shell of SpiderMonkey. There is no problem running js alone, but the problem occurs when running it with the following command. I've tried different build methods, but none seem to work. My system is Ubuntu 20.04.5 LTS (GNU/Linux 5.15.0-56-generic x86_64). I have run fuzzilli for jsc and d8 with no problem, but it turns into a fatal error on SpiderMonkey js. Can you instruct me on some solutions?

(base) cdp@wulab-server:~/fuzzilli$ swift run -c release FuzzilliCli --profile=spidermonkey --storagePath=/home/cdp/gecko-dev/output --exportStatistics --statisticsExportInterval=60 --jobs=64 --overwrite /home/cdp/gecko-dev/obj-fuzzbuild/dist/bin/js
Building for production...
Build complete! (0.12s)
[Cli] Deleting all files in /home/cdp/gecko-dev/output due to --overwrite
[Coverage] Initialized, 304155 edges
[JavaScriptEnvironment] Initialized static JS environment model
[JavaScriptEnvironment] Have 55 available builtins: ["isFinite", "Boolean", "Int16Array", "WeakSet", "Float64Array", "Symbol", "RegExp", "SyntaxError", "gc", "WeakMap", "Uint16Array", "RangeError", "Number", "Uint8ClampedArray", "Math", "TypeError", "ArrayBuffer", "Function", "SharedArrayBuffer", "Int8Array", "undefined", "ReferenceError", "AggregateError", "parseFloat", "enqueueJob", "Object", "BigInt", "BigUint64Array", "bailout", "String", "eval", "URIError", "FinalizationRegistry", "Promise", "Map", "Set", "Date", "Error", "Proxy", "drainJobQueue", "NaN", "Uint32Array", "JSON", "Uint8Array", "Float32Array", "isNaN", "BigInt64Array", "WeakRef", "Array", "EvalError", "Infinity", "Int32Array", "Reflect", "parseInt", "DataView"]
[JavaScriptEnvironment] Have 222 available method names: ["codePointAt", "atan", "splice", "n", "asIntN", "log", "deleteProperty", "trim", "min", "getFloat64", "indexOf", "getSeconds", "shift", "filter", "acosh", "clz32", "assign", "create", "trimLeft", "compile", "getPrototypeOf", "replaceAll", "sqrt", "some", "setFloat32", "deref", "toJSON", "repeat", "getDay", "UTC", "split", "tanh", "getUint16", "setFullYear", "charCodeAt", "getFullYear", "clear", "abs", "from", "getUTCDate", "getOwnPropertySymbols", "getUTCDay", "add", "join", "setMinutes", "pow", "setUTCDate", "test", "toDateString", "getUint8", "isInteger", "getInt32", "toUpperCase", "toLocaleString", "getUTCSeconds", "exec", "at", "apply", "setDate", "call", "setTime", "seal", "all", "expm1", "trimRight", "ownKeys", "isSafeInteger", "getMonth", "endsWith", "setFloat64", "every", "getFloat32", "exp", "atanh", "reverse", "substring", "for", "asUintN", "cos", "setBigInt64", "setUint32", "unregister", "setYear", "bind", "asin", "getTime", "padEnd", "includes", "round", "ceil", "preventExtensions", "flat", "catch", "transfer", "findIndex", "slice", "setMilliseconds", "isView", "search", "values", "fround", "reject", "of", "setInt32", "getOwnPropertyNames", "setInt8", "getUTCMinutes", "atan2", "any", "padStart", "getMinutes", "replace", "sign", "toGMTString", "getUTCFullYear", "getBigInt64", "construct", "then", "acos", "getOwnPropertyDescriptors", "defineProperties", "startsWith", "concat", "match", "getUint32", "log10", "isArray", "allSettled", "setUTCMonth", "isFrozen", "getInt16", "isSealed", "now", "fill", "keyFor", "register", "parse", "log2", "resolve", "toUTCString", "matchAll", "toLowerCase", "normalize", "setMonth", "getOwnPropertyDescriptor", "getTimezoneOffset", "unshift", "entries", "trimEnd", "fromCharCode", "localeCompare", "sort", "lastIndexOf", "push", "toISOString", "getYear", "isExtensible", "setUint8", "stringify", "pop", "setUTCFullYear", "getInt8", "freeze", "asinh", "tan", "raw", "toString", "finally", "reduceRight", "setUTCSeconds", "setUTCMinutes", "reduce", "subarray", "cbrt", "sinh", "log1p", "get", "isNaN", "race", "cosh", "sin", "setPrototypeOf", "setSeconds", "max", "setUint16", "getUTCHours", "m", "getUTCMilliseconds", "trimStart", "getUTCMonth", "toTimeString", "setHours", "set", "grow", "setUTCHours", "copyWithin", "flatMap", "is", "getDate", "isFinite", "fromEntries", "setUTCMilliseconds", "random", "hypot", "forEach", "resize", "fromCodePoint", "delete", "charAt", "keys", "setInt16", "has", "trunc", "o", "getHours", "find", "p", "getMilliseconds", "imul", "floor", "map", "defineProperty"]
[JavaScriptEnvironment] Have 56 property names that are available for read access: ["caller", "unicode", "stack", "arguments", "E", "toStringTag", "unscopables", "NEGATIVE_INFINITY", "message", "NaN", "sticky", "description", "c", "isConcatSpreadable", "EPSILON", "matchAll", "species", "multiline", "source", "name", "proto", "split", "byteOffset", "maxByteLength", "asyncIterator", "growable", "a", "hasInstance", "search", "b", "MIN_SAFE_INTEGER", "POSITIVE_INFINITY", "global", "buffer", "byteLength", "dotAll", "ignoreCase", "cause", "match", "prototype", "resizable", "length", "iterator", "replace", "flags", "MAX_VALUE", "valueOf", "e", "PI", "size", "constructor", "toPrimitive", "MIN_VALUE", "MAX_SAFE_INTEGER", "toString", "d"]
[JavaScriptEnvironment] Have 10 property names that are available for write access: ["valueOf", "constructor", "length", "e", "a", "toString", "proto", "b", "c", "d"]
[JavaScriptEnvironment] Have 5 custom property names: ["c", "b", "d", "e", "a"]
[JavaScriptEnvironment] Have 4 custom method names: ["o", "n", "p", "m"]
[Fuzzer] Initialized
[Fuzzer] Cannot execute programs (exit code must be zero when no exception was thrown). Are the command line flags valid?
[Fuzzer] Shutting down due to fatal error

++++++++++ Fuzzer Finished ++++++++++

Fuzzer Statistics

Fuzzer phase: Fuzzing (with MutationEngine)
Uptime: 0d 0h 0m 0s
Total Samples: 0
Interesting Samples Found: 0
Last Interesting Sample: 0d 0h 0m 0s
Valid Samples Found: 0
Corpus Size: 0
Correctness Rate: -nan% (-nan%)
Timeout Rate: -nan% (-nan%)
Crashes Found: 0
Timeouts Hit: 0
Coverage: 0.00%
Avg. program size: -nan
Avg. corpus program size: -nan
Connected workers: 0
Execs / Second: 0.00
Fuzzer Overhead: 100.00%
Total Execs: 1

kaiziv avatar Mar 10 '23 06:03 kaiziv

(base) cdp@wulab-server:~/gecko-dev$ js --version
v10.19.0

kaiziv avatar Mar 10 '23 07:03 kaiziv

Are you using the latest Fuzzilli version and JS engine patches? From the output you pasted it looks like your Fuzzilli version is at least a couple of months old? You can also try the REPRLRun binary to debug issues with the target engine: swift run REPRLRun path/to/js_engine --any-flags-for-js-engine. That may tell you more about the exit code reported by the target.

saelo avatar Mar 15 '23 12:03 saelo

You probably forgot to apply the patches.

wtdcode avatar Mar 22 '23 00:03 wtdcode
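The two replies above point at the same diagnosis: Fuzzilli aborts at startup when the target cannot run a trivial program with exit code 0, and the common cause is a js shell built without the REPRL patch. The following preflight script is an added example written for this thread, not code from Fuzzilli or its maintainers; it assumes that a SpiderMonkey shell carrying the REPRL patch lists a --reprl option in its --help output and that an unpatched one does not.

```shell
# has_reprl_option BIN -> prints yes/no
# Assumption: a REPRL-patched js shell advertises "--reprl" in its --help text.
has_reprl_option() {
    if "$1" --help 2>&1 | grep -q -- '--reprl'; then
        echo yes
    else
        echo no
    fi
}

# engine_exit_code BIN [FLAGS...] -> prints the exit code of BIN running a
# constructed one-line program with FLAGS (pass the profile's non-REPRL flags;
# REPRL mode itself needs the pipes that REPRLRun or Fuzzilli set up).
engine_exit_code() {
    bin=$1; shift
    prog=$(mktemp) || return 1
    printf 'let x = 1 + 1;\n' > "$prog"     # constructed sample program
    if "$bin" "$@" "$prog" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$prog"
    echo "$rc"
}

# preflight BIN [FLAGS...] -> one-line verdict mirroring Fuzzilli's startup
# check ("exit code must be zero when no exception was thrown").
preflight() {
    bin=$1
    if [ "$(has_reprl_option "$bin")" = no ]; then
        echo "fatal: $bin does not accept --reprl; the REPRL patch is probably missing"
        return 1
    fi
    rc=$(engine_exit_code "$@")
    if [ "$rc" -eq 0 ]; then
        echo "ok: $bin exited 0 on a trivial program"
    else
        echo "fatal: $bin exited $rc on a trivial program; check the command line flags"
        return 1
    fi
}
```

Run it as `preflight /path/to/dist/bin/js` with the flags from the spidermonkey profile (minus --reprl) before starting FuzzilliCli; a "fatal" verdict here reproduces the startup failure in the issue without the fuzzer in the loop.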