False Positive (or unreproducible) Cases
Hi,
Recently I ran the latest fuzzilli on a machine and got some crashes. However, it seems that they are all false positives (or unreproducible cases). An example:
// 240-element Int16Array; its valueOf is replaced further down (v2.valueOf = f3),
// so any numeric conversion of the array object itself runs user JS.
const v2 = new Int16Array(240);
// Installed as v2.valueOf below, so in this reproducer it is reached with no
// arguments: a4 is undefined, the call on it throws a TypeError that the empty
// catch swallows, and v6 stays undefined.
function f3(a4, a5) {
let v6;
try { v6 = a4(); } catch (e) {}
// Empty loop left verbatim: fuzzer-generated control flow, kept because the
// crash depends on the exact shape of the program, not on what it computes.
for (let v7 = 0; v7 < 32; v7++) {
}
// v6 is undefined here, so `&&` short-circuits and v10 is undefined too.
const v10 = v6 && -661050.8051017763;
Math.atanh(v10);
Math.min();
v10 * v6;
// Returned as the valueOf result; a5 is undefined on the forEach path below.
return a5;
}
// Overriding valueOf means ToPrimitive(v2) (e.g. `v2 * x`) calls f3 with no
// arguments, re-entering JS in the middle of a number conversion.
v2.valueOf = f3;
// forEach callback: (element, index, array). `a17 * a17` converts the typed
// array object itself to a number, which goes through the overridden valueOf (f3).
// The return value is ignored by forEach; returning the function is fuzzer noise.
function f14(a15, a16, a17) {
a17 * a17;
return f14;
}
// Computed-key call, equivalent to v2.forEach(f14): each of the 240 iterations
// re-enters f3 via f14's `a17 * a17`.
// NOTE(review): the failure recorded below is a "Debug check failed" (DCHECK) in
// the profiler listener. DCHECKs fire only in a d8 built with them enabled
// (presumably this `fuzzbuild`), and reproduction likely also depends on the
// exact TARGET ARGS listed below; a release d8, or one run without those flags,
// is expected to look normal.
v2["forEach"](f14);
// CRASH INFO
// ==========
// TERMSIG: 6
// STDERR:
// #
// # Fatal error in ../../src/profiler/profiler-listener.cc, line 414
// # Debug check failed: last_position.IsKnown().
// #
// #
// #
// #FailureMessage Object: 0x7ffc61a0c4d0
// ==== C stack trace ===============================
//
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8bf4b2) [0x5616efdc04b2]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8bdf97) [0x5616efdbef97]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8b0c3b) [0x5616efdb1c3b]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8b0515) [0x5616efdb1515]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x193cb25) [0x5616f0e3db25]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x193c59b) [0x5616f0e3d59b]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0xcc22ea) [0x5616f01c32ea]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0xcbe532) [0x5616f01bf532]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x3b6c0eb) [0x5616f306d0eb]
// Received signal 6
// STDOUT:
//
// FUZZER ARGS: .build/x86_64-unknown-linux-gnu/release/FuzzilliCli --profile=v8 --jobs=64 --storagePath=/home/foo/browser_related/fuzzilli/crash --resume --exportStatistics /home/foo/browser_related/12.4.245/out/fuzzbuild/d8
// TARGET ARGS: /home/foo/browser_related/12.4.245/out/fuzzbuild/d8 --expose-gc --omit-quit --allow-natives-syntax --fuzzing --jit-fuzzing --future --harmony --js-staging
// CONTRIBUTORS:
// EXECUTION TIME: 169ms
Another example:
// Maps a two-element array with a2 as the callback (v3 doubles as thisArg).
// Every call site on this page passes a non-callable a2 (undefined or v6), so
// map throws a TypeError that the empty catch drops and v4 stays undefined.
// Loose inequality is intentional fuzzer output: `undefined != a1`.
function f0(a1, a2) {
const v3 = [a1,a1];
let v4;
try { v4 = v3.map(a2, v3); } catch (e) {}
return v4 != a1;
}
// `new f0()` discards f0's boolean return and yields a plain instance.
const v6 = new f0();
// v6.constructor resolves to f0 through the prototype: calls f0(f0, v6) with this = v6.
v6.constructor(f0, v6);
// V8 natives syntax; only parses with --allow-natives-syntax (present in the
// TARGET ARGS below). Marks f0 for optimization on its next call. The DCHECK
// recorded below is in Maglev IR, so the JIT-related flags the fuzzer passed
// (--jit-fuzzing, --future, ...) presumably matter for reproduction as well.
%OptimizeFunctionOnNextCall(f0);
// Third call, with no arguments, which triggers the optimizing compile.
f0();
// CRASH INFO
// ==========
// TERMSIG: 6
// STDERR:
// #
// # Fatal error in ../../src/maglev/maglev-ir.h, line 1854
// # Debug check failed: id_ != kInvalidNodeId (0 vs. 0).
// #
// #
// #
// #FailureMessage Object: 0x7fbe4dff9840
// ==== C stack trace ===============================
//
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8bf4b2) [0x55aa773bf4b2]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8bdf97) [0x55aa773bdf97]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8b0c3b) [0x55aa773b0c3b]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8b0515) [0x55aa773b0515]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1d1113e) [0x55aa7881113e]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1d10c50) [0x55aa78810c50]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1d3ac93) [0x55aa7883ac93]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1d16bf5) [0x55aa78816bf5]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1c62f8f) [0x55aa78762f8f]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1c5e8c5) [0x55aa7875e8c5]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1c56e99) [0x55aa78756e99]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0xb11e0f) [0x55aa77611e0f]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x1c5982b) [0x55aa7875982b]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8c1caf) [0x55aa773c1caf]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8cbd25) [0x55aa773cbd25]
// /home/foo/browser_related/12.4.245/out/fuzzbuild/d8(+0x8bba99) [0x55aa773bba99]
// /lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7fbe83c7fac3]
// /lib/x86_64-linux-gnu/libc.so.6(+0x126850) [0x7fbe83d11850]
// Received signal 6
// STDOUT:
//
// FUZZER ARGS: .build/x86_64-unknown-linux-gnu/release/FuzzilliCli --profile=v8 --jobs=64 --storagePath=/home/foo/browser_related/fuzzilli/crash --resume --exportStatistics /home/foo/browser_related/12.4.245/out/fuzzbuild/d8
// TARGET ARGS: /home/foo/browser_related/12.4.245/out/fuzzbuild/d8 --expose-gc --omit-quit --allow-natives-syntax --fuzzing --jit-fuzzing --future --harmony --js-staging
// CONTRIBUTORS:
// EXECUTION TIME: 96ms
When I fed them into v8 directly, everything looked normal and nothing happened. What confuses me is that the crash cases even record the runtime context, yet they still do not reproduce. I found that a large part of them are about `Debug check failed: last_position.IsKnown()`.
All such cases can be found in fp.zip.