
Spidermonkey, Crash Case fails

Open parthdt opened this issue 1 year ago • 1 comment

For some reason FUZZILLI_CRASH cases aren't working for fuzzilli when I run it on SpiderMonkey.

I have built and run from the latest repo of gecko. Running the shell locally and trying the crash works.

/mach run
 0:03.67 /home/dresden/gecko-dev/obj-fuzzbuild/dist/bin/js
[COV] no shared memory bitmap available, skipping
[COV] edge counters initialized. Shared memory: (null) with 332092 edges
js> fuzzilli('FUZZILLI_CRASH','0')
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==20304==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000041414141 (pc 0x5c6f2bdfd038 bp 0x7ffde5e4eca0 sp 0x7ffde5e4ec00 T20304)
==20304==The signal is caused by a WRITE memory access.
    #0 0x5c6f2bdfd038 in Fuzzilli(JSContext*, unsigned int, JS::Value*) /home/dresden/gecko-dev/js/src/shell/js.cpp:3996:29
    #1 0x5c6f2beb52de in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:532:13
    #2 0x5c6f2beb45ac in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:628:12
    #3 0x5c6f2bece0e4 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:700:10
    #4 0x5c6f2bece0e4 in js::Interpret(JSContext*, js::RunState&) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:3338:16
    #5 0x5c6f2beb3409 in js::RunScript(JSContext*, js::RunState&) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:502:13
    #6 0x5c6f2beb8911 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:893:13
    #7 0x5c6f2beb911c in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/dresden/gecko-dev/js/src/vm/Interpreter.cpp:926:10
    #8 0x5c6f2c0b0ae9 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/dresden/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:601:10
    #9 0x5c6f2c0b07f3 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/dresden/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:618:10
    #10 0x5c6f2be0f177 in EvalUtf8AndPrint(JSContext*, char const*, unsigned long, int, bool) /home/dresden/gecko-dev/js/src/shell/js.cpp:1807:8
    #11 0x5c6f2be0f177 in ReadEvalPrintLoop(JSContext*, _IO_FILE*, bool) /home/dresden/gecko-dev/js/src/shell/js.cpp:1882:13
    #12 0x5c6f2be0f177 in Process(JSContext*, char const*, bool, FileKind) /home/dresden/gecko-dev/js/src/shell/js.cpp:1965:10
    #13 0x5c6f2bdc90be in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/dresden/gecko-dev/js/src/shell/js.cpp:11636:12
    #14 0x5c6f2bdc90be in Shell(JSContext*, js::cli::OptionParser*) /home/dresden/gecko-dev/js/src/shell/js.cpp:11994:12
    #15 0x5c6f2bdc03da in main /home/dresden/gecko-dev/js/src/shell/js.cpp:12409:12
    #16 0x7265fc629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7265fc629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #18 0x5c6f2bd873f8 in _start (/home/dresden/gecko-dev/obj-fuzzbuild/dist/bin/js+0x1c2c3f8) (BuildId: 95506af84b0037d5135e7eb22dda4ca9)

==20304==Register values:
rax = 0x00005c6f2bdfd038  rbx = 0xfffb000000000000  rcx = 0x00005c6f2a3a981c  rdx = 0x0000000000000008  
rdi = 0x00005c6f2e0492b8  rsi = 0x00007265fb3e40a8  rbp = 0x00007ffde5e4eca0  rsp = 0x00007ffde5e4ec00  
 r8 = 0x00007ffde5e4ece0   r9 = 0x00007265fc100ee8  r10 = 0x00007265fb300018  r11 = 0x00007265fc100ee8  
r12 = 0x00007ffde5e4ec30  r13 = 0x00007265fb336230  r14 = 0x00007265fb336200  r15 = 0x00007265fb3e40a8  
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/dresden/gecko-dev/js/src/shell/js.cpp:3996:29 in Fuzzilli(JSContext*, unsigned int, JS::Value*)
==20304==ABORTING

But Fuzzilli doesn't detect it:

[Fuzzer] Changing state from uninitialized to corpusGeneration
[Fuzzer] Initialized
[Fuzzer] Testcase "fuzzilli('FUZZILLI_CRASH', 0)" did not crash
[Fuzzer] Shutting down due to fatal error

++++++++++ Fuzzer Finished ++++++++++

Help would be appreciated!! 😃

parthdt avatar Dec 14 '24 13:12 parthdt

Did you build spidermonkey with fuzzbuild.sh?

If there is no shared memory available, this indicates that the engine fuzzilli is executing is not instrumented.

To fix do the following:

  1. cp pathto/fuzzilli/Targets/Spidermonkey/fuzzbuild.sh pathto/gecko-dev/
  2. cd pathto/gecko-dev/ && bash fuzzbuild.sh (you might need to install Rust and pick a specific variant of the engine, e.g. SpiderMonkey JavaScript engine)
  3. cd pathto/fuzzilli && swift run FuzzilliCli --profile=spidermonkey pathto/gecko-dev/obj-fuzzbuild/dist/bin/js

I hope that helps. Happy hacking!

TobiasWienand avatar Dec 17 '24 18:12 TobiasWienand