Comments (12)
The commit ff4e5a2 seems to be working for me.
But I encountered a new situation where the program will be stuck in the initialization process right before entering the AFL fuzzing interface. This happens occasionally while I'm using the same configuration.
I will try to find out what's wrong and let you know the result.
from grammar-mutator.
Any backtraces for the segmentation fault? You can obtain the backtrace in GDB.
I can take a look at this issue later this week.
from grammar-mutator.
The backtrace in GDB is shown below.
(gdb) run
Starting program: /usr/local/bin/afl-fuzz -m 1000 -i ./seeds/ -o out ./test_message_parse
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so1".
[+] Loaded environment variable AFL_CUSTOM_MUTATOR_ONLY with value 1
[+] Loaded environment variable AFL_SKIP_CPUFREQ with value 1
[+] Loaded environment variable AFL_CUSTOM_MUTATOR_LIBRARY with value /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
[+] Loaded environment variable AFL_NO_AFFINITY with value 1
afl-fuzz++4.01a based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a a length of min=1 max=1048576
[*] Checking core_pattern...
[+] You have 32 CPU cores and 8 runnable tasks (utilization: 25%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set).
[*] Loading custom mutator library from '/home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so'...
[*] optional symbol 'afl_custom_post_process' not found.
[*] optional symbol 'afl_custom_havoc_mutation' not found.
[*] optional symbol 'afl_custom_havoc_mutation_probability' not found.
[*] Symbol 'afl_custom_describe' not found.
[+] Custom mutator '/home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so' installed successfully.
[*] Scanning './seeds/'...
[+] Loaded a total of 100 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[+] Persistent mode binary detected.
[*] Spinning up the fork server...
[Detaching after fork from child process 3670243]
[+] All right - fork server is up.
[*] Target map size: 65536
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:99'...
[!] WARNING: instability detected during calibration
len = 7, map size = 172, exec speed = 113 us
[!] WARNING: Instrumentation output varies across runs.
[*] Attempting dry run with 'id:000001,time:0,execs:0,orig:98'...
len = 7, map size = 172, exec speed = 26 us
[!] WARNING: No new instrumentation output, test case may be useless.
[*] Attempting dry run with 'id:000002,time:0,execs:0,orig:97'...
len = 7, map size = 172, exec speed = 25 us
[!] WARNING: No new instrumentation output, test case may be useless.
[*] Attempting dry run with 'id:000099,time:0,execs:0,orig:0'...
len = 7, map size = 172, exec speed = 25 us
[!] WARNING: No new instrumentation output, test case may be useless.
[+] All test cases processed.
[!] WARNING: Some test cases look useless. Consider using a smaller set.
[!] WARNING: You have lots of input files; try starting small.
[+] Here are some useful stats:
Test case count : 1 favored, 1 variable, 98 ignored, 100 total
Bitmap range : 172 to 172 bits (average: 172.00 bits)
Exec timing : 26 to 113 us (average: 28 us)
[*] No -t option specified, so I'll use an exec timeout of 20 ms.
[+] All set and ready to roll!
Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:384
384 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb)
from grammar-mutator.
Hi, can you type bt in the last line you showed to obtain the complete backtrace?
from grammar-mutator.
The backtrace would ideally include the locations where this was called from. Try to type bt in gdb.
from grammar-mutator.
Thank you for your patience.
(gdb) bt
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:384
#1 0x00007fffeec9c4be in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#2 0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#3 0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#4 0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#5 0x00007fffeec9c524 in _node_deserialize () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#6 0x00007fffeec9a78a in gen_node_start () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#7 0x00007fffeec9d106 in subtree_trimming () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#8 0x00007fffeec9ad5c in afl_custom_trim () from /home/test/proj2/Grammar-Mutator/libgrammarmutator-test.so
#9 0x000055555556a644 in trim_case_custom (mutator=0x5555555de9a0, in_buf=0x55555560cf60 "hex: Z", q=<optimized out>,
afl=0x7ffff7559010) at src/afl-fuzz-mutators.c:393
#10 trim_case (afl=0x7ffff7559010, q=0x555555607ee0, in_buf=0x55555560cf60 "hex: Z") at src/afl-fuzz-run.c:795
#11 0x0000555555589637 in fuzz_one_original (afl=0x7ffff7559010) at src/afl-fuzz-one.c:509
#12 0x000055555555fcd0 in fuzz_one (afl=<optimized out>) at src/afl-fuzz-one.c:5583
#13 main (argc=<optimized out>, argv_orig=<optimized out>, envp=<optimized out>) at src/afl-fuzz.c:2455
Is this what you are looking for? @domenukk
from grammar-mutator.
Thank you! :) Sorry didn't see your response.
from grammar-mutator.
Hi @mrbaixg ,
This issue is caused by the limitation of the hex character workaround, which is discussed in #29.
However, the workaround only works for single-byte characters in the UTF-8 encoding (i.e., \u0000 ~ \u007f). \u0087 is out of scope and is converted into 2 bytes (i.e., \xc2\x87) in the UTF-8 encoding. A minimal example for the wrong grammar file is added in c34493d.
For now, you may only use hex characters within \u0000 ~ \u007f, until I can figure out a better solution for it.
from grammar-mutator.
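The single-byte limit described in the comment above is a property of UTF-8 itself: code points up to U+007F encode to one byte, anything above encodes to two or more. The script below is an added example, not code from the Grammar-Mutator project; it assumes the grammar is a JSON document whose string literals carry the \uXXXX escapes, and the sample grammar embedded in it is constructed for illustration. It decodes the JSON, walks every string, and reports each character that would not survive as a single byte, so a grammar can be checked before it is handed to the mutator.

```python
import json

# Largest code point that UTF-8 encodes as a single byte.
SINGLE_BYTE_MAX = 0x7F

# Constructed sample grammar (assumed JSON layout, not a real project file):
# "\u0041" stays one byte, "\u0087" becomes the two bytes C2 87.
SAMPLE_GRAMMAR = r'{"<start>": [["hex: ", "\u0041"]], "<bad>": [["\u0087"]]}'


def utf8_width(ch):
    """Number of bytes UTF-8 needs for one code point."""
    return len(ch.encode("utf-8"))


def find_multibyte_chars(grammar_text):
    """Parse a JSON grammar and return a list of
    (string, index, escape, utf8_bytes) for every character that is not
    a single byte in UTF-8, i.e. outside \\u0000 ~ \\u007f."""
    findings = []

    def walk(value):
        if isinstance(value, str):
            for i, ch in enumerate(value):
                if ord(ch) > SINGLE_BYTE_MAX:
                    findings.append((value, i, "\\u%04x" % ord(ch), ch.encode("utf-8")))
        elif isinstance(value, dict):
            for key, item in value.items():
                walk(key)
                walk(item)
        elif isinstance(value, list):
            for item in value:
                walk(item)

    walk(json.loads(grammar_text))
    return findings


def check_sample():
    """Run the check over the constructed sample grammar."""
    return find_multibyte_chars(SAMPLE_GRAMMAR)


if __name__ == "__main__":
    for text, idx, esc, raw in check_sample():
        print("string %r, index %d: %s encodes to %d bytes %r"
              % (text, idx, esc, len(raw), raw))
```

Running it on the sample reports one offending character, \u0087, encoded as b'\xc2\x87'; a grammar that produces no findings uses only escapes the workaround handles.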
Hi @mrbaixg ,
Please try the latest commit ff4e5a2. It should address your problem.
from grammar-mutator.
I will close this issue, which should be resolved by the latest commit ff4e5a2.
@mrbaixg Please let me know if the latest commit works. Feel free to reopen this issue, if it is not resolved.
from grammar-mutator.
Getting stuck at the initialization phase may be expected (see README.md) if the parsing functionality is triggered. To avoid parsing at the initialization phase, you may want to refer to README.md and #36 (comment).
Please let me know if getting stuck is caused by other reasons.
from grammar-mutator.