
Grammar mutator issue : _pick_non_term_node

Open Microsvuln opened this issue 4 years ago • 8 comments

Hello.

When running Grammar Mutator on a target, there is a problem right before running AFL++ on the target.

Here is the log:

mic@mic-System-Product-Name:~/Documents/AFLplusplus$ ./afl-fuzz -m 128 -d -i testcases/others/js/ -o myouts4 -- /home/mic/Documents/jerryscript/build/bin/jerry @@
[+] Loaded environment variable AFL_CUSTOM_MUTATOR_ONLY with value 1
[+] Loaded environment variable AFL_CUSTOM_MUTATOR_LIBRARY with value /home/mic/Documents/AFLplusplus/custom_mutators/grammar_mutator/grammar_mutator/libgrammarmutator-javascript.so
afl-fuzz++4.00c based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[+] You have 24 CPU cores and 2 runnable tasks (utilization: 8%).
[+] Try parallel jobs - see docs/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Loading custom mutator library from '/home/mic/Documents/AFLplusplus/custom_mutators/grammar_mutator/grammar_mutator/libgrammarmutator-javascript.so'...
[*] optional symbol 'afl_custom_post_process' not found.
[*] optional symbol 'afl_custom_havoc_mutation' not found.
[*] optional symbol 'afl_custom_havoc_mutation_probability' not found.
[*] Symbol 'afl_custom_describe' not found.
[+] Custom mutator '/home/mic/Documents/AFLplusplus/custom_mutators/grammar_mutator/grammar_mutator/libgrammarmutator-javascript.so' installed successfully.
[*] Scanning 'testcases/others/js/'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] Target map size: 65536
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:small_script.js'...
    len = 20, map size = 1386, exec speed = 174 us
[+] All test cases processed.
[+] Here are some useful stats:

    Test case count : 1 favored, 0 variable, 0 ignored, 1 total
       Bitmap range : 1386 to 1386 bits (average: 1386.00 bits)
        Exec timing : 174 to 174 us (average: 174 us)

[*] No -t option specified, so I'll use an exec timeout of 20 ms.
[+] All set and ready to roll!
_pick_non_term_node returns NULL: No such file or directory

_pick_non_term_node returns NULL: No such file or directory

Flags:

export RANDOM_MUTATION_STEPS=10000
export RANDOM_RECURSIVE_MUTATION_STEPS=10000
export SPLICING_MUTATION_STEPS=10000
export AFL_CUSTOM_MUTATOR_LIBRARY=./libgrammarmutator-javascript.so
export AFL_CUSTOM_MUTATOR_ONLY=1

Ubuntu 20.04 AFL++ 4.00

Any ideas?

Microsvuln avatar Jan 31 '22 10:01 Microsvuln

How do you generate the corpus (i.e., files in testcases/others/js/)? It seems the mutation operation is applied to an empty grammar tree.

The error might be thrown from here: https://github.com/AFLplusplus/Grammar-Mutator/blob/cbe5e32752773945e0142fac9f1b7a0ccb5dcdff/src/tree_mutation.c#L202-L209

h1994st avatar Jan 31 '22 18:01 h1994st
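To make the failure mode in the comment above concrete, here is an added example (not Grammar-Mutator's own code; the tree layout, the rule ids and the `pick_non_term_node` / `build_*` names are hypothetical) of a non-terminal picker over a tiny grammar tree. When the tree is empty, as happens when a seed has no matching tree, or holds only terminals, the picker has nothing to choose and returns NULL, which is exactly the condition the caller must treat as "skip this mutation" rather than continue into a dereference.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical minimal grammar tree, constructed for this example; it is NOT
   Grammar-Mutator's real node/tree layout. id 0 marks a terminal leaf, any
   positive id is a non-terminal (a grammar rule). */
typedef struct node {
    int id;
    struct node **subnodes;
    size_t subnode_count;
} node_t;

typedef struct {
    node_t *root;   /* NULL for an empty tree (e.g. a seed with no tree file) */
} tree_t;

static node_t *node_create(int id, size_t subnode_count) {
    node_t *n = calloc(1, sizeof(*n));
    if (!n) abort();
    n->id = id;
    n->subnode_count = subnode_count;
    if (subnode_count) {
        n->subnodes = calloc(subnode_count, sizeof(*n->subnodes));
        if (!n->subnodes) abort();
    }
    return n;
}

static void node_free(node_t *n) {
    if (!n) return;
    for (size_t i = 0; i < n->subnode_count; ++i) node_free(n->subnodes[i]);
    free(n->subnodes);
    free(n);
}

/* Count non-terminal nodes (pre-order walk). */
size_t count_non_terms(const node_t *n) {
    if (!n) return 0;
    size_t total = (n->id != 0) ? 1 : 0;
    for (size_t i = 0; i < n->subnode_count; ++i)
        total += count_non_terms(n->subnodes[i]);
    return total;
}

/* Return the k-th non-terminal in pre-order, or NULL if there is none. */
static node_t *nth_non_term(node_t *n, size_t *k) {
    if (!n) return NULL;
    if (n->id != 0) {
        if (*k == 0) return n;
        (*k)--;
    }
    for (size_t i = 0; i < n->subnode_count; ++i) {
        node_t *found = nth_non_term(n->subnodes[i], k);
        if (found) return found;
    }
    return NULL;
}

/* Choose a non-terminal node to mutate. Returns NULL when the tree is empty
   or contains only terminals; the caller must treat that as "no mutation
   possible", not as a node. `seed` stands in for the mutator's RNG draw. */
node_t *pick_non_term_node(tree_t *tree, unsigned seed) {
    if (!tree || !tree->root) return NULL;
    size_t n = count_non_terms(tree->root);
    if (n == 0) return NULL;
    size_t k = seed % n;
    return nth_non_term(tree->root, &k);
}

/* Constructed sample: program(1) -> [ statement(2) -> [ "x"(0) ], ";"(0) ] */
tree_t *build_sample_tree(void) {
    tree_t *t = calloc(1, sizeof(*t));
    if (!t) abort();
    node_t *program = node_create(1, 2);
    node_t *statement = node_create(2, 1);
    statement->subnodes[0] = node_create(0, 0);
    program->subnodes[0] = statement;
    program->subnodes[1] = node_create(0, 0);
    t->root = program;
    return t;
}

tree_t *build_empty_tree(void) {
    tree_t *t = calloc(1, sizeof(*t));
    if (!t) abort();
    return t;   /* root stays NULL: nothing to pick from */
}

void tree_free(tree_t *t) {
    if (!t) return;
    node_free(t->root);
    free(t);
}

/* Build, pick, free; return the picked rule id, or -1 when the pick is NULL. */
int sample_pick_id(unsigned seed) {
    tree_t *t = build_sample_tree();
    node_t *n = pick_non_term_node(t, seed);
    int id = n ? n->id : -1;
    tree_free(t);
    return id;
}

int empty_pick_id(unsigned seed) {
    tree_t *t = build_empty_tree();
    node_t *n = pick_non_term_node(t, seed);
    int id = n ? n->id : -1;
    tree_free(t);
    return id;
}

int main(void) {
    if (empty_pick_id(7) < 0)
        puts("empty tree: no non-terminal to mutate, mutation skipped");
    printf("sample tree, seed 1: picked rule id %d\n", sample_pick_id(1));
    return 0;
}
```

The practical check this suggests for the thread's situation: every seed the fuzzer loads needs a non-empty tree behind it, which is why seeds produced by the grammar generator (rather than hand-written files with no tree) avoid the NULL pick.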

I am also trying to fuzz javascript using Grammar Mutator and a customised grammar file. The process starts off great but within a day or two I perpetually run into the fuzzer crashing as described here.

In my case I am not adding any additional test cases other than the trees generated by Grammar Mutator and am at a loss as to what is going wrong. From what I can see, only the master process is crashing for me.

agoodm88 avatar Aug 19 '23 11:08 agoodm88

Try running with a new, empty output directory and an input directory generated from the grammar_generator-YOURGRAMMAR binary. I had the same problem and this worked for me.

shafouz avatar Oct 09 '23 22:10 shafouz