No path while fuzzing ChakraCore

[zr950624]

Nautilus cannot find any path while fuzzing ChakraCore with grammars/javascript_new.py.
I set up nautilus with the instructions in README.md
Then I enlarged the size of bitmap to 1 << 20 and instrument ChakraCore with afl-clang-fast.
modified the config.ron at

bitmap_size:                            1048576, //1<<20

pathed file forksrv/src/lib.rs at

return (shm_id, trace_bits as *mut [u8; 1 << 20]);

Fuzzer status

It cannot find any path during fuzzing. See following output.

------------------------------------------------------
Run Time: 0 days, 0 hours, 0 minutes, 45 seconds
Execution Count:          2643
Executions per Sec:       71
Left in queue:            0
Trees in Chunkstore:      1
------------------------------------------------------
Last ASAN crash:          Not found yet.
Last SIG crash:           Not found yet.
Last Timeout:             No Timeout yet.
Total ASAN crashes:       0
Total SIG crashes:        0
------------------------------------------------------
New paths found by Gen:          1
New paths found by Min:          0
New paths found by Min Rec:      0
New paths found by Det:          0
New paths found by Splice:       0
New paths found by Havoc:        0
New paths found by Havoc Rec:    0
------------------------------------------------------

My System Infomation

git:(master) ✗ uname -a
Linux alucard 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

git:(master) ✗ rustc --version
rustc 1.45.0-nightly (75e1463c5 2020-05-13)

git:(master) ✗ rustup toolchain list
stable-x86_64-unknown-linux-gnu (default)
nightly-2020-05-14-x86_64-unknown-linux-gnu

[eqv]

Can you confirm that AFL++ finds paths on the same target binary?

[zr950624]

Can you confirm that AFL++ finds paths on the same target binary?

Yes, AFL++ works well with enlarging memory settings by using -m none.

               american fuzzy lop ++2.64d (ch) [explore] {0}
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│        run time : 0 days, 0 hrs, 0 min, 8 sec       │  cycles done : 0     │
│   last new path : 0 days, 0 hrs, 0 min, 0 sec       │  total paths : 31    │
│ last uniq crash : none seen yet                     │ uniq crashes : 0     │
│  last uniq hang : none seen yet                     │   uniq hangs : 0     │
├─ cycle progress ───────────────────┬─ map coverage ─┴──────────────────────┤
│  now processing : 0.0 (0.0%)       │    map density : 3.26% / 7.39%        │
│ paths timed out : 0 (0.00%)        │ count coverage : 1.69 bits/tuple      │
├─ stage progress ───────────────────┼─ findings in depth ───────────────────┤
│  now trying : calibration          │ favored paths : 20 (64.52%)           │
│ stage execs : 17/40 (42.50%)       │  new edges on : 30 (96.77%)           │
│ total execs : 1097                 │ total crashes : 0 (0 unique)          │
│  exec speed : 55.31/sec (slow!)    │  total tmouts : 0 (0 unique)          │
├─ fuzzing strategy yields ──────────┴───────────────┬─ path geometry ───────┤
│   bit flips : 0/0, 0/0, 0/0                        │    levels : 2         │
│  byte flips : 0/0, 0/0, 0/0                        │   pending : 31        │
│ arithmetics : 0/0, 0/0, 0/0                        │  pend fav : 20        │
│  known ints : 0/0, 0/0, 0/0                        │ own finds : 10        │
│  dictionary : 0/0, 0/0, 0/0                        │  imported : n/a       │
│   havoc/rad : 0/0, 0/0, 0/0                        │ stability : 99.63%    │
│   py/custom : 0/0, 0/0                             ├───────────────────────┘
│        trim : 28.69%/88, n/a                       │          [cpu000:  6%]
└────────────────────────────────────────────────────┘

[eqv]

I'll look into this later. Can you check if it works without the bitmap size changes?

[zr950624]

I'll look into this later. Can you check if it works without the bitmap size changes?

Still no path without bitmap size changes.

[eqv]

I tried to compile chakracore with afl-clang-fast, but ran into some problems regarding the fact that it is split into the "ch" binary, and libChakraCore.so. Could you post your build steps in a reproducible way?

[zr950624]

I tried to compile chakracore with afl-clang-fast, but ran into some problems regarding the fact that it is split into the "ch" binary, and libChakraCore.so. Could you post your build steps in a reproducible way?

I build ChakraCore with ./build.sh --cc=/path/to/afl-clang-fast --cxx=/path/to/afl-clang-fast++ --static -j=30.
Then fuzz "ch" with nautilus.

[eqv]

Cool, looking into it. Didn't see the --static flag.

[eqv]

Ok I can reproduce this. Looking into it.

[eqv]

Should be fixed by a132369, when porting the Forkserver we forgot to add the program path to the argument list, resulting in ch not receiving the input file path. Please verify and close this issue.

[zr950624]

Thanks for fixing! It works well now.

[zr950624]

Just a notification lol.
https://github.com/nautilus-fuzz/nautilus/blob/master/fuzzer/src/fuzzer.rs#L339

[eqv]

Yeah, that's the "stability score" of AFL expressed... well... less optimally^^ If you see lots of these (with ch you will), that means the bitmap target is pretty nondeterministic.