Grammar mutator issue : _pick_non_term_node

[Microsvuln]

Hello .

When running Grammar mutator on a target, there is a problem right before running AFL++ on the target .

Here is the log :

mic@mic-System-Product-Name:~/Documents/AFLplusplus$ ./afl-fuzz -m 128 -d -i testcases/others/js/ -o myouts4 -- /home/mic/Documents/jerryscript/build/bin/jerry @@
[+] Loaded environment variable AFL_CUSTOM_MUTATOR_ONLY with value 1
[+] Loaded environment variable AFL_CUSTOM_MUTATOR_LIBRARY with value /home/mic/Documents/AFLplusplus/custom_mutators/grammar_mutator/grammar_mutator/libgrammarmutator-javascript.so
afl-fuzz++4.00c based on afl by Michal Zalewski and a large online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: This is v3.x which changes defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exponential power schedule (FAST)
[+] Enabled testcache with 50 MB
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[+] You have 24 CPU cores and 2 runnable tasks (utilization: 8%).
[+] Try parallel jobs - see docs/parallel_fuzzing.md.
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #0.
[*] Loading custom mutator library from '/home/mic/Documents/AFLplusplus/custom_mutators/grammar_mutator/grammar_mutator/libgrammarmutator-javascript.so'...
[*] optional symbol 'afl_custom_post_process' not found.
[*] optional symbol 'afl_custom_havoc_mutation' not found.
[*] optional symbol 'afl_custom_havoc_mutation_probability' not found.
[*] Symbol 'afl_custom_describe' not found.
[+] Custom mutator '/home/mic/Documents/AFLplusplus/custom_mutators/grammar_mutator/grammar_mutator/libgrammarmutator-javascript.so' installed successfully.
[*] Scanning 'testcases/others/js/'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Spinning up the fork server...
[+] All right - fork server is up.
[*] Target map size: 65536
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:small_script.js'...
    len = 20, map size = 1386, exec speed = 174 us
[+] All test cases processed.
[+] Here are some useful stats:

    Test case count : 1 favored, 0 variable, 0 ignored, 1 total
       Bitmap range : 1386 to 1386 bits (average: 1386.00 bits)
        Exec timing : 174 to 174 us (average: 174 us)

[*] No -t option specified, so I'll use an exec timeout of 20 ms.
[+] All set and ready to roll!
_pick_non_term_node returns NULL: No such file or directory

_pick_non_term_node returns NULL: No such file or directory

Flags :

export RANDOM_MUTATION_STEPS=10000
export RANDOM_RECURSIVE_MUTATION_STEPS=10000
export SPLICING_MUTATION_STEPS=10000
export AFL_CUSTOM_MUTATOR_LIBRARY=./libgrammarmutator-javascript.so
export AFL_CUSTOM_MUTATOR_ONLY=1

Ubuntu 20.04
AFL++ 4.00

Any ideas ?

[h1994st]

How do you generate the corpus (i.e., files in testcases/others/js/)? It seems the mutation operation is applied to an empty grammar tree.

The error might be thrown from here:

Grammar-Mutator/src/tree_mutation.c

Lines 202 to 209 in cbe5e32

	node_t *node = node_pick_non_term_subnode(mutated_tree->root);
	if (unlikely(node == NULL)) {
	// By design, _pick_non_term_node should not return NULL
	perror("_pick_non_term_node returns NULL");
	exit(EXIT_FAILURE);
	}

[agoodm88]

I am also trying to fuzz javascript using Grammar Mutator and a customised grammar file. The process starts off great but within a day or two I perpetually run into the fuzzer crashing as described here.

In my case I am not adding any additional test cases other than the trees generated by Grammar Mutator and am at a loss as to what is going wrong. From what I can see; only the mater process is crashing for me.

[shafouz]

try and run with a new empty output directory and an input directory generated from the
grammar_generator-YOURGRAMMAR
binary.
I had the same problem and this worked for me

[bendrissou]

I ran into the same bug. The fuzzing started great, but then after 22 minutes it crashed:

_pick_non_term_node returns NULL: Interrupted system call

The seed inputs were generated using the provided generator: libgrammarmutator-lua.so

The following is the current input as saved by AFL in .cur_input file:

function :uq (...) function . () ;
;

end
goto labela

end

Thanks.

[bendrissou]

Another crash:

_pick_non_term_node returns NULL: Numerical result out of range

Current input:

::labelb::
for r={}, (nil), (((((((((((((((((((((((((((((0xc.A)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)&...)) ""
do

end

[ljedrz]

This can happen if you neglect to include the start node; happened to me by accident once, went away right away once I put it back.

[Kristopher38]

I'm also hitting this issue:

[+] Enabled environment variable AFL_CUSTOM_MUTATOR_LIBRARY with value ./libgrammarmutator-lua.so
[+] Enabled environment variable AFL_CUSTOM_MUTATOR_ONLY with value 1
[+] Enabled environment variable AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES with value 1
[+] Enabled environment variable AFL_SKIP_CPUFREQ with value 1
afl-fuzz++4.21c based on afl by Michal Zalewski and a large online community
[...]
[*] Loading custom mutator library from './libgrammarmutator-lua.so'...
[+] Found 'afl_custom_mutator'.
[+] Found 'afl_custom_fuzz_count'.
[*] optional symbol 'afl_custom_post_process' not found.
[+] Found 'afl_custom_init_trim'.
[+] Found 'afl_custom_trim'.
[+] Found 'afl_custom_post_trim'.
[*] optional symbol 'afl_custom_havoc_mutation' not found.
[*] optional symbol 'afl_custom_havoc_mutation_probability' not found.
[+] Found 'afl_custom_queue_get'.
[*] optional symbol 'afl_custom_splice_optout' not found.
[*] optional symbol 'afl_custom_fuzz_send' not found.
[*] optional symbol 'afl_custom_post_run' not found.
[+] Found 'afl_custom_queue_new_entry'.
[*] optional symbol 'afl_custom_describe' not found.
[+] Custom mutator './libgrammarmutator-lua.so' installed successfully.
[*] Scanning 'seeds'...
[+] Loaded a total of 1 seeds.
[*] Creating hard links for all input files...
[*] Validating target binary...
[+] Persistent mode binary detected.
[*] Spinning up the fork server...
[*] Using AFL++ faux forkserver...
[!] WARNING: Old fork server model is used by the target, this still works though.
[+] All right - old fork server is up.
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:0'...
[!] WARNING: instability detected during calibration
    len = 215, map size = 1738, exec speed = 16557 us, hash = 038e4cab3f53c0cc
[!] WARNING: Instrumentation output varies across runs.
[+] All test cases processed.
[!] WARNING: The target binary is pretty slow! See /usr/share/doc/afl/fuzzing_in_depth.md#i-improve-the-speed
[+] Here are some useful stats:

    Test case count : 1 favored, 1 variable, 0 ignored, 1 total
       Bitmap range : 1738 to 1738 bits (average: 1738.00 bits)
        Exec timing : 16.6k to 16.6k us (average: 16.6k us)

[*] No -t option specified, so I'll use an exec timeout of 60 ms.
[+] All set and ready to roll!
_pick_non_term_node returns NULL: No such file or directory

This is because indeed the grammar tree is missing from out/default/trees, since I'm using my preexisting corpus of sources. The readme doesn't say how to generate such tree from a preexisting corpus, only how to generate it with the resulting grammar_generator-<lang> binary. Has anyone figured it out?

[renatahodovan]

I'm struggling with the same issue while trying to use Grammar-Mutator from AFL with a preexisting source-based corpus. (Note: using source-based seeds works when running the built-in generator like ./grammar_generator-ruby 100 1000 ./seeds ./trees, where the seeds directory contains the sources and the trees directory is empty at the beginning). Could anybody give us a hint?