
Crash file is empty when testing integers #649

Closed
woodsjd-cr opened this issue Oct 16, 2023 · 2 comments

Comments

@woodsjd-cr

Hi, not sure if i'm missing something here in my setup, but when i'm fuzz testing a function with random integers, the crash file is empty and does not show the integer that caused the error.

Fuzz test:

```typescript
import "@jazzer.js/jest-runner";
import { FuzzedDataProvider } from "@jazzer.js/core";

describe("Target", () => {
    it.fuzz("executes a method", (fuzzerInputData: Buffer) => {
        const data = new FuzzedDataProvider(fuzzerInputData); // wraps the raw fuzzer bytes
        const intParam = data.consumeIntegral(4); // reads up to 4 bytes as an integer
        isNotANine(intParam); // throws when the fuzzer produces 9
    });
});

function isNotANine(data: any) {
    if (data !== 9) {
        return true;
    } else {
        throw Error('The provided data is a nine!');
    }
}
```

CLI logs:

```
➜ <MY_APP> git:(fuzz-test) ✗ npm run fuzz

<MY_APP>@<MY_VERSION> fuzz
JAZZER_FUZZ=1 jest --config=src/fuzz-tests/jest.fuzz.config.ts

INFO: using inputs from: <MY_FILE_PATH>/.cifuzz-corpus/fuzz.fuzz/Target/executes_a_method/
INFO: using inputs from: <MY_FILE_PATH>/fuzz-tests/fuzz.fuzz/Target/executes_a_method/

RUNS Jazzer.js src/fuzz-tests/fuzz.fuzz.ts
Dictionary: 4 entries
INFO: Running with entropic power schedule (0xFF, 100).
RUNS Jazzer.js src/fuzz-tests/fuzz.fuzz.ts
INFO: Loaded 2 modules (1024 inline 8-bit counters): 512 [0x120040000, 0x120040200), 512 [0x110170000, 0x110170200),
INFO: Loaded 2 PC tables (1024 PCs): 512 [0x118000000,0x118002000), 512 [0x11e800000,0x11e802000),
INFO: 6 files found in <MY_FILE_PATH>/.cifuzz-corpus/fuzz.fuzz/Target/executes_a_method/
INFO: 0 files found in <MY_FILE_PATH>/fuzz-tests/fuzz.fuzz/Target/executes_a_method/
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
FAIL Jazzer.js src/fuzz-tests/fuzz.fuzz.tstal: 24b rss: 524Mb
Target
✕ executes a method (122 ms)

● Target › executes a method

The provided data is a nine!

  14 |         return true;
  15 |     } else {
> 16 |         throw Error('The provided data is a nine!');
     |               ^
  17 |     }
  18 | }
  19 |

  at isNotANine (fuzz.fuzz.ts:16:15)
  at fuzz.fuzz.ts:8:9

Test Suites: 1 failed, 1 total
Tests: 1 failed, 1 total
Snapshots: 0 total
Time: 3.388 s
Ran all test suites.
==99587== ERROR: libFuzzer: fuzz target exited
SUMMARY: libFuzzer: fuzz target exited
MS: 1 ChangeByte-; base unit: 6dcd4ce23d88e2ee9568ba546c007c63d9131c1b
0x9,
\011
artifact_prefix='<MY_FILE_PATH>/fuzz-tests/fuzz.fuzz/Target/executes_a_method/'; Test unit written to <MY_FILE_PATH>/fuzz-tests/fuzz.fuzz/Target/executes_a_method/crash-ac9231da4082430afe8f4d40127814c613648d8e
Base64: CQ==
npm ERR! Lifecycle script fuzz failed with error:
npm ERR! Error: command failed
npm ERR! in workspace: <MY_APP>@<MY_VERSION>
npm ERR! at location: <MY_FILE_PATH>
➜ <MY_APP> git:(fuzz-test) ✗
```

@woodsjd-cr (Author)

The crash file is generated, but it is empty.

@bertschneider (Contributor)

It's a little bit hidden, but you can see the hex value of the crashing input, 0x9, in the logs. I used your example to reproduce the situation and can confirm that the crash file is written correctly. Its name contains the hash of the input, so it's the same for both of us.

```
» hexyl crash-ac9231da4082430afe8f4d40127814c613648d8e
┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ 09                      ┊                         │_       ┊        │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘
```

0x0 represents the ASCII value for a Null character and 0x9 for a horizontal tab, which explains why the file looks empty when opened in a text editor.

If you run your test in regression mode again it should reproduce the crash using the generated crash file.

Hope this clarifies the situation.
