Unfortunately, our experience has been that PHP and similar languages are VERY creative at getting stuck in weird places (for example by suspending the parent process using the posix_kill command). I would recommend inspecting the last input that was generated by the fuzzer (which can be found in the temp file created at https://github.com/nautilus-fuzz/nautilus/blob/master/forksrv/src/lib.rs#L70), to see if you can identify any behavior that hangs the interpreter and the fuzzer by evading the timeout mechanism. If you identify such a condition, please share it (there is a good chance that commenting out a few function names in the grammar will fix this).
I find that when nautilus executes the following test case, it hangs.
“<?php\n$a = NULL;\n$b = NULL;\n$c = NULL;\n$d = NULL;\nsrand(1337);\nnext $b;\nbreak $d;\n$b = $d->getBaseUri($b);\n$c = phdfs->PDF_shfill($d,$b,$c,$a);\ncontinue $b;\ncontinue $b;\n$a = SolrParams->getTitle($d,$b,$d,$b);\nraise $c;\nnext $a;\nnext $b;\n$d = Yaf_Route_Map->Examples with PDO_4D($d);\nreturn $a;\nbreak $b;\n$b = $b->trader_cdlhikkakemod($a,$a);\nyield $b;\nyield $c;\nyield $b;\nyield $d;\nyield $c;\n$c = getCurrentTextPos($b);\nyield $b;\nyield $b;\nyield $d;\n$c = range(range(range(range(range(1,[]),range(range(range(1,NULL),range(range([],\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),1)),\"foo\")),[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range(range(range(range([],range(0.0,0)),[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range(range(range(range(0.0,NULL),range(range(0,true),0)),range(range(range(\"foo\",range(0.0,\"foo\")),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(range([],[]),range(range(range(range(NULL,range(range([],NULL),0)),range(false,false)),0),range(range(\"foo\",range(0.0,NULL)),range(range(true,[]),false)))),range(range(1,[]),range(NULL,NULL))))),range(false,\"foo\"))),range(1,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(range(\"foo\",range(range(\"foo\",[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),[])),NULL))))),range(range(range(range(true,range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(true,0)),range(range(range(false,range(range(NULL,false),range(false,[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]))),range(true,range(0.0,NULL))),range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),0.0)))),range(range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],NULL)),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],[])),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(\"
foo\",range(range(0.0,[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range(1,1))),range(range([],range(false,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(0,range(range(1,true),range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(NULL,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"))),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")))))),range(NULL,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",0.0))))),range(0.0,range(range(range(range(range(range(0,false),[]),range(range(0.0,NULL),1)),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),range(0,range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",NULL),[]),1),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(range(1,true),true))))),\"foo\"))));\nnext $b;\nbreak $b;\n$c = $d->isDestructor($b);\nreturn $c;\nnext $a;\ncontinue $a;\n$b = range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(range(NULL,range(NULL,0.0)),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(false,0)))),range(0,range(range(false,range(range(false,true),true)),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(0.0,range(range(range([],[]),1),range(NULL,NULL)))))));\n$d = 
range(range(range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range([],[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0])),0.0),[]),false),range(range(range(0,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true)),range(range(\"foo\",0.0),range(range(NULL,\"foo\"),range([],\"foo\")))),range(range(false,\"foo\"),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],[])))),range(range(range(range(range(range(false,1),NULL),range(true,range(0.0,range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],0.0),0)))),range(range(range(0,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",NULL)),NULL),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],true))),[]),range(range(range(false,NULL),range(range(true,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),range(\"foo\",0))),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(range(false,range([],0.0)),true)))));\nyield $b;\n$b = OuterIterator->msg_remove_queue($c,$c);\nyield $b;\nyield $d;\ncontinue $c;\n$c = 
range(range(range(range(true,true),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(0,range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",0.0),\"foo\"))),range(true,[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]))),range(range(range(range(false,range(range(false,range(1,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(true,1),NULL))),range(\"foo\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),0),range(range(range(range(range(1,range(1,true)),1),range(range(0,range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],1)),range([],NULL))),range(range(range(range(range(range(0,0),range(range(range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",1),range(true,NULL)),range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],\"foo\"),1)),range(range(true,true),[])),NULL),range(range(range(0,NULL),false),[]))),range(0,[])),range(NULL,NULL)),range(NULL,range(\"foo\",0))),range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true),range(\"foo\",range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",[]))),[]),range(range([],range(false,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true),range(range(1,[]),range(1,0.0))),range(true,range(false,\"foo\"))),range(range(range(NULL,range(range(\"foo\",0.0),range(range(range(true,true),true),[]))),range(range(range(\"foo\",range(false,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"))),0.0),0)),range(range(range(1,1),range(NULL,1)),false))))))),range(range(NULL,range(range(false,1),range(range(0,false),range(range(1,true),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",rang
e(true,1)),0)))))),0))));\nfunction getTermsMaxCount($d,$c)\n$a = $c->mysql_field_name($b);\nnext $d;\ncontinue $c;\nraise $b;\n$c = setGroupOffset($c,$d);\n$d = $d->msql_num_rows($c);\nfunction newt_checkbox_tree($b)\nyield $d;\ncontinue $a;\n$b = ZMQSocket->modulateimage($a);\ncontinue $b;\nbreak $a;\nreturn $b;\nbreak $b;\nnext $a;\nyield $b;\nraise $c;\n$d = range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true),range(true,range(\"foo\",1))),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],[])),range(1,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")));\nreturn $d;\ncontinue $c;\n};\n$d = apd_breakpoint($c,$c);\n$b = range(range(range(NULL,range(range(true,range(range(range(false,range(false,\"foo\")),[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range([],range(\"foo\",1)))),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(\"foo\",range(false,NULL))))),range(\"foo\",[])),range(range(range(1,range(range(\"foo\",1),range(1,range(0,NULL)))),range([],1)),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(range(range(1,[]),1),true))));\nreturn $a;\nbreak $c;\nreturn $d;\nraise $c;\nnext $b;\nyield $b;\n$d = sendQuery();\ncontinue $c;\n$b = 0;\nraise $b;\n};\nnext $b;\nyield $b;\nyield $a;\nfunction quotemeta($b)\nyield $b;\nreturn $a;\ncontinue $b;\n};\ncontinue $a;\n$b = isAcknowledged($c);\nnext $b;\ncontinue $d;\n$d = $a->unsubscribe($a);\n$d = $a->sqlsrv_fetch($c,$b,$a);\ncontinue $b;\nyield $b;\ncontinue $b;\n$d = executeCommand($c);\nraise $d;\n$a = fann_get_rprop_increase_factor($a);\nfunction setfontstyle()\n};\n?>”
It seems to be a raw string; you may need to print it.
BTW, I wonder why not just kill the hanging process and move on to the next fuzzing round?
That test case is a little too big for me to understand; I guess you would want to shrink it down a bit.
We actually do try to kill the process:
https://github.com/nautilus-fuzz/nautilus/blob/master/forksrv/src/lib.rs#L178
However, this is not a bulletproof mechanism. It would be interesting to see what fails. In the past we have seen PHP mess with the signals we used, and we have seen it suspend the parent process (which is supposed to be doing the killing).