fuzzilli's People

Contributors

0xedward, amarekano, bernhl, birdg0, carl-smith, chennbnbnb, compnerd, drtychai, gahaas, hotwinter, jamie-garside, jvoisin, khanhnt2, lwizchz, lyutoon, microsvuln, minhtt159, nszetei, oicu0619, phoddie, saelo, samo98, sploitem, theo-morales, timobrembeck, tobiaswienand, turnerrocks1, vigizhang, wbowling, williamparks

fuzzilli's Issues

flaky crashes false positive

1. Test Environment
V8 version: 7.8.0
Ubuntu 16.04
Timeout config: 380ms

2. Issues
I found some crash files generated by fuzzilli, but when I try to reproduce the crashes by running d8, most of them don't crash d8 or produce any errors. (I use the same machine and d8 tool to reproduce the crash.)

  • Command line as below:

      v8/out/fuzzbuild/d8 --debug-code --expose-gc --single-threaded --predictable --allow-natives-syntax --interrupt-budget=1024 --no-arguments crash_1566514916227_18444_flaky_4.js
    
  • Results:

    [COV] no shared memory bitmap available, skipping
    [COV] edge counters initialized. Shared memory: (null) with 565526 edges

  • Test shows:


Total Samples: 4996990
Interesting Samples Found: 8601
Valid Samples Found: 2874108
Corpus Size: 1032
Success Rate: 57.52%
Timeout Rate: 2.76%
Crashes Found: 8
Timeouts Hit: 137813
Coverage: 17.26%
Avg. program size: 93.80
Connected workers: 0
Execs / Second: 18.27
Total Execs: 5768202


3. Questions
Are the flaky crashes false positives? Please check the flaky crashes in the attachment.

Error in V8.patch

When applying the given v8 patch, it would result in the following error:

../../src/d8.cc:2502:9: error: use of undeclared identifier 'success'
        success = false;

I think this line should be changed to

exception_was_thrown = true;

instead? Without this line, the fuzzer would fail with:

[Fuzzer] Cannot detect failed executions (exit code must be nonzero when an uncaught exception was thrown)

compile gecko error

mozbuild.configure.options.InvalidOptionError: --disable-shared-js is not available in this configuration
make: *** No targets specified and no makefile found. Stop.

How to run it over a cluster of VMs?

Thank you for this great project. Is there any way to use it at scale (--networkMaster=host:port), and how do slaves collaborate with the master to avoid redundant work? Also, it does not use all the cores in the system; is there any specific switch to do that?

Compilation

Hi, I'm trying to compile fuzzilli on macOS 10.14.5 (Mojave) and get the following error message:

~/c/j/fuzzilli ❯❯❯ swift --version                     
Apple Swift version 5.0.1 (swiftlang-1001.0.82.4 clang-1001.0.46.5)
Target: x86_64-apple-darwin18.6.0

~/c/j/fuzzilli ❯❯❯ swift build 
/Users/Alexeyan/Code/js_fuzzing/fuzzilli: error: manifest parse error(s):
<module-includes>:353:9: note: in file included from <module-includes>:353:
#import "hfs/hfs_format.h"
        ^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.14.sdk/usr/include/hfs/hfs_format.h:794:2: error: unknown type name 'uuid_string_t'
        uuid_string_t   ext_jnl_uuid;
        ^
<module-includes>:353:9: note: in file included from <module-includes>:353:
#import "hfs/hfs_format.h"
        ^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.14.sdk/usr/include/hfs/hfs_format.h:796:20: error: use of undeclared identifier 'uuid_string_t'; did you mean 'uuid_variant'?
        char            reserved[JIB_RESERVED_SIZE];
                                 ^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.14.sdk/usr/include/hfs/hfs_format.h:787:61: note: expanded from macro 'JIB_RESERVED_SIZE'
#define JIB_RESERVED_SIZE  ((32*sizeof(u_int32_t)) - sizeof(uuid_string_t) - 48)
                                                            ^
/usr/local/include/uuid/uuid.h:112:12: note: 'uuid_variant' declared here
extern int uuid_variant(const uuid_t uu);
           ^
<unknown>:0: error: could not build Objective-C module 'Darwin'

Fix bugs in javascript generator for v8

I get a lot of errors like this. Not sure if a valid js is getting created:

TypeError: Constructor _ requires 'new'
TypeError: undefined/_ is not a function
TypeError: Right-hand side of 'instanceof' is not an object
ReferenceError: _ is not defined
TypeError: Cannot read property _ of undefined

Here's how I'm running the crashes for repro:

timeout 5 /usr/local/src/v8/out/fuzzbuild/d8 --debug-code --expose-gc --single-threaded --predictable -allow-natives-syntax --interrupt-budget=10240 $filename

But even without any extra options to d8, I get the same result in most cases.
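This repro command and the "flaky crashes false positive" report further up ask the same question: does a saved crash file actually crash the engine when re-run, and how often? A file fuzzilli named flaky is one whose re-execution inside the fuzzer did not crash again, so counting outcomes over many runs is the check to make before calling it a false positive. The harness below is an added example, not code from either issue or from fuzzilli: it re-runs a command N times and separates signal deaths (a real engine crash) from nonzero exits (typically an uncaught JS exception, the case that turns up as TypeError/ReferenceError output) and timeouts. It assumes the d8 binary and flags quoted above; `python_command` is a constructed stand-in for d8 used only for self-testing.

```python
"""Re-run a fuzzilli crash file under d8 and measure how often it really crashes."""
import argparse
import collections
import subprocess
import sys

# d8 flags the fuzzilli v8 fuzzbuild is driven with on this page. A crash file must be
# re-run with the same flags it was found with, otherwise the engine state differs.
D8_FLAGS = ["--debug-code", "--expose-gc", "--single-threaded", "--predictable",
            "--allow-natives-syntax", "--interrupt-budget=1024", "--no-arguments"]


def classify_returncode(returncode):
    """Map a subprocess return code to an outcome.

    On POSIX, subprocess reports 'killed by signal S' as returncode -S, so
    SIGSEGV/SIGABRT/SIGILL (a real engine crash) show up as negative values,
    while an uncaught JS exception is only a nonzero exit status."""
    if returncode < 0:
        return "crash"
    return "ok" if returncode == 0 else "error"


def run_once(cmd, timeout_s):
    """Run cmd once; output is discarded, only the way it ended matters here."""
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify_returncode(proc.returncode)


def verdict_for(counts, runs):
    """Deterministic if every run crashed, flaky if some did, not reproduced if none."""
    crashes = counts.get("crash", 0)
    if crashes == runs:
        return "deterministic"
    if crashes == 0:
        return "not reproduced"
    return "flaky"


def reproduction_rate(cmd, runs=20, timeout_s=5.0):
    """Run cmd `runs` times and return the outcome histogram plus a verdict."""
    counts = dict(collections.Counter(run_once(cmd, timeout_s) for _ in range(runs)))
    return {"runs": runs, "counts": counts, "verdict": verdict_for(counts, runs)}


def d8_command(d8, script):
    """Assumed invocation: the d8 path and crash file given on the command line."""
    return [d8, *D8_FLAGS, script]


def python_command(code):
    """Constructed stand-in for d8 (self-test only): runs `code` in a child interpreter."""
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="re-run a crash file and count outcomes")
    ap.add_argument("d8")
    ap.add_argument("script")
    ap.add_argument("--runs", type=int, default=20)
    ap.add_argument("--timeout", type=float, default=5.0)
    args = ap.parse_args()
    print(reproduction_rate(d8_command(args.d8, args.script), args.runs, args.timeout))
```

Use a timeout close to the fuzzer's own (380 ms in the report above) if the "timeout" column should mean the same thing it meant during fuzzing; a larger value only changes which slow runs are counted as timeouts, not how crashes are detected.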

[Cli] No filesystem storage configured, found crashes will be discarded! in ubuntu 18.04

Thank you for your awesome fuzzing tool.

I just tried to set up fuzzilli on my Ubuntu 18.04 system (with Swift 5.0, clang 6.0), but without success. The following are the steps I used; please give me any helpful suggestions!

Step 1: Download Spidermonkey and run fuzzbuild.sh

tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev$ git branch --v
  * fuzz   b37d82a6c3a1 no bug - Bumping Firefox l10n changesets r=release a=l10n-bump DONTBUILD
  master ef914e250432 Merge autoland to mozilla-central.  a=merge
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev$ patch -p1 < ../firefox.patch 
patching file js/src/shell/js.cpp
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src$

after ./fuzzbuild.sh

tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev$ cd js/
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js$ ls
app.mozbuild  ductwork  examples  ffi.configure  ipc  moz.build  moz.configure  public  rust  src  sub.configure  xpconnect
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js$ cd src/
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src$ ls
aclocal.m4    ctypes    fuzzbuild_OPT.OBJ  jit-test          js-config.mozbuild    jsfriendapi.h  jspubtd.h    make-source-package.sh  README.html  vtune
build         devtools  fuzzbuild.sh       jsapi.cpp         js-cxxflags.mozbuild  jslibmath.h    jsshell.msg  moz.build               rust         wasm
build.rs      doc       fuzz-tests         jsapi.h           jsdate.cpp            jsmath.cpp     jstypes.h    NamespaceImports.h      shell        Y.js
builtin       ds        gc                 jsapi-tests       jsdate.h              jsmath.h       jsutil.cpp   octane                  tests        zydis
Cargo.toml    dtoa.c    gdb                jsast.tbl         jsexn.cpp             js.msg         jsutil.h     old-configure           threading
configure     editline  irregexp           js-confdefs.h.in  jsexn.h               jsnum.cpp      lib.rs       old-configure.in        util
configure.in  frontend  jit                js-config.h.in    jsfriendapi.cpp       jsnum.h        Makefile.in  proxy                   vm
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src$ cd fuzzbuild_OPT.OBJ/
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ$ ls
a.out                            binaries.json     config.status           install_dist_bin.track      Makefile      old-configure.vars  _tests
backend.FasterMakeBackend        build             config.statusd          install_dist_include.track  memory        python              third_party
backend.FasterMakeBackend.in     _build_manifests  config_status_deps.in   install_dist_private.track  mfbt          root-deps.mk        _virtualenvs
backend.mk                       config            dist                    install_dist_public.track   modules       root.mk
backend.RecursiveMakeBackend     config.cache      faster                  install__tests.track        mozglue       taskcluster
backend.RecursiveMakeBackend.in  config.log        generated-sources.json  js                          mozinfo.json  testing
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ$ cd dist/
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist$ ls
bin  cppunittests  host  include  private  public  system_wrappers
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist$ cd bin/
tuhaoxin@oscar-optimal:~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist/bin$ ls
gdb-tests         TestAtomics          TestDoublyLinkedList     TestJSONWriter          TestRandomNum          TestSplayTree          TestVariant
gdb-tests-gdb.py  TestBinarySearch     TestEndian               TestLinkedList          TestRange              TestSPSCQueue          TestVector
js                TestBloomFilter      TestEnumeratedArray      TestMacroArgs           TestRefPtr             TestTemplateLib        TestWeakPtr
jsapi-tests       TestBufferList       TestEnumSet              TestMacroForEach        TestResult             TestTextUtils          TestWrappingOperations
js-gdb.py         TestCasting          TestEnumTypeTraits       TestMathAlgorithms      TestRollingMean        TestThreadSafeWeakPtr  TestXorShift128PlusRNG
nsinstall         TestCeilingFloor     TestFastBernoulliTrial   TestMaybe               TestSaturate           TestTuple
run-mozilla.sh    TestCheckedInt       TestFloatingPoint        TestNonDereferenceable  TestScopeExit          TestTypedEnum
TestAlgorithm     TestCountPopulation  TestFunctionTypeTraits   TestNotNull             TestSegmentedVector    TestTypeTraits
TestArray         TestCountZeroes      TestIntegerPrintfMacros  TestPair                TestSHA1               TestUniquePtr
TestArrayUtils    TestDefineEnum       TestIntegerRange         TestPoisonArea          TestSmallPointerArray  TestUtf8

Step 2: swift build and run

tuhaoxin@oscar-optimal:~/github/fuzzilli$ swift build -Xlinker='-lrt'
[7/7] Linking ./.build/x86_64-unknow-linux/debug/FuzzilliCli
tuhaoxin@oscar-optimal:~/github/fuzzilli$ swift run -Xlinker='-lrt' -c release FuzzilliCli --profile=jsc ~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist/bin/js
[Cli] No filesystem storage configured, found crashes will be discarded!
[REPRL] Failed to communicate with child process
[REPRL] Failed to communicate with child process
[REPRL] Failed to communicate with child process
[REPRL] Failed to communicate with child process

Then I got the errors.

From the suggestion in "Failed to communicate with child process with firefox" (#15), I got the following message:

tuhaoxin@oscar-optimal:~/github/fuzzilli/Misc/REPRL$ sudo ./tester ~/github/fuzzilli/Targets/Spidermonkey/gecko-dev/js/src/fuzzbuild_OPT.OBJ/dist/bin/js --reprl
[COV] edge counters initialized. Shared memory: shm_id_7968 with 431547 edges
What to do? r
undefined
42
Exited normally, status: 0
Execution took 0ms
What to do? What to do? r
undefined
42
Exited normally, status: 0
Execution took 0ms
What to do? What to do? p
What to do? What to do? q
Bye
Have 431547 edges
000000004010844010c0b142952d6201211504a4c40040b000000004b11000000008011000000000000252952022222888888888a88aa804298280000004012c805b02580ba0324c00000a81c000000000000000400094a138140e023084a0000000202000000000e000008400000460c8ea000054240c900000000000000000000000000000000000000c0628240000222022088484d2300008010000000000000000000000000000000000000000000000000000000000000000000
...
"read(REPRL_CRFD, &action, 4) == 4" failed
tuhaoxin@oscar-optimal:~/github/fuzzilli/Misc/REPRL$

Could someone tell me what's the problem and how to figure it out? Thanks a lot!

An error while running './fuzzbuild.sh'

My platform is Ubuntu 16.04, and I met an error while running './fuzzbuild.sh'. The info is as follows:

(base) xibeiidaxue@xibeiidaxue-X299-WU8:webkit$ ./fuzzbuild.sh
+  cmake -DPORT="JSCOnly" -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=Debug -G Ninja -DDEVELOPER_MODE=ON -DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt'  -DENABLE_FTL_JIT=ON "/home/xibeiidaxue/ty/webkit"
-- The C compiler identification is Clang 4.0.0
-- The CXX compiler identification is Clang 4.0.0
-- Check for working C compiler: /usr/bin/clang
-- Check for working C compiler: /usr/bin/clang -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/clang++
-- Check for working CXX compiler: /usr/bin/clang++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- The CMake build type is: Debug
-- Found Perl: /usr/bin/perl (found suitable version "5.22.1", minimum required is "5.10.0")
-- Found PerlModules_JSON::PP: TRUE
-- Found PerlModules: TRUE  found components:  JSON::PP
-- Found PythonInterp: /usr/bin/python2.7 (found suitable version "2.7.12", minimum required is "2.7.0")
-- Could NOT find Ruby (missing: RUBY_INCLUDE_DIR RUBY_LIBRARY RUBY_CONFIG_INCLUDE_DIR) (found suitable version "2.3.0", minimum required is "1.9")
-- Performing Test C_COMPILER_SUPPORTS_-fno-strict-aliasing
-- Performing Test C_COMPILER_SUPPORTS_-fno-strict-aliasing - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-fno-strict-aliasing
-- Performing Test CXX_COMPILER_SUPPORTS_-fno-strict-aliasing - Success
-- Performing Test C_COMPILER_SUPPORTS_-fno-exceptions
-- Performing Test C_COMPILER_SUPPORTS_-fno-exceptions - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-fno-exceptions
-- Performing Test CXX_COMPILER_SUPPORTS_-fno-exceptions - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-fno-rtti
-- Performing Test CXX_COMPILER_SUPPORTS_-fno-rtti - Success
-- Performing Test C_COMPILER_SUPPORTS_-Wcast-align
-- Performing Test C_COMPILER_SUPPORTS_-Wcast-align - Success
-- Performing Test C_COMPILER_SUPPORTS_-Wformat-security
-- Performing Test C_COMPILER_SUPPORTS_-Wformat-security - Success
-- Performing Test C_COMPILER_SUPPORTS_-Wmissing-format-attribute
-- Performing Test C_COMPILER_SUPPORTS_-Wmissing-format-attribute - Success
-- Performing Test C_COMPILER_SUPPORTS_-Wpointer-arith
-- Performing Test C_COMPILER_SUPPORTS_-Wpointer-arith - Success
-- Performing Test C_COMPILER_SUPPORTS_-Wundef
-- Performing Test C_COMPILER_SUPPORTS_-Wundef - Success
-- Performing Test C_COMPILER_SUPPORTS_-Wwrite-strings
-- Performing Test C_COMPILER_SUPPORTS_-Wwrite-strings - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wcast-align
-- Performing Test CXX_COMPILER_SUPPORTS_-Wcast-align - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wformat-security
-- Performing Test CXX_COMPILER_SUPPORTS_-Wformat-security - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wmissing-format-attribute
-- Performing Test CXX_COMPILER_SUPPORTS_-Wmissing-format-attribute - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wpointer-arith
-- Performing Test CXX_COMPILER_SUPPORTS_-Wpointer-arith - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wundef
-- Performing Test CXX_COMPILER_SUPPORTS_-Wundef - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wwrite-strings
-- Performing Test CXX_COMPILER_SUPPORTS_-Wwrite-strings - Success
-- Performing Test C_COMPILER_SUPPORTS_-Qunused-arguments
-- Performing Test C_COMPILER_SUPPORTS_-Qunused-arguments - Success
-- Performing Test C_COMPILER_SUPPORTS_-Wno-maybe-uninitialized
-- Performing Test C_COMPILER_SUPPORTS_-Wno-maybe-uninitialized - Failed
-- Performing Test C_COMPILER_SUPPORTS_-Wno-noexcept-type
-- Performing Test C_COMPILER_SUPPORTS_-Wno-noexcept-type - Failed
-- Performing Test C_COMPILER_SUPPORTS_-Wno-parentheses-equality
-- Performing Test C_COMPILER_SUPPORTS_-Wno-parentheses-equality - Success
-- Performing Test C_COMPILER_SUPPORTS_-Wno-psabi
-- Performing Test C_COMPILER_SUPPORTS_-Wno-psabi - Failed
-- Performing Test CXX_COMPILER_SUPPORTS_-Qunused-arguments
-- Performing Test CXX_COMPILER_SUPPORTS_-Qunused-arguments - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-maybe-uninitialized
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-maybe-uninitialized - Failed
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-noexcept-type
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-noexcept-type - Failed
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-parentheses-equality
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-parentheses-equality - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-psabi
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-psabi - Failed
-- Performing Test C_COMPILER_SUPPORTS_-Wall
-- Performing Test C_COMPILER_SUPPORTS_-Wall - Success
-- Performing Test C_COMPILER_SUPPORTS_-Wextra
-- Performing Test C_COMPILER_SUPPORTS_-Wextra - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wall
-- Performing Test CXX_COMPILER_SUPPORTS_-Wall - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wextra
-- Performing Test CXX_COMPILER_SUPPORTS_-Wextra - Success
-- Performing Test C_COMPILER_SUPPORTS_-fcolor-diagnostics
-- Performing Test C_COMPILER_SUPPORTS_-fcolor-diagnostics - Success
-- Performing Test C_COMPILER_SUPPORTS_-fdiagnostics-color=always
-- Performing Test C_COMPILER_SUPPORTS_-fdiagnostics-color=always - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-fcolor-diagnostics
-- Performing Test CXX_COMPILER_SUPPORTS_-fcolor-diagnostics - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-fdiagnostics-color=always
-- Performing Test CXX_COMPILER_SUPPORTS_-fdiagnostics-color=always - Success
-- Performing Test ATOMIC_INT64_IS_BUILTIN
-- Performing Test ATOMIC_INT64_IS_BUILTIN - Failed
-- Performing Test ATOMIC_INT64_REQUIRES_LIBATOMIC
-- Performing Test ATOMIC_INT64_REQUIRES_LIBATOMIC - Failed
-- Performing Test CXX_COMPILER_SUPPORTS_GSPLIT_DWARF
-- Performing Test CXX_COMPILER_SUPPORTS_GSPLIT_DWARF - Success
-- Looking for features.h
-- Looking for features.h - found
-- Looking for errno.h
-- Looking for errno.h - found
-- Looking for langinfo.h
-- Looking for langinfo.h - found
-- Looking for sys/mman.h
-- Looking for sys/mman.h - found
-- Looking for pthread_np.h
-- Looking for pthread_np.h - not found
-- Looking for strings.h
-- Looking for strings.h - found
-- Looking for sys/param.h
-- Looking for sys/param.h - found
-- Looking for sys/time.h
-- Looking for sys/time.h - found
-- Looking for sys/timeb.h
-- Looking for sys/timeb.h - found
-- Looking for linux/memfd.h
-- Looking for linux/memfd.h - found
-- Looking for _aligned_malloc
-- Looking for _aligned_malloc - not found
-- Looking for IsDebuggerPresent
-- Looking for IsDebuggerPresent - not found
-- Looking for localtime_r
-- Looking for localtime_r - found
-- Looking for malloc_trim
-- Looking for malloc_trim - found
-- Looking for strnstr
-- Looking for strnstr - not found
-- Looking for timegm
-- Looking for timegm - found
-- Looking for vasprintf
-- Looking for vasprintf - found
-- Looking for regexec
-- Looking for regexec - found
-- Looking for pthread_main_np
-- Looking for pthread_main_np - not found
-- Looking for SIGTRAP
-- Looking for SIGTRAP - found
-- Performing Test HAVE_STAT_BIRTHTIME_value
-- Performing Test HAVE_STAT_BIRTHTIME_value - Failed
-- Performing Test HAVE_TM_GMTOFF_value
-- Performing Test HAVE_TM_GMTOFF_value - Success
-- Performing Test HAVE_TM_ZONE_value
-- Performing Test HAVE_TM_ZONE_value - Success
-- Looking for sys/types.h
-- Looking for sys/types.h - found
-- Looking for stdint.h
-- Looking for stdint.h - found
-- Looking for stddef.h
-- Looking for stddef.h - found
-- Check size of __int128_t
-- Check size of __int128_t - done
-- Looking for pthread.h
-- Looking for pthread.h - found
-- Looking for pthread_create
-- Looking for pthread_create - not found
-- Looking for pthread_create in pthreads
-- Looking for pthread_create in pthreads - not found
-- Looking for pthread_create in pthread
-- Looking for pthread_create in pthread - found
-- Found Threads: TRUE
-- Found the following ICU libraries:
--   data (required)
--   i18n (required)
--   uc (required)
-- Found ICU: /usr/include/x86_64-linux-gnu (found version "55.1")
-- Platform-specific CMakeLists not found: /home/xibeiidaxue/ty/webkit/Source/bmalloc/PlatformJSCOnly.cmake
-- Using platform-specific CMakeLists: /home/xibeiidaxue/ty/webkit/Source/WTF/wtf/PlatformJSCOnly.cmake
-- Using platform-specific CMakeLists: /home/xibeiidaxue/ty/webkit/Source/JavaScriptCore/PlatformJSCOnly.cmake
-- Performing Test CXX_COMPILER_SUPPORTS_-ffp-contract=off
-- Performing Test CXX_COMPILER_SUPPORTS_-ffp-contract=off - Success
-- Platform-specific CMakeLists not found: /home/xibeiidaxue/ty/webkit/Source/JavaScriptCore/shell/PlatformJSCOnly.cmake
-- Using source list file: Sources.txt
-- Platform-specific CMakeLists not found: /home/xibeiidaxue/ty/webkit/Source/ThirdParty/gtest/PlatformJSCOnly.cmake
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-undef
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-undef - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-stringop-truncation
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-stringop-truncation - Failed
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-suggest-attribute=format
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-suggest-attribute=format - Failed
-- Platform-specific CMakeLists not found: /home/xibeiidaxue/ty/webkit/Source/PlatformJSCOnly.cmake
-- Platform-specific CMakeLists not found: /home/xibeiidaxue/ty/webkit/Tools/PlatformJSCOnly.cmake
-- Using platform-specific CMakeLists: /home/xibeiidaxue/ty/webkit/Tools/TestWebKitAPI/PlatformJSCOnly.cmake
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-dangling-else
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-dangling-else - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-sign-compare
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-sign-compare - Success
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-unused-parameter
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-unused-parameter - Success
-- Platform-specific CMakeLists not found: /home/xibeiidaxue/ty/webkit/PerformanceTests/MallocBench/MallocBench/PlatformJSCOnly.cmake
-- Platform-specific CMakeLists not found: /home/xibeiidaxue/ty/webkit/PerformanceTests/PlatformJSCOnly.cmake
-- Enabled features:
--  ENABLE_STATIC_JSC ............................. ON
-- Configuring done
-- Generating done
-- Build files have been written to: /home/xibeiidaxue/ty/webkit/FuzzBuild/Debug
+  cmake --build FuzzBuild/Debug --config Debug -- jsc testb3 testair testapi testmasm testdfg -j16
[718/1496] Building CXX object Source/...sources/UnifiedSource-23a5fd0e-9.cpp.o
FAILED: /usr/bin/clang++  -DBUILDING_JSCONLY__ -DBUILDING_JavaScriptCore -DBUILDING_WITH_CMAKE=1 -DHAVE_CONFIG_H=1 -DSTATICALLY_LINKED_WITH_WTF -IDerivedSources/ForwardingHeaders -I. -I../../Source/JavaScriptCore -I../../Source/JavaScriptCore/API -I../../Source/JavaScriptCore/assembler -I../../Source/JavaScriptCore/b3 -I../../Source/JavaScriptCore/b3/air -I../../Source/JavaScriptCore/bindings -I../../Source/JavaScriptCore/builtins -I../../Source/JavaScriptCore/bytecode -I../../Source/JavaScriptCore/bytecompiler -I../../Source/JavaScriptCore/dfg -I../../Source/JavaScriptCore/disassembler -I../../Source/JavaScriptCore/disassembler/ARM64 -I../../Source/JavaScriptCore/disassembler/udis86 -I../../Source/JavaScriptCore/domjit -I../../Source/JavaScriptCore/ftl -I../../Source/JavaScriptCore/heap -I../../Source/JavaScriptCore/debugger -I../../Source/JavaScriptCore/inspector -I../../Source/JavaScriptCore/inspector/agents -I../../Source/JavaScriptCore/inspector/augmentable -I../../Source/JavaScriptCore/inspector/remote -I../../Source/JavaScriptCore/interpreter -I../../Source/JavaScriptCore/jit -I../../Source/JavaScriptCore/llint -I../../Source/JavaScriptCore/parser -I../../Source/JavaScriptCore/profiler -I../../Source/JavaScriptCore/runtime -I../../Source/JavaScriptCore/tools -I../../Source/JavaScriptCore/wasm -I../../Source/JavaScriptCore/wasm/js -I../../Source/JavaScriptCore/yarr -IDerivedSources/JavaScriptCore -IDerivedSources/JavaScriptCore/inspector -IDerivedSources/JavaScriptCore/runtime -IDerivedSources/JavaScriptCore/yarr -IDerivedSources -I../../Source/ThirdParty -fdiagnostics-color=always -fcolor-diagnostics -Wextra -Wall -Wno-parentheses-equality -Qunused-arguments -Wwrite-strings -Wundef -Wpointer-arith -Wmissing-format-attribute -Wformat-security -Wcast-align -fsanitize-coverage=trace-pc-guard -O3 -lrt -fno-strict-aliasing -fno-exceptions -fno-rtti -gsplit-dwarf -g -fPIC   -ffp-contract=off -std=c++1z -MD -MT 
Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-23a5fd0e-9.cpp.o -MF Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-23a5fd0e-9.cpp.o.d -o Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-23a5fd0e-9.cpp.o -c DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-23a5fd0e-9.cpp
In file included from DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-23a5fd0e-9.cpp:1:
../../Source/JavaScriptCore/b3/B3Type.cpp:62:20: error: no template named 'is_pod_v' in namespace 'std'; did you mean 'is_pod'?
static_assert(std::is_pod_v<JSC::B3::TypeKind>);
              ~~~~~^~~~~~~~
                   is_pod
/usr/bin/../lib/gcc/x86_64-linux-gnu/5.5.0/../../../../include/c++/5.5.0/type_traits:656:12: note: 'is_pod' declared here
    struct is_pod
           ^
In file included from DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-23a5fd0e-9.cpp:1:
../../Source/JavaScriptCore/b3/B3Type.cpp:62:47: error: expected '(' for function-style cast or type construction
static_assert(std::is_pod_v<JSC::B3::TypeKind>);
              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
2 errors generated.
[718/1496] Building CXX object Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-23a5fd0e-10.cpp.o
ninja: build stopped: subcommand failed.

I don't know what I should do; can anyone help me? If you need more detailed information, you can contact me. Thanks in advance. Thx!!!

fatal error when compiling JavascriptCore using webkit.patch on ubuntu 16.04

call void @__sanitizer_cov_trace_pc_guard(i32* inttoptr (i64 add (i64 ptrtoint ([37 x i32]* @_sancov_gen.1200 to i64), i64 108) to i32*))
inlinable function call in a function with debug info must have a !dbg location
call void @__sanitizer_cov_trace_pc_guard(i32* inttoptr (i64 add (i64 ptrtoint ([3 x i32]* @_sancov_gen.1205 to i64), i64 8) to i32*))
fatal error: error in backend: Broken module found, compilation aborted!
clang-6.0: error: clang frontend command failed with exit code 70 (use -v to see invocation)

Implement proper crash deduplication

This should be able to deduplicate based on (debug) assertions triggered and the current stack trace. This should ideally also produce a nice overview of all the unique crashes in some way.

Currently crashes are only deduplicated based on coverage, which does a fairly bad job most of the time...
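As an added example, not part of this issue and not fuzzilli's code, here is one way to do the bucketing this issue asks for: key each crash on its normalized assertion message plus the top three symbolized frames, and group crash files by that key to get the overview of unique crashes. The crash logs are constructed samples; the frame regex assumes gdb-style `#N 0x... in func (...)` lines like the backtrace quoted later on this page, and the assertion regex assumes `Check failed:` (V8 debug builds) or `ASSERTION FAILED:` (JSC debug builds) lines.

```python
"""Bucket engine crashes by assertion message and top stack frames."""
import hashlib
import re

# gdb-style frame line: "#3  0x000055d0c1b44a12 in v8::internal::Foo (args) at file.cc:88".
# The address and "in" are optional so that frames without symbols still parse.
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[^\s(]+)")

# Assertion lines printed by debug builds: "# Check failed: ..." (V8) or
# "ASSERTION FAILED: ..." (JSC). Only the message after the colon is kept.
ASSERT_RE = re.compile(
    r"^\W*(?:Check failed|ASSERTION FAILED|Assertion failed):\s*(?P<msg>.*)$", re.MULTILINE)

# libc's abort path sits on top of every assertion failure and carries no information.
ABORT_FRAMES = {"raise", "abort", "__GI_raise", "__GI_abort", "gsignal",
                "__libc_start_main", "_start"}


def normalize(text):
    """Replace pointers and counts so ASLR'd addresses and varying sizes do not
    split one bug into many buckets ("(17 vs. 16)" and "(23 vs. 16)" become equal)."""
    text = re.sub(r"0x[0-9a-fA-F]+", "<addr>", text)
    return re.sub(r"\d+", "N", text)


def crash_signature(stderr, frames=3):
    """Return (normalized assertion message, tuple of the top `frames` function names)."""
    m = ASSERT_RE.search(stderr)
    assertion = normalize(m.group("msg")).strip() if m else ""
    funcs = []
    for line in stderr.splitlines():
        fm = FRAME_RE.match(line.strip())
        if not fm or fm.group("func") in ABORT_FRAMES:
            continue
        funcs.append(fm.group("func"))
        if len(funcs) == frames:
            break
    return assertion, tuple(funcs)


def bucket_id(stderr, frames=3):
    """Short stable id for the (assertion, top frames) signature."""
    assertion, funcs = crash_signature(stderr, frames)
    return hashlib.sha1("|".join((assertion,) + funcs).encode()).hexdigest()[:12]


def dedupe(crashes, frames=3):
    """Group {crash_name: stderr} into {bucket_id: [crash_name, ...]}; the keys are
    the unique crashes, the values are the files that hit each one."""
    buckets = {}
    for name, stderr in crashes.items():
        buckets.setdefault(bucket_id(stderr, frames), []).append(name)
    return buckets


# Constructed sample logs (not real engine output). A and B are the same bug seen
# twice under ASLR with different indices; C is a different bug.
SAMPLE_A = """\
# Check failed: index < capacity (17 vs. 16).
#0  0x00007f1c2a3b1e35 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f1c2a39c895 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x000055d0c1a2f3b0 in v8::internal::FixedArray::set (this=0x55d0c2000000, index=17) at objects.cc:120
#3  0x000055d0c1b44a12 in v8::internal::Builtins_ArrayPush () at builtins-array.cc:88
#4  0x000055d0c1c00001 in v8::internal::Execution::Call () at execution.cc:44
"""
SAMPLE_B = """\
# Check failed: index < capacity (23 vs. 16).
#0  0x00007f9a33aa1e35 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f9a33a8c895 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x0000562a0b12f3b0 in v8::internal::FixedArray::set (this=0x562a0c000000, index=23) at objects.cc:120
#3  0x0000562a0b244a12 in v8::internal::Builtins_ArrayPush () at builtins-array.cc:88
#4  0x0000562a0b300001 in v8::internal::Execution::Call () at execution.cc:44
"""
SAMPLE_C = """\
# Check failed: IsJSObject().
#0  0x00007f1c2a3b1e35 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f1c2a39c895 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x000055d0c1a00001 in v8::internal::JSObject::cast () at objects-inl.h:301
#3  0x000055d0c1b00002 in v8::internal::Builtins_ObjectKeys () at builtins-object.cc:12
#4  0x000055d0c1c00001 in v8::internal::Execution::Call () at execution.cc:44
"""

if __name__ == "__main__":
    for bid, names in dedupe({"crash_1": SAMPLE_A, "crash_2": SAMPLE_B, "crash_3": SAMPLE_C}).items():
        print(bid, names)
```

Three frames is a starting point, not a constant: with too few frames a common helper such as `Execution::Call` merges unrelated bugs, with too many, inlining differences between runs split one bug; the assertion text is what keeps the key meaningful for debug-build crashes.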

Implement arrow functions

Arrow functions might get special treatment by the engine and so could be worth adding to FuzzIL, probably in the form of two new operations: BeginArrowFunction and EndArrowFunction.

Consistent int type for exec_time in reprl_result suggested.

Hello saelo! Thanks for sharing fuzzilli with us!

This is a bug report that could trigger on some CPUs, and on those CPUs fuzzilli always crashes as follows:

$/home/ubuntu/Desktop/fuzzilli/.build/x86_64-unknown-linux/debug/FuzzilliCli --profile=jsc ../webkit/FuzzBuild/Debug/bin/jsc

#0 0x00007ffff7bc30e1 in $Ss18_fatalErrorMessage__4file4line5flagss5NeverOs12StaticStringV_A2HSus6UInt32VtFTf4nnddn_n () from /home/ubuntu/Desktop/swift4/usr/lib/swift/linux/libswiftCore.so
#1 0x00007ffff79ea11a in $SSZss17FixedWidthIntegerRzrlEyxqd__cSzRd(long, float _restrict, const) ()
from /home/ubuntu/Desktop/swift4/usr/lib/swift/linux/libswiftCore.so
#2 0x00005555555aef69 in $S8Fuzzilli5REPRLC3run_11withTimeoutAA9ExecutionVSS_s6UInt32VtF (script=...,
timeout=..., self=...) at /home/ubuntu/Desktop/fuzzilli/Sources/Fuzzilli/Execution/REPRL.swift:151
#3 0x00005555555af8b6 in $S8Fuzzilli5REPRLCAA12ScriptRunnerA2aDP3run_11withTimeoutAA9ExecutionVSS_s6UInt32VtFTW ()
#4 0x00005555555f2f48 in $S8Fuzzilli6FuzzerC7execute_11withTimeoutAA9ExecutionVAA7ProgramC_s6UInt32VSgtF
(program=..., timeout=..., self=...)
at /home/ubuntu/Desktop/fuzzilli/Sources/Fuzzilli/Fuzzer.swift:200
#5 0x0000555555627677 in $S8Fuzzilli17ReductionVerifierC4testySbAA7ProgramCF (reducedProgram=...,
self=...) at /home/ubuntu/Desktop/fuzzilli/Sources/Fuzzilli/Minimization/Reducer.swift:39
#6 0x0000555555627a5a in $S8Fuzzilli17ReductionVerifierC12tryReplacing13instructionAt4with2inSbSi_AA11InstructionVAA7ProgramCtF (index=..., newInstr=..., program=..., self=...)
at /home/ubuntu/Desktop/fuzzilli/Sources/Fuzzilli/Minimization/Reducer.swift:54
#7 0x0000555555627c86 in $S8Fuzzilli17ReductionVerifierC10tryNopping13instructionAt2inSbSi_AA7ProgramCtF
(index=..., program=..., self=...)
at /home/ubuntu/Desktop/fuzzilli/Sources/Fuzzilli/Minimization/Reducer.swift:67
#8 0x000055555561ea9a in $S8Fuzzilli25GenericInstructionReducerV6reduce_4withAA7ProgramCAG_AA17ReductionVerifierCtF (program=..., verifier=..., self=...)
at /home/ubuntu/Desktop/fuzzilli/Sources/Fuzzilli/Minimization/GenericInstructionReducer.swift:23
#9 0x000055555561ed69 in $S8Fuzzilli25GenericInstructionReducerVAA0D0A2aDP6reduce_4withAA7ProgramCAI_AA17ReductionVerifierCtFTW ()
#10 0x0000555555624e67 in $S8Fuzzilli9MinimizerC8minimize_11withAspectsAA7ProgramCAG_AA0fE0CtF (
program=..., aspects=..., self=...)
at /home/ubuntu/Desktop/fuzzilli/Sources/Fuzzilli/Minimization/Minimizer.swift:48
#11 0x0000555555589ab3 in $S8Fuzzilli10FuzzerCoreC18processInteresting33_3ACCD2E86945CBBB1D5983F9A675FC4DLL_13havingAspects10isImportedyAA7ProgramC_AA0qN0CSbtF (program=..., aspects=..., isImported=...,
self=...) at /home/ubuntu/Desktop/fuzzilli/Sources/Fuzzilli/Core/FuzzerCore.swift:212
#12 0x0000555555588622 in $S8Fuzzilli10FuzzerCoreC7fuzzOneyyF (self=...)
at /home/ubuntu/Desktop/fuzzilli/Sources/Fuzzilli/Core/FuzzerCore.swift:153
#13 0x00005555555f336e in $S8Fuzzilli6FuzzerC7fuzzOne33_54ECDA97F7E6F07CDC352895C65FED23LLyyF (self=...)
at /home/ubuntu/Desktop/fuzzilli/Sources/Fuzzilli/Fuzzer.swift:224
#14 0x00005555555f349b in $S8Fuzzilli6FuzzerC7fuzzOne33_54ECDA97F7E6F07CDC352895C65FED23LLyyFyycfU
()
at /home/ubuntu/Desktop/fuzzilli/Sources/Fuzzilli/Fuzzer.swift:228
#15 0x00005555555f646c in $S8Fuzzilli6FuzzerC7fuzzOne33_54ECDA97F7E6F07CDC352895C65FED23LLyyFyycfU_TA ()
#16 0x00005555555a143d in $SIeg_IeyB_TR ()
#17 0x00007ffff7f328c7 in _dispatch_call_block_and_release ()
from /home/ubuntu/Desktop/swift4/usr/lib/swift/linux/libdispatch.so
#18 0x00007ffff7f40efc in _dispatch_main_queue_callback_4CF ()
from /home/ubuntu/Desktop/swift4/usr/lib/swift/linux/libdispatch.so
#19 0x00007ffff72954f8 in CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE ()
from /home/ubuntu/Desktop/swift4/usr/lib/swift/linux/libFoundation.so
#20 0x00007ffff72915a9 in __CFRunLoopRun ()
from /home/ubuntu/Desktop/swift4/usr/lib/swift/linux/libFoundation.so
#21 0x00007ffff7290be8 in CFRunLoopRunSpecific ()
from /home/ubuntu/Desktop/swift4/usr/lib/swift/linux/libFoundation.so
#22 0x00007ffff75447fe in $S10Foundation7RunLoopC3runyyF ()
from /home/ubuntu/Desktop/swift4/usr/lib/swift/linux/libFoundation.so
#23 0x0000555555678356 in main () at /home/ubuntu/Desktop/fuzzilli/Sources/FuzzilliCli/main.swift:204
#24 0x00007ffff5b85830 in __libc_start_main (main=0x555555672f90, argc=0x3, argv=0x7fffffffdc18,
init=, fini=, rtld_fini=, stack_end=0x7fffffffdc08)
at ../csu/libc-start.c:291
#25 0x0000555555575799 in _start ()

This is because Sources/libreprl/include/libreprl.h has:

struct reprl_result {
    int child_died;
    int status;
    unsigned long exec_time; //---->
    char* output;
    size_t output_size;
};

While Sources/Fuzzilli/Execution/Execution.swift has:

/// The result of executing a program.
public struct Execution {
    /// The script that was executed to produce this result
    public let script: String

    /// The PID of the process that executed the program
    public let pid: Int

    /// The execution outcome
    public let outcome: ExecutionOutcome

    /// The termination signal
    public let termsig: Int

    /// Program output (not stdout but FuzzIL output)
    public let output: String

    /// Execution time in ms
    public let execTime: Int           // ------>
}

And latter execTime is used as signed int such as:

    var maxExecutionTime = -1
    // Dispatch a non-trivial program and measure its execution time
    let complexProgram = makeComplexProgram()
    for _ in 0..<5 {
        let execution = execute(complexProgram)
        maxExecutionTime = max(maxExecutionTime, execution.execTime)  // ------>
    }

So reprl_result.exec_time could be defined as "long". It's better to define execTime as unsigned or something, but of course more code has to be changed. Thanks :)

Fairly high failure rate when trying to import state

I have not tested this extensively, but quite often, when I try to resume a fuzzing state by using importState, I get an error like:

[Cli] Failed to import state: The operation could not be completed. (SwiftError error 0.)

My state file can be fairly large (a few megabytes). Not sure what the problem could be.
Suspecting it could be something to do with JSONDecoder? Will update if I find anything.

Dockerfile

I've made a dockerfile for fuzzilli/v8 at https://gist.github.com/jlamendo/b013a8904032fb1600583ddc64714571

This probably doesn't belong in an issue, but I wanted to share it in the hopes that it would save someone else some time and wasn't sure where to put it so people could see it. If you'd like me to open a PR to add the dockerfile to the repo or to the readme, let me know. Happy Fuzzing!

P.S. - Thanks for the great fuzzer! Really enjoying this IL approach to fuzzing - very approachable and easy to configure.

Split minimization into multiple smaller tasks

The best way to fix

// Currently, minimization can take a very long time (up to a few minutes on slow CPUs for
, which currently causes some warnings to be printed during mostly normal operations, is probably to somehow split up minimization into multiple small steps. Ideally each step would only be a single execution. Alternatively, each minimizer could run as its own task.

false positives crashes?

I have some crash files generated by Fuzzilli, but when I run them on d8 with --allow-natives-syntax
most of them don't crash d8 or show any error... That's happening with most of the files. Are those false positives, or am I missing something?

'./fuzzbuild.sh' Build Error

I am running 5.3.18-1-MANJARO with clang 5, and I am facing this error while running './fuzzbuild.sh'. This is the error I am getting:

+  cmake -DPORT="JSCOnly" -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_BUILD_TYPE=Debug -DSHOW_BINDINGS_GENERATION_PROGRESS=1 -DDEVELOPER_MODE=ON -DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt'  -DENABLE_FTL_JIT=ON "/home/hadarry/jscd/WebKitFuzz/webkit"
-- The CMake build type is: Debug
-- Found the following ICU libraries:
--   data (required)
--   i18n (required)
--   uc (required)
-- Platform-specific CMakeLists not found: /home/hadarry/jscd/WebKitFuzz/webkit/Source/bmalloc/PlatformJSCOnly.cmake
-- Using platform-specific CMakeLists: /home/hadarry/jscd/WebKitFuzz/webkit/Source/WTF/wtf/PlatformJSCOnly.cmake
-- Using platform-specific CMakeLists: /home/hadarry/jscd/WebKitFuzz/webkit/Source/JavaScriptCore/PlatformJSCOnly.cmake
-- Performing Test CXX_COMPILER_SUPPORTS_-ffp-contract=off
-- Performing Test CXX_COMPILER_SUPPORTS_-ffp-contract=off - Success
-- Platform-specific CMakeLists not found: /home/hadarry/jscd/WebKitFuzz/webkit/Source/JavaScriptCore/shell/PlatformJSCOnly.cmake
-- Using source list file: Sources.txt
-- Platform-specific CMakeLists not found: /home/hadarry/jscd/WebKitFuzz/webkit/Source/ThirdParty/gtest/PlatformJSCOnly.cmake
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-suggest-attribute=format
-- Performing Test CXX_COMPILER_SUPPORTS_-Wno-suggest-attribute=format - Failed
-- Platform-specific CMakeLists not found: /home/hadarry/jscd/WebKitFuzz/webkit/Source/PlatformJSCOnly.cmake
-- Platform-specific CMakeLists not found: /home/hadarry/jscd/WebKitFuzz/webkit/Tools/PlatformJSCOnly.cmake
-- Using platform-specific CMakeLists: /home/hadarry/jscd/WebKitFuzz/webkit/Tools/TestWebKitAPI/PlatformJSCOnly.cmake
-- Platform-specific CMakeLists not found: /home/hadarry/jscd/WebKitFuzz/webkit/PerformanceTests/MallocBench/MallocBench/PlatformJSCOnly.cmake
-- Platform-specific CMakeLists not found: /home/hadarry/jscd/WebKitFuzz/webkit/PerformanceTests/PlatformJSCOnly.cmake
-- Enabled features:
--  ENABLE_STATIC_JSC ............................. ON
-- Configuring done
-- Generating done
-- Build files have been written to: /home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug
+  cmake --build FuzzBuild/Debug --config Debug -- jsc testb3 testair testapi testmasm testdfg -j4
make[1]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[2]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
[  2%] Built target stageSharedScripts
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
[  7%] Built target bmalloc_CopyHeaders
[ 29%] Built target WTF_CopyHeaders
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
[ 31%] Built target bmalloc
[ 32%] Built target JavaScriptCore_CopyHeaders
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
[ 41%] Built target WTF
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
[ 41%] Built target LLIntSettingsExtractor
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
[ 42%] Built target LLIntOffsetsExtractor
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
Scanning dependencies of target JavaScriptCore
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
[ 42%] Building CXX object Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-f2e18ffc-4.cpp.o
[ 42%] Linking CXX static library ../../lib/libJavaScriptCore.a
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
[ 58%] Built target JavaScriptCore
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
[100%] Built target JavaScriptCore_CopyPrivateHeaders
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[3]: Entering directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
[100%] Building CXX object Source/JavaScriptCore/shell/CMakeFiles/jsc.dir/__/jsc.cpp.o
/home/hadarry/jscd/WebKitFuzz/webkit/Source/JavaScriptCore/jsc.cpp:1379:54: error: cannot initialize a parameter of type 'JSC::ExecState *'
      (aka 'JSC::CallFrame *') with an lvalue of type 'JSC::JSGlobalObject *'
    auto operation = callFrame->argument(0).toString(globalObject)->value(globalObject);
                                                     ^~~~~~~~~~~~
/home/hadarry/jscd/WebKitFuzz/webkit/Source/JavaScriptCore/runtime/JSString.h:1033:47: note: passing argument to parameter 'exec' here
inline JSString* JSValue::toString(ExecState* exec) const
                                              ^
/home/hadarry/jscd/WebKitFuzz/webkit/Source/JavaScriptCore/jsc.cpp:1383:51: error: cannot initialize a parameter of type 'JSC::ExecState *'
      (aka 'JSC::CallFrame *') with an lvalue of type 'JSC::JSGlobalObject *'
        auto arg = callFrame->argument(1).toInt32(globalObject);
                                                  ^~~~~~~~~~~~
/home/hadarry/jscd/WebKitFuzz/webkit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:46:51: note: passing argument to parameter 'exec' here
ALWAYS_INLINE int32_t JSValue::toInt32(ExecState* exec) const
                                                  ^
/home/hadarry/jscd/WebKitFuzz/webkit/Source/JavaScriptCore/jsc.cpp:1403:63: error: cannot initialize a parameter of type 'JSC::ExecState *'
      (aka 'JSC::CallFrame *') with an lvalue of type 'JSC::JSGlobalObject *'
        auto viewWithString = callFrame->argument(1).toString(globalObject)->viewWithUnderlyingString(globalObject);
                                                              ^~~~~~~~~~~~
/home/hadarry/jscd/WebKitFuzz/webkit/Source/JavaScriptCore/runtime/JSString.h:1033:47: note: passing argument to parameter 'exec' here
inline JSString* JSValue::toString(ExecState* exec) const
                                              ^
/home/hadarry/jscd/WebKitFuzz/webkit/Source/JavaScriptCore/jsc.cpp:2041:74: warning: unused parameter 'fd' [-Wunused-parameter]
                [&] (VM&, GlobalObject* globalObject, bool& success, int fd, size_t size) {
                                                                         ^
/home/hadarry/jscd/WebKitFuzz/webkit/Source/JavaScriptCore/jsc.cpp:2041:85: warning: unused parameter 'size' [-Wunused-parameter]
                [&] (VM&, GlobalObject* globalObject, bool& success, int fd, size_t size) {
                                                                                    ^
2 warnings and 3 errors generated.
make[3]: *** [Source/JavaScriptCore/shell/CMakeFiles/jsc.dir/build.make:63: Source/JavaScriptCore/shell/CMakeFiles/jsc.dir/__/jsc.cpp.o] Error 1
make[3]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[2]: *** [CMakeFiles/Makefile2:817: Source/JavaScriptCore/shell/CMakeFiles/jsc.dir/all] Error 2
make[2]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make[1]: *** [CMakeFiles/Makefile2:824: Source/JavaScriptCore/shell/CMakeFiles/jsc.dir/rule] Error 2
make[1]: Leaving directory '/home/hadarry/jscd/WebKitFuzz/webkit/FuzzBuild/Debug'
make: *** [Makefile:359: jsc] Error 2

I don't know what to do; I tried building a couple of times. Can anyone help me? If you need more info, just PM me.

Custom JS builtins should be made non-enumerable

The JS engine patches that Fuzzilli requires introduce a number of new JS builtins into the engines, e.g. crash and __fuzzout__. Currently these are installed as enumerable properties on the global object, which means that fuzzer-generated code might accidentally invoke them if it e.g. enumerates the properties of this in global scope. To fix this, the newly introduced builtins should at least be non-enumerable and preferably hidden entirely (e.g. by making them the equivalent of a let variable in global scope) if that is somehow possible, because non-enumerable properties will still show up in Object.getOwnPropertyNames.
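The three options above side by side, as an added example that is not Fuzzilli's or any engine's code: the global object is a constructed stand-in and the builtins only append to a log, so the probe shows exactly which strategy stops accidental invocation and which one also hides the names from reflection.

```javascript
// Added example, not Fuzzilli's or any engine's code: three ways a patched engine
// could expose fuzzing builtins such as `crash` and `__fuzzout__`, and what
// fuzzer-generated code sees in each case. The global object is a constructed
// stand-in (a plain object) and the builtins only append to a log.

function makeBuiltins(log) {
  return {
    crash: () => { log.push("crash"); },
    __fuzzout__: (s) => { log.push("fuzzout:" + String(s)); },
  };
}

// Variant 1: plain assignment, i.e. enumerable data properties (the current state).
function installEnumerable(g, log) {
  Object.assign(g, makeBuiltins(log));
  return {};
}

// Variant 2: the same builtins as non-enumerable properties.
function installNonEnumerable(g, log) {
  for (const [name, fn] of Object.entries(makeBuiltins(log))) {
    Object.defineProperty(g, name, {
      value: fn, enumerable: false, writable: true, configurable: true,
    });
  }
  return {};
}

// Variant 3: no property at all. The builtins become lexical bindings of the
// generated program, the closest analogue of a top-level `let` in script scope.
function installHidden(g, log) {
  return makeBuiltins(log);
}

// Runs generated code with the global object's properties resolvable by bare
// name (via `with`) and any hidden bindings passed in as parameters.
function runGenerated(code, g, bindings) {
  const names = Object.keys(bindings);
  const fn = new Function(...names, "g", "with (g) { " + code + " }");
  return fn(...names.map((n) => bindings[n]), g);
}

// For one installation strategy, report what (a) generated code that enumerates
// the global object and calls everything it finds, (b) getOwnPropertyNames and
// (c) a program naming the builtins directly would observe.
function probe(install) {
  const g = {};
  const log = [];
  const bindings = install(g, log);

  const enumerated = Object.keys(g).filter((k) => typeof g[k] === "function");
  enumerated.forEach((k) => g[k]("x"));               // the accidental invocation
  const accidental = log.length;

  const reflected = Object.getOwnPropertyNames(g)
    .filter((k) => typeof g[k] === "function");

  log.length = 0;
  runGenerated("__fuzzout__('ok'); crash();", g, bindings);
  return { enumerated, reflected, accidental, direct: log.slice() };
}
```

Only the third variant keeps the builtins out of both Object.keys and Object.getOwnPropertyNames while a program that names them directly still reaches them.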

Implement type collection at runtime

Currently, variable types are only computed statically with the AbstractInterpreter. This is generally pretty conservative and at times incorrect as the execution semantics of FuzzIL and JavaScript differ slightly (e.g. FuzzIL has no concept of prototypes).
As such it would be nice to be able to also collect precise variable types at runtime, e.g. for programs that are afterwards stored into the corpus.

This will require at least the following:

  • A (lightweight) implementation of the type system in JavaScript
  • A way to attach existing type information to a program
  • A way to instrument programs so that type information is collected and afterwards sent to the fuzzer process via the fuzzilli output channel
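As an added illustration of the three requirements above (example code, not Fuzzilli's own), with the type names and the JSON-line output format chosen here as assumptions rather than Fuzzilli's actual encoding:

```javascript
// Added example, not Fuzzilli's code: a minimal runtime type collector of the kind
// the issue asks for. jsTypeOf classifies a value into a small FuzzIL-like type,
// TypeCollector merges the types seen for one variable across observations, and
// toFuzzout serializes the result as one JSON line that an instrumented program
// could write to the fuzzilli output channel. The type names and the output
// format are assumptions of this example, not Fuzzilli's actual encoding.

function jsTypeOf(v) {
  if (v === null) return { kind: "null" };
  switch (typeof v) {
    case "undefined": return { kind: "undefined" };
    case "boolean": return { kind: "boolean" };
    case "string": return { kind: "string" };
    case "bigint": return { kind: "bigint" };
    case "symbol": return { kind: "symbol" };
    case "number": return { kind: Number.isInteger(v) ? "integer" : "float" };
    case "function": return { kind: "function", arity: v.length };
    default: {
      // Objects: record own property names, split into data properties and
      // methods. Fuzzer-generated objects may be Proxies or have throwing
      // getters, so every reflective step is guarded.
      const props = [], methods = [];
      let names = [];
      try { names = Object.getOwnPropertyNames(v); } catch (_) { /* hostile proxy */ }
      for (const name of names) {
        let value;
        try { value = v[name]; } catch (_) { continue; }
        (typeof value === "function" ? methods : props).push(name);
      }
      return { kind: "object", props: props.sort(), methods: methods.sort() };
    }
  }
}

class TypeCollector {
  constructor() { this.vars = new Map(); }   // variable name -> Map(kind -> type)

  // Merge a new observation into what is known about `name`. Different kinds
  // form a union (e.g. integer | string); repeated object observations keep only
  // the properties present every time, so the recorded type stays sound.
  record(name, value) {
    const t = jsTypeOf(value);
    if (!this.vars.has(name)) this.vars.set(name, new Map());
    const alts = this.vars.get(name);
    const prev = alts.get(t.kind);
    if (!prev) { alts.set(t.kind, t); return t; }
    if (t.kind === "object") {
      prev.props = prev.props.filter((p) => t.props.includes(p));
      prev.methods = prev.methods.filter((m) => t.methods.includes(m));
    } else if (t.kind === "function" && prev.arity !== t.arity) {
      prev.arity = null;                       // conflicting arities seen
    }
    return prev;
  }

  typeOfVar(name) {
    const alts = this.vars.get(name);
    return alts ? [...alts.values()] : [];
  }

  // One JSON line for the whole run, suitable for the fuzzilli output channel.
  toFuzzout() {
    const out = {};
    for (const [name, alts] of this.vars) out[name] = [...alts.values()];
    return JSON.stringify(out);
  }
}

// Stands in for an instrumented program: after each FuzzIL-level definition the
// instrumentation would emit a record(...) call like the ones below (constructed).
function runSampleProgram() {
  const c = new TypeCollector();
  const v0 = 13;                        c.record("v0", v0);
  const v1 = { x: 1, y: 2, f() {} };    c.record("v1", v1);
  const v2 = function (a, b) { return a + b; }; c.record("v2", v2);
  let v3 = v0;
  for (let i = 0; i < 3; i++) {         // v3 alternates between float and string
    v3 = i % 2 === 0 ? v3 + 0.5 : String(v3);
    c.record("v3", v3);
  }
  delete v1.y;                          c.record("v1", v1);  // y no longer guaranteed
  return c;
}
```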

'%' unexpected token

I'm trying to run a crash generated by Fuzzilli and have something like this in the code: `%NeverOptimizeFunction(main)`

SyntaxError: Unexpected token %
%NeverOptimizeFunction(main);
^
SyntaxError: Unexpected token %

I'm running ./d8 without any flags.

I'd appreciate if you could tell me how to avoid that error and also what flags/parameters I should use on d8 for a better crash output detail like asan.

tks

A typo in builtin function name

In CodeGenerators.swift, this line defines some builtin functions.

var candidates = Set(["getPrototypeOf", "setPrototypeOf", "isExtensible", "preventExtension", "getOwnPropertyDescriptor", "defineProperty", "has", "get", "set", "deleteProperty", "ownKeys", "apply", "call", "construct"])

Shouldn't the preventExtension be preventExtensions according to the spec?

Fuzzilli uses too much memory

During long fuzzing sessions, Fuzzilli may eventually use a considerable amount of memory (multiple gigabytes as reported by e.g. top). This can then quickly become a problem if not enough memory is left for the target engine (which also tends to require quite a bit of memory). This issue is meant to track efforts to reduce the memory consumption of Fuzzilli.

I did some quick tests on macOS using the leaks tool and Xcode's memory graph viewer, and it doesn't immediately look like memory is being leaked. The heaps tool reports quite a bit of memory usage from the data structures associated with programs (instructions, variables, operations), though, so it is probably worth optimizing them. It should also be noted that the sharing of Operation instances doesn't currently happen for imported programs, which might be another thing worth optimizing. However, further investigation of the main factors contributing to the high memory usage is also still necessary.

Improve the FuzzIL type system

The FuzzIL type system should be able to express the types of values in a JavaScript engine. In particular, it should support objects with properties and methods as well as functions and their signatures.

The types of variables (in an interesting sample that will be put into the corpus) can then be collected at runtime by instrumenting the program or (to some degree) be computed statically as is already done in a limited way in the TypeAnalyzer.

This should greatly benefit code generators that emit e.g. property accesses or method/function calls.

Improve handling of non-reproducible crashes

As with any fuzzer, Fuzzilli can trigger crashes that do not reproduce later on. There can be various reasons for that, e.g. memory pressure of the system during the time of the crash or simply non-deterministic behaviour of the target. As JavaScript engines are quite complex, it is expected that there will be non-reproducible crashes during fuzzing.

It would, however, be nice to have some more information about how a sample originally crashed so root-causing of non-reproducible crashes becomes easier/possible. This could e.g. be done by adding a commandline flag that, when enabled, causes Fuzzilli to record stdout + stderr of the target during fuzzing and include that in the crashing testcases. That way, it should at least be somewhat clear how the sample originally crashed.

There could also be a bug in Fuzzilli that causes it to incorrectly treat some files as crashes under some circumstances. One approach to debug this would be to comment out this line:

dup2(devnull, 2);

and thus log stderr of the target during fuzzing. That should show whether the target actually crashed and roughly how it crashed (e.g. with an assertion failure).

missing argument for parameter 'bias' in call

Output for swift build -c release

Compile Swift Module 'Fuzzilli' (60 sources)
fuzzilli/Sources/Fuzzilli/FuzzIL/Program.swift:198:22: error: tuple element cannot have two labels
        case invalid(_ reason: String)
                     ^~~~~~~~~~
                     
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:35:16: error: type 'Bool' has no member 'random'
    b.loadBool(Bool.random())
               ^~~~ ~~~~~~
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:48:39: error: missing argument for parameter 'bias' in call
    for _ in 0..<Int.random(in: 0..<10) {
                                      ^
                                      , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:56:38: error: missing argument for parameter 'bias' in call
    for _ in 0..<Int.random(in: 0..<5) {
                                     ^
                                     , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:65:39: error: missing argument for parameter 'bias' in call
    for _ in 0..<Int.random(in: 0..<10) {
                                      ^
                                      , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:77:38: error: missing argument for parameter 'bias' in call
    for _ in 0..<Int.random(in: 0..<5) {
                                     ^
                                     , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:82:44: error: type 'Bool' has no member 'random'
    let spreads = initialValues.map({ _ in Bool.random() })
                                           ^~~~ ~~~~~~
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:95:57: error: missing argument for parameter 'bias' in call
    b.defineFunction(numParameters: Int.random(in: 2...5), isJSStrictMode: probability(0.2)) { _ in
                                                        ^
                                                        , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:196:69: error: missing argument for parameter 'bias' in call
    let arguments = generateCallArguments(b, n: Int.random(in: 2...5))
                                                                    ^
                                                                    , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:203:69: error: missing argument for parameter 'bias' in call
    let arguments = generateCallArguments(b, n: Int.random(in: 2...5))
                                                                    ^
                                                                    , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:216:69: error: missing argument for parameter 'bias' in call
    let arguments = generateCallArguments(b, n: Int.random(in: 2...5))
                                                                    ^
                                                                    , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:223:69: error: missing argument for parameter 'bias' in call
    let arguments = generateCallArguments(b, n: Int.random(in: 1...5))
                                                                    ^
                                                                    , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:280:46: error: missing argument for parameter 'bias' in call
    let end = b.loadInt(Int.random(in: 0...10))
                                             ^
                                             , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:291:46: error: missing argument for parameter 'bias' in call
    let end = b.loadInt(Int.random(in: 0...10))
                                             ^
                                             , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:302:46: error: missing argument for parameter 'bias' in call
    let end = b.loadInt(Int.random(in: 0...10))
                                             ^
                                             , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:358:52: error: missing argument for parameter 'bias' in call
    let size = b.loadInt(Int.random(in: 0...0x10000))
                                                   ^
                                                   , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:365:76: error: missing argument for parameter 'bias' in call
    b.createArray(with: Array(repeating: value, count: Int.random(in: 1...5)))
                                                                           ^
                                                                           , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:370:76: error: missing argument for parameter 'bias' in call
    b.createArray(with: Array(repeating: value, count: Int.random(in: 1...5)))
                                                                           ^
                                                                           , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:375:76: error: missing argument for parameter 'bias' in call
    b.createArray(with: Array(repeating: value, count: Int.random(in: 1...5)))
                                                                           ^
                                                                           , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:437:53: error: missing argument for parameter 'bias' in call
    for _ in 0..<Int.random(in: 0..<candidates.count) {
                                                    ^
                                                    , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:454:51: error: missing argument for parameter 'bias' in call
        newLength = b.loadInt(Int.random(in: 0..<3))
                                                  ^
                                                  , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift:465:51: error: missing argument for parameter 'bias' in call
    b.storeElement(value, at: Int.random(in: 0..<3), of: target)
                                                  ^
                                                  , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/Corpus.swift:70:50: error: missing argument for parameter 'bias' in call
        let idx = Int.random(in: 0..<active.count)
                                                 ^
                                                 , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/ProgramBuilder.swift:66:58: error: missing argument for parameter 'bias' in call
                Int.random(in: -0x100000000...0x100000000)
                                                         ^
                                                         , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Core/ProgramBuilder.swift:82:13: error: type 'Double' has no member 'random'
            Double.random(in: -1000000...1000000)
            ^~~~~~ ~~~~~~
fuzzilli/Sources/Fuzzilli/Mutators/BaseInstructionMutator.swift:37:65: error: missing argument for parameter 'bias' in call
        for _ in 0..<Int.random(in: 1...maxSimultaneousMutations) {
                                                                ^
                                                                , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Mutators/InputMutator.swift:29:63: error: missing argument for parameter 'bias' in call
        let selectedInput = Int.random(in: 0..<instr.numInputs)
                                                              ^
                                                              , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Mutators/InsertionMutator.swift:34:43: error: missing argument for parameter 'bias' in call
        b.generate(n: Int.random(in: 1...2))
                                          ^
                                          , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Mutators/JITStressMutator.swift:26:43: error: missing argument for parameter 'bias' in call
        b.generate(n: Int.random(in: 1...2))
                                          ^
                                          , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Mutators/JITStressMutator.swift:30:77: error: missing argument for parameter 'bias' in call
            let arguments = generateCallArguments(b, n: Int.random(in: 2...6))
                                                                            ^
                                                                            , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Mutators/OperationMutator.swift:41:65: error: missing argument for parameter 'bias' in call
            propertyNames[Int.random(in: 0..<propertyNames.count)] = b.genPropertyName()
                                                                ^
                                                                , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Mutators/OperationMutator.swift:47:65: error: missing argument for parameter 'bias' in call
            propertyNames[Int.random(in: 0..<propertyNames.count)] = b.genPropertyName()
                                                                ^
                                                                , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Mutators/OperationMutator.swift:52:59: error: missing argument for parameter 'bias' in call
                let idx = Int.random(in: 0..<spreads.count)
                                                          ^
                                                          , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Mutators/OperationMutator.swift:75:59: error: missing argument for parameter 'bias' in call
                let idx = Int.random(in: 0..<spreads.count)
                                                          ^
                                                          , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Mutators/SpliceMutator.swift:45:50: error: missing argument for parameter 'bias' in call
            idx = Int.random(in: 0..<program.size)
                                                 ^
                                                 , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Util/Random.swift:29:17: error: type 'Double' has no member 'random'
        var c = Double.random(in: 0..<s)
                ^~~~~~ ~~~~~~
fuzzilli/Sources/Fuzzilli/Util/Random.swift:33:18: error: type 'Range<Int>' does not conform to protocol 'Sequence'
        for i in range {
                 ^
fuzzilli/Sources/Fuzzilli/Util/Random.swift:59:58: error: missing argument for parameter 'bias' in call
    return collection[Int.random(in: 0..<collection.count)]
                                                         ^
                                                         , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Util/Random.swift:65:58: error: missing argument for parameter 'bias' in call
    return collection[Int.random(in: 0..<collection.count)]
                                                         ^
                                                         , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Util/Random.swift:71:98: error: missing argument for parameter 'bias' in call
    let i = collection.index(collection.startIndex, offsetBy: Int.random(in: 0..<collection.count))
                                                                                                 ^
                                                                                                 , bias: <#Double#>
fuzzilli/Sources/Fuzzilli/Util/Random.swift:22:24: note: 'random(in:bias:)' declared here
    public static func random(in range: Range<Int>, bias: Double) -> Int {
                       ^
fuzzilli/Sources/Fuzzilli/Util/Random.swift:90:27: error: type 'Double' has no member 'random'
    return prob == 1.0 || Double.random(in: 0..<1) < prob
                          ^~~~~~ ~~~~~~

Fuzzilli options to generate js from grammar file and linter

I'm learning fuzzilli now, but I don't know whether my grammar is correct or not. I think that by adding options to generate JS from a given grammar file, we can check whether the resulting JS is valid or not.

fuzzilli generate example_grammar
generate js from example_grammar

fuzzilli generate -n 5 example_grammar
generate 5 js combinations from example_grammar

Adding a linter, I think, will be helpful too:
fuzzilli lint example_grammar
a linter to check the correctness of a grammar

Add a web UI

It would be nice to have a simple web UI to display the current fuzzing statistics, list the (unique) crashes found in the current run, and allow downloading crashing samples. Maybe it should also be able to show samples from the current corpus (so recently found interesting samples) to give some insights into what the fuzzer is currently doing.

The web UI could run on a separate dispatch queue and receive the necessary data by listening for events on the fuzzer queue.

The web UI would of course need some kind of authentication and should support TLS.

The web UI should probably be implemented as a separate package target similar to how FuzzilliCli is currently implemented.

Add ability to import existing JavaScript code

This feature would require implementing a simple "compiler" to compile JavaScript to FuzzIL. Maybe this should be implemented as a separate tool as I doubt there is a good JavaScript parsing library available for swift... :)
The compiled FuzzIL programs could then just be exported as one big JSON (or a different serialization format if supported by then) file similar to how Storage.swift currently exports the corpus.

[REPRL] Failed to communicate with child process

Sorry for the burden. I fixed the previous issue, but the child process for some reason now does not talk to the parent process.

[REPRL] Failed to communicate with child process

I saw that you added new features and I want to test them but it seems this test fails.

Edit:
I'm trying to fix it on my own by reading your patch.

It seems that the internal fuzzilli function was not built into jsc itself although I've applied your patch.

Improve loops in FuzzIL

FuzzIL's representation of loops is oversimplified and cannot express the fact that more or less arbitrary computations can be performed in the loop header. This might, however, be interesting for things like JIT compiler fuzzing. As such it might make sense to split loops into constructs such as:

BeginLoopHeader
...
BeginLoopBody
...
EndLoop

However, the loop header has special requirements as only expressions are valid in there but not additional statements (so e.g. you cannot put more control flow operations into it). This would have to be expressed somehow (e.g. as a new context).

Additionally, it might make sense to define something like a "loop variable", which could be something as simple as a Phi that is emitted by the LoopHead. This would simplify the current code generators for loops.
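The following is an added toy model of the loop split sketched above (BeginLoopHeader / BeginLoopBody / EndLoop); it is illustration code written for this page, not FuzzIL or any fuzzilli code. The instruction names, the "loopHeader" context that only admits expression operations, the use of the header's last output as the loop condition, and the lifting of the header to a JavaScript comma expression are all assumptions made for the example (nested loops are not modelled).

```python
"""Toy FuzzIL-like loop with a separate header block.

Assumptions (not from fuzzilli): only the ops in EXPRESSION_OPS may appear in a
header, the header's last defined variable is the loop condition, and the
header lifts to a comma expression inside a JavaScript `for` condition.
"""
from dataclasses import dataclass

# Operations that lift to an expression and are therefore legal in a loop header.
EXPRESSION_OPS = {"LoadInteger", "BinaryOp", "Compare", "Reassign"}


@dataclass(frozen=True)
class Instr:
    op: str
    out: str = ""       # variable defined by this instruction, "" if none
    args: tuple = ()    # (literal,), (lhs, operator, rhs) or (target, value)


def validate(program):
    """Enforce block nesting and the loop-header context; raise ValueError on the first violation."""
    ctx = "global"
    for n, ins in enumerate(program):
        if ins.op == "BeginLoopHeader":
            if ctx != "global":       # nested loops are out of scope for this toy
                raise ValueError(f"{n}: BeginLoopHeader inside another loop")
            ctx = "loopHeader"
        elif ins.op == "BeginLoopBody":
            if ctx != "loopHeader":
                raise ValueError(f"{n}: BeginLoopBody outside a loop header")
            ctx = "loopBody"
        elif ins.op == "EndLoop":
            if ctx != "loopBody":
                raise ValueError(f"{n}: EndLoop outside a loop body")
            ctx = "global"
        elif ctx == "loopHeader" and ins.op not in EXPRESSION_OPS:
            # The header lands in an expression position of the lifted JS, so
            # statements (BeginIf, Return, further loops, ...) cannot go there.
            raise ValueError(f"{n}: {ins.op} is not allowed in a loop header")
    if ctx != "global":
        raise ValueError("unterminated loop")
    return True


def is_valid(program):
    try:
        return validate(program)
    except ValueError:
        return False


def expr(ins):
    """Render one expression operation as JavaScript source (without a terminating ';')."""
    if ins.op == "LoadInteger":
        return str(ins.args[0])
    if ins.op in ("BinaryOp", "Compare"):
        lhs, operator, rhs = ins.args
        return f"{lhs} {operator} {rhs}"
    if ins.op == "Reassign":
        target, value = ins.args
        return f"{target} = {value}"
    raise ValueError(f"not an expression op: {ins.op}")


def lift(program):
    """Lift a validated program to JavaScript; the header becomes a comma expression."""
    validate(program)
    lines, header, ctx, indent = [], [], "global", ""
    for ins in program:
        if ins.op == "BeginLoopHeader":
            ctx, header = "loopHeader", []
        elif ins.op == "BeginLoopBody":
            outs = [h.out for h in header if h.out]
            if not outs:
                raise ValueError("loop header must define the loop condition")
            # Hoist the header's outputs so the comma expression can assign them,
            # then use the last output as the `for` condition.
            lines.append(f"let {', '.join(outs)};")
            parts = [f"{h.out} = {expr(h)}" if h.out else expr(h) for h in header]
            lines.append(f"for (; ({', '.join(parts + [outs[-1]])}); ) {{")
            ctx, indent = "loopBody", "    "
        elif ins.op == "EndLoop":
            lines.append("}")
            ctx, indent = "global", ""
        elif ctx == "loopHeader":
            header.append(ins)
        else:
            stmt = f"let {ins.out} = {expr(ins)};" if ins.out else f"{expr(ins)};"
            lines.append(indent + stmt)
    return "\n".join(lines)


# Constructed sample: count v0 from 0 to 10 with the bound computed in the header.
COUNT_TO_TEN = [
    Instr("LoadInteger", "v0", (0,)),
    Instr("BeginLoopHeader"),
    Instr("LoadInteger", "v1", (10,)),
    Instr("Compare", "v2", ("v0", "<", "v1")),
    Instr("BeginLoopBody"),
    Instr("LoadInteger", "v3", (1,)),
    Instr("BinaryOp", "v4", ("v0", "+", "v3")),
    Instr("Reassign", "", ("v0", "v4")),
    Instr("EndLoop"),
]

# Constructed invalid sample: control flow inside the header.
BAD_HEADER = [
    Instr("LoadInteger", "v0", (0,)),
    Instr("BeginLoopHeader"),
    Instr("BeginIf", "", ("v0",)),
    Instr("EndIf"),
    Instr("BeginLoopBody"),
    Instr("EndLoop"),
]

if __name__ == "__main__":
    print(lift(COUNT_TO_TEN))
```

Lifting COUNT_TO_TEN yields `let v0 = 0;`, the hoisted `let v1, v2;` and then `for (; (v1 = 10, v2 = v0 < v1, v2); ) { ... }`, which is why the header must stay expression-only: anything that cannot be written as a comma-separated operand has no place in that position, and a separate context is the natural way to make the program builder respect that.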

Add option to discard non-deterministic programs

Add a new command line flag --deterministicCorpus which, when set, causes FuzzerCore to rerun every newly discovered interesting program to see if it behaves deterministically (i.e. triggers the same new behaviour a second time). If not, the sample is discarded right away.

Previously, non-deterministic samples would likely be discarded during import in a worker or master as that would cause the program to be re-executed. However, since the introduction of the new synchronization mechanism, this is no longer the case for a large part of the corpus. As such, it might make sense to "manually" filter out non-deterministic samples.
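As an added illustration of the proposed check (not fuzzilli's own code), the following Python models the decision: run a candidate, compute the coverage edges it adds, rerun it, and only admit it to the corpus when the same new edges show up again. FakeEngine is a constructed stand-in for the REPRL-executed target plus the coverage evaluator and returns the set of edge ids a run touched; the "flaky" program hits an extra edge only on its first execution.

```python
"""Deterministic-corpus filter, modelled on the proposed --deterministicCorpus flag.

FakeEngine, Corpus and the edge sets below are constructed for this example;
fuzzilli's real evaluator works on a coverage bitmap shared with the target.
"""


class FakeEngine:
    """Constructed target: fixed edge sets per program, plus one program whose
    first run touches an extra edge (think GC timing or an uninitialised value)."""
    EDGES = {"p1": {1, 2}, "p2": {2, 3}, "flaky": {1}}

    def __init__(self):
        self.runs = {}

    def execute(self, program):
        n = self.runs.get(program, 0)
        self.runs[program] = n + 1
        cover = set(self.EDGES[program])
        if program == "flaky" and n == 0:
            cover.add(99)          # seen once, never again
        return cover


class Corpus:
    def __init__(self):
        self.known_edges = set()   # global coverage the fuzzer has already seen
        self.programs = []


def new_aspects(cover, known):
    """The 'interesting' part of an execution: edges not seen before."""
    return frozenset(cover - known)


def try_add(corpus, program, execute, reruns=1):
    """Evaluate one candidate. With reruns=0 this is the unfiltered behaviour;
    with reruns>=1 the same new edges must reappear on every rerun."""
    cover = execute(program)
    aspects = new_aspects(cover, corpus.known_edges)
    if not aspects:
        return "not interesting"
    for _ in range(reruns):
        if not aspects <= execute(program):
            # The new behaviour did not reproduce: drop the sample right away so
            # its one-off edges never pollute the coverage map or the corpus.
            return "discarded"
    corpus.known_edges |= cover
    corpus.programs.append(program)
    return "added"


if __name__ == "__main__":
    corpus, engine = Corpus(), FakeEngine()
    for p in ("p1", "p1", "flaky", "p2"):
        print(p, "->", try_add(corpus, p, engine.execute))
```

The cost is one extra execution per interesting sample rather than per sample, since uninteresting candidates are rejected before the rerun; on a coverage-guided fuzzer that is a small fraction of total executions, which is what makes the option affordable.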

Add ability to perform less aggressive minimization

It should be possible to configure the fuzzer to do less aggressive minimization, e.g. to only minimize programs up to a configurable minimum number of instructions. Over-minimization could have a negative impact on the fuzzer's performance as it might remove code that can later be mutated to trigger new behaviour/crashes.
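The following is an added example, not fuzzilli's Minimizer, of what such a floor looks like in the simplest instruction-removal reducer: instructions are removed one at a time while an oracle confirms the behaviour is still triggered, and the loop stops as soon as the program has shrunk to the configured minimum. Instructions are plain strings and the oracle is a constructed stand-in for re-executing the candidate against the target.

```python
"""Instruction-removal minimizer with a configurable size floor.

Added illustration; `still_interesting` stands in for re-running the candidate
and checking that it still crashes or still triggers the new coverage.
"""


def minimize(program, still_interesting, min_size=0):
    """Remove instructions one at a time, keeping order, while the oracle stays
    true. Stop early once len(program) <= min_size (min_size=0 is the
    aggressive behaviour)."""
    prog = list(program)
    i = 0
    while i < len(prog) and len(prog) > min_size:
        candidate = prog[:i] + prog[i + 1:]
        if still_interesting(candidate):
            prog = candidate   # removal kept the behaviour; index i now names the next instruction
        else:
            i += 1             # instruction is required; keep it and move on
    return prog


class CountingOracle:
    """Wraps an oracle and counts calls, i.e. target executions spent on minimization."""

    def __init__(self, fn):
        self.fn, self.calls = fn, 0

    def __call__(self, program):
        self.calls += 1
        return self.fn(program)


# Constructed oracle: the behaviour needs 'a' and 'd'; 'b', 'c' and 'e' are context.
def needs_a_and_d(program):
    return "a" in program and "d" in program


SAMPLE = ["a", "b", "c", "d", "e"]

if __name__ == "__main__":
    for floor in (0, 4):
        oracle = CountingOracle(needs_a_and_d)
        print(floor, minimize(SAMPLE, oracle, min_size=floor), "executions:", oracle.calls)
```

With the floor at 0 the sample collapses to the two required instructions; with the floor at 4 only one removal is made, so three context instructions survive for later mutation, and the minimizer also spends fewer executions.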

Import corpus without state

Could evaluatorState be made optional, or could a flag be added to ignore an incompatible state when importing?

It can be useful to import a previous corpus when testing a new version.

options

How do I use this option?

When I supply a path, such as --importCorpus=dir_path, it outputs the error
"the operation could not be completed" at line
Sources/FuzzilliCli/main.swift#L175

Fuzzilli fails to compile on release but not on debug - LinearLifetimeChecker assertion fail.

While trying to compile Fuzzilli with the -c release flag, an assertion gets triggered.
Command:

swift build -c release

Assertion failure:

swift: /home/buildnode/jenkins/workspace/oss-swift-5.2-package-linux-ubuntu-18_04/swift/lib/SIL/LinearLifetimeChecker.cpp:515: swift::LinearLifetimeError swift::LinearLifetimeChecker::checkValue(swift::SILValue, ArrayRef<swift::BranchPropagatedUser>, ArrayRef<swift::BranchPropagatedUser>, swift::ownership::ErrorBehaviorKind, SmallVectorImpl<swift::SILBasicBlock *> *): Assertion `!consumingUses.empty() && "Must have at least one consuming user?!"' failed.

The assertion is triggered by the compiler while doing what look like variable usage checks on the following line in fuzzilli: https://github.com/googleprojectzero/fuzzilli/blob/master/Sources/Fuzzilli/Modules/Storage.swift#L29

The implementation of the assertion that presumably does the variable checks can be seen here on swift: https://github.com/apple/swift/blob/master/lib/SIL/LinearLifetimeChecker.cpp#L504

Finally, this is all being done on Debian unstable. However, on my local machine (also Debian unstable) I can't reproduce this issue, as it only happens on a cloud service provider with the following uname -a fingerprint: Linux fuzzilli-0 4.19.53-mainline-rev1 #1 SMP Wed Jun 19 23:30:45 UTC 2019 x86_64 GNU/Linux. For this reason I've tried to get all the differences with sysctl -a on both machines and compare the kernel values, but didn't find many disparities. EDIT: Just tried in an Ubuntu 18.04 docker image and on bare-metal Ubuntu 18.04.2 and the issue still reproduces.


Full error and stack trace

javi@fuzzilli-0:~/fuzzilli$ swift run -c release FuzzilliCli --profile=v8 /home/javi/Victims/v8/out/fuzzbuild/d8 
/home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/Analyzer.swift:118:20: warning: static property 'global' produces an empty option set
        static let global     = Context(rawValue: 0)
                   ^
/home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/Analyzer.swift:118:20: note: use [] to silence this warning
        static let global     = Context(rawValue: 0)
                   ^                   ~~~~~~~~~~~~~
                                       ([])
/home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/TypeSystem.swift:749:16: warning: static property 'nothing' produces an empty option set
    static let nothing     = BaseType(rawValue: 0)
               ^
/home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/TypeSystem.swift:749:16: note: use [] to silence this warning
    static let nothing     = BaseType(rawValue: 0)
               ^                     ~~~~~~~~~~~~~
                                     ([])
/home/javi/fuzzilli/Sources/Fuzzilli/Modules/NetworkSync.swift:210:42: warning: initialization of 'UnsafeMutablePointer<UInt8>' results in a dangling pointer
            let bytesRead = read(socket, UnsafeMutablePointer<UInt8>(&receiveBuffer), receiveBuffer.count)
                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/javi/fuzzilli/Sources/Fuzzilli/Modules/NetworkSync.swift:210:70: note: implicit argument conversion from '[UInt8]' to 'UnsafeMutablePointer<UInt8>' produces a pointer valid only for the duration of the call to 'init(_:)'
            let bytesRead = read(socket, UnsafeMutablePointer<UInt8>(&receiveBuffer), receiveBuffer.count)
                                                                     ^~~~~~~~~~~~~~
/home/javi/fuzzilli/Sources/Fuzzilli/Modules/NetworkSync.swift:210:70: note: use the 'withUnsafeMutableBufferPointer' method on Array in order to explicitly convert argument to buffer pointer valid for a defined scope
            let bytesRead = read(socket, UnsafeMutablePointer<UInt8>(&receiveBuffer), receiveBuffer.count)
                                                                     ^
/home/javi/fuzzilli/Sources/Fuzzilli/Modules/NetworkSync.swift:214:33: warning: initialization of 'UnsafeMutablePointer<UInt8>' results in a dangling pointer
            receivedData.append(UnsafeMutablePointer<UInt8>(&receiveBuffer), count: Int(bytesRead))
                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/javi/fuzzilli/Sources/Fuzzilli/Modules/NetworkSync.swift:214:61: note: implicit argument conversion from '[UInt8]' to 'UnsafeMutablePointer<UInt8>' produces a pointer valid only for the duration of the call to 'init(_:)'
            receivedData.append(UnsafeMutablePointer<UInt8>(&receiveBuffer), count: Int(bytesRead))
                                                            ^~~~~~~~~~~~~~
/home/javi/fuzzilli/Sources/Fuzzilli/Modules/NetworkSync.swift:214:61: note: use the 'withUnsafeMutableBufferPointer' method on Array in order to explicitly convert argument to buffer pointer valid for a defined scope
            receivedData.append(UnsafeMutablePointer<UInt8>(&receiveBuffer), count: Int(bytesRead))
                                                            ^
swift: /home/buildnode/jenkins/workspace/oss-swift-5.2-package-linux-ubuntu-18_04/swift/lib/SIL/LinearLifetimeChecker.cpp:515: swift::LinearLifetimeError swift::LinearLifetimeChecker::checkValue(swift::SILValue, ArrayRef<swift::BranchPropagatedUser>, ArrayRef<swift::BranchPropagatedUser>, swift::ownership::ErrorBehaviorKind, SmallVectorImpl<swift::SILBasicBlock *> *): Assertion `!consumingUses.empty() && "Must have at least one consuming user?!"' failed.
Stack dump:
0.	Program arguments: /usr/bin/swift -frontend -c /home/javi/fuzzilli/Sources/Fuzzilli/Configuration.swift /home/javi/fuzzilli/Sources/Fuzzilli/Core/CodeGenerators.swift /home/javi/fuzzilli/Sources/Fuzzilli/Core/Component.swift /home/javi/fuzzilli/Sources/Fuzzilli/Core/Corpus.swift /home/javi/fuzzilli/Sources/Fuzzilli/Core/Environment.swift /home/javi/fuzzilli/Sources/Fuzzilli/Core/Events.swift /home/javi/fuzzilli/Sources/Fuzzilli/Core/FuzzerCore.swift /home/javi/fuzzilli/Sources/Fuzzilli/Core/JavaScriptEnvironment.swift /home/javi/fuzzilli/Sources/Fuzzilli/Core/Logging.swift /home/javi/fuzzilli/Sources/Fuzzilli/Core/ProgramBuilder.swift /home/javi/fuzzilli/Sources/Fuzzilli/Core/Timers.swift /home/javi/fuzzilli/Sources/Fuzzilli/Evaluation/ProgramAspects.swift /home/javi/fuzzilli/Sources/Fuzzilli/Evaluation/ProgramCoverageEvaluator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Evaluation/ProgramEvaluator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Execution/Execution.swift /home/javi/fuzzilli/Sources/Fuzzilli/Execution/Forkserver.swift /home/javi/fuzzilli/Sources/Fuzzilli/Execution/REPRL.swift /home/javi/fuzzilli/Sources/Fuzzilli/Execution/ScriptRunner.swift /home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/AbstractInterpreter.swift /home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/Analyzer.swift /home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/Blocks.swift /home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/Instruction.swift /home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/Operations.swift /home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/Program.swift /home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/TypeSystem.swift /home/javi/fuzzilli/Sources/Fuzzilli/FuzzIL/Variable.swift /home/javi/fuzzilli/Sources/Fuzzilli/Fuzzer.swift /home/javi/fuzzilli/Sources/Fuzzilli/Lifting/Expression.swift /home/javi/fuzzilli/Sources/Fuzzilli/Lifting/InliningPolicy.swift /home/javi/fuzzilli/Sources/Fuzzilli/Lifting/JSExpressions.swift /home/javi/fuzzilli/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift 
/home/javi/fuzzilli/Sources/Fuzzilli/Lifting/Lifter.swift /home/javi/fuzzilli/Sources/Fuzzilli/Lifting/ScriptWriter.swift /home/javi/fuzzilli/Sources/Fuzzilli/Minimization/BlockReducer.swift /home/javi/fuzzilli/Sources/Fuzzilli/Minimization/CallArgumentReducer.swift /home/javi/fuzzilli/Sources/Fuzzilli/Minimization/GenericInstructionReducer.swift /home/javi/fuzzilli/Sources/Fuzzilli/Minimization/InliningReducer.swift /home/javi/fuzzilli/Sources/Fuzzilli/Minimization/Minimizer.swift /home/javi/fuzzilli/Sources/Fuzzilli/Minimization/Reducer.swift /home/javi/fuzzilli/Sources/Fuzzilli/Minimization/ReplaceReducer.swift /home/javi/fuzzilli/Sources/Fuzzilli/Modules/Module.swift /home/javi/fuzzilli/Sources/Fuzzilli/Modules/NetworkSync.swift /home/javi/fuzzilli/Sources/Fuzzilli/Modules/Statistics.swift /home/javi/fuzzilli/Sources/Fuzzilli/Modules/Storage.swift /home/javi/fuzzilli/Sources/Fuzzilli/Modules/ThreadSync.swift /home/javi/fuzzilli/Sources/Fuzzilli/Mutators/BaseInstructionMutator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Mutators/CombineMutator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Mutators/ConcatMutator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Mutators/GrowMutator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Mutators/InputMutator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Mutators/InsertionMutator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Mutators/JITStressMutator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Mutators/Mutator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Mutators/OperationMutator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Mutators/SpliceMutator.swift /home/javi/fuzzilli/Sources/Fuzzilli/Util/CInterop.swift /home/javi/fuzzilli/Sources/Fuzzilli/Util/Error.swift /home/javi/fuzzilli/Sources/Fuzzilli/Util/Misc.swift /home/javi/fuzzilli/Sources/Fuzzilli/Util/MovingAverage.swift /home/javi/fuzzilli/Sources/Fuzzilli/Util/OperationSource.swift /home/javi/fuzzilli/Sources/Fuzzilli/Util/Random.swift /home/javi/fuzzilli/Sources/Fuzzilli/Util/RingBuffer.swift 
/home/javi/fuzzilli/Sources/Fuzzilli/Util/VariableMap.swift /home/javi/fuzzilli/Sources/Fuzzilli/Util/VariableSet.swift /home/javi/fuzzilli/Sources/Fuzzilli/Util/WeightedList.swift -supplementary-output-file-map /tmp/supplementaryOutputs-9ac03c -target x86_64-unknown-linux-gnu -disable-objc-interop -I /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release -I /home/javi/fuzzilli/Sources/libcoverage/include -I /home/javi/fuzzilli/Sources/libreprl/include -I /home/javi/fuzzilli/Sources/libsocket/include -I /home/javi/fuzzilli/Sources/libforkserver/include -color-diagnostics -g -module-cache-path /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/ModuleCache -swift-version 5 -O -D SWIFT_PACKAGE -Xcc -fmodule-map-file=/home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/libcoverage.build/module.modulemap -Xcc -fmodule-map-file=/home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/libreprl.build/module.modulemap -Xcc -fmodule-map-file=/home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/libsocket.build/module.modulemap -Xcc -fmodule-map-file=/home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/libforkserver.build/module.modulemap -parse-as-library -module-name Fuzzilli -num-threads 8 -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Configuration.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Core/CodeGenerators.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Core/Component.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Core/Corpus.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Core/Environment.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Core/Events.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Core/FuzzerCore.swift.o -o 
/home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Core/JavaScriptEnvironment.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Core/Logging.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Core/ProgramBuilder.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Core/Timers.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Evaluation/ProgramAspects.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Evaluation/ProgramCoverageEvaluator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Evaluation/ProgramEvaluator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Execution/Execution.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Execution/Forkserver.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Execution/REPRL.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Execution/ScriptRunner.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/FuzzIL/AbstractInterpreter.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/FuzzIL/Analyzer.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/FuzzIL/Blocks.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/FuzzIL/Instruction.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/FuzzIL/Operations.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/FuzzIL/Program.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/FuzzIL/TypeSystem.swift.o -o 
/home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/FuzzIL/Variable.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Fuzzer.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Lifting/Expression.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Lifting/InliningPolicy.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Lifting/JSExpressions.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Lifting/JavaScriptLifter.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Lifting/Lifter.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Lifting/ScriptWriter.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Minimization/BlockReducer.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Minimization/CallArgumentReducer.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Minimization/GenericInstructionReducer.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Minimization/InliningReducer.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Minimization/Minimizer.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Minimization/Reducer.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Minimization/ReplaceReducer.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Modules/Module.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Modules/NetworkSync.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Modules/Statistics.swift.o -o 
/home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Modules/Storage.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Modules/ThreadSync.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Mutators/BaseInstructionMutator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Mutators/CombineMutator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Mutators/ConcatMutator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Mutators/GrowMutator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Mutators/InputMutator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Mutators/InsertionMutator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Mutators/JITStressMutator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Mutators/Mutator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Mutators/OperationMutator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Mutators/SpliceMutator.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Util/CInterop.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Util/Error.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Util/Misc.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Util/MovingAverage.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Util/OperationSource.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Util/Random.swift.o -o 
/home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Util/RingBuffer.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Util/VariableMap.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Util/VariableSet.swift.o -o /home/javi/fuzzilli/.build/x86_64-unknown-linux-gnu/release/Fuzzilli.build/Util/WeightedList.swift.o 
1.	Swift version 5.2 (swift-5.2-RELEASE)
2.	While running pass #30507 SILFunctionTransform "SemanticARCOpts" on SILFunction "@$s8Fuzzilli7StorageC3for10storageDir19stateExportIntervalAcA6FuzzerC_SSSdSgtcfc".
 for 'init(for:storageDir:stateExportInterval:)' (at /home/javi/fuzzilli/Sources/Fuzzilli/Modules/Storage.swift:29:12)
 #0 0x0000000004b54af4 PrintStackTraceSignalHandler(void*) (/usr/bin/swift+0x4b54af4)
 #1 0x0000000004b526ce llvm::sys::RunSignalHandlers() (/usr/bin/swift+0x4b526ce)
 #2 0x0000000004b54db6 SignalHandler(int) (/usr/bin/swift+0x4b54db6)
 #3 0x00007f9fa4f84110 __restore_rt (/lib/x86_64-linux-gnu/libpthread.so.0+0x14110)
 #4 0x00007f9fa4a15761 raise (/lib/x86_64-linux-gnu/libc.so.6+0x3b761)
 #5 0x00007f9fa49ff55b abort (/lib/x86_64-linux-gnu/libc.so.6+0x2555b)
 #6 0x00007f9fa49ff42f (/lib/x86_64-linux-gnu/libc.so.6+0x2542f)
 #7 0x00007f9fa4a0e092 (/lib/x86_64-linux-gnu/libc.so.6+0x34092)
 #8 0x0000000000dd1f4a swift::LinearLifetimeChecker::checkValue(swift::SILValue, llvm::ArrayRef<swift::BranchPropagatedUser>, llvm::ArrayRef<swift::BranchPropagatedUser>, swift::ownership::ErrorBehaviorKind, llvm::SmallVectorImpl<swift::SILBasicBlock*>*) (/usr/bin/swift+0xdd1f4a)
 #9 0x0000000000d68fe2 swift::SILInstructionVisitor<(anonymous namespace)::SemanticARCOptVisitor, bool>::visit(swift::SILInstruction*) (/usr/bin/swift+0xd68fe2)
#10 0x0000000000d64e4c (anonymous namespace)::SemanticARCOpts::run() (/usr/bin/swift+0xd64e4c)
#11 0x000000000097bbdd swift::SILPassManager::runPassOnFunction(unsigned int, swift::SILFunction*) (/usr/bin/swift+0x97bbdd)
#12 0x000000000097c8a2 swift::SILPassManager::runFunctionPasses(unsigned int, unsigned int) (/usr/bin/swift+0x97c8a2)
#13 0x000000000097dbcf swift::SILPassManager::execute() (/usr/bin/swift+0x97dbcf)
#14 0x0000000000562f78 swift::SILPassManager::executePassPipelinePlan(swift::SILPassPipelinePlan const&) (/usr/bin/swift+0x562f78)
#15 0x0000000000985c8d swift::runSILDiagnosticPasses(swift::SILModule&) (/usr/bin/swift+0x985c8d)
#16 0x000000000076122a swift::CompilerInstance::performSILProcessing(swift::SILModule*, swift::UnifiedStatsReporter*) (/usr/bin/swift+0x76122a)
#17 0x00000000004ec7a8 performCompileStepsPostSILGen(swift::CompilerInstance&, swift::CompilerInvocation&, std::unique_ptr<swift::SILModule, std::default_delete<swift::SILModule> >, bool, llvm::PointerUnion<swift::ModuleDecl*, swift::SourceFile*>, swift::PrimarySpecificPaths const&, bool, int&, swift::FrontendObserver*, swift::UnifiedStatsReporter*) (/usr/bin/swift+0x4ec7a8)
#18 0x00000000004e2655 performCompile(swift::CompilerInstance&, swift::CompilerInvocation&, llvm::ArrayRef<char const*>, int&, swift::FrontendObserver*, swift::UnifiedStatsReporter*) (/usr/bin/swift+0x4e2655)
#19 0x00000000004df453 swift::performFrontend(llvm::ArrayRef<char const*>, char const*, void*, swift::FrontendObserver*) (/usr/bin/swift+0x4df453)
#20 0x0000000000473fa5 main (/usr/bin/swift+0x473fa5)
#21 0x00007f9fa4a00e0b __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26e0b)
#22 0x0000000000473bea _start (/usr/bin/swift+0x473bea)
