Jazzer fails to merge corpora #773

Closed
svenkeidel opened this issue Jun 21, 2023 · 8 comments · Fixed by #784 or #793

Comments

@svenkeidel
Contributor

Hi, thanks for the great work!

When I run jazzer with -merge=1 Corpus1 Corpus2, I get an exception sh: /tmp/jazzer-9602316396620010164.sh: not found.

Here is the full trace:

/app/jazzer --cp='/fuzzing/example.jar' --autofuzz=org.example.Webserver::checkUrl --autofuzz_ignore=java.lang.Exception --coverage_report=coverage -max_len=20 -max_total_time=5 -dict=url_dict -merge=1 WebserverCorpus WebserverCorpusMinimized
OpenJDK 64-Bit Server VM warning: Option CriticalJNINatives was deprecated in version 16.0 and will likely be removed in a future release.
WARN: --coverage_report does not support parallel fuzzing and has been disabled
OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader classes because bootstrap classpath has been appended
INFO: Loaded 153 hooks from com.code_intelligence.jazzer.runtime.TraceCmpHooks
INFO: Loaded 4 hooks from com.code_intelligence.jazzer.runtime.TraceDivHooks
INFO: Loaded 2 hooks from com.code_intelligence.jazzer.runtime.TraceIndirHooks
INFO: Loaded 4 hooks from com.code_intelligence.jazzer.runtime.NativeLibHooks
INFO: Loaded 5 hooks from com.code_intelligence.jazzer.sanitizers.Deserialization
INFO: Loaded 5 hooks from com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection
INFO: Loaded 70 hooks from com.code_intelligence.jazzer.sanitizers.LdapInjection
INFO: Loaded 46 hooks from com.code_intelligence.jazzer.sanitizers.NamingContextLookup
INFO: Loaded 1 hooks from com.code_intelligence.jazzer.sanitizers.OsCommandInjection
INFO: Loaded 48 hooks from com.code_intelligence.jazzer.sanitizers.ReflectiveCall
INFO: Loaded 8 hooks from com.code_intelligence.jazzer.sanitizers.RegexInjection
INFO: Loaded 16 hooks from com.code_intelligence.jazzer.sanitizers.RegexRoadblocks
INFO: Loaded 3 hooks from com.code_intelligence.jazzer.sanitizers.ServerSideRequestForgery
INFO: Loaded 19 hooks from com.code_intelligence.jazzer.sanitizers.SqlInjection
INFO: Loaded 6 hooks from com.code_intelligence.jazzer.sanitizers.XPathInjection
INFO: Instrumented org.example.Webserver (took 21 ms, size +62%)
INFO: found LLVMFuzzerCustomMutator (0x7fca419f5390). Disabling -len_control by default.
INFO: libFuzzer ignores flags that start with '--'
Dictionary: 3 entries
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 4093054809
INFO: Loaded 1 modules   (512 inline 8-bit counters): 512 [0x23fb2e0, 0x23fb4e0), 
INFO: Loaded 1 PC tables (512 PCs): 512 [0x23c9750,0x23cb750), 
MERGE-OUTER: 1 files, 1 in the initial corpus, 0 processed earlier
MERGE-OUTER: attempt 1
sh: /tmp/jazzer-9602316396620010164.sh: not found
MERGE-OUTER: the control file has 28 bytes
MERGE-OUTER: consumed 0Mb (752Mb rss) to parse the control file
MERGE-OUTER: 0 new files with 0 new features added; 0 new coverage edges

To reproduce run

git clone -b merge-corpora https://github.com/svenkeidel/example-fuzzing
cd example-fuzzing
./fuzzing.sh
@bertschneider
Contributor

Thanks for the report!

In merge mode a temporary script is created and set as argv0 to trick the internally used libFuzzer instance to start Jazzer itself again with the correct parameters. It looks like that script is missing.

Could you please check if /tmp is writeable on your system?

We will also investigate this further and get back to you.

@svenkeidel
Contributor Author

svenkeidel commented Jun 22, 2023

Thanks.

Could you please check if /tmp is writeable on your system?

I run Jazzer within the docker container cifuzz/jazzer. The /tmp directory is writable by user root, the same user that executes the jazzer command.

@bertschneider
Contributor

The issue is caused by the used shebang, #!/usr/bin/env sh, in the generated script.

Apparently it is not available in the image gcr.io/distroless/java17. We still need to investigate this further.
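The failure mode described in this thread is easy to misread: the shell says the temporary script is "not found" even though the file exists, because execve() fails with ENOENT for the shebang interpreter (/usr/bin/env in a distroless image), not for the script. The following POSIX sh snippet is an added example, not Jazzer's own code, showing how to check a generated script's shebang interpreter before running it and how to reproduce the misleading error. The script names and the /nonexistent/env path are constructed for the demo; it assumes only a POSIX sh, mktemp, sed and head.

```shell
#!/bin/sh
# Added example (not Jazzer's code): diagnose "sh: /tmp/x.sh: not found"
# when the script exists but its shebang interpreter does not.
# Assumes a POSIX sh, mktemp, head and sed.

# Print the interpreter path from a script's shebang line (first token
# after "#!"), or nothing if the file has no shebang.
shebang_interpreter() {
  head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Check whether the shebang interpreter of a script exists and is executable.
# Returns 0 if it does, 1 if the interpreter is missing, 2 if there is no
# shebang. Prints a one-line diagnosis naming the real culprit.
check_shebang() {
  script=$1
  interp=$(shebang_interpreter "$script")
  if [ -z "$interp" ]; then
    echo "no shebang in $script"
    return 2
  fi
  if [ -x "$interp" ]; then
    echo "ok: $interp"
    return 0
  fi
  echo "missing interpreter: $interp (script itself exists: $script)"
  return 1
}

# Write an executable temp script with the given shebang interpreter, the
# way a wrapper that re-executes itself via argv0 would, and print its path.
# The shebang string is an argument so the demo can use a bogus one.
make_script() {
  f=$(mktemp /tmp/demo-XXXXXX)
  printf '#!%s\necho hello from %s\n' "$1" "$f" > "$f"
  chmod 0700 "$f"
  echo "$f"
}

# Demo: one script with a working shebang, one pointing at a constructed
# path that does not exist, mirroring a distroless image without /usr/bin/env.
demo() {
  good=$(make_script "/usr/bin/env sh")
  bad=$(make_script "/nonexistent/env sh")
  check_shebang "$good"
  check_shebang "$bad"
  # Running the bad script reproduces the confusing message: the kernel
  # returns ENOENT for the interpreter, and the calling shell reports the
  # script path as "not found" (dash, busybox) or "bad interpreter" (bash).
  "$bad" 2>&1 || true
  rm -f "$good" "$bad"
}
```

Run `demo` from an interactive shell to see both diagnoses side by side. In a container, `check_shebang` on the generated wrapper tells you immediately whether to add the interpreter (for example by symlinking the busybox env binary to /usr/bin/env, as done later in this thread) rather than chasing /tmp permissions.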

svenkeidel added a commit to svenkeidel/jazzer that referenced this issue Jun 26, 2023
@svenkeidel
Contributor Author

env is available within busybox. We could simply symlink /busybox/env to /usr/bin/env. I created a PR.

@svenkeidel
Contributor Author

I tested the PR and it works for jazzer v0.18.0.
For v0.19 something else is broken.

@svenkeidel
Contributor Author

svenkeidel commented Jun 26, 2023

It seems there has been a regression. On 0.18.0 merging works.

On 0.19, when adding flag -merge=1, jazzer crashes without exception before code coverage instrumentation:

/fuzzing # /app/jazzer --cp='/fuzzing/example.jar' --target_class='org.example.WebserverFuzzer' --coverage_report=coverage.txt --coverage_dump=coverage.exec --instrumentation_includes=java.util.regex.**:org.example.* --instrumentation_excludes=org.example.WebserverFuzzer:java.lang.Object -max_len=20 -max_total_time=60 -dict=url_dict -merge=1 WebserverCorpus WebserverCorpusMinimize
OpenJDK 64-Bit Server VM warning: Option CriticalJNINatives was deprecated in version 16.0 and will likely be removed in a future release.
WARN: --coverage_report does not support parallel fuzzing and has been disabled

crash with exit code 1

Setting flag -merge=0 works fine though.

fmeum pushed a commit to svenkeidel/jazzer that referenced this issue Jul 5, 2023
@fmeum
Contributor

fmeum commented Jul 5, 2023

@svenkeidel --coverage_dump and --coverage_report have never been supported together with --merge=1, we just upgraded this from a warning to an error in v0.19.0 and forgot to also update the message.

@svenkeidel
Contributor Author

Thanks for the help!
