
Hang directory populated with two non-hangs #60

Closed
floyd-fuh opened this issue Sep 18, 2019 · 2 comments

Comments

@floyd-fuh (Contributor)

Hi Rohan,

When I was running the AFL tutorial of JQF and simply replaced the PNG parsing with GIF parsing, feeding afl/testcases/images/gif/not_kitty.gif, I found several uncaught exceptions (attached, haven't reported them yet, feel free if you feel like it). So far so good, here are the 4 gif images:

IndexOutOfBoundsException_FileCacheImageInputStream_180

ArrayIndexOutOfBoundsException_GIFImageReader_992

IllegalArgumentException_ImageReader_2687

IndexOutOfBoundsException_GIFImageReader_786

However, at one point AFL's UI got a little stuck and soon after the hang counter went up by 1. A little later another hang was found.

However, after running the hangs with either jqf-repro or a simple Java program that does the same as the driver, neither resulted in a hang. One of the two resulted in a "crash" (exception); the other was fine and did not produce any result (it just ran through).

Do you have any idea what could cause hangs to really occur (the UI is frozen for a short period) while the hang directory contains the wrong files? Could you try to reproduce?

In general I think the "hang" findings are very important for Java programs. While exceptions ("crashes") are good for code robustness, hangs usually indicate a more severe problem that might lead to denial of service issues.

cheers,
floyd

@rohanpadhye (Owner)

Hi floyd,

Feel free to report the crashes if they are previously unknown. You can send a PR to add trophies to the README with your name next to them.

As for hangs vs. crashes, in most programs the hangs are legit. We've reliably found hangs in Maven and Closure. However, these programs are much nicer in that they have clean entry points with usually deterministic behavior.

On the other hand, the ImageIO parsers in the JDK are really archaic pieces of code in the com.sun or java.awt package. I wouldn't be surprised if these tests were in fact non-deterministic, due to dependence on static class-level data structures. In fact, if I remember correctly, whenever I fuzzed the ImageIO library, I would see some GUI frames temporarily spring up on my desktop because java.awt was being loaded. It is also possible that JQF+AFL considers an input as a "hang" because the program paused for a long time during a particularly bad GC cycle. In general, the only solution in such cases is to simply repro the inputs and validate if there is actually a bug to be found.

Please let me know if you find some surprising issues with JQF when fuzzing something more stable, like Apache Commons, Tika, Ant, Maven, etc.
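The triage step recommended above (re-run the recorded "hang" input outside AFL and check whether it is a real hang, an exception, or just a long pause) can be scripted as a stand-alone reproducer. The program below is an added example for this thread, not code from JQF or from either participant. It decodes a GIF the way the tutorial driver does (`ImageIO` reader for the `gif` format, frame 0) on a worker thread, and classifies the outcome. If the worker exceeds the timeout, it dumps the worker's stack trace (a genuine hang shows the parser looping inside `com.sun.imageio` / `javax.imageio` code) and reports how much of the wall-clock time the JVM spent in garbage collection, which separates a GC pause from an actual infinite loop. The 5-second timeout, the class name, and the "one file per command-line argument" convention are assumptions of this example.

```java
import java.io.File;
import java.io.IOException;
import java.lang.management.GarbageCollectorMXBean;
import java.lang.management.ManagementFactory;
import java.util.Iterator;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;

/** Re-runs AFL "hang" inputs through the ImageIO GIF reader and classifies each one. */
public class HangRepro {

    enum Verdict { OK, EXCEPTION, HANG }

    // Assumption: generous compared with the fuzzer's hang timeout, so GC pauses rarely trip it.
    static final long TIMEOUT_MS = 5_000;

    /** Same work as the tutorial driver: select the GIF reader and decode the first frame. */
    static void parseGif(File f) throws IOException {
        Iterator<ImageReader> it = ImageIO.getImageReadersByFormatName("gif");
        if (!it.hasNext()) throw new IllegalStateException("no GIF ImageReader registered");
        ImageReader reader = it.next();
        try (ImageInputStream iis = ImageIO.createImageInputStream(f)) {
            reader.setInput(iis);
            reader.read(0);
        } finally {
            reader.dispose();
        }
    }

    /** Cumulative GC time of all collectors in this JVM, in milliseconds. */
    static long totalGcMillis() {
        long total = 0;
        for (GarbageCollectorMXBean gc : ManagementFactory.getGarbageCollectorMXBeans()) {
            long t = gc.getCollectionTime();   // -1 when the collector does not report it
            if (t > 0) total += t;
        }
        return total;
    }

    static Verdict repro(File f) throws InterruptedException {
        final Thread[] worker = new Thread[1];
        ExecutorService ex = Executors.newSingleThreadExecutor(r -> {
            worker[0] = new Thread(r, "gif-parser");
            worker[0].setDaemon(true);           // never keeps the JVM alive after a hang
            return worker[0];
        });
        long gcBefore = totalGcMillis();
        long start = System.nanoTime();
        Future<?> fut = ex.submit(() -> { parseGif(f); return null; });
        try {
            fut.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
            System.out.printf("%s: OK in %d ms%n", f, elapsedMs(start));
            return Verdict.OK;
        } catch (ExecutionException e) {
            // The "crash" case: the parser threw an uncaught exception.
            Throwable cause = e.getCause();
            System.out.printf("%s: EXCEPTION %s after %d ms%n", f,
                    cause.getClass().getName(), elapsedMs(start));
            return Verdict.EXCEPTION;
        } catch (TimeoutException e) {
            long gcMs = totalGcMillis() - gcBefore;
            System.out.printf("%s: HANG (>%d ms, %d ms of it in GC)%n", f, TIMEOUT_MS, gcMs);
            // Where the worker is stuck; a real hang sits inside the decoder, not in GC.
            for (StackTraceElement el : worker[0].getStackTrace()) {
                System.out.println("    at " + el);
            }
            fut.cancel(true);
            return Verdict.HANG;
        } finally {
            ex.shutdownNow();
        }
    }

    static long elapsedMs(long startNanos) {
        return TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - startNanos);
    }

    public static void main(String[] args) throws InterruptedException {
        // Avoid the GUI frames that java.awt may pop up while ImageIO classes load.
        System.setProperty("java.awt.headless", "true");
        for (String path : args) {
            repro(new File(path));
        }
    }
}
```

Run it against the files from AFL's hang directory (for example `java HangRepro hangs/id:000000*`). An input that finishes as `OK` or `EXCEPTION` within the timeout, or whose `HANG` report shows most of the elapsed time in GC and a stack that is not inside the decoder, is the false positive the thread describes; a `HANG` whose stack repeatedly shows the same `GIFImageReader` frames across runs is worth reporting as a denial-of-service bug.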

@floyd-fuh (Contributor, Author)

Ok, I see, so nothing we can do here for the moment.

I did find more interesting crashes, especially an OOM in a very low-level API of a third-party library... I'll let you know once I've finished the reporting and it is fixed.
