a grammar based feedback fuzzer

Nautilus

NOTE: THIS IS AN OUTDATED REPOSITORY, THE CURRENT RELEASE IS AVAILABLE HERE. THIS REPO ONLY SERVES AS A REFERENCE FOR THE PAPER.

Nautilus is a feedback fuzzer inspired by AFL. Unlike AFL, it lets you specify a grammar for the input format. Using this grammar, the fuzzer generates the abstract syntax tree of each input and works on that tree internally, which allows very complex mutations. The tree is then converted to the actual input.

Knowing the exact tree shape greatly improves the performance for highly structured input formats, such as many text formats and programming languages.
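The tree-based approach described above, as an added Rust sketch (not code from the Nautilus repository): an input is kept as a derivation tree, a mutation regenerates one subtree from its own nonterminal, and the tree is unparsed to the concrete input at the end, so every mutated input still follows the grammar. The toy arithmetic grammar, the `Grammar`, `Node` and `Rng` types and all function names are assumptions made for this illustration.

```rust
// Added illustration, not Nautilus source: toy grammar, derivation tree, subtree mutation.
enum Sym { T(&'static str), N(&'static str) } // terminal / nonterminal
struct Node { nt: &'static str, rule: usize, kids: Vec<Node> } // one applied rule
struct Rng(u64); // xorshift64, so no external crate is needed; seed must be nonzero
impl Rng {
    fn next(&mut self) -> usize {
        self.0 ^= self.0 << 13; self.0 ^= self.0 >> 7; self.0 ^= self.0 << 17;
        (self.0 >> 16) as usize
    }
}

// Assumption of this sketch: the first rule listed for each nonterminal is non-recursive.
struct Grammar { rules: Vec<(&'static str, Vec<Sym>)> }
impl Grammar {
    // Expand `nt` into a tree; once the depth budget is spent, always take the first rule.
    fn generate(&self, nt: &'static str, depth: usize, rng: &mut Rng) -> Node {
        let cands: Vec<usize> = (0..self.rules.len()).filter(|&i| self.rules[i].0 == nt).collect();
        let rule = if depth == 0 { cands[0] } else { cands[rng.next() % cands.len()] };
        let kids = self.rules[rule].1.iter().filter_map(|s| match s {
            Sym::N(n) => Some(self.generate(*n, depth.saturating_sub(1), rng)),
            Sym::T(_) => None,
        }).collect();
        Node { nt, rule, kids }
    }
    // Turn the tree into the concrete input that would be handed to the target.
    fn unparse(&self, n: &Node) -> String {
        let mut kids = n.kids.iter();
        self.rules[n.rule].1.iter().map(|s| match s {
            Sym::T(t) => t.to_string(),
            Sym::N(_) => self.unparse(kids.next().expect("one child per nonterminal")),
        }).collect()
    }
    // A tree is well formed if every node's children match its rule's nonterminals.
    fn valid(&self, n: &Node) -> bool {
        let (lhs, rhs) = &self.rules[n.rule];
        let nts: Vec<&str> = rhs.iter().filter_map(|s| match s { Sym::N(x) => Some(*x), _ => None }).collect();
        *lhs == n.nt && nts.len() == n.kids.len()
            && nts.iter().zip(&n.kids).all(|(x, k)| *x == k.nt && self.valid(k))
    }
    // Subtree replacement: regenerate a randomly chosen node from its own nonterminal.
    fn mutate(&self, tree: &mut Node, rng: &mut Rng) {
        let mut idx = rng.next() % size(tree);
        let target = nth_mut(tree, &mut idx).expect("idx < size");
        *target = self.generate(target.nt, 3, rng);
    }
}
fn size(n: &Node) -> usize { 1 + n.kids.iter().map(size).sum::<usize>() }
fn nth_mut<'a>(n: &'a mut Node, idx: &mut usize) -> Option<&'a mut Node> { // pre-order
    if *idx == 0 { return Some(n); }
    *idx -= 1;
    n.kids.iter_mut().find_map(|k| nth_mut(k, idx))
}

fn toy_grammar() -> Grammar {
    use Sym::{N, T};
    Grammar { rules: vec![
        ("EXPR", vec![N("NUM")]), ("EXPR", vec![T("-"), N("EXPR")]),
        ("EXPR", vec![T("("), N("EXPR"), T("+"), N("EXPR"), T(")")]),
        ("NUM", vec![T("0")]), ("NUM", vec![T("1")]), ("NUM", vec![T("42")]),
    ] }
}
fn main() {
    let (g, mut rng) = (toy_grammar(), Rng(0x5EED));
    let mut tree = g.generate("EXPR", 4, &mut rng);
    for _ in 0..5 {
        println!("{}  well-formed={}", g.unparse(&tree), g.valid(&tree));
        g.mutate(&mut tree, &mut rng);
    }
}
```

A byte-level mutator applied to the same strings would routinely break the parenthesis structure; here the shape of the tree guarantees it cannot.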

Setup

# set workdir path
export WORKDIR="$(pwd)/nautilus"

# checkout the git:
git clone 'https://github.com/RUB-SysSec/nautilus.git'

# clang instrument wrapper
cd "$WORKDIR/forksrv/instrument/rt"
    sudo apt-get install g++-multilib # only if needed (error 'sys/cdefs.h' file not found)
    make #might need llvm-3.8-dev
cd "$WORKDIR/forksrv/instrument/clang_wrapper"
    make

# target
git clone https://github.com/mruby/mruby.git "$WORKDIR/forksrv/instrument/mruby"
cd "$WORKDIR/forksrv/instrument/mruby"
    sudo apt install ruby bison # if needed
    CC="$WORKDIR/forksrv/instrument/clang_wrapper/redqueen-clang" LD="$WORKDIR/forksrv/instrument/clang_wrapper/redqueen-clang" make
cd "$WORKDIR"

# update paths in config.ron
mkdir -p "$WORKDIR/outputs/queue" # needed if the workdir in your config is $WORKDIR; otherwise the fuzzer will crash because the queue is not found

# fix the paths in config.ron (lines 14 to 16)

cargo run -p gramophone --release --bin fuzzer

Comments
  • Building of PHP-7.2.6 fails with Redqueen toolchain

    Hi, I was trying to fuzz PHP-7.2.6 with Nautilus as this was the version tagged in the paper but while trying to build the fuzz target with redqueen as was done for the mruby target (providing the same CC, CXX, and LD), it would fail with the following error:

    /root/php-src/main/reentrancy.c:139:2: warning: 'readdir_r' is deprecated
          [-Wdeprecated-declarations]
            readdir_r(dirp, entry);
            ^
    /usr/include/dirent.h:183:12: note: 'readdir_r' has been explicitly marked
          deprecated here
    extern int readdir_r (DIR *__restrict __dirp,
               ^
    /root/php-src/main/reentrancy.c:139:23: error: too few arguments to function call,
          expected 3, have 2
            readdir_r(dirp, entry);
            ~~~~~~~~~            ^
    /usr/include/dirent.h:183:1: note: 'readdir_r' declared here
    extern int readdir_r (DIR *__restrict __dirp,
    ^
    1 warning and 1 error generated.
    

    Is there some specific patch that I can apply to make it work? Also, I assume Nautilus has a Redqueen dependency? I tried running it on the PHP target compiled with just vanilla GCC and the fuzzer panicked and quit.

    opened by prashast 2
  • Some errors of ‘cargo run’

    Hi! I'm reading the paper recently, which is well written. But when I was running the command "cargo run -p gramophone --release --bin fuzzer", I got the following errors:

    error[E0407]: method replace_one is not a member of trait Step
      --> grammartec/src/newtypes.rs:72:5
       |
    72 | /     fn replace_one(&mut self) -> Self {
    73 | |         return NodeID::from(0);
    74 | |     }
       | |_____^ not a member of trait Step

    error[E0407]: method replace_zero is not a member of trait Step
      --> grammartec/src/newtypes.rs:75:5
       |
    75 | /     fn replace_zero(&mut self) -> Self {
    76 | |         return NodeID::from(1);
    77 | |     }
       | |_____^ not a member of trait Step

    error[E0407]: method add_one is not a member of trait Step
      --> grammartec/src/newtypes.rs:78:5
       |
    78 | /     fn add_one(&self) -> Self {
    79 | |         return self.add(1);
    80 | |     }
       | |_____^ not a member of trait Step

    error[E0407]: method sub_one is not a member of trait Step
      --> grammartec/src/newtypes.rs:81:5
       |
    81 | /     fn sub_one(&self) -> Self {
    82 | |         return NodeID(self.0 - 1);
    83 | |     }
       | |_____^ not a member of trait Step

    error[E0407]: method add_usize is not a member of trait Step
      --> grammartec/src/newtypes.rs:84:5
       |
    84 | /     fn add_usize(&self, n: usize) -> Option {
    85 | |         match self.0.checked_add(n) {
    86 | |             Some(x) => return Some(NodeID::from(x)),
    87 | |             None => return None,
    88 | |         }
    89 | |     }
       | |_____^ not a member of trait Step

    I think it may be a problem with the version of rust I use. Which version do you use? Thanks a lot.

    opened by JialeDeng 1
  • clang segfaults

    I'm using stock Ubuntu clang-6.0.0. Trying to build the example mruby as instructed. Problem: clang segfaults. What version do you use?

    
    serj@rocket:~/_o/netstock/nautilus/forksrv/instrument/mruby$ make
    ruby ./minirake
    (in /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby)
    CC    mrbgems/mruby-compiler/core/codegen.c -> build/test/mrbgems/mruby-compiler/core/codegen.o
    
    
    
    ==================================================== 
    linking: false
    running -g -std=gnu99 -O3 -Wall -Werror-implicit-function-declaration -Wdeclaration-after-statement -Wwrite-strings -Wundef -g3 -O0 -DMRB_DEBUG -DMRBGEM_MRUBY_COMPILER_VERSION=0.0.0 -I/home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/include -MMD -o /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/build/test/mrbgems/mruby-compiler/core/codegen.o -c /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/mrbgems/mruby-compiler/core/codegen.c
     =>
     -Qunused-arguments -Xclang -load -Xclang /home/serj/_o/netstock/nautilus/forksrv/instrument/clang_wrapper/afl-llvm-pass.so -g -std=gnu99 -O3 -Wall -Werror-implicit-function-declaration -Wdeclaration-after-statement -Wwrite-strings -Wundef -g3 -O0 -DMRB_DEBUG -DMRBGEM_MRUBY_COMPILER_VERSION=0.0.0 -I/home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/include -MMD -o /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/build/test/mrbgems/mruby-compiler/core/codegen.o -c /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/mrbgems/mruby-compiler/core/codegen.c -v -ggdb3 -O3 -funroll-loops -DREDQUEEN_FUZZER=1
    ==================================================== 
    
    
    
    clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
    Target: x86_64-pc-linux-gnu
    Thread model: posix
    InstalledDir: /usr/bin
    Found candidate GCC installation: /usr/bin/../lib/gcc/i686-linux-gnu/8
    Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/5
    Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/5.5.0
    Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/6
    Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/6.5.0
    Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/7
    Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/7.4.0
    Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/8
    Found candidate GCC installation: /usr/lib/gcc/i686-linux-gnu/8
    Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/5
    Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/5.5.0
    Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/6
    Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/6.5.0
    Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7
    Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7.4.0
    Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
    Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/7.4.0
    Candidate multilib: .;@m64
    Candidate multilib: 32;@m32
    Candidate multilib: x32;@mx32
    Selected multilib: .;@m64
     "/usr/lib/llvm-6.0/bin/clang" -cc1 -triple x86_64-pc-linux-gnu -emit-obj -disable-free -disable-llvm-verifier -discard-value-names -main-file-name codegen.c -mrelocation-model static -mthread-model posix -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debug-info-kind=limited -dwarf-version=4 -debugger-tuning=gdb -momit-leaf-frame-pointer -v -coverage-notes-file /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/build/test/mrbgems/mruby-compiler/core/codegen.gcno -resource-dir /usr/lib/llvm-6.0/lib/clang/6.0.0 -dependency-file /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/build/test/mrbgems/mruby-compiler/core/codegen.d -MT /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/build/test/mrbgems/mruby-compiler/core/codegen.o -D MRB_DEBUG -D MRBGEM_MRUBY_COMPILER_VERSION=0.0.0 -I /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/include -D REDQUEEN_FUZZER=1 -internal-isystem /usr/local/include -internal-isystem /usr/lib/llvm-6.0/lib/clang/6.0.0/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wall -Werror-implicit-function-declaration -Wdeclaration-after-statement -Wwrite-strings -Wundef -std=gnu99 -fconst-strings -fdebug-compilation-dir /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby -ferror-limit 19 -fmessage-length 172 -funroll-loops -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -vectorize-loops -vectorize-slp -load /home/serj/_o/netstock/nautilus/forksrv/instrument/clang_wrapper/afl-llvm-pass.so -o /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/build/test/mrbgems/mruby-compiler/core/codegen.o -x c /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/mrbgems/mruby-compiler/core/codegen.c
    clang -cc1 version 6.0.0 based upon LLVM 6.0.0 default target x86_64-pc-linux-gnu
    ignoring nonexistent directory "/include"
    #include "..." search starts here:
    #include <...> search starts here:
     /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/include
     /usr/local/include
     /usr/lib/llvm-6.0/lib/clang/6.0.0/include
     /usr/include/x86_64-linux-gnu
     /usr/include
    End of search list.
    rofl-llvm-pass  ripped of from afl-llvm-pass by <[email protected]>
    clang: error: unable to execute command: Segmentation fault (core dumped)
    clang: error: clang frontend command failed due to signal (use -v to see invocation)
    clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
    Target: x86_64-pc-linux-gnu
    Thread model: posix
    InstalledDir: /usr/bin
    clang: note: diagnostic msg: PLEASE submit a bug report to http://llvm.org/bugs/ and include the crash backtrace, preprocessed source, and associated run script.
    clang: error: unable to execute command: Segmentation fault (core dumped)
    clang: note: diagnostic msg: Error generating preprocessed source(s).
    rake aborted!
    Command Failed: [/home/serj/_o/netstock/nautilus/forksrv/instrument/clang_wrapper/redqueen-clang -g -std=gnu99 -O3 -Wall -Werror-implicit-function-declaration -Wdeclaration-after-statement -Wwrite-strings -Wundef -g3 -O0 -DMRB_DEBUG -DMRBGEM_MRUBY_COMPILER_VERSION=0.0.0 -I/home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/include -MMD -o /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/build/test/mrbgems/mruby-compiler/core/codegen.o -c /home/serj/_o/netstock/nautilus/forksrv/instrument/mruby/mrbgems/mruby-compiler/core/codegen.c]
    
    Makefile:8: recipe for target 'all' failed
    make: *** [all] Error 1
    
    
    opened by bat-serjo 1
  • example command

    this command seems to not be correct for this repository?

    python scripts/local_snapshotter.py outputs $HOME/tmp/gfsnapshots cargo -p gramophone run --release --bin fuzzer -- forksrv/instrument/mruby/bin/mruby antlr_parser/src/ruby_new_antlr_grammar.json

    local_snapshotter.py exists in the gramophone directory, but references timer.sh in the local directory.

    After fixing the directory references, the fuzzer still produces an error:

    • error: Found argument 'antlr_parser/src/ruby_new_antlr_grammar.json' which wasn't expected, or isn't valid in this context
    opened by wideglide 1
  • Paper link, description, reference?

    Hi!

    A description of what it actually does and how it achieves it would be helpful in the README :) - or a link to a paper. So what is the differentiator to afl's -x mode and/or afl-smart?

    And is there a relationship to redqueen? I guess not as redqueen is for blackbox binaries and this is for grammar based approaches for source code fuzzing? (and - when is redqueen being released?)

    Thanks!

    opened by vanhauser-thc 0
  • input file instead of @@

    Currently you have to tell the fuzzee where to read the input from using @@ or @ for stdin. How do you do it the other way around? How do you tell nautilus to put the input in a specific file?

    opened by bat-serjo 1
  • misleading path_to_workdir in config.ron, which should be ended with /

    https://github.com/RUB-SysSec/nautilus/blob/dd3554a9a417b8b503507a35d097bb422a048549/config.ron#L16

    this value is passed to Fuzzer:

    https://github.com/RUB-SysSec/nautilus/blob/c691086fa08a090f355afb97547b200cf3687a9c/gramophone/src/main.rs#L100-L106

    It is then concatenated directly to the paths of queue files, like:

    https://github.com/RUB-SysSec/nautilus/blob/c691086fa08a090f355afb97547b200cf3687a9c/gramophone/src/queue.rs#L96-L98

    So, the current setting will lead to the output folder being /data/projects/grammar_fuzz/gramophoneoutputs instead of /data/projects/grammar_fuzz/gramophone/outputs

    opened by zjuchenyuan 0
  • cargo build failure for grammartec #![feature] may not be used on the stable release channel

    I'm following your README, in ubuntu16.04

       Compiling grammartec v0.1.0 (/nautilus/grammartec)
    error[E0554]: #![feature] may not be used on the stable release channel
     --> grammartec/src/lib.rs:1:1
      |
    1 | #![feature(exclusive_range_pattern)]
      | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    
    error[E0554]: #![feature] may not be used on the stable release channel
     --> grammartec/src/lib.rs:2:1
      |
    2 | #![feature(step_trait)]
      | ^^^^^^^^^^^^^^^^^^^^^^^
    
    warning: unused import: `std::collections::HashMap`
      --> grammartec/src/tree.rs:10:5
       |
    10 | use std::collections::HashMap;
       |     ^^^^^^^^^^^^^^^^^^^^^^^^^
       |
       = note: #[warn(unused_imports)] on by default
    
    warning: unused imports: `Rng`, `sample`, `thread_rng`
     --> grammartec/src/recursion_info.rs:2:12
      |
    2 | use rand::{sample, thread_rng, Rng, StdRng};
      |            ^^^^^^  ^^^^^^^^^^  ^^^
    
    warning: unused import: `rule::NormalOrCustomRule`
     --> grammartec/src/recursion_info.rs:8:5
      |
    8 | use rule::NormalOrCustomRule;
      |     ^^^^^^^^^^^^^^^^^^^^^^^^
    
    warning: unnecessary parentheses around `if` condition
      --> grammartec/src/recursion_info.rs:40:19
       |
    40 |                 if(ctx.get_nt(rule) == nt){
       |                   ^^^^^^^^^^^^^^^^^^^^^^^^ help: remove these parentheses
       |
       = note: #[warn(unused_parens)] on by default
    
    warning: unnecessary parentheses around `for` head expression
      --> grammartec/src/recursion_info.rs:50:26
       |
    50 |                 for _ in (0..ctx.get_num_children(rule)){
       |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: remove these parentheses
    
    warning: use of deprecated item 'rand::sample': renamed to seq::sample_iter
     --> grammartec/src/chunkstore.rs:3:12
      |
    3 | use rand::{sample, thread_rng};
      |            ^^^^^^
      |
      = note: #[warn(deprecated)] on by default
    
    warning: use of deprecated item 'rand::sample': renamed to seq::sample_iter
      --> grammartec/src/chunkstore.rs:66:49
       |
    66 |         let selected = relevant.and_then(|iter| sample(&mut thread_rng(), iter, 1).pop());
       |                                                 ^^^^^^
    
    warning: use of deprecated item 'rand::sample': renamed to seq::sample_iter
     --> grammartec/src/context.rs:8:12
      |
    8 | use rand::{sample, thread_rng, Rng, StdRng};
      |            ^^^^^^
    
    warning: use of deprecated item 'rand::sample': renamed to seq::sample_iter
       --> grammartec/src/context.rs:566:15
        |
    566 |         match sample(&mut thread_rng(), applicable_rules, 1).pop() {
        |               ^^^^^^
    
    warning: use of deprecated item 'rand::sample': renamed to seq::sample_iter
     --> grammartec/src/recursion_info.rs:2:12
      |
    2 | use rand::{sample, thread_rng, Rng, StdRng};
      |            ^^^^^^
    
    warning: unused import: `TreeLike`
     --> grammartec/src/recursion_info.rs:7:17
      |
    7 | use tree::{Tree,TreeLike};
      |                 ^^^^^^^^
    
    error: aborting due to 2 previous errors
    
    For more information about this error, try `rustc --explain E0554`.
    error: Could not compile `grammartec`.
    warning: build failed, waiting for other jobs to finish...
    error: build failed
    

    I'm trying to build this using this Dockerfile: (which is based on ubuntu16.04)

    FROM zjuchenyuan/base
    
    RUN apt update &&\
        apt install -y g++-multilib clang llvm-3.8-dev ruby bison ruby-dev cargo
    
    RUN git clone https://github.com/RUB-SysSec/nautilus.git &&\
        cd /nautilus/forksrv/instrument/rt &&\
        make &&\
        cd /nautilus/forksrv/instrument/clang_wrapper &&\
        make
    
    RUN git clone https://github.com/mruby/mruby.git /nautilus/forksrv/instrument/mruby &&\
        cd /nautilus/forksrv/instrument/mruby &&\
        CC=/nautilus/forksrv/instrument/clang_wrapper/redqueen-clang \
        LD=/nautilus/forksrv/instrument/clang_wrapper/redqueen-clang \
        make
    
    RUN cd nautilus &&\
        mkdir -p outputs/queue &&\
        sed -i 's#/data/projects/grammar_fuzz/gramophone#/nautilus#g' config.ron
    

    And running cargo run -p gramophone --release --bin fuzzer in the container.

    opened by zjuchenyuan 2
Owner
Chair for Systems Security