Tracking crashes on Jesse's fuzzer (bug 349611)

RESOLVED WORKSFORME

Core
JavaScript Engine
RESOLVED WORKSFORME
12 years ago
11 years ago

People

(Reporter: Biju, Unassigned)

Tracking

(Blocks: 1 bug)

Trunk
x86
Windows XP

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

12 years ago
The following crashes occurred:

TB22573674K, TB22568653M, TB22567158Q, TB22554559Z, TB22621523M, TB22621197X, TB22613961W, TB22611978H, TB22611521E, TB22608334K, TB22608085G, TB22606070Q

Jesse,

Please add a textarea to show all previous error messages.
It will be easier to cut and paste from a textarea than from an alert box.

Thanks in Advance

Comment 1

12 years ago
The fuzzer outputs the function strings it's about to compile/decompile/run using dump().  That's important if you hope to file bugs on crashes :)  It also outputs all alert()ed text using dump().

On Windows, I think you need to run with -console to get dump() to do anything in opt builds.  See http://developer.mozilla.org/en/docs/DOM:window.dump.

Comment 2

12 years ago
set MOZ_NO_REMOTE=1
firefox.exe -P > log.out 2> log.err

Comment 3

11 years ago
> Please add a textarea to show all prev error msg.
> It will be easy to cut and paste from textarea than alert box.

Done.  Now mismatches cause the creation of PRE blocks instead of alerts in the browser.  (In the js shell, they still terminate the fuzzer.)

> following crashes occured

* QuoteString - don't know
* MSVCR80.dll - don't know
* block_getProperty - perhaps bug 352212 or bug 351122

The patch in bug 346642 fixed most of the remaining crashes I was seeing, but I don't know if they were the same crashes you were seeing.

Can you test again with a newer build and a newer version of the fuzzer?  I recommend building the command-line js shell and using that, but you can get away with using today's trunk Firefox build with Talkback if you figure out a way to get console output.  Btw, on Mac I kept running into buffering issues when I tried redirecting stdout to a file -- if the program crashed, I'd lose the important last few lines of output.

http://developer.mozilla.org/en/docs/Introduction_to_the_JavaScript_shell
(Reporter)

Comment 4

11 years ago
> Can you test again with a newer build and a newer version of the fuzzer?  
After 2 days I got TB23525754, which is an MSVCR80.dll crash.
Sadly, at that time console output was not on.

Can we assume testOne() in the new jsparsefuzz.js will dump the generated statement on the console before evaluating/compiling it? Again, I assume the crash is occurring because of the compile/eval/uneval of the code.

Comment 5

11 years ago
> can we assume testOne() in the new jsparsefuzz.js will do the dump generated
> statement on console before evaluation/compile it. 

Yes -- you can verify that by looking at testOne.  Just don't redirect ./js's output to a file or to "tee" without adding fflush in js.c.

> Again I assume crash is
> occuring because of the compile/eval/uneval of the code.

I don't think I've seen any crashes with this fuzzer that happened as a result of attempting to generate the next random function.  Bug 352604 was sort of an exception, but it wasn't too hard to track down.

Sometimes, you need to execute multiple generated functions in order to crash, e.g. because one function sets x to a certain object and another function uses x in a way that crashes with that object.  If this happens, grep for tryItOut and paste 1000 to 5000 lines back into the fuzzer.
(Reporter)

Comment 6

11 years ago
I got TB23596087Z. I don't know whether it is related or not.

I was running the fuzzer, along with reading Yahoo mail and other web surfing.
Then I closed the fuzzer, continued on Yahoo mail, clicked the back button a few times, and got this crash.
(Again, I didn't have the console open at this time.)

Comment 7

11 years ago
I think this metabug-that-doesn't-depend-on-anything isn't useful any more.  Biju, if you find crashes while running jsfunfuzz in the shell or in the browser, just file bugs blocking bug 349611 (preferably with reduced testcases).

I can hook you up with a new version of the fuzzer if you're interested.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 8

11 years ago
(In reply to comment #7)
> I can hook you up with a new version of the fuzzer if you're interested.
Thanks, that will be nice. How do I run the new fuzzer?

Also, is there a mechanism where I can open a web page, maybe with a logon, and have the latest version of the fuzzer run from that page?
When an error or crash occurs it should log to the web server.
Later I (or somebody authorized) should be able to go through all the errors and crashes.

Comment 9

11 years ago
That would be kinda neat, to allow more people to volunteer computing power to run jsfunfuzz.  But I think that getting it to work well, with crash reporting, on multiple platforms, would take quite a bit of work.
(Reporter)

Comment 10

11 years ago
(In reply to comment #9)
> on multiple platforms, would take quite a bit of work.
It doesn't have to be fancy.
And if it is a JSON-based one,
we can have it as an option while surfing
http://www.mozillazine.org/
http://forums.mozillazine.org/
http://www.spreadfirefox.com/
