
Hangup in php fuzz #11

Open
zr950624 opened this issue Jul 27, 2020 · 4 comments

@zr950624

Hi,
I adopted Nautilus on PHP.
After fuzzing for a while, it hangs up.
Then I launched 10 instances for PHP and all of them have this problem.
See below.

         _   _             _   _ _
        | \ | |           | | (_) |
        |  \| | __ _ _   _| |_ _| |_   _ ___
        | . ` |/ _` | | | | __| | | | | / __|
        | |\  | (_| | |_| | |_| | | |_| \__ \
        |_| \_|\__,_|\__,_|\__|_|_|\__,_|___/
------------------------------------------------------
Run Time: 0 days, 4 hours, 12 minutes, 46 seconds
Execution Count:          1230536
Executions per Sec:       217
Left in queue:            3266
Trees in Chunkstore:      8312
------------------------------------------------------
Last ASAN crash:          Not found yet.
Last SIG crash:           Not found yet.
Last Timeout:             [2020-07-26] 23:35:20
Total ASAN crashes:       0
Total SIG crashes:        0
------------------------------------------------------
New paths found by Gen:          53
New paths found by Min:          726
New paths found by Min Rec:      470
New paths found by Det:          12
New paths found by Splice:       5160
New paths found by Havoc:        1474
New paths found by Havoc Rec:    657
------------------------------------------------------
Hangup------------------------------------------------

Do you have any idea about this problem?
Thanks.

@eqv (Contributor)

eqv commented Jul 27, 2020

Unfortunately, our experience is that PHP and similar languages are VERY creative at getting stuck in weird places (for example by suspending the parent process using the posix_kill command). I would recommend inspecting the last input that was generated by the fuzzer (which can be found in the temp file created at https://github.com/nautilus-fuzz/nautilus/blob/master/forksrv/src/lib.rs#L70), to see if you can identify any behavior that hangs the interpreter and the fuzzer by avoiding the timeout mechanism. If you identify such a condition, please share it (there is a good chance that commenting out a few function names from the grammar will fix this).

@zr950624 (Author)

I found that when Nautilus executes the following test case, it hangs up.

“<?php\n$a = NULL;\n$b = NULL;\n$c = NULL;\n$d = NULL;\nsrand(1337);\nnext $b;\nbreak $d;\n$b = $d->getBaseUri($b);\n$c = phdfs->PDF_shfill($d,$b,$c,$a);\ncontinue $b;\ncontinue $b;\n$a = SolrParams->getTitle($d,$b,$d,$b);\nraise $c;\nnext $a;\nnext $b;\n$d = Yaf_Route_Map->Examples with PDO_4D($d);\nreturn $a;\nbreak $b;\n$b = $b->trader_cdlhikkakemod($a,$a);\nyield $b;\nyield $c;\nyield $b;\nyield $d;\nyield $c;\n$c = getCurrentTextPos($b);\nyield $b;\nyield $b;\nyield $d;\n$c = range(range(range(range(range(1,[]),range(range(range(1,NULL),range(range([],\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),1)),\"foo\")),[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range(range(range(range([],range(0.0,0)),[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range(range(range(range(0.0,NULL),range(range(0,true),0)),range(range(range(\"foo\",range(0.0,\"foo\")),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(range([],[]),range(range(range(range(NULL,range(range([],NULL),0)),range(false,false)),0),range(range(\"foo\",range(0.0,NULL)),range(range(true,[]),false)))),range(range(1,[]),range(NULL,NULL))))),range(false,\"foo\"))),range(1,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(range(\"foo\",range(range(\"foo\",[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),[])),NULL))))),range(range(range(range(true,range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(true,0)),range(range(range(false,range(range(NULL,false),range(false,[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]))),range(true,range(0.0,NULL))),range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),0.0)))),range(range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],NULL)),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],[])),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(\"
foo\",range(range(0.0,[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range(1,1))),range(range([],range(false,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(0,range(range(1,true),range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(NULL,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"))),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")))))),range(NULL,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",0.0))))),range(0.0,range(range(range(range(range(range(0,false),[]),range(range(0.0,NULL),1)),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),range(0,range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",NULL),[]),1),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(range(1,true),true))))),\"foo\"))));\nnext $b;\nbreak $b;\n$c = $d->isDestructor($b);\nreturn $c;\nnext $a;\ncontinue $a;\n$b = range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(range(NULL,range(NULL,0.0)),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(false,0)))),range(0,range(range(false,range(range(false,true),true)),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(0.0,range(range(range([],[]),1),range(NULL,NULL)))))));\n$d = 
range(range(range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range([],[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0])),0.0),[]),false),range(range(range(0,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true)),range(range(\"foo\",0.0),range(range(NULL,\"foo\"),range([],\"foo\")))),range(range(false,\"foo\"),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],[])))),range(range(range(range(range(range(false,1),NULL),range(true,range(0.0,range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],0.0),0)))),range(range(range(0,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",NULL)),NULL),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],true))),[]),range(range(range(false,NULL),range(range(true,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),range(\"foo\",0))),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(range(false,range([],0.0)),true)))));\nyield $b;\n$b = OuterIterator->msg_remove_queue($c,$c);\nyield $b;\nyield $d;\ncontinue $c;\n$c = 
range(range(range(range(true,true),\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"),range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(0,range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",0.0),\"foo\"))),range(true,[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]))),range(range(range(range(false,range(range(false,range(1,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(true,1),NULL))),range(\"foo\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),0),range(range(range(range(range(1,range(1,true)),1),range(range(0,range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],1)),range([],NULL))),range(range(range(range(range(range(0,0),range(range(range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",1),range(true,NULL)),range(range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],\"foo\"),1)),range(range(true,true),[])),NULL),range(range(range(0,NULL),false),[]))),range(0,[])),range(NULL,NULL)),range(NULL,range(\"foo\",0))),range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true),range(\"foo\",range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",[]))),[]),range(range([],range(false,\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")),range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true),range(range(1,[]),range(1,0.0))),range(true,range(false,\"foo\"))),range(range(range(NULL,range(range(\"foo\",0.0),range(range(range(true,true),true),[]))),range(range(range(\"foo\",range(false,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\"))),0.0),0)),range(range(range(1,1),range(NULL,1)),false))))))),range(range(NULL,range(range(false,1),range(range(0,false),range(range(1,true),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",rang
e(true,1)),0)))))),0))));\nfunction getTermsMaxCount($d,$c)\n$a = $c->mysql_field_name($b);\nnext $d;\ncontinue $c;\nraise $b;\n$c = setGroupOffset($c,$d);\n$d = $d->msql_num_rows($c);\nfunction newt_checkbox_tree($b)\nyield $d;\ncontinue $a;\n$b = ZMQSocket->modulateimage($a);\ncontinue $b;\nbreak $a;\nreturn $b;\nbreak $b;\nnext $a;\nyield $b;\nraise $c;\n$d = range(range(range(range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",true),range(true,range(\"foo\",1))),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],[])),range(1,range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\")));\nreturn $d;\ncontinue $c;\n};\n$d = apd_breakpoint($c,$c);\n$b = range(range(range(NULL,range(range(true,range(range(range(false,range(false,\"foo\")),[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]),range([],range(\"foo\",1)))),range([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],range(\"foo\",range(false,NULL))))),range(\"foo\",[])),range(range(range(1,range(range(\"foo\",1),range(1,range(0,NULL)))),range([],1)),range(\"foobadsfdsfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasfd\",range(range(range(1,[]),1),true))));\nreturn $a;\nbreak $c;\nreturn $d;\nraise $c;\nnext $b;\nyield $b;\n$d = sendQuery();\ncontinue $c;\n$b = 0;\nraise $b;\n};\nnext $b;\nyield $b;\nyield $a;\nfunction quotemeta($b)\nyield $b;\nreturn $a;\ncontinue $b;\n};\ncontinue $a;\n$b = isAcknowledged($c);\nnext $b;\ncontinue $d;\n$d = $a->unsubscribe($a);\n$d = $a->sqlsrv_fetch($c,$b,$a);\ncontinue $b;\nyield $b;\ncontinue $b;\n$d = executeCommand($c);\nraise $d;\n$a = fann_get_rprop_increase_factor($a);\nfunction setfontstyle()\n};\n?>

It seems to be a raw string; you may need to print it.

@zr950624 (Author)

BTW, I wonder why not just kill the hanging process and go on to the next fuzzing round?

@eqv (Contributor)

eqv commented Jul 28, 2020

That test case is a little too big for me to understand; I guess you would want to shrink it down a bit.
We actually try to kill the process:
https://github.com/nautilus-fuzz/nautilus/blob/master/forksrv/src/lib.rs#L178

However, this is not a bulletproof mechanism. It would be interesting to see what fails. In the past we have seen PHP mess with the signals we used, and we have seen it suspend the parent process (that's supposed to be doing the killing).
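The two replies above describe the failure mode in the abstract: a kill-on-timeout step exists, but an interpreter that ignores signals, forks, or signals its parent can get past it. The harness below is an added illustration, not Nautilus code and not PHP: Python's own interpreter stands in for the PHP target so it runs offline, and the two "test cases" are constructed stand-ins for fuzzer-generated inputs (the PHP calls that would produce the same behaviour are named in the comments). It contrasts a naive timeout handler that SIGTERMs the direct child with one that puts the child in its own session and SIGKILLs the whole process group, and it checks the thing a harness actually gets stuck on: whether the child's stdout pipe ever reaches EOF.

```python
"""Added example: why 'just kill the hanging process' is not bulletproof.

Not Nautilus code. Python's interpreter stands in for the PHP target; the
inputs below are constructed, not real fuzzer output.
"""
import os
import select
import signal
import subprocess
import sys
import time

# Constructed stand-in for a well-behaved fuzz input.
BENIGN_CHILD = "pass"

# Constructed stand-in for a hang that fights back, as PHP can: it ignores
# SIGTERM (PHP: pcntl_signal(SIGTERM, SIG_IGN)) and forks a helper that
# inherits stdout and outlives it (PHP: pcntl_fork / proc_open). The helper
# keeps the harness's stdout pipe open after the direct child is dead.
HOSTILE_CHILD = r"""
import signal, subprocess, sys, time
signal.signal(signal.SIGTERM, signal.SIG_IGN)
subprocess.Popen([sys.executable, "-c", "import time; time.sleep(5)"])
time.sleep(5)
"""


def stdout_at_eof(fd, timeout):
    """True if fd reaches EOF within timeout seconds.

    A harness that reads the target's output to EOF blocks forever on a pipe
    an orphaned grandchild still holds; this is that check with a bound."""
    end = time.monotonic() + timeout
    while True:
        remaining = end - time.monotonic()
        if remaining <= 0:
            return False
        readable, _, _ = select.select([fd], [], [], remaining)
        if readable and os.read(fd, 4096) == b"":
            return True  # data is discarded; only EOF matters here


def run_naive(code, timeout=1.5):
    """Timeout handling that only sends SIGTERM to the direct child."""
    p = subprocess.Popen([sys.executable, "-c", code], stdout=subprocess.PIPE)
    result = {"timed_out": False, "died_on_sigterm": None}
    try:
        p.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        result["timed_out"] = True
        p.terminate()  # SIGTERM: catchable, and the hostile child ignores it
        try:
            p.wait(timeout=0.5)
            result["died_on_sigterm"] = True
        except subprocess.TimeoutExpired:
            result["died_on_sigterm"] = False
            p.kill()   # escalate so the example does not leak the child itself
            p.wait()
    result["returncode"] = p.returncode
    # Even with the child dead, its helper still holds the write end.
    result["pipe_closed"] = stdout_at_eof(p.stdout.fileno(), 0.5)
    p.stdout.close()
    return result


def run_hardened(code, timeout=1.5):
    """Start the child in its own session (setsid) so the whole process
    group, helpers included, can be SIGKILLed; SIGKILL cannot be ignored."""
    p = subprocess.Popen([sys.executable, "-c", code], stdout=subprocess.PIPE,
                         start_new_session=True)
    result = {"timed_out": False}
    try:
        p.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        result["timed_out"] = True
        os.killpg(p.pid, signal.SIGKILL)  # after setsid, pgid == child pid
        p.wait()
    result["returncode"] = p.returncode
    result["pipe_closed"] = stdout_at_eof(p.stdout.fileno(), 0.5)
    p.stdout.close()
    return result


if __name__ == "__main__":
    print("naive   :", run_naive(HOSTILE_CHILD))
    print("hardened:", run_hardened(HOSTILE_CHILD))
```

Neither variant helps against the other trick mentioned above, a child that SIGSTOPs the harness via posix_kill(posix_getppid(), ...): processes under the same uid may signal each other, so setsid alone does not prevent it. The practical mitigations are running the target under a different uid than the fuzzer, disabling posix_kill and the pcntl_* functions with PHP's disable_functions ini directive (or dropping them from the grammar, as suggested in the first reply), and a separate supervisor process that restarts any fuzzer instance whose status output stops updating.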
