local changes to make shiz work

Author: Zia-Rashid

Sources/Agentic_System/agents/EBG_crash.py

@@ -144,6 +144,7 @@ def setup_agents(self, crash_program_hash: Optional[str] = None):
             api_key=self.api_key,
             api_url=API_URL,
             maxsteps=50,
+            step_timeout=180,
             logging_level=self.logging_level,
         )
 
@@ -175,6 +176,7 @@ def setup_agents(self, crash_program_hash: Optional[str] = None):
             model_id=WORKER_MODEL,
             api_key=self.api_key,
             maxsteps=30,
+            step_timeout=180,
             api_url=API_URL,
             logging_level=self.logging_level,
         )
@@ -210,6 +212,7 @@ def setup_agents(self, crash_program_hash: Optional[str] = None):
             model_id=WORKER_MODEL,
             api_key=self.api_key,
             maxsteps=30,
+            step_timeout=120,
             api_url=API_URL,
             logging_level=self.logging_level,
         )
@@ -223,6 +226,7 @@ def setup_agents(self, crash_program_hash: Optional[str] = None):
             model_id=WORKER_MODEL,
             api_key=self.api_key,
             maxsteps=30,
+            step_timeout=120,
             api_url=API_URL,
             logging_level=self.logging_level,
         )
@@ -243,6 +247,7 @@ def setup_agents(self, crash_program_hash: Optional[str] = None):
             api_key=self.api_key,
             subagents=[self.agents['v8_search'], self.agents['db_analyzer'], self.agents['debugger']],
             maxsteps=30,
+            step_timeout=180,
             api_url=API_URL,
             logging_level=self.logging_level,
         )
@@ -264,6 +269,7 @@ def setup_agents(self, crash_program_hash: Optional[str] = None):
             api_key=self.api_key,
             subagents=[self.agents['v8_search'], self.agents['debugger'], self.agents['JS_Generator']],
             maxsteps=30,
+            step_timeout=180,
             api_url=API_URL,
             logging_level=self.logging_level,
         )
@@ -280,6 +286,7 @@ def setup_agents(self, crash_program_hash: Optional[str] = None):
             api_key=self.api_key,
             subagents=root_managed,
             maxsteps=30,
+            step_timeout=240,
             api_url=API_URL,
             logging_level=self.logging_level,
         )

Sources/Agentic_System/prompts/EBG-crash-prompts/debugger.txt

@@ -1,54 +1,56 @@
 # ROLE
-You are the crash/variant debugger: a utility agent dedicated to debugging crashes and validating variants in the Fuzzilli fuzzing framework.
-You only handle crash/variant work for RuntimeAnalyzer or JSGenerator. Plateau/root-cause work lives in `prompts/EBG-plateau-prompts/debugger.txt`.
-You are VERY technical; every tool call must directly support deep debugging of crashes and variant behavior in V8.
+You are the crash/variant debugger utility for Fuzzilli crash analysis.
+You only handle crash and variant debugging for RuntimeAnalyzer or JSGenerator.
+Plateau/root-cause work belongs in `prompts/EBG-plateau-prompts/debugger.txt`.
 
 ## CRITICAL RULES
-- NEVER SKIP STAGES! IF YOU DO, THAT IS A CRITICAL FAILURE!
-- NEVER RUN MORE THAN ONE SUB AGENT AT A TIME!
-- YOU ARE RUNNING FUZZILI NOT AFL++ or AFL, EVERYTHING MUST BE IN THE CONTEXT OF FUZZILI
-- You are a DEBUGGING utility: perform debugging operations and return detailed results (not high-level analysis).
-- If asked to do plateau root-cause work, reply that this prompt is crash/variant-only and refer the caller to the plateau debugger prompt.
-
-## STAGE 1: Task Analysis and Initial Debugging
-Use the provided tools to debug the specified JS program. Collect enough execution detail to explain the crash or validate the variant.
-Focus your calls on:
-- GDB/pwndbg: stack traces, registers, heap layout, vmmap, breakpoints at critical paths
-- V8 tracing: path coverage and control-flow to confirm expected code paths
-- Runtime stats: stdout/stderr and signals/crash details
-
-Proceed to STAGE 2 once you have sufficient raw data.
-
-## STAGE 2: Context Determination
-Determine the task type and proceed accordingly:
-- If crash analysis: STAGE 3A
-- If variant validation: STAGE 3B
+- NEVER SKIP STAGES. SKIPPING IS A CRITICAL FAILURE.
+- NEVER RUN MORE THAN ONE SUB AGENT AT A TIME.
+- EVERYTHING MUST STAY IN FUZZILLI CONTEXT (NOT AFL/AFL++).
+- Do not use placeholder paths such as `path/to/...` or `/absolute/path/...`.
+- Only start MI debugging when you have a real JS path (typically from generate folder).
+- Keep outputs concise: include only relevant evidence, not entire raw dumps.
+
+## STAGE 1: Preconditions and Task Validation
+- Identify whether this task is crash reproduction or variant validation.
+- Verify required artifacts first:
+  - JS file exists and is readable.
+  - Runtime flags are known.
+- If artifacts are missing, return immediately with exact missing prerequisites.
+
+## STAGE 2: Controlled Reproduction
+- Prefer this order:
+  1) `start_mi_debug_session`
+  2) `mi_run`
+  3) Inspect stop state/result
+- If the inferior is already exited, DO NOT run stack/register/vmmap commands repeatedly.
+- Only use commands valid for the current debugger state.
 
 ## STAGE 3A: Crash Analysis
 - Reproduce the crash (prefer MI session) and capture: signal, faulting address, registers, backtrace
 - Map the execution path to the crashing site; note key functions/offsets
 - Dump relevant memory (stack/heap/vmmap) and object state near the crash
 - Identify immediate trigger and contributing state/inputs
 
-## STAGE 3B: Variant Program Validation
-- Run the variant under d8 and under GDB; capture stdout/stderr and crash info if any
-- If no crash: set breakpoints on expected vulnerable paths; trace actual paths hit
-- Determine why it did/did not crash:
-  - Incorrect code paths vs expected POC paths
-  - State mismatch vs original POC (heap/layout/objects/values)
-  - POC not applicable because structure diverged
-- Document execution path diffs and state diffs
-
-## STAGE 4: Results Compilation and Delivery
-Return findings to the calling agent in this JSON:
+## STAGE 3B: Variant Validation (if variant task)
+- Run variant with d8 and MI once.
+- If no crash:
+  - confirm expected path is hit using trace flags or breakpoints.
+  - explain why crash did not occur (path mismatch/state mismatch/not reachable).
+- Avoid repeating the same failed debugger commands.
+
+## STAGE 4: Return Structured Output
+Return JSON:
 {
-    "TASK": "[RESTATE THE TASK YOU WERE MEANT TO PERFORM]",
-    "RUNTIME_STATS": "[STDOUT/STDERR FROM RUNNING THE PROGRAM]",
-    "TRACE_OUTPUT": "[TRACING OUTPUT / PATH INFO]",
-    "DEBUGGING_OUTPUT": "[GDB/PWNDBG DATA: VMMAP, HEAP, STACKTRACES, REGISTERS, MEMORY DUMPS, ETC...]",
-    "ANALYSIS": "[EXPLAIN CRASH ROOT CAUSE OR VARIANT VALIDATION RESULT WITH EVIDENCE]"
+  "TASK": "[task restatement]",
+  "PRECONDITIONS": "[artifact checks and resolved JS path]",
+  "RUNTIME_STATS": "[stdout/stderr/exit code/signal]",
+  "TRACE_OUTPUT": "[short, relevant trace evidence]",
+  "DEBUGGING_OUTPUT": "[concise debugger evidence only]",
+  "ANALYSIS": "[root cause or validation conclusion with evidence]",
+  "NEXT_STEPS": "[exact follow-up actions if data is insufficient]"
 }
-Leave a field blank if not applicable, but include all relevant debugging evidence.
-Exit after returning the JSON.
+
+Use concise evidence snippets; do not paste full unbounded debugger logs.
 
 

Sources/Agentic_System/prompts/EBG-crash-prompts/runtime_analyzer.txt

@@ -32,6 +32,9 @@ based on the information that was returned to you from the DB analyzer. Your goa
 JS programs runs and create a plan towards figuring out a path forward in terms of analzying the v8 code base to better understand 
 how to fix the system.
 
+If database evidence indicates synthetic/non-reproducible data (for example fake crash markers), do not launch heavy debugger flows.
+In that case, report the limitation and proceed with static/runtime trace evidence only.
+
 
 ## STAGE 3:
 Based on the specific task given to you by your managing agent, call `v8_search` to figure out the related code sections for the task given to you.
@@ -45,11 +48,11 @@ JSON WITH EXAMPLE (DO NOT COPY WORDING/FORMATTING, JUST THE GENERAL CONCEPT OF T
     REASON: "[The reason for finding these specific code sections for {the task provided to you (runtime_analyzer)} are... . Please provide specific reasoning to direct V8search.]"
 } 
 
-## STAGE 3:
+## STAGE 4:
 Gather extra information using the tool calls provided to you to gather more runtime information that can get 
-provided to v8_search in STAGE 4 in order to help in its search. Feel free to use any tool calls provided to you in order to gather this information.
+provided to v8_search in STAGE 5 in order to help in its search. Feel free to use any tool calls provided to you in order to gather this information.
 
-## STAGE 4:
+## STAGE 5:
 Analyze and relate the results from v8_search and db_analyzer into a cohesive answer for how you can solve the task given to you. This answer
 should explain the solution to your provided task to the best of your ability. If you feel you don't have enough information, return to either stage 1 or stage 2,
 based on what information you think is lacking. Once you are happy with your answer and reasoning/evidence for it, relay the answer back to your calling agent.

Sources/Agentic_System/prompts/EBG-crash-prompts/v8_search.txt

@@ -14,7 +14,9 @@ YOUR JOB IS THE FIGURE OUT HOW THE CODE WORKS BY USING THE CODE REGION PROVIDED
 YOUR JOB IS TO SEARCH THE V8 CODE BASE, USING THE TOOLS PROVIDED TO YOU, TO FIGURE OUT SPECIFICALLY
 HOW THE CODE REGION PROVIDED TO YOU FUNCTIONS/WORKS. 
 
-PERFORM AN INITIAL SEARCH BY USING fuzzy_finder AND tree TO LOCATE FILES AND CONTENT BASED ON THE CODE REGION PROVIDED TO YOU.
+PERFORM AN INITIAL SEARCH BY USING fuzzy_finder AND (ONLY IF NEEDED) tree TO LOCATE FILES AND CONTENT BASED ON THE CODE REGION PROVIDED TO YOU.
+WHEN USING tree, KEEP IT TARGETED TO A SPECIFIC SUBDIRECTORY AND ALWAYS USE DEPTH 1-2 (e.g. options: "-L 2 compiler").
+DO NOT RUN tree AGAINST THE ENTIRE REPOSITORY ROOT UNLESS EXPLICITLY REQUIRED.
 
 ## STAGE 2
 ANALYZE THE RESULTS FROM THE fuzzy_finder AND tree TOOL CALLS IN THE PREVIOUS STEP AND USE ripgrep TO FIND SPECIFIC EXAMPLES
@@ -53,9 +55,9 @@ STRICT OUTPUT RULES FOR write_rag_db_id:
 
 VALID EXAMPLE (single object), USE write_rag_db_id to do this properly :
 ```
-{"id": jsadd_pipeline,
- "body": "void ExamplePhase::Run(PipelineData* data, Zone* temp_zone) { ... }",
- "context": [turbo_prologue_deopt, v8_holey_double_search, v8_bigint_remat, turbo_prologue_deopt],
- "explanation": "ExamplePhase::Run()(id:jsadd_pipeline) processes a basic block with ExampleReducer.",
- "file_line": "example.cc:10"}
+{"id": "jsadd_pipeline",
+ "Body": "void ExamplePhase::Run(PipelineData* data, Zone* temp_zone) { ... }",
+ "Context": ["turbo_prologue_deopt", "v8_holey_double_search", "v8_bigint_remat", "turbo_prologue_deopt"],
+ "Explanation": "ExamplePhase::Run()(id:jsadd_pipeline) processes a basic block with ExampleReducer.",
+ "FileLine": "example.cc:10"}
 ```

Sources/Agentic_System/prompts/EBG-crash-prompts/variant_analysis.txt

@@ -29,6 +29,9 @@ exists in the code, please save the code as valid_variant to the RAG.
 After performing variant analysis, use `JSGenerator` and `Debugger` to create programs 
 that crash in a similar manner.
 
+Only call `Debugger` after you have a concrete JS artifact path and a specific hypothesis to test.
+Do not run debugger loops when there is no reproducible crash signal.
+
 
 ## STAGE 4
 Using the same information provided to you in STAGE 1, look for completely different code paths 
@@ -39,6 +42,9 @@ Using `JSGenerator` and `Debugger`, create program(s) that crash in a dissimilar
 crashing program. Save crashing programs into crashes/ directory using the original crash's name
 + '_variant_#' as an identifier. If there are multiple variants, increment the '#' in the identifier.
 
+If debugging evidence shows "inferior exited" / "no stack" / "no registers", stop repeating the same
+debugger commands and return a failure reason with next required inputs.
+
 ## STAGE 6
 Provide a detailed summary of any variants you have found. If you have not found any, return a 
 detailed summary on why not.

Sources/Agentic_System/prompts/EBG-plateau-prompts/v8_search.txt

@@ -53,9 +53,9 @@ STRICT OUTPUT RULES FOR write_rag_db_id:
 
 VALID EXAMPLE (single object), USE write_rag_db_id to do this properly :
 ```
-{"id": jsadd_pipeline,
- "body": "void ExamplePhase::Run(PipelineData* data, Zone* temp_zone) { ... }",
- "context": [turbo_prologue_deopt, v8_holey_double_search, v8_bigint_remat, turbo_prologue_deopt],
- "explanation": "ExamplePhase::Run()(id:jsadd_pipeline) processes a basic block with ExampleReducer.",
- "file_line": "example.cc:10"}
+{"id": "jsadd_pipeline",
+ "Body": "void ExamplePhase::Run(PipelineData* data, Zone* temp_zone) { ... }",
+ "Context": ["turbo_prologue_deopt", "v8_holey_double_search", "v8_bigint_remat", "turbo_prologue_deopt"],
+ "Explanation": "ExamplePhase::Run()(id:jsadd_pipeline) processes a basic block with ExampleReducer.",
+ "FileLine": "example.cc:10"}
 ```

Sources/Agentic_System/prompts/FoG-prompts/v8_search.txt

@@ -53,9 +53,9 @@ STRICT OUTPUT RULES FOR write_rag_db_id:
 
 VALID EXAMPLE (single object), USE write_rag_db_id to do this properly :
 ```
-{"id": jsadd_pipeline,
- "body": "void ExamplePhase::Run(PipelineData* data, Zone* temp_zone) { ... }",
- "context": [turbo_prologue_deopt, v8_holey_double_search, v8_bigint_remat, turbo_prologue_deopt],
- "explanation": "ExamplePhase::Run()(id:jsadd_pipeline) processes a basic block with ExampleReducer.",
- "file_line": "example.cc:10"}
+{"id": "jsadd_pipeline",
+ "Body": "void ExamplePhase::Run(PipelineData* data, Zone* temp_zone) { ... }",
+ "Context": ["turbo_prologue_deopt", "v8_holey_double_search", "v8_bigint_remat", "turbo_prologue_deopt"],
+ "Explanation": "ExamplePhase::Run()(id:jsadd_pipeline) processes a basic block with ExampleReducer.",
+ "FileLine": "example.cc:10"}
 ```

Sources/Agentic_System/requirements.txt

@@ -25,4 +25,5 @@ psycopg2-binary
 
 #Utilities
 pytz
+pygdbmi
 duckduckgo-search

Sources/Agentic_System/start_scripts/crash_listener.py

@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+import json
+import os
+import select
+import subprocess
+import sys
+import time
+
+import psycopg2
+
+CHANNEL = "crash_corpus"
+
+
+def _db_connect():
+    host = os.getenv("POSTGRES_HOST")
+    if not host:
+        raise RuntimeError("POSTGRES_HOST is required for crash listener")
+
+    port = os.getenv("POSTGRES_PORT", "5432")
+    dbname = os.getenv("POSTGRES_DB", "fuzzilli_master")
+    user = os.getenv("POSTGRES_USER", "fuzzilli")
+    password = os.getenv("POSTGRES_PASSWORD", "fuzzilli123")
+
+    return psycopg2.connect(
+        host=host,
+        port=port,
+        dbname=dbname,
+        user=user,
+        password=password,
+    )
+
+
+def _run_ebg_crash(program_hash: str) -> None:
+    if not program_hash:
+        return
+    cmd = [sys.executable, os.path.join(os.path.dirname(__file__), "..", "agents", "EBG_crash.py"), "--crash_program_hash", program_hash]
+    subprocess.Popen(cmd, env=os.environ.copy())
+
+
+def main() -> int:
+    conn = _db_connect()
+    conn.set_isolation_level(psycopg2.extensions.ISOLATION_LEVEL_AUTOCOMMIT)
+
+    cur = conn.cursor()
+    cur.execute(f"LISTEN {CHANNEL};")
+    print(f"Listening for NOTIFY on channel '{CHANNEL}'")
+
+    while True:
+        if select.select([conn], [], [], 5) == ([], [], []):
+            continue
+
+        conn.poll()
+        while conn.notifies:
+            notify = conn.notifies.pop(0)
+            payload = notify.payload
+            try:
+                data = json.loads(payload) if payload else {}
+            except json.JSONDecodeError:
+                data = {}
+            program_hash = data.get("program_hash")
+            _run_ebg_crash(program_hash)
+            time.sleep(0.1)
+
+
+if __name__ == "__main__":
+    sys.exit(main())