Merge branch 'main' into multi-stream

AFLplusplus · Oct 11, 2023 · 29c2c84 · 29c2c84
2 parents cf90042 + 4c17da0
commit 29c2c84
Show file tree

Hide file tree

Showing 21 changed files with 337 additions and 130 deletions.
diff --git a/fuzzers/fuzzbench_forkserver_cmplog/test/test-cmplog.c b/fuzzers/fuzzbench_forkserver_cmplog/test/test-cmplog.c
@@ -16,22 +16,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t i) {
   if (*icmp != 0x69694141) return 0;
   if (memcmp(buf + 8, "1234EF", 6) == 0) abort();
   return 0;
-
 }
 
 int main(int argc, char *argv[]) {
-
   unsigned char buf[1024];
   ssize_t       i;
   while (__AFL_LOOP(1000)) {
-
     i = read(0, (char *)buf, sizeof(buf) - 1);
     if (i > 0) buf[i] = 0;
     LLVMFuzzerTestOneInput(buf, i);
-
   }
 
   return 0;
-
 }
-
diff --git a/fuzzers/qemu_systemmode/Cargo.toml b/fuzzers/qemu_systemmode/Cargo.toml
@@ -18,3 +18,4 @@ codegen-units = 1
 libafl = { path = "../../libafl/" }
 libafl_bolts = { path = "../../libafl_bolts/" }
 libafl_qemu = { path = "../../libafl_qemu/", features = ["arm", "systemmode"] }
+env_logger = "*"
diff --git a/fuzzers/qemu_systemmode/example/main.c b/fuzzers/qemu_systemmode/example/main.c
@@ -1,9 +1,11 @@
-int BREAKPOINT() {
+int __attribute__((noinline)) BREAKPOINT() {
   for (;;) {}
 }
 
 int LLVMFuzzerTestOneInput(unsigned int *Data, unsigned int Size) {
-  // if (Data[3] == 0) {while(1){}}  // cause a timeout
+  if (Data[3] == 0) {
+    while (1) {}
+  }  // cause a timeout
   for (int i = 0; i < Size; i++) {
     // if (Data[i] > 0xFFd0 && Data[i] < 0xFFFF) {return 1;}    // cause qemu to
     // crash

diff --git a/fuzzers/qemu_systemmode/src/fuzzer.rs b/fuzzers/qemu_systemmode/src/fuzzer.rs
@@ -37,6 +37,8 @@ use libafl_qemu::{
 pub static mut MAX_INPUT_SIZE: usize = 50;
 
 pub fn fuzz() {
+    env_logger::init();
+
     if let Ok(s) = env::var("FUZZ_SIZE") {
         str::parse::<usize>(&s).expect("FUZZ_SIZE was not a number");
     };
@@ -193,7 +195,7 @@ pub fn fuzz() {
         let mut hooks = QemuHooks::new(&emu, tuple_list!(QemuEdgeCoverageHelper::default()));
 
         // Create a QEMU in-process executor
-        let executor = QemuExecutor::new(
+        let mut executor = QemuExecutor::new(
             &mut hooks,
             &mut harness,
             tuple_list!(edges_observer, time_observer),
@@ -203,6 +205,9 @@ pub fn fuzz() {
         )
         .expect("Failed to create QemuExecutor");
 
+        // Instead of calling the timeout handler and restart the process, trigger a breakpoint ASAP
+        executor.break_on_timeout();
+
         // Wrap the executor to keep track of the timeout
         let mut executor = TimeoutExecutor::new(executor, timeout);
 

diff --git a/libafl/src/events/mod.rs b/libafl/src/events/mod.rs
@@ -77,6 +77,7 @@ pub type ShutdownFuncPtr =
 ///
 /// This will acceess `data` and write to the global `data.staterestorer_ptr` if it's not null.
 #[cfg(all(unix, feature = "std"))]
+#[allow(clippy::needless_pass_by_value)]
 pub unsafe fn shutdown_handler<SP>(
     signal: Signal,
     _info: &mut siginfo_t,

diff --git a/libafl/src/executors/inprocess.rs b/libafl/src/executors/inprocess.rs
@@ -2,6 +2,7 @@
 //! It should usually be paired with extra error-handling, such as a restarting event manager, to be effective.
 //!
 //! Needs the `fork` feature flag.
+#![allow(clippy::needless_pass_by_value)]
 
 use alloc::boxed::Box;
 #[cfg(all(unix, feature = "std"))]

diff --git a/libafl/src/mutators/token_mutations.rs b/libafl/src/mutators/token_mutations.rs
@@ -223,6 +223,11 @@ impl Tokens {
     pub fn tokens(&self) -> &[Vec<u8>] {
         &self.tokens_vec
     }
+
+    /// Returns an iterator over the tokens.
+    pub fn iter(&self) -> Iter<'_, Vec<u8>> {
+        <&Self as IntoIterator>::into_iter(self)
+    }
 }
 
 impl AddAssign for Tokens {

diff --git a/libafl/src/observers/concolic/serialization_format.rs b/libafl/src/observers/concolic/serialization_format.rs
@@ -381,66 +381,6 @@ impl<W: Write + Seek> MessageFileWriter<W> {
     }
 }
 
-#[cfg(test)]
-mod serialization_tests {
-    use alloc::vec::Vec;
-    use std::io::Cursor;
-
-    use super::{MessageFileReader, MessageFileWriter, SymExpr};
-
-    /// This test intends to ensure that the serialization format can efficiently encode the required information.
-    /// This is mainly useful to fail if any changes should be made in the future that (inadvertently) reduce
-    /// serialization efficiency.
-    #[test]
-    fn efficient_serialization() {
-        let mut buf = Vec::new();
-        {
-            let mut cursor = Cursor::new(&mut buf);
-            let mut writer = MessageFileWriter::from_writer(&mut cursor).unwrap();
-            let a = writer.write_message(SymExpr::True).unwrap();
-            let b = writer.write_message(SymExpr::True).unwrap();
-            writer.write_message(SymExpr::And { a, b }).unwrap();
-            writer.update_trace_header().unwrap();
-        }
-        let expected_size = 8 + // the header takes 8 bytes to encode the length of the trace
-                            1 + // tag to create SymExpr::True (a)
-                            1 + // tag to create SymExpr::True (b)
-                            1 + // tag to create SymExpr::And
-                            1 + // reference to a
-                            1; // reference to b
-        assert_eq!(buf.len(), expected_size);
-    }
-
-    /// This test intends to verify that a trace written by [`MessageFileWriter`] can indeed be read back by
-    /// [`MessageFileReader`].
-    #[test]
-    fn serialization_roundtrip() {
-        let mut buf = Vec::new();
-        {
-            let mut cursor = Cursor::new(&mut buf);
-            let mut writer = MessageFileWriter::from_writer(&mut cursor).unwrap();
-            let a = writer.write_message(SymExpr::True).unwrap();
-            let b = writer.write_message(SymExpr::True).unwrap();
-            writer.write_message(SymExpr::And { a, b }).unwrap();
-            writer.update_trace_header().unwrap();
-        }
-        let mut reader = MessageFileReader::from_length_prefixed_buffer(&buf).unwrap();
-        let (first_bool_id, first_bool) = reader.next_message().unwrap().unwrap();
-        assert_eq!(first_bool, SymExpr::True);
-        let (second_bool_id, second_bool) = reader.next_message().unwrap().unwrap();
-        assert_eq!(second_bool, SymExpr::True);
-        let (_, and) = reader.next_message().unwrap().unwrap();
-        assert_eq!(
-            and,
-            SymExpr::And {
-                a: first_bool_id,
-                b: second_bool_id
-            }
-        );
-        assert!(reader.next_message().is_none());
-    }
-}
-
 use libafl_bolts::shmem::{ShMem, ShMemCursor, ShMemProvider, StdShMemProvider};
 
 /// The default environment variable name to use for the shared memory used by the concolic tracing
@@ -511,3 +451,63 @@ impl MessageFileWriter<ShMemCursor<<StdShMemProvider as ShMemProvider>::ShMem>>
 /// A writer that will write messages to a shared memory buffer.
 pub type StdShMemMessageFileWriter =
     MessageFileWriter<ShMemCursor<<StdShMemProvider as ShMemProvider>::ShMem>>;
+
+#[cfg(test)]
+mod serialization_tests {
+    use alloc::vec::Vec;
+    use std::io::Cursor;
+
+    use super::{MessageFileReader, MessageFileWriter, SymExpr};
+
+    /// This test intends to ensure that the serialization format can efficiently encode the required information.
+    /// This is mainly useful to fail if any changes should be made in the future that (inadvertently) reduce
+    /// serialization efficiency.
+    #[test]
+    fn efficient_serialization() {
+        let mut buf = Vec::new();
+        {
+            let mut cursor = Cursor::new(&mut buf);
+            let mut writer = MessageFileWriter::from_writer(&mut cursor).unwrap();
+            let a = writer.write_message(SymExpr::True).unwrap();
+            let b = writer.write_message(SymExpr::True).unwrap();
+            writer.write_message(SymExpr::And { a, b }).unwrap();
+            writer.update_trace_header().unwrap();
+        }
+        let expected_size = 8 + // the header takes 8 bytes to encode the length of the trace
+                            1 + // tag to create SymExpr::True (a)
+                            1 + // tag to create SymExpr::True (b)
+                            1 + // tag to create SymExpr::And
+                            1 + // reference to a
+                            1; // reference to b
+        assert_eq!(buf.len(), expected_size);
+    }
+
+    /// This test intends to verify that a trace written by [`MessageFileWriter`] can indeed be read back by
+    /// [`MessageFileReader`].
+    #[test]
+    fn serialization_roundtrip() {
+        let mut buf = Vec::new();
+        {
+            let mut cursor = Cursor::new(&mut buf);
+            let mut writer = MessageFileWriter::from_writer(&mut cursor).unwrap();
+            let a = writer.write_message(SymExpr::True).unwrap();
+            let b = writer.write_message(SymExpr::True).unwrap();
+            writer.write_message(SymExpr::And { a, b }).unwrap();
+            writer.update_trace_header().unwrap();
+        }
+        let mut reader = MessageFileReader::from_length_prefixed_buffer(&buf).unwrap();
+        let (first_bool_id, first_bool) = reader.next_message().unwrap().unwrap();
+        assert_eq!(first_bool, SymExpr::True);
+        let (second_bool_id, second_bool) = reader.next_message().unwrap().unwrap();
+        assert_eq!(second_bool, SymExpr::True);
+        let (_, and) = reader.next_message().unwrap().unwrap();
+        assert_eq!(
+            and,
+            SymExpr::And {
+                a: first_bool_id,
+                b: second_bool_id
+            }
+        );
+        assert!(reader.next_message().is_none());
+    }
+}