
Introduces disabled testcases for splicing #1932

Merged (41 commits) Apr 9, 2024

Conversation

@R9295 (Collaborator) commented Mar 13, 2024

implements and closes #1670

@R9295 changed the title from "Introduces disabled inputs" to "Introduces disabled testcases for splicing" on Mar 13, 2024
@domenukk (Member) left a comment

Looks awesome!

libafl/src/corpus/inmemory.rs (outdated review comment, resolved)
libafl/src/corpus/mod.rs (outdated review comment, resolved)
libafl/src/fuzzer/mod.rs (outdated review comment, resolved)
@@ -828,9 +828,10 @@ where
if forced {
let _: CorpusId = fuzzer.add_input(self, executor, manager, input)?;
} else {
let (res, _) = fuzzer.evaluate_input(self, executor, manager, input)?;
let (res, _) = fuzzer.evaluate_input(self, executor, manager, input.clone())?;
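Review bot: the clone added at the evaluate_input call in this hunk copies every initial input up front, not only those that later turn out to be uninteresting, and the forced branch directly above it needs no copy at all. Since evaluate_input takes the input by value, the copy exists only so that the input can still be handed on after evaluation; either have the evaluation path return the input it was given, or add a one-line comment at this call stating why the clone is required, so the next reader does not try to remove it.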
Member commented:

do we need the clone here? It's not a super hot path but still wondering if there's some way, like returning the input again or so

Collaborator Author commented:

The nested call-stack makes it difficult to return input without breaking changes to evaluate_input_events, process_execution, and evaluate_input_with_observers etc.

I think the cleanest would be to make must_load_initial_inputs mandatory for State and in process_execution have if state is load_initial then fuzzer.add_disabled() else return

Collaborator Author commented:

@domenukk unfortunately I think we do need a clone there, otherwise we'd be cloning down the line in process_execution when returning the input. I wasn't able to come up with a clean way to include must_load_initial_inputs in process_execution either.

libafl/src/corpus/mod.rs (outdated review comment, resolved)
@@ -1138,7 +1138,7 @@ where
}

// We don't want to use the testcase we're already using for splicing
let idx = random_corpus_id!(state.corpus(), state.rand_mut());
let idx = random_corpus_id!(state.corpus(), state.rand_mut(), false);
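Review bot: the trailing false passed to random_corpus_id! in this hunk is an opaque positional flag; nothing at the call site says it means "exclude disabled entries", and the opposite polarity would compile just as well. Prefer a separately named entry point for the include-disabled case (the thread later settles on random_corpus_id_with_disabled) so the intent is readable where the id is drawn. Note also that the comment above this line ("We don't want to use the testcase we're already using") describes a check that is not visible in this hunk, so the flag should not be mistaken for that check.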
Member commented:

For Crossover/Splicing, I think we also need to include disabled (or maybe it should be configurable)

cc @vanhauser-thc ?

Member commented:

Maybe even have a random chance to pick a disabled one (so a lower probability to pick them, overall)
Probably needs to be fuzzbench-ed again

Member commented:

cc @tokatoka as well

Collaborator Author commented:

I've enabled the inclusion of disabled entries in the meantime.

Member commented:

i'll check after i finish my pr

libafl/src/mutators/mutations.rs (outdated review comment, resolved)
@tokatoka (Member) commented:

maybe add nth_from_all and get_from_all

@tokatoka (Member) commented:

it's better to just add another API instead of adding a boolean flag to the existing methods

libafl/src/fuzzer/mod.rs (outdated review comment, resolved)
R9295 added 2 commits March 14, 2024 12:20
…so get() and nth() do not silently fetch disabled entries.

* remove boolean flag from random_corpus_id which allowed inclusion of disabled ids and make it into a new function random_corpus_id_with_disabled
* update docs
@addisoncrump (Collaborator) commented:

Ah, my bad, I thought you meant like touch(1).

@domenukk (Member) commented Apr 3, 2024

Maybe we should rename the method? :D

@domenukk (Member) commented Apr 3, 2024

I have no clue how - but this somehow breaks frida_gdiplus (?)

D:\a\LibAFL\LibAFL\fuzzers\frida_gdiplus>cargo build --profile release 
    Finished release [optimized + debuginfo] target(s) in 0.29s

D:\a\LibAFL\LibAFL\fuzzers\frida_gdiplus>copy .\target\release\frida_gdiplus.exe . 
        1 file(s) copied.
[cargo-make] INFO - Running Task: harness_windows_cmplog_test

D:\a\LibAFL\LibAFL\fuzzers\frida_gdiplus>cd "D:\a\LibAFL\LibAFL\fuzzers\frida_gdiplus" 

D:\a\LibAFL\LibAFL\fuzzers\frida_gdiplus>ml64 cmplog_test.asm /subsystem:windows /link /dll /def:cmplog_test.def /entry:dll_main /out:cmplog.dll 
Microsoft (R) Macro Assembler (x64) Version 14.38.33135.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Microsoft (R) Incremental Linker Version 14.38.33135.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/OUT:cmplog_test.exe 
cmplog_test.obj 
/dll 
/def:cmplog_test.def 
/entry:dll_main 
/out:cmplog.dll 
   Creating library cmplog.lib and object cmplog.exp
 Assembling: cmplog_test.asm
MASM : warning A4018:invalid command-line option : /subsystem:windows
[cargo-make] INFO - Running Task: test_cmplog

D:\a\LibAFL\LibAFL\fuzzers\frida_gdiplus>cd "D:\a\LibAFL\LibAFL\fuzzers\frida_gdiplus" 
Testing t1...
The system cannot find the file specified.
SUCCESS: The process "frida_gdiplus.exe" with PID 784 has been terminated.
SUCCESS: The process "frida_gdiplus.exe" with PID 4960 has been terminated.
SUCCESS: The process "frida_gdiplus.exe" with PID 4004 has been terminated.
[cargo-make] ERROR - Error while executing command, exit code: 1337
[cargo-make] WARN - Build Failed.

@tokatoka (Member) left a comment

@R9295
Can you tell me if you are ready
I would run a fuzzbench run for this before merging as it changes how mutations works

@domenukk (Member) commented Apr 3, 2024

@tokatoka I would say it's ready for fuzzbench

@tokatoka (Member) commented Apr 5, 2024

https://www.fuzzbench.com/reports/experimental/2024-04-05-libafl/index.html
seems like this is a good improvement

@domenukk (Member) commented Apr 5, 2024

Any idea what could be wrong with frida here? @s1341 maybe?

@tokatoka (Member) commented Apr 5, 2024

@R9295
This is the log. Do you know what went wrong?

We're a client, let's fuzz :)
[UserStats   #1]  (GLOBAL) run time: 0h-0m-0s, clients: 2, corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000, edges: 0.005%
                  (CLIENT) corpus: 0, objectives: 0, executions: 0, exec/sec: 0.000, edges: 3/65536 (0%)
[Testcase    #1]  (GLOBAL) run time: 0h-0m-0s, clients: 2, corpus: 1, objectives: 0, executions: 1, exec/sec: 0.000, edges: 0.005%
                  (CLIENT) corpus: 1, objectives: 0, executions: 1, exec/sec: 0.000, edges: 3/65536 (0%)
[UserStats   #1]  (GLOBAL) run time: 0h-0m-0s, clients: 2, corpus: 1, objectives: 0, executions: 1, exec/sec: 0.000, edges: 0.006%
                  (CLIENT) corpus: 1, objectives: 0, executions: 1, exec/sec: 0.000, edges: 4/65536 (0%)
[Testcase    #1]  (GLOBAL) run time: 0h-0m-0s, clients: 2, corpus: 2, objectives: 0, executions: 2, exec/sec: 0.000, edges: 0.006%
                  (CLIENT) corpus: 2, objectives: 0, executions: 2, exec/sec: 0.000, edges: 4/65536 (0%)
The application panicked (crashed).
Message:  called `Result::unwrap()` on an `Err` value: KeyNotFound("Index 2 not found", ErrorBacktrace)
Location: C:\Users\tokaz\LibAFL\libafl\src\corpus\inmemory_ondisk.rs:99

Run with COLORBT_SHOW_HIDDEN=1 environment variable to disable frame filtering.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ BACKTRACE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                              ⋮ 15 frames hidden ⋮
16: libafl::corpus::inmemory_ondisk::impl$1::add_disabled
    at C:\Users\tokaz\LibAFL\libafl\src\corpus\inmemory_ondisk.rs:99
      97 │     fn add_disabled(&mut self, testcase: Testcase<I>) -> Result<CorpusId, Error> {
      98 │         let idx = self.inner.add_disabled(testcase)?;
      99 >         let testcase = &mut self.get(idx).unwrap().borrow_mut();
     100 │         self.save_testcase(testcase, idx)?;
     101 │         *testcase.input_mut() = None;
17: libafl::corpus::cached::impl$2::add_disabled<libafl::inputs::bytes::BytesInput>
    at C:\Users\tokaz\LibAFL\libafl\src\corpus\cached.rs:100
      98 │     fn add_disabled(&mut self, testcase: Testcase<I>) -> Result<CorpusId, Error> {
      99 │         self.inner.add_disabled(testcase)
     100 >     }
     101 │
     102 │     /// Replaces the testcase at the given idx
18: libafl::fuzzer::impl$6::add_disabled_input
    at C:\Users\tokaz\LibAFL\libafl\src\fuzzer\mod.rs:583
     581 │         testcase.set_disabled(true);
     582 │         // Add the disabled input to the main corpus
     583 >         let idx = state.corpus_mut().add_disabled(testcase)?;
     584 │         Ok(idx)
     585 │     }
19: libafl::state::StdState<libafl::inputs::bytes::BytesInput,libafl::corpus::cached::CachedOnDiskCorpus<libafl::inputs::bytes::BytesInput>,libafl_bolts::rands::RomuDuoJrRand,libafl::corpus::ondisk::OnDiskCorpus<libafl::inputs::bytes::BytesInput> >::load_file
    at C:\Users\tokaz\LibAFL\libafl\src\state\mod.rs:833
     831 │             let (res, _) = fuzzer.evaluate_input(self, executor, manager, input.clone())?;
     832 │             if res == ExecuteInputResult::None {
     833 >                 fuzzer.add_disabled_input(self, input)?;
     834 │                 log::warn!("input {:?} was not interesting, adding as disabled.", &path);
     835 │             }
20: libafl::state::StdState<libafl::inputs::bytes::BytesInput,libafl::corpus::cached::CachedOnDiskCorpus<libafl::inputs::bytes::BytesInput>,libafl_bolts::rands::RomuDuoJrRand,libafl::corpus::ondisk::OnDiskCorpus<libafl::inputs::bytes::BytesInput> >::continue_
    at C:\Users\tokaz\LibAFL\libafl\src\state\mod.rs:858
     856 │             match self.next_file() {
     857 │                 Ok(path) => {
     858 >                     self.load_file(&path, manager, fuzzer, executor, forced, loader)?;
     859 │                 }
     860 │                 Err(Error::IteratorEnd(_, _)) => break,
21: libafl::state::StdState<libafl::inputs::bytes::BytesInput,libafl::corpus::cached::CachedOnDiskCorpus<libafl::inputs::bytes::BytesInput>,libafl_bolts::rands::RomuDuoJrRand,libafl::corpus::ondisk::OnDiskCorpus<libafl::inputs::bytes::BytesInput> >::load_init
    at C:\Users\tokaz\LibAFL\libafl\src\state\mod.rs:965
     963 │     {
     964 │         self.canonicalize_input_dirs(in_dirs)?;
     965 >         self.continue_loading_initial_inputs_custom(
     966 │             fuzzer,
     967 │             executor,
22: frida_gdiplus::fuzzer::fuzz::closure$1::closure$2
    at C:\Users\tokaz\LibAFL\fuzzers\frida_gdiplus\src\fuzzer.rs:314
     312 │                 // In case the corpus is empty (on first run), reset
     313 │                 if state.must_load_initial_inputs() {
     314 >                     state
     315 │                         .load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &options.input)
     316 │                         .unwrap_or_else(|_| {
23: frida_gdiplus::fuzzer::fuzz::closure$1
    at C:\Users\tokaz\LibAFL\fuzzers\frida_gdiplus\src\fuzzer.rs:216
     214 │             })(state, mgr, core_id)
     215 │         } else if options.cmplog && options.cmplog_cores.contains(core_id) {
     216 >             (|state: Option<_>, mut mgr: LlmpRestartingEventManager<_, _, _>, _core_id| {
     217 │                 let gum = Gum::obtain();
     218 │
24: frida_gdiplus::main
    at C:\Users\tokaz\LibAFL\fuzzers\frida_gdiplus\src\main.rs:3
       1 │ mod fuzzer;
       2 │ pub fn main() {
       3 >     fuzzer::main();
       4 │ }
25: core::ops::function::FnOnce::call_once
    at /rustc/7cf61ebde7b22796c69757901dd346d0fe70bd97\library\core\src\ops\function.rs:250
                              ⋮ 6 frames hidden ⋮
The application panicked (crashed).
Message:  called `Result::unwrap()` on an `Err` value: TryFromPrimitiveError { number: -529697949 }
Location: C:\Users\tokaz\LibAFL\libafl\src\executors\hooks\windows.rs:340

@R9295 (Collaborator Author) commented Apr 5, 2024

@tokatoka Thanks for the backtrace. I don't have time today, so I'll have a look tomorrow

@R9295 (Collaborator Author) commented Apr 9, 2024

I think the issue is that a function, probably in CachedOnDiskCorpus is trying to access a disabled entry from the enabled corpus. I'm looking into it now

@R9295 (Collaborator Author) commented Apr 9, 2024

@tokatoka / @domenukk we should be good!

@domenukk domenukk merged commit 47c41c2 into AFLplusplus:main Apr 9, 2024
78 checks passed
@domenukk (Member) commented Apr 9, 2024

This is awesome, thanks for the hard work!

rmalmain pushed a commit that referenced this pull request Apr 10, 2024
* introduce disabled field to Testcase

* separate executor's processing of execution (adding to corpus/solution/discarding) and execution of input

* introduce add_disabled_input function

* enable splicing mutators to fetch disabled inputs

* reset modified example

* clean up

* update docs

* update docs for count_with_disabled

* fix random_corpus_id for splicing mutator not considering disabled entries

* fmt

* update docs

* clippy

* fix corpus_btreemap not working

* fix clippy warnings

* fix python bindings

* typo in count_with_disabled implementations

* fix certain splicing mutators not considering disabled inputs

* rename count_with_disabled to count_all

* introduce count_disabled function

* update docs for count_all, count_disabled and count

* introduce get_from_all and nth_from_all for corpus implementations so get() and nth() do not silently fetch disabled entries.
* remove boolean flag from random_corpus_id which allowed inclusion of disabled ids and make it into a new function random_corpus_id_with_disabled
* update docs

* remove boolean is_disabled flag from corpus::insert and make it into a separate function insert_disabled

* rename do_insert to _insert

* make get_from_all inline for cached and inmemory

* add missing functions implementation for PythonCorpus
prevent writing feedback when adding disabled testcases

* fix nth_from_all overfetching enabled corpus entries

* fix clippy & rename execute_with_res to execute_no_process

* refactor _insert for corpus_btreemap

* make LibfuzzerCorpus and ArtifactCorpus accommodate disabled entries

* fix typo

* fix missing docs for map field

* fix clippy

* test

* (hopefully) fix CachedOnDiskCorpus using incorrect corpus when caching testcase

* fix typo in inmemory_ondisk leading to fetching disabled entry from enabled corpus

---------

Co-authored-by: aarnav <[email protected]>
Co-authored-by: Dominik Maier <[email protected]>
@tokatoka (Member) commented:

@R9295
CachedOnDisk is still broken

@tokatoka (Member) commented:

On 47c41c2
cargo make run in frida_libpng to reproduce (install libc++ if you don't have it).

libpng error: read error
libpng error: PLTE: invalid
libpng error: read error
libpng error: IHIE: unhandled critical chunk
libpng error: PLTE: invalid
The application panicked (crashed).
Message:  Error during fuzzing: KeyNotFound("Index 2 not found", ErrorBacktrace)
Location: src/fuzzer.rs:61

Run with COLORBT_SHOW_HIDDEN=1 environment variable to disable frame filtering.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ BACKTRACE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                              ⋮ 10 frames hidden ⋮
11: frida_fuzzer::fuzzer::main::h263e25ee661cee81
    at /home/toka/LibAFL/fuzzers/frida_libpng/src/fuzzer.rs:61
      59 │         match fuzz(&options) {
      60 │             Ok(()) | Err(Error::ShuttingDown) => println!("\nFinished fuzzing. Good bye."),
      61 >             Err(e) => panic!("Error during fuzzing: {e:?}"),
      62 │         }
      63 │     }
12: frida_fuzzer::main::h067015ebad2b8d57
    at /home/toka/LibAFL/fuzzers/frida_libpng/src/main.rs:3
       1 │ mod fuzzer;
       2 │ pub fn main() {
       3 >     fuzzer::main();
       4 │ }
13: core::ops::function::FnOnce::call_once::h6f62f63d745fcf05
    at /rustc/e3181b091e88321f5ea149afed6db0edf0a4f37b/library/core/src/ops/function.rs:250
                              ⋮ 5 frames hidden ⋮
The application panicked (crashed).
Message:  Fuzzer-respawner: Storing state in crashed fuzzer instance did not work, no point to spawn the next client! This can happen if the child calls `exit()`, in that case make sure it uses `abort()`, if it got killed unrecoverable (OOM), or if there is a bug in the fuzzer itself. (Child exited with: 25856)
Location: /home/toka/LibAFL/libafl/src/events/llmp.rs:1472

Run with COLORBT_SHOW_HIDDEN=1 environment variable to disable frame filtering.

Finished fuzzing. Good bye.

@tokatoka (Member) commented:

The application panicked (crashed).
Message:  Error during fuzzing: KeyNotFound("Index 3 not found",    0: libafl_bolts::Error::key_not_found
             at /home/toka/LibAFL/libafl_bolts/src/lib.rs:356:40
      <libafl::corpus::inmemory::InMemoryCorpus<I> as libafl::corpus::Corpus>::get::{{closure}}
             at /home/toka/LibAFL/libafl/src/corpus/inmemory.rs:409:28
      core::option::Option<T>::ok_or_else
             at /rustc/e3181b091e88321f5ea149afed6db0edf0a4f37b/library/core/src/option.rs:1236:25
      <libafl::corpus::inmemory::InMemoryCorpus<I> as libafl::corpus::Corpus>::get
             at /home/toka/LibAFL/libafl/src/corpus/inmemory.rs:409:14
   1: <libafl::corpus::inmemory_ondisk::InMemoryOnDiskCorpus<I> as libafl::corpus::Corpus>::get
             at /home/toka/LibAFL/libafl/src/corpus/inmemory_ondisk.rs:126:9
      libafl::corpus::cached::CachedOnDiskCorpus<I>::cache_testcase
             at /home/toka/LibAFL/libafl/src/corpus/cached.rs:58:32
   2: <libafl::corpus::cached::CachedOnDiskCorpus<I> as libafl::corpus::Corpus>::get
             at /home/toka/LibAFL/libafl/src/corpus/cached.rs:128:9
      <libafl::schedulers::queue::QueueScheduler<S> as libafl::schedulers::Scheduler>::on_add
             at /home/toka/LibAFL/libafl/src/schedulers/queue.rs:35:9
      <libafl::schedulers::minimizer::MinimizerScheduler<CS,F,M> as libafl::schedulers::Scheduler>::on_add
             at /home/toka/LibAFL/libafl/src/schedulers/minimizer.rs:203:9
   3: <libafl::fuzzer::StdFuzzer<CS,F,OF,OT> as libafl::fuzzer::ExecutionProcessor<OT>>::process_execution
             at /home/toka/LibAFL/libafl/src/fuzzer/mod.rs:462:17
      <libafl::fuzzer::StdFuzzer<CS,F,OF,OT> as libafl::fuzzer::ExecutionProcessor<OT>>::execute_and_process
             at /home/toka/LibAFL/libafl/src/fuzzer/mod.rs:421:26
   4: <libafl::fuzzer::StdFuzzer<CS,F,OF,OT> as libafl::fuzzer::EvaluatorObservers<OT>>::evaluate_input_with_observers
             at /home/toka/LibAFL/libafl/src/fuzzer/mod.rs:546:9
      <libafl::fuzzer::StdFuzzer<CS,F,OF,OT> as libafl::fuzzer::Evaluator<E,EM>>::evaluate_input_events
             at /home/toka/LibAFL/libafl/src/fuzzer/mod.rs:570:9
      libafl::fuzzer::Evaluator::evaluate_input
             at /home/toka/LibAFL/libafl/src/fuzzer/mod.rs:144:9
   5: libafl::stages::mutational::MutationalStage::perform_mutational
             at /home/toka/LibAFL/libafl/src/stages/mutational.rs:138:35
      <libafl::stages::mutational::StdMutationalStage<E,EM,I,M,Z> as libafl::stages::Stage<E,EM,Z>>::perform
             at /home/toka/LibAFL/libafl/src/stages/mutational.rs:227:19
      libafl::stages::Stage::perform_restartable
             at /home/toka/LibAFL/libafl/src/stages/mod.rs:116:13
   6: <(Head,Tail) as libafl::stages::StagesTuple<E,EM,<Head as libafl::state::UsesState>::State,Z>>::perform_all
             at /home/toka/LibAFL/libafl/src/stages/mod.rs:200:17
      <libafl::fuzzer::StdFuzzer<CS,F,OF,OT> as libafl::fuzzer::Fuzzer<E,EM,ST>>::fuzz_one
             at /home/toka/LibAFL/libafl/src/fuzzer/mod.rs:713:9
      libafl::fuzzer::Fuzzer::fuzz_loop
             at /home/toka/LibAFL/libafl/src/fuzzer/mod.rs:220:13
      frida_fuzzer::fuzzer::fuzz::{{closure}}::{{closure}}
             at /home/toka/LibAFL/fuzzers/frida_libpng/src/fuzzer.rs:451:17
   7: frida_fuzzer::fuzzer::fuzz::{{closure}}
             at /home/toka/LibAFL/fuzzers/frida_libpng/src/fuzzer.rs:342:13
      core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &mut F>::call_once
             at /rustc/e3181b091e88321f5ea149afed6db0edf0a4f37b/library/core/src/ops/function.rs:305:13
   8: libafl::events::launcher::Launcher<CF,EMH,MT,S,SP>::launch_with_hooks
             at /home/toka/LibAFL/libafl/src/events/launcher.rs:265:32
      libafl::events::launcher::Launcher<CF,(),MT,S,SP>::launch
             at /home/toka/LibAFL/libafl/src/events/launcher.rs:163:9
      frida_fuzzer::fuzzer::fuzz
             at /home/toka/LibAFL/fuzzers/frida_libpng/src/fuzzer.rs:468:10
      frida_fuzzer::fuzzer::main
             at /home/toka/LibAFL/fuzzers/frida_libpng/src/fuzzer.rs:59:15
      frida_fuzzer::main
             at /home/toka/LibAFL/fuzzers/frida_libpng/src/main.rs:3:5
   9: core::ops::function::FnOnce::call_once
             at /rustc/e3181b091e88321f5ea149afed6db0edf0a4f37b/library/core/src/ops/function.rs:250:5
      std::sys_common::backtrace::__rust_begin_short_backtrace
             at /rustc/e3181b091e88321f5ea149afed6db0edf0a4f37b/library/std/src/sys_common/backtrace.rs:155:18
  10: main
  11: __libc_start_call_main
             at ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
  12: __libc_start_main_impl
             at ./csu/../csu/libc-start.c:392:3
  13: _start
)
Location: src/fuzzer.rs:61

And this is the "Real" backtrace

@tokatoka (Member) commented:

                let removed = self.cached_indexes.borrow_mut().pop_front().unwrap();
                if let Ok(mut borrowed) = if is_disabled {
                    self.inner.get_from_all(removed)
                } else {
                    self.inner.get(removed)
                }?
                .try_borrow_mut()

The problem is this.
Here you assume that is_disabled decides whether removed is a disabled or enabled entry, but this is wrong: is_disabled is about idx, not removed.
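An added, self-contained Rust model that is not LibAFL's code, illustrating two points from this thread: the API split tokatoka asked for earlier (separate nth_from_all, get_from_all and count_all entry points instead of a boolean flag, so get and nth never silently return a disabled entry while a splicing mutator can still opt in to them), and the cache-eviction bug quoted directly above (is_disabled describes idx, the entry being cached, not removed, the entry being evicted). Every type and function name here is modelled after names used in the thread but is hypothetical, the two seed inputs are constructed, and the on-disk load and write-back that a real CachedOnDiskCorpus performs is elided.

```rust
use std::collections::{BTreeMap, VecDeque};

/// One entry; `input` becomes `None` once the cache evicts it from memory.
#[derive(Debug, Clone, PartialEq)]
pub struct Testcase {
    pub input: Option<Vec<u8>>,
    pub disabled: bool,
}

/// Hypothetical corpus (not LibAFL's): enabled and disabled testcases live in
/// two maps sharing one id space. `get`/`nth` see only enabled entries, so a
/// scheduler is never handed a disabled seed; the `_from_all` variants are the
/// explicit opt-in used when picking splice partners.
#[derive(Default)]
pub struct Corpus {
    enabled: BTreeMap<usize, Testcase>,
    disabled: BTreeMap<usize, Testcase>,
    next_id: usize,
}

fn not_found(id: usize) -> String {
    format!("Index {id} not found")
}

impl Corpus {
    fn insert(&mut self, input: Vec<u8>, disabled: bool) -> usize {
        let id = self.next_id;
        self.next_id += 1;
        let map = if disabled { &mut self.disabled } else { &mut self.enabled };
        map.insert(id, Testcase { input: Some(input), disabled });
        id
    }
    pub fn add(&mut self, input: Vec<u8>) -> usize { self.insert(input, false) }
    pub fn add_disabled(&mut self, input: Vec<u8>) -> usize { self.insert(input, true) }
    pub fn count(&self) -> usize { self.enabled.len() }
    pub fn count_disabled(&self) -> usize { self.disabled.len() }
    pub fn count_all(&self) -> usize { self.count() + self.count_disabled() }

    /// n-th enabled id: what a scheduler iterating `0..count()` observes.
    pub fn nth(&self, n: usize) -> Option<usize> { self.enabled.keys().nth(n).copied() }
    /// n-th id over enabled entries first, then disabled ones (`0..count_all()`).
    pub fn nth_from_all(&self, n: usize) -> Option<usize> {
        if n < self.count() { self.nth(n) } else { self.disabled.keys().nth(n - self.count()).copied() }
    }
    pub fn get(&self, id: usize) -> Result<&Testcase, String> {
        self.enabled.get(&id).ok_or_else(|| not_found(id))
    }
    pub fn get_from_all(&self, id: usize) -> Result<&Testcase, String> {
        self.enabled.get(&id).or_else(|| self.disabled.get(&id)).ok_or_else(|| not_found(id))
    }
    pub fn get_mut(&mut self, id: usize) -> Result<&mut Testcase, String> {
        self.enabled.get_mut(&id).ok_or_else(|| not_found(id))
    }
    pub fn get_mut_from_all(&mut self, id: usize) -> Result<&mut Testcase, String> {
        match self.enabled.get_mut(&id) {
            Some(tc) => Ok(tc),
            None => self.disabled.get_mut(&id).ok_or_else(|| not_found(id)),
        }
    }
    /// Splice partner drawn from enabled and disabled entries alike; `rand` is
    /// the caller's random number. `None` if it would be the current testcase.
    pub fn splice_partner(&self, current: usize, rand: usize) -> Option<usize> {
        if self.count_all() == 0 { return None; }
        let id = self.nth_from_all(rand % self.count_all())?;
        (id != current).then_some(id)
    }
}

/// Bounded in-memory cache in front of the corpus: when more than `cache_max`
/// inputs are resident, the oldest cached one is dropped (loading and writing
/// the input back to disk is elided here).
pub struct CachedCorpus { pub inner: Corpus, cached: VecDeque<usize>, cache_max: usize }

impl CachedCorpus {
    pub fn new(inner: Corpus, cache_max: usize) -> Self {
        Self { inner, cached: VecDeque::new(), cache_max }
    }
    /// Eviction as in the snippet quoted above: `is_disabled` describes `idx`,
    /// the entry being cached, but is used to choose the map in which the
    /// *evicted* id `removed` is looked up. Caching an enabled entry while a
    /// disabled one is the oldest resident therefore fails with "not found".
    pub fn cache_testcase_buggy(&mut self, idx: usize, is_disabled: bool) -> Result<(), String> {
        self.cached.push_back(idx);
        if self.cached.len() > self.cache_max {
            let removed = self.cached.pop_front().unwrap();
            let evicted = if is_disabled { self.inner.get_mut_from_all(removed)? }
                          else { self.inner.get_mut(removed)? };
            evicted.input = None;
        }
        Ok(())
    }
    /// Fix: the evicted id may live in either map, so always look it up across
    /// both, independently of which kind of entry is being cached.
    pub fn cache_testcase_fixed(&mut self, idx: usize) -> Result<(), String> {
        self.cached.push_back(idx);
        if self.cached.len() > self.cache_max {
            let removed = self.cached.pop_front().unwrap();
            self.inner.get_mut_from_all(removed)?.input = None;
        }
        Ok(())
    }
}
```

With a cache of size one, caching the disabled entry first and then the enabled one reproduces the failure mode from the thread: the buggy eviction looks the disabled id up through the enabled-only get and reports it as not found, while the fixed eviction resolves it across both maps and simply drops its input.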

@tokatoka tokatoka mentioned this pull request Apr 22, 2024
tokatoka added a commit that referenced this pull request Apr 22, 2024
* fix

* Stupid lint

* increase rate

* fix
Successfully merging this pull request may close these issues.

Keep non-interesting initial seeds around for Splicing and other things
4 participants