Another attempt to add interesting crashing input on crash (AFLpluspl…

…us#2391) * aa * why?????????????? * ppp * aa * aa * abcde * fixer * ppp * aa * fix from windows * sugar * ff * ?? * a * to log::error * exclude * exclude libafl_qemu clippy on windows * pp * aa --------- Co-authored-by: Your Name <[email protected]>
cube0x8 · Jul 15, 2024 · 7969e7a · 7969e7a
1 parent 539ac91
commit 7969e7a
Show file tree

Hide file tree

Showing 37 changed files with 334 additions and 258 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -4,18 +4,11 @@ members = [
     "libafl",
     "libafl_bolts",
     "libafl_cc",
-    "libafl_concolic/symcc_runtime",
-    "libafl_concolic/symcc_libafl",
-    "libafl_concolic/test/dump_constraints",
-    "libafl_concolic/test/runtime_test",
     "libafl_derive",
-    "libafl_frida",
-    "libafl_libfuzzer",
-    "libafl_nyx",
-    "libafl_qemu",
-    "libafl_sugar",
     "libafl_targets",
-    "libafl_tinyinst",
+    "libafl_sugar",
+    "libafl_concolic/test/dump_constraints",
+    "libafl_concolic/test/runtime_test",
     "utils/build_and_test_fuzzers",
     "utils/deexit",
     "utils/libafl_benches",
@@ -33,14 +26,21 @@ default-members = [
 exclude = [
     "bindings",
     "fuzzers",
-    "libafl_qemu/libafl_qemu_build",
-    "libafl_qemu/libafl_qemu_sys",
     "utils/noaslr",
     "utils/gdb_qemu",
     "utils/libafl_fmt",
     "utils/desyscall",
     "utils/multi_machine_generator",
     "scripts",
+    "libafl_concolic/symcc_runtime",
+    "libafl_concolic/symcc_libafl",
+    "libafl_frida",
+    "libafl_libfuzzer",
+    "libafl_nyx",
+    "libafl_qemu",
+    "libafl_tinyinst",
+    "libafl_qemu/libafl_qemu_build",
+    "libafl_qemu/libafl_qemu_sys",
 ]
 
 [workspace.package]

diff --git a/libafl/Cargo.toml b/libafl/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "libafl"
-version.workspace = true
+version = "0.13.1"
 authors = ["Andrea Fioraldi <[email protected]>", "Dominik Maier <[email protected]>"]
 description = "Slot your own fuzzers together and extend their features using Rust"
 documentation = "https://docs.rs/libafl"

diff --git a/libafl/src/events/centralized.rs b/libafl/src/events/centralized.rs
@@ -38,7 +38,7 @@ use crate::{
     executors::{Executor, HasObservers},
     fuzzer::{EvaluatorObservers, ExecutionProcessor},
     inputs::{Input, NopInput, UsesInput},
-    observers::{ObserversTuple, TimeObserver},
+    observers::{ObserversTuple, TimeObserver, UsesObservers},
     state::{HasExecutions, HasLastReportTime, NopState, State, Stoppable, UsesState},
     Error, HasMetadata,
 };
@@ -371,12 +371,13 @@ where
     EM: AdaptiveSerializer + EventProcessor<E, Z> + EventFirer + HasEventManagerId,
     EMH: EventManagerHooksTuple<EM::State>,
     E: HasObservers<State = Self::State> + Executor<Self, Z>,
+    <E as UsesObservers>::Observers: Serialize,
     for<'a> E::Observers: Deserialize<'a>,
     S: State,
     Self::State: HasExecutions + HasMetadata,
     SP: ShMemProvider,
     Z: EvaluatorObservers<E::Observers, State = Self::State>
-        + ExecutionProcessor<E::Observers, State = Self::State>,
+        + ExecutionProcessor<State = Self::State>,
 {
     fn process(
         &mut self,
@@ -403,14 +404,15 @@ where
 impl<E, EM, EMH, S, SP, Z> EventManager<E, Z> for CentralizedEventManager<EM, EMH, S, SP>
 where
     E: HasObservers<State = Self::State> + Executor<Self, Z>,
+    <E as UsesObservers>::Observers: Serialize,
     for<'a> E::Observers: Deserialize<'a>,
     EM: AdaptiveSerializer + EventManager<E, Z>,
     EM::State: HasExecutions + HasMetadata + HasLastReportTime,
     EMH: EventManagerHooksTuple<EM::State>,
     S: State,
     SP: ShMemProvider,
     Z: EvaluatorObservers<E::Observers, State = Self::State>
-        + ExecutionProcessor<E::Observers, State = Self::State>,
+        + ExecutionProcessor<State = Self::State>,
 {
 }
 
@@ -527,9 +529,10 @@ where
     ) -> Result<usize, Error>
     where
         E: Executor<Self, Z> + HasObservers<State = <Self as UsesState>::State>,
+        <E as UsesObservers>::Observers: Serialize,
         <Self as UsesState>::State: UsesInput + HasExecutions + HasMetadata,
         for<'a> E::Observers: Deserialize<'a>,
-        Z: ExecutionProcessor<E::Observers, State = <Self as UsesState>::State>
+        Z: ExecutionProcessor<State = <Self as UsesState>::State>
             + EvaluatorObservers<E::Observers>,
     {
         // TODO: Get around local event copy by moving handle_in_client
@@ -576,8 +579,8 @@ where
     where
         E: Executor<Self, Z> + HasObservers<State = <Self as UsesState>::State>,
         <Self as UsesState>::State: UsesInput + HasExecutions + HasMetadata,
-        for<'a> E::Observers: Deserialize<'a>,
-        Z: ExecutionProcessor<E::Observers, State = <Self as UsesState>::State>
+        for<'a> E::Observers: Deserialize<'a> + Serialize,
+        Z: ExecutionProcessor<State = <Self as UsesState>::State>
             + EvaluatorObservers<E::Observers>,
     {
         log::debug!("handle_in_main!");

diff --git a/libafl/src/events/llmp/mgr.rs b/libafl/src/events/llmp/mgr.rs
@@ -39,8 +39,8 @@ use crate::{
     executors::{Executor, HasObservers},
     fuzzer::{Evaluator, EvaluatorObservers, ExecutionProcessor},
     inputs::{NopInput, UsesInput},
-    observers::{ObserversTuple, TimeObserver},
-    state::{HasExecutions, HasLastReportTime, NopState, State, UsesState},
+    observers::{ObserversTuple, TimeObserver, UsesObservers},
+    state::{HasExecutions, HasImported, HasLastReportTime, NopState, State, UsesState},
     Error, HasMetadata,
 };
 
@@ -389,7 +389,7 @@ where
 impl<EMH, S, SP> LlmpEventManager<EMH, S, SP>
 where
     EMH: EventManagerHooksTuple<S>,
-    S: State + HasExecutions + HasMetadata,
+    S: State + HasExecutions + HasMetadata + HasImported,
     SP: ShMemProvider,
 {
     // Handle arriving events in the client
@@ -404,10 +404,9 @@ where
     ) -> Result<(), Error>
     where
         E: Executor<Self, Z> + HasObservers<State = S>,
+        <E as UsesObservers>::Observers: Serialize,
         for<'a> E::Observers: Deserialize<'a>,
-        Z: ExecutionProcessor<E::Observers, State = S>
-            + EvaluatorObservers<E::Observers>
-            + Evaluator<E, Self>,
+        Z: ExecutionProcessor<State = S> + EvaluatorObservers<E::Observers> + Evaluator<E, Self>,
     {
         if !self.hooks.pre_exec_all(state, client_id, &event)? {
             return Ok(());
@@ -455,6 +454,7 @@ where
                         )?
                     };
                     if let Some(item) = res.1 {
+                        *state.imported_mut() += 1;
                         log::debug!("Added received Testcase {evt_name} as item #{item}");
                     } else {
                         log::debug!("Testcase {evt_name} was discarded");
@@ -585,13 +585,12 @@ where
 impl<E, EMH, S, SP, Z> EventProcessor<E, Z> for LlmpEventManager<EMH, S, SP>
 where
     EMH: EventManagerHooksTuple<S>,
-    S: State + HasExecutions + HasMetadata,
+    <E as UsesObservers>::Observers: Serialize,
+    S: State + HasExecutions + HasMetadata + HasImported,
     SP: ShMemProvider,
     E: HasObservers<State = S> + Executor<Self, Z>,
     for<'a> E::Observers: Deserialize<'a>,
-    Z: ExecutionProcessor<E::Observers, State = S>
-        + EvaluatorObservers<E::Observers>
-        + Evaluator<E, Self>,
+    Z: ExecutionProcessor<State = S> + EvaluatorObservers<E::Observers> + Evaluator<E, Self>,
 {
     fn process(
         &mut self,
@@ -638,13 +637,12 @@ where
 impl<E, EMH, S, SP, Z> EventManager<E, Z> for LlmpEventManager<EMH, S, SP>
 where
     E: HasObservers<State = S> + Executor<Self, Z>,
+    <E as UsesObservers>::Observers: Serialize,
     for<'a> E::Observers: Deserialize<'a>,
     EMH: EventManagerHooksTuple<S>,
-    S: State + HasExecutions + HasMetadata + HasLastReportTime,
+    S: State + HasExecutions + HasMetadata + HasLastReportTime + HasImported,
     SP: ShMemProvider,
-    Z: ExecutionProcessor<E::Observers, State = S>
-        + EvaluatorObservers<E::Observers>
-        + Evaluator<E, Self>,
+    Z: ExecutionProcessor<State = S> + EvaluatorObservers<E::Observers> + Evaluator<E, Self>,
 {
 }
 

diff --git a/libafl/src/events/llmp/mod.rs b/libafl/src/events/llmp/mod.rs
@@ -296,7 +296,7 @@ where
         E: Executor<EM, Z> + HasObservers<State = S>,
         EM: UsesState<State = S> + EventFirer,
         for<'a> E::Observers: Deserialize<'a>,
-        Z: ExecutionProcessor<E::Observers, State = S> + EvaluatorObservers<E::Observers>,
+        Z: ExecutionProcessor<State = S> + EvaluatorObservers<E::Observers>,
     {
         match event {
             Event::NewTestcase {
@@ -350,7 +350,7 @@ where
         E: Executor<EM, Z> + HasObservers<State = S>,
         EM: UsesState<State = S> + EventFirer,
         for<'a> E::Observers: Deserialize<'a>,
-        Z: ExecutionProcessor<E::Observers, State = S> + EvaluatorObservers<E::Observers>,
+        Z: ExecutionProcessor<State = S> + EvaluatorObservers<E::Observers>,
     {
         // TODO: Get around local event copy by moving handle_in_client
         let self_id = self.llmp.sender().id();

diff --git a/libafl/src/events/llmp/restarting.rs b/libafl/src/events/llmp/restarting.rs
@@ -49,8 +49,8 @@ use crate::{
     fuzzer::{Evaluator, EvaluatorObservers, ExecutionProcessor},
     inputs::UsesInput,
     monitors::Monitor,
-    observers::{ObserversTuple, TimeObserver},
-    state::{HasExecutions, HasLastReportTime, State, UsesState},
+    observers::{ObserversTuple, TimeObserver, UsesObservers},
+    state::{HasExecutions, HasImported, HasLastReportTime, State, UsesState},
     Error, HasMetadata,
 };
 
@@ -205,11 +205,12 @@ where
 impl<E, EMH, S, SP, Z> EventProcessor<E, Z> for LlmpRestartingEventManager<EMH, S, SP>
 where
     E: HasObservers<State = S> + Executor<LlmpEventManager<EMH, S, SP>, Z>,
+    <E as UsesObservers>::Observers: Serialize,
     for<'a> E::Observers: Deserialize<'a>,
     EMH: EventManagerHooksTuple<S>,
-    S: State + HasExecutions + HasMetadata,
+    S: State + HasExecutions + HasMetadata + HasImported,
     SP: ShMemProvider,
-    Z: ExecutionProcessor<E::Observers, State = S>
+    Z: ExecutionProcessor<State = S>
         + EvaluatorObservers<E::Observers>
         + Evaluator<E, LlmpEventManager<EMH, S, SP>>,
 {
@@ -228,11 +229,12 @@ where
 impl<E, EMH, S, SP, Z> EventManager<E, Z> for LlmpRestartingEventManager<EMH, S, SP>
 where
     E: HasObservers<State = S> + Executor<LlmpEventManager<EMH, S, SP>, Z>,
+    <E as UsesObservers>::Observers: Serialize,
     for<'a> E::Observers: Deserialize<'a>,
     EMH: EventManagerHooksTuple<S>,
-    S: State + HasExecutions + HasMetadata + HasLastReportTime,
+    S: State + HasExecutions + HasMetadata + HasLastReportTime + HasImported,
     SP: ShMemProvider,
-    Z: ExecutionProcessor<E::Observers, State = S>
+    Z: ExecutionProcessor<State = S>
         + EvaluatorObservers<E::Observers>
         + Evaluator<E, LlmpEventManager<EMH, S, SP>>,
 {

diff --git a/libafl/src/events/tcp.rs b/libafl/src/events/tcp.rs
@@ -31,7 +31,7 @@ use libafl_bolts::os::{fork, ForkResult};
 use libafl_bolts::{shmem::ShMemProvider, tuples::tuple_list, ClientId};
 #[cfg(feature = "std")]
 use libafl_bolts::{shmem::StdShMemProvider, staterestore::StateRestorer};
-use serde::{de::DeserializeOwned, Deserialize};
+use serde::{de::DeserializeOwned, Deserialize, Serialize};
 use tokio::{
     io::{AsyncReadExt, AsyncWriteExt},
     sync::{broadcast, broadcast::error::RecvError, mpsc},
@@ -53,7 +53,8 @@ use crate::{
     fuzzer::{EvaluatorObservers, ExecutionProcessor},
     inputs::{Input, UsesInput},
     monitors::Monitor,
-    state::{HasExecutions, HasLastReportTime, State, UsesState},
+    observers::UsesObservers,
+    state::{HasExecutions, HasImported, HasLastReportTime, State, UsesState},
     Error, HasMetadata,
 };
 
@@ -591,7 +592,7 @@ where
 impl<EMH, S> TcpEventManager<EMH, S>
 where
     EMH: EventManagerHooksTuple<S>,
-    S: State + HasExecutions + HasMetadata,
+    S: State + HasExecutions + HasMetadata + HasImported,
 {
     /// Write the client id for a client [`EventManager`] to env vars
     pub fn to_env(&self, env_name: &str) {
@@ -610,8 +611,9 @@ where
     ) -> Result<(), Error>
     where
         E: Executor<Self, Z> + HasObservers<State = S>,
+        <E as UsesObservers>::Observers: Serialize,
         for<'a> E::Observers: Deserialize<'a>,
-        Z: ExecutionProcessor<E::Observers, State = S> + EvaluatorObservers<E::Observers>,
+        Z: ExecutionProcessor<State = S> + EvaluatorObservers<E::Observers>,
     {
         if !self.hooks.pre_exec_all(state, client_id, &event)? {
             return Ok(());
@@ -647,6 +649,7 @@ where
                     )?
                 };
                 if let Some(item) = _res.1 {
+                    *state.imported_mut() += 1;
                     log::info!("Added received Testcase as item #{item}");
                 }
             }
@@ -748,10 +751,11 @@ where
 impl<E, EMH, S, Z> EventProcessor<E, Z> for TcpEventManager<EMH, S>
 where
     E: HasObservers<State = S> + Executor<Self, Z>,
+    <E as UsesObservers>::Observers: Serialize,
     for<'a> E::Observers: Deserialize<'a>,
     EMH: EventManagerHooksTuple<S>,
-    S: State + HasExecutions + HasMetadata,
-    Z: EvaluatorObservers<E::Observers, State = S> + ExecutionProcessor<E::Observers, State = S>,
+    S: State + HasExecutions + HasMetadata + HasImported,
+    Z: EvaluatorObservers<E::Observers, State = S> + ExecutionProcessor<State = S>,
 {
     fn process(
         &mut self,
@@ -821,10 +825,11 @@ where
 impl<E, EMH, S, Z> EventManager<E, Z> for TcpEventManager<EMH, S>
 where
     E: HasObservers<State = S> + Executor<Self, Z>,
+    <E as UsesObservers>::Observers: Serialize,
     for<'a> E::Observers: Deserialize<'a>,
     EMH: EventManagerHooksTuple<S>,
-    S: State + HasExecutions + HasMetadata + HasLastReportTime,
-    Z: EvaluatorObservers<E::Observers, State = S> + ExecutionProcessor<E::Observers, State = S>,
+    S: State + HasExecutions + HasMetadata + HasLastReportTime + HasImported,
+    Z: EvaluatorObservers<E::Observers, State = S> + ExecutionProcessor<State = S>,
 {
 }
 
@@ -966,10 +971,11 @@ impl<E, EMH, S, SP, Z> EventProcessor<E, Z> for TcpRestartingEventManager<EMH, S
 where
     E: HasObservers<State = S> + Executor<TcpEventManager<EMH, S>, Z>,
     for<'a> E::Observers: Deserialize<'a>,
+    <E as UsesObservers>::Observers: Serialize,
     EMH: EventManagerHooksTuple<S>,
-    S: State + HasExecutions + HasMetadata,
+    S: State + HasExecutions + HasMetadata + HasImported,
     SP: ShMemProvider + 'static,
-    Z: EvaluatorObservers<E::Observers, State = S> + ExecutionProcessor<E::Observers>, //CE: CustomEvent<I>,
+    Z: EvaluatorObservers<E::Observers, State = S> + ExecutionProcessor, //CE: CustomEvent<I>,
 {
     fn process(&mut self, fuzzer: &mut Z, state: &mut S, executor: &mut E) -> Result<usize, Error> {
         self.tcp_mgr.process(fuzzer, state, executor)
@@ -984,11 +990,12 @@ where
 impl<E, EMH, S, SP, Z> EventManager<E, Z> for TcpRestartingEventManager<EMH, S, SP>
 where
     E: HasObservers<State = S> + Executor<TcpEventManager<EMH, S>, Z>,
+    <E as UsesObservers>::Observers: Serialize,
     for<'a> E::Observers: Deserialize<'a>,
     EMH: EventManagerHooksTuple<S>,
-    S: State + HasExecutions + HasMetadata + HasLastReportTime,
+    S: State + HasExecutions + HasMetadata + HasLastReportTime + HasImported,
     SP: ShMemProvider + 'static,
-    Z: EvaluatorObservers<E::Observers, State = S> + ExecutionProcessor<E::Observers>, //CE: CustomEvent<I>,
+    Z: EvaluatorObservers<E::Observers, State = S> + ExecutionProcessor, //CE: CustomEvent<I>,
 {
 }
 
@@ -1084,7 +1091,7 @@ pub fn setup_restarting_mgr_tcp<MT, S>(
 >
 where
     MT: Monitor + Clone,
-    S: State + HasExecutions + HasMetadata,
+    S: State + HasExecutions + HasMetadata + HasImported,
 {
     TcpRestartingMgr::builder()
         .shmem_provider(StdShMemProvider::new()?)
@@ -1149,7 +1156,7 @@ impl<EMH, MT, S, SP> TcpRestartingMgr<EMH, MT, S, SP>
 where
     EMH: EventManagerHooksTuple<S> + Copy + Clone,
     SP: ShMemProvider,
-    S: State + HasExecutions + HasMetadata,
+    S: State + HasExecutions + HasMetadata + HasImported,
     MT: Monitor + Clone,
 {
     /// Launch the restarting manager

diff --git a/libafl/src/executors/hooks/inprocess.rs b/libafl/src/executors/hooks/inprocess.rs
@@ -31,6 +31,7 @@ use crate::{
     events::{EventFirer, EventRestarter},
     executors::{hooks::ExecutorHook, inprocess::HasInProcessHooks, Executor, HasObservers},
     feedbacks::Feedback,
+    fuzzer::{ExecutionProcessor, HasScheduler},
     inputs::UsesInput,
     state::{HasCorpus, HasExecutions, HasSolutions},
     Error, HasObjective,
@@ -235,7 +236,7 @@ where
         EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
         OF: Feedback<E::State>,
         E::State: HasExecutions + HasSolutions + HasCorpus,
-        Z: HasObjective<Objective = OF, State = E::State>,
+        Z: HasObjective<Objective = OF, State = E::State> + HasScheduler + ExecutionProcessor,
     {
         #[cfg_attr(miri, allow(unused_variables))]
         unsafe {
@@ -268,7 +269,7 @@ where
         EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
         OF: Feedback<E::State>,
         E::State: State + HasExecutions + HasSolutions + HasCorpus,
-        Z: HasObjective<Objective = OF, State = E::State>,
+        Z: HasObjective<Objective = OF, State = E::State> + HasScheduler + ExecutionProcessor,
     {
         let ret;
         #[cfg(feature = "std")]