From 0f26f6ea32aa74ee526636558842ec06bbfb49bb Mon Sep 17 00:00:00 2001 From: "Dongjia \"toka\" Zhang" Date: Mon, 18 Mar 2024 16:41:43 +0100 Subject: [PATCH] Remove useless feedback (#1953) * stuff * FMT * remove stuff --- fuzzers/libfuzzer_reachability/.gitignore | 1 - fuzzers/libfuzzer_reachability/Cargo.toml | 31 --- fuzzers/libfuzzer_reachability/README.md | 84 -------- .../corpus/not_kitty.png | Bin 218 -> 0 bytes .../corpus/not_kitty_alpha.png | Bin 376 -> 0 bytes .../corpus/not_kitty_gamma.png | Bin 228 -> 0 bytes .../corpus/not_kitty_icc.png | Bin 427 -> 0 bytes fuzzers/libfuzzer_reachability/diff.patch | 9 - fuzzers/libfuzzer_reachability/harness.cc | 188 ------------------ .../src/bin/libafl_cc.rs | 38 ---- .../src/bin/libafl_cxx.rs | 5 - fuzzers/libfuzzer_reachability/src/lib.rs | 164 --------------- fuzzers/libfuzzer_reachability/weak.c | 2 - libafl/src/feedbacks/map.rs | 108 ---------- 14 files changed, 630 deletions(-) delete mode 100644 fuzzers/libfuzzer_reachability/.gitignore delete mode 100644 fuzzers/libfuzzer_reachability/Cargo.toml delete mode 100644 fuzzers/libfuzzer_reachability/README.md delete mode 100644 fuzzers/libfuzzer_reachability/corpus/not_kitty.png delete mode 100644 fuzzers/libfuzzer_reachability/corpus/not_kitty_alpha.png delete mode 100644 fuzzers/libfuzzer_reachability/corpus/not_kitty_gamma.png delete mode 100644 fuzzers/libfuzzer_reachability/corpus/not_kitty_icc.png delete mode 100644 fuzzers/libfuzzer_reachability/diff.patch delete mode 100644 fuzzers/libfuzzer_reachability/harness.cc delete mode 100644 fuzzers/libfuzzer_reachability/src/bin/libafl_cc.rs delete mode 100644 fuzzers/libfuzzer_reachability/src/bin/libafl_cxx.rs delete mode 100644 fuzzers/libfuzzer_reachability/src/lib.rs delete mode 100644 fuzzers/libfuzzer_reachability/weak.c diff --git a/fuzzers/libfuzzer_reachability/.gitignore b/fuzzers/libfuzzer_reachability/.gitignore deleted file mode 100644 index a977a2ca5b..0000000000 --- a/fuzzers/libfuzzer_reachability/.gitignore +++ /dev/null @@ -1 +0,0 @@ -libpng-* \ No newline at end of file diff --git a/fuzzers/libfuzzer_reachability/Cargo.toml b/fuzzers/libfuzzer_reachability/Cargo.toml deleted file mode 100644 index 1a197fea66..0000000000 --- a/fuzzers/libfuzzer_reachability/Cargo.toml +++ /dev/null @@ -1,31 +0,0 @@ -[package] -name = "libfuzzer_reachability" -version = "0.11.2" -authors = ["Andrea Fioraldi ", "Dominik Maier "] -edition = "2021" - -[features] -default = ["std"] -std = [] - -[profile.release] -lto = true -codegen-units = 1 -opt-level = 3 -debug = true - -[build-dependencies] -cc = { version = "1.0", features = ["parallel"] } -which = "4.4" - -[dependencies] -libafl = { path = "../../libafl/" } -libafl_bolts = { path = "../../libafl_bolts/" } -libafl_targets = { path = "../../libafl_targets/", features = ["sancov_pcguard_hitcounts", "libfuzzer"] } -# TODO Include it only when building cc -libafl_cc = { path = "../../libafl_cc/" } -mimalloc = { version = "*", default-features = false } - -[lib] -name = "libfuzzer_libpng" -crate-type = ["staticlib"] diff --git a/fuzzers/libfuzzer_reachability/README.md b/fuzzers/libfuzzer_reachability/README.md deleted file mode 100644 index 77510a1b80..0000000000 --- a/fuzzers/libfuzzer_reachability/README.md +++ /dev/null @@ -1,84 +0,0 @@ -# Libfuzzer for libpng - -This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection. - -In contrast to other fuzzer examples, this setup uses `fuzz_loop_for`, to occasionally respawn the fuzzer executor. -While this costs performance, it can be useful for targets with memory leaks or other instabilities. -If your target is really instable, however, consider exchanging the `InProcessExecutor` for a `ForkserverExecutor` instead. - -To show off crash detection, we added a `ud2` instruction to the harness, edit harness.cc if you want a non-crashing example. -It has been tested on Linux. - -## Build - -To build this example, run - -```bash -cargo build --release -clang -c weak.c -o weak.o -``` - -This will build the library with the fuzzer (src/lib.rs) with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions for coverage feedback. -In addition, it will also build two C and C++ compiler wrappers (bin/libafl_c(libafl_c/xx).rs) that you must use to compile the target. - -The compiler wrappers, `libafl_cc` and `libafl_cxx`, will end up in `./target/release/` (or `./target/debug`, in case you did not build with the `--release` flag). - -Then download libpng, and unpack the archive: -```bash -wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz -tar -xvf v1.6.37.tar.gz -``` -Run `patch libpng-1.6.37/png.c diff.patch` before compiling the libpng -Now compile libpng, using the libafl_cc compiler wrapper: - -```bash -cd libpng-1.6.37 -./configure -LIBAFL_WEAK=../weak.o make CC="$(pwd)/../target/release/libafl_cc" CXX="$(pwd)/../target/release/libafl_cxx" -j `nproc` -``` - -You can find the static lib at `libpng-1.6.37/.libs/libpng16.a`. - -Now, we have to build the libfuzzer harness and link all together to create our fuzzer binary. - -``` -cd .. -LIBAFL_WEAK=./weak.o ./target/release/libafl_cxx ./harness.cc libpng-1.6.37/.libs/libpng16.a -I libpng-1.6.37/ -o fuzzer_libpng -lz -lm -``` - -Afterward, the fuzzer will be ready to run. -Note that, unless you use the `launcher`, you will have to run the binary multiple times to actually start the fuzz process, see `Run` in the following. -This allows you to run multiple different builds of the same fuzzer alongside, for example, with and without ASAN (`-fsanitize=address`) or with different mutators. - -This example also shows you how to use a user-defined variable from LibAFL. -`diff.patch` adds an array `__libafl_target_list` to `png.c`. In order to read from this variable from LibAFL, you need to weakly define __libafl_target_list as in `weak.c`. -For building, you have to set `LIBAFL_WEAK` to point to the compiled `weak.o`, so that the compiler can find this `weak.o` file and link successfully. - -## Run - -The first time you run the binary, the broker will open a tcp port (currently on port `1337`), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel. Currently you must run the clients from the libfuzzer_libpng directory for them to be able to access the PNG corpus. - -``` -./fuzzer_libpng - -[libafl/src/bolts/llmp.rs:407] "We're the broker" = "We\'re the broker" -Doing broker things. Run this tool again to start fuzzing in a client. -``` - -And after running the above again in a separate terminal: - -``` -[libafl/src/bolts/llmp.rs:1464] "New connection" = "New connection" -[libafl/src/bolts/llmp.rs:1464] addr = 127.0.0.1:33500 -[libafl/src/bolts/llmp.rs:1464] stream.peer_addr().unwrap() = 127.0.0.1:33500 -[LOG Debug]: Loaded 4 initial testcases. -[New Testcase #2] clients: 3, corpus: 6, objectives: 0, executions: 5, exec/sec: 0 -< fuzzing stats > -``` - -As this example uses in-process fuzzing, we added a Restarting Event Manager (`setup_restarting_mgr`). -This means each client will start itself again to listen for crashes and timeouts. -By restarting the actual fuzzer, it can recover from these exit conditions. - -In any real-world scenario, you should use `taskset` to pin each client to an empty CPU core, the lib does not pick an empty core automatically (yet). - diff --git a/fuzzers/libfuzzer_reachability/corpus/not_kitty.png b/fuzzers/libfuzzer_reachability/corpus/not_kitty.png deleted file mode 100644 index eff7c1707b936a8f8df725814f604d454b78b5c3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 218 zcmeAS@N?(olHy`uVBq!ia0vp^3LwnE3?yBabR7dyk|nMYCBgY=CFO}lsSJ)O`AMk? zp1FzXsX?iUDV2pMQ*D5X_yc@GT+_~+`TzevkY_wIZRYx+5&y#hyq+?%!C8<`)MX5lF!N|bSRM)^r*U&J;z}U*bz{;0L z1Vuw`eoAIqC5i?kD`P_|6GMoGiCWXn12ss3YzWRzD=AMbN@Z|N$xljE@XSq2PYp^< WOsOn9nQ8-6#Ng@b=d#Wzp$PyV*n0l} diff --git a/fuzzers/libfuzzer_reachability/corpus/not_kitty_gamma.png b/fuzzers/libfuzzer_reachability/corpus/not_kitty_gamma.png deleted file mode 100644 index 939d9d29a9b9f95bac5e9a72854361ee85469921..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 228 zcmeAS@N?(olHy`uVBq!ia0vp^3LwnE3?yBabR7dyEa{HEjtmTQ929t;oCfmw1AIbU z)6Sgv|NlRbXFM})=KnKxKI=t+9LW;bh?3y^w370~qErUQl>DSr1<%~X^wgl##FWay zlc_d9MbVxvjv*GO?@o5)YH;9THa`3B|5>?^8?LvjJ}xLe>!7e@k)r^sLedir0mCVe z=5sMjEm$*~tHD+}{NS_$nMdb|ABqg-@UGMMsZ=uY-X%Cq@&3vmZ%&@H{P?6&+U!yq VvuXWlo?M_c44$rjF6*2UngF4cP+$N6 diff --git a/fuzzers/libfuzzer_reachability/corpus/not_kitty_icc.png b/fuzzers/libfuzzer_reachability/corpus/not_kitty_icc.png deleted file mode 100644 index f0c7804d99829cc6307c1c6ae9915cf42d555414..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 427 zcmV;c0aX5pP)9xSWu9|B*4Isn^#g47m^r~thH)GiR<@yX0fO)OF<2Kt#qCldyUF#H?{4jV?XGw9)psxE&K1B1m^ z1_tH{2(hG@3=G>_85ksPA;eS`Ffj19FfeR8pIlm01~rBeWCZ{dbvfq;rA3DT000kA zOjJc?%*_A){{R30GnreSaefwW^{L9a%BKPWN%_+AW3auXJt}l zVPtu6$z?nM003J_L_t(I%iWVf3V=Wi12fJ3|IHp$*hSlV@t||fKp?cDK@bHXV&o_g zF_hw;3ILUGteXmeJsVfSmcVJno)^MdQwU3bFHCtNG)uY>mLcD%`0UBaIq~Fq8#dBr V12uok3~c}a002ovPDHLkV1nKBo!S5Z diff --git a/fuzzers/libfuzzer_reachability/diff.patch b/fuzzers/libfuzzer_reachability/diff.patch deleted file mode 100644 index 8c0ca68b83..0000000000 --- a/fuzzers/libfuzzer_reachability/diff.patch +++ /dev/null @@ -1,9 +0,0 @@ -15a16,19 -> #define TARGET_SIZE 4 -> -> size_t __lafl_dummy_list[TARGET_SIZE] = {0}; -> size_t *__libafl_target_list = __lafl_dummy_list; -2562a2567 -> __lafl_dummy_list[0] = 1; -2584a2590 -> __lafl_dummy_list[1] = 1; diff --git a/fuzzers/libfuzzer_reachability/harness.cc b/fuzzers/libfuzzer_reachability/harness.cc deleted file mode 100644 index e26e707e17..0000000000 --- a/fuzzers/libfuzzer_reachability/harness.cc +++ /dev/null @@ -1,188 +0,0 @@ -// libpng_read_fuzzer.cc -// Copyright 2017-2018 Glenn Randers-Pehrson -// Copyright 2015 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that may -// be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE - -// Last changed in libpng 1.6.35 [July 15, 2018] - -// The modifications in 2017 by Glenn Randers-Pehrson include -// 1. addition of a PNG_CLEANUP macro, -// 2. setting the option to ignore ADLER32 checksums, -// 3. adding "#include " which is needed on some platforms -// to provide memcpy(). -// 4. adding read_end_info() and creating an end_info structure. -// 5. adding calls to png_set_*() transforms commonly used by browsers. - -#include -#include -#include - -#include - -#define PNG_INTERNAL -#include "png.h" - -#define PNG_CLEANUP \ - if (png_handler.png_ptr) { \ - if (png_handler.row_ptr) \ - png_free(png_handler.png_ptr, png_handler.row_ptr); \ - if (png_handler.end_info_ptr) \ - png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr, \ - &png_handler.end_info_ptr); \ - else if (png_handler.info_ptr) \ - png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr, \ - nullptr); \ - else \ - png_destroy_read_struct(&png_handler.png_ptr, nullptr, nullptr); \ - png_handler.png_ptr = nullptr; \ - png_handler.row_ptr = nullptr; \ - png_handler.info_ptr = nullptr; \ - png_handler.end_info_ptr = nullptr; \ - } - -struct BufState { - const uint8_t *data; - size_t bytes_left; -}; - -struct PngObjectHandler { - png_infop info_ptr = nullptr; - png_structp png_ptr = nullptr; - png_infop end_info_ptr = nullptr; - png_voidp row_ptr = nullptr; - BufState *buf_state = nullptr; - - ~PngObjectHandler() { - if (row_ptr) { png_free(png_ptr, row_ptr); } - if (end_info_ptr) - png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr); - else if (info_ptr) - png_destroy_read_struct(&png_ptr, &info_ptr, nullptr); - else - png_destroy_read_struct(&png_ptr, nullptr, nullptr); - delete buf_state; - } -}; - -void user_read_data(png_structp png_ptr, png_bytep data, size_t length) { - BufState *buf_state = static_cast(png_get_io_ptr(png_ptr)); - if (length > buf_state->bytes_left) { png_error(png_ptr, "read error"); } - memcpy(data, buf_state->data, length); - buf_state->bytes_left -= length; - buf_state->data += length; -} - -static const int kPngHeaderSize = 8; - -// Entry point for LibFuzzer. -// Roughly follows the libpng book example: -// http://www.libpng.org/pub/png/book/chapter13.html -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - if (size < kPngHeaderSize) { return 0; } - - std::vector v(data, data + size); - if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) { - // not a PNG. - return 0; - } - - PngObjectHandler png_handler; - png_handler.png_ptr = nullptr; - png_handler.row_ptr = nullptr; - png_handler.info_ptr = nullptr; - png_handler.end_info_ptr = nullptr; - - png_handler.png_ptr = - png_create_read_struct(PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr); - if (!png_handler.png_ptr) { return 0; } - - png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr); - if (!png_handler.info_ptr) { - PNG_CLEANUP - return 0; - } - - png_handler.end_info_ptr = png_create_info_struct(png_handler.png_ptr); - if (!png_handler.end_info_ptr) { - PNG_CLEANUP - return 0; - } - - png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE); -#ifdef PNG_IGNORE_ADLER32 - png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON); -#endif - - // Setting up reading from buffer. - png_handler.buf_state = new BufState(); - png_handler.buf_state->data = data + kPngHeaderSize; - png_handler.buf_state->bytes_left = size - kPngHeaderSize; - png_set_read_fn(png_handler.png_ptr, png_handler.buf_state, user_read_data); - png_set_sig_bytes(png_handler.png_ptr, kPngHeaderSize); - - if (setjmp(png_jmpbuf(png_handler.png_ptr))) { - PNG_CLEANUP - return 0; - } - - // Reading. - png_read_info(png_handler.png_ptr, png_handler.info_ptr); - - // reset error handler to put png_deleter into scope. - if (setjmp(png_jmpbuf(png_handler.png_ptr))) { - PNG_CLEANUP - return 0; - } - - png_uint_32 width, height; - int bit_depth, color_type, interlace_type, compression_type; - int filter_type; - - if (!png_get_IHDR(png_handler.png_ptr, png_handler.info_ptr, &width, &height, - &bit_depth, &color_type, &interlace_type, &compression_type, - &filter_type)) { - PNG_CLEANUP - return 0; - } - - // This is going to be too slow. - if (width && height > 100000000 / width) { - PNG_CLEANUP -#ifdef HAS_DUMMY_CRASH - #ifdef __aarch64__ - asm volatile(".word 0xf7f0a000\n"); - #else - asm("ud2"); - #endif -#endif - return 0; - } - - // Set several transforms that browsers typically use: - png_set_gray_to_rgb(png_handler.png_ptr); - png_set_expand(png_handler.png_ptr); - png_set_packing(png_handler.png_ptr); - png_set_scale_16(png_handler.png_ptr); - png_set_tRNS_to_alpha(png_handler.png_ptr); - - int passes = png_set_interlace_handling(png_handler.png_ptr); - - png_read_update_info(png_handler.png_ptr, png_handler.info_ptr); - - png_handler.row_ptr = - png_malloc(png_handler.png_ptr, - png_get_rowbytes(png_handler.png_ptr, png_handler.info_ptr)); - - for (int pass = 0; pass < passes; ++pass) { - for (png_uint_32 y = 0; y < height; ++y) { - png_read_row(png_handler.png_ptr, - static_cast(png_handler.row_ptr), nullptr); - } - } - - png_read_end(png_handler.png_ptr, png_handler.end_info_ptr); - - PNG_CLEANUP - return 0; -} diff --git a/fuzzers/libfuzzer_reachability/src/bin/libafl_cc.rs b/fuzzers/libfuzzer_reachability/src/bin/libafl_cc.rs deleted file mode 100644 index 36b2acbdf8..0000000000 --- a/fuzzers/libfuzzer_reachability/src/bin/libafl_cc.rs +++ /dev/null @@ -1,38 +0,0 @@ -use std::env; - -use libafl_cc::{ClangWrapper, CompilerWrapper, ToolWrapper}; - -pub fn main() { - let args: Vec = env::args().collect(); - if args.len() > 1 { - let mut dir = env::current_exe().unwrap(); - let weak = env::var("LIBAFL_WEAK").unwrap(); - let wrapper_name = dir.file_name().unwrap().to_str().unwrap(); - - let is_cpp = match wrapper_name[wrapper_name.len()-2..].to_lowercase().as_str() { - "cc" => false, - "++" | "pp" | "xx" => true, - _ => panic!("Could not figure out if c or c++ wrapper was called. Expected {dir:?} to end with c or cxx"), - }; - - dir.pop(); - - let mut cc = ClangWrapper::new(); - if let Some(code) = cc - .cpp(is_cpp) - // silence the compiler wrapper output, needed for some configure scripts. - .silence(true) - .parse_args(&args) - .expect("Failed to parse the command line") - .add_link_arg(weak) - .link_staticlib(&dir, "libfuzzer_libpng") - .add_arg("-fsanitize-coverage=trace-pc-guard") - .run() - .expect("Failed to run the wrapped compiler") - { - std::process::exit(code); - } - } else { - panic!("LibAFL CC: No Arguments given"); - } -} diff --git a/fuzzers/libfuzzer_reachability/src/bin/libafl_cxx.rs b/fuzzers/libfuzzer_reachability/src/bin/libafl_cxx.rs deleted file mode 100644 index dabd22971a..0000000000 --- a/fuzzers/libfuzzer_reachability/src/bin/libafl_cxx.rs +++ /dev/null @@ -1,5 +0,0 @@ -pub mod libafl_cc; - -fn main() { - libafl_cc::main(); -} diff --git a/fuzzers/libfuzzer_reachability/src/lib.rs b/fuzzers/libfuzzer_reachability/src/lib.rs deleted file mode 100644 index 1093888e3b..0000000000 --- a/fuzzers/libfuzzer_reachability/src/lib.rs +++ /dev/null @@ -1,164 +0,0 @@ -//! A libfuzzer-like fuzzer with llmp-multithreading support and restarts -//! The example harness is built for libpng. -use mimalloc::MiMalloc; -#[global_allocator] -static GLOBAL: MiMalloc = MiMalloc; - -use std::{env, path::PathBuf}; - -use libafl::{ - corpus::{Corpus, InMemoryCorpus, OnDiskCorpus}, - events::{setup_restarting_mgr_std, EventConfig, EventRestarter}, - executors::{inprocess::InProcessExecutor, ExitKind}, - feedbacks::{MaxMapFeedback, ReachabilityFeedback}, - fuzzer::{Fuzzer, StdFuzzer}, - inputs::{BytesInput, HasTargetBytes}, - monitors::SimpleMonitor, - mutators::scheduled::{havoc_mutations, StdScheduledMutator}, - observers::{HitcountsMapObserver, StdMapObserver}, - schedulers::RandScheduler, - stages::mutational::StdMutationalStage, - state::{HasCorpus, StdState}, - Error, -}; -use libafl_bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice}; -use libafl_targets::{libfuzzer_initialize, libfuzzer_test_one_input, std_edges_map_observer}; - -const TARGET_SIZE: usize = 4; - -extern "C" { - static __libafl_target_list: *mut usize; -} - -/// The main fn, `no_mangle` as it is a C symbol -#[no_mangle] -pub extern "C" fn libafl_main() { - // Registry the metadata types used in this fuzzer - // Needed only on no_std - // unsafe { RegistryBuilder::register::(); } - - println!( - "Workdir: {:?}", - env::current_dir().unwrap().to_string_lossy().to_string() - ); - fuzz( - &[PathBuf::from("./corpus")], - PathBuf::from("./crashes"), - 1337, - ) - .expect("An error occurred while fuzzing"); -} - -/// The actual fuzzer -fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Result<(), Error> { - // 'While the stats are state, they are usually used in the broker - which is likely never restarted - let monitor = SimpleMonitor::new(|s| println!("{s}")); - - // The restarting state will spawn the same process again as child, then restarted it each time it crashes. - let (state, mut restarting_mgr) = - match setup_restarting_mgr_std(monitor, broker_port, EventConfig::AlwaysUnique) { - Ok(res) => res, - Err(err) => match err { - Error::ShuttingDown => { - return Ok(()); - } - _ => { - panic!("Failed to setup the restarter: {err}"); - } - }, - }; - - // Create an observation channel using the coverage map - let edges_observer = HitcountsMapObserver::new(unsafe { std_edges_map_observer("edges") }); - - let reachability_observer = - unsafe { StdMapObserver::from_mut_ptr("png.c", __libafl_target_list, TARGET_SIZE) }; - - // Feedback to rate the interestingness of an input - let mut feedback = MaxMapFeedback::new(&edges_observer); - - // A feedback to choose if an input is a solution or not - let mut objective = ReachabilityFeedback::new(&reachability_observer); - - // If not restarting, create a State from scratch - let mut state = state.unwrap_or_else(|| { - StdState::new( - // RNG - StdRand::with_seed(current_nanos()), - // Corpus that will be evolved, we keep it in memory for performance - InMemoryCorpus::new(), - // Corpus in which we store solutions (crashes in this example), - // on disk so the user can get them after stopping the fuzzer - OnDiskCorpus::new(objective_dir).unwrap(), - // States of the feedbacks. - // The feedbacks can report the data that should persist in the State. - &mut feedback, - // Same for objective feedbacks - &mut objective, - ) - .unwrap() - }); - - println!("We're a client, let's fuzz :)"); - - // Setup a basic mutator with a mutational stage - let mutator = StdScheduledMutator::new(havoc_mutations()); - let mut stages = tuple_list!(StdMutationalStage::new(mutator)); - - // A random policy to get testcasess from the corpus - let scheduler = RandScheduler::new(); - - // A fuzzer with feedbacks and a corpus scheduler - let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective); - - // The wrapped harness function, calling out to the LLVM-style harness - let mut harness = |input: &BytesInput| { - let target = input.target_bytes(); - let buf = target.as_slice(); - libfuzzer_test_one_input(buf); - ExitKind::Ok - }; - - // Create the executor for an in-process function with one observer for edge coverage and one for the execution time - let mut executor = InProcessExecutor::new( - &mut harness, - tuple_list!(edges_observer, reachability_observer), - &mut fuzzer, - &mut state, - &mut restarting_mgr, - )?; - - // The actual target run starts here. - // Call LLVMFUzzerInitialize() if present. - let args: Vec = env::args().collect(); - if libfuzzer_initialize(&args) == -1 { - println!("Warning: LLVMFuzzerInitialize failed with -1"); - } - - // In case the corpus is empty (on first run), reset - if state.must_load_initial_inputs() { - state - .load_initial_inputs(&mut fuzzer, &mut executor, &mut restarting_mgr, corpus_dirs) - .unwrap_or_else(|_| panic!("Failed to load initial corpus at {:?}", corpus_dirs)); - println!("We imported {} inputs from disk.", state.corpus().count()); - } - - // This fuzzer restarts after 1 mio `fuzz_one` executions. - // Each fuzz_one will internally do many executions of the target. - // If your target is very instable, setting a low count here may help. - // However, you will lose a lot of performance that way. - let iters = 1_000_000; - fuzzer.fuzz_loop_for( - &mut stages, - &mut executor, - &mut state, - &mut restarting_mgr, - iters, - )?; - - // It's important, that we store the state before restarting! - // Else, the parent will not respawn a new child and quit. - restarting_mgr.on_restart(&mut state)?; - - Ok(()) -} diff --git a/fuzzers/libfuzzer_reachability/weak.c b/fuzzers/libfuzzer_reachability/weak.c deleted file mode 100644 index 4228811157..0000000000 --- a/fuzzers/libfuzzer_reachability/weak.c +++ /dev/null @@ -1,2 +0,0 @@ -#include -__attribute__((weak, visibility("default"))) size_t *__libafl_target_list; diff --git a/libafl/src/feedbacks/map.rs b/libafl/src/feedbacks/map.rs index e7df0a2992..f9a3d778b4 100644 --- a/libafl/src/feedbacks/map.rs +++ b/libafl/src/feedbacks/map.rs @@ -833,114 +833,6 @@ where } } -/// A [`ReachabilityFeedback`] reports if a target has been reached. -#[derive(Clone, Debug)] -pub struct ReachabilityFeedback { - name: String, - target_idx: Vec, - phantom: PhantomData<(O, S)>, -} - -impl ReachabilityFeedback -where - O: MapObserver, - for<'it> O: AsIter<'it, Item = usize>, -{ - /// Creates a new [`ReachabilityFeedback`] for a [`MapObserver`]. - #[must_use] - pub fn new(map_observer: &O) -> Self { - Self { - name: map_observer.name().to_string(), - target_idx: vec![], - phantom: PhantomData, - } - } - - /// Creates a new [`ReachabilityFeedback`] for a [`MapObserver`] with the given `name`. - #[must_use] - pub fn with_name(name: &'static str) -> Self { - Self { - name: name.to_string(), - target_idx: vec![], - phantom: PhantomData, - } - } -} - -impl Feedback for ReachabilityFeedback -where - S: State, - O: MapObserver, - for<'it> O: AsIter<'it, Item = usize>, -{ - #[allow(clippy::wrong_self_convention)] - fn is_interesting( - &mut self, - _state: &mut S, - _manager: &mut EM, - _input: &S::Input, - observers: &OT, - _exit_kind: &ExitKind, - ) -> Result - where - EM: EventFirer, - OT: ObserversTuple, - { - // TODO Replace with match_name_type when stable - let observer = observers.match_name::(&self.name).unwrap(); - let mut hit_target: bool = false; - //check if we've hit any targets. - for (i, &elem) in observer.as_iter().enumerate() { - if elem > 0 { - self.target_idx.push(i); - hit_target = true; - } - } - if hit_target { - Ok(true) - } else { - Ok(false) - } - } - - fn append_metadata( - &mut self, - _state: &mut S, - _manager: &mut EM, - _observers: &OT, - testcase: &mut Testcase, - ) -> Result<(), Error> - where - OT: ObserversTuple, - { - if !self.target_idx.is_empty() { - let meta = MapIndexesMetadata::new(core::mem::take(self.target_idx.as_mut())); - testcase.add_metadata(meta); - }; - Ok(()) - } - - fn discard_metadata( - &mut self, - _state: &mut S, - _input: &::Input, - ) -> Result<(), Error> { - self.target_idx.clear(); - Ok(()) - } -} - -impl Named for ReachabilityFeedback -where - O: MapObserver, - for<'it> O: AsIter<'it, Item = usize>, -{ - #[inline] - fn name(&self) -> &str { - self.name.as_str() - } -} - #[cfg(test)] mod tests { use crate::feedbacks::{AllIsNovel, IsNovel, NextPow2IsNovel};