Restructure the fuzzers folder (#2409)

* move fuzzers in subfolders

* add readme

* remove redundent fuzzers

.github/workflows/build_and_test.yml

@@ -243,7 +243,7 @@ jobs:
       - name: Run a maturin build
         run: export LLVM_CONFIG=llvm-config-16 && cd ./bindings/pylibafl && python3 -m venv .env && . .env/bin/activate && pip install --upgrade --force-reinstall . && ./test.sh
       - name: Run python test
-        run: . ./bindings/pylibafl/.env/bin/activate # && cd ./fuzzers/python_qemu/ && python3 fuzzer.py 2>&1 | grep "Bye"
+        run: . ./bindings/pylibafl/.env/bin/activate # && cd ./fuzzers/qemu/python_qemu/ && python3 fuzzer.py 2>&1 | grep "Bye"
 
   cargo-fmt:
     runs-on: ubuntu-latest
@@ -282,62 +282,76 @@ jobs:
       matrix:
         os: [ ubuntu-latest ]
         fuzzer:
-          - ./fuzzers/cargo_fuzz
-          - ./fuzzers/fuzzbench_fork_qemu
-          - ./fuzzers/libfuzzer_stb_image_sugar
-          - ./fuzzers/nyx_libxml2_standalone
-          - ./fuzzers/baby_fuzzer_gramatron
-          - ./fuzzers/tinyinst_simple
-          - ./fuzzers/baby_fuzzer_with_forkexecutor
-          - ./fuzzers/baby_no_std
-          - ./fuzzers/baby_fuzzer_swap_differential
-          - ./fuzzers/baby_fuzzer_grimoire
-          - ./fuzzers/baby_fuzzer
-          - ./fuzzers/libfuzzer_libpng_launcher
-          - ./fuzzers/libfuzzer_libpng_accounting
-          - ./fuzzers/forkserver_libafl_cc
-          # - ./fuzzers/libfuzzer_libpng_tcp_manager
-          # - ./fuzzers/sqlite_centralized_multi_machine
-          - ./fuzzers/backtrace_baby_fuzzers
-          - ./fuzzers/fuzzbench_qemu
-          - ./fuzzers/nyx_libxml2_parallel
-          - ./fuzzers/frida_gdiplus
-          - ./fuzzers/libfuzzer_stb_image_concolic
-          - ./fuzzers/nautilus_sync
-          - ./fuzzers/push_harness
-          - ./fuzzers/libfuzzer_libpng_centralized
-          - ./fuzzers/baby_fuzzer_nautilus
-          - ./fuzzers/fuzzbench_text
-          - ./fuzzers/libfuzzer_libpng_cmin
-          - ./fuzzers/forkserver_simple
-          - ./fuzzers/baby_fuzzer_unicode
-          - ./fuzzers/libfuzzer_libpng_norestart
-          - ./fuzzers/baby_fuzzer_multi
-          - ./fuzzers/libafl_atheris
-          - ./fuzzers/frida_libpng
-          - ./fuzzers/fuzzbench_ctx
-          - ./fuzzers/fuzzbench_forkserver_cmplog
-          - ./fuzzers/push_stage_harness
-          - ./fuzzers/libfuzzer_libmozjpeg
-          - ./fuzzers/libfuzzer_libpng_aflpp_ui
-          - ./fuzzers/libfuzzer_libpng
-          - ./fuzzers/baby_fuzzer_wasm
-          - ./fuzzers/fuzzbench
-          - ./fuzzers/libfuzzer_stb_image
-          - ./fuzzers/fuzzbench_forkserver
-          # - ./fuzzers/libfuzzer_windows_asan
-          # - ./fuzzers/dynamic_analysis
-          - ./fuzzers/baby_fuzzer_minimizing
-          - ./fuzzers/frida_executable_libpng
-          - ./fuzzers/tutorial
-          - ./fuzzers/baby_fuzzer_tokens
-          - ./fuzzers/backtrace_baby_fuzzers/rust_code_with_inprocess_executor
-          - ./fuzzers/backtrace_baby_fuzzers/c_code_with_fork_executor
-          - ./fuzzers/backtrace_baby_fuzzers/command_executor
-          - ./fuzzers/backtrace_baby_fuzzers/forkserver_executor
-          - ./fuzzers/backtrace_baby_fuzzers/c_code_with_inprocess_executor
-          - ./fuzzers/backtrace_baby_fuzzers/rust_code_with_fork_executor
-          - ./fuzzers/libafl-fuzz
+          # Baby
+          - ./fuzzers/baby/baby_fuzzer_with_forkexecutor
+          - ./fuzzers/baby/baby_no_std
+          - ./fuzzers/baby/baby_fuzzer_swap_differential
+          - ./fuzzers/baby/baby_fuzzer_grimoire
+          - ./fuzzers/baby/baby_fuzzer_gramatron
+          - ./fuzzers/baby/baby_fuzzer
+          - ./fuzzers/baby/baby_fuzzer_nautilus
+          # - ./fuzzers/baby/backtrace_baby_fuzzers
+          - ./fuzzers/baby/baby_fuzzer_unicode
+          - ./fuzzers/baby/baby_fuzzer_multi
+          - ./fuzzers/baby/baby_fuzzer_wasm
+          - ./fuzzers/baby/baby_fuzzer_minimizing
+          - ./fuzzers/baby/baby_fuzzer_tokens
+          - ./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_fork_executor
+          - ./fuzzers/baby/backtrace_baby_fuzzers/c_code_with_inprocess_executor
+          - ./fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_fork_executor
+          - ./fuzzers/baby/backtrace_baby_fuzzers/rust_code_with_inprocess_executor
+          - ./fuzzers/baby/backtrace_baby_fuzzers/command_executor
+          - ./fuzzers/baby/backtrace_baby_fuzzers/forkserver_executor
+
+          # Forkserver
+          - ./fuzzers/forkserver/forkserver_simple
+          - ./fuzzers/forkserver/forkserver_libafl_cc
+
+          # Frida
+          - ./fuzzers/frida/frida_executable_libpng
+          - ./fuzzers/frida/frida_gdiplus
+          - ./fuzzers/frida/frida_libpng
+
+          # Fuzzbench
+          - ./fuzzers/fuzzbench/fuzzbench
+          - ./fuzzers/fuzzbench/fuzzbench_qemu
+          - ./fuzzers/fuzzbench/fuzzbench_fork_qemu
+          - ./fuzzers/fuzzbench/fuzzbench_text
+          - ./fuzzers/fuzzbench/fuzzbench_ctx
+          - ./fuzzers/fuzzbench/fuzzbench_forkserver_cmplog
+          - ./fuzzers/fuzzbench/fuzzbench_forkserver
+
+          # LibPNG
+          - ./fuzzers/libpng/libfuzzer_libpng
+          - ./fuzzers/libpng/libfuzzer_libpng_launcher
+          - ./fuzzers/libpng/libfuzzer_libpng_accounting
+          - ./fuzzers/libpng/libfuzzer_libpng_centralized
+          - ./fuzzers/libpng/libfuzzer_libpng_cmin
+          - ./fuzzers/libpng/libfuzzer_libpng_norestart
+          # - ./fuzzers/libpng/libfuzzer_libpng_tcp_manager
+
+          # Nyx
+          - ./fuzzers/nyx/nyx_libxml2_standalone
+          - ./fuzzers/nyx/nyx_libxml2_parallel
+
+          # Stb
+          - ./fuzzers/stb/libfuzzer_stb_image_sugar
+          - ./fuzzers/stb/libfuzzer_stb_image
+          - ./fuzzers/stb/libfuzzer_stb_image_concolic
+
+          # Others
+          - ./fuzzers/others/cargo_fuzz
+          # - ./fuzzers/others/dynamic_analysis
+          - ./fuzzers/others/libafl_atheris
+          - ./fuzzers/others/libafl-fuzz
+          - ./fuzzers/others/libfuzzer_libmozjpeg
+          # - ./fuzzers/others/libfuzzer_windows_asan
+          - ./fuzzers/others/nautilus_sync
+          - ./fuzzers/others/push_harness
+          - ./fuzzers/others/push_stage_harness
+          # - ./fuzzers/others/sqlite_centralized_multi_machine
+          - ./fuzzers/others/tinyinst_simple
+          - ./fuzzers/others/tutorial
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v3
@@ -374,10 +388,10 @@ jobs:
       matrix:
         os: [ubuntu-latest]
         fuzzer:
-          - ./fuzzers/qemu_cmin
-          - ./fuzzers/qemu_systemmode
-          - ./fuzzers/qemu_coverage
-          - ./fuzzers/qemu_launcher
+          - ./fuzzers/qemu/qemu_cmin
+          - ./fuzzers/qemu/qemu_systemmode
+          - ./fuzzers/qemu/qemu_coverage
+          - ./fuzzers/qemu/qemu_launcher
 
     runs-on: [ self-hosted, qemu ]
     container: registry.gitlab.com/qemu-project/qemu/qemu/ubuntu2204:latest
@@ -403,9 +417,9 @@ jobs:
       - name: Add targets
         run: rustup target add arm-linux-androideabi && rustup target add thumbv6m-none-eabi
       - name: Build aarch64-unknown-none
-        run: cd ./fuzzers/baby_no_std && cargo +nightly build -Zbuild-std=core,alloc --target aarch64-unknown-none -v --release && cd ../..
+        run: cd ./fuzzers/baby/baby_no_std && cargo +nightly build -Zbuild-std=core,alloc --target aarch64-unknown-none -v --release && cd ../..
       - name: run x86_64 until panic!
-        run: cd ./fuzzers/baby_no_std && cargo +nightly run || test $? -ne 0 || exit 1
+        run: cd ./fuzzers/baby/baby_no_std && cargo +nightly run || test $? -ne 0 || exit 1
       - name: no_std tests
         run: cd ./libafl && cargo test --no-default-features
 
@@ -442,7 +456,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: ./.github/workflows/windows-tester-prepare
       - name: Build fuzzers/frida_libpng
-        run: cd fuzzers/frida_libpng/ && cargo make test
+        run: cd fuzzers/frida/frida_libpng/ && cargo make test
 
   windows-frida-libfuzzer-stb-image:
     runs-on: windows-latest
@@ -451,8 +465,8 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - uses: ./.github/workflows/windows-tester-prepare
-      - name: Build fuzzers/libfuzzer_stb_image
-        run: cd fuzzers/libfuzzer_stb_image && cargo build --release
+      - name: Build fuzzers/stb/libfuzzer_stb_image
+        run: cd fuzzers/stb/libfuzzer_stb_image && cargo build --release
 
   windows-frida-gdiplus:
     runs-on: windows-latest
@@ -461,8 +475,8 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - uses: ./.github/workflows/windows-tester-prepare
-      - name: Build fuzzers/frida_gdiplus
-        run: cd fuzzers/frida_gdiplus/ && cargo make test && cargo make test_cmplog
+      - name: Build fuzzers/frida/frida_gdiplus
+        run: cd fuzzers/frida/frida_gdiplus/ && cargo make test && cargo make test_cmplog
 
   windows-tinyinst-simple:
     runs-on: windows-latest
@@ -473,8 +487,8 @@ jobs:
       - uses: ./.github/workflows/windows-tester-prepare
       - name: install cxx bridge
         run: cargo install cxxbridge-cmd
-      - name: Build fuzzers/tinyinst_simple
-        run: cd fuzzers/tinyinst_simple/ && cargo make test
+      - name: Build fuzzers/others/tinyinst_simple
+        run: cd fuzzers/others/tinyinst_simple/ && cargo make test
 
   windows-clippy:
     runs-on: windows-latest

.gitignore

@@ -39,7 +39,6 @@ test.dict
 .idea/
 
 # Ignore all built fuzzers
-fuzzer_*
 AFLplusplus
 test_*
 *_fuzzer

fuzzers/README.md

@@ -0,0 +1,24 @@
+# LibAFL Fuzzers
+
+## Example fuzzers
+
+You can find here all the example fuzzers built on top of LibAFL.
+They are sorted by fuzzer types:
+
+- `baby`: Minimal fuzzers demonstrating a specific feature.
+- `forkserver`: Fuzzers using a forkserver-style executor.
+- `frida`: Fuzzers using [Frida](../libafl_frida).
+- `fuzzbench`: Fuzzbench fuzzers.
+- `libpng`: Fuzzers targeting libpng.
+- `nyx`: Fuzzers based on [Nyx](../libafl_nyx).
+- `others`: Various fuzzers, with no specific categories.
+- `qemu`: Fuzzers using [Qemu](../libafl_qemu).
+- `stb`: Fuzzers targeting stb.
+
+## Paper Artifacts
+
+Multiple papers based on LibAFL have been published alongside artifacts.
+Here is a list of LibAFL artifacts:
+
+- Fuzzbench implementation: https://github.com/AFLplusplus/libafl_fuzzbench
+- LibAFL QEMU experiments: https://github.com/AFLplusplus/libafl_qemu_artifacts

fuzzers/baby/baby_fuzzer/Cargo.toml

@@ -20,5 +20,5 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { path = "../../libafl/" }
-libafl_bolts = { path = "../../libafl_bolts/" }
+libafl = { path = "../../../libafl/" }
+libafl_bolts = { path = "../../../libafl_bolts/" }

fuzzers/baby/baby_fuzzer_gramatron/Cargo.toml

@@ -19,6 +19,6 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { path = "../../libafl/" }
-libafl_bolts = { path = "../../libafl_bolts/" }
+libafl = { path = "../../../libafl/" }
+libafl_bolts = { path = "../../../libafl_bolts/" }
 postcard = { version = "1.0", features = ["alloc"], default-features = false } # no_std compatible serde serialization format

fuzzers/baby/baby_fuzzer_grimoire/Cargo.toml

@@ -19,5 +19,5 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { path = "../../libafl/" }
-libafl_bolts = { path = "../../libafl_bolts/" }
+libafl = { path = "../../../libafl/" }
+libafl_bolts = { path = "../../../libafl_bolts/" }

fuzzers/baby/baby_fuzzer_minimizing/Cargo.toml

@@ -20,5 +20,5 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { path = "../../libafl/", features = ["prelude"] }
-libafl_bolts = { path = "../../libafl_bolts/", features = ["prelude"] }
+libafl = { path = "../../../libafl/", features = ["prelude"] }
+libafl_bolts = { path = "../../../libafl_bolts/", features = ["prelude"] }

fuzzers/baby/baby_fuzzer_multi/Cargo.toml

@@ -20,5 +20,5 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { path = "../../libafl/", features = ["multipart_inputs"] }
-libafl_bolts = { path = "../../libafl_bolts/" }
+libafl = { path = "../../../libafl/", features = ["multipart_inputs"] }
+libafl_bolts = { path = "../../../libafl_bolts/" }

fuzzers/baby/baby_fuzzer_nautilus/Cargo.toml

@@ -19,5 +19,5 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { path = "../../libafl/", features = ["default", "nautilus"] }
-libafl_bolts = { path = "../../libafl_bolts/" }
+libafl = { path = "../../../libafl/", features = ["default", "nautilus"] }
+libafl_bolts = { path = "../../../libafl_bolts/" }

fuzzers/baby/baby_fuzzer_swap_differential/Cargo.toml

@@ -25,12 +25,12 @@ bindgen = "0.69.4"
 cc = "1.0"
 
 [dependencies]
-libafl = { path = "../../libafl" }
-libafl_bolts = { path = "../../libafl_bolts" }
-libafl_targets = { path = "../../libafl_targets", features = ["sancov_pcguard_hitcounts", "libfuzzer", "sancov_cmplog", "pointer_maps"] }
+libafl = { path = "../../../libafl" }
+libafl_bolts = { path = "../../../libafl_bolts" }
+libafl_targets = { path = "../../../libafl_targets", features = ["sancov_pcguard_hitcounts", "libfuzzer", "sancov_cmplog", "pointer_maps"] }
 mimalloc = { version = "*", default-features = false }
 
-libafl_cc = { path = "../../libafl_cc/" }
+libafl_cc = { path = "../../../libafl_cc/" }
 
 [[bin]]
 name = "fuzzer_sd"

fuzzers/baby/baby_fuzzer_tokens/Cargo.toml

@@ -19,5 +19,5 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { path = "../../libafl/" }
-libafl_bolts = { path = "../../libafl_bolts/" }
+libafl = { path = "../../../libafl/" }
+libafl_bolts = { path = "../../../libafl_bolts/" }

fuzzers/baby/baby_fuzzer_unicode/Cargo.toml

@@ -20,5 +20,5 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { path = "../../libafl/", features = ["unicode"] }
-libafl_bolts = { path = "../../libafl_bolts/" }
+libafl = { path = "../../../libafl/", features = ["unicode"] }
+libafl_bolts = { path = "../../../libafl_bolts/" }

fuzzers/baby/baby_fuzzer_wasm/Cargo.toml

@@ -14,8 +14,8 @@ default = ["console_error_panic_hook"]
 js-sys = "0.3"
 wasm-bindgen = "0.2.63"
 
-libafl = { path = "../../libafl", default-features = false }
-libafl_bolts = { path = "../../libafl_bolts", default-features = false }
+libafl = { path = "../../../libafl", default-features = false }
+libafl_bolts = { path = "../../../libafl_bolts", default-features = false }
 
 # The `console_error_panic_hook` crate provides better debugging of panics by
 # logging them with `console.error`. This is great for development, but requires

fuzzers/baby/baby_fuzzer_with_forkexecutor/Cargo.toml

@@ -19,5 +19,5 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { path = "../../libafl/" }
-libafl_bolts = { path = "../../libafl_bolts/" }
+libafl = { path = "../../../libafl/" }
+libafl_bolts = { path = "../../../libafl_bolts/" }

fuzzers/baby/baby_no_std/Cargo.toml

@@ -15,8 +15,8 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { default-features = false, path = "../../libafl/" }
-libafl_bolts = { default-features = false, path = "../../libafl_bolts/" }
+libafl = { default-features = false, path = "../../../libafl/" }
+libafl_bolts = { default-features = false, path = "../../../libafl_bolts/" }
 static-alloc = "0.2.3"
 
 [target.'cfg(unix)'.dependencies]

fuzzers/baby/backtrace_baby_fuzzers/c_code_with_fork_executor/Cargo.toml

@@ -15,8 +15,8 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { path = "../../../libafl/" }
-libafl_bolts = { path = "../../../libafl_bolts/" }
+libafl = { path = "../../../../libafl/" }
+libafl_bolts = { path = "../../../../libafl_bolts/" }
 libc = "0.2"
 
 [build-dependencies]

fuzzers/baby/backtrace_baby_fuzzers/c_code_with_inprocess_executor/Cargo.toml

@@ -15,8 +15,8 @@ opt-level = 3
 debug = true
 
 [dependencies]
-libafl = { path = "../../../libafl/" }
-libafl_bolts = { path = "../../../libafl_bolts/" }
+libafl = { path = "../../../../libafl/" }
+libafl_bolts = { path = "../../../../libafl_bolts/" }
 libc = "0.2"
 
 [build-dependencies]

fuzzers/baby/backtrace_baby_fuzzers/command_executor/Cargo.toml

@@ -17,5 +17,5 @@ debug = true
 cc = "*"
 
 [dependencies]
-libafl = { path = "../../../libafl/" }
-libafl_bolts = { path = "../../../libafl_bolts/" }
+libafl = { path = "../../../../libafl/" }
+libafl_bolts = { path = "../../../../libafl_bolts/" }

fuzzers/baby/backtrace_baby_fuzzers/forkserver_executor/Cargo.toml

@@ -14,5 +14,5 @@ codegen-units = 1
 opt-level = 3
 
 [dependencies]
-libafl = { path = "../../../libafl/" }
-libafl_bolts = { path = "../../../libafl_bolts/" }
+libafl = { path = "../../../../libafl/" }
+libafl_bolts = { path = "../../../../libafl_bolts/" }