GenStage: A stage for generational (e.g., black-box) fuzzers (#2137)

* GenStage: A stage for generational (e.g., black-box) fuzzers * mv stages/{gen,generation}.rs * Fix doc link * `GenStage`: Alphabetize type parameters * Fighting rustdoc
2024-05-03 13:18:14 -04:00 · 2024-05-03 13:18:14 -04:00 · 382673b173
commit 382673b173
parent f75c5ff4d3
2 changed files with 74 additions and 0 deletions
--- a/libafl/src/stages/generation.rs
+++ b/libafl/src/stages/generation.rs
@ -0,0 +1,72 @@
+//! A [`Stage`] that generates a single input via a
+//! [`crate::generators::Generator`] and evaluates it using the fuzzer, possibly
+//! adding it to the corpus.
+
+use core::marker::PhantomData;
+
+use crate::{
+    generators::Generator,
+    inputs::UsesInput,
+    stages::Stage,
+    state::{HasCorpus, HasRand, UsesState},
+    Error, Evaluator,
+};
+
+/// A [`Stage`] that generates a single input via a [`Generator`] and evaluates
+/// it using the fuzzer, possibly adding it to the corpus.
+///
+/// This stage can be used to construct black-box (e.g., grammar-based) fuzzers.
+#[derive(Debug)]
+pub struct GenStage<G, Z>(G, PhantomData<Z>)
+where
+    Z: UsesState,
+    G: Generator<<<Z as UsesState>::State as UsesInput>::Input, Z::State>;
+
+impl<G, Z> GenStage<G, Z>
+where
+    Z: UsesState,
+    G: Generator<<<Z as UsesState>::State as UsesInput>::Input, Z::State>,
+{
+    /// Create a new [`GenStage`].
+    pub fn new(g: G) -> Self {
+        Self(g, PhantomData)
+    }
+}
+
+impl<G, Z> UsesState for GenStage<G, Z>
+where
+    Z: UsesState,
+    G: Generator<<<Z as UsesState>::State as UsesInput>::Input, Z::State>,
+{
+    type State = Z::State;
+}
+
+impl<E, EM, Z, G> Stage<E, EM, Z> for GenStage<G, Z>
+where
+    E: UsesState<State = Z::State>,
+    EM: UsesState<State = Z::State>,
+    Z: Evaluator<E, EM>,
+    Z::State: HasCorpus + HasRand,
+    G: Generator<<<Z as UsesState>::State as UsesInput>::Input, Z::State>,
+{
+    #[inline]
+    fn perform(
+        &mut self,
+        fuzzer: &mut Z,
+        executor: &mut E,
+        state: &mut Z::State,
+        manager: &mut EM,
+    ) -> Result<(), Error> {
+        let input = self.0.generate(state)?;
+        fuzzer.evaluate_input(state, executor, manager, input)?;
+        Ok(())
+    }
+
+    fn restart_progress_should_run(&mut self, _state: &mut Self::State) -> Result<bool, Error> {
+        Ok(true)
+    }
+
+    fn clear_restart_progress(&mut self, _state: &mut Self::State) -> Result<(), Error> {
+        Ok(())
+    }
+}
--- a/libafl/src/stages/mod.rs
+++ b/libafl/src/stages/mod.rs
@ -63,6 +63,8 @@ pub mod concolic;
 #[cfg(feature = "std")]
 pub mod dump;
 pub mod generalization;
+/// The [`generation::GenStage`] generates a single input and evaluates it.
+pub mod generation;
 pub mod logics;
 pub mod power;
 pub mod stats;