From 4b1c8e283b458e14eee628f1e5a9442f17c14fa7 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Mon, 15 Feb 2021 14:27:54 +0100 Subject: [PATCH] Objective event --- afl/src/events/llmp.rs | 12 ++++------- afl/src/events/logger.rs | 9 ++++---- afl/src/events/mod.rs | 16 +++++--------- afl/src/executors/inprocess.rs | 38 ++++++++++++++++------------------ afl/src/state/mod.rs | 12 +++++++++++ afl/src/stats/mod.rs | 17 ++++++++++++++- 6 files changed, 59 insertions(+), 45 deletions(-) diff --git a/afl/src/events/llmp.rs b/afl/src/events/llmp.rs index ce436e2a22..bc8d52dce6 100644 --- a/afl/src/events/llmp.rs +++ b/afl/src/events/llmp.rs @@ -228,14 +228,10 @@ where stats.display(event.name().to_string() + " #" + &sender_id.to_string()); Ok(BrokerEventResult::Handled) } - Event::Crash { input: _ } => { - #[cfg(feature = "std")] - println!("Event::Crash"); - Ok(BrokerEventResult::Handled) - } - Event::Timeout { input: _ } => { - #[cfg(feature = "std")] - println!("Event::Timeout"); + Event::Objective { objective_size } => { + let client = stats.client_stats_mut_for(sender_id); + client.update_objective_size(*objective_size as u64); + stats.display(event.name().to_string() + " #" + &sender_id.to_string()); Ok(BrokerEventResult::Handled) } Event::Log { diff --git a/afl/src/events/logger.rs b/afl/src/events/logger.rs index 67a7bae7b2..d018cf6ff6 100644 --- a/afl/src/events/logger.rs +++ b/afl/src/events/logger.rs @@ -112,11 +112,10 @@ where stats.display(event.name().to_string()); Ok(BrokerEventResult::Handled) } - Event::Crash { input: _ } => { - panic!("LoggerEventManager cannot handle Event::Crash"); - } - Event::Timeout { input: _ } => { - panic!("LoggerEventManager cannot handle Event::Timeout"); + Event::Objective { objective_size } => { + stats.client_stats_mut()[0].update_objective_size(*objective_size as u64); + stats.display(event.name().to_string()); + Ok(BrokerEventResult::Handled) } Event::Log { severity_level, 
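Review bot: In logger.rs, `stats.client_stats_mut()[0]` in the new `Event::Objective` arm panics if the client-stats list is empty, and nothing in this hunk shows that an entry exists before the first objective event arrives. If the manager does not guarantee that elsewhere, a checked access would be safer, for example `if let Some(client) = stats.client_stats_mut().get_mut(0) { client.update_objective_size(*objective_size as u64); }`, assuming the accessor returns a Vec or slice. The match and its enclosing function extend beyond the hunk.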
diff --git a/afl/src/events/mod.rs b/afl/src/events/mod.rs index 93b3ceaba7..35838c32f9 100644 --- a/afl/src/events/mod.rs +++ b/afl/src/events/mod.rs @@ -93,15 +93,10 @@ where executions: usize, phantom: PhantomData, }, - /// A crash was found - Crash { - /// Crashing input - input: I, - }, - /// A timeout was found - Timeout { - /// Timeouting input - input: I, + /// A new objective was found + Objective { + /// Objective corpus size + objective_size: usize, }, /// Write a new log Log { @@ -137,8 +132,7 @@ where executions: _, phantom: _, } => "Stats", - Event::Crash { input: _ } => "Crash", - Event::Timeout { input: _ } => "Timeout", + Event::Objective { objective_size: _ } => "Objective", Event::Log { severity_level: _, message: _, diff --git a/afl/src/executors/inprocess.rs b/afl/src/executors/inprocess.rs index 25804a4d3a..fc91aaed6e 100644 --- a/afl/src/executors/inprocess.rs +++ b/afl/src/executors/inprocess.rs @@ -291,19 +291,18 @@ pub mod unix_signals { .is_interesting_all(&input, observers, ExitKind::Crash) .expect("In crash handler objective feedbacks failure.".into()); if obj_fitness > 0 { - state + if !state .add_if_objective(input.clone(), obj_fitness) - .expect("In crash handler objective corpus add failure.".into()); + .expect("In crash handler objective corpus add failure.".into()).is_none() { + mgr.fire( + state, + Event::Objective { + objective_size: state.objective_corpus().count(), + }, + ) .expect(&format!("Could not send timeouting input {:?}", input)); + } } - mgr.fire( - state, - Event::Crash { - input: input.to_owned(), - }, - ) - .expect(&format!("Could not send crashing input {:?}", input)); - mgr.on_restart(state).unwrap(); println!("Waiting for broker..."); 
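Review bot: The doc comment on the new field in events/mod.rs (`/// Objective corpus size`) does not say whether `objective_size` is a delta or a total, while the llmp.rs and logger.rs handlers treat it as a total by overwriting the per-client value. I would write `/// Number of entries in the sender's objective corpus after this objective was added (a total, not a delta)`. The variant also drops the input and the crash/timeout distinction that `Crash` and `Timeout` carried. A line on the variant saying that the reproducer stays in the client's objective corpus, which is where the inprocess.rs hunks appear to put it, would save readers a search.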
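Review bot: In the crash handler hunk of inprocess.rs, the new `mgr.fire(...)` call ends with `.expect(&format!("Could not send timeouting input {:?}", input))`, copied from the timeout path, so a failure while reporting a crash is mislabelled; it should read `Could not send crashing input {:?}`. The guard `!state.add_if_objective(...)...is_none()` is easier to read as `.is_some()`, and the same applies to the timeout hunk at -350. Because the event now fires only when the input is added to the objective corpus, a crash whose objective fitness is 0 leaves no broker-side record, whereas `Event::Crash` used to be sent unconditionally. If that is intended, a comment saying so would help whoever later triages a restart with no accompanying event. The handler body starts and ends outside this hunk.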
@@ -350,19 +349,18 @@ pub mod unix_signals { .is_interesting_all(&input, observers, ExitKind::Timeout) .expect("In timeout handler objective feedbacks failure.".into()); if obj_fitness > 0 { - state + if !state .add_if_objective(input.clone(), obj_fitness) - .expect("In timeout handler objective corpus add failure.".into()); + .expect("In timeout handler objective corpus add failure.".into()).is_none() { + mgr.fire( + state, + Event::Objective { + objective_size: state.objective_corpus().count(), + }, + ) .expect(&format!("Could not send timeouting input {:?}", input)); + } } - mgr.fire( - state, - Event::Timeout { - input: input.to_owned(), - }, - ) - .expect(&format!("Could not send timeouting input {:?}", input)); - mgr.on_restart(state).unwrap(); mgr.await_restart_safe(); diff --git a/afl/src/state/mod.rs b/afl/src/state/mod.rs index 838da07cc1..8f150d2830 100644 --- a/afl/src/state/mod.rs +++ b/afl/src/state/mod.rs @@ -260,6 +260,18 @@ where pub fn objective_feedbacks_mut(&mut self) -> &mut OFT { &mut self.objective_feedbacks } + + /// Returns the objective corpus + #[inline] + pub fn objective_corpus(&self) -> &OC { + &self.objective_corpus + } + + /// Returns the mutable objective corpus + #[inline] + pub fn objective_corpus_mut(&mut self) -> &mut OC { + &mut self.objective_corpus + } // TODO move some of these, like evaluate_input, to FuzzingEngine #[inline] diff --git a/afl/src/stats/mod.rs b/afl/src/stats/mod.rs index 9799c69123..ba5fd97168 100644 --- a/afl/src/stats/mod.rs +++ b/afl/src/stats/mod.rs @@ -15,6 +15,8 @@ pub struct ClientStats { pub corpus_size: u64, /// The total executions for this client pub executions: u64, + /// The size of the objectives corpus for this client + pub objective_size: u64, /// The last reported executions for this client pub last_window_executions: u64, /// The last time we got this information 
@@ -41,6 +43,11 @@ impl ClientStats { pub fn update_corpus_size(&mut self, corpus_size: u64) { self.corpus_size = corpus_size; } + + /// We got a new information about objective corpus size for this client, insert them. + pub fn update_objective_size(&mut self, objective_size: u64) { + self.objective_size = objective_size; + } /// Get the calculated executions per second for this client pub fn execs_per_sec(&mut self, cur_time: time::Duration) -> u64 { @@ -93,6 +100,13 @@ pub trait Stats { .fold(0u64, |acc, x| acc + x.corpus_size) } + /// Amount of elements in the objectives (combined for all children) + fn objective_size(&self) -> u64 { + self.client_stats() + .iter() + .fold(0u64, |acc, x| acc + x.objective_size) + } + /// Total executions #[inline] fn total_execs(&mut self) -> u64 { @@ -155,10 +169,11 @@ where fn display(&mut self, event_msg: String) { let fmt = format!( - "[{}] clients: {}, corpus: {}, executions: {}, exec/sec: {}", + "[{}] clients: {}, corpus: {}, objectives: {}, executions: {}, exec/sec: {}", event_msg, self.client_stats().len(), self.corpus_size(), + self.objective_size(), self.total_execs(), self.execs_per_sec() );
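Review bot: The doc comment on `update_objective_size` in the -41 hunk ("We got a new information about objective corpus size for this client, insert them.") is ungrammatical and does not say that the call replaces the stored value rather than adding to it. I would write `/// Records the objective corpus size last reported by this client, replacing the previous value.` That matters for readers of `Stats::objective_size()`, which sums these per-client totals.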