From 5ae16e39c24f6a9747c48406fee8d7dae8f0b867 Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Fri, 11 Dec 2020 09:41:14 +0100 Subject: [PATCH] temporary remove uggy unsafe mutations --- afl/src/engines/mod.rs | 16 +++--- afl/src/events/mod.rs | 96 ++++++++++++++++++++++++++++------- afl/src/mutators/scheduled.rs | 4 +- afl/src/stages/mutational.rs | 5 +- 4 files changed, 89 insertions(+), 32 deletions(-) diff --git a/afl/src/engines/mod.rs b/afl/src/engines/mod.rs index 1432ddcdb4..58ac453b19 100644 --- a/afl/src/engines/mod.rs +++ b/afl/src/engines/mod.rs @@ -206,19 +206,21 @@ where E: Executor, EM: EventManager, { + let mut added = 0; for _ in 0..num { let input = generator.generate(rand)?; let fitness = self.evaluate_input(&input, engine.executor_mut())?; - self.add_if_interesting(corpus, input, fitness)?; + if !self.add_if_interesting(corpus, input, fitness)?.is_none() { + added += 1; + } manager.fire( Event::LoadInitial { sender_id: 0, phantom: PhantomData, - }, - self, - corpus, + } )?; } + manager.fire(Event::log(0, format!("Loaded {} over {} initial testcases", added, num)))?; manager.process(self, corpus)?; Ok(()) } @@ -316,11 +318,7 @@ where let cur = current_milliseconds(); if cur - last > 60 * 100 { last = cur; - manager.fire( - Event::update_stats(state.executions(), state.executions_over_seconds()), - state, - corpus, - )?; // TODO self.new_execs}); + manager.fire(Event::update_stats(state.executions(), state.executions_over_seconds()))?; } } } diff --git a/afl/src/events/mod.rs b/afl/src/events/mod.rs index 3ed12b694e..e8977a371b 100644 --- a/afl/src/events/mod.rs +++ b/afl/src/events/mod.rs @@ -60,6 +60,7 @@ where sender_id: u64, input: Ptr<'a, I>, observers: PtrMut<'a, crate::observers::observer_serde::NamedSerdeAnyMap>, + corpus_count: usize }, UpdateStats { sender_id: u64, @@ -108,6 +109,7 @@ where sender_id: _, input: _, observers: _, + corpus_count: _ } => "New Testcase", Event::UpdateStats { sender_id: _, @@ -167,9 +169,7 @@ where /// Fire an Event fn fire<'a>( &mut self, - event: Event<'a, I>, - state: &mut State, - corpus: &mut C, + event: Event<'a, I> ) -> Result<(), AflError>; /// Lookup for incoming events and process them. @@ -184,10 +184,8 @@ where // TODO the broker has a state? do we need to pass state and corpus? fn handle_in_broker( - &self, + &mut self, event: &Event, - /*broker: &dyn EventManager,*/ _state: &mut State, - _corpus: &mut C, ) -> Result { match event { Event::LoadInitial { @@ -198,6 +196,7 @@ where sender_id: _, input: _, observers: _, + corpus_count: _ } => Ok(BrokerEventResult::Forward), Event::UpdateStats { sender_id: _, @@ -241,16 +240,17 @@ where } fn handle_in_client( - &self, + &mut self, event: Event, - /*client: &dyn EventManager,*/ _state: &mut State, - corpus: &mut C, + _state: &mut State, + _corpus: &mut C, ) -> Result<(), AflError> { match event { Event::NewTestcase { sender_id: _, input: _, observers: _, + corpus_count: _ } => { // here u should match sender_id, if equal to the current one do not re-execute // we need to pass engine to process() too, TODO @@ -285,6 +285,12 @@ where { writer: W, count: usize, + + // stats (maybe we need a separated struct?) + executions: usize, + execs_over_sec: u64, + corpus_count: usize, + phantom: PhantomData<(C, E, I, R)>, } @@ -301,10 +307,8 @@ where fn fire<'a>( &mut self, event: Event<'a, I>, - state: &mut State, - corpus: &mut C, ) -> Result<(), AflError> { - match self.handle_in_broker(&event, state, corpus)? { + match self.handle_in_broker(&event)? { BrokerEventResult::Forward => (), //self.handle_in_client(event, state, corpus)?, // Ignore broker-only events BrokerEventResult::Handled => (), @@ -317,6 +321,59 @@ where self.count = 0; Ok(c) } + + fn handle_in_broker( + &mut self, + event: &Event, + ) -> Result { + match event { + Event::NewTestcase { + sender_id: _, + input: _, + observers: _, + corpus_count + } => { + self.corpus_count = *corpus_count; + writeln!(self.writer, "[NEW] corpus: {} execs: {} execs/s: {}", self.corpus_count, self.executions, self.execs_over_sec); + Ok(BrokerEventResult::Handled) + }, + Event::UpdateStats { + sender_id: _, + executions, + execs_over_sec, + phantom: _, + } => { + self.executions = *executions; + self.execs_over_sec = *execs_over_sec; + writeln!(self.writer, "[UPDATE] corpus: {} execs: {} execs/s: {}", self.corpus_count, self.executions, self.execs_over_sec); + Ok(BrokerEventResult::Handled) + } + Event::Crash { + sender_id: _, + input: _, + phantom: _, + } => { + panic!("LoggerEventManager cannot handle Event::Crash"); + }, + Event::Timeout { + sender_id: _, + input: _, + phantom: _, + } => { + panic!("LoggerEventManager cannot handle Event::Timeout"); + } + Event::Log { + sender_id, + severity_level, + message, + phantom: _, + } => { + writeln!(self.writer, "[LOG {}]: {}", severity_level, message); + Ok(BrokerEventResult::Handled) + } + _ => Ok(BrokerEventResult::Handled), + } + } } #[cfg(feature = "std")] @@ -333,6 +390,9 @@ where Self { writer: writer, count: 0, + executions: 0, + execs_over_sec: 0, + corpus_count: 0, phantom: PhantomData, } } @@ -388,8 +448,6 @@ where fn fire<'a>( &mut self, event: Event<'a, I>, - state: &mut State, - corpus: &mut C, ) -> Result<(), AflError> { let serialized = postcard::to_allocvec(&event)?; self.llmp_broker @@ -433,10 +491,8 @@ where } fn handle_in_broker( - &self, + &mut self, event: &Event, - /*broker: &dyn EventManager,*/ _state: &mut State, - _corpus: &mut C, ) -> Result { match event { Event::LoadInitial { @@ -447,6 +503,7 @@ where sender_id: _, input: _, observers: _, + corpus_count: _ } => Ok(BrokerEventResult::Forward), Event::UpdateStats { sender_id: _, @@ -490,7 +547,7 @@ where } fn handle_in_client( - &self, + &mut self, event: Event, /*client: &dyn EventManager,*/ _state: &mut State, corpus: &mut C, @@ -500,6 +557,7 @@ where sender_id: _, input: _, observers: _, + corpus_count: _ } => { // here u should match sender_id, if equal to the current one do not re-execute // we need to pass engine to process() too, TODO @@ -541,6 +599,7 @@ mod tests { sender_id: 0, input: Ptr::Ref(&i), observers: PtrMut::Ref(&mut map), + corpus_count: 1 }; let j = serde_json::to_string(&e).unwrap(); @@ -551,6 +610,7 @@ mod tests { sender_id: _, input: _, observers: obs, + corpus_count: _ } => { let o = obs .as_ref() diff --git a/afl/src/mutators/scheduled.rs b/afl/src/mutators/scheduled.rs index 2ad35f4551..b59ea17652 100644 --- a/afl/src/mutators/scheduled.rs +++ b/afl/src/mutators/scheduled.rs @@ -221,7 +221,7 @@ where scheduled.add_mutation(mutation_wordinteresting); scheduled.add_mutation(mutation_dwordinteresting); - scheduled.add_mutation(mutation_bytesdelete); + /*scheduled.add_mutation(mutation_bytesdelete); scheduled.add_mutation(mutation_bytesdelete); scheduled.add_mutation(mutation_bytesdelete); scheduled.add_mutation(mutation_bytesdelete); @@ -231,7 +231,7 @@ where scheduled.add_mutation(mutation_bytesset); scheduled.add_mutation(mutation_bytesrandset); scheduled.add_mutation(mutation_bytescopy); - scheduled.add_mutation(mutation_bytesswap); + scheduled.add_mutation(mutation_bytesswap);*/ // TODO dictionary and custom dictionary (redqueen etc.) /*scheduled.add_mutation(mutation_bitflip); diff --git a/afl/src/stages/mutational.rs b/afl/src/stages/mutational.rs index ee3e26e386..575f5c6079 100644 --- a/afl/src/stages/mutational.rs +++ b/afl/src/stages/mutational.rs @@ -72,9 +72,8 @@ where sender_id: 0, input: Ptr::Ref(testcase.load_input()?), observers: PtrMut::Ref(engine.executor_mut().observers_mut()), - }, - state, - corpus, + corpus_count: corpus.count() +1 + } )?; let _ = corpus.add(testcase); }