From 6c917cc3853f0bc8dcf14dd5e71dc4289fd7519f Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Wed, 9 Dec 2020 12:23:44 +0100 Subject: [PATCH] works again --- afl/src/engines/mod.rs | 68 ++++++++++++++---------------------- afl/src/events/mod.rs | 2 +- afl/src/stages/mod.rs | 3 +- afl/src/stages/mutational.rs | 30 ++++++++++------ 4 files changed, 49 insertions(+), 54 deletions(-) diff --git a/afl/src/engines/mod.rs b/afl/src/engines/mod.rs index 1e4542d36c..5d2eae6b92 100644 --- a/afl/src/engines/mod.rs +++ b/afl/src/engines/mod.rs @@ -102,23 +102,21 @@ where // TODO move some of these, like evaluate_input, to FuzzingEngine /// Runs the input and triggers observers and feedback - pub fn evaluate_input( + pub fn evaluate_input( &mut self, input: &I, - engine: &mut Engine, + executor: &mut E, ) -> Result where - C: Corpus, E: Executor, - EM: EventManager, { - engine.executor_mut().reset_observers()?; - engine.executor_mut().run_target(&input)?; + executor.reset_observers()?; + executor.run_target(&input)?; self.set_executions(self.executions() + 1); - engine.executor_mut().post_exec_observers()?; + executor.post_exec_observers()?; let mut fitness = 0; - let observers = engine.executor().observers(); + let observers = executor.observers(); for feedback in self.feedbacks_mut() { fitness += feedback.is_interesting(&input, observers)?; } @@ -183,7 +181,8 @@ where rand: &mut R, corpus: &mut C, generator: &mut G, - engine: &mut Engine, + engine: &mut Engine, + manager: &mut EM, num: usize, ) -> Result<(), AflError> where @@ -194,9 +193,9 @@ where { for _ in 0..num { let input = generator.generate(rand)?; - let fitness = self.evaluate_input(&input, engine)?; + let fitness = self.evaluate_input(&input, engine.executor_mut())?; self.add_if_interesting(corpus, input, fitness)?; - engine.events_manager_mut().fire( + manager.fire( Event::LoadInitial { sender_id: 0, phantom: PhantomData, @@ -205,7 +204,7 @@ where corpus, )?; } - engine.events_manager_mut().process(self, corpus)?; + manager.process(self, corpus)?; Ok(()) } @@ -220,35 +219,20 @@ where } } -pub struct Engine +pub struct Engine where - EM: EventManager, E: Executor, - C: Corpus, I: Input, - R: Rand, { - manager: EM, executor: E, - phantom: PhantomData<(C, I, R)>, + phantom: PhantomData, } -impl Engine +impl Engine where - EM: EventManager, E: Executor, - C: Corpus, I: Input, - R: Rand, { - pub fn events_manager(&self) -> &EM { - &self.manager - } - - pub fn events_manager_mut(&mut self) -> &mut EM { - &mut self.manager - } - /// Return the executor pub fn executor(&self) -> &E { &self.executor @@ -261,10 +245,9 @@ where // TODO additional executors, Vec>> - pub fn new(executor: E, events_manager: EM) -> Self { + pub fn new(executor: E) -> Self { Self { executor: executor, - manager: events_manager, phantom: PhantomData, } } @@ -291,15 +274,16 @@ where rand: &mut R, state: &mut State, corpus: &mut C, - engine: &mut Engine, + engine: &mut Engine, + manager: &mut EM, ) -> Result { let (_, idx) = corpus.next(rand)?; for stage in self.stages_mut() { - stage.perform(rand, state, corpus, engine, idx)?; + stage.perform(rand, state, corpus, engine, manager, idx)?; } - engine.events_manager_mut().process(state, corpus)?; + manager.process(state, corpus)?; Ok(idx) } @@ -308,15 +292,16 @@ where rand: &mut R, state: &mut State, corpus: &mut C, - engine: &mut Engine, + engine: &mut Engine, + manager: &mut EM, ) -> Result<(), AflError> { let mut last = current_milliseconds(); loop { - self.fuzz_one(rand, state, corpus, engine)?; + self.fuzz_one(rand, state, corpus, engine, manager)?; let cur = current_milliseconds(); if cur - last > 60 * 100 { last = cur; - engine.events_manager_mut().fire( + manager.fire( Event::UpdateStats { sender_id: 0, new_execs: 1, @@ -407,9 +392,8 @@ mod tests { let executor = InMemoryExecutor::::new(harness); let mut state = State::new(); - let events_manager = LoggerEventManager::new(stderr()); - - let mut engine = Engine::new(executor, events_manager); + let mut events_manager = LoggerEventManager::new(stderr()); + let mut engine = Engine::new(executor); let mut mutator = StdScheduledMutator::new(); mutator.add_mutation(mutation_bitflip); let stage = StdMutationalStage::new(mutator); @@ -420,7 +404,7 @@ mod tests { for i in 0..1000 { fuzzer - .fuzz_one(&mut rand, &mut state, &mut corpus, &mut engine) + .fuzz_one(&mut rand, &mut state, &mut corpus, &mut engine, &mut events_manager) .expect(&format!("Error in iter {}", i)); } } diff --git a/afl/src/events/mod.rs b/afl/src/events/mod.rs index 6608be5f8b..f9c3af8eb5 100644 --- a/afl/src/events/mod.rs +++ b/afl/src/events/mod.rs @@ -324,7 +324,7 @@ where corpus: &mut C, ) -> Result<(), AflError> { match event.handle_in_broker(state, corpus)? { - BrokerEventResult::Forward => event.handle_in_client(state, corpus)?, + BrokerEventResult::Forward => (), //event.handle_in_client(state, corpus)?, // Ignore broker-only events BrokerEventResult::Handled => (), } diff --git a/afl/src/stages/mod.rs b/afl/src/stages/mod.rs index 97881719ef..066adb28dd 100644 --- a/afl/src/stages/mod.rs +++ b/afl/src/stages/mod.rs @@ -23,7 +23,8 @@ where rand: &mut R, state: &mut State, corpus: &mut C, - engine: &mut Engine, + engine: &mut Engine, + manager: &mut EM, corpus_idx: usize, ) -> Result<(), AflError>; } diff --git a/afl/src/stages/mutational.rs b/afl/src/stages/mutational.rs index 9c455d6d4f..820c04e542 100644 --- a/afl/src/stages/mutational.rs +++ b/afl/src/stages/mutational.rs @@ -10,6 +10,8 @@ use crate::utils::Rand; use crate::AflError; use crate::{engines::State, events::Event}; +use crate::serde_anymap::{Ptr, PtrMut}; + // TODO multi mutators stage pub trait MutationalStage: Stage @@ -39,7 +41,8 @@ where rand: &mut R, state: &mut State, corpus: &mut C, - engine: &mut Engine, + engine: &mut Engine, + manager: &mut EM, corpus_idx: usize, ) -> Result<(), AflError> { let num = self.iterations(rand); @@ -48,23 +51,29 @@ where self.mutator_mut() .mutate(rand, corpus, &mut input_mut, i as i32)?; - let fitness = state.evaluate_input(&input_mut, engine)?; + let fitness = state.evaluate_input(&input_mut, engine.executor_mut())?; self.mutator_mut() .post_exec(fitness, &input_mut, i as i32)?; + // put all this shit in some overridable function in engine maybe? or in corpus. + // consider a corpus that strores new testcases in a temporary queue, for later processing + // in a late stage, NewTestcase should be triggere donly after the processing in the later stage + // So by default we shoudl trigger it in corpus.add, so that the user can override it and remove + // if needed by particular cases let testcase_maybe = state.testcase_if_interesting(input_mut, fitness)?; - if let Some(testcase) = testcase_maybe { - //corpus.entries()[idx] - engine.events_manager_mut().fire( - Event::NewTestcase { + if let Some(mut testcase) = testcase_maybe { + // TODO decouple events manager and engine + manager.fire( + Event::NewTestcase2 { sender_id: 0, - testcase: testcase, - phantom: PhantomData, + input: Ptr::Ref(testcase.load_input()?), + observers: PtrMut::Ref(engine.executor_mut().observers_mut()), }, state, corpus, )?; + let _ = corpus.add(testcase); } } Ok(()) @@ -119,10 +128,11 @@ where rand: &mut R, state: &mut State, corpus: &mut C, - engine: &mut Engine, + engine: &mut Engine, + manager: &mut EM, corpus_idx: usize, ) -> Result<(), AflError> { - self.perform_mutational(rand, state, corpus, engine, corpus_idx) + self.perform_mutational(rand, state, corpus, engine, manager, corpus_idx) } }