From 74783c2027c0ccf54a90f03ab21e7c1aae4a1b2f Mon Sep 17 00:00:00 2001 From: "Dongjia \"toka\" Zhang" Date: Thu, 5 Oct 2023 15:25:40 +0200 Subject: [PATCH] Add executions count at proper places (#1608) * executions count * tinyinst qemu frida * aaaa --------- Co-authored-by: Andrea Fioraldi --- libafl/src/corpus/minimizer.rs | 1 - libafl/src/executors/combined.rs | 5 ++++- libafl/src/executors/command.rs | 12 +++++++----- libafl/src/executors/forkserver.rs | 12 ++++++++---- libafl/src/executors/inprocess.rs | 12 ++++++++---- libafl/src/executors/mod.rs | 8 +++++--- libafl/src/fuzzer/mod.rs | 4 ---- libafl/src/stages/tmin.rs | 2 -- libafl/src/state/mod.rs | 6 ++++-- libafl_frida/src/executor.rs | 4 ++-- libafl_nyx/src/executor.rs | 7 ++++--- libafl_qemu/src/executor.rs | 2 +- libafl_tinyinst/src/executor.rs | 7 ++++--- 13 files changed, 47 insertions(+), 35 deletions(-) diff --git a/libafl/src/corpus/minimizer.rs b/libafl/src/corpus/minimizer.rs index cdea397290..a54a94ac05 100644 --- a/libafl/src/corpus/minimizer.rs +++ b/libafl/src/corpus/minimizer.rs @@ -142,7 +142,6 @@ where .observers_mut() .post_exec_all(state, &input, &kind)?; - *state.executions_mut() += 1; let executions = *state.executions(); curr += 1; diff --git a/libafl/src/executors/combined.rs b/libafl/src/executors/combined.rs index 708baa8c7f..c9015f3812 100644 --- a/libafl/src/executors/combined.rs +++ b/libafl/src/executors/combined.rs @@ -6,7 +6,7 @@ use core::fmt::Debug; use crate::{ executors::{Executor, ExitKind, HasObservers}, observers::UsesObservers, - state::UsesState, + state::{HasExecutions, UsesState}, Error, }; @@ -45,6 +45,7 @@ where A: Executor, B: Executor, EM: UsesState, + EM::State: HasExecutions, Z: UsesState, { fn run_target( @@ -54,6 +55,8 @@ where mgr: &mut EM, input: &Self::Input, ) -> Result { + *state.executions_mut() += 1; + let ret = self.primary.run_target(fuzzer, state, mgr, input); self.primary.post_run_reset(); self.secondary.post_run_reset(); 
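Review bot: `CombinedExecutor::run_target` now bumps `state.executions_mut()` and then calls `self.primary.run_target(...)`, while every executor this patch touches (`InProcessExecutor`, `ForkserverExecutor`, `CommandExecutor`, `NyxExecutor`, `TinyInstExecutor`, `NopExecutor`) bumps it again inside its own `run_target`, so a combined executor built from any of them counts each run twice. Either drop the increment here and let the wrapped executor own the count, or document that `CombinedExecutor` must only wrap executors that do not count themselves. If the increment stays, a comment such as `// NOTE: primary must not increment executions itself, or runs are double-counted` at least makes the contract visible. Whether `secondary` is ever run is outside this hunk, so this note covers only the visible `primary` call.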
diff --git a/libafl/src/executors/command.rs b/libafl/src/executors/command.rs index fd8fa1e7f8..cb6bf9209e 100644 --- a/libafl/src/executors/command.rs +++ b/libafl/src/executors/command.rs @@ -30,7 +30,7 @@ use crate::{inputs::Input, Error}; use crate::{ inputs::{HasTargetBytes, UsesInput}, observers::{ObserversTuple, UsesObservers}, - state::UsesState, + state::{HasExecutions, UsesState}, std::borrow::ToOwned, }; @@ -313,7 +313,7 @@ where impl Executor for CommandExecutor where EM: UsesState, - S: UsesInput, + S: UsesInput + HasExecutions, S::Input: HasTargetBytes, T: CommandConfigurator + Debug, OT: Debug + MatchName + ObserversTuple, @@ -322,7 +322,7 @@ where fn run_target( &mut self, _fuzzer: &mut Z, - _state: &mut Self::State, + state: &mut Self::State, _mgr: &mut EM, input: &Self::Input, ) -> Result { @@ -330,6 +330,8 @@ where use wait_timeout::ChildExt; + *state.executions_mut() += 1; + let mut child = self.configurer.spawn_child(input)?; let res = match child @@ -619,7 +621,7 @@ impl CommandExecutorBuilder { #[cfg_attr(all(feature = "std", unix), doc = " ```")] #[cfg_attr(not(all(feature = "std", unix)), doc = " ```ignore")] /// use std::{io::Write, process::{Stdio, Command, Child}, time::Duration}; -/// use libafl::{Error, inputs::{HasTargetBytes, Input, UsesInput}, executors::{Executor, command::CommandConfigurator}, state::UsesState}; +/// use libafl::{Error, inputs::{HasTargetBytes, Input, UsesInput}, executors::{Executor, command::CommandConfigurator}, state::{UsesState, HasExecutions}}; /// use libafl_bolts::AsSlice; /// #[derive(Debug)] /// struct MyExecutor; @@ -650,7 +652,7 @@ impl CommandExecutorBuilder { /// where /// EM: UsesState, /// Z: UsesState, -/// EM::State: UsesInput, +/// EM::State: UsesInput + HasExecutions, /// EM::Input: HasTargetBytes /// { /// MyExecutor.into_executor(()) diff --git a/libafl/src/executors/forkserver.rs b/libafl/src/executors/forkserver.rs index 3efc6cdc7a..4b24b4d895 100644 
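Review bot: In `CommandExecutor::run_target` the increment precedes `self.configurer.spawn_child(input)?`, so a failed spawn (or a failed wait further down) still advances the execution count even though the target never ran. If counting attempts rather than completed runs is intended, say so, e.g. `// Count the attempt up front: a failed spawn still counts as an execution.`; otherwise move the `+= 1` after the child has been spawned or next to the `ExitKind` decision. The same ordering appears in the other executors in this patch, so whichever choice is made should be applied uniformly. The rest of this function, including the wait/timeout handling, is outside the hunk.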
--- a/libafl/src/executors/forkserver.rs +++ b/libafl/src/executors/forkserver.rs @@ -39,7 +39,7 @@ use crate::{ inputs::{HasTargetBytes, Input, UsesInput}, mutators::Tokens, observers::{MapObserver, Observer, ObserversTuple, UsesObservers}, - state::UsesState, + state::{HasExecutions, UsesState}, Error, }; @@ -524,6 +524,7 @@ impl Executor for TimeoutForkserverExecutor where E: Executor + HasForkserver + HasObservers + Debug, E::Input: HasTargetBytes, + E::State: HasExecutions, EM: UsesState, Z: UsesState, { @@ -531,10 +532,12 @@ where fn run_target( &mut self, _fuzzer: &mut Z, - _state: &mut Self::State, + state: &mut Self::State, _mgr: &mut EM, input: &Self::Input, ) -> Result { + *state.executions_mut() += 1; + let mut exit_kind = ExitKind::Ok; let last_run_timed_out = self.executor.forkserver().last_run_timed_out_raw(); @@ -1210,7 +1213,7 @@ impl Executor for ForkserverExecutor where OT: ObserversTuple, SP: ShMemProvider, - S: UsesInput, + S: UsesInput + HasExecutions, S::Input: HasTargetBytes, EM: UsesState, Z: UsesState, @@ -1219,10 +1222,11 @@ where fn run_target( &mut self, _fuzzer: &mut Z, - _state: &mut Self::State, + state: &mut Self::State, _mgr: &mut EM, input: &Self::Input, ) -> Result { + *state.executions_mut() += 1; let mut exit_kind = ExitKind::Ok; // Write to testcase diff --git a/libafl/src/executors/inprocess.rs b/libafl/src/executors/inprocess.rs index 9270c5c601..9b961e1c85 100644 --- a/libafl/src/executors/inprocess.rs +++ b/libafl/src/executors/inprocess.rs @@ -52,7 +52,7 @@ use crate::{ fuzzer::HasObjective, inputs::UsesInput, observers::{ObserversTuple, UsesObservers}, - state::{HasClientPerfMonitor, HasCorpus, HasSolutions, UsesState}, + state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasSolutions, UsesState}, Error, }; @@ -126,7 +126,7 @@ where HB: BorrowMut, EM: UsesState, OT: ObserversTuple, - S: UsesInput, + S: UsesInput + HasExecutions, Z: UsesState, { fn run_target( 
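Review bot: `TimeoutForkserverExecutor<E>` now increments `executions` itself while its wrapped `E: Executor` (`ForkserverExecutor`, later in this patch) also increments inside its own `run_target`; this only stays correct because the wrapper drives `self.executor.forkserver()` directly rather than forwarding to `E::run_target`, which a reader of this hunk cannot see. A one-line comment above the increment would pin that invariant: `// We drive the forkserver directly (not via E::run_target), so count here exactly once.` If a future change makes the wrapper delegate to `E::run_target`, this increment must go. The body of `run_target` continues past the hunk.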
@@ -136,6 +136,7 @@ where mgr: &mut EM, input: &Self::Input, ) -> Result { + *state.executions_mut() += 1; self.handlers .pre_run_target(self, fuzzer, state, mgr, input); @@ -1646,7 +1647,7 @@ where EM: UsesState, H: FnMut(&S::Input) -> ExitKind + ?Sized, OT: ObserversTuple, - S: UsesInput, + S: UsesInput + HasExecutions, SP: ShMemProvider, Z: UsesState, { @@ -1659,6 +1660,7 @@ where _mgr: &mut EM, input: &Self::Input, ) -> Result { + *state.executions_mut() += 1; unsafe { self.shmem_provider.pre_fork()?; match fork() { @@ -1714,7 +1716,7 @@ where EM: UsesState, H: FnMut(&S::Input) -> ExitKind + ?Sized, OT: ObserversTuple, - S: UsesInput, + S: UsesInput + HasExecutions, SP: ShMemProvider, Z: UsesState, { @@ -1727,6 +1729,8 @@ where _mgr: &mut EM, input: &Self::Input, ) -> Result { + *state.executions_mut() += 1; + unsafe { self.shmem_provider.pre_fork()?; match fork() { diff --git a/libafl/src/executors/mod.rs b/libafl/src/executors/mod.rs index c0bede923d..6f48360c34 100644 --- a/libafl/src/executors/mod.rs +++ b/libafl/src/executors/mod.rs @@ -41,7 +41,7 @@ use serde::{Deserialize, Serialize}; use crate::{ inputs::{HasTargetBytes, UsesInput}, observers::{ObserversTuple, UsesObservers}, - state::UsesState, + state::{HasExecutions, UsesState}, Error, }; @@ -166,17 +166,19 @@ where impl Executor for NopExecutor where EM: UsesState, - S: UsesInput + Debug, + S: UsesInput + Debug + HasExecutions, S::Input: HasTargetBytes, Z: UsesState, { fn run_target( &mut self, _fuzzer: &mut Z, - _state: &mut Self::State, + state: &mut Self::State, _mgr: &mut EM, input: &Self::Input, ) -> Result { + *state.executions_mut() += 1; + if input.target_bytes().as_slice().is_empty() { Err(Error::empty("Input Empty")) } else { diff --git a/libafl/src/fuzzer/mod.rs b/libafl/src/fuzzer/mod.rs index a5df357a6e..1446c315cc 100644 --- a/libafl/src/fuzzer/mod.rs +++ b/libafl/src/fuzzer/mod.rs 
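Review bot: Moving the count out of `Fuzzer::execute_input` into each `run_target` makes "increment `state.executions_mut()` exactly once per run" part of the `Executor` trait contract, but nothing in the trait documentation (outside this hunk) says so, and an out-of-tree executor that omits it will now silently report zero executions. The `Executor::run_target` doc comment should state it, e.g. `/// Implementations must increment `state.executions_mut()` exactly once per call, regardless of the outcome.` In `NopExecutor` the bump also happens before the `input.target_bytes().as_slice().is_empty()` check, so a rejected empty input still counts; that matches the other executors here but is worth spelling out in the same comment.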
@@ -679,8 +679,6 @@ where executor.observers_mut().pre_exec_all(state, input)?; mark_feature_time!(state, PerfFeature::PreExecObservers); - *state.executions_mut() += 1; - start_timer!(state); let exit_kind = executor.run_target(self, state, event_mgr, input)?; mark_feature_time!(state, PerfFeature::TargetExecution); @@ -732,8 +730,6 @@ where executor.observers_mut().pre_exec_all(state, input)?; mark_feature_time!(state, PerfFeature::PreExecObservers); - *state.executions_mut() += 1; - start_timer!(state); let exit_kind = executor.run_target(self, state, event_mgr, input)?; mark_feature_time!(state, PerfFeature::TargetExecution); diff --git a/libafl/src/stages/tmin.rs b/libafl/src/stages/tmin.rs index 5d872c8088..d9f1a0755f 100644 --- a/libafl/src/stages/tmin.rs +++ b/libafl/src/stages/tmin.rs @@ -115,7 +115,6 @@ where // TODO replace if process_execution adds a return value for solution index let solution_count = state.solutions().count(); let corpus_count = state.corpus().count(); - *state.executions_mut() += 1; let (_, corpus_idx) = fuzzer.process_execution( state, manager, @@ -158,7 +157,6 @@ where if base_hash != new_hash { let exit_kind = fuzzer.execute_input(state, executor, manager, &base)?; let observers = executor.observers(); - *state.executions_mut() += 1; // assumption: this input should not be marked interesting because it was not // marked as interesting above; similarly, it should not trigger objectives fuzzer diff --git a/libafl/src/state/mod.rs b/libafl/src/state/mod.rs index a78e932bad..1e8f73e438 100644 --- a/libafl/src/state/mod.rs +++ b/libafl/src/state/mod.rs @@ -886,6 +886,7 @@ impl HasClientPerfMonitor for StdState { #[derive(Debug, Serialize, Deserialize, Default)] pub struct NopState { metadata: SerdeAnyMap, + execution: usize, rand: StdRand, phantom: PhantomData, } @@ -897,6 +898,7 @@ impl NopState { pub fn new() -> Self { NopState { metadata: SerdeAnyMap::new(), + execution: 0, rand: StdRand::default(), phantom: PhantomData, } 
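Review bot: The new `NopState` field is named `execution` while the accessor trait it backs is `HasExecutions` with `executions()` / `executions_mut()`, which reads as a typo rather than a deliberate singular; renaming it `executions: usize` (and the `execution: 0` initializer in `new()`) keeps field and accessor aligned. Note also that `NopState` derives `Serialize`/`Deserialize`, so the new field becomes part of its serialized form; that seems harmless for a no-op state but is a visible format change.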
@@ -914,11 +916,11 @@ where #[cfg(test)] impl HasExecutions for NopState { fn executions(&self) -> &usize { - unimplemented!(); + &self.execution } fn executions_mut(&mut self) -> &mut usize { - unimplemented!(); + &mut self.execution } } diff --git a/libafl_frida/src/executor.rs b/libafl_frida/src/executor.rs index 65024d1810..bd5db64e59 100644 --- a/libafl_frida/src/executor.rs +++ b/libafl_frida/src/executor.rs @@ -14,7 +14,7 @@ use libafl::{ executors::{Executor, ExitKind, HasObservers, InProcessExecutor}, inputs::{HasTargetBytes, UsesInput}, observers::{ObserversTuple, UsesObservers}, - state::UsesState, + state::{HasExecutions, UsesState}, Error, }; @@ -65,7 +65,7 @@ impl<'a, 'b, 'c, EM, H, OT, RT, S, Z> Executor where EM: UsesState, H: FnMut(&S::Input) -> ExitKind, - S: UsesInput, + S: UsesInput + HasExecutions, S::Input: HasTargetBytes, OT: ObserversTuple, RT: FridaRuntimeTuple, diff --git a/libafl_nyx/src/executor.rs b/libafl_nyx/src/executor.rs index 324695dd53..31d7c75a41 100644 --- a/libafl_nyx/src/executor.rs +++ b/libafl_nyx/src/executor.rs @@ -4,7 +4,7 @@ use libafl::{ executors::{Executor, ExitKind, HasObservers}, inputs::{HasTargetBytes, UsesInput}, observers::{ObserversTuple, UsesObservers}, - state::{State, UsesState}, + state::{HasExecutions, State, UsesState}, Error, }; use libafl_bolts::AsSlice; @@ -48,17 +48,18 @@ where impl<'a, EM, S, Z, OT> Executor for NyxExecutor<'a, S, OT> where EM: UsesState, - S: UsesInput, + S: UsesInput + HasExecutions, S::Input: HasTargetBytes, Z: UsesState, { fn run_target( &mut self, _fuzzer: &mut Z, - _state: &mut Self::State, + state: &mut Self::State, _mgr: &mut EM, input: &Self::Input, ) -> Result { + *state.executions_mut() += 1; let input_owned = input.target_bytes(); let input = input_owned.as_slice(); self.helper.nyx_process.set_input( diff --git a/libafl_qemu/src/executor.rs b/libafl_qemu/src/executor.rs index 416f848811..67a6d2b51a 100644 --- a/libafl_qemu/src/executor.rs 
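Review bot: `NopState`'s `HasExecutions` impl stays behind `#[cfg(test)]` even though the `execution` field it now returns exists unconditionally, while `NopExecutor` (this patch, executors/mod.rs) newly requires `S: HasExecutions`; pairing `NopExecutor` with `NopState` outside the crate's own tests will therefore no longer compile. Since the impl no longer panics and costs nothing, drop the `#[cfg(test)]` attribute (the impl header and its `where` clause sit just above the hunk). If it is deliberately test-only, a comment saying why would help whoever next hits the missing-bound error.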
+++ b/libafl_qemu/src/executor.rs @@ -162,7 +162,7 @@ impl<'a, EM, H, OT, QT, S, Z> Executor for QemuExecutor<'a, H, OT, QT, S> where EM: UsesState, H: FnMut(&S::Input) -> ExitKind, - S: UsesInput, + S: UsesInput + HasExecutions, OT: ObserversTuple, QT: QemuHelperTuple, Z: UsesState, diff --git a/libafl_tinyinst/src/executor.rs b/libafl_tinyinst/src/executor.rs index fdafb5728e..dd799b0b7d 100644 --- a/libafl_tinyinst/src/executor.rs +++ b/libafl_tinyinst/src/executor.rs @@ -5,7 +5,7 @@ use libafl::{ executors::{Executor, ExitKind, HasObservers}, inputs::{HasTargetBytes, UsesInput}, observers::{ObserversTuple, UsesObservers}, - state::{State, UsesState}, + state::{HasExecutions, State, UsesState}, Error, }; use libafl_bolts::{ @@ -43,7 +43,7 @@ where impl<'a, EM, S, SP, OT, Z> Executor for TinyInstExecutor<'a, S, SP, OT> where EM: UsesState, - S: UsesInput, + S: UsesInput + HasExecutions, S::Input: HasTargetBytes, SP: ShMemProvider, Z: UsesState, @@ -52,10 +52,11 @@ where fn run_target( &mut self, _fuzzer: &mut Z, - _state: &mut Self::State, + state: &mut Self::State, _mgr: &mut EM, input: &Self::Input, ) -> Result { + *state.executions_mut() += 1; match &self.map { Some(_) => { // use shmem to pass testcase
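Review bot: `QemuExecutor`'s impl only gains the `S: UsesInput + HasExecutions` bound; no increment appears in this hunk, so the count presumably comes from the wrapped `InProcessExecutor` that `QemuExecutor::run_target` (outside the hunk) forwards to — please confirm that is the path, otherwise QEMU runs will report zero executions. The same applies to `FridaInProcessExecutor` earlier in this patch, which also only adds the bound. A comment on the bound, e.g. `// HasExecutions: the inner InProcessExecutor counts the run`, would make the intent clear to readers who only see the bound.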