SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add executions count at proper places (#1608)

Browse Source 
* executions count

* tinyinst qemu frida

* aaaa

---------

Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
This commit is contained in:
Dongjia "toka" Zhang 2023-10-05 15:25:40 +02:00 committed by GitHub
parent cffbf069d2
commit 74783c2027
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 47 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
libafl/src/corpus/minimizer.rs
View File

@ -142,7 +142,6 @@ where
.observers_mut() .observers_mut()
.post_exec_all(state, &input, &kind)?; .post_exec_all(state, &input, &kind)?;
*state.executions_mut() += 1;
let executions = *state.executions(); let executions = *state.executions();
curr += 1; curr += 1;

5
libafl/src/executors/combined.rs
View File

@ -6,7 +6,7 @@ use core::fmt::Debug;
use crate::{ use crate::{
executors::{Executor, ExitKind, HasObservers}, executors::{Executor, ExitKind, HasObservers},
observers::UsesObservers, observers::UsesObservers,
state::UsesState, state::{HasExecutions, UsesState},
Error, Error,
}; };
@ -45,6 +45,7 @@ where
A: Executor<EM, Z>, A: Executor<EM, Z>,
B: Executor<EM, Z, State = A::State>, B: Executor<EM, Z, State = A::State>,
EM: UsesState<State = A::State>, EM: UsesState<State = A::State>,
EM::State: HasExecutions,
Z: UsesState<State = A::State>, Z: UsesState<State = A::State>,
{ {
fn run_target( fn run_target(
@ -54,6 +55,8 @@ where
mgr: &mut EM, mgr: &mut EM,
input: &Self::Input, input: &Self::Input,
) -> Result<ExitKind, Error> { ) -> Result<ExitKind, Error> {
*state.executions_mut() += 1;
let ret = self.primary.run_target(fuzzer, state, mgr, input); let ret = self.primary.run_target(fuzzer, state, mgr, input);
self.primary.post_run_reset(); self.primary.post_run_reset();
self.secondary.post_run_reset(); self.secondary.post_run_reset();

12
libafl/src/executors/command.rs
View File

@ -30,7 +30,7 @@ use crate::{inputs::Input, Error};
use crate::{ use crate::{
inputs::{HasTargetBytes, UsesInput}, inputs::{HasTargetBytes, UsesInput},
observers::{ObserversTuple, UsesObservers}, observers::{ObserversTuple, UsesObservers},
state::UsesState, state::{HasExecutions, UsesState},
std::borrow::ToOwned, std::borrow::ToOwned,
}; };
@ -313,7 +313,7 @@ where
impl<EM, OT, S, T, Z> Executor<EM, Z> for CommandExecutor<OT, S, T> impl<EM, OT, S, T, Z> Executor<EM, Z> for CommandExecutor<OT, S, T>
where where
EM: UsesState<State = S>, EM: UsesState<State = S>,
S: UsesInput, S: UsesInput + HasExecutions,
S::Input: HasTargetBytes, S::Input: HasTargetBytes,
T: CommandConfigurator + Debug, T: CommandConfigurator + Debug,
OT: Debug + MatchName + ObserversTuple<S>, OT: Debug + MatchName + ObserversTuple<S>,
@ -322,7 +322,7 @@ where
fn run_target( fn run_target(
&mut self, &mut self,
_fuzzer: &mut Z, _fuzzer: &mut Z,
_state: &mut Self::State, state: &mut Self::State,
_mgr: &mut EM, _mgr: &mut EM,
input: &Self::Input, input: &Self::Input,
) -> Result<ExitKind, Error> { ) -> Result<ExitKind, Error> {
@ -330,6 +330,8 @@ where
use wait_timeout::ChildExt; use wait_timeout::ChildExt;
*state.executions_mut() += 1;
let mut child = self.configurer.spawn_child(input)?; let mut child = self.configurer.spawn_child(input)?;
let res = match child let res = match child
@ -619,7 +621,7 @@ impl CommandExecutorBuilder {
#[cfg_attr(all(feature = "std", unix), doc = " ```")] #[cfg_attr(all(feature = "std", unix), doc = " ```")]
#[cfg_attr(not(all(feature = "std", unix)), doc = " ```ignore")] #[cfg_attr(not(all(feature = "std", unix)), doc = " ```ignore")]
/// use std::{io::Write, process::{Stdio, Command, Child}, time::Duration}; /// use std::{io::Write, process::{Stdio, Command, Child}, time::Duration};
/// use libafl::{Error, inputs::{HasTargetBytes, Input, UsesInput}, executors::{Executor, command::CommandConfigurator}, state::UsesState}; /// use libafl::{Error, inputs::{HasTargetBytes, Input, UsesInput}, executors::{Executor, command::CommandConfigurator}, state::{UsesState, HasExecutions}};
/// use libafl_bolts::AsSlice; /// use libafl_bolts::AsSlice;
/// #[derive(Debug)] /// #[derive(Debug)]
/// struct MyExecutor; /// struct MyExecutor;
@ -650,7 +652,7 @@ impl CommandExecutorBuilder {
/// where /// where
/// EM: UsesState, /// EM: UsesState,
/// Z: UsesState<State = EM::State>, /// Z: UsesState<State = EM::State>,
/// EM::State: UsesInput, /// EM::State: UsesInput + HasExecutions,
/// EM::Input: HasTargetBytes /// EM::Input: HasTargetBytes
/// { /// {
/// MyExecutor.into_executor(()) /// MyExecutor.into_executor(())

12
libafl/src/executors/forkserver.rs
View File

@ -39,7 +39,7 @@ use crate::{
inputs::{HasTargetBytes, Input, UsesInput}, inputs::{HasTargetBytes, Input, UsesInput},
mutators::Tokens, mutators::Tokens,
observers::{MapObserver, Observer, ObserversTuple, UsesObservers}, observers::{MapObserver, Observer, ObserversTuple, UsesObservers},
state::UsesState, state::{HasExecutions, UsesState},
Error, Error,
}; };
@ -524,6 +524,7 @@ impl<E, EM, Z> Executor<EM, Z> for TimeoutForkserverExecutor<E>
where where
E: Executor<EM, Z> + HasForkserver + HasObservers + Debug, E: Executor<EM, Z> + HasForkserver + HasObservers + Debug,
E::Input: HasTargetBytes, E::Input: HasTargetBytes,
E::State: HasExecutions,
EM: UsesState<State = E::State>, EM: UsesState<State = E::State>,
Z: UsesState<State = E::State>, Z: UsesState<State = E::State>,
{ {
@ -531,10 +532,12 @@ where
fn run_target( fn run_target(
&mut self, &mut self,
_fuzzer: &mut Z, _fuzzer: &mut Z,
_state: &mut Self::State, state: &mut Self::State,
_mgr: &mut EM, _mgr: &mut EM,
input: &Self::Input, input: &Self::Input,
) -> Result<ExitKind, Error> { ) -> Result<ExitKind, Error> {
*state.executions_mut() += 1;
let mut exit_kind = ExitKind::Ok; let mut exit_kind = ExitKind::Ok;
let last_run_timed_out = self.executor.forkserver().last_run_timed_out_raw(); let last_run_timed_out = self.executor.forkserver().last_run_timed_out_raw();
@ -1210,7 +1213,7 @@ impl<EM, OT, S, SP, Z> Executor<EM, Z> for ForkserverExecutor<OT, S, SP>
where where
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
SP: ShMemProvider, SP: ShMemProvider,
S: UsesInput, S: UsesInput + HasExecutions,
S::Input: HasTargetBytes, S::Input: HasTargetBytes,
EM: UsesState<State = S>, EM: UsesState<State = S>,
Z: UsesState<State = S>, Z: UsesState<State = S>,
@ -1219,10 +1222,11 @@ where
fn run_target( fn run_target(
&mut self, &mut self,
_fuzzer: &mut Z, _fuzzer: &mut Z,
_state: &mut Self::State, state: &mut Self::State,
_mgr: &mut EM, _mgr: &mut EM,
input: &Self::Input, input: &Self::Input,
) -> Result<ExitKind, Error> { ) -> Result<ExitKind, Error> {
*state.executions_mut() += 1;
let mut exit_kind = ExitKind::Ok; let mut exit_kind = ExitKind::Ok;
// Write to testcase // Write to testcase

12
libafl/src/executors/inprocess.rs
View File

@ -52,7 +52,7 @@ use crate::{
fuzzer::HasObjective, fuzzer::HasObjective,
inputs::UsesInput, inputs::UsesInput,
observers::{ObserversTuple, UsesObservers}, observers::{ObserversTuple, UsesObservers},
state::{HasClientPerfMonitor, HasCorpus, HasSolutions, UsesState}, state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasSolutions, UsesState},
Error, Error,
}; };
@ -126,7 +126,7 @@ where
HB: BorrowMut<H>, HB: BorrowMut<H>,
EM: UsesState<State = S>, EM: UsesState<State = S>,
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
S: UsesInput, S: UsesInput + HasExecutions,
Z: UsesState<State = S>, Z: UsesState<State = S>,
{ {
fn run_target( fn run_target(
@ -136,6 +136,7 @@ where
mgr: &mut EM, mgr: &mut EM,
input: &Self::Input, input: &Self::Input,
) -> Result<ExitKind, Error> { ) -> Result<ExitKind, Error> {
*state.executions_mut() += 1;
self.handlers self.handlers
.pre_run_target(self, fuzzer, state, mgr, input); .pre_run_target(self, fuzzer, state, mgr, input);
@ -1646,7 +1647,7 @@ where
EM: UsesState<State = S>, EM: UsesState<State = S>,
H: FnMut(&S::Input) -> ExitKind + ?Sized, H: FnMut(&S::Input) -> ExitKind + ?Sized,
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
S: UsesInput, S: UsesInput + HasExecutions,
SP: ShMemProvider, SP: ShMemProvider,
Z: UsesState<State = S>, Z: UsesState<State = S>,
{ {
@ -1659,6 +1660,7 @@ where
_mgr: &mut EM, _mgr: &mut EM,
input: &Self::Input, input: &Self::Input,
) -> Result<ExitKind, Error> { ) -> Result<ExitKind, Error> {
*state.executions_mut() += 1;
unsafe { unsafe {
self.shmem_provider.pre_fork()?; self.shmem_provider.pre_fork()?;
match fork() { match fork() {
@ -1714,7 +1716,7 @@ where
EM: UsesState<State = S>, EM: UsesState<State = S>,
H: FnMut(&S::Input) -> ExitKind + ?Sized, H: FnMut(&S::Input) -> ExitKind + ?Sized,
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
S: UsesInput, S: UsesInput + HasExecutions,
SP: ShMemProvider, SP: ShMemProvider,
Z: UsesState<State = S>, Z: UsesState<State = S>,
{ {
@ -1727,6 +1729,8 @@ where
_mgr: &mut EM, _mgr: &mut EM,
input: &Self::Input, input: &Self::Input,
) -> Result<ExitKind, Error> { ) -> Result<ExitKind, Error> {
*state.executions_mut() += 1;
unsafe { unsafe {
self.shmem_provider.pre_fork()?; self.shmem_provider.pre_fork()?;
match fork() { match fork() {

8
libafl/src/executors/mod.rs
View File

@ -41,7 +41,7 @@ use serde::{Deserialize, Serialize};
use crate::{ use crate::{
inputs::{HasTargetBytes, UsesInput}, inputs::{HasTargetBytes, UsesInput},
observers::{ObserversTuple, UsesObservers}, observers::{ObserversTuple, UsesObservers},
state::UsesState, state::{HasExecutions, UsesState},
Error, Error,
}; };
@ -166,17 +166,19 @@ where
impl<EM, S, Z> Executor<EM, Z> for NopExecutor<S> impl<EM, S, Z> Executor<EM, Z> for NopExecutor<S>
where where
EM: UsesState<State = S>, EM: UsesState<State = S>,
S: UsesInput + Debug, S: UsesInput + Debug + HasExecutions,
S::Input: HasTargetBytes, S::Input: HasTargetBytes,
Z: UsesState<State = S>, Z: UsesState<State = S>,
{ {
fn run_target( fn run_target(
&mut self, &mut self,
_fuzzer: &mut Z, _fuzzer: &mut Z,
_state: &mut Self::State, state: &mut Self::State,
_mgr: &mut EM, _mgr: &mut EM,
input: &Self::Input, input: &Self::Input,
) -> Result<ExitKind, Error> { ) -> Result<ExitKind, Error> {
*state.executions_mut() += 1;
if input.target_bytes().as_slice().is_empty() { if input.target_bytes().as_slice().is_empty() {
Err(Error::empty("Input Empty")) Err(Error::empty("Input Empty"))
} else { } else {

4
libafl/src/fuzzer/mod.rs
View File

@ -679,8 +679,6 @@ where
executor.observers_mut().pre_exec_all(state, input)?; executor.observers_mut().pre_exec_all(state, input)?;
mark_feature_time!(state, PerfFeature::PreExecObservers); mark_feature_time!(state, PerfFeature::PreExecObservers);
*state.executions_mut() += 1;
start_timer!(state); start_timer!(state);
let exit_kind = executor.run_target(self, state, event_mgr, input)?; let exit_kind = executor.run_target(self, state, event_mgr, input)?;
mark_feature_time!(state, PerfFeature::TargetExecution); mark_feature_time!(state, PerfFeature::TargetExecution);
@ -732,8 +730,6 @@ where
executor.observers_mut().pre_exec_all(state, input)?; executor.observers_mut().pre_exec_all(state, input)?;
mark_feature_time!(state, PerfFeature::PreExecObservers); mark_feature_time!(state, PerfFeature::PreExecObservers);
*state.executions_mut() += 1;
start_timer!(state); start_timer!(state);
let exit_kind = executor.run_target(self, state, event_mgr, input)?; let exit_kind = executor.run_target(self, state, event_mgr, input)?;
mark_feature_time!(state, PerfFeature::TargetExecution); mark_feature_time!(state, PerfFeature::TargetExecution);

2
libafl/src/stages/tmin.rs
View File

@ -115,7 +115,6 @@ where
// TODO replace if process_execution adds a return value for solution index // TODO replace if process_execution adds a return value for solution index
let solution_count = state.solutions().count(); let solution_count = state.solutions().count();
let corpus_count = state.corpus().count(); let corpus_count = state.corpus().count();
*state.executions_mut() += 1;
let (_, corpus_idx) = fuzzer.process_execution( let (_, corpus_idx) = fuzzer.process_execution(
state, state,
manager, manager,
@ -158,7 +157,6 @@ where
if base_hash != new_hash { if base_hash != new_hash {
let exit_kind = fuzzer.execute_input(state, executor, manager, &base)?; let exit_kind = fuzzer.execute_input(state, executor, manager, &base)?;
let observers = executor.observers(); let observers = executor.observers();
*state.executions_mut() += 1;
// assumption: this input should not be marked interesting because it was not // assumption: this input should not be marked interesting because it was not
// marked as interesting above; similarly, it should not trigger objectives // marked as interesting above; similarly, it should not trigger objectives
fuzzer fuzzer

6
libafl/src/state/mod.rs
View File

@ -886,6 +886,7 @@ impl<I, C, R, SC> HasClientPerfMonitor for StdState<I, C, R, SC> {
#[derive(Debug, Serialize, Deserialize, Default)] #[derive(Debug, Serialize, Deserialize, Default)]
pub struct NopState<I> { pub struct NopState<I> {
metadata: SerdeAnyMap, metadata: SerdeAnyMap,
execution: usize,
rand: StdRand, rand: StdRand,
phantom: PhantomData<I>, phantom: PhantomData<I>,
} }
@ -897,6 +898,7 @@ impl<I> NopState<I> {
pub fn new() -> Self { pub fn new() -> Self {
NopState { NopState {
metadata: SerdeAnyMap::new(), metadata: SerdeAnyMap::new(),
execution: 0,
rand: StdRand::default(), rand: StdRand::default(),
phantom: PhantomData, phantom: PhantomData,
} }
@ -914,11 +916,11 @@ where
#[cfg(test)] #[cfg(test)]
impl<I> HasExecutions for NopState<I> { impl<I> HasExecutions for NopState<I> {
fn executions(&self) -> &usize { fn executions(&self) -> &usize {
unimplemented!(); &self.execution
} }
fn executions_mut(&mut self) -> &mut usize { fn executions_mut(&mut self) -> &mut usize {
unimplemented!(); &mut self.execution
} }
} }

4
libafl_frida/src/executor.rs
View File

@ -14,7 +14,7 @@ use libafl::{
executors::{Executor, ExitKind, HasObservers, InProcessExecutor}, executors::{Executor, ExitKind, HasObservers, InProcessExecutor},
inputs::{HasTargetBytes, UsesInput}, inputs::{HasTargetBytes, UsesInput},
observers::{ObserversTuple, UsesObservers}, observers::{ObserversTuple, UsesObservers},
state::UsesState, state::{HasExecutions, UsesState},
Error, Error,
}; };
@ -65,7 +65,7 @@ impl<'a, 'b, 'c, EM, H, OT, RT, S, Z> Executor<EM, Z>
where where
EM: UsesState<State = S>, EM: UsesState<State = S>,
H: FnMut(&S::Input) -> ExitKind, H: FnMut(&S::Input) -> ExitKind,
S: UsesInput, S: UsesInput + HasExecutions,
S::Input: HasTargetBytes, S::Input: HasTargetBytes,
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
RT: FridaRuntimeTuple, RT: FridaRuntimeTuple,

7
libafl_nyx/src/executor.rs
View File

@ -4,7 +4,7 @@ use libafl::{
executors::{Executor, ExitKind, HasObservers}, executors::{Executor, ExitKind, HasObservers},
inputs::{HasTargetBytes, UsesInput}, inputs::{HasTargetBytes, UsesInput},
observers::{ObserversTuple, UsesObservers}, observers::{ObserversTuple, UsesObservers},
state::{State, UsesState}, state::{HasExecutions, State, UsesState},
Error, Error,
}; };
use libafl_bolts::AsSlice; use libafl_bolts::AsSlice;
@ -48,17 +48,18 @@ where
impl<'a, EM, S, Z, OT> Executor<EM, Z> for NyxExecutor<'a, S, OT> impl<'a, EM, S, Z, OT> Executor<EM, Z> for NyxExecutor<'a, S, OT>
where where
EM: UsesState<State = S>, EM: UsesState<State = S>,
S: UsesInput, S: UsesInput + HasExecutions,
S::Input: HasTargetBytes, S::Input: HasTargetBytes,
Z: UsesState<State = S>, Z: UsesState<State = S>,
{ {
fn run_target( fn run_target(
&mut self, &mut self,
_fuzzer: &mut Z, _fuzzer: &mut Z,
_state: &mut Self::State, state: &mut Self::State,
_mgr: &mut EM, _mgr: &mut EM,
input: &Self::Input, input: &Self::Input,
) -> Result<ExitKind, Error> { ) -> Result<ExitKind, Error> {
*state.executions_mut() += 1;
let input_owned = input.target_bytes(); let input_owned = input.target_bytes();
let input = input_owned.as_slice(); let input = input_owned.as_slice();
self.helper.nyx_process.set_input( self.helper.nyx_process.set_input(

2
libafl_qemu/src/executor.rs
View File

@ -162,7 +162,7 @@ impl<'a, EM, H, OT, QT, S, Z> Executor<EM, Z> for QemuExecutor<'a, H, OT, QT, S>
where where
EM: UsesState<State = S>, EM: UsesState<State = S>,
H: FnMut(&S::Input) -> ExitKind, H: FnMut(&S::Input) -> ExitKind,
S: UsesInput, S: UsesInput + HasExecutions,
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
QT: QemuHelperTuple<S>, QT: QemuHelperTuple<S>,
Z: UsesState<State = S>, Z: UsesState<State = S>,

7
libafl_tinyinst/src/executor.rs
View File

@ -5,7 +5,7 @@ use libafl::{
executors::{Executor, ExitKind, HasObservers}, executors::{Executor, ExitKind, HasObservers},
inputs::{HasTargetBytes, UsesInput}, inputs::{HasTargetBytes, UsesInput},
observers::{ObserversTuple, UsesObservers}, observers::{ObserversTuple, UsesObservers},
state::{State, UsesState}, state::{HasExecutions, State, UsesState},
Error, Error,
}; };
use libafl_bolts::{ use libafl_bolts::{
@ -43,7 +43,7 @@ where
impl<'a, EM, S, SP, OT, Z> Executor<EM, Z> for TinyInstExecutor<'a, S, SP, OT> impl<'a, EM, S, SP, OT, Z> Executor<EM, Z> for TinyInstExecutor<'a, S, SP, OT>
where where
EM: UsesState<State = S>, EM: UsesState<State = S>,
S: UsesInput, S: UsesInput + HasExecutions,
S::Input: HasTargetBytes, S::Input: HasTargetBytes,
SP: ShMemProvider, SP: ShMemProvider,
Z: UsesState<State = S>, Z: UsesState<State = S>,
@ -52,10 +52,11 @@ where
fn run_target( fn run_target(
&mut self, &mut self,
_fuzzer: &mut Z, _fuzzer: &mut Z,
_state: &mut Self::State, state: &mut Self::State,
_mgr: &mut EM, _mgr: &mut EM,
input: &Self::Input, input: &Self::Input,
) -> Result<ExitKind, Error> { ) -> Result<ExitKind, Error> {
*state.executions_mut() += 1;
match &self.map { match &self.map {
Some(_) => { Some(_) => {
// use shmem to pass testcase // use shmem to pass testcase