no restarts on crash

libafl/src/bolts/llmp.rs

@@ -101,9 +101,6 @@ use crate::{
 
 use super::shmem::HasFd;
 
-/// The sender on this map is exiting (if broker exits, clients should exit gracefully);
-const LLMP_TAG_EXITING: u32 = 0x13C5171;
-
 /// We'll start off with 256 megabyte maps per fuzzer client
 const LLMP_PREF_INITIAL_MAP_SIZE: usize = 1 << 28;
 /// What byte count to align messages to
@@ -111,14 +108,16 @@ const LLMP_PREF_INITIAL_MAP_SIZE: usize = 1 << 28;
 const LLMP_PREF_ALIGNNMENT: usize = 64;
 
 /// A msg fresh from the press: No tag got sent by the user yet
-const LLMP_TAG_UNSET: u32 = 0xDEADAF;
+const LLMP_TAG_UNSET: Tag = 0xDEADAF;
 /// This message should not exist yet. Some bug in unsafe code!
-const LLMP_TAG_UNINITIALIZED: u32 = 0xA143AF11;
-/// The end of page mesasge
+const LLMP_TAG_UNINITIALIZED: Tag = 0xA143AF11;
+/// The end of page message
 /// When receiving this, a new sharedmap needs to be allocated.
-const LLMP_TAG_END_OF_PAGE: u32 = 0xAF1E0F1;
-/// A new client for this broekr got added.
-const LLMP_TAG_NEW_SHM_CLIENT: u32 = 0xC11E471;
+const LLMP_TAG_END_OF_PAGE: Tag = 0xAF1E0F1;
+/// A new client for this broker got added.
+const LLMP_TAG_NEW_SHM_CLIENT: Tag = 0xC11E471;
+/// The sender on this map is exiting (if broker exits, clients should exit gracefully);
+const LLMP_TAG_EXITING: Tag = 0x13C5171;
 
 /// An env var of this value indicates that the set value was a NULL PTR
 const _NULL_ENV_STR: &str = "_NULL";
@@ -865,6 +864,7 @@ where
                 tag
             )));
         }
+
         unsafe {
             let msg = self.alloc_next(buf.len())?;
             (*msg).tag = tag;

libafl/src/events/llmp.rs

@@ -1,8 +1,10 @@
-use crate::bolts::{llmp::LlmpSender, shmem::HasFd};
 use alloc::{string::ToString, vec::Vec};
 use core::{marker::PhantomData, time::Duration};
 use serde::{de::DeserializeOwned, Serialize};
 
+#[cfg(feature = "std")]
+use core::ptr::read_volatile;
+
 #[cfg(feature = "std")]
 use crate::bolts::llmp::LlmpReceiver;
 
@@ -16,8 +18,8 @@ use crate::utils::{fork, ForkResult};
 use crate::bolts::shmem::UnixShMem;
 use crate::{
     bolts::{
-        llmp::{self, LlmpClient, LlmpClientDescription, Tag},
-        shmem::ShMem,
+        llmp::{self, LlmpClient, LlmpClientDescription, LlmpSender, Tag},
+        shmem::{HasFd, ShMem},
     },
     corpus::CorpusScheduler,
     events::{BrokerEventResult, Event, EventManager},
@@ -535,6 +537,7 @@ where
             mgr.broker_loop()?;
             return Err(Error::ShuttingDown);
         } else {
+            // We are the fuzzer respawner in a llmp client
             mgr.to_env(_ENV_FUZZER_BROKER_CLIENT_INITIAL);
 
             // First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts.
@@ -547,7 +550,7 @@ where
             sender.to_env(_ENV_FUZZER_SENDER)?;
             receiver.to_env(_ENV_FUZZER_RECEIVER)?;
 
-            let mut ctr = 0;
+            let mut ctr: u64 = 0;
             // Client->parent loop
             loop {
                 dbg!("Spawning next client (id {})", ctr);
@@ -563,7 +566,12 @@ where
                 #[cfg(windows)]
                 startable_self()?.status()?;
 
-                ctr += 1;
+                if unsafe { read_volatile(&(*receiver.current_recv_map.page()).size_used) } == 0 {
+                    // Storing state in the last round did not work
+                    panic!("Fuzzer-respawner: Storing state in crashed fuzzer instance did not work, no point to spawn the next client!");
+                }
+
+                ctr = ctr.wrapping_add(1);
             }
         }
     } else {