Pr/fixing forkserver libafl cc (#2066)

* Fixing forserver_libafl_cc

* Adding tests and showing user stats

* Restoring the map truncation

* Fmt

* small fix

* fix

* fix

* fix

---------

Co-authored-by: Dongjia "toka" Zhang <tokazerkje@outlook.com>

fuzzers/forkserver_libafl_cc/Cargo.toml

@@ -26,7 +26,7 @@ nix = "0.27"
 libafl = { path = "../../libafl/" }
 libafl_bolts = { path = "../../libafl_bolts/" }
 libafl_cc = { path = "../../libafl_cc/" }
-libafl_targets = { path = "../../libafl_targets/", features = ["sancov_pcguard_hitcounts", "libfuzzer"] }
+libafl_targets = { path = "../../libafl_targets/", features = ["sancov_pcguard_hitcounts", "libfuzzer", "pointer_maps"] }
 
 [lib]
 name = "libforkserver_libafl_cc"

fuzzers/forkserver_libafl_cc/Makefile.toml

@@ -101,6 +101,26 @@ taskset -c 1 ${CARGO_TARGET_DIR}/${PROFILE_DIR}/${CARGO_MAKE_PROJECT_NAME} ./${F
 '''
 dependencies = [ "fuzzer_crash" ]
 
+# Test
+[tasks.test]
+linux_alias = "test_unix"
+mac_alias = "test_unix"
+windows_alias = "unsupported"
+
+[tasks.test_unix]
+script_runner = "@shell"
+script='''
+timeout 30s ${CARGO_TARGET_DIR}/${PROFILE_DIR}/${CARGO_MAKE_PROJECT_NAME} ./${FUZZER_NAME} ./corpus/ -t 1000 >fuzz_stdout.log || true
+if grep -qa "objectives: 1" fuzz_stdout.log; then
+    echo "Fuzzer is working"
+else
+    echo "Fuzzer does not generate any testcases or any crashes"
+    exit 1
+fi
+
+'''
+dependencies = [ "fuzzer" ]
+
 # Clean up
 [tasks.clean]
 linux_alias = "clean_unix"

fuzzers/forkserver_libafl_cc/src/bin/libafl_cc.rs

@@ -1,6 +1,6 @@
 use std::env;
 
-use libafl_cc::{ClangWrapper, CompilerWrapper, LLVMPasses, ToolWrapper};
+use libafl_cc::{ClangWrapper, CompilerWrapper, ToolWrapper};
 
 pub fn main() {
     let args: Vec<String> = env::args().collect();
@@ -24,6 +24,7 @@ pub fn main() {
             .parse_args(&args)
             .expect("Failed to parse the command line")
             // Enable libafl's coverage instrumentation
+            .add_arg("-fsanitize-coverage=trace-pc-guard")
             // Imitate afl-cc's compile definitions 
             .add_arg("-D__AFL_FUZZ_INIT()=int __afl_sharedmem_fuzzing = 1;extern unsigned int *__afl_fuzz_len;extern unsigned char *__afl_fuzz_ptr;unsigned char __afl_fuzz_alt[1048576];unsigned char *__afl_fuzz_alt_ptr = __afl_fuzz_alt;void libafl_start_forkserver(void)")
             .add_arg("-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : __afl_fuzz_alt_ptr)")

fuzzers/forkserver_libafl_cc/src/main.rs

@@ -25,6 +25,7 @@ use libafl_bolts::{
     tuples::{tuple_list, MatchName, Merge},
     AsMutSlice, Truncate,
 };
+use libafl_targets::{EDGES_MAP_PTR, EDGES_MAP_SIZE};
 use nix::sys::signal::Signal;
 
 /// The commandline args this fuzzer accepts
@@ -85,8 +86,7 @@ struct Opt {
 
 #[allow(clippy::similar_names)]
 pub fn main() {
-    const MAP_SIZE: usize = 65536;
+    const MAP_SIZE: usize = EDGES_MAP_SIZE; //65536;
-
     let opt = Opt::parse();
 
     let corpus_dirs: Vec<PathBuf> = [opt.in_dir].to_vec();
@@ -99,6 +99,7 @@ pub fn main() {
     // let the forkserver know the shmid
     shmem.write_to_env("__AFL_SHM_ID").unwrap();
     let shmem_buf = shmem.as_mut_slice();
+    unsafe { EDGES_MAP_PTR = shmem_buf.as_mut_ptr() };
 
     // Create an observation channel using the signals map
     let edges_observer = unsafe {
@@ -145,7 +146,11 @@ pub fn main() {
     .unwrap();
 
     // The Monitor trait define how the fuzzer stats are reported to the user
-    let monitor = SimpleMonitor::new(|s| println!("{s}"));
+    let monitor = SimpleMonitor::with_user_monitor(
+        |s| {
+            println!("{s}");
+        }
+    );
 
     // The event manager handle the various events generated during the fuzzing loop
     // such as the notification of the addition of a new item to the corpus

fuzzers/fuzzbench_fork_qemu/src/fuzzer.rs

@@ -205,8 +205,7 @@ fn fuzz(
             #[cfg(windows)]
             println!("{s}");
             writeln!(log.borrow_mut(), "{:?} {s}", current_time()).unwrap();
-        },
+        }
-        true,
     );
 
     let mut shmem_provider = StdShMemProvider::new()?;

fuzzers/qemu_cmin/src/fuzzer.rs

@@ -145,8 +145,7 @@ pub fn fuzz() -> Result<(), Error> {
     let monitor = SimpleMonitor::with_user_monitor(
         |s| {
             println!("{s}");
-        },
+        }
-        true,
     );
     let (state, mut mgr) = match SimpleRestartingEventManager::launch(monitor, &mut shmem_provider)
     {

fuzzers/qemu_systemmode/example/main.c

@@ -1,5 +1,5 @@
 #ifdef TARGET_SYNC_EXIT
-#include "libafl_qemu.h"
+  #include "libafl_qemu.h"
 #endif
 
 int __attribute__((noinline)) BREAKPOINT() {
@@ -8,7 +8,7 @@ int __attribute__((noinline)) BREAKPOINT() {
 
 int LLVMFuzzerTestOneInput(unsigned int *Data, unsigned int Size) {
 #ifdef TARGET_SYNC_EXIT
-  LIBAFL_EXIT_START_PHYS((unsigned int) Data, Size);
+  LIBAFL_EXIT_START_PHYS((unsigned int)Data, Size);
 #endif
   if (Data[3] == 0) {
     while (1) {}

libafl/src/monitors/mod.rs

@@ -824,11 +824,11 @@ where
     }
 
     /// Creates the monitor that also prints the user monitor
-    pub fn with_user_monitor(print_fn: F, print_user_monitor: bool) -> Self {
+    pub fn with_user_monitor(print_fn: F) -> Self {
         Self {
             print_fn,
             start_time: current_time(),
-            print_user_monitor,
+            print_user_monitor: true,
             client_stats: vec![],
         }
     }

libafl_targets/src/coverage.rs

@@ -5,7 +5,7 @@ use alloc::string::String;
 #[cfg(any(target_os = "linux", target_vendor = "apple"))]
 use libafl::{mutators::Tokens, Error};
 
-use crate::{ACCOUNTING_MAP_SIZE, DDG_MAP_SIZE, EDGES_MAP_SIZE_MAX};
+use crate::{ACCOUNTING_MAP_SIZE, DDG_MAP_SIZE, EDGES_MAP_SIZE_IN_USE, EDGES_MAP_SIZE_MAX};
 
 /// The map for edges.
 #[no_mangle]
@@ -62,7 +62,7 @@ pub fn autotokens() -> Result<Tokens, Error> {
 
 /// The size of the map for edges.
 #[no_mangle]
-pub static mut __afl_map_size: usize = EDGES_MAP_SIZE_MAX;
+pub static mut __afl_map_size: usize = EDGES_MAP_SIZE_IN_USE;
 pub use __afl_map_size as EDGES_MAP_PTR_NUM;
 use libafl::observers::StdMapObserver;
 use libafl_bolts::ownedref::OwnedMutSlice;