fix restating mgr routine

afl/src/events/mod.rs

@@ -915,8 +915,10 @@ where
 /// A restarting state is a combination of restarter and runner, that can be used on systems without `fork`.
 /// The restarter will start a new process each time the child crashes or timeouts.
 #[cfg(feature = "std")]
-pub fn setup_restarting_state<I, C, FT, R, SH, ST>(
+pub fn setup_restarting_mgr<I, C, FT, R, SH, ST>(
-    mgr: &mut LlmpEventManager<I, SH, ST>,
+    //mgr: &mut LlmpEventManager<I, SH, ST>,
+    stats: ST,
+    broker_port: u16,
 ) -> Result<
     (
         Option<State<C, FT, I, R>>,
@@ -932,32 +934,44 @@ where
     SH: ShMem,
     ST: Stats,
 {
+    let mut mgr;
+
     // We start ourself as child process to actually fuzz
     if std::env::var(ENV_FUZZER_SENDER).is_err() {
-        mgr.to_env(ENV_FUZZER_BROKER_CLIENT_INITIAL);
 
-        // First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts.
+        mgr = LlmpEventManager::<I, SH, ST>::new_on_port(stats, broker_port)?;
-        let sender = LlmpSender::new(0, false)?;
+        if mgr.is_broker() {
-        let receiver = LlmpReceiver::on_existing_map(
+            // Yep, broker. Just loop here.
-            AflShmem::clone_ref(&sender.out_maps.last().unwrap().shmem)?,
+            println!("Doing broker things. Run this tool again to start fuzzing in a client.");
-            None,
+            mgr.broker_loop()?;
-        )?;
+        } else {
-        // Store the information to a map.
-        sender.to_env(ENV_FUZZER_SENDER)?;
-        receiver.to_env(ENV_FUZZER_RECEIVER)?;
         
-        let mut ctr = 0;
+            mgr.to_env(ENV_FUZZER_BROKER_CLIENT_INITIAL);
-        // Client->parent loop
+
-        loop {
+            // First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts.
-            dbg!("Spawning next client");
+            let sender = LlmpSender::new(0, false)?;
-            Command::new(env::current_exe()?)
+            let receiver = LlmpReceiver::on_existing_map(
-                .current_dir(env::current_dir()?)
+                AflShmem::clone_ref(&sender.out_maps.last().unwrap().shmem)?,
-                .args(env::args())
+                None,
-                .status()?;
+            )?;
-            ctr += 1;
+            // Store the information to a map.
-            if ctr == 10 {
+            sender.to_env(ENV_FUZZER_SENDER)?;
-                todo!("Fix this");
+            receiver.to_env(ENV_FUZZER_RECEIVER)?;
+
+            let mut ctr = 0;
+            // Client->parent loop
+            loop {
+                dbg!("Spawning next client");
+                Command::new(env::current_exe()?)
+                    .current_dir(env::current_dir()?)
+                    .args(env::args())
+                    .status()?;
+                ctr += 1;
+                if ctr == 10 {
+                    todo!("Fix this");
+                }
             }
+
         }
     }
 

afl/src/mutators/scheduled.rs

@@ -208,7 +208,7 @@ where
             let idx = self.scheduled.schedule(14, rand, input);
             let mutation = match idx {
                 0 => mutation_bitflip,
-                1 => mutation_byteflip,
+                /*1 => mutation_byteflip,
                 2 => mutation_byteinc,
                 3 => mutation_bytedec,
                 4 => mutation_byteneg,
@@ -219,7 +219,7 @@ where
                 8 => mutation_dwordadd,
                 9 => mutation_byteinteresting,
                 10 => mutation_wordinteresting,
-                11 => mutation_dwordinteresting,
+                11 => mutation_dwordinteresting,*/
                 _ => mutation_splice,
             };
             mutation(self, rand, state, input)?;
@@ -277,7 +277,7 @@ where
     pub fn new_default() -> Self {
         let mut scheduled = StdScheduledMutator::<C, I, R, S>::new();
         scheduled.add_mutation(mutation_bitflip);
-        scheduled.add_mutation(mutation_byteflip);
+        /*scheduled.add_mutation(mutation_byteflip);
         scheduled.add_mutation(mutation_byteinc);
         scheduled.add_mutation(mutation_bytedec);
         scheduled.add_mutation(mutation_byteneg);
@@ -301,7 +301,7 @@ where
         scheduled.add_mutation(mutation_bytesset);
         scheduled.add_mutation(mutation_bytesrandset);
         scheduled.add_mutation(mutation_bytescopy);
-        scheduled.add_mutation(mutation_bytesswap);
+        scheduled.add_mutation(mutation_bytesswap);*/
 
         /* TODO
         scheduled.add_mutation(mutation_tokeninsert);

fuzzers/libfuzzer_libpng/harness.cc

@@ -156,14 +156,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
     return 0;
   }
 
-#ifdef HAS_BUG
   // This is going to be too slow.
   if (width && height > 100000000 / width) {
     PNG_CLEANUP
+#ifdef HAS_BUG
     asm("ud2");
+#endif
     return 0;
   }
-#endif
 
   // Set several transforms that browsers typically use:
   png_set_gray_to_rgb(png_handler.png_ptr);

fuzzers/libfuzzer_libpng/src/mod.rs

@@ -4,13 +4,14 @@
 #[macro_use]
 extern crate clap;
 
+use afl::shmem::AflShmem;
 use clap::{App, Arg};
 use std::{env, path::PathBuf};
 
 use afl::{
     corpus::{Corpus, InMemoryCorpus},
-    events::setup_restarting_state,
+    events::setup_restarting_mgr,
-    events::{LlmpEventManager, SimpleStats},
+    events::{SimpleStats},
     executors::{inprocess::InProcessExecutor, Executor, ExitKind},
     feedbacks::MaxMapFeedback,
     inputs::Input,
@@ -120,38 +121,35 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), AflError> {
     // 'While the stats are state, they are usually used in the broker - which is likely never restarted
     let stats = SimpleStats::new(|s| println!("{}", s));
     
-    let mut mgr = LlmpEventManager::new_on_port_std(stats, broker_port)?;
+    // The restarting state will spawn the same process again as child, then restartet it each time it crashes.
-    if mgr.is_broker() {
+    let (state_opt, mut restarting_mgr) =
-        // Yep, broker. Just loop here.
+        setup_restarting_mgr::<_, _, _, _, AflShmem, _>(stats, broker_port).expect("Failed to setup the restarter".into());
-        println!("Doing broker things. Run this tool again to start fuzzing in a client.");
-        mgr.broker_loop()?;
-    }
 
     let edges_observer =
-        StdMapObserver::new_from_ptr(&NAME_COV_MAP, unsafe { __lafl_edges_map }, unsafe {
+    StdMapObserver::new_from_ptr(&NAME_COV_MAP, unsafe { __lafl_edges_map }, unsafe {
-            __lafl_max_edges_size as usize
+        __lafl_max_edges_size as usize
-        });
+    });
+
+    let mut state = match state_opt {
+        Some(s) => s,
+        None => {
+            State::new(
+                InMemoryCorpus::new(),
+                tuple_list!(MaxMapFeedback::new_with_observer(
+                    &NAME_COV_MAP,
+                    &edges_observer
+                )),
+            )
+        },
+    };
+
+    println!("We're a client, let's fuzz :)");
 
     let mut mutator = HavocBytesMutator::new_default();
     mutator.set_max_size(4096);
     let stage = StdMutationalStage::new(mutator);
     let mut fuzzer = StdFuzzer::new(tuple_list!(stage));
 
-    // The restarting state will spawn the same process again as child, then restartet it each time it crashes.
-    let (state_opt, mut restarting_mgr) =
-        setup_restarting_state(&mut mgr).expect("Failed to setup the restarter".into());
-    let mut state = match state_opt {
-        Some(s) => s,
-        None => State::new(
-            InMemoryCorpus::new(),
-            tuple_list!(MaxMapFeedback::new_with_observer(
-                &NAME_COV_MAP,
-                &edges_observer
-            )),
-        ),
-    };
-
-    println!("We're a client, let's fuzz :)");
 
     // Create the executor
     let mut executor = InProcessExecutor::new(