SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

CorpusScheduler -> Scheduler and move them to the schedulers folder (#560)

Browse Source 
* CorpusScheduler -> Scheduler

* fix book

* update fuzzers

* fix tests

* fix sugar

* fix

* fix tutorial

* fix tutorial

* fmt

* fix

* fmt

* fmt
This commit is contained in:
Andrea Fioraldi 2022-03-03 14:27:37 +01:00 committed by GitHub
parent 4e3091eace
commit a56f4af7da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
62 changed files with 360 additions and 856 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/src/baby_fuzzer.md
View File

@ -135,12 +135,12 @@ let mon = SimpleMonitor::new(|s| println!("{}", s));
let mut mgr = SimpleEventManager::new(mon);
```
In addition, we have the Fuzzer, an entity that contains some actions that alter the State. One of these actions is the scheduling of the testcases to the fuzzer using a CorpusScheduler.
We create it as QueueCorpusScheduler, a scheduler that serves testcases to the fuzzer in a FIFO fashion.
In addition, we have the Fuzzer, an entity that contains some actions that alter the State. One of these actions is the scheduling of the testcases to the fuzzer using a Scheduler.
We create it as QueueScheduler, a scheduler that serves testcases to the fuzzer in a FIFO fashion.
```rust,ignore
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, (), ());
@ -187,13 +187,14 @@ extern crate libafl;
use std::path::PathBuf;
use libafl::{
bolts::{current_nanos, rands::StdRand},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::{inprocess::InProcessExecutor, ExitKind},
fuzzer::StdFuzzer,
generators::RandPrintablesGenerator,
inputs::{BytesInput, HasTargetBytes},
monitors::SimpleMonitor,
schedulers::QueueScheduler,
state::StdState,
};
```

5
fuzzers/baby_fuzzer/src/main.rs
View File

@ -5,7 +5,7 @@ use std::ptr::write_volatile;
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::{inprocess::InProcessExecutor, ExitKind},
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback},
@ -15,6 +15,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::StdMapObserver,
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
@ -90,7 +91,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(mon);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/baby_fuzzer_gramatron/src/main.rs
View File

@ -10,7 +10,7 @@ use std::ptr::write_volatile;
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::{inprocess::InProcessExecutor, ExitKind},
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback},
@ -23,6 +23,7 @@ use libafl::{
StdScheduledMutator,
},
observers::StdMapObserver,
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
@ -91,7 +92,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(monitor);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/baby_fuzzer_grimoire/src/main.rs
View File

@ -6,7 +6,7 @@ use std::ptr::write_volatile;
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::{inprocess::InProcessExecutor, ExitKind},
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback},
@ -19,6 +19,7 @@ use libafl::{
GrimoireStringReplacementMutator, Tokens,
},
observers::StdMapObserver,
schedulers::QueueScheduler,
stages::{mutational::StdMutationalStage, GeneralizationStage},
state::{HasMetadata, StdState},
};
@ -126,7 +127,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(monitor);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/baby_fuzzer_nautilus/src/main.rs
View File

@ -5,7 +5,7 @@ use std::ptr::write_volatile;
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::{inprocess::InProcessExecutor, ExitKind},
feedback_or,
@ -20,6 +20,7 @@ use libafl::{
NautilusRandomMutator, NautilusRecursionMutator, NautilusSpliceMutator, StdScheduledMutator,
},
observers::StdMapObserver,
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::{HasMetadata, StdState},
};
@ -88,7 +89,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(monitor);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/baby_fuzzer_tokens/src/main.rs
View File

@ -6,7 +6,7 @@ use std::ptr::write_volatile;
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::{inprocess::InProcessExecutor, ExitKind},
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback},
@ -15,6 +15,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::{encoded_mutations::encoded_mutations, scheduled::StdScheduledMutator},
observers::StdMapObserver,
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
@ -99,7 +100,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(monitor);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/baby_fuzzer_with_forkexecutor/src/main.rs
View File

@ -11,7 +11,7 @@ use libafl::{
tuples::tuple_list,
AsMutSlice, AsSlice,
},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::{ExitKind, InProcessForkExecutor},
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback},
@ -21,6 +21,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::StdMapObserver,
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
@ -98,7 +99,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(mon);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/baby_no_std/src/main.rs
View File

@ -6,7 +6,7 @@
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
corpus::{InMemoryCorpus, QueueCorpusScheduler},
corpus::InMemoryCorpus,
events::SimpleEventManager,
executors::{inprocess::InProcessExecutor, ExitKind},
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback},
@ -16,6 +16,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::StdMapObserver,
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
@ -116,7 +117,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(monitor);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/backtrace_baby_fuzzers/c_code_with_fork_executor/src/main.rs
View File

@ -10,7 +10,7 @@ use libafl::{
shmem::{ShMem, StdShMemProvider},
tuples::tuple_list,
},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::InProcessForkExecutor,
feedback_and,
@ -23,6 +23,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::BacktraceObserver,
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
@ -93,7 +94,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(mon);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/backtrace_baby_fuzzers/c_code_with_inprocess_executor/src/main.rs
View File

@ -5,7 +5,7 @@ use libafl::executors::InProcessExecutor;
use libafl::observers::ConstMapObserver;
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
feedback_and,
feedbacks::{
@ -17,6 +17,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::BacktraceObserver,
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
@ -82,7 +83,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(mon);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/backtrace_baby_fuzzers/command_executor/src/main.rs
View File

@ -6,7 +6,7 @@ use libafl::{
tuples::tuple_list,
AsMutSlice, AsSlice,
},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::command::CommandConfigurator,
feedback_and,
@ -19,6 +19,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::{get_asan_runtime_flags, ASANBacktraceObserver, StdMapObserver},
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
Error,
@ -81,7 +82,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(mon);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/backtrace_baby_fuzzers/forkserver_executor/src/main.rs
View File

@ -6,7 +6,7 @@ use libafl::{
tuples::tuple_list,
AsMutSlice,
},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueScheduler},
events::SimpleEventManager,
executors::forkserver::ForkserverExecutor,
feedback_and,
@ -19,6 +19,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::{ASANBacktraceObserver, ConstMapObserver, HitcountsMapObserver},
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
@ -80,7 +81,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(monitor);
// A minimization+queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/backtrace_baby_fuzzers/rust_code_with_fork_executor/src/main.rs
View File

@ -11,7 +11,7 @@ use libafl::{
tuples::tuple_list,
AsMutSlice, AsSlice,
},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::{ExitKind, InProcessForkExecutor},
feedback_and,
@ -24,6 +24,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::{BacktraceObserver, StdMapObserver},
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
@ -110,7 +111,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(mon);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/backtrace_baby_fuzzers/rust_code_with_inprocess_executor/src/main.rs
View File

@ -5,7 +5,7 @@ use std::ptr::write_volatile;
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueScheduler},
events::SimpleEventManager,
executors::{inprocess::InProcessExecutor, ExitKind},
feedback_and,
@ -18,6 +18,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::{BacktraceObserver, StdMapObserver},
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
@ -104,7 +105,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(mon);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

8
fuzzers/forkserver_simple/src/main.rs
View File

@ -8,10 +8,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsMutSlice,
},
corpus::{
Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::forkserver::{ForkserverExecutor, TimeoutForkserverExecutor},
feedback_and_fast, feedback_or,
@ -21,6 +18,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::{scheduled::havoc_mutations, tokens_mutations, StdScheduledMutator, Tokens},
observers::{ConstMapObserver, HitcountsMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::mutational::StdMutationalStage,
state::{HasCorpus, HasMetadata, StdState},
};
@ -138,7 +136,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(monitor);
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

15
fuzzers/frida_libpng/src/fuzzer.rs
View File

@ -17,10 +17,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
ondisk::OnDiskMetadataFormat, CachedOnDiskCorpus, Corpus,
IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, QueueCorpusScheduler,
},
corpus::{ondisk::OnDiskMetadataFormat, CachedOnDiskCorpus, Corpus, OnDiskCorpus},
events::{llmp::LlmpRestartingEventManager, EventConfig},
executors::{inprocess::InProcessExecutor, ExitKind, ShadowExecutor},
feedback_or, feedback_or_fast,
@ -34,6 +31,7 @@ use libafl::{
token_mutations::Tokens,
},
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::{ShadowTracingStage, StdMutationalStage},
state::{HasCorpus, HasMetadata, StdState},
Error,
@ -176,8 +174,7 @@ unsafe fn fuzz(options: FuzzerOptions) -> Result<(), Error> {
let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));
// A minimization+queue policy to get testcasess from the corpus
let scheduler =
IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
@ -295,8 +292,7 @@ unsafe fn fuzz(options: FuzzerOptions) -> Result<(), Error> {
let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));
// A minimization+queue policy to get testcasess from the corpus
let scheduler =
IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
@ -430,8 +426,7 @@ unsafe fn fuzz(options: FuzzerOptions) -> Result<(), Error> {
let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));
// A minimization+queue policy to get testcasess from the corpus
let scheduler =
IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

7
fuzzers/fuzzbench/src/lib.rs
View File

@ -26,9 +26,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, PowerQueueCorpusScheduler,
},
corpus::{Corpus, OnDiskCorpus},
events::SimpleRestartingEventManager,
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or,
@ -41,6 +39,7 @@ use libafl::{
StdMOptMutator, StdScheduledMutator, Tokens,
},
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, PowerQueueScheduler},
stages::{
calibrate::CalibrationStage,
power::{PowerMutationalStage, PowerSchedule},
@ -311,7 +310,7 @@ fn fuzz(
let power = PowerMutationalStage::new(mutator, PowerSchedule::FAST, &edges_observer);
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(PowerQueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

7
fuzzers/fuzzbench_fork_qemu/src/fuzzer.rs
View File

@ -23,9 +23,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsMutSlice, AsSlice,
},
corpus::{
Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, PowerQueueCorpusScheduler,
},
corpus::{Corpus, OnDiskCorpus},
events::SimpleRestartingEventManager,
executors::{ExitKind, ShadowExecutor},
feedback_or,
@ -38,6 +36,7 @@ use libafl::{
StdMOptMutator, StdScheduledMutator, Tokens,
},
observers::{ConstMapObserver, HitcountsMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, PowerQueueScheduler},
stages::{
calibrate::CalibrationStage,
power::{PowerMutationalStage, PowerSchedule},
@ -282,7 +281,7 @@ fn fuzz(
let power = PowerMutationalStage::new(mutator, PowerSchedule::FAST, &edges_observer);
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(PowerQueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

7
fuzzers/fuzzbench_qemu/src/fuzzer.rs
View File

@ -23,9 +23,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, PowerQueueCorpusScheduler,
},
corpus::{Corpus, OnDiskCorpus},
events::SimpleRestartingEventManager,
executors::{ExitKind, ShadowExecutor, TimeoutExecutor},
feedback_or,
@ -38,6 +36,7 @@ use libafl::{
StdMOptMutator, StdScheduledMutator, Tokens,
},
observers::{HitcountsMapObserver, TimeObserver, VariableMapObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, PowerQueueScheduler},
stages::{
calibrate::CalibrationStage,
power::{PowerMutationalStage, PowerSchedule},
@ -295,7 +294,7 @@ fn fuzz(
let power = PowerMutationalStage::new(mutator, PowerSchedule::FAST, &edges_observer);
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(PowerQueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

9
fuzzers/fuzzbench_text/src/lib.rs
View File

@ -27,9 +27,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, PowerQueueCorpusScheduler,
},
corpus::{Corpus, OnDiskCorpus},
events::SimpleRestartingEventManager,
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or,
@ -47,6 +45,7 @@ use libafl::{
tokens_mutations, StdMOptMutator, StdScheduledMutator, Tokens,
},
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, PowerQueueScheduler},
stages::{
calibrate::CalibrationStage,
power::{PowerMutationalStage, PowerSchedule},
@ -372,7 +371,7 @@ fn fuzz_binary(
let power = PowerMutationalStage::new(mutator, PowerSchedule::FAST, &edges_observer);
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(PowerQueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
@ -589,7 +588,7 @@ fn fuzz_text(
let grimoire = StdMutationalStage::new(grimoire_mutator);
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(PowerQueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

1
fuzzers/generic_inmemory/.gitignore vendored
View File

@ -1 +0,0 @@
fuzzer

32
fuzzers/generic_inmemory/Cargo.toml
View File

@ -1,32 +0,0 @@
[package]
name = "generic_inmemory"
version = "0.7.1"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"
[features]
default = ["std"]
std = []
[profile.release]
lto = true
codegen-units = 1
opt-level = 3
debug = true
[build-dependencies]
cc = { version = "1.0", features = ["parallel"] }
which = { version = "4.0.2" }
num_cpus = "1.0"
[dependencies]
libafl = { path = "../../libafl/" }
libafl_targets = { path = "../../libafl_targets/", features = ["sancov_pcguard_hitcounts", "sancov_cmplog", "libfuzzer"] }
# TODO Include it only when building cc
libafl_cc = { path = "../../libafl_cc/" }
clap = { version = "3.0", features = ["derive"] }
mimalloc = { version = "*", default-features = false }
[lib]
name = "generic_inmemory"
crate-type = ["staticlib"]

79
fuzzers/generic_inmemory/Makefile.toml
View File

@ -1,79 +0,0 @@
[env]
FUZZER_NAME="fuzzer"
PROJECT_DIR = { script = ["pwd"] }
[tasks.unsupported]
script_runner="@shell"
script='''
echo "Cargo-make not integrated yet on this"
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build" , "--release"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build" , "--release"]
# Fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "target/release/libafl_cc"
args = ["-O3", "fuzz.c", "-o", "fuzzer"]
dependencies = ["cc", "cxx"]
# Run
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner="@shell"
script='''
./${FUZZER_NAME} --cores 0 --broker-port 31337
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner="@shell"
script='''
timeout 10s ./${FUZZER_NAME} --cores 0 --broker-port 31337 || [ $? -eq 124 ]
'''
dependencies = ["fuzzer"]
# Clean
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
script_runner="@shell"
script='''
rm ./${FUZZER_NAME} || true
'''

3
fuzzers/generic_inmemory/README.md
View File

@ -1,3 +0,0 @@
# Generic In-Memory Fuzzer
This is a generic in-memory fuzzer based on LibAFL

16
fuzzers/generic_inmemory/fuzz.c
View File

@ -1,16 +0,0 @@
#include <stdint.h>
#include <stdlib.h>
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size >= 8 && *(uint32_t*)Data == 0xaabbccdd)
return 1;
return 0;
}
/*
int main() {
char buf [10] = {0};
LLVMFuzzerTestOneInput(buf, 10);
}*/

36
fuzzers/generic_inmemory/src/bin/libafl_cc.rs
View File

@ -1,36 +0,0 @@
use libafl_cc::{ClangWrapper, CompilerWrapper, LLVMPasses};
use std::env;
pub fn main() {
let args: Vec<String> = env::args().collect();
if args.len() > 1 {
let mut dir = env::current_exe().unwrap();
let wrapper_name = dir.file_name().unwrap().to_str().unwrap();
let is_cpp = match wrapper_name[wrapper_name.len()-2..].to_lowercase().as_str() {
"cc" => false,
"++" | "pp" | "xx" => true,
_ => panic!("Could not figure out if c or c++ warpper was called. Expected {:?} to end with c or cxx", dir),
};
dir.pop();
let mut cc = ClangWrapper::new();
if let Some(code) = cc
.cpp(is_cpp)
// silence the compiler wrapper output, needed for some configure scripts.
.silence(true)
.parse_args(&args)
.expect("Failed to parse the command line")
.link_staticlib(&dir, "generic_inmemory")
.add_arg("-fsanitize-coverage=trace-pc-guard,trace-cmp")
.add_pass(LLVMPasses::CmpLogRtn)
.run()
.expect("Failed to run the wrapped compiler")
{
std::process::exit(code);
}
} else {
panic!("LibAFL CC: No Arguments given");
}
}

5
fuzzers/generic_inmemory/src/bin/libafl_cxx.rs
View File

@ -1,5 +0,0 @@
pub mod libafl_cc;
fn main() {
libafl_cc::main()
}

314
fuzzers/generic_inmemory/src/lib.rs
View File

@ -1,314 +0,0 @@
//! A libfuzzer-like fuzzer with llmp-multithreading support and restarts
//! The `launcher` will spawn new processes for each cpu core.
use mimalloc::MiMalloc;
#[global_allocator]
static GLOBAL: MiMalloc = MiMalloc;
use clap::{self, StructOpt};
use core::time::Duration;
use std::{env, net::SocketAddr, path::PathBuf};
use libafl::{
bolts::{
current_nanos,
launcher::Launcher,
os::Cores,
rands::StdRand,
shmem::{ShMemProvider, StdShMemProvider},
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
events::EventConfig,
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or,
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback, TimeoutFeedback},
fuzzer::{Fuzzer, StdFuzzer},
generators::RandBytesGenerator,
inputs::{BytesInput, HasTargetBytes},
monitors::MultiMonitor,
mutators::{
scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
token_mutations::{I2SRandReplace, Tokens},
},
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
stages::{StdMutationalStage, TracingStage},
state::{HasCorpus, HasMetadata, StdState},
Error,
};
use libafl_targets::{
libfuzzer_initialize, libfuzzer_test_one_input, CmpLogObserver, CMPLOG_MAP, EDGES_MAP,
MAX_EDGES_NUM,
};
/// Parses a millseconds int into a [`Duration`], used for commandline arg parsing
fn timeout_from_millis_str(time: &str) -> Result<Duration, Error> {
Ok(Duration::from_millis(time.parse()?))
}
#[derive(Debug, StructOpt)]
#[clap(
name = "generic_inmemory",
about = "A generic libfuzzer-like fuzzer with llmp-multithreading support",
author = "Andrea Fioraldi <andreafioraldi@gmail.com>, Dominik Maier <domenukk@gmail.com>"
)]
struct Opt {
#[clap(
short,
long,
parse(try_from_str = Cores::from_cmdline),
help = "Spawn a client in each of the provided cores. Broker runs in the 0th core. 'all' to select all available cores. 'none' to run a client without binding to any core. eg: '1,2-4,6' selects the cores 1,2,3,4,6.",
name = "CORES"
)]
cores: Cores,
#[clap(
short = 'p',
long,
help = "Choose the broker TCP port, default is 1337",
name = "PORT"
)]
broker_port: u16,
#[clap(
parse(try_from_str),
short = 'a',
long,
help = "Specify a remote broker",
name = "REMOTE"
)]
remote_broker_addr: Option<SocketAddr>,
#[clap(
parse(try_from_str),
short,
long,
help = "Set an initial corpus directory",
name = "INPUT"
)]
input: Vec<PathBuf>,
#[clap(
short,
long,
parse(try_from_str),
help = "Set the output directory, default is ./out",
name = "OUTPUT",
default_value = "./out"
)]
output: PathBuf,
#[clap(
parse(try_from_str = timeout_from_millis_str),
short,
long,
help = "Set the exeucution timeout in milliseconds, default is 1000",
name = "TIMEOUT",
default_value = "1000"
)]
timeout: Duration,
#[clap(
parse(from_os_str),
short = 'x',
long,
help = "Feed the fuzzer with an user-specified list of tokens (often called \"dictionary\"",
name = "TOKENS",
multiple_occurrences = true
)]
tokens: Vec<PathBuf>,
}
/// The main fn, `no_mangle` as it is a C symbol
#[no_mangle]
pub fn libafl_main() {
// Registry the metadata types used in this fuzzer
// Needed only on no_std
//RegistryBuilder::register::<Tokens>();
let workdir = env::current_dir().unwrap();
let opt = Opt::parse();
let cores = opt.cores;
let broker_port = opt.broker_port;
let remote_broker_addr = opt.remote_broker_addr;
let input_dirs = opt.input;
let output_dir = opt.output;
let token_files = opt.tokens;
let timeout_ms = opt.timeout;
// let cmplog_enabled = matches.is_present("cmplog");
println!("Workdir: {:?}", workdir.to_string_lossy().to_string());
let shmem_provider = StdShMemProvider::new().expect("Failed to init shared memory");
let monitor = MultiMonitor::new(|s| println!("{}", s));
let mut run_client = |state: Option<StdState<_, _, _, _, _>>, mut mgr, _core_id| {
// Create an observation channel using the coverage map
let edges = unsafe { &mut EDGES_MAP[0..MAX_EDGES_NUM] };
let edges_observer = HitcountsMapObserver::new(StdMapObserver::new("edges", edges));
// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
// Create the Cmp observer
let cmplog = unsafe { &mut CMPLOG_MAP };
let cmplog_observer = CmpLogObserver::new("cmplog", cmplog, true);
// The state of the edges feedback.
let feedback_state = MapFeedbackState::with_observer(&edges_observer);
// Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR
let feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false),
// Time feedback, this one does not need a feedback state
TimeFeedback::new_with_observer(&time_observer)
);
// A feedback to choose if an input is a solution or not
let objective = feedback_or!(CrashFeedback::new(), TimeoutFeedback::new());
// If not restarting, create a State from scratch
let mut state = state.unwrap_or_else(|| {
StdState::new(
// RNG
StdRand::with_seed(current_nanos()),
// Corpus that will be evolved, we keep it in memory for performance
InMemoryCorpus::new(),
// Corpus in which we store solutions (crashes in this example),
// on disk so the user can get them after stopping the fuzzer
OnDiskCorpus::new(output_dir.clone()).unwrap(),
// States of the feedbacks.
// They are the data related to the feedbacks that you want to persist in the State.
tuple_list!(feedback_state),
)
});
// Create a dictionary if not existing
if state.metadata().get::<Tokens>().is_none() {
for tokens_file in &token_files {
state.add_metadata(Tokens::from_file(tokens_file)?);
}
}
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
// The wrapped harness function, calling out to the LLVM-style harness
let mut harness = |input: &BytesInput| {
let target = input.target_bytes();
let buf = target.as_slice();
libfuzzer_test_one_input(buf);
ExitKind::Ok
};
// Create the executor for an in-process function with one observer for edge coverage and one for the execution time
let mut executor = TimeoutExecutor::new(
InProcessExecutor::new(
&mut harness,
tuple_list!(edges_observer, time_observer),
&mut fuzzer,
&mut state,
&mut mgr,
)?,
timeout_ms,
);
// Secondary harness due to mut ownership
let mut harness = |input: &BytesInput| {
let target = input.target_bytes();
let buf = target.as_slice();
libfuzzer_test_one_input(buf);
ExitKind::Ok
};
// Setup a tracing stage in which we log comparisons
let tracing = TracingStage::new(InProcessExecutor::new(
&mut harness,
tuple_list!(cmplog_observer),
&mut fuzzer,
&mut state,
&mut mgr,
)?);
// Setup a randomic Input2State stage
let i2s =
StdMutationalStage::new(StdScheduledMutator::new(tuple_list!(I2SRandReplace::new())));
// Setup a basic mutator
let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));
let mutational = StdMutationalStage::new(mutator);
// The order of the stages matter!
let mut stages = tuple_list!(tracing, i2s, mutational);
// The actual target run starts here.
// Call LLVMFUzzerInitialize() if present.
let args: Vec<String> = env::args().collect();
if libfuzzer_initialize(&args) == -1 {
println!("Warning: LLVMFuzzerInitialize failed with -1")
}
// In case the corpus is empty (on first run), reset
if state.corpus().count() < 1 {
if input_dirs.is_empty() {
// Generator of printable bytearrays of max size 32
let mut generator = RandBytesGenerator::new(32);
// Generate 8 initial inputs
state
.generate_initial_inputs(
&mut fuzzer,
&mut executor,
&mut generator,
&mut mgr,
8,
)
.expect("Failed to generate the initial corpus");
println!(
"We imported {} inputs from the generator.",
state.corpus().count()
);
} else {
println!("Loading from {:?}", &input_dirs);
// Load from disk
state
.load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &input_dirs)
.unwrap_or_else(|_| {
panic!("Failed to load initial corpus at {:?}", &input_dirs)
});
println!("We imported {} inputs from disk.", state.corpus().count());
}
}
fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?;
Ok(())
};
match Launcher::builder()
.shmem_provider(shmem_provider)
.configuration(EventConfig::from_name("default"))
.monitor(monitor)
.run_client(&mut run_client)
.cores(&cores)
.broker_port(broker_port)
.remote_broker_addr(remote_broker_addr)
//.stdout_file(Some("/dev/null"))
.build()
.launch()
{
Ok(_) | Err(Error::ShuttingDown) => (),
Err(e) => panic!("{:?}", e),
};
}

8
fuzzers/libafl_atheris/src/lib.rs
View File

@ -21,10 +21,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
corpus::{Corpus, OnDiskCorpus},
events::EventConfig,
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or,
@ -36,6 +33,7 @@ use libafl::{
mutators::scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
mutators::token_mutations::{I2SRandReplace, Tokens},
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, PowerQueueScheduler},
stages::{StdMutationalStage, TracingStage},
state::{HasCorpus, HasMetadata, StdState},
Error,
@ -271,7 +269,7 @@ pub fn LLVMFuzzerRunDriver(
}
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/libfuzzer_libmozjpeg/src/lib.rs
View File

@ -13,7 +13,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus, RandCorpusScheduler},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
events::{setup_restarting_mgr_std, EventConfig},
executors::{inprocess::InProcessExecutor, ExitKind},
feedback_or,
@ -24,6 +24,7 @@ use libafl::{
mutators::scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
mutators::token_mutations::Tokens,
observers::StdMapObserver,
schedulers::RandScheduler,
stages::mutational::StdMutationalStage,
state::{HasCorpus, HasMetadata, StdState},
Error,
@ -136,7 +137,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
let mut stages = tuple_list!(StdMutationalStage::new(mutator));
// A random policy to get testcasess from the corpus
let scheduler = RandCorpusScheduler::new();
let scheduler = RandScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

8
fuzzers/libfuzzer_libpng/src/lib.rs
View File

@ -14,10 +14,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
PowerQueueCorpusScheduler,
},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
events::{setup_restarting_mgr_std, EventConfig, EventRestarter},
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or, feedback_or_fast,
@ -28,6 +25,7 @@ use libafl::{
mutators::scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
mutators::token_mutations::Tokens,
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, PowerQueueScheduler},
stages::{
calibrate::CalibrationStage,
power::{PowerMutationalStage, PowerSchedule},
@ -138,7 +136,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
let mut stages = tuple_list!(calibration, power);
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(PowerQueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

15
fuzzers/libfuzzer_libpng_accounting/src/lib.rs
View File

@ -20,10 +20,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
Corpus, CoverageAccountingCorpusScheduler, InMemoryCorpus, OnDiskCorpus,
QueueCorpusScheduler,
},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
events::EventConfig,
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or, feedback_or_fast,
@ -34,6 +31,7 @@ use libafl::{
mutators::scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
mutators::token_mutations::Tokens,
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{CoverageAccountingScheduler, QueueScheduler},
stages::mutational::StdMutationalStage,
state::{HasCorpus, HasMetadata, StdState},
Error,
@ -202,11 +200,10 @@ pub fn libafl_main() {
let mut stages = tuple_list!(StdMutationalStage::new(mutator));
// A minimization+queue policy to get testcasess from the corpus
let scheduler = CoverageAccountingCorpusScheduler::new(
&mut state,
QueueCorpusScheduler::new(),
unsafe { &ACCOUNTING_MEMOP_MAP },
);
let scheduler =
CoverageAccountingScheduler::new(&mut state, QueueScheduler::new(), unsafe {
&ACCOUNTING_MEMOP_MAP
});
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

8
fuzzers/libfuzzer_libpng_ctx/src/lib.rs
View File

@ -20,10 +20,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
events::EventConfig,
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or, feedback_or_fast,
@ -36,6 +33,7 @@ use libafl::{
token_mutations::Tokens,
},
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, PowerQueueScheduler},
stages::mutational::StdMutationalStage,
state::{HasCorpus, HasMetadata, StdState},
Error,
@ -201,7 +199,7 @@ pub fn libafl_main() {
let mut stages = tuple_list!(StdMutationalStage::new(mutator));
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

8
fuzzers/libfuzzer_libpng_launcher/src/lib.rs
View File

@ -20,10 +20,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
events::EventConfig,
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or, feedback_or_fast,
@ -34,6 +31,7 @@ use libafl::{
mutators::scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
mutators::token_mutations::Tokens,
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, PowerQueueScheduler},
stages::mutational::StdMutationalStage,
state::{HasCorpus, HasMetadata, StdState},
Error,
@ -200,7 +198,7 @@ pub fn libafl_main() {
let mut stages = tuple_list!(StdMutationalStage::new(mutator));
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/libfuzzer_reachability/src/lib.rs
View File

@ -8,7 +8,7 @@ use std::{env, path::PathBuf};
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus, RandCorpusScheduler},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
events::{setup_restarting_mgr_std, EventConfig, EventRestarter},
executors::{inprocess::InProcessExecutor, ExitKind},
feedbacks::{MapFeedbackState, MaxMapFeedback, ReachabilityFeedback},
@ -17,6 +17,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::{HitcountsMapObserver, StdMapObserver},
schedulers::RandScheduler,
stages::mutational::StdMutationalStage,
state::{HasCorpus, StdState},
Error,
@ -106,7 +107,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
let mut stages = tuple_list!(StdMutationalStage::new(mutator));
// A random policy to get testcasess from the corpus
let scheduler = RandCorpusScheduler::new();
let scheduler = RandScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

8
fuzzers/libfuzzer_stb_image/src/main.rs
View File

@ -8,10 +8,7 @@ use std::{env, path::PathBuf};
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
corpus::{
Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
events::{setup_restarting_mgr_std, EventConfig},
executors::{inprocess::InProcessExecutor, ExitKind, ShadowExecutor},
feedback_or,
@ -22,6 +19,7 @@ use libafl::{
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
mutators::token_mutations::I2SRandReplace,
observers::{StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, PowerQueueScheduler},
stages::{ShadowTracingStage, StdMutationalStage},
state::{HasCorpus, StdState},
Error,
@ -113,7 +111,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
println!("We're a client, let's fuzz :)");
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

8
fuzzers/libfuzzer_stb_image_concolic/fuzzer/src/main.rs
View File

@ -15,10 +15,7 @@ use libafl::{
tuples::{tuple_list, Named},
AsMutSlice, AsSlice,
},
corpus::{
Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
events::{setup_restarting_mgr_std, EventConfig},
executors::{
command::CommandConfigurator, inprocess::InProcessExecutor, ExitKind, ShadowExecutor,
@ -39,6 +36,7 @@ use libafl::{
},
StdMapObserver, TimeObserver,
},
schedulers::{IndexesLenTimeMinimizerScheduler, PowerQueueScheduler},
stages::{
ConcolicTracingStage, ShadowTracingStage, SimpleConcolicMutationalStage,
StdMutationalStage, TracingStage,
@ -148,7 +146,7 @@ fn fuzz(
println!("We're a client, let's fuzz :)");
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/push_harness/src/main.rs
View File

@ -4,7 +4,7 @@ use klo_routines::*;
use libafl::inputs::{BytesInput, HasTargetBytes};
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
corpus::{InMemoryCorpus, OnDiskCorpus},
events::SimpleEventManager,
executors::{inprocess::InProcessExecutor, ExitKind},
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback},
@ -13,6 +13,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::StdMapObserver,
schedulers::QueueScheduler,
stages::mutational::StdMutationalStage,
state::StdState,
};
@ -71,7 +72,7 @@ fn input_generator() {
let mut mgr = SimpleEventManager::new(monitor);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

7
fuzzers/push_stage_harness/src/main.rs
View File

@ -9,9 +9,7 @@ use std::{path::PathBuf, rc::Rc};
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
corpus::{
Corpus, CorpusScheduler, InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler, Testcase,
},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus, Testcase},
events::SimpleEventManager,
executors::ExitKind,
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback},
@ -20,6 +18,7 @@ use libafl::{
monitors::SimpleMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::StdMapObserver,
schedulers::{QueueScheduler, Scheduler},
stages::push::{PushStageSharedState, StdMutationalPushStage},
state::{HasCorpus, StdState},
};
@ -68,7 +67,7 @@ pub fn main() {
let mgr = SimpleEventManager::new(monitor);
// A queue policy to get testcasess from the corpus
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
// Create the executor for an in-process function with just one observer
//let mut executor = InProcessExecutor::new(&mut harness, &mut fuzzer, &mut state, &mut mgr)

8
fuzzers/qemu_launcher/src/fuzzer.rs
View File

@ -13,10 +13,7 @@ use libafl::{
tuples::tuple_list,
AsSlice,
},
corpus::{
Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
events::EventConfig,
executors::{ExitKind, TimeoutExecutor},
feedback_or, feedback_or_fast,
@ -26,6 +23,7 @@ use libafl::{
monitors::MultiMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::{HitcountsMapObserver, TimeObserver, VariableMapObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::StdMutationalStage,
state::{HasCorpus, StdState},
Error,
@ -154,7 +152,7 @@ pub fn fuzz() {
});
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

5
fuzzers/tutorial/src/lib.rs
View File

@ -8,7 +8,7 @@ use std::{env, path::PathBuf};
use libafl::{
bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus, PowerQueueCorpusScheduler},
corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
events::{setup_restarting_mgr_std, EventConfig, EventRestarter},
executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
feedback_or, feedback_or_fast,
@ -17,6 +17,7 @@ use libafl::{
inputs::HasTargetBytes,
monitors::MultiMonitor,
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::PowerQueueScheduler,
stages::{
calibrate::CalibrationStage,
power::{PowerMutationalStage, PowerSchedule},
@ -133,7 +134,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
let mut stages = tuple_list!(calibration, power);
// A minimization+queue policy to get testcasess from the corpus
let scheduler = PacketLenMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new());
let scheduler = PacketLenMinimizerScheduler::new(PowerQueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

7
fuzzers/tutorial/src/metadata.rs
View File

@ -1,10 +1,11 @@
use libafl::{
bolts::tuples::Named,
corpus::{FavFactor, MinimizerCorpusScheduler, Testcase},
corpus::Testcase,
events::EventFirer,
executors::ExitKind,
feedbacks::{Feedback, MapIndexesMetadata},
observers::ObserversTuple,
schedulers::{FavFactor, MinimizerScheduler},
state::{HasClientPerfMonitor, HasMetadata},
Error, SerdeAny,
};
@ -29,8 +30,8 @@ impl FavFactor<PacketData> for PacketLenFavFactor {
}
}
pub type PacketLenMinimizerCorpusScheduler<CS, S> =
MinimizerCorpusScheduler<CS, PacketLenFavFactor, PacketData, MapIndexesMetadata, S>;
pub type PacketLenMinimizerScheduler<CS, S> =
MinimizerScheduler<CS, PacketLenFavFactor, PacketData, MapIndexesMetadata, S>;
#[derive(Serialize, Deserialize, Default, Clone, Debug)]
pub struct PacketLenFeedback {

104
libafl/src/corpus/mod.rs
View File

@ -16,36 +16,9 @@ pub mod cached;
#[cfg(feature = "std")]
pub use cached::CachedOnDiskCorpus;
pub mod queue;
pub use queue::QueueCorpusScheduler;
pub mod probabilistic_sampling;
pub use probabilistic_sampling::ProbabilitySamplingCorpusScheduler;
pub mod accounting;
pub use accounting::*;
pub mod fav_factor;
pub use fav_factor::{FavFactor, LenTimeMulFavFactor};
pub mod minimizer;
pub use minimizer::{
IndexesLenTimeMinimizerCorpusScheduler, IsFavoredMetadata, LenTimeMinimizerCorpusScheduler,
MinimizerCorpusScheduler, TopRatedsMetadata,
};
pub mod powersched;
pub use powersched::PowerQueueCorpusScheduler;
use alloc::borrow::ToOwned;
use core::cell::RefCell;
use crate::{
bolts::rands::Rand,
inputs::Input,
state::{HasCorpus, HasRand},
Error,
};
use crate::{inputs::Input, Error};
/// Corpus with all current testcases
pub trait Corpus<I>: serde::Serialize + serde::de::DeserializeOwned
@ -79,81 +52,6 @@ where
fn current_mut(&mut self) -> &mut Option<usize>;
}
/// The scheduler define how the fuzzer requests a testcase from the corpus.
/// It has hooks to corpus add/replace/remove to allow complex scheduling algorithms to collect data.
pub trait CorpusScheduler<I, S>
where
I: Input,
{
/// Add an entry to the corpus and return its index
fn on_add(&self, _state: &mut S, _idx: usize) -> Result<(), Error> {
Ok(())
}
/// Replaces the testcase at the given idx
fn on_replace(
&self,
_state: &mut S,
_idx: usize,
_testcase: &Testcase<I>,
) -> Result<(), Error> {
Ok(())
}
/// Removes an entry from the corpus, returning it if it was present.
fn on_remove(
&self,
_state: &mut S,
_idx: usize,
_testcase: &Option<Testcase<I>>,
) -> Result<(), Error> {
Ok(())
}
/// Gets the next entry
fn next(&self, state: &mut S) -> Result<usize, Error>;
}
/// Feed the fuzzer simpply with a random testcase on request
#[derive(Debug, Clone)]
pub struct RandCorpusScheduler;
impl<I, S> CorpusScheduler<I, S> for RandCorpusScheduler
where
S: HasCorpus<I> + HasRand,
I: Input,
{
/// Gets the next entry at random
fn next(&self, state: &mut S) -> Result<usize, Error> {
if state.corpus().count() == 0 {
Err(Error::Empty("No entries in corpus".to_owned()))
} else {
let len = state.corpus().count();
let id = state.rand_mut().below(len as u64) as usize;
*state.corpus_mut().current_mut() = Some(id);
Ok(id)
}
}
}
impl RandCorpusScheduler {
/// Create a new [`RandCorpusScheduler`] that just schedules randomly.
#[must_use]
pub fn new() -> Self {
Self
}
}
impl Default for RandCorpusScheduler {
fn default() -> Self {
Self::new()
}
}
/// A [`StdCorpusScheduler`] uses the default scheduler in `LibAFL` to schedule [`Testcase`]s.
/// The current `Std` is a [`RandCorpusScheduler`], although this may change in the future, if another [`CorpusScheduler`] delivers better results.
pub type StdCorpusScheduler = RandCorpusScheduler;
/// `Corpus` Python bindings
#[cfg(feature = "python")]
pub mod pybind {

5
libafl/src/events/llmp.rs
View File

@ -948,11 +948,12 @@ mod tests {
staterestore::StateRestorer,
tuples::tuple_list,
},
corpus::{Corpus, InMemoryCorpus, RandCorpusScheduler, Testcase},
corpus::{Corpus, InMemoryCorpus, Testcase},
events::{llmp::_ENV_FUZZER_SENDER, LlmpEventManager},
executors::{ExitKind, InProcessExecutor},
inputs::BytesInput,
mutators::BitFlipMutator,
schedulers::RandScheduler,
stages::StdMutationalStage,
state::StdState,
Fuzzer, StdFuzzer,
@ -988,7 +989,7 @@ mod tests {
let mut llmp_mgr =
LlmpEventManager::<BytesInput, (), _, _>::new(llmp_client, "fuzzer".into()).unwrap();
let scheduler = RandCorpusScheduler::new();
let scheduler = RandScheduler::new();
let mut fuzzer = StdFuzzer::new(scheduler, (), ());

35
libafl/src/fuzzer/mod.rs
View File

@ -2,13 +2,14 @@
use crate::{
bolts::current_time,
corpus::{Corpus, CorpusScheduler, Testcase},
corpus::{Corpus, Testcase},
events::{Event, EventConfig, EventFirer, EventManager, ProgressReporter},
executors::{Executor, ExitKind, HasObservers},
feedbacks::Feedback,
inputs::Input,
mark_feature_time,
observers::ObserversTuple,
schedulers::Scheduler,
stages::StagesTuple,
start_timer,
state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasSolutions},
@ -25,9 +26,9 @@ use core::{marker::PhantomData, time::Duration};
const STATS_TIMEOUT_DEFAULT: Duration = Duration::from_secs(15);
/// Holds a scheduler
pub trait HasCorpusScheduler<CS, I, S>
pub trait HasScheduler<CS, I, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
I: Input,
{
/// The scheduler
@ -235,7 +236,7 @@ pub enum ExecuteInputResult {
#[derive(Debug)]
pub struct StdFuzzer<CS, F, I, OF, OT, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
F: Feedback<I, S>,
I: Input,
OF: Feedback<I, S>,
@ -247,9 +248,9 @@ where
phantom: PhantomData<(I, OT, S)>,
}
impl<CS, F, I, OF, OT, S> HasCorpusScheduler<CS, I, S> for StdFuzzer<CS, F, I, OF, OT, S>
impl<CS, F, I, OF, OT, S> HasScheduler<CS, I, S> for StdFuzzer<CS, F, I, OF, OT, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
F: Feedback<I, S>,
I: Input,
OF: Feedback<I, S>,
@ -266,7 +267,7 @@ where
impl<CS, F, I, OF, OT, S> HasFeedback<F, I, S> for StdFuzzer<CS, F, I, OF, OT, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
F: Feedback<I, S>,
I: Input,
OF: Feedback<I, S>,
@ -283,7 +284,7 @@ where
impl<CS, F, I, OF, OT, S> HasObjective<I, OF, S> for StdFuzzer<CS, F, I, OF, OT, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
F: Feedback<I, S>,
I: Input,
OF: Feedback<I, S>,
@ -300,7 +301,7 @@ where
impl<CS, F, I, OF, OT, S> ExecutionProcessor<I, OT, S> for StdFuzzer<CS, F, I, OF, OT, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
F: Feedback<I, S>,
I: Input,
OF: Feedback<I, S>,
@ -414,7 +415,7 @@ where
impl<CS, F, I, OF, OT, S> EvaluatorObservers<I, OT, S> for StdFuzzer<CS, F, I, OF, OT, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
OT: ObserversTuple<I, S> + serde::Serialize + serde::de::DeserializeOwned,
F: Feedback<I, S>,
I: Input,
@ -443,7 +444,7 @@ where
impl<CS, E, EM, F, I, OF, OT, S> Evaluator<E, EM, I, S> for StdFuzzer<CS, F, I, OF, OT, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
E: Executor<EM, I, S, Self> + HasObservers<I, OT, S>,
OT: ObserversTuple<I, S> + serde::Serialize + serde::de::DeserializeOwned,
EM: EventManager<E, I, S, Self>,
@ -509,7 +510,7 @@ where
impl<CS, E, EM, F, I, OF, OT, S, ST> Fuzzer<E, EM, I, S, ST> for StdFuzzer<CS, F, I, OF, OT, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventManager<E, I, S, Self>,
F: Feedback<I, S>,
I: Input,
@ -559,7 +560,7 @@ where
impl<CS, F, I, OF, OT, S> StdFuzzer<CS, F, I, OF, OT, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
F: Feedback<I, S>,
I: Input,
OF: Feedback<I, S>,
@ -628,7 +629,7 @@ where
impl<CS, F, I, OF, OT, S> ExecutesInput<I, OT, S, Self> for StdFuzzer<CS, F, I, OF, OT, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
F: Feedback<I, S>,
I: Input,
OT: ObserversTuple<I, S>,
@ -670,10 +671,10 @@ where
#[cfg(feature = "python")]
/// `Fuzzer` Python bindings
pub mod pybind {
use crate::corpus::QueueCorpusScheduler;
use crate::feedbacks::{CrashFeedback, MaxMapFeedback};
use crate::fuzzer::{Fuzzer, StdFuzzer};
use crate::inputs::BytesInput;
use crate::schedulers::QueueScheduler;
use pyo3::prelude::*;
macro_rules! define_python_fuzzer {
@ -688,7 +689,7 @@ pub mod pybind {
/// `StdFuzzer` with fixed generics
pub type $type_name = StdFuzzer<
QueueCorpusScheduler,
QueueScheduler,
MaxMapFeedback<BytesInput, $map_observer_name, $my_std_state_type_name, $datatype>,
BytesInput,
CrashFeedback,
@ -709,7 +710,7 @@ pub mod pybind {
fn new(py_max_map_feedback: $max_map_feedback_py_name) -> Self {
Self {
std_fuzzer: StdFuzzer::new(
QueueCorpusScheduler::new(),
QueueScheduler::new(),
py_max_map_feedback.max_map_feedback,
CrashFeedback::new(),
),

6
libafl/src/lib.rs
View File

@ -93,6 +93,7 @@ pub mod inputs;
pub mod monitors;
pub mod mutators;
pub mod observers;
pub mod schedulers;
pub mod stages;
pub mod state;
@ -234,11 +235,12 @@ impl std::error::Error for Error {}
mod tests {
use crate::{
bolts::{rands::StdRand, tuples::tuple_list},
corpus::{Corpus, InMemoryCorpus, RandCorpusScheduler, Testcase},
corpus::{Corpus, InMemoryCorpus, Testcase},
executors::{ExitKind, InProcessExecutor},
inputs::BytesInput,
monitors::SimpleMonitor,
mutators::{mutations::BitFlipMutator, StdScheduledMutator},
schedulers::RandScheduler,
stages::StdMutationalStage,
state::{HasCorpus, StdState},
Fuzzer, StdFuzzer,
@ -268,7 +270,7 @@ mod tests {
});
let mut event_manager = SimpleEventManager::new(monitor);
let scheduler = RandCorpusScheduler::new();
let scheduler = RandScheduler::new();
let mut fuzzer = StdFuzzer::new(scheduler, (), ());
let mut harness = |_buf: &BytesInput| ExitKind::Ok;

33
libafl/src/corpus/accounting.rs → libafl/src/schedulers/accounting.rs
View File

@ -2,12 +2,13 @@
use crate::{
bolts::{rands::Rand, AsMutSlice, AsSlice, HasLen, HasRefCnt},
corpus::{
minimizer::{IsFavoredMetadata, MinimizerCorpusScheduler, DEFAULT_SKIP_NON_FAVORED_PROB},
Corpus, CorpusScheduler, LenTimeMulFavFactor, Testcase,
},
corpus::{Corpus, Testcase},
feedbacks::MapIndexesMetadata,
inputs::Input,
schedulers::{
minimizer::{IsFavoredMetadata, MinimizerScheduler, DEFAULT_SKIP_NON_FAVORED_PROB},
LenTimeMulFavFactor, Scheduler,
},
state::{HasCorpus, HasMetadata, HasRand},
Error,
};
@ -91,20 +92,20 @@ impl TopAccountingMetadata {
/// A minimizer scheduler using coverage accounting
#[derive(Debug)]
pub struct CoverageAccountingCorpusScheduler<'a, CS, I, S>
pub struct CoverageAccountingScheduler<'a, CS, I, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
I: Input + HasLen,
S: HasCorpus<I> + HasMetadata + HasRand,
{
accounting_map: &'a [u32],
skip_non_favored_prob: u64,
inner: MinimizerCorpusScheduler<CS, LenTimeMulFavFactor<I>, I, MapIndexesMetadata, S>,
inner: MinimizerScheduler<CS, LenTimeMulFavFactor<I>, I, MapIndexesMetadata, S>,
}
impl<'a, CS, I, S> CorpusScheduler<I, S> for CoverageAccountingCorpusScheduler<'a, CS, I, S>
impl<'a, CS, I, S> Scheduler<I, S> for CoverageAccountingScheduler<'a, CS, I, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
I: Input + HasLen,
S: HasCorpus<I> + HasMetadata + HasRand,
{
@ -152,9 +153,9 @@ where
}
}
impl<'a, CS, I, S> CoverageAccountingCorpusScheduler<'a, CS, I, S>
impl<'a, CS, I, S> CoverageAccountingScheduler<'a, CS, I, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
I: Input + HasLen,
S: HasCorpus<I> + HasMetadata + HasRand,
{
@ -188,7 +189,7 @@ where
let must_remove = {
let old_meta = old.metadata_mut().get_mut::<AccountingIndexesMetadata>().ok_or_else(|| {
Error::KeyNotFound(format!(
"AccountingIndexesMetadata, needed by CoverageAccountingCorpusScheduler, not found in testcase #{}",
"AccountingIndexesMetadata, needed by CoverageAccountingScheduler, not found in testcase #{}",
old_idx
))
})?;
@ -259,18 +260,18 @@ where
Ok(())
}
/// Creates a new [`CoverageAccountingCorpusScheduler`] that wraps a `base` [`CorpusScheduler`]
/// Creates a new [`CoverageAccountingScheduler`] that wraps a `base` [`Scheduler`]
/// and has a default probability to skip non-faved [`Testcase`]s of [`DEFAULT_SKIP_NON_FAVORED_PROB`].
pub fn new(state: &mut S, base: CS, accounting_map: &'a [u32]) -> Self {
state.add_metadata(TopAccountingMetadata::new(accounting_map.len()));
Self {
accounting_map,
inner: MinimizerCorpusScheduler::new(base),
inner: MinimizerScheduler::new(base),
skip_non_favored_prob: DEFAULT_SKIP_NON_FAVORED_PROB,
}
}
/// Creates a new [`CoverageAccountingCorpusScheduler`] that wraps a `base` [`CorpusScheduler`]
/// Creates a new [`CoverageAccountingScheduler`] that wraps a `base` [`Scheduler`]
/// and has a non-default probability to skip non-faved [`Testcase`]s using (`skip_non_favored_prob`).
pub fn with_skip_prob(
state: &mut S,
@ -281,7 +282,7 @@ where
state.add_metadata(TopAccountingMetadata::new(accounting_map.len()));
Self {
accounting_map,
inner: MinimizerCorpusScheduler::with_skip_prob(base, skip_non_favored_prob),
inner: MinimizerScheduler::with_skip_prob(base, skip_non_favored_prob),
skip_non_favored_prob,
}
}

0
libafl/src/corpus/fav_factor.rs → libafl/src/schedulers/fav_factor.rs
View File

43
libafl/src/corpus/minimizer.rs → libafl/src/schedulers/minimizer.rs
View File

@ -3,9 +3,10 @@
use crate::{
bolts::{rands::Rand, serdeany::SerdeAny, AsSlice, HasRefCnt},
corpus::{Corpus, CorpusScheduler, FavFactor, LenTimeMulFavFactor, Testcase},
corpus::{Corpus, Testcase},
feedbacks::MapIndexesMetadata,
inputs::Input,
schedulers::{FavFactor, LenTimeMulFavFactor, Scheduler},
state::{HasCorpus, HasMetadata, HasRand},
Error,
};
@ -48,13 +49,13 @@ impl Default for TopRatedsMetadata {
}
}
/// The [`MinimizerCorpusScheduler`] employs a genetic algorithm to compute a subset of the
/// The [`MinimizerScheduler`] employs a genetic algorithm to compute a subset of the
/// corpus that exercise all the requested features (e.g. all the coverage seen so far)
/// prioritizing [`Testcase`]`s` using [`FavFactor`]
#[derive(Debug, Clone)]
pub struct MinimizerCorpusScheduler<CS, F, I, M, S>
pub struct MinimizerScheduler<CS, F, I, M, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
F: FavFactor<I>,
I: Input,
M: AsSlice<usize> + SerdeAny + HasRefCnt,
@ -65,9 +66,9 @@ where
phantom: PhantomData<(F, I, M, S)>,
}
impl<CS, F, I, M, S> CorpusScheduler<I, S> for MinimizerCorpusScheduler<CS, F, I, M, S>
impl<CS, F, I, M, S> Scheduler<I, S> for MinimizerScheduler<CS, F, I, M, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
F: FavFactor<I>,
I: Input,
M: AsSlice<usize> + SerdeAny + HasRefCnt,
@ -113,15 +114,15 @@ where
}
}
impl<CS, F, I, M, S> MinimizerCorpusScheduler<CS, F, I, M, S>
impl<CS, F, I, M, S> MinimizerScheduler<CS, F, I, M, S>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
F: FavFactor<I>,
I: Input,
M: AsSlice<usize> + SerdeAny + HasRefCnt,
S: HasCorpus<I> + HasMetadata + HasRand,
{
/// Update the `Corpus` score using the `MinimizerCorpusScheduler`
/// Update the `Corpus` score using the `MinimizerScheduler`
#[allow(clippy::unused_self)]
#[allow(clippy::cast_possible_wrap)]
pub fn update_score(&self, state: &mut S, idx: usize) -> Result<(), Error> {
@ -136,7 +137,7 @@ where
let factor = F::compute(&mut *entry)?;
let meta = entry.metadata_mut().get_mut::<M>().ok_or_else(|| {
Error::KeyNotFound(format!(
"Metadata needed for MinimizerCorpusScheduler not found in testcase #{}",
"Metadata needed for MinimizerScheduler not found in testcase #{}",
idx
))
})?;
@ -156,7 +157,7 @@ where
let must_remove = {
let old_meta = old.metadata_mut().get_mut::<M>().ok_or_else(|| {
Error::KeyNotFound(format!(
"Metadata needed for MinimizerCorpusScheduler not found in testcase #{}",
"Metadata needed for MinimizerScheduler not found in testcase #{}",
old_idx
))
})?;
@ -198,7 +199,7 @@ where
Ok(())
}
/// Cull the `Corpus` using the `MinimizerCorpusScheduler`
/// Cull the `Corpus` using the `MinimizerScheduler`
#[allow(clippy::unused_self)]
pub fn cull(&self, state: &mut S) -> Result<(), Error> {
let top_rated = match state.metadata().get::<TopRatedsMetadata>() {
@ -213,7 +214,7 @@ where
let mut entry = state.corpus().get(*idx)?.borrow_mut();
let meta = entry.metadata().get::<M>().ok_or_else(|| {
Error::KeyNotFound(format!(
"Metadata needed for MinimizerCorpusScheduler not found in testcase #{}",
"Metadata needed for MinimizerScheduler not found in testcase #{}",
idx
))
})?;
@ -233,7 +234,7 @@ where
&self.base
}
/// Creates a new [`MinimizerCorpusScheduler`] that wraps a `base` [`CorpusScheduler`]
/// Creates a new [`MinimizerScheduler`] that wraps a `base` [`Scheduler`]
/// and has a default probability to skip non-faved [`Testcase`]s of [`DEFAULT_SKIP_NON_FAVORED_PROB`].
pub fn new(base: CS) -> Self {
Self {
@ -243,7 +244,7 @@ where
}
}
/// Creates a new [`MinimizerCorpusScheduler`] that wraps a `base` [`CorpusScheduler`]
/// Creates a new [`MinimizerScheduler`] that wraps a `base` [`Scheduler`]
/// and has a non-default probability to skip non-faved [`Testcase`]s using (`skip_non_favored_prob`).
pub fn with_skip_prob(base: CS, skip_non_favored_prob: u64) -> Self {
Self {
@ -254,11 +255,11 @@ where
}
}
/// A [`MinimizerCorpusScheduler`] with [`LenTimeMulFavFactor`] to prioritize quick and small [`Testcase`]`s`.
pub type LenTimeMinimizerCorpusScheduler<CS, I, M, S> =
MinimizerCorpusScheduler<CS, LenTimeMulFavFactor<I>, I, M, S>;
/// A [`MinimizerScheduler`] with [`LenTimeMulFavFactor`] to prioritize quick and small [`Testcase`]`s`.
pub type LenTimeMinimizerScheduler<CS, I, M, S> =
MinimizerScheduler<CS, LenTimeMulFavFactor<I>, I, M, S>;
/// A [`MinimizerCorpusScheduler`] with [`LenTimeMulFavFactor`] to prioritize quick and small [`Testcase`]`s`
/// A [`MinimizerScheduler`] with [`LenTimeMulFavFactor`] to prioritize quick and small [`Testcase`]`s`
/// that exercise all the entries registered in the [`MapIndexesMetadata`].
pub type IndexesLenTimeMinimizerCorpusScheduler<CS, I, S> =
MinimizerCorpusScheduler<CS, LenTimeMulFavFactor<I>, I, MapIndexesMetadata, S>;
pub type IndexesLenTimeMinimizerScheduler<CS, I, S> =
MinimizerScheduler<CS, LenTimeMulFavFactor<I>, I, MapIndexesMetadata, S>;

106
libafl/src/schedulers/mod.rs Normal file
View File

@ -0,0 +1,106 @@
//! Schedule the access to the Corpus.
pub mod queue;
pub use queue::QueueScheduler;
pub mod probabilistic_sampling;
pub use probabilistic_sampling::ProbabilitySamplingScheduler;
pub mod accounting;
pub use accounting::CoverageAccountingScheduler;
pub mod fav_factor;
pub use fav_factor::{FavFactor, LenTimeMulFavFactor};
pub mod minimizer;
pub use minimizer::{
IndexesLenTimeMinimizerScheduler, LenTimeMinimizerScheduler, MinimizerScheduler,
};
pub mod powersched;
pub use powersched::PowerQueueScheduler;
use alloc::borrow::ToOwned;
use crate::{
bolts::rands::Rand,
corpus::{Corpus, Testcase},
inputs::Input,
state::{HasCorpus, HasRand},
Error,
};
/// The scheduler define how the fuzzer requests a testcase from the corpus.
/// It has hooks to corpus add/replace/remove to allow complex scheduling algorithms to collect data.
pub trait Scheduler<I, S>
where
I: Input,
{
/// Add an entry to the corpus and return its index
fn on_add(&self, _state: &mut S, _idx: usize) -> Result<(), Error> {
Ok(())
}
/// Replaces the testcase at the given idx
fn on_replace(
&self,
_state: &mut S,
_idx: usize,
_testcase: &Testcase<I>,
) -> Result<(), Error> {
Ok(())
}
/// Removes an entry from the corpus, returning it if it was present.
fn on_remove(
&self,
_state: &mut S,
_idx: usize,
_testcase: &Option<Testcase<I>>,
) -> Result<(), Error> {
Ok(())
}
/// Gets the next entry
fn next(&self, state: &mut S) -> Result<usize, Error>;
}
/// Feed the fuzzer simpply with a random testcase on request
#[derive(Debug, Clone)]
pub struct RandScheduler;
impl<I, S> Scheduler<I, S> for RandScheduler
where
S: HasCorpus<I> + HasRand,
I: Input,
{
/// Gets the next entry at random
fn next(&self, state: &mut S) -> Result<usize, Error> {
if state.corpus().count() == 0 {
Err(Error::Empty("No entries in corpus".to_owned()))
} else {
let len = state.corpus().count();
let id = state.rand_mut().below(len as u64) as usize;
*state.corpus_mut().current_mut() = Some(id);
Ok(id)
}
}
}
impl RandScheduler {
/// Create a new [`RandScheduler`] that just schedules randomly.
#[must_use]
pub fn new() -> Self {
Self
}
}
impl Default for RandScheduler {
fn default() -> Self {
Self::new()
}
}
/// A [`StdScheduler`] uses the default scheduler in `LibAFL` to schedule [`Testcase`]s.
/// The current `Std` is a [`RandScheduler`], although this may change in the future, if another [`Scheduler`] delivers better results.
pub type StdScheduler = RandScheduler;

13
libafl/src/corpus/powersched.rs → libafl/src/schedulers/powersched.rs
View File

@ -3,8 +3,9 @@
use alloc::string::{String, ToString};
use crate::{
corpus::{Corpus, CorpusScheduler, PowerScheduleTestcaseMetaData},
corpus::{Corpus, PowerScheduleTestcaseMetaData},
inputs::Input,
schedulers::Scheduler,
stages::PowerScheduleMetadata,
state::{HasCorpus, HasMetadata},
Error,
@ -12,15 +13,15 @@ use crate::{
/// A corpus scheduler using power schedules
#[derive(Clone, Debug)]
pub struct PowerQueueCorpusScheduler;
pub struct PowerQueueScheduler;
impl Default for PowerQueueCorpusScheduler {
impl Default for PowerQueueScheduler {
fn default() -> Self {
Self::new()
}
}
impl<I, S> CorpusScheduler<I, S> for PowerQueueCorpusScheduler
impl<I, S> Scheduler<I, S> for PowerQueueScheduler
where
S: HasCorpus<I> + HasMetadata,
I: Input,
@ -78,8 +79,8 @@ where
}
}
impl PowerQueueCorpusScheduler {
/// Create a new [`PowerQueueCorpusScheduler`]
impl PowerQueueScheduler {
/// Create a new [`PowerQueueScheduler`]
#[must_use]
pub fn new() -> Self {
Self

25
libafl/src/corpus/probabilistic_sampling.rs → libafl/src/schedulers/probabilistic_sampling.rs
View File

@ -3,8 +3,9 @@
use crate::{
bolts::rands::Rand,
corpus::{Corpus, CorpusScheduler, FavFactor},
corpus::Corpus,
inputs::Input,
schedulers::{FavFactor, Scheduler},
state::{HasCorpus, HasMetadata, HasRand},
Error,
};
@ -15,7 +16,7 @@ use serde::{Deserialize, Serialize};
/// Conduct reservoir sampling (probabilistic sampling) over all corpus elements.
#[derive(Debug, Clone)]
pub struct ProbabilitySamplingCorpusScheduler<I, S, F>
pub struct ProbabilitySamplingScheduler<I, S, F>
where
I: Input,
S: HasCorpus<I> + HasMetadata + HasRand,
@ -52,13 +53,13 @@ impl Default for ProbabilityMetadata {
}
}
impl<I, S, F> ProbabilitySamplingCorpusScheduler<I, S, F>
impl<I, S, F> ProbabilitySamplingScheduler<I, S, F>
where
I: Input,
S: HasCorpus<I> + HasMetadata + HasRand,
F: FavFactor<I>,
{
/// Creates a new [`struct@ProbabilitySamplingCorpusScheduler`]
/// Creates a new [`struct@ProbabilitySamplingScheduler`]
#[must_use]
pub fn new() -> Self {
Self {
@ -87,7 +88,7 @@ where
}
}
impl<I, S, F> CorpusScheduler<I, S> for ProbabilitySamplingCorpusScheduler<I, S, F>
impl<I, S, F> Scheduler<I, S> for ProbabilitySamplingScheduler<I, S, F>
where
I: Input,
S: HasCorpus<I> + HasMetadata + HasRand,
@ -121,7 +122,7 @@ where
}
}
impl<I, S, F> Default for ProbabilitySamplingCorpusScheduler<I, S, F>
impl<I, S, F> Default for ProbabilitySamplingScheduler<I, S, F>
where
I: Input,
S: HasCorpus<I> + HasMetadata + HasRand,
@ -139,11 +140,9 @@ mod tests {
use crate::{
bolts::rands::StdRand,
corpus::{
Corpus, CorpusScheduler, FavFactor, InMemoryCorpus, ProbabilitySamplingCorpusScheduler,
Testcase,
},
corpus::{Corpus, InMemoryCorpus, Testcase},
inputs::{bytes::BytesInput, Input},
schedulers::{FavFactor, ProbabilitySamplingScheduler, Scheduler},
state::StdState,
Error,
};
@ -168,15 +167,15 @@ mod tests {
}
}
pub type UniformProbabilitySamplingCorpusScheduler<I, S> =
ProbabilitySamplingCorpusScheduler<I, S, UniformDistribution<I>>;
pub type UniformProbabilitySamplingScheduler<I, S> =
ProbabilitySamplingScheduler<I, S, UniformDistribution<I>>;
#[test]
fn test_prob_sampling() {
// the first 3 probabilities will be .69, .86, .44
let rand = StdRand::with_seed(12);
let scheduler = UniformProbabilitySamplingCorpusScheduler::new();
let scheduler = UniformProbabilitySamplingScheduler::new();
let mut corpus = InMemoryCorpus::new();
let t1 = Testcase::with_filename(BytesInput::new(vec![0_u8; 4]), "1".into());

22
libafl/src/corpus/queue.rs → libafl/src/schedulers/queue.rs
View File

@ -2,18 +2,13 @@
use alloc::borrow::ToOwned;
use crate::{
corpus::{Corpus, CorpusScheduler},
inputs::Input,
state::HasCorpus,
Error,
};
use crate::{corpus::Corpus, inputs::Input, schedulers::Scheduler, state::HasCorpus, Error};
/// Walk the corpus in a queue-like fashion
#[derive(Debug, Clone)]
pub struct QueueCorpusScheduler;
pub struct QueueScheduler;
impl<I, S> CorpusScheduler<I, S> for QueueCorpusScheduler
impl<I, S> Scheduler<I, S> for QueueScheduler
where
S: HasCorpus<I>,
I: Input,
@ -39,15 +34,15 @@ where
}
}
impl QueueCorpusScheduler {
/// Creates a new `QueueCorpusScheduler`
impl QueueScheduler {
/// Creates a new `QueueScheduler`
#[must_use]
pub fn new() -> Self {
Self
}
}
impl Default for QueueCorpusScheduler {
impl Default for QueueScheduler {
fn default() -> Self {
Self::new()
}
@ -61,15 +56,16 @@ mod tests {
use crate::{
bolts::rands::StdRand,
corpus::{Corpus, CorpusScheduler, OnDiskCorpus, QueueCorpusScheduler, Testcase},
corpus::{Corpus, OnDiskCorpus, Testcase},
inputs::bytes::BytesInput,
schedulers::{QueueScheduler, Scheduler},
state::{HasCorpus, StdState},
};
#[test]
fn test_queuecorpus() {
let rand = StdRand::with_seed(4);
let scheduler = QueueCorpusScheduler::new();
let scheduler = QueueScheduler::new();
let mut q =
OnDiskCorpus::<BytesInput>::new(PathBuf::from("target/.test/fancy/path")).unwrap();

16
libafl/src/stages/mod.rs
View File

@ -38,15 +38,15 @@ pub mod sync;
pub use sync::*;
use crate::{
corpus::CorpusScheduler,
events::{EventFirer, EventRestarter, HasEventManagerId, ProgressReporter},
executors::{Executor, HasObservers},
inputs::Input,
observers::ObserversTuple,
schedulers::Scheduler,
state::{
HasExecutions, HasRand, {HasClientPerfMonitor, HasCorpus},
},
Error, EvaluatorObservers, ExecutesInput, ExecutionProcessor, HasCorpusScheduler,
Error, EvaluatorObservers, ExecutesInput, ExecutionProcessor, HasScheduler,
};
use core::{convert::From, marker::PhantomData};
@ -171,13 +171,13 @@ where
#[derive(Debug)]
pub struct PushStageAdapter<CS, EM, I, OT, PS, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId + ProgressReporter<I>,
I: Input,
OT: ObserversTuple<I, S>,
PS: PushStage<CS, EM, I, OT, S, Z>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand + HasExecutions,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
push_stage: PS,
phantom: PhantomData<(CS, EM, I, OT, S, Z)>,
@ -185,13 +185,13 @@ where
impl<CS, EM, I, OT, PS, S, Z> PushStageAdapter<CS, EM, I, OT, PS, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId + ProgressReporter<I>,
I: Input,
OT: ObserversTuple<I, S>,
PS: PushStage<CS, EM, I, OT, S, Z>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand + HasExecutions,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
/// Create a new [`PushStageAdapter`], wrapping the given [`PushStage`]
/// to be used as a normal [`Stage`]
@ -206,7 +206,7 @@ where
impl<CS, E, EM, I, OT, PS, S, Z> Stage<E, EM, S, Z> for PushStageAdapter<CS, EM, I, OT, PS, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
E: Executor<EM, I, S, Z> + HasObservers<I, OT, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId + ProgressReporter<I>,
I: Input,
@ -216,7 +216,7 @@ where
Z: ExecutesInput<I, OT, S, Z>
+ ExecutionProcessor<I, OT, S>
+ EvaluatorObservers<I, OT, S>
+ HasCorpusScheduler<CS, I, S>,
+ HasScheduler<CS, I, S>,
{
fn perform(
&mut self,

3
libafl/src/stages/power.rs
View File

@ -4,12 +4,13 @@ use alloc::string::{String, ToString};
use core::{fmt::Debug, marker::PhantomData};
use crate::{
corpus::{Corpus, IsFavoredMetadata, PowerScheduleTestcaseMetaData, Testcase},
corpus::{Corpus, PowerScheduleTestcaseMetaData, Testcase},
executors::{Executor, HasObservers},
fuzzer::Evaluator,
inputs::Input,
mutators::Mutator,
observers::{MapObserver, ObserversTuple},
schedulers::minimizer::IsFavoredMetadata,
stages::{MutationalStage, PowerScheduleMetadata, Stage},
state::{HasClientPerfMonitor, HasCorpus, HasMetadata},
Error,

24
libafl/src/stages/push/mod.rs
View File

@ -17,13 +17,13 @@ use core::{
use crate::{
bolts::current_time,
corpus::CorpusScheduler,
events::{EventFirer, EventRestarter, HasEventManagerId, ProgressReporter},
executors::ExitKind,
inputs::Input,
observers::ObserversTuple,
schedulers::Scheduler,
state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasRand},
Error, EvaluatorObservers, ExecutionProcessor, HasCorpusScheduler,
Error, EvaluatorObservers, ExecutionProcessor, HasScheduler,
};
/// Send a monitor update all 15 (or more) seconds
@ -34,12 +34,12 @@ const STATS_TIMEOUT_DEFAULT: Duration = Duration::from_secs(15);
#[derive(Clone, Debug)]
pub struct PushStageSharedState<CS, EM, I, OT, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId,
I: Input,
OT: ObserversTuple<I, S>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
/// The [`crate::state::State`]
pub state: S,
@ -54,12 +54,12 @@ where
impl<CS, EM, I, OT, S, Z> PushStageSharedState<CS, EM, I, OT, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId,
I: Input,
OT: ObserversTuple<I, S>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
/// Create a new `PushStageSharedState` that can be used by all [`PushStage`]s
#[must_use]
@ -78,12 +78,12 @@ where
#[derive(Clone, Debug)]
pub struct PushStageHelper<CS, EM, I, OT, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId,
I: Input,
OT: ObserversTuple<I, S>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
/// If this stage has already been initalized.
/// This gets reset to `false` after one iteration of the stage is done.
@ -109,12 +109,12 @@ where
impl<CS, EM, I, OT, S, Z> PushStageHelper<CS, EM, I, OT, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId,
I: Input,
OT: ObserversTuple<I, S>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
/// Create a new [`PushStageHelper`]
#[must_use]
@ -182,12 +182,12 @@ where
/// After it has finished once, we will call it agan for the next fuzzer round.
pub trait PushStage<CS, EM, I, OT, S, Z>: Iterator
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId + ProgressReporter<I>,
I: Input,
OT: ObserversTuple<I, S>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand + HasExecutions,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
/// Gets the [`PushStageHelper`]
fn push_stage_helper(&self) -> &PushStageHelper<CS, EM, I, OT, S, Z>;

25
libafl/src/stages/push/mutational.rs
View File

@ -6,16 +6,17 @@ use core::cell::{Cell, RefCell};
use crate::{
bolts::rands::Rand,
corpus::{Corpus, CorpusScheduler},
corpus::Corpus,
events::{EventFirer, EventRestarter, HasEventManagerId, ProgressReporter},
executors::ExitKind,
inputs::Input,
mark_feature_time,
mutators::Mutator,
observers::ObserversTuple,
schedulers::Scheduler,
start_timer,
state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasRand},
Error, EvaluatorObservers, ExecutionProcessor, HasCorpusScheduler,
Error, EvaluatorObservers, ExecutionProcessor, HasScheduler,
};
#[cfg(feature = "introspection")]
@ -37,13 +38,13 @@ pub static DEFAULT_MUTATIONAL_MAX_ITERATIONS: u64 = 128;
#[derive(Clone, Debug)]
pub struct StdMutationalPushStage<CS, EM, I, M, OT, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId,
I: Input,
M: Mutator<I, S>,
OT: ObserversTuple<I, S>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
current_corpus_idx: Option<usize>,
testcases_to_do: usize,
@ -58,13 +59,13 @@ where
impl<CS, EM, I, M, OT, S, Z> StdMutationalPushStage<CS, EM, I, M, OT, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId,
I: Input,
M: Mutator<I, S>,
OT: ObserversTuple<I, S>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
/// Gets the number of iterations as a random number
#[allow(clippy::unused_self, clippy::unnecessary_wraps)] // TODO: we should put this function into a trait later
@ -81,13 +82,13 @@ where
impl<CS, EM, I, M, OT, S, Z> PushStage<CS, EM, I, OT, S, Z>
for StdMutationalPushStage<CS, EM, I, M, OT, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId + ProgressReporter<I>,
I: Input,
M: Mutator<I, S>,
OT: ObserversTuple<I, S>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand + HasExecutions,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
/// Creates a new default mutational stage
fn init(
@ -192,13 +193,13 @@ where
impl<CS, EM, I, M, OT, S, Z> Iterator for StdMutationalPushStage<CS, EM, I, M, OT, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId + ProgressReporter<I>,
I: Input,
M: Mutator<I, S>,
OT: ObserversTuple<I, S>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand + HasExecutions,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
type Item = Result<I, Error>;
@ -209,13 +210,13 @@ where
impl<CS, EM, I, M, OT, S, Z> StdMutationalPushStage<CS, EM, I, M, OT, S, Z>
where
CS: CorpusScheduler<I, S>,
CS: Scheduler<I, S>,
EM: EventFirer<I> + EventRestarter<S> + HasEventManagerId,
I: Input,
M: Mutator<I, S>,
OT: ObserversTuple<I, S>,
S: HasClientPerfMonitor + HasCorpus<I> + HasRand,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasCorpusScheduler<CS, I, S>,
Z: ExecutionProcessor<I, OT, S> + EvaluatorObservers<I, OT, S> + HasScheduler<CS, I, S>,
{
/// Creates a new default mutational stage
#[must_use]

2
libafl_concolic/symcc_runtime/symcc

@ -1 +1 @@
Subproject commit 3133c0b37d3c498db9addf2331378c7c9cadbf10
Subproject commit 45cde0269ae22aef4cca2e1fb98c3b24f7bb2984

9
libafl_sugar/src/forkserver.rs
View File

@ -13,10 +13,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsMutSlice,
},
corpus::{
CachedOnDiskCorpus, Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
corpus::{CachedOnDiskCorpus, Corpus, OnDiskCorpus},
events::{EventConfig, EventRestarter, LlmpRestartingEventManager},
executors::{forkserver::ForkserverExecutorBuilder, TimeoutForkserverExecutor},
feedback_or, feedback_or_fast,
@ -27,6 +24,7 @@ use libafl::{
mutators::scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
mutators::token_mutations::Tokens,
observers::{ConstMapObserver, HitcountsMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::StdMutationalStage,
state::{HasCorpus, HasMetadata, StdState},
Error,
@ -171,8 +169,7 @@ impl<'a, const MAP_SIZE: usize> ForkserverBytesCoverageSugar<'a, MAP_SIZE> {
}
// A minimization+queue policy to get testcasess from the corpus
let scheduler =
IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

9
libafl_sugar/src/inmemory.rs
View File

@ -15,10 +15,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
CachedOnDiskCorpus, Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
corpus::{CachedOnDiskCorpus, Corpus, OnDiskCorpus},
events::{EventConfig, EventRestarter, LlmpRestartingEventManager},
executors::{inprocess::InProcessExecutor, ExitKind, ShadowExecutor, TimeoutExecutor},
feedback_or, feedback_or_fast,
@ -30,6 +27,7 @@ use libafl::{
mutators::scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
mutators::token_mutations::{I2SRandReplace, Tokens},
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::{ShadowTracingStage, StdMutationalStage},
state::{HasCorpus, HasMetadata, StdState},
Error,
@ -192,8 +190,7 @@ where
}
// A minimization+queue policy to get testcasess from the corpus
let scheduler =
IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

9
libafl_sugar/src/qemu.rs
View File

@ -14,10 +14,7 @@ use libafl::{
tuples::{tuple_list, Merge},
AsSlice,
},
corpus::{
CachedOnDiskCorpus, Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
corpus::{CachedOnDiskCorpus, Corpus, OnDiskCorpus},
events::{EventConfig, EventRestarter, LlmpRestartingEventManager},
executors::{ExitKind, ShadowExecutor, TimeoutExecutor},
feedback_or, feedback_or_fast,
@ -29,6 +26,7 @@ use libafl::{
mutators::scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
mutators::{token_mutations::Tokens, I2SRandReplace},
observers::{HitcountsMapObserver, TimeObserver, VariableMapObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::{ShadowTracingStage, StdMutationalStage},
state::{HasCorpus, HasMetadata, StdState},
};
@ -198,8 +196,7 @@ where
}
// A minimization+queue policy to get testcasess from the corpus
let scheduler =
IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

9
scripts/fmt_all.sh
View File

@ -9,12 +9,13 @@ echo "Welcome to the happy fmt script. :)"
echo "[*] Running fmt for the main crates"
cargo fmt
cd fuzzers
fuzzers=$(find ./fuzzers -maxdepth 1 -type d)
backtrace_fuzzers=$(find ./fuzzers/backtrace_baby_fuzzers -maxdepth 1 -type d)
for fuzzer in *;
for fuzzer in $(echo $fuzzers $backtrace_fuzzers);
do
cd $fuzzer
pushd $fuzzer
echo "[*] Running fmt for $fuzzer"
cargo fmt --all
cd ..
popd
done