Some AFL UI example fuzzer cleanup (#1529)

* Some afl ui cleanup * more info * Fix CI (#1549) * Change profiles for the fuzzbench fuzzers. * just foreground * Revert "just foreground" This reverts commit abd4fbec40fd1a7f3bcca1190ce11816fc868c53. * fix Makefile.toml * Tmate debug * fix? * fix? * Can't fix this * remove reset --------- Co-authored-by: Dongjia "toka" Zhang <tokazerkje@outlook.com>
2023-09-24 14:54:14 +02:00 · 2023-09-24 14:54:14 +02:00 · aa7993de10
commit aa7993de10
parent c103444396
12 changed files with 23 additions and 24 deletions
--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/.gitignore
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/.gitignore
--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/Cargo.toml
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/Cargo.toml
--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/Makefile.toml
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/Makefile.toml
@ -159,16 +159,9 @@ windows_alias = "unsupported"
 script_runner = "@shell"
 script='''
 rm -rf libafl_unix_shmem_server || true
-(timeout 11s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true) &
+(timeout --foreground 11s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true) &
 sleep 0.2
-timeout 10s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
-cd ./corpus
-if [ $(ls -al |grep "^-"|wc -l) -gt 4 ]; then
-    echo "Fuzzer is working"
-else
-    echo "Fuzzer does not generate any testcases or any crashes"
-    exit 1
-fi
+timeout --foreground 10s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
 '''
 dependencies = [ "fuzzer" ]

@ -176,9 +169,9 @@ dependencies = [ "fuzzer" ]
 script_runner = "@shell"
 script='''
 rm -rf libafl_unix_shmem_server || true
-(timeout 11s ./${FUZZER_NAME} >fuzz_stdout.log 2>/dev/null || true) &
+(timeout --foreground 11s ./${FUZZER_NAME} >fuzz_stdout.log 2>/dev/null || true) &
 sleep 0.2
-timeout 10s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
+timeout --foreground 10s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
 '''
 dependencies = [ "fuzzer" ]

--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/README.md
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/README.md
@ -1,15 +1,8 @@
-# Libfuzzer for libpng
+# Libfuzzer for libpng, with AFL-style UI

 This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.

-In contrast to other fuzzer examples, this setup uses `fuzz_loop_for`, to occasionally respawn the fuzzer executor.
-While this costs performance, it can be useful for targets with memory leaks or other instabilities.
-If your target is really instable, however, consider exchanging the `InProcessExecutor` for a `ForkserverExecutor` instead.
-
-It also uses the `introspection` feature, printing fuzzer stats during execution.
-
-To show off crash detection, we added a `ud2` instruction to the harness, edit harness.cc if you want a non-crashing example.
-It has been tested on Linux.
+In contrast to other fuzzer examples, it keeps track of AFL style metrics and display them in the terminal.

 ## Build

--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/corpus/not_kitty.png
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/corpus/not_kitty.png
--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/corpus/not_kitty_alpha.png
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/corpus/not_kitty_alpha.png
--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/corpus/not_kitty_gamma.png
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/corpus/not_kitty_gamma.png
--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/corpus/not_kitty_icc.png
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/corpus/not_kitty_icc.png
--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/harness.cc
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/harness.cc
--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/src/bin/libafl_cc.rs
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/src/bin/libafl_cc.rs
--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/src/bin/libafl_cxx.rs
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/src/bin/libafl_cxx.rs
--- a/fuzzers/libfuzzer_libpng_AFLStyle_UI/src/lib.rs
+++ b/fuzzers/libfuzzer_libpng_AFLStyle_UI/src/lib.rs
@ -52,6 +52,7 @@ pub extern "C" fn libafl_main() {
    );
    fuzz(
        &[PathBuf::from("./corpus")],
+        PathBuf::from("./out"),
        PathBuf::from("./crashes"),
        1337,
    )
@ -60,7 +61,12 @@ pub extern "C" fn libafl_main() {

 /// The actual fuzzer
 #[cfg(not(test))]
-fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Result<(), Error> {
+fn fuzz(
+    initial_input_dirs: &[PathBuf],
+    corpus_dir: PathBuf,
+    objective_dir: PathBuf,
+    broker_port: u16,
+) -> Result<(), Error> {
    // 'While the stats are state, they are usually used in the broker - which is likely never restarted
    // let monitor = MultiMonitor::new(|s| println!("{s}"));

@ -120,7 +126,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
            // RNG
            StdRand::with_seed(current_nanos()),
            // Corpus that will be evolved, we keep it in memory for performance
-            InMemoryOnDiskCorpus::new(&corpus_dirs.get(0).unwrap()).unwrap(),
+            InMemoryOnDiskCorpus::new(corpus_dir).unwrap(),
            // Corpus in which we store solutions (crashes in this example),
            // on disk so the user can get them after stopping the fuzzer
            OnDiskCorpus::new(objective_dir).unwrap(),
@ -205,8 +211,15 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
    // In case the corpus is empty (on first run), reset
    if state.must_load_initial_inputs() {
        state
-            .load_initial_inputs(&mut fuzzer, &mut executor, &mut restarting_mgr, corpus_dirs)
-            .unwrap_or_else(|_| panic!("Failed to load initial corpus at {:?}", &corpus_dirs));
+            .load_initial_inputs(
+                &mut fuzzer,
+                &mut executor,
+                &mut restarting_mgr,
+                initial_input_dirs,
+            )
+            .unwrap_or_else(|_| {
+                panic!("Failed to load initial corpus at {:?}", &initial_input_dirs)
+            });
        println!("We imported {} inputs from disk.", state.corpus().count());
    }