run llvmfuzzerinitialize at the correct time, only generate inputs if no inputs were given

afl/src/corpus/mod.rs

@@ -149,6 +149,12 @@ where
     I: Input,
     R: Rand,
 {
+    /// Returns the number of elements
+    #[inline]
+    fn count(&self) -> usize {
+        self.entries().len()
+    }
+
     /// Gets the next entry
     #[inline]
     fn next(&mut self, rand: &mut R) -> Result<(&RefCell<Testcase<I>>, usize), AflError> {

afl/src/engines/mod.rs

@@ -230,7 +230,7 @@ where
                 println!("Load file {:?}", &path);
                 let input = std::fs::read(path)?;
                 let input = BytesInput::new(input);
-                let fitness = self.evaluate_input(&input, engine.executor_mut())?;
+            //let fitness = self.evaluate_input(&input, engine.executor_mut())?;
             //self.add_if_interesting(corpus, input, fitness)?
             } else if attr.is_dir() {
                 self.load_from_directory(corpus, generator, engine, manager, &path)?;
@@ -258,10 +258,7 @@ where
         for directory in &in_dir {
             self.load_from_directory(corpus, generator, engine, manager, Path::new(directory))?;
         }
-        manager.log(
-            0,
-            format!("Loaded {} initial testcases", 123), // get corpus count
-        )?;
+        manager.log(0, format!("Loaded {} initial testcases", corpus.count()))?;
         manager.process(self, corpus)?;
         Ok(())
     }

fuzzers/libfuzzer/runtime/rt.c

@@ -1,7 +1,12 @@
+#include <stdio.h>
 #include <stdint.h>
 
 #define MAP_SIZE 65536
 
+int orig_argc;
+char **orig_argv;
+char **orig_envp;
+
 uint8_t  __lafl_dummy_map[MAP_SIZE];
 
 uint8_t *__lafl_edges_map = __lafl_dummy_map;
@@ -119,13 +124,22 @@ void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
 
 }
 
+
+ static void afl_libfuzzer_copy_args(int argc, char** argv, char** envp) {
+   orig_argc = argc;
+   orig_argv = argv;
+   orig_envp = envp;
+}
+
+__attribute__((section(".init_array"))) void (* p_afl_libfuzzer_copy_args)(int,char*[],char*[]) = &afl_libfuzzer_copy_args;
+
 __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
 void afl_libfuzzer_main();
 
-int afl_libfuzzer_init(int argc, char **argv) {
+int afl_libfuzzer_init() {
 
   if (LLVMFuzzerInitialize)
-    return LLVMFuzzerInitialize(&argc, &argv);
+    return LLVMFuzzerInitialize(&orig_argc, &orig_argv);
   else
    return 0;
 

fuzzers/libfuzzer/src/lib.rs

@@ -7,6 +7,7 @@ extern crate alloc;
 use clap::{App, Arg};
 use std::env;
 
+use afl::corpus::Corpus;
 use afl::corpus::InMemoryCorpus;
 use afl::engines::Engine;
 use afl::engines::Fuzzer;
@@ -28,8 +29,8 @@ extern "C" {
     /// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
     fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32;
 
-    /// int LLVMFuzzerInitialize(int argc, char **argv)
-    fn afl_libfuzzer_init(argc: u32, argv: *const *const u8) -> i32;
+    // afl_libfuzzer_init calls LLVMFUzzerInitialize()
+    fn afl_libfuzzer_init() -> i32;
 
     static __lafl_edges_map: *mut u8;
     static __lafl_cmp_map: *mut u8;
@@ -143,11 +144,12 @@ pub extern "C" fn afl_libfuzzer_main() {
 
     let mut engine = Engine::new(executor);
 
-    //    unsafe {
-    //        if afl_libfuzzer_init(...) == -1 {
-    //            println("Warning: LLVMFuzzerInitialize failed with -1")
-    //        }
-    //    }
+    // Call LLVMFUzzerInitialize() if present.
+    unsafe {
+        if afl_libfuzzer_init() == -1 {
+            println!("Warning: LLVMFuzzerInitialize failed with -1")
+        }
+    }
 
     if input != None {
         state
@@ -159,7 +161,9 @@ pub extern "C" fn afl_libfuzzer_main() {
                 input.unwrap(),
             )
             .expect("Failed to load initial corpus");
-    } else {
+    }
+
+    if corpus.count() < 1 {
         state
             .generate_initial_inputs(
                 &mut rand,
@@ -169,9 +173,11 @@ pub extern "C" fn afl_libfuzzer_main() {
                 &mut mgr,
                 4,
             )
-            .expect("Failed to load initial inputs");
+            .expect("Failed to generate initial inputs");
     }
 
+    println!("We have {} inputs.", corpus.count());
+
     let mut mutator = HavocBytesMutator::new_default();
     mutator.set_max_size(4096);
 

fuzzers/libfuzzer/test.sh

@@ -8,15 +8,14 @@ rm -f test_fuzz.elf test_fuzz.o
 ./compiler -flto=thin test_fuzz.o -o test_fuzz.elf || exit 1
 
 RUST_BACKTRACE=1 ./test_fuzz.elf &
-PID1=$!
 
-test "$PID1" -gt 0 && {
+test "$!" -gt 0 && {
 
   usleep 250
   RUST_BACKTRACE=1 ./test_fuzz.elf -x a -x b -T5 in1 in2 &
-  sleep 10
-  kill $!
 
 }
+
 sleep 10
-kill $PID1
+killall test_fuzz.elf
+