From d48524168a1532571cd22a062797492991394d1c Mon Sep 17 00:00:00 2001
From: Dominik Maier
Date: Fri, 26 Feb 2021 08:35:18 +0100
Subject: [PATCH] Moved fuzzer to examples
---
 .github/workflows/build_and_test.yml | 30 +++++++++++--------
 Cargo.toml | 14 +++++++++
 README.md | 1 +
 fuzzers/libfuzzer_libpng/Cargo.toml | 14 ++++-----
 fuzzers/libfuzzer_libpng/README.md | 22 ++++++++++++++
 .../src/{mod.rs => fuzzer.rs} | 0
 fuzzers/libfuzzer_libpng/test.sh | 13 ++++++--
 libafl/Cargo.toml | 8 ++---
 8 files changed, 76 insertions(+), 26 deletions(-)
 create mode 100644 Cargo.toml
 create mode 100644 fuzzers/libfuzzer_libpng/README.md
 rename fuzzers/libfuzzer_libpng/src/{mod.rs => fuzzer.rs} (100%)
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index 8bc17fffd1..bcf1a20432 100644
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -11,31 +11,37 @@ jobs: steps: - uses: actions/checkout@v2 - name: Build - run: cd libafl && cargo build --verbose - build-all: + run: cargo build --verbose + all-features-build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Build - run: cd libafl &&cargo build --no-default-features --features runtime --features std --features anymapdbg --verbose + run: cargo build --all-features --verbose test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Test - run: cd libafl && cargo test --verbose - build-no-std: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Build - run: cd libafl && cargo build --no-default-features --verbose - test-no-std: + run: cargo test --verbose + examples-build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - name: Test - run: cd libafl && cargo test --no-default-features --verbose + run: cargo build --examples --verbose + no-std-build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Build + run: cargo build --no-default-features --verbose + no-std-test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Test + run: cargo test --no-default-features --verbose docs: runs-on: ubuntu-latest steps: diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 0000000000..8973fa815d --- /dev/null +++ b/Cargo.toml @@ -0,0 +1,14 @@ + +[profile.release] +lto = true +codegen-units = 1 +opt-level = 3 +debug = true + +[workspace] +members = [ + "libafl", + + #example fuzzers + "fuzzers/libfuzzer_libpng", +] \ No newline at end of file diff --git a/README.md b/README.md index 8319efb070..9be6f37f58 100644 --- a/README.md +++ b/README.md 
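Review bot: The three new jobs (`examples-build`, `no-std-build`, `no-std-test`) each add `- uses: actions/checkout@v2`, a mutable tag, so whoever can move that tag controls what runs in CI; pin the action to a full commit SHA and keep the tag only as a trailing comment, and do the same for the pre-existing jobs when they are next touched. The `examples-build` job labels its step `name: Test` although it runs `cargo build --examples --verbose`; rename it to `name: Build` to match the other build jobs. Note that `cargo build --examples` at the workspace root now compiles the libpng example, whose `build.rs` the README added in this commit says downloads a libpng archive from the web, so this job's result depends on an external download whose integrity cannot be checked from this diff (the build script is not part of the change).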
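Review bot: Adding `fuzzers/libfuzzer_libpng` to `members` makes every plain `cargo build` or `cargo test` at the workspace root run that crate's `build.rs`, which the README in this commit says downloads a libpng archive from the web, so library builds now depend on a network fetch whose pinning is not visible here. If the download is not checksum-verified in `build.rs`, consider building the example only on demand by adding `default-members = ["libafl"]` under `[workspace]`. The `debug = true` in `[profile.release]` is unusual for release builds and deserves a why-comment, e.g. `# keep debug info in release builds so crashes found while fuzzing can be symbolized`. The new file also ends without a trailing newline.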
@@ -12,6 +12,7 @@ It is released as Free and Open Source Software under the GNU Lesser General Pub We collect example fuzzers in `./fuzzers`. The best-tested fuzzer is `./fuzzers/libfuzzer_libpng`, a clone of libfuzzer using libafl for a libpng harness. +See its readme (here)[./fuzzers/libfuzzer_libpng/README.md]. If you want to get a quick overview, run `cargo doc`. Feel free to open issues or contact us directly. Thank you for your support. <3 diff --git a/fuzzers/libfuzzer_libpng/Cargo.toml b/fuzzers/libfuzzer_libpng/Cargo.toml index ebfadecb72..7c0615cfd0 100644 --- a/fuzzers/libfuzzer_libpng/Cargo.toml +++ b/fuzzers/libfuzzer_libpng/Cargo.toml @@ -11,11 +11,11 @@ build = "build.rs" default = ["std"] std = [] -[profile.release] -lto = true -codegen-units = 1 -opt-level = 3 -debug = true +#[profile.release] +#lto = true +#codegen-units = 1 +#opt-level = 3 +#debug = true [build-dependencies] cc = { version = "1.0", features = ["parallel"] } @@ -24,8 +24,8 @@ num_cpus = "1.0" [dependencies] libafl = { path = "../../libafl/" } -[[bin]] +[[example]] name = "libfuzzer_libpng" -path = "./src/mod.rs" +path = "./src/fuzzer.rs" test = false bench = false diff --git a/fuzzers/libfuzzer_libpng/README.md b/fuzzers/libfuzzer_libpng/README.md new file mode 100644 index 0000000000..498d18babb --- /dev/null +++ b/fuzzers/libfuzzer_libpng/README.md 
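Review bot: The `#[profile.release]` block in the first hunk is left as five lines of commented-out dead configuration; Cargo only honors profile sections from the workspace root (it warns and ignores them in member crates), so delete the block and leave a pointer such as `# release profile (lto, debug symbols) is set in the workspace root Cargo.toml`. In the second hunk switching from `[[bin]]` to `[[example]]` moves the binary to `target/release/examples/`, which `test.sh` in this commit follows, but the example README added alongside points at `../../target/examples/libfuzzer_libpng` and will send readers to a path that does not exist; the two should agree.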
@@ -0,0 +1,22 @@ +# Libfuzzer for libpng + +This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection. +It has been tested on Linux. + +## Build + +To build this example, run `cargo build --example libfuzzer_libpng --release`. +This will call (the build.rs)[./builld.rs], which in turn downloads a libpng archive from the web. +Then, it will link (the fuzzer)[./src/fuzzer.rs] against (the c++ harness)[./harness.cc] and the instrumented `libpng`. +Afterwards, the fuzzer will be ready to run, from `../../target/examples/libfuzzer_libpng`. + +## Run + +The first time you run the binary, the broker will open a tcp port (currently on port `1337`), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel. + +Each following execution will run a fuzzer client. +As this example uses in-process fuzzing, we added a Restarting Event Manager (`setup_restarting_mgr`). +This means each client will start itself again to listen for crashes and timeouts. +By restarting the actual fuzzer, it can recover from these exit conditions. + +For convenience, you may just run `./test.sh` in this folder. \ No newline at end of file diff --git a/fuzzers/libfuzzer_libpng/src/mod.rs b/fuzzers/libfuzzer_libpng/src/fuzzer.rs similarity index 100% rename from fuzzers/libfuzzer_libpng/src/mod.rs rename to fuzzers/libfuzzer_libpng/src/fuzzer.rs diff --git a/fuzzers/libfuzzer_libpng/test.sh b/fuzzers/libfuzzer_libpng/test.sh index e852e449e1..db3a2497d4 100755 --- a/fuzzers/libfuzzer_libpng/test.sh +++ b/fuzzers/libfuzzer_libpng/test.sh 
@@ -2,9 +2,16 @@
 mkdir -p ./crashes
-cargo build --release || exit 1
-cp ../../target/release/libfuzzer ./.libfuzzer_test.elf
+cargo build --example libfuzzer_libpng --release || exit 1
+cp ../../target/release/examples/libfuzzer_libpng ./.libfuzzer_test.elf
-RUST_BACKTRACE=full ./.libfuzzer_test.elf
+# The broker
+RUST_BACKTRACE=full ./.libfuzzer_test.elf &
+# Give the broker time to spawn
+sleep 2
+echo "Spawning client"
+# The 1st fuzzer client
+RUST_BACKTRACE=full ./.libfuzzer_test.elf 2>/dev/null
+killall .libfuzzer_test.elf
 rm -rf ./.libfuzzer_test.elf
diff --git a/libafl/Cargo.toml b/libafl/Cargo.toml
index 75488b6c61..38a94a54a1 100644
--- a/libafl/Cargo.toml
+++ b/libafl/Cargo.toml
@@ -24,10 +24,10 @@ harness = false
 name = "hash_speeds"
 harness = false
-[profile.release]
-lto = true
-opt-level = 3
-debug = true
+#[profile.release]
+#lto = true
+#opt-level = 3
+#debug = true
 [features]
 default = ["std", "anymapdbg"]
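Review bot: `killall .libfuzzer_test.elf` kills every process of that name the user owns, not the broker this script started, and if the `cp` or the client run fails before that line the backgrounded broker is left running; record the broker's PID from `$!` and kill it from an `EXIT` trap so cleanup happens on every exit path. The `sleep 2` is a race with broker startup on a loaded runner, and `2>/dev/null` on the client discards exactly the panics that `RUST_BACKTRACE=full` was set to surface, so redirect them to a file instead. The script has no `set -e`, so a failed `cp` after a successful build still proceeds to run a stale or missing binary; the `cp` should be fatal like the build.

```shell
cargo build --example libfuzzer_libpng --release || exit 1
cp ../../target/release/examples/libfuzzer_libpng ./.libfuzzer_test.elf || exit 1
# The broker
RUST_BACKTRACE=full ./.libfuzzer_test.elf &
broker_pid=$!
# Stop the broker we started and remove the copied binary on every exit path
trap 'kill "$broker_pid" 2>/dev/null; rm -f ./.libfuzzer_test.elf' EXIT
# … unchanged: sleep / echo …
# The 1st fuzzer client
RUST_BACKTRACE=full ./.libfuzzer_test.elf 2>./client_stderr.log
```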
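Review bot: Commenting out `[profile.release]` leaves four lines of dead configuration that will drift from the real profile now defined in the workspace root, and Cargo ignores profile sections in non-root workspace members anyway, so delete the block and leave a one-line pointer, `# build profiles live in the workspace root Cargo.toml`. Note that the removed block never set `codegen-units = 1` while the root profile added in this commit does, so release codegen for the library changes here in a way the commit message does not mention.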