further general improvements

AFLplusplus · Feb 13, 2023 · 07abe31 · 07abe31
1 parent 00c02ad
commit 07abe31
Show file tree

Hide file tree

Showing 11 changed files with 245 additions and 120 deletions.
diff --git a/libafl_libfuzzer/libafl_libfuzzer_runtime/Cargo.toml b/libafl_libfuzzer/libafl_libfuzzer_runtime/Cargo.toml
@@ -18,8 +18,8 @@ crate-type = ["staticlib", "rlib"]
 
 [dependencies]
 rand = "0.8.5"
-libafl = { path = "../../libafl", default-features = false, features = ["std", "derive", "llmp_compression", "rand_trait", "fork"] }
-libafl_targets = { path = "../../libafl_targets", features = ["sancov_8bit", "sancov_cmplog", "libfuzzer"] }
+libafl = { path = "../../libafl", default-features = false, features = ["std", "derive", "llmp_compression", "rand_trait", "fork", "errors_backtrace"] }
+libafl_targets = { path = "../../libafl_targets", features = ["sancov_8bit", "sancov_cmplog", "libfuzzer", "libfuzzer_oom"] }
 mimalloc = { version = "0.1.34", default-features = false }
 
 [workspace]
diff --git a/libafl_libfuzzer/libafl_libfuzzer_runtime/src/fuzz.rs b/libafl_libfuzzer/libafl_libfuzzer_runtime/src/fuzz.rs
@@ -1,5 +1,5 @@
 use core::ffi::c_int;
-use std::{env::temp_dir, fs::create_dir, net::TcpListener, path::PathBuf};
+use std::net::TcpListener;
 
 use libafl::{
     bolts::{

diff --git a/libafl_libfuzzer/libafl_libfuzzer_runtime/src/lib.rs b/libafl_libfuzzer/libafl_libfuzzer_runtime/src/lib.rs
@@ -5,6 +5,7 @@ use crate::options::{LibfuzzerMode, LibfuzzerOptions};
 pub(crate) mod feedbacks;
 mod fuzz;
 mod options;
+mod report;
 
 use mimalloc::MiMalloc;
 #[global_allocator]
@@ -67,14 +68,15 @@ macro_rules! make_fuzz_closure {
                 powersched::PowerSchedule, IndexesLenTimeMinimizerScheduler, PowerQueueScheduler,
             },
             stages::{
-                CalibrationStage, GeneralizationStage, SkippableStage, StdMutationalStage, StdPowerMutationalStage,
-                TracingStage,
+                CalibrationStage, GeneralizationStage, MapEqualityFactory, SkippableStage, StdMutationalStage,
+                StdPowerMutationalStage, StdTMinMutationalStage, TracingStage,
             },
             state::{HasCorpus, StdState},
             StdFuzzer,
         };
         use libafl_targets::{CmpLogObserver, LLVMCustomMutator, COUNTERS_MAPS, OOMFeedback, OOMObserver};
         use rand::{thread_rng, RngCore};
+        use std::{env::temp_dir, fs::create_dir, path::PathBuf};
 
         use crate::CustomMutationStatus;
         use crate::BACKTRACE;
@@ -132,6 +134,8 @@ macro_rules! make_fuzz_closure {
             // New maximization map feedback linked to the edges observer
             let map_feedback = MaxMapFeedback::new_tracking(&edges_observer, true, grimoire);
 
+            let map_eq_factory = MapEqualityFactory::new_from_observer(&edges_observer);
+
             // Set up a generalization stage for grimoire
             let generalization = GeneralizationStage::new(&edges_observer);
             let generalization = SkippableStage::new(generalization, |_| grimoire.into());
@@ -329,7 +333,7 @@ macro_rules! make_fuzz_closure {
             let mut executor = TimeoutExecutor::new(
                 InProcessExecutor::new(
                     &mut harness,
-                    tuple_list!(oom_observer, edges_observer, time_observer, backtrace_observer),
+                    tuple_list!(edges_observer, time_observer, backtrace_observer, oom_observer),
                     &mut fuzzer,
                     &mut state,
                     &mut mgr,
@@ -369,6 +373,13 @@ macro_rules! make_fuzz_closure {
                 }
             }
 
+            let minimizer = StdScheduledMutator::new(havoc_mutations());
+            let tmin = StdTMinMutationalStage::new(
+                minimizer,
+                map_eq_factory,
+                1 << 5
+            );
+
             // Setup a tracing stage in which we log comparisons
             let tracing = TracingStage::new(InProcessExecutor::new(
                 &mut tracing_harness,
@@ -380,6 +391,7 @@ macro_rules! make_fuzz_closure {
 
             // The order of the stages matter!
             let mut stages = tuple_list!(
+                tmin,
                 generalization,
                 calibration,
                 tracing,
@@ -436,7 +448,16 @@ pub fn LLVMFuzzerRunDriver(
         LibfuzzerMode::Fuzz => fuzz::fuzz(options, harness),
         LibfuzzerMode::Merge => unimplemented!(),
         LibfuzzerMode::Cmin => unimplemented!(),
+        LibfuzzerMode::Report => report::report(options, harness),
     };
-    res.expect("Encountered error while performing libfuzzer shimming");
-    0
+    if res.is_err() {
+        let err = res.unwrap_err();
+        eprintln!(
+            "Encountered error while performing libfuzzer shimming: {}",
+            err
+        );
+        1
+    } else {
+        0
+    }
 }
diff --git a/libafl_libfuzzer/libafl_libfuzzer_runtime/src/options.rs b/libafl_libfuzzer/libafl_libfuzzer_runtime/src/options.rs
@@ -30,6 +30,7 @@ pub enum LibfuzzerMode {
     Fuzz,
     Merge,
     Cmin,
+    Report,
 }
 
 #[derive(Debug)]
@@ -234,6 +235,14 @@ impl<'a> LibfuzzerOptionsBuilder<'a> {
                                 return Err(OptionsParseError::MultipleModesSelected);
                             }
                         }
+                        "report" => {
+                            if parse_or_bail!(name, value, u64) > 0
+                                && *self.mode.get_or_insert(LibfuzzerMode::Report)
+                                    != LibfuzzerMode::Report
+                            {
+                                return Err(OptionsParseError::MultipleModesSelected);
+                            }
+                        }
                         "grimoire" => self.grimoire = Some(parse_or_bail!(name, value, u64) > 0),
                         "artifact_prefix" => {
                             self.artifact_prefix = Some(value);

diff --git a/libafl_libfuzzer/libafl_libfuzzer_runtime/src/report.rs b/libafl_libfuzzer/libafl_libfuzzer_runtime/src/report.rs
@@ -0,0 +1,52 @@
+use std::ffi::c_int;
+
+use libafl::{
+    events::{ProgressReporter, SimpleEventManager},
+    executors::HasObservers,
+    feedbacks::{MapFeedbackMetadata, MAPFEEDBACK_PREFIX},
+    inputs::UsesInput,
+    monitors::SimpleMonitor,
+    stages::StagesTuple,
+    state::{HasClientPerfMonitor, HasExecutions, HasMetadata, HasNamedMetadata},
+    Error, Fuzzer,
+};
+
+use crate::{make_fuzz_closure, options::LibfuzzerOptions};
+
+fn do_report<F, ST, E, S, EM>(
+    _fuzzer: &mut F,
+    _stages: &mut ST,
+    _executor: &mut E,
+    state: &mut S,
+    _mgr: &mut EM,
+) -> Result<(), Error>
+where
+    F: Fuzzer<E, EM, ST, State = S>,
+    S: HasClientPerfMonitor + HasMetadata + HasNamedMetadata + HasExecutions + UsesInput,
+    E: HasObservers<State = S>,
+    EM: ProgressReporter<State = S>,
+    ST: StagesTuple<E, EM, S, F>,
+{
+    let meta = state
+        .named_metadata()
+        .get::<MapFeedbackMetadata<u8>>(&(MAPFEEDBACK_PREFIX.to_string() + "edges"))
+        .unwrap();
+    let observed = meta.history_map.iter().filter(|&&e| e != 0).count();
+    let total = meta.history_map.len();
+
+    println!(
+        "Observed {observed}/{total} edges ({}%)",
+        observed as f64 / total as f64
+    );
+
+    Ok(())
+}
+
+pub fn report(
+    options: LibfuzzerOptions,
+    harness: &extern "C" fn(*const u8, usize) -> c_int,
+) -> Result<(), Error> {
+    let reporter = make_fuzz_closure!(options, harness, do_report);
+    let mgr = SimpleEventManager::new(SimpleMonitor::new(|s| eprintln!("{s}")));
+    reporter(None, mgr, 0)
+}
diff --git a/libafl_targets/Cargo.toml b/libafl_targets/Cargo.toml
@@ -16,6 +16,7 @@ categories = ["development-tools::testing", "emulators", "embedded", "os", "no-s
 default = ["std", "sanitizers_flags"]
 std = ["libafl/std"]
 libfuzzer = ["std", "sanitizer_ifaces"]
+libfuzzer_oom = ["libfuzzer"]
 sanitizers_flags = []
 pointer_maps = []
 sancov_pcguard_edges = []