Make fuzzer hold testcase bytes converter (#3127)

* add

* fixing

* done

* fix

* a

* no std

* mm

* aaa

* fix

* mm

* please stop

* please stop

* please stop

* Just

* aaaaa

* aaa

* plz stop

* aaa

* mmm

* aaa

* AAAAAAAAAAAAAA

* a bit faster CI?

* win

* wtf are these garbages..?

* no cache?

* ???

* always

* ?/

* aa

* aa

* glib

* glib

* pixman

* AAA

* AA

* unicorn

* unicron

* nyx

Author: tokatoka

.github/workflows/build_and_test.yml

@@ -270,7 +270,7 @@ jobs:
           - ./fuzzers/binary_only/fuzzbench_qemu
           - ./fuzzers/binary_only/intel_pt_baby_fuzzer
           - ./fuzzers/binary_only/intel_pt_command_executor
-          - ./fuzzers/binary_only/tinyinst_simple
+          # - ./fuzzers/binary_only/tinyinst_simple
 
           # Forkserver
           - ./fuzzers/forkserver/forkserver_simple
@@ -326,6 +326,8 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/workflows/fuzzer-tester-prepare
+        with:
+          fuzzer-name: ${{ matrix.fuzzer }}
       - name: Build and run example fuzzers (Linux)
         if: runner.os == 'Linux'
         shell: bash
@@ -366,7 +368,7 @@ jobs:
       - name: "Install dependencies"
         if: runner.os == 'Linux'
         shell: bash
-        run: sudo apt-get update && sudo apt-get install gcc gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
+        run: sudo apt-get update && sudo apt-get install gcc gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu gcc-riscv64-linux-gnu
       - name: Build and run example fuzzers (Linux)
         if: runner.os == 'Linux'
         shell: bash

.github/workflows/fuzzer-tester-prepare/action.yml

@@ -1,5 +1,9 @@
 name: Setup Rust Environment
 description: Sets up the Rust environment for the CI workflow
+inputs:
+  fuzzer-name:
+    description: 'The fuzzer name to run'
+    required: true
 runs:
   using: composite
   steps:
@@ -8,33 +12,33 @@ runs:
         submodules: true
         fetch-depth: 0
     - uses: ./.github/workflows/ubuntu-prepare
-    - uses: Swatinem/rust-cache@v2
-      with: { shared-key: "${{ runner.os }}-shared-fuzzer-cache" }
-    - name: Install fuzzers deps
-      shell: bash
-      run: sudo apt-get update && sudo apt-get install -y nasm nlohmann-json3-dev gcc-aarch64-linux-gnu g++-aarch64-linux-gnu gcc-mipsel-linux-gnu g++-mipsel-linux-gnu gcc-riscv64-linux-gnu gcc-powerpc-linux-gnu g++-powerpc-linux-gnu libc6-dev-i386-cross libc6-dev libc6-dev-i386 lib32gcc-11-dev lib32stdc++-11-dev libgtk-3-dev pax-utils python3-msgpack python3-jinja2 
     - name: enable mult-thread for `make`
       shell: bash
       run: export MAKEFLAGS="-j$(expr $(nproc) \+ 1)"
     - name: Add no_std toolchain
+      if: ${{ inputs.fuzzer-name == './fuzzers/fuzz_anything/baby_no_std' }}
       shell: bash
       run: rustup toolchain install nightly-x86_64-unknown-linux-gnu ; rustup component add rust-src --toolchain nightly-x86_64-unknown-linux-gnu
-    - name: Add wasm target
+    - name: Add nyx deps
+      if: ${{ inputs.fuzzer-name == './fuzzers/full_system/nyx_launcher' || inputs.fuzzer-name == './fuzzers/full_system/nyx_libxml2_standalone' || inputs.fuzzer-name == './fuzzers/full_system/nyx_libxml2_parallel' }}
       shell: bash
-      run: rustup target add wasm32-unknown-unknown
+      run: sudo apt update && sudo apt install -y libgtk-3-dev pax-utils python3-msgpack python3-jinja2 libcapstone-dev
     - name: install just
       uses: extractions/setup-just@v2
       with:
-        just-version: 1.39.0
+        just-version: '1.40.0'
+    
+    - name: Add wasm target
+      if: ${{ inputs.fuzzer-name == './fuzzers/fuzz_anything/baby_fuzzer_wasm' }}
+      shell: bash
+      run: rustup target add wasm32-unknown-unknown
     - name: install wasm-pack
+      if: ${{ inputs.fuzzer-name == './fuzzers/fuzz_anything/baby_fuzzer_wasm' }}
       uses: baptiste0928/cargo-install@v3
       with:
         crate: wasm-pack
-    - name: install cxxbridge-cmd
-      uses: baptiste0928/cargo-install@v3
-      with:
-        crate: cxxbridge-cmd
     - name: install chrome
+      if: ${{ inputs.fuzzer-name == './fuzzers/fuzz_anything/baby_fuzzer_wasm' }}
       uses: browser-actions/setup-chrome@v1
       with:
         chrome-version: stable

.github/workflows/librasan-prepare/action.yml

@@ -47,7 +47,7 @@ runs:
     - name: install just
       uses: extractions/setup-just@v2
       with:
-        just-version: 1.39.0
+        just-version: '1.40.0'
     - name: Install cargo-binstall
       shell: bash
       run: |

.github/workflows/qemu-fuzzer-tester-prepare/action.yml

@@ -16,7 +16,7 @@ runs:
     - name: install just
       uses: extractions/setup-just@v2
       with:
-        just-version: 1.39.0
+        just-version: '1.40.0'
     - uses: actions/checkout@v4
       with:
         submodules: true

.github/workflows/ubuntu-prepare/action.yml

@@ -7,13 +7,12 @@ runs:
       shell: bash
       run: |
         sudo apt-get update
-        sudo apt-get install -y curl lsb-release wget software-properties-common gnupg shellcheck pax-utils \
-          nasm libsqlite3-dev libc6-dev libgtk-3-dev gcc g++ libslirp-dev libz3-dev build-essential \
+        sudo apt-get install -y curl lsb-release wget software-properties-common gnupg shellcheck pax-utils libsqlite3-dev libpixman-1-dev libc6-dev gcc g++ build-essential libglib2.0-dev
     - uses: dtolnay/rust-toolchain@stable
     - name: install just
       uses: extractions/setup-just@v2
       with:
-        just-version: 1.39.0
+        just-version: '1.40.0'
     - name: Add stable clippy
       shell: bash
       run: rustup toolchain install stable --component clippy --allow-downgrade

.github/workflows/windows-tester-prepare/action.yml

@@ -18,4 +18,4 @@ runs:
     - name: install just
       uses: extractions/setup-just@v2
       with:
-        just-version: 1.39.0
+        just-version: '1.40.0'

.gitignore

@@ -5,9 +5,6 @@ vendor
 
 # cargo lockfiles except from binaries
 **/Cargo.lock
-# !fuzzers/**/Cargo.lock
-# !utils/**/Cargo.lock
-
 
 .DS_Store
 .env

fuzzers/baby/baby_fuzzer_custom_executor/src/main.rs

@@ -14,15 +14,15 @@ use libafl::{
     feedbacks::{CrashFeedback, MaxMapFeedback},
     fuzzer::{Fuzzer, StdFuzzer},
     generators::RandPrintablesGenerator,
-    inputs::HasTargetBytes,
+    inputs::{HasTargetBytes, NopBytesConverter},
     mutators::{havoc_mutations::havoc_mutations, scheduled::HavocScheduledMutator},
     observers::StdMapObserver,
     schedulers::QueueScheduler,
     stages::{mutational::StdMutationalStage, AflStatsStage, CalibrationStage},
     state::{HasCorpus, HasExecutions, StdState},
+    BloomInputFilter, StdFuzzerBuilder,
 };
 use libafl_bolts::{current_nanos, nonzero, rands::StdRand, tuples::tuple_list, AsSlice};
-
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
 static mut SIGNALS_PTR: *mut u8 = &raw mut SIGNALS as _;
@@ -138,8 +138,13 @@ pub fn main() {
     #[cfg(not(feature = "bloom_input_filter"))]
     let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
     #[cfg(feature = "bloom_input_filter")]
-    let mut fuzzer =
-        StdFuzzer::with_bloom_input_filter(scheduler, feedback, objective, 10_000_000, 0.001);
+    let filter = BloomInputFilter::new(10_000_000, 0.001);
+    #[cfg(feature = "bloom_input_filter")]
+    let mut fuzzer = StdFuzzerBuilder::new()
+        .input_filter(filter)
+        .bytes_converter(NopBytesConverter::default())
+        .build(scheduler, feedback, objective)
+        .unwrap();
 
     // Create the executor for an in-process function with just one observer
     let executor = CustomExecutor::new(&state);

fuzzers/forkserver/libafl-fuzz/src/fuzzer.rs

@@ -22,7 +22,7 @@ use libafl::{
         CaptureTimeoutFeedback, ConstFeedback, CrashFeedback, MaxMapFeedback, TimeFeedback,
     },
     fuzzer::StdFuzzer,
-    inputs::{BytesInput, NopTargetBytesConverter},
+    inputs::BytesInput,
     mutators::{havoc_mutations, tokens_mutations, AFLppRedQueen, HavocScheduledMutator, Tokens},
     observers::{CanTrack, HitcountsMapObserver, StdMapObserver, TimeObserver},
     schedulers::{
@@ -567,7 +567,7 @@ fn base_forkserver_builder<'a>(
     opt: &'a Opt,
     shmem_provider: &'a mut UnixShMemProvider,
     fuzzer_dir: &Path,
-) -> ForkserverExecutorBuilder<'a, NopTargetBytesConverter<BytesInput>, UnixShMemProvider> {
+) -> ForkserverExecutorBuilder<'a, UnixShMemProvider> {
     let mut executor = ForkserverExecutor::builder()
         .program(opt.executable.clone())
         .coverage_map_size(opt.map_size.unwrap_or(AFL_DEFAULT_MAP_SIZE))

fuzzers/structure_aware/forkserver_simple_nautilus/src/main.rs

@@ -10,9 +10,9 @@ use libafl::{
     feedbacks::{
         CrashFeedback, MaxMapFeedback, NautilusChunksMetadata, NautilusFeedback, TimeFeedback,
     },
-    fuzzer::{Fuzzer, StdFuzzer},
+    fuzzer::Fuzzer,
     generators::{NautilusContext, NautilusGenerator},
-    inputs::{NautilusInput, NautilusTargetBytesConverter},
+    inputs::{NautilusBytesConverter, NautilusInput},
     monitors::SimpleMonitor,
     mutators::{
         HavocScheduledMutator, NautilusRandomMutator, NautilusRecursionMutator,
@@ -22,7 +22,7 @@ use libafl::{
     schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
     stages::mutational::StdMutationalStage,
     state::StdState,
-    HasMetadata,
+    BloomInputFilter, HasMetadata, StdFuzzerBuilder,
 };
 use libafl_bolts::{
     current_nanos,
@@ -166,7 +166,12 @@ pub fn main() {
     let scheduler = IndexesLenTimeMinimizerScheduler::new(&edges_observer, QueueScheduler::new());
 
     // A fuzzer with feedbacks and a corpus scheduler
-    let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+    let converter = NautilusBytesConverter::new(&context);
+    let mut fuzzer = StdFuzzerBuilder::new()
+        .input_filter(BloomInputFilter::default())
+        .bytes_converter(converter)
+        .build(scheduler, feedback, objective)
+        .unwrap();
 
     // If we should debug the child
     let debug_child = opt.debug_child;
@@ -186,7 +191,6 @@ pub fn main() {
         .coverage_map_size(MAP_SIZE)
         .timeout(Duration::from_millis(opt.timeout))
         .kill_signal(opt.signal)
-        .target_bytes_converter(NautilusTargetBytesConverter::new(&context))
         .build(tuple_list!(time_observer, edges_observer))
         .unwrap();
 

fuzzers/structure_aware/nautilus_sync/src/lib.rs

@@ -15,7 +15,7 @@ use libafl::{
     feedbacks::{CrashFeedback, MaxMapFeedback, NautilusChunksMetadata, NautilusFeedback},
     fuzzer::{Fuzzer, StdFuzzer},
     generators::{NautilusContext, NautilusGenerator},
-    inputs::{NautilusInput, NautilusToBytesInputConverter},
+    inputs::{NautilusBytesConverter, NautilusInput},
     monitors::SimpleMonitor,
     mutators::{
         HavocScheduledMutator, NautilusRandomMutator, NautilusRecursionMutator,
@@ -126,7 +126,7 @@ pub extern "C" fn libafl_main() {
             .build_on_port(
                 shmem_provider.clone(),
                 port,
-                Some(NautilusToBytesInputConverter::new(&context)),
+                Some(NautilusBytesConverter::new(&context)),
                 none_input_converter!(),
             )
             .unwrap()

libafl/src/events/launcher.rs

@@ -366,7 +366,7 @@ where
                     "Not spawning broker (spawn_broker is false). Waiting for fuzzer children to exit..."
                 );
                 unsafe {
-                    libc::waitpid(*handle, &mut status, 0);
+                    libc::waitpid(*handle, &raw mut status, 0);
                     if status != 0 {
                         log::info!("Client with pid {handle} exited with status {status}");
                     }

libafl/src/events/llmp/mod.rs

@@ -18,7 +18,7 @@ use crate::{
     Error,
     events::{Event, EventFirer, EventWithStats},
     fuzzer::EvaluatorObservers,
-    inputs::{Input, InputConverter, NopInput, NopInputConverter},
+    inputs::{Input, InputConverter, NopInput},
     state::{HasCurrentTestcase, HasSolutions, NopState},
 };
 
@@ -88,16 +88,7 @@ pub struct LlmpEventConverter<I, IC, ICB, S, SHM, SP> {
     phantom: PhantomData<(I, S)>,
 }
 
-impl
-    LlmpEventConverter<
-        NopInput,
-        NopInputConverter<NopInput>,
-        NopInputConverter<NopInput>,
-        NopState<NopInput>,
-        NopShMem,
-        NopShMemProvider,
-    >
-{
+impl LlmpEventConverter<NopInput, (), (), NopState<NopInput>, NopShMem, NopShMemProvider> {
     /// Create a builder for [`LlmpEventConverter`]
     #[must_use]
     pub fn builder() -> LlmpEventConverterBuilder {