Make corpus and solution not mutually exclusive (#3029)

* make fuzzer great again

* crash handlers

* hello from windows

* fk

* gee

* m

* temporary fix

* f

* mm

* CICI

* fixer

* Fix Dockerfile

* lol

* clp

* Fuck you clippy

* This lint makes no sense, 0

* ??

* a

* fix

* this lint makes 0 sense

* mm

* clp

* a

* a

* clp

* clippy

* clp

* mm

* FMT

* p

---------

Co-authored-by: Your Name <[email protected]>
Co-authored-by: toka <[email protected]>

Author: 3 people

Cargo.toml

@@ -156,8 +156,8 @@ std_instead_of_core = "deny"
 cargo = { level = "warn", priority = -1 }
 
 # Allow
-negative_feature_names = "allow"    # TODO: turn into 'warn' when working
-multiple_crate_versions = "allow"   # TODO: turn into `warn` when working
+negative_feature_names = "allow"       # TODO: turn into 'warn' when working
+multiple_crate_versions = "allow"      # TODO: turn into `warn` when working
 unreadable_literal = "allow"
 type_repetition_in_bounds = "allow"
 missing_errors_doc = "allow"
@@ -169,8 +169,8 @@ module_name_repetitions = "allow"
 unsafe_derive_deserialize = "allow"
 similar_names = "allow"
 too_many_lines = "allow"
-comparison_chain = "allow"          # This lint makes **ZERO** sense
-
+comparison_chain = "allow"             # This lint makes **ZERO** sense
+unnecessary_debug_formatting = "allow" # :thumbsdown: :thumbsdown: :thumbsdown: :thumbsdown: :thumbsdown: :thumbsdown: 
 
 [workspace.lints.rustdoc]
 # Deny

Dockerfile

@@ -68,28 +68,33 @@ RUN set -ex &&\
   chmod +x llvm.sh &&\
   ./llvm.sh ${LLVM_VERSION}
 
+RUN apt-get update && \
+  apt-get install -y \
+  clang-format-${LLVM_VERSION}
+
 RUN git config --global core.pager cat
 
 # Install a modern version of QEMU
-
 WORKDIR /root
 ENV QEMU_VER=9.2.1
-RUN wget https://download.qemu.org/qemu-${QEMU_VER}.tar.xz
-RUN tar xvJf qemu-${QEMU_VER}.tar.xz
-WORKDIR /root/qemu-${QEMU_VER}
-RUN ./configure --target-list="\
-    arm-linux-user,\
-    aarch64-linux-user,\
-    i386-linux-user,\
-    ppc-linux-user,\
-    mips-linux-user,\
-    arm-softmmu,\
-    aarch64-softmmu,\
-    i386-softmmu,\
-    ppc-softmmu,\
-    mips-softmmu"
-RUN make -j
-RUN make install
+RUN wget https://download.qemu.org/qemu-${QEMU_VER}.tar.xz && \
+    tar xvJf qemu-${QEMU_VER}.tar.xz && \
+    cd /root/qemu-${QEMU_VER} && \
+   ./configure --target-list="\
+      arm-linux-user,\
+      aarch64-linux-user,\
+      i386-linux-user,\
+      ppc-linux-user,\
+      mips-linux-user,\
+      arm-softmmu,\
+      aarch64-softmmu,\
+      i386-softmmu,\
+      ppc-softmmu,\
+      mips-softmmu" && \
+    make -j && \
+    make install && \
+    cd /root && \
+    rm -rf qemu-${QEMU_VER}
 
 # Copy a dummy.rs and Cargo.toml first, so that dependencies are cached
 WORKDIR /libafl

fuzzers/forkserver/libafl-fuzz/src/corpus.rs

@@ -146,12 +146,10 @@ pub fn check_autoresume(fuzzer_dir: &Path, auto_resume: bool) -> Result<Flock<Fi
 
 pub fn create_dir_if_not_exists(path: &Path) -> io::Result<()> {
     if path.is_file() {
-        return Err(io::Error::new(
-            // TODO: change this to ErrorKind::NotADirectory
-            // when stabilitzed https://github.com/rust-lang/rust/issues/86442
-            io::ErrorKind::Other,
-            format!("{} expected a directory; got a file", path.display()),
-        ));
+        return Err(io::Error::other(format!(
+            "{} expected a directory; got a file",
+            path.display()
+        )));
     }
     match std::fs::create_dir(path) {
         Ok(()) => Ok(()),

fuzzers/forkserver/libafl-fuzz/src/feedback/seed.rs

@@ -100,12 +100,6 @@ where
         Ok(())
     }
 
-    /// Discard the stored metadata in case that the testcase is not added to the corpus
-    #[inline]
-    fn discard_metadata(&mut self, state: &mut S, input: &I) -> Result<(), Error> {
-        self.inner.discard_metadata(state, input)?;
-        Ok(())
-    }
     #[cfg(feature = "track_hit_feedbacks")]
     fn last_result(&self) -> Result<bool, Error> {
         self.inner.last_result()

fuzzers/inprocess/fuzzbench_ctx/src/lib.rs

@@ -345,16 +345,6 @@ fn fuzz(
 
     let mut tracing_harness = harness;
     let ctx_hook = CtxHook::new();
-    // Create the executor for an in-process function with one observer for edge coverage and one for the execution time
-    let mut executor = HookableInProcessExecutor::with_timeout_generic(
-        tuple_list!(ctx_hook),
-        &mut harness,
-        tuple_list!(edges_observer, time_observer),
-        &mut fuzzer,
-        &mut state,
-        &mut mgr,
-        timeout,
-    )?;
 
     // Setup a tracing stage in which we log comparisons
     let tracing = TracingStage::new(
@@ -369,6 +359,17 @@ fn fuzz(
         // Give it more time!
     );
 
+    // Create the executor for an in-process function with one observer for edge coverage and one for the execution time
+    let mut executor = HookableInProcessExecutor::with_timeout_generic(
+        tuple_list!(ctx_hook),
+        &mut harness,
+        tuple_list!(edges_observer, time_observer),
+        &mut fuzzer,
+        &mut state,
+        &mut mgr,
+        timeout,
+    )?;
+
     // The order of the stages matter!
     let mut stages = tuple_list!(calibration, tracing, i2s, power);
 

libafl/src/events/launcher.rs

@@ -274,7 +274,7 @@ where
         // Spawn clients
         let mut index = 0_usize;
         for bind_to in core_ids {
-            if self.cores.ids.iter().any(|&x| x == bind_to) {
+            if self.cores.ids.contains(&bind_to) {
                 for overcommit_id in 0..self.overcommit {
                     index += 1;
                     self.shmem_provider.pre_fork()?;
@@ -456,7 +456,7 @@ where
                 //spawn clients
                 let mut index = 0;
                 for core_id in core_ids {
-                    if self.cores.ids.iter().any(|&x| x == core_id) {
+                    if self.cores.ids.contains(&core_id) {
                         for overcommit_i in 0..self.overcommit {
                             index += 1;
                             // Forward own stdio to child processes, if requested by user
@@ -748,7 +748,7 @@ where
         // Spawn clients
         let mut index = 0_usize;
         for bind_to in core_ids {
-            if self.cores.ids.iter().any(|&x| x == bind_to) {
+            if self.cores.ids.contains(&bind_to) {
                 for overcommit_id in 0..self.overcommit {
                     index += 1;
                     self.shmem_provider.pre_fork()?;

libafl/src/executors/hooks/inprocess.rs

@@ -24,7 +24,7 @@ use windows::Win32::System::Threading::{CRITICAL_SECTION, PTP_TIMER};
 #[cfg(feature = "std")]
 use crate::executors::hooks::timer::TimerStruct;
 use crate::{
-    Error, HasObjective,
+    Error, HasFeedback, HasObjective,
     events::{EventFirer, EventRestarter},
     executors::{Executor, HasObservers, hooks::ExecutorHook, inprocess::HasInProcessHooks},
     feedbacks::Feedback,
@@ -202,7 +202,7 @@ impl<I, S> ExecutorHook<I, S> for InProcessHooks<I, S> {
         // Imagine there are two executors, you have to set the correct crash handlers for each of the executor.
         unsafe {
             let data = &raw mut GLOBAL_STATE;
-            assert!((*data).crash_handler == null());
+            assert!((*data).crash_handler.is_null());
             // usually timeout handler and crash handler is set together
             // so no check for timeout handler is null or not
             (*data).crash_handler = self.crash_handler;
@@ -232,14 +232,15 @@ impl<I, S> InProcessHooks<I, S> {
     /// Create new [`InProcessHooks`].
     #[cfg(unix)]
     #[allow(unused_variables)] // for `exec_tmout` without `std`
-    pub fn new<E, EM, OF, Z>(exec_tmout: Duration) -> Result<Self, Error>
+    pub fn new<E, EM, F, OF, Z>(exec_tmout: Duration) -> Result<Self, Error>
     where
         E: Executor<EM, I, S, Z> + HasObservers + HasInProcessHooks<I, S>,
         E::Observers: ObserversTuple<I, S>,
         EM: EventFirer<I, S> + EventRestarter<S>,
+        F: Feedback<EM, I, E::Observers, S>,
         OF: Feedback<EM, I, E::Observers, S>,
         S: HasExecutions + HasSolutions<I> + HasCurrentTestcase<I>,
-        Z: HasObjective<Objective = OF>,
+        Z: HasObjective<Objective = OF> + HasFeedback<Feedback = F>,
         I: Input + Clone,
     {
         // # Safety
@@ -249,7 +250,7 @@ impl<I, S> InProcessHooks<I, S> {
         #[cfg(all(not(miri), unix, feature = "std"))]
         let data = unsafe { &raw mut GLOBAL_STATE };
         #[cfg(feature = "std")]
-        unix_signal_handler::setup_panic_hook::<E, EM, I, OF, S, Z>();
+        unix_signal_handler::setup_panic_hook::<E, EM, F, I, OF, S, Z>();
         // # Safety
         // Setting up the signal handlers with a pointer to the `GLOBAL_STATE` which should not be NULL at this point.
         // We are the sole users of `GLOBAL_STATE` right now, and only dereference it in case of Segfault/Panic.
@@ -262,10 +263,10 @@ impl<I, S> InProcessHooks<I, S> {
         compiler_fence(Ordering::SeqCst);
         Ok(Self {
             #[cfg(feature = "std")]
-            crash_handler: unix_signal_handler::inproc_crash_handler::<E, EM, I, OF, S, Z>
+            crash_handler: unix_signal_handler::inproc_crash_handler::<E, EM, F, I, OF, S, Z>
                 as *const c_void,
             #[cfg(feature = "std")]
-            timeout_handler: unix_signal_handler::inproc_timeout_handler::<E, EM, I, OF, S, Z>
+            timeout_handler: unix_signal_handler::inproc_timeout_handler::<E, EM, F, I, OF, S, Z>
                 as *const _,
             #[cfg(feature = "std")]
             timer: TimerStruct::new(exec_tmout),
@@ -276,15 +277,16 @@ impl<I, S> InProcessHooks<I, S> {
     /// Create new [`InProcessHooks`].
     #[cfg(windows)]
     #[allow(unused_variables)] // for `exec_tmout` without `std`
-    pub fn new<E, EM, OF, Z>(exec_tmout: Duration) -> Result<Self, Error>
+    pub fn new<E, EM, F, OF, Z>(exec_tmout: Duration) -> Result<Self, Error>
     where
         E: Executor<EM, I, S, Z> + HasObservers + HasInProcessHooks<I, S>,
         E::Observers: ObserversTuple<I, S>,
         EM: EventFirer<I, S> + EventRestarter<S>,
         I: Input + Clone,
+        F: Feedback<EM, I, E::Observers, S>,
         OF: Feedback<EM, I, E::Observers, S>,
         S: HasExecutions + HasSolutions<I> + HasCurrentTestcase<I>,
-        Z: HasObjective<Objective = OF>,
+        Z: HasObjective<Objective = OF> + HasFeedback<Feedback = F>,
     {
         let ret;
         #[cfg(feature = "std")]
@@ -293,6 +295,7 @@ impl<I, S> InProcessHooks<I, S> {
             crate::executors::hooks::windows::windows_exception_handler::setup_panic_hook::<
                 E,
                 EM,
+                F,
                 I,
                 OF,
                 S,
@@ -304,6 +307,7 @@ impl<I, S> InProcessHooks<I, S> {
                 crate::executors::hooks::windows::windows_exception_handler::inproc_crash_handler::<
                     E,
                     EM,
+                    F,
                     I,
                     OF,
                     S,
@@ -313,6 +317,7 @@ impl<I, S> InProcessHooks<I, S> {
                 crate::executors::hooks::windows::windows_exception_handler::inproc_timeout_handler::<
                     E,
                     EM,
+                    F,
                     I,
                     OF,
                     S,
@@ -339,13 +344,14 @@ impl<I, S> InProcessHooks<I, S> {
     /// Create a new [`InProcessHooks`]
     #[cfg(all(not(unix), not(windows)))]
     #[expect(unused_variables)]
-    pub fn new<E, EM, OF, Z>(exec_tmout: Duration) -> Result<Self, Error>
+    pub fn new<E, EM, F, OF, Z>(exec_tmout: Duration) -> Result<Self, Error>
     where
         E: Executor<EM, I, S, Z> + HasObservers + HasInProcessHooks<I, S>,
         EM: EventFirer<I, S> + EventRestarter<S>,
+        F: Feedback<EM, I, E::Observers, S>,
         OF: Feedback<EM, I, E::Observers, S>,
         S: HasExecutions + HasSolutions<I>,
-        Z: HasObjective<Objective = OF>,
+        Z: HasObjective<Objective = OF> + HasFeedback<Feedback = F>,
     {
         #[cfg_attr(miri, allow(unused_variables))]
         let ret = Self {
@@ -472,17 +478,18 @@ impl InProcessExecutorHandlerData {
     ///
     /// Should only be called to signal a crash in the target
     #[cfg(all(unix, feature = "std"))]
-    pub unsafe fn maybe_report_crash<E, EM, I, OF, S, Z>(
+    pub unsafe fn maybe_report_crash<E, EM, F, I, OF, S, Z>(
         &mut self,
         bsod_info: Option<BsodInfo>,
     ) -> bool
     where
         E: Executor<EM, I, S, Z> + HasObservers,
         E::Observers: ObserversTuple<I, S>,
         EM: EventFirer<I, S> + EventRestarter<S>,
+        F: Feedback<EM, I, E::Observers, S>,
         OF: Feedback<EM, I, E::Observers, S>,
         S: HasExecutions + HasSolutions<I> + HasCorpus<I> + HasCurrentTestcase<I>,
-        Z: HasObjective<Objective = OF>,
+        Z: HasObjective<Objective = OF> + HasFeedback<Feedback = F>,
         I: Input + Clone,
     {
         unsafe {
@@ -510,7 +517,7 @@ impl InProcessExecutorHandlerData {
                     }
                 }
 
-                run_observers_and_save_state::<E, EM, I, OF, S, Z>(
+                run_observers_and_save_state::<E, EM, F, I, OF, S, Z>(
                     executor,
                     state,
                     input,

libafl/src/executors/hooks/timer.rs

@@ -178,7 +178,7 @@ impl TimerStruct {
     pub unsafe fn new(exec_tmout: Duration, timeout_handler: *const c_void) -> Self {
         let milli_sec = exec_tmout.as_millis() as i64;
 
-        let timeout_handler: PTP_TIMER_CALLBACK = unsafe { std::mem::transmute(timeout_handler) };
+        let timeout_handler: PTP_TIMER_CALLBACK = unsafe { core::mem::transmute(timeout_handler) };
         let ptp_timer = unsafe {
             CreateThreadpoolTimer(
                 Some(timeout_handler),