Merge branch 'main' into mapping-mutator

Author: riesentoaster

.devcontainer/devcontainer.json

@@ -9,7 +9,10 @@
 	"customizations": {
 		"vscode": {
 			// Add the IDs of extensions you want installed when the container is created.
-			"extensions": ["matklad.rust-analyzer", "microsoft.Docker"],
+			"extensions": [
+				"rust-lang.rust-analyzer",
+				"microsoft.Docker"
+			],
 			// Set *default* container specific settings.json values on container create.
 			"settings": {
 				"rust-analyzer.cargo.noDefaultFeatures": true
@@ -20,7 +23,7 @@
 	// "forwardPorts": [],
 	// Uncomment the next line to run commands after the container is created - for example installing curl.
 	// Install development components that shouldn't be in the main Dockerfile
-	"postCreateCommand": "rustup component add --toolchain nightly rustfmt clippy llvm-tools-preview && cargo install --locked cargo-make",
+	"postCreateCommand": "rustup component add --toolchain nightly rustfmt clippy llvm-tools-preview && cargo binstall --locked cargo-make",
 	// Uncomment when using a ptrace-based debugger like C++, Go, and Rust
 	"runArgs": [
 		"--cap-add=SYS_PTRACE",
@@ -31,4 +34,4 @@
 	// "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
 	// Uncomment to connect as a non-root user if you've added one. See https://aka.ms/vscode-remote/containers/non-root.
 	// "remoteUser": "vscode"
-}
+}

Dockerfile

@@ -3,8 +3,10 @@ FROM rust:1.76.0 AS libafl
 LABEL "maintainer"="afl++ team <[email protected]>"
 LABEL "about"="LibAFL Docker image"
 
+# Install cargo-binstall to download the sccache build
+RUN curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
 # install sccache to cache subsequent builds of dependencies
-RUN cargo install --locked sccache
+RUN cargo binstall --no-confirm sccache
 
 ENV HOME=/root
 ENV SCCACHE_CACHE_SIZE="1G"
@@ -22,12 +24,11 @@ RUN rustup component add rustfmt clippy
 # Install clang 18, common build tools
 ENV LLVM_VERSION=18
 RUN apt update && apt install -y build-essential gdb git wget python3-venv ninja-build lsb-release software-properties-common gnupg cmake
-# Workaround until https://github.com/llvm/llvm-project/issues/62475 is resolved
 RUN set -ex &&\
-    echo "deb http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-${LLVM_VERSION} main" > /etc/apt/sources.list.d/apt.llvm.org.list &&\
-    wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key |  tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc &&\
-    apt update &&\
-    apt-get install -y clang-${LLVM_VERSION} lldb-${LLVM_VERSION} lld-${LLVM_VERSION} clangd-${LLVM_VERSION} clang-tidy-${LLVM_VERSION} clang-format-${LLVM_VERSION} clang-tools-${LLVM_VERSION} llvm-${LLVM_VERSION}-dev lld-${LLVM_VERSION} lldb-${LLVM_VERSION} llvm-${LLVM_VERSION}-tools libomp-${LLVM_VERSION}-dev libc++-${LLVM_VERSION}-dev libc++abi-${LLVM_VERSION}-dev libclang-common-${LLVM_VERSION}-dev libclang-${LLVM_VERSION}-dev libclang-cpp${LLVM_VERSION}-dev libunwind-${LLVM_VERSION}-dev libclang-rt-${LLVM_VERSION}-dev libpolly-${LLVM_VERSION}-dev
+    wget https://apt.llvm.org/llvm.sh &&\
+    chmod +x llvm.sh &&\
+    ./llvm.sh ${LLVM_VERSION}
+
 
 # Copy a dummy.rs and Cargo.toml first, so that dependencies are cached
 WORKDIR /libafl
@@ -39,6 +40,10 @@ COPY scripts/dummy.rs libafl_derive/src/lib.rs
 COPY libafl/Cargo.toml libafl/build.rs libafl/README.md libafl/
 COPY scripts/dummy.rs libafl/src/lib.rs
 
+# Set up LLVM aliases
+COPY scripts/createAliases.sh libafl/
+RUN bash libafl/createAliases.sh ${LLVM_VERSION}
+
 COPY libafl_bolts/Cargo.toml libafl_bolts/build.rs libafl_bolts/README.md libafl_bolts/
 COPY libafl_bolts/examples libafl_bolts/examples
 COPY scripts/dummy.rs libafl_bolts/src/lib.rs

fuzzers/fuzzbench/fuzzbench/src/lib.rs

@@ -310,7 +310,11 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/fuzzbench/fuzzbench_ctx/src/lib.rs

@@ -320,7 +320,11 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/fuzzbench/fuzzbench_fork_qemu/src/fuzzer.rs

@@ -313,7 +313,7 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/fuzzbench/fuzzbench_forkserver/src/main.rs

@@ -308,7 +308,7 @@ fn fuzz(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 

fuzzers/fuzzbench/fuzzbench_forkserver_cmplog/src/main.rs

@@ -308,7 +308,7 @@ fn fuzz(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 

fuzzers/fuzzbench/fuzzbench_qemu/src/fuzzer.rs

@@ -319,7 +319,7 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/fuzzbench/fuzzbench_text/src/lib.rs

@@ -380,7 +380,7 @@ fn fuzz_binary(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 
@@ -605,7 +605,7 @@ fn fuzz_text(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 

fuzzers/libpng/libfuzzer_libpng/src/lib.rs

@@ -150,7 +150,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/libpng/libfuzzer_libpng_cmin/src/lib.rs

@@ -150,7 +150,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/libpng/libfuzzer_libpng_tcp_manager/src/lib.rs

@@ -148,7 +148,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/others/cargo_fuzz/src/lib.rs

@@ -1,5 +1,6 @@
+#[allow(clippy::collapsible_if)]
 pub fn do_thing(data: &[u8]) {
-    if data.get(0) == Some(&b'a') {
+    if data.first() == Some(&b'a') {
         if data.get(1) == Some(&b'b') {
             if data.get(2) == Some(&b'c') {
                 if data.get(3) == Some(&b'd') {

fuzzers/others/dynamic_analysis/src/lib.rs

@@ -316,7 +316,11 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/others/libafl-fuzz/src/fuzzer.rs

@@ -14,8 +14,8 @@ use libafl::{
     mutators::{havoc_mutations, tokens_mutations, AFLppRedQueen, StdScheduledMutator, Tokens},
     observers::{CanTrack, HitcountsMapObserver, StdMapObserver, TimeObserver},
     schedulers::{
-        powersched::PowerSchedule, IndexesLenTimeMinimizerScheduler, QueueScheduler,
-        StdWeightedScheduler,
+        powersched::{BaseSchedule, PowerSchedule},
+        IndexesLenTimeMinimizerScheduler, QueueScheduler, StdWeightedScheduler,
     },
     stages::{
         mutational::MultiMutationalStage, CalibrationStage, ColorizationStage, IfStage,
@@ -183,7 +183,7 @@ where
         )
     };
     let mutational_stage = TimeTrackingStageWrapper::<FuzzTime, _, _>::new(inner_mutational_stage);
-    let strategy = opt.power_schedule.unwrap_or(PowerSchedule::EXPLORE);
+    let strategy = opt.power_schedule.unwrap_or(BaseSchedule::EXPLORE);
 
     // Create our ColorizationStage
     let colorization = ColorizationStage::new(&edges_observer);
@@ -195,8 +195,9 @@ where
     if opt.sequential_queue {
         scheduler = SupportedSchedulers::Queue(QueueScheduler::new(), PhantomData);
     } else {
+        let ps = PowerSchedule::new(strategy);
         let mut weighted_scheduler =
-            StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(strategy));
+            StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(ps));
         if opt.cycle_schedules {
             weighted_scheduler = weighted_scheduler.cycling_scheduler();
         }

fuzzers/others/libafl-fuzz/src/hooks.rs

@@ -10,12 +10,6 @@ pub struct LibAflFuzzEventHook {
     exit_on_solution: bool,
 }
 
-impl LibAflFuzzEventHook {
-    pub fn new(exit_on_solution: bool) -> Self {
-        Self { exit_on_solution }
-    }
-}
-
 impl<S> EventManagerHook<S> for LibAflFuzzEventHook
 where
     S: State + Stoppable,

fuzzers/others/libafl-fuzz/src/main.rs

@@ -25,7 +25,7 @@ use fuzzer::run_client;
 use libafl::{
     events::{CentralizedLauncher, EventConfig},
     monitors::MultiMonitor,
-    schedulers::powersched::PowerSchedule,
+    schedulers::powersched::BaseSchedule,
     Error,
 };
 use libafl_bolts::{
@@ -126,7 +126,7 @@ struct Opt {
     rng_seed: Option<u64>,
     /// power schedules compute a seed's performance score: explore(default), fast, exploit, seek, rare, mmopt, coe, lin
     #[arg(short = 'p')]
-    power_schedule: Option<PowerSchedule>,
+    power_schedule: Option<BaseSchedule>,
     /// enable `CmpLog` by specifying a binary compiled for it.
     #[arg(short = 'c')]
     cmplog: Option<String>,

fuzzers/others/libfuzzer_windows_asan/src/lib.rs

@@ -117,7 +117,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/others/tutorial/src/lib.rs

@@ -135,7 +135,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = PacketLenMinimizerScheduler::new(
         &edges_observer,
-        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/qemu/qemu_launcher/src/instance.rs

@@ -127,7 +127,7 @@ impl<'a, M: Monitor> Instance<'a, M> {
         // A minimization+queue policy to get testcasess from the corpus
         let scheduler = IndexesLenTimeMinimizerScheduler::new(
             &edges_observer,
-            PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+            PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
         );
 
         let observers = tuple_list!(edges_observer, time_observer);

libafl/src/executors/forkserver.rs

@@ -309,6 +309,7 @@ impl Forkserver {
         memlimit: u64,
         is_persistent: bool,
         is_deferred_frksrv: bool,
+        coverage_map_size: Option<usize>,
         debug_output: bool,
     ) -> Result<Self, Error> {
         Self::with_kill_signal(
@@ -320,6 +321,7 @@ impl Forkserver {
             memlimit,
             is_persistent,
             is_deferred_frksrv,
+            coverage_map_size,
             debug_output,
             KILL_SIGNAL_DEFAULT,
         )
@@ -338,15 +340,20 @@ impl Forkserver {
         memlimit: u64,
         is_persistent: bool,
         is_deferred_frksrv: bool,
+        coverage_map_size: Option<usize>,
         debug_output: bool,
         kill_signal: Signal,
     ) -> Result<Self, Error> {
+        let Some(coverage_map_size) = coverage_map_size else {
+            return Err(Error::unknown("Coverage map size unknown. Use coverage_map_size() to tell the forkserver about the map size."));
+        };
+
         if env::var("AFL_MAP_SIZE").is_err() {
             log::warn!("AFL_MAP_SIZE not set. If it is unset, the forkserver may fail to start up");
         }
 
         if env::var("__AFL_SHM_ID").is_err() {
-            log::warn!("__AFL_SHM_ID not set. It is necessary to set this env, otherwise the forkserver cannot communicate with the fuzzer");
+            return Err(Error::unknown("__AFL_SHM_ID not set. It is necessary to set this env, otherwise the forkserver cannot communicate with the fuzzer".to_string()));
         }
 
         let mut st_pipe = Pipe::new().unwrap();
@@ -366,6 +373,8 @@ impl Forkserver {
             .stdout(stdout)
             .stderr(stderr);
 
+        command.env("AFL_MAP_SIZE", format!("{coverage_map_size}"));
+
         // Persistent, deferred forkserver
         if is_persistent {
             command.env("__AFL_PERSISTENT", "1");
@@ -813,6 +822,7 @@ where
                 0,
                 self.is_persistent,
                 self.is_deferred_frksrv,
+                self.map_size,
                 self.debug_child,
                 self.kill_signal.unwrap_or(KILL_SIGNAL_DEFAULT),
             )?,
@@ -1515,6 +1525,7 @@ mod tests {
         let executor = ForkserverExecutor::builder()
             .program(bin)
             .args(args)
+            .coverage_map_size(MAP_SIZE)
             .debug_child(false)
             .shmem_provider(&mut shmem_provider)
             .build::<_, ()>(tuple_list!(edges_observer));

libafl/src/executors/inprocess_fork/mod.rs

@@ -366,6 +366,7 @@ pub mod child_signal_handlers {
 }
 
 #[cfg(test)]
+#[cfg(all(feature = "std", feature = "fork", unix))]
 mod tests {
     use libafl_bolts::tuples::tuple_list;
     use serial_test::serial;
@@ -378,7 +379,6 @@ mod tests {
     #[test]
     #[serial]
     #[cfg_attr(miri, ignore)]
-    #[cfg(all(feature = "std", feature = "fork", unix))]
     fn test_inprocessfork_exec() {
         use core::marker::PhantomData;
 

libafl/src/monitors/mod.rs

@@ -318,8 +318,11 @@ fn prettify_float(value: f64) -> String {
         value => (value, ""),
     };
     match value {
+        value if value >= 1000000.0 => {
+            format!("{value:.2}{suffix}")
+        }
         value if value >= 1000.0 => {
-            format!("{value}{suffix}")
+            format!("{value:.1}{suffix}")
         }
         value if value >= 100.0 => {
             format!("{value:.1}{suffix}")