Composing feedback (#85)

* composing feedbacks as logic operations and bump to 0.2

* adapt fuzzers and libafl_frida

* fix windows build

fuzzers/baby_fuzzer/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "baby_fuzzer"
-version = "0.1.0"
+version = "0.2.0"
 authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
 edition = "2018"
 

fuzzers/baby_fuzzer/src/main.rs

@@ -56,13 +56,13 @@ pub fn main() {
         StdRand::with_seed(current_nanos()),
         // Corpus that will be evolved, we keep it in memory for performance
         InMemoryCorpus::new(),
-        // Feedbacks to rate the interestingness of an input
-        tuple_list!(MaxMapFeedback::new_with_observer(&observer)),
+        // Feedback to rate the interestingness of an input
+        MaxMapFeedback::new_with_observer(&observer),
         // Corpus in which we store solutions (crashes in this example),
         // on disk so the user can get them after stopping the fuzzer
         OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
         // Feedbacks to recognize an input as solution
-        tuple_list!(CrashFeedback::new()),
+        CrashFeedback::new(),
     );
 
     // Setup a basic mutator with a mutational stage

fuzzers/frida_libpng/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "frida_libpng"
-version = "0.1.0"
+version = "0.2.0"
 authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
 edition = "2018"
 build = "build.rs"
@@ -25,7 +25,7 @@ libafl = { path = "../../libafl/", features = [ "std", "llmp_compression" ] } #,
 capstone = "0.8.0"
 frida-gum = { version = "0.4", git = "https://github.com/s1341/frida-rust", features = [ "auto-download", "event-sink", "invocation-listener"] }
 #frida-gum = { version = "0.4", path = "../../../frida-rust/frida-gum", features = [ "auto-download", "event-sink", "invocation-listener"] }
-libafl_frida = { path = "../../libafl_frida", version = "0.1.0" }
+libafl_frida = { path = "../../libafl_frida", version = "0.2.0" }
 lazy_static = "1.4.0"
 libc = "0.2"
 libloading = "0.7.0"

fuzzers/frida_libpng/src/fuzzer.rs

@@ -12,6 +12,7 @@ use libafl::{
         inprocess::InProcessExecutor, timeout::TimeoutExecutor, Executor, ExitKind, HasExecHooks,
         HasExecHooksTuple, HasObservers, HasObserversHooks,
     },
+    feedback_or,
     feedbacks::{CrashFeedback, MaxMapFeedback, TimeoutFeedback},
     fuzzer::{Fuzzer, StdFuzzer},
     inputs::{HasTargetBytes, Input},
@@ -276,17 +277,13 @@ unsafe fn fuzz(
             // Corpus that will be evolved, we keep it in memory for performance
             InMemoryCorpus::new(),
             // Feedbacks to rate the interestingness of an input
-            tuple_list!(MaxMapFeedback::new_with_observer_track(
-                &edges_observer,
-                true,
-                false
-            )),
+            MaxMapFeedback::new_with_observer_track(&edges_observer, true, false),
             // Corpus in which we store solutions (crashes in this example),
             // on disk so the user can get them after stopping the fuzzer
             OnDiskCorpus::new_save_meta(objective_dir, Some(OnDiskMetadataFormat::JsonPretty))
                 .unwrap(),
             // Feedbacks to recognize an input as solution
-            tuple_list!(
+            feedback_or!(
                 CrashFeedback::new(),
                 TimeoutFeedback::new(),
                 AsanErrorsFeedback::new()

fuzzers/libfuzzer_libmozjpeg/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "libfuzzer_libmozjpeg"
-version = "0.1.0"
+version = "0.2.0"
 authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
 edition = "2018"
 

fuzzers/libfuzzer_libmozjpeg/src/lib.rs

@@ -8,6 +8,7 @@ use libafl::{
     corpus::{Corpus, InMemoryCorpus, OnDiskCorpus, RandCorpusScheduler},
     events::setup_restarting_mgr_std,
     executors::{inprocess::InProcessExecutor, ExitKind},
+    feedback_or,
     feedbacks::{CrashFeedback, MaxMapFeedback},
     fuzzer::{Fuzzer, StdFuzzer},
     mutators::scheduled::{havoc_mutations, StdScheduledMutator},
@@ -76,7 +77,7 @@ fn fuzz(corpus_dirs: Vec<PathBuf>, objective_dir: PathBuf, broker_port: u16) ->
             // Corpus that will be evolved, we keep it in memory for performance
             InMemoryCorpus::new(),
             // Feedbacks to rate the interestingness of an input
-            tuple_list!(
+            feedback_or!(
                 MaxMapFeedback::new_with_observer(&edges_observer),
                 MaxMapFeedback::new_with_observer(&cmps_observer),
                 MaxMapFeedback::new_with_observer(&allocs_observer)
@@ -85,7 +86,7 @@ fn fuzz(corpus_dirs: Vec<PathBuf>, objective_dir: PathBuf, broker_port: u16) ->
             // on disk so the user can get them after stopping the fuzzer
             OnDiskCorpus::new(objective_dir).unwrap(),
             // Feedbacks to recognize an input as solution
-            tuple_list!(CrashFeedback::new()),
+            CrashFeedback::new(),
         )
     });
 

fuzzers/libfuzzer_libpng/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "libfuzzer_libpng"
-version = "0.1.0"
+version = "0.2.0"
 authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
 edition = "2018"
 

fuzzers/libfuzzer_libpng/src/lib.rs

@@ -12,6 +12,7 @@ use libafl::{
     },
     events::{setup_restarting_mgr_std, EventManager},
     executors::{inprocess::InProcessExecutor, ExitKind, TimeoutExecutor},
+    feedback_or,
     feedbacks::{CrashFeedback, MaxMapFeedback, TimeFeedback, TimeoutFeedback},
     fuzzer::{Fuzzer, StdFuzzer},
     mutators::scheduled::{havoc_mutations, StdScheduledMutator},
@@ -76,15 +77,15 @@ fn fuzz(corpus_dirs: Vec<PathBuf>, objective_dir: PathBuf, broker_port: u16) ->
             // Corpus that will be evolved, we keep it in memory for performance
             InMemoryCorpus::new(),
             // Feedbacks to rate the interestingness of an input
-            tuple_list!(
+            feedback_or!(
                 MaxMapFeedback::new_with_observer_track(&edges_observer, true, false),
                 TimeFeedback::new()
             ),
             // Corpus in which we store solutions (crashes in this example),
             // on disk so the user can get them after stopping the fuzzer
             OnDiskCorpus::new(objective_dir).unwrap(),
             // Feedbacks to recognize an input as solution
-            tuple_list!(CrashFeedback::new(), TimeoutFeedback::new()),
+            feedback_or!(CrashFeedback::new(), TimeoutFeedback::new()),
         )
     });
 

fuzzers/libfuzzer_stb_image/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "libfuzzer_stb_image"
-version = "0.1.0"
+version = "0.2.0"
 authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
 edition = "2018"
 build = "build.rs"

fuzzers/libfuzzer_stb_image/src/main.rs

@@ -11,6 +11,7 @@ use libafl::{
     },
     events::setup_restarting_mgr_std,
     executors::{inprocess::InProcessExecutor, ExitKind},
+    feedback_or,
     feedbacks::{CrashFeedback, MaxMapFeedback, TimeFeedback},
     fuzzer::{Fuzzer, StdFuzzer},
     mutators::scheduled::{havoc_mutations, StdScheduledMutator},
@@ -73,15 +74,15 @@ fn fuzz(corpus_dirs: Vec<PathBuf>, objective_dir: PathBuf, broker_port: u16) ->
             // Corpus that will be evolved, we keep it in memory for performance
             InMemoryCorpus::new(),
             // Feedbacks to rate the interestingness of an input
-            tuple_list!(
+            feedback_or!(
                 MaxMapFeedback::new_with_observer_track(&edges_observer, true, false),
                 TimeFeedback::new()
             ),
             // Corpus in which we store solutions (crashes in this example),
             // on disk so the user can get them after stopping the fuzzer
             OnDiskCorpus::new(objective_dir).unwrap(),
-            // Feedbacks to recognize an input as solution
-            tuple_list!(CrashFeedback::new()),
+            // Feedback to recognize an input as solution
+            CrashFeedback::new(),
         )
     });
 

libafl/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "libafl"
-version = "0.1.0"
+version = "0.2.0"
 authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
 description = "Slot your own fuzzers together and extend their features using Rust"
 documentation = "https://docs.rs/libafl"

libafl/src/corpus/testcase.rs

@@ -23,8 +23,6 @@ where
     input: Option<I>,
     /// Filename, if this testcase is backed by a file in the filesystem
     filename: Option<String>,
-    /// Accumulated fitness from all the feedbacks
-    fitness: u32,
     /// Map of metadata associated with this testcase
     metadata: SerdeAnyMap,
     /// Time needed to execute the input
@@ -120,24 +118,6 @@ where
         self.filename = Some(filename);
     }
 
-    /// Get the fitness
-    #[inline]
-    pub fn fitness(&self) -> u32 {
-        self.fitness
-    }
-
-    /// Get the fitness (mutable)
-    #[inline]
-    pub fn fitness_mut(&mut self) -> &mut u32 {
-        &mut self.fitness
-    }
-
-    /// Set the fitness
-    #[inline]
-    pub fn set_fitness(&mut self, fitness: u32) {
-        self.fitness = fitness;
-    }
-
     /// Get the execution time of the testcase
     pub fn exec_time(&self) -> &Option<Duration> {
         &self.exec_time
@@ -157,7 +137,6 @@ where
         Testcase {
             input: Some(input.into()),
             filename: None,
-            fitness: 0,
             metadata: SerdeAnyMap::new(),
             exec_time: None,
             cached_len: None,
@@ -170,20 +149,6 @@ where
         Testcase {
             input: Some(input),
             filename: Some(filename),
-            fitness: 0,
-            metadata: SerdeAnyMap::new(),
-            exec_time: None,
-            cached_len: None,
-        }
-    }
-
-    /// Create a new Testcase instace given an input and a fitness
-    #[inline]
-    pub fn with_fitness(input: I, fitness: u32) -> Self {
-        Testcase {
-            input: Some(input),
-            filename: None,
-            fitness,
             metadata: SerdeAnyMap::new(),
             exec_time: None,
             cached_len: None,
@@ -195,7 +160,6 @@ where
         Testcase {
             input: None,
             filename: None,
-            fitness: 0,
             metadata: SerdeAnyMap::new(),
             exec_time: None,
             cached_len: None,

libafl/src/events/llmp.rs

@@ -292,11 +292,10 @@ where
 
                 let observers: OT = postcard::from_bytes(&observers_buf)?;
                 // TODO include ExitKind in NewTestcase
-                let fitness = state.is_interesting(&input, &observers, &ExitKind::Ok)?;
-                if fitness > 0
-                    && state
-                        .add_if_interesting(&input, fitness, scheduler)?
-                        .is_some()
+                let is_interesting = state.is_interesting(&input, &observers, &ExitKind::Ok)?;
+                if state
+                    .add_if_interesting(&input, is_interesting, scheduler)?
+                    .is_some()
                 {
                     #[cfg(feature = "std")]
                     println!("Added received Testcase");