Add MutatedTransform to the input type in TMinMutationalStage (#1251) #1971
Conversation
I'm not very sure about the modifications (three lines of code) in the second commit (12b3849). The
let before_len = input.len(); | ||
let before_len = base.len(); |
shouldn't this be input_transformed.len()?
This is one of the awkward places. The input_transformed is now of the wrapped type MutatedTransform<Input, State>. I think here we want the length of the internal input (if I understand correctly). If we use try_transform_into to get the internal input (so that we can call .len()), MutatedTransform<Input, State> will be consumed. But we still need to keep MutatedTransform<Input, State> to pass into the mutator.
ok got it
i think
already takes care of that post-operation right?
I think I'm not sure about the behavior of
No
It's not really insert it's
wait I got it. i think you should replace post.post_exec() with base_post.post_exec().
But the base is of type Input, not
Yeah, the replacement is happening out of the loop, but there is also a
Now I understand
Yes you are right
I think it's the same in index as before.
libafl/src/stages/tmin.rs (Outdated)
@@ -171,6 +182,7 @@ where | |||
fuzzer | |||
.scheduler_mut() | |||
.on_replace(state, base_corpus_idx, &prev)?; | |||
base_post.unwrap().post_exec(state, Some(base_corpus_idx))?; |
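Review bot: the added `base_post.unwrap()` panics if `base_post` is still `None` when the corpus entry is replaced; the stage should return an error instead, e.g. `base_post.ok_or_else(|| Error::empty_optional("..."))?.post_exec(state, Some(base_corpus_idx))?;`, so that a missing post surfaces as a recoverable `Error` rather than a crash of the fuzzer.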
can you try not to use unwrap() here?
OK, I have updated it.
Now it will return an error when the option is empty:

```rust
// perform the post operation for the new testcase, e.g. to update metadata.
// base_post should be updated along with the base (and is no longer None)
base_post
    .ok_or_else(|| Error::empty_optional("Failed to get the MutatedTransformPost"))?
    .post_exec(state, Some(base_corpus_idx))?;
```
@@ -134,6 +143,7 @@ where | |||
if feedback.is_interesting(state, manager, &input, observers, &exit_kind)? { | |||
// we found a reduced corpus entry! use the smaller base | |||
base = input; | |||
base_post = Some(post.clone()); |
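Review bot: the `post.clone()` on the added line deserves a one-line comment stating why it is a clone and not a move: `post` is still consumed by `post_exec` after this `if`, so the only alternatives are cloning here or restructuring the loop, and a reader of this line alone cannot tell that. If `MutatedTransformPost` can carry large metadata, the cost of this clone on every interesting reduction is also worth noting in that comment.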
is it possible to avoid this clone()?
The function MutatedTransformPost.post_exec consumes self. For example, the post is metadata, and its ownership is transferred to the metadata map in post_exec. So I guess it can't be avoided?
I think you could set a bool to true here and then do the base_post conversion and post_exec below, after calling post.post_exec
So do we still need to clone? I think the post object is no longer valid after post_exec, because it is consumed.
ooh...
Well I guess in that case there's not much we can do.
no i removed it
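The ownership question in the exchange above, as an added stand-alone illustration (not LibAFL code): a hypothetical `Post` whose `post_exec` takes `self`, a minimization loop that has to `clone()` the post it wants to keep as `base_post`, and a final `ok_or_else` that turns an empty option into an error instead of an `unwrap()`. `State`, `Post`, `minimize` and `is_interesting` are assumed names that mimic the shape of the discussion, not the crate's API.

```rust
// Added illustration, not LibAFL code: a stand-in for the ownership question
// discussed above. `post_exec` takes `self`, so a post that must also be kept
// as `base_post` for the reduced testcase has to be cloned, and the final
// `base_post` is an `Option` that becomes an error instead of an `unwrap()`.
#[derive(Clone, Debug, PartialEq)]
pub struct Post {
    pub meta: String,
}

#[derive(Debug, Default, PartialEq)]
pub struct State {
    pub metadata: Vec<String>,
}

impl Post {
    // Consumes self: ownership of `meta` moves into the state, as the
    // thread describes for MutatedTransformPost::post_exec.
    pub fn post_exec(self, state: &mut State) {
        state.metadata.push(self.meta);
    }
}

/// Hypothetical minimization loop: `attempts` are (mutated input, post) pairs
/// produced by the mutator, `is_interesting` stands in for the stage feedback.
pub fn minimize(
    state: &mut State,
    original: Vec<u8>,
    attempts: Vec<(Vec<u8>, Post)>,
    is_interesting: impl Fn(&[u8]) -> bool,
) -> Result<Vec<u8>, String> {
    let mut base = original;
    let mut base_post: Option<Post> = None;
    for (input, post) in attempts {
        if is_interesting(&input) && input.len() < base.len() {
            // we found a reduced corpus entry: keep the smaller base
            base = input;
            // `post` is still needed below, so it cannot be moved here
            base_post = Some(post.clone());
        }
        // every execution's post-operation runs, consuming `post`
        post.post_exec(state);
    }
    // replacement of the corpus entry happens after the loop; instead of
    // `unwrap()`, an empty option becomes an error
    base_post
        .ok_or_else(|| "Failed to get the MutatedTransformPost".to_string())?
        .post_exec(state);
    Ok(base)
}
```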
@am009
One issue is that there may be an inconsistency between the
I debugged the
i'm updating post
i don't understand why it runs execute() then later calls process_execution() for the second time. it's doing the same thing twice
Let me explain it further. For example,
But still, this is a helpful new approach to prevent the clone.
I think the
However, the tmin stage does not rely on the feedback of the fuzzer, but it has its own feedback (
Ok I see. Then it's fine with your code.
I thought this fuzzer.process_execution()'s purpose is to make sure that we don't actually increase the corpus. we process the execution then we can compare this later.
https://github.com/AFLplusplus/LibAFL/blob/main/fuzzers/baby_fuzzer_minimizing/src/main.rs#L42
In the
I think the feedback you referenced is for the first fuzzing step, not for the minimization stage. I think it is here, it sets the objective and feedback to LibAFL/fuzzers/baby_fuzzer_minimizing/src/main.rs Lines 134 to 137 in f0ee6e0
ok i see.
Looks good thank you 👍