Add MutatedTransform to the input type in TMinMutationalStage (#1251)
#1971
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| //! The [`TMinMutationalStage`] is a stage which will attempt to minimize corpus entries. | ||
|
|
||
| use alloc::string::{String, ToString}; | ||
| use core::{borrow::BorrowMut, fmt::Debug, hash::Hash, marker::PhantomData}; | ||
|
|
||
| use ahash::RandomState; | ||
| use libafl_bolts::{HasLen, Named}; | ||
|
|
@@ -16,7 +16,10 @@ use crate::{ | |
| mutators::{MutationResult, Mutator}, | ||
| observers::{MapObserver, ObserversTuple}, | ||
| schedulers::{RemovableScheduler, Scheduler}, | ||
| stages::{ | ||
| mutational::{MutatedTransform, MutatedTransformPost}, | ||
| ExecutionCountRestartHelper, Stage, | ||
| }, | ||
| start_timer, | ||
| state::{ | ||
| HasCorpus, HasCurrentTestcase, HasExecutions, HasMaxSize, HasMetadata, HasSolutions, State, | ||
|
|
@@ -30,7 +33,7 @@ use crate::{monitors::PerfFeature, state::HasClientPerfMonitor}; | |
| /// Mutational stage which minimizes corpus entries. | ||
| /// | ||
| /// You must provide at least one mutator that actually reduces size. | ||
| pub trait TMinMutationalStage<CS, E, EM, F1, F2, I, IP, M, OT, Z>: | ||
| Stage<E, EM, Z> + FeedbackFactory<F2, CS::State, OT> | ||
| where | ||
| Self::State: HasCorpus + HasSolutions + HasExecutions + HasMaxSize, | ||
|
|
@@ -40,12 +43,14 @@ where | |
| EM: EventFirer<State = Self::State>, | ||
| F1: Feedback<Self::State>, | ||
| F2: Feedback<Self::State>, | ||
| M: Mutator<I, Self::State>, | ||
| OT: ObserversTuple<CS::State>, | ||
| Z: ExecutionProcessor<OT, State = Self::State> | ||
| + ExecutesInput<E, EM> | ||
| + HasFeedback<Feedback = F1> | ||
| + HasScheduler<Scheduler = CS>, | ||
| IP: MutatedTransformPost<Self::State> + Clone, | ||
| I: MutatedTransform<Self::Input, Self::State, Post = IP> + Clone, | ||
| { | ||
| /// The mutator registered for this stage | ||
| fn mutator(&self) -> &M; | ||
|
|
@@ -77,7 +82,10 @@ where | |
| - usize::try_from(self.execs_since_progress_start(state)?).unwrap(); | ||
|
|
||
| start_timer!(state); | ||
| let transformed = I::try_transform_from(state.current_testcase_mut()?.borrow_mut(), state)?; | ||
| let mut base = state.current_input_cloned()?; | ||
| // potential post operation if base is replaced by a shorter input | ||
| let mut base_post = None; | ||
| let base_hash = RandomState::with_seeds(0, 0, 0, 0).hash_one(&base); | ||
| mark_feature_time!(state, PerfFeature::GetInputFromCorpus); | ||
|
|
||
|
|
@@ -93,20 +101,21 @@ where | |
| } | ||
|
|
||
| let mut next_i = i + 1; | ||
| let mut input_transformed = transformed.clone(); | ||
|
|
||
| let before_len = base.len(); | ||
|
|
||
| state.set_max_size(before_len); | ||
|
|
||
| start_timer!(state); | ||
| let mutated = self.mutator_mut().mutate(state, &mut input_transformed)?; | ||
| mark_feature_time!(state, PerfFeature::Mutate); | ||
|
|
||
| if mutated == MutationResult::Skipped { | ||
| continue; | ||
| } | ||
|
|
||
| let (input, post) = input_transformed.try_transform_into(state)?; | ||
| let corpus_idx = if input.len() < before_len { | ||
| // run the input | ||
| let exit_kind = fuzzer.execute_input(state, executor, manager, &input)?; | ||
|
|
@@ -134,6 +143,7 @@ where | |
| if feedback.is_interesting(state, manager, &input, observers, &exit_kind)? { | ||
| // we found a reduced corpus entry! use the smaller base | ||
| base = input; | ||
| base_post = Some(post.clone()); | ||
|
There was a problem hiding this comment. is it possible to avoid this clone() ? There was a problem hiding this comment. The function There was a problem hiding this comment. I think you could set a bool to There was a problem hiding this comment. So do we still need to clone? I think the post object is no longer valid after post_exec, because it is comsumed. There was a problem hiding this comment. ooh... |
||
|
|
||
| // do more runs! maybe we can minify further | ||
| next_i = 0; | ||
|
|
@@ -149,6 +159,7 @@ where | |
|
|
||
| start_timer!(state); | ||
| self.mutator_mut().post_exec(state, corpus_idx)?; | ||
| post.post_exec(state, corpus_idx)?; | ||
| mark_feature_time!(state, PerfFeature::MutatePostExec); | ||
|
|
||
| i = next_i; | ||
|
|
@@ -171,6 +182,11 @@ where | |
| fuzzer | ||
| .scheduler_mut() | ||
| .on_replace(state, base_corpus_idx, &prev)?; | ||
| // perform the post operation for the new testcase, e.g. to update metadata. | ||
| // base_post should be updated along with the base (and is no longer None) | ||
| base_post | ||
| .ok_or_else(|| Error::empty_optional("Failed to get the MutatedTransformPost"))? | ||
| .post_exec(state, Some(base_corpus_idx))?; | ||
| } | ||
|
|
||
| state.set_max_size(orig_max_size); | ||
|
|
@@ -184,7 +200,7 @@ where | |
|
|
||
| /// The default corpus entry minimising mutational stage | ||
| #[derive(Clone, Debug)] | ||
| pub struct StdTMinMutationalStage<CS, E, EM, F1, F2, FF, I, IP, M, OT, Z> { | ||
| /// The mutator(s) this stage uses | ||
| mutator: M, | ||
| /// The factory | ||
|
|
@@ -194,22 +210,24 @@ pub struct StdTMinMutationalStage<CS, E, EM, F1, F2, FF, M, OT, Z> { | |
| /// The progress helper for this stage, keeping track of resumes after timeouts/crashes | ||
| restart_helper: ExecutionCountRestartHelper, | ||
| #[allow(clippy::type_complexity)] | ||
| phantom: PhantomData<(CS, E, EM, F1, F2, I, IP, OT, Z)>, | ||
| } | ||
|
|
||
| impl<CS, E, EM, F1, F2, FF, I, IP, M, OT, Z> UsesState | ||
| for StdTMinMutationalStage<CS, E, EM, F1, F2, FF, I, IP, M, OT, Z> | ||
| where | ||
| CS: Scheduler, | ||
| M: Mutator<I, CS::State>, | ||
| Z: ExecutionProcessor<OT, State = CS::State>, | ||
| CS::State: HasCorpus, | ||
| IP: MutatedTransformPost<CS::State> + Clone, | ||
| I: MutatedTransform<CS::Input, CS::State, Post = IP> + Clone, | ||
| { | ||
| type State = CS::State; | ||
| } | ||
|
|
||
| impl<CS, E, EM, F1, F2, FF, I, IP, M, OT, Z> Stage<E, EM, Z> | ||
| for StdTMinMutationalStage<CS, E, EM, F1, F2, FF, I, IP, M, OT, Z> | ||
| where | ||
| CS: Scheduler + RemovableScheduler, | ||
| CS::State: HasCorpus + HasSolutions + HasExecutions + HasMaxSize + HasCorpus + HasMetadata, | ||
|
|
@@ -219,12 +237,14 @@ where | |
| F1: Feedback<CS::State>, | ||
| F2: Feedback<CS::State>, | ||
| FF: FeedbackFactory<F2, CS::State, OT>, | ||
| M: Mutator<I, CS::State>, | ||
| OT: ObserversTuple<CS::State>, | ||
| Z: ExecutionProcessor<OT, State = CS::State> | ||
| + ExecutesInput<E, EM> | ||
| + HasFeedback<Feedback = F1> | ||
| + HasScheduler<Scheduler = CS>, | ||
| IP: MutatedTransformPost<CS::State> + Clone, | ||
| I: MutatedTransform<CS::Input, CS::State, Post = IP> + Clone, | ||
| { | ||
| fn perform( | ||
| &mut self, | ||
|
|
@@ -250,8 +270,8 @@ where | |
| } | ||
| } | ||
|
|
||
| impl<CS, E, EM, F1, F2, FF, I, IP, M, OT, Z> FeedbackFactory<F2, Z::State, OT> | ||
| for StdTMinMutationalStage<CS, E, EM, F1, F2, FF, I, IP, M, OT, Z> | ||
| where | ||
| F2: Feedback<Z::State>, | ||
| FF: FeedbackFactory<F2, Z::State, OT>, | ||
|
|
@@ -262,8 +282,8 @@ where | |
| } | ||
| } | ||
|
|
||
| impl<CS, E, EM, F1, F2, FF, I, IP, M, OT, Z> TMinMutationalStage<CS, E, EM, F1, F2, I, IP, M, OT, Z> | ||
| for StdTMinMutationalStage<CS, E, EM, F1, F2, FF, I, IP, M, OT, Z> | ||
| where | ||
| CS: Scheduler + RemovableScheduler, | ||
| E: HasObservers<Observers = OT, State = CS::State> + Executor<EM, Z>, | ||
|
|
@@ -272,13 +292,15 @@ where | |
| F2: Feedback<CS::State>, | ||
| FF: FeedbackFactory<F2, CS::State, OT>, | ||
| <CS::State as UsesInput>::Input: HasLen + Hash, | ||
| M: Mutator<I, CS::State>, | ||
| OT: ObserversTuple<CS::State>, | ||
| CS::State: HasCorpus + HasSolutions + HasExecutions + HasMaxSize + HasMetadata, | ||
| Z: ExecutionProcessor<OT, State = CS::State> | ||
| + ExecutesInput<E, EM> | ||
| + HasFeedback<Feedback = F1> | ||
| + HasScheduler<Scheduler = CS>, | ||
| IP: MutatedTransformPost<CS::State> + Clone, | ||
| I: MutatedTransform<CS::Input, CS::State, Post = IP> + Clone, | ||
| { | ||
| /// The mutator, added to this stage | ||
| #[inline] | ||
|
|
@@ -302,12 +324,15 @@ where | |
| } | ||
| } | ||
|
|
||
| impl<CS, E, EM, F1, F2, FF, I, IP, M, OT, Z> | ||
| StdTMinMutationalStage<CS, E, EM, F1, F2, FF, I, IP, M, OT, Z> | ||
| where | ||
| CS: Scheduler, | ||
| M: Mutator<I, CS::State>, | ||
| Z: ExecutionProcessor<OT, State = CS::State>, | ||
| CS::State: HasCorpus, | ||
| IP: MutatedTransformPost<CS::State> + Clone, | ||
| I: MutatedTransform<CS::Input, CS::State, Post = IP> + Clone, | ||
| { | ||
| /// Creates a new minimizing mutational stage that will minimize provided corpus entries | ||
| pub fn new(mutator: M, factory: FF, runs: usize) -> Self { | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't this be input_transformed.len()?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is one of the awkward places.
The
input_transformedis now of the wrapped typeMutatedTransform<Input, State>. I think here we want the length of the internal input (if I understand correctly). If we usetry_transform_intoto get the internal input (so that we can call.len()),MutatedTransform<Input, State>will be consumed. But we still need to keepMutatedTransform<Input, State>to pass into the mutator.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok got it