* squash libfuzzer edits
* fixup: compat with custom mutators
* use tui flag
* add introspection support
* use libfuzzer dep now that we've merged
* force input loading
* some fixes
* begin docs, impl shrink
* make whole-archive conditional and not default
* make more copies of counters maps
* lol, remember to add the observer
* make size edge map observer an observer
* fixup: make def of run driver conditional
* add sanity checks for insertion
* revert silencing of forks
* add experimental tmin support; add default asan flags
* use default options instead of specifying our own
* implement lockless mode
* fix merge
* fixup lockless corpus
* fixup for generalisation
* remove erroneous drop_in_place
* improve error logging in the case of corpus loading failure
* ok, use lock files 😔
* fix tmin
* implement merge (again); fix rare cases with maps being too small
* implement a scheduler for removing excess
* implement a walking strategy for corpus loading for large corpora
* revert filename parameter; rename and remove duplicates
* various cleanup and clippy satisfaction
* fix no_std tests
* clang-format
* expand and satisfy the clippy gods
* fix sanitizer_ifaces bindgen for no_std
* fix wasm fuzzer
* fixup clippy script
* rename and provide a small amount of explanation for sanitizer_interfaces
* fixup: HasLastReportTime
* fix clippy oddities
* restrict clippy checks to linux-only for libafl_libfuzzer_runtime
* name the mutators
* format
* fix clippy warning
* hope docker is fixed
* fix cmin lint
* clippy pass
* more docs
* more clippy
* fix remaining clippy complaints
* fix import
* miri fixes (no constructors executed)
* exclude libafl_libfuzzer from cargo-hack
* fix clippy check for sanitizer_interfaces
* fmt
* fix CI (?)
* deduplicate sancov 8bit for improved perf on ASAN
* merge 8bit coverage regions + comment out insane deduplication
* no erroring out on free hooks
* fixup for non-forking merge
* skip the corpus dir if we use it
* fixup: recent libafl changes and feature flags
* libafl_libfuzzer: use rust-lld for whole-archive feature
* clarify cause of failure
* mark unsafe
* clippy :cursed_cowboy:
* attempt to fix wasm
* spooky unknowable bug 👻
* more clippy lints
* clippy fix for merge
* use the version pin
* add unsafe to ::register
* Serdeany autoreg fix
* make type assert actionable
* miri fixes
---------
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: Dominik Maier <dmnk@google.com>
Co-authored-by: Mrmaxmeier <Mrmaxmeier@gmail.com>
* More less default
* More clippy
* updated rangemap
* Clean up depencdencies
* Undo accidental remove
* Fix
* trying to fix qemu build
* hexagon be gone
* Change executor trait to allow \&mut Input
* Add mut inprocess executor
* Add mut inprocess executor
* Format and fix clippy errors
* Fix more clippy errors
* Revert accidental refactoring of InMemoryCorpus
* Add mut versions of all executors that can support it
* Do not persist possible testcase mutation in stages, shadow/differential executors, or corpus minimization
* Fix missing imports
* Fix executor type for missed qemu items
* Add re-exports for mut executors
* Use InProcessForkExecutorMut in QemuForkExecutorMut
* Update BytesInput harnesses to take mutable references
* Update other-input-type-taking harnesses to take mut references
* Clippy fixes
* Feature gate TryFromIntError import
* Fix missed harness input type in baby_fuzzer
* Fix additional clippy issues
* Fix unnecessary hashes on string literal
* Even MORE clippy fixes
* Fix one more clippy issue
---------
Co-authored-by: Dongjia "toka" Zhang <tokazerkje@outlook.com>
* Associated types for Corpus, State
* cleanup
* fix no_std
* drop unused clauses
* Corpus
* cleanup
* adding things
* fixed fuzzer
* remove phantom data
* python
* progress?
* more more
* oof
* wow it builds?
* python fixes, tests
* fix python fun
* black fmt for python
* clippy, added Nop things
* fixes
* fix merge
* make it compile (#836)
* doc-test fixes, prelude-b-gone for cargo-hack compat
* fixes for windows, concolic
* really fix windows, maybe
* imagine using windows
* ...
* elide I generic when used with S: State
* Elide many, many generics, but at what cost?
* progress on push
* Constraint HasCorpus, HasSolutions at trait definition
* remove unused feature
* remove unstable usage since we constrained HasCorpus at definition
* compiled, but still no type inference for MaxMapFeedback
* cleanup inprocess
* resolve some std conflicts
* simplify map
* undo unnecessary cfg specification
* fix breaking test case for CI on no-std
* fix concolic build failures
* fix macos build
* fixes for windows build
* timeout fixes for windows build
* fix pybindings issues
* fixup qemu
* fix outstanding local build issues
* maybe fix windows inprocess
* doc fixes
* unbridled fury
* de-associate State from Feedback, replace with generic as AT inference is not sufficient to derive specialisation for MapFeedback
* merge update
* refactor + speed up fuzzer builds by sharing build work
* cleanup lingering compiler errors
* lol missed one
* revert QEMU-Nyx change, not sure how I did that
* move HasInput to inputs
* HasInput => KnowsInput
* update bounds to enforce via associated types
* disentangle observers with fuzzer
* revert --target; update some fuzzers to match new API
* resolve outstanding fuzzer build blockers (that I can run on my system)
* fixes for non-linux unixes
* fix for windows
* Knows => Uses, final fixes for windows
* <guttural screaming>
* fixes for concolic
* loosen bound for frida executor so windows builds correctly
* cleanup generics for eventmanager/eventprocessor to drop observers requirement
* improve inference over fuzz_one and friends
* update migration notes
* fixes for python bindings
* fixes for generic counts in event managers
* finish migration notes
* post-merge fix
Co-authored-by: Addison Crump <addison.crump@cispa.de>
* DifferentialExecutor for CommandExecutor along with StdIO observer
* format
* fix CI issues
* fix format and unit test
* fix documentation
* allow three structs and doc only for linux
* resolve documentation test failure
* minor
* running fmt_all.sh
* into_executor() takes 4 params, not just 1
Co-authored-by: Dominik Maier <domenukk@gmail.com>
* build fuzzers with shared cargo target dir
* Make external build scripts aware of CARGO_TARGET_DIR
* fix libmozjpeg fuzzer with shared target dir
* fix cargo-make default value for CARGO_TARGET_DIR
* avoid ./ in cargo-make for windows compat
* CI: cargo-hack's --feature-powerset is too powerful
* fuzzer_concolic: support CARGO_TARGET_DIR
* ci: install z3 to avoid building from source
* ci: update actions
* ci: test nightly features with nightly rust
* test_all_fuzzers: try pruning more compilation artifacts
* ci: fix nightly feature check
* ci: apply rust-cache action after checkout (d'oh)
The rust-cache action populates the checkout directory, which is promply
deleted by the checkout action during checkout.. whoops!
* fix compilation of runtime of concolic example fuzzer
* fix compilation of example fuzzer
* fix incorrect traced target configuration
this would lead to the runtime never tracing any expressions.
failed to specifiy the input file name for the runtime to know what to symbolize
* add ability to specify whether a node should do concolic or traditional
* slightly more realistic concolic solving by using solver timeout
* enable expression pruning
* create a separate crate for symcc url and commit hash
also contains functions to checkout and build symcc from a build script
* fix dockerfile
* clippy
* add stub runtime that links with symcc common runtime code
* implement tracing runtime to generate message file
* move ShMemCursor to libafl proper
* qualify enum imports to make clippy happy
* fix warnings
* formatting
* update symcc submodule to point to AFL++ org repo
* fix naming of ShMemCursor and remove std requirement
* ensure runtime is named correctly after compilation
* add devcontainer files for easier development
(will be removed later)
* move rust nightly install into devcontainer.json
this makes it run after the container has been built
* dev container: install recommended packages
* switch to building rust runtime from SymCC cmake
* install corrosion in dev container for cmake-cargo integration
* add smoke test for symcc-runtime integration
* update symcc submodule
* add rustfmt to devcontainer
* properly mark the end of a constraint trace
Using a special "End" message
* small tool to dump constraints from a traced process
* extend smoke test to include parsing & printing of constraints
* update symcc submodule
* first draft of expression filters for concolic
* fix type in runtime method name
* update symcc submodule
* implement extensions to serdeany map:
* remove -> Option<T>
* insert_boxed(Box<T>) (avoids allocation if value is already boxed)
* implement std::io::Seek for ShMemCursor
* implement framing for in-memory traces
this allows to efficiently get the length of trace.
this is important for efficiently copying the trace out of the shared
memory region.
* fix for serdeany map
* fuzzer that associates concolic traces with test
case
* ensure runtime can handle 0-expressions
* move metadata, observer and feedback into separate files
* convert executor to command executor and move to separate file
* refactoring and streamlining
* move panic mode configuration to cmake script
* compile cmake from source, because debians version is too old.........
* use separate stage for tracing
* fix dockerfile
* move runtime into the workspace
using prior work on compilation flags from cmake
* actually make use of selective symbolication filter
* update to support latest symcc changes
* implement hitmap for concolic runtime
* clippy
* implement selective symbolization and coverage map for dump_constraints tool
* use concolic runtime coverage for concolic fuzzer feedback
* actually kill process on timeout
* be extra careful after killing process
* increase command executor busy wait to 5ms
* implement concolic tracing stage
* address naming issue
* implement floating point expression filter for runtime
* rename expression filters to be less verbose
* implement expression pruning
* implement ConcolicMutationalStage
* refactor command executor and remove busy loop
* implement generic command executor
* remove debug prints
* refactor + documentation
* refactor
* add stub runtime that links with symcc common runtime code
* implement tracing runtime to generate message file
* move ShMemCursor to libafl proper
* qualify enum imports to make clippy happy
* fix warnings
* formatting
* update symcc submodule to point to AFL++ org repo
* fix naming of ShMemCursor and remove std requirement
* ensure runtime is named correctly after compilation
* add devcontainer files for easier development
(will be removed later)
* move rust nightly install into devcontainer.json
this makes it run after the container has been built
* dev container: install recommended packages
* switch to building rust runtime from SymCC cmake
* install corrosion in dev container for cmake-cargo integration
* add smoke test for symcc-runtime integration
* update symcc submodule
* add rustfmt to devcontainer
* properly mark the end of a constraint trace
Using a special "End" message
* small tool to dump constraints from a traced process
* extend smoke test to include parsing & printing of constraints
* update symcc submodule
* first draft of expression filters for concolic
* fix type in runtime method name
* update symcc submodule
* implement extensions to serdeany map:
* remove -> Option<T>
* insert_boxed(Box<T>) (avoids allocation if value is already boxed)
* implement std::io::Seek for ShMemCursor
* implement framing for in-memory traces
this allows to efficiently get the length of trace.
this is important for efficiently copying the trace out of the shared
memory region.
* fix for serdeany map
* fuzzer that associates concolic traces with test
case
* ensure runtime can handle 0-expressions
* move metadata, observer and feedback into separate files
* convert executor to command executor and move to separate file
* refactoring and streamlining
* move panic mode configuration to cmake script
* compile cmake from source, because debians version is too old.........
* use separate stage for tracing
* fix dockerfile
* move runtime into the workspace
using prior work on compilation flags from cmake
* actually make use of selective symbolication filter
* update to support latest symcc changes
* implement hitmap for concolic runtime
* clippy
* implement selective symbolization and coverage map for dump_constraints tool
* use concolic runtime coverage for concolic fuzzer feedback
* actually kill process on timeout
* be extra careful after killing process
* increase command executor busy wait to 5ms
* implement concolic tracing stage
* address naming issue
* implement floating point expression filter for runtime
* rename expression filters to be less verbose
* implement expression pruning
* implement ConcolicMutationalStage
* refactor command executor and remove busy loop
* implement generic command executor
* remove debug prints
* refactor + documentation
* refactor
* fixed build, clippy
* no_std
* implement WithObservers executor as discussed
* add symqemu as a submodule
* fix symqemu submodule URL to be relative
* update the concolic runtime to match the new interface
* update the trace file header regularly to save constraints in case the program crashes
* add build dependencies for symqemu
* handle full mesage buffer properly
* better policy for updating trace header
* less aggregiously inefficient GC information serialization
* move concolic runtime hitmap count to filter
this is in preparation for the new runtime interface
* very WIP new runtime interface
* use more convenient types in rust runtime
* EmptyRuntime -> NopRuntime
* hide cpp_runtime and formatting
* implement tracing runtime using new runtime interface
* implement filters with new runtime interface
* use a local checkout for symcc_runtime
* make test runtime tracing
* use test_runtime in smoke test
* fix formatting
* make the clippy overlord happy?
* disable symcc build on everything but linux
* make more of symcc_runtime linux only
* fix linking symcc_runtime with C++ stdlib
* will clippy ever be happy?
* formatting
* don't export symcc runtime when compiling tests
* clippy...
* "don't export symcc runtime when compiling tests" for runtime crate as well
* clippy
* move command executor to LibAFL
* move concolic crate into LibAFL
* move concolic{metada,observer} into LibAFL
* move ConcolicFeedback into LibAFL
* move ConolicStage into LibAFL
* fix bug in symcc part of concolic runtime
* stb_image fuzzer with concolic as example fuzzer
* clean up basic_concolic_fuzzer
* clean up and document concolic example fuzzer
* formatting
* clippy
* remove basic_concolic_fuzzer (it is now part of the examples)
* remove the runtime crate in favor of symcc_runtime
* re-architect concolic smoke test and remove git submodules
* remove old submodule directories
* make coverage filter public
* focker docker build
* clippy
* clippy fixes
* fix ubuntu as well
* remove .gitmodules
* move concolic mutational stage into libafl behind feature flag
* script to install dependencies for concolic smoke test
* fix bug
* clippy
* add github action to run smoke test
* fix action
* ensure smoke test is run in correct directory
* remove devcontainer files
* address feedback
* clippy
* more clippy
* address more feedback
Co-authored-by: Dominik Maier <domenukk@gmail.com>
