
Commit 84702d1

domenukktokatoka
andauthored
Make sure EM and Z remain consistent in InProcessExecutor (#2873)
* Make sure EM and Z remain consistent in InProcessExecutor * first make them compile * a * hah * fix intel pt * decouple fuzzer from em * lol * 3 * fix tcp * fix * fix * fix * fixer * std * fixer * plz * plzplzplz * plzplzplzplz * mm * more * symbol * a * a * mm * mmm * mmmm * mmmmm * ff --------- Co-authored-by: Toka <tokazerkje@outlook.com>
1 parent 6cd97e7 commit 84702d1


7 files changed

+124
-103
lines changed


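--- a/fuzzers/binary_only/intel_pt_baby_fuzzer/src/main.rs
+++ b/fuzzers/binary_only/intel_pt_baby_fuzzer/src/main.rs
@@ -122,8 +122,8 @@ pub fn main() {
 }
 .build();
 
-type PTInProcessExecutor<'a, H, I, OT, S, T> =
-GenericInProcessExecutor<H, &'a mut H, (IntelPTHook<T>, ()), I, OT, S>;
+type PTInProcessExecutor<'a, EM, H, I, OT, S, T, Z> =
+GenericInProcessExecutor<EM, H, &'a mut H, (IntelPTHook<T>, ()), I, OT, S, Z>;
 // Create the executor for an in-process function with just one observer
 let mut executor = PTInProcessExecutor::with_timeout_generic(
 tuple_list!(pt_hook),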

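--- a/libafl/src/executors/inprocess/inner.rs
+++ b/libafl/src/executors/inprocess/inner.rs
@@ -1,6 +1,7 @@
 use core::{
 ffi::c_void,
 fmt::{self, Debug, Formatter},
+marker::PhantomData,
 ptr::{self, null, write_volatile},
 sync::atomic::{compiler_fence, Ordering},
 time::Duration,
@@ -33,14 +34,17 @@ use crate::{
 };
 
 /// The internal state of `GenericInProcessExecutor`.
-pub struct GenericInProcessExecutorInner<HT, I, OT, S> {
+pub struct GenericInProcessExecutorInner<EM, HT, I, OT, S, Z> {
 /// The observers, observing each run
 pub(super) observers: OT,
-// Crash and timeout hah
+/// Crash and timeout hooks
 pub(super) hooks: (InProcessHooks<I, S>, HT),
+/// `EM` and `Z` need to be tracked here to remain stable,
+/// else we can run into type confusions between [`Self::enter_target`] and [`Self::leave_target`].
+phantom: PhantomData<(EM, Z)>,
 }
 
-impl<HT, I, OT, S> Debug for GenericInProcessExecutorInner<HT, I, OT, S>
+impl<EM, HT, I, OT, S, Z> Debug for GenericInProcessExecutorInner<EM, HT, I, OT, S, Z>
 where
 OT: Debug,
 {
@@ -51,7 +55,7 @@ where
 }
 }
 
-impl<HT, I, OT, S> HasObservers for GenericInProcessExecutorInner<HT, I, OT, S> {
+impl<EM, HT, I, OT, S, Z> HasObservers for GenericInProcessExecutorInner<EM, HT, I, OT, S, Z> {
 type Observers = OT;
 
 #[inline]
@@ -65,7 +69,7 @@ impl<HT, I, OT, S> HasObservers for GenericInProcessExecutorInner<HT, I, OT, S>
 }
 }
 
-impl<HT, I, OT, S> GenericInProcessExecutorInner<HT, I, OT, S>
+impl<EM, HT, I, OT, S, Z> GenericInProcessExecutorInner<EM, HT, I, OT, S, Z>
 where
 OT: ObserversTuple<I, S>,
 {
@@ -76,7 +80,7 @@ where
 /// the code.
 // TODO: Remove EM and Z from function bound and add it to struct instead to avoid possible type confusion
 #[inline]
-pub unsafe fn enter_target<EM, Z>(
+pub unsafe fn enter_target(
 &mut self,
 fuzzer: &mut Z,
 state: &mut S,
@@ -111,13 +115,7 @@ where
 
 /// This function marks the boundary between the fuzzer and the target
 #[inline]
-pub fn leave_target<EM, Z>(
-&mut self,
-_fuzzer: &mut Z,
-_state: &mut S,
-_mgr: &mut EM,
-_input: &I,
-) {
+pub fn leave_target(&mut self, _fuzzer: &mut Z, _state: &mut S, _mgr: &mut EM, _input: &I) {
 unsafe {
 let data = &raw mut GLOBAL_STATE;
 
@@ -127,14 +125,14 @@ where
 }
 }
 
-impl<HT, I, OT, S> GenericInProcessExecutorInner<HT, I, OT, S>
+impl<EM, HT, I, OT, S, Z> GenericInProcessExecutorInner<EM, HT, I, OT, S, Z>
 where
 HT: ExecutorHooksTuple<I, S>,
 OT: ObserversTuple<I, S>,
 S: HasExecutions + HasSolutions<I>,
 {
 /// Create a new in mem executor with the default timeout (5 sec)
-pub fn generic<E, EM, OF, Z>(
+pub fn generic<E, OF>(
 user_hooks: HT,
 observers: OT,
 fuzzer: &mut Z,
@@ -150,7 +148,7 @@ where
 S: HasCurrentTestcase<I> + HasSolutions<I>,
 Z: HasObjective<Objective = OF>,
 {
-Self::with_timeout_generic::<E, EM, OF, Z>(
+Self::with_timeout_generic::<E, OF>(
 user_hooks,
 observers,
 fuzzer,
@@ -162,7 +160,7 @@ where
 
 /// Create a new in mem executor with the default timeout and use batch mode(5 sec)
 #[cfg(all(feature = "std", target_os = "linux"))]
-pub fn batched_timeout_generic<E, EM, OF, Z>(
+pub fn batched_timeout_generic<E, OF>(
 user_hooks: HT,
 observers: OT,
 fuzzer: &mut Z,
@@ -179,7 +177,7 @@ where
 S: HasCurrentTestcase<I> + HasSolutions<I>,
 Z: HasObjective<Objective = OF>,
 {
-let mut me = Self::with_timeout_generic::<E, EM, OF, Z>(
+let mut me = Self::with_timeout_generic::<E, OF>(
 user_hooks, observers, fuzzer, state, event_mgr, exec_tmout,
 )?;
 me.hooks_mut().0.timer_mut().batch_mode = true;
@@ -194,7 +192,7 @@ where
 /// * `observers` - the observers observing the target during execution
 ///
 /// This may return an error on unix, if signal handler setup fails
-pub fn with_timeout_generic<E, EM, OF, Z>(
+pub fn with_timeout_generic<E, OF>(
 user_hooks: HT,
 observers: OT,
 _fuzzer: &mut Z,
@@ -238,7 +236,11 @@ where
 *hooks.0.millis_sec_mut() = timeout.as_millis() as i64;
 }
 
-Ok(Self { observers, hooks })
+Ok(Self {
+observers,
+hooks,
+phantom: PhantomData,
+})
 }
 
 /// The inprocess handlers
@@ -254,7 +256,9 @@ where
 }
 }
 
-impl<HT, I, OT, S> HasInProcessHooks<I, S> for GenericInProcessExecutorInner<HT, I, OT, S> {
+impl<EM, HT, I, OT, S, Z> HasInProcessHooks<I, S>
+for GenericInProcessExecutorInner<EM, HT, I, OT, S, Z>
+{
 /// the timeout handler
 #[inline]
 fn inprocess_hooks(&self) -> &InProcessHooks<I, S> {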
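Review bot: The hunk at `@@ -76,7 +80,7 @@` keeps the line `// TODO: Remove EM and Z from function bound and add it to struct instead to avoid possible type confusion` above `enter_target`, but that is exactly what this commit does (the struct now carries `phantom: PhantomData<(EM, Z)>` and both `enter_target` and `leave_target` lost their method-level `<EM, Z>`), so the TODO is stale and should be deleted in the same change. Separately, `PhantomData<(EM, Z)>` on the struct makes the inner executor's `Send`/`Sync` auto-traits and variance follow `EM` and `Z`, even though the visible methods only ever receive them as `&mut Z` / `&mut EM` arguments; if inheriting those auto traits is not intended, `PhantomData<fn() -> (EM, Z)>` pins the two types for the enter/leave pairing without that side effect — worth confirming against how executors are moved between threads elsewhere in the crate. The enclosing `impl` blocks start and end outside the hunks shown.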

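--- a/libafl/src/executors/inprocess/mod.rs
+++ b/libafl/src/executors/inprocess/mod.rs
@@ -40,29 +40,32 @@ pub mod inner;
 pub mod stateful;
 
 /// The process executor simply calls a target function, as mutable reference to a closure.
-pub type InProcessExecutor<'a, H, I, OT, S> = GenericInProcessExecutor<H, &'a mut H, (), I, OT, S>;
+pub type InProcessExecutor<'a, EM, H, I, OT, S, Z> =
+GenericInProcessExecutor<EM, H, &'a mut H, (), I, OT, S, Z>;
 
 /// The inprocess executor that allows hooks
-pub type HookableInProcessExecutor<'a, H, HT, I, OT, S> =
-GenericInProcessExecutor<H, &'a mut H, HT, I, OT, S>;
+pub type HookableInProcessExecutor<'a, EM, H, HT, I, OT, S, Z> =
+GenericInProcessExecutor<EM, H, &'a mut H, HT, I, OT, S, Z>;
 /// The process executor simply calls a target function, as boxed `FnMut` trait object
-pub type OwnedInProcessExecutor<I, OT, S> = GenericInProcessExecutor<
+pub type OwnedInProcessExecutor<EM, I, OT, S, Z> = GenericInProcessExecutor<
+EM,
 dyn FnMut(&I) -> ExitKind,
 Box<dyn FnMut(&I) -> ExitKind>,
 (),
 I,
 OT,
 S,
+Z,
 >;
 
 /// The inmem executor simply calls a target function, then returns afterwards.
-pub struct GenericInProcessExecutor<H, HB, HT, I, OT, S> {
+pub struct GenericInProcessExecutor<EM, H, HB, HT, I, OT, S, Z> {
 harness_fn: HB,
-inner: GenericInProcessExecutorInner<HT, I, OT, S>,
+inner: GenericInProcessExecutorInner<EM, HT, I, OT, S, Z>,
 phantom: PhantomData<(*const H, HB)>,
 }
 
-impl<H, HB, HT, I, OT, S> Debug for GenericInProcessExecutor<H, HB, HT, I, OT, S>
+impl<EM, H, HB, HT, I, OT, S, Z> Debug for GenericInProcessExecutor<EM, H, HB, HT, I, OT, S, Z>
 where
 OT: Debug,
 {
@@ -75,7 +78,7 @@ where
 }
 
 impl<EM, H, HB, HT, I, OT, S, Z> Executor<EM, I, S, Z>
-for GenericInProcessExecutor<H, HB, HT, I, OT, S>
+for GenericInProcessExecutor<EM, H, HB, HT, I, OT, S, Z>
 where
 S: HasExecutions,
 OT: ObserversTuple<I, S>,
@@ -106,7 +109,9 @@ where
 }
 }
 
-impl<H, HB, HT, I, OT, S> HasObservers for GenericInProcessExecutor<H, HB, HT, I, OT, S> {
+impl<EM, H, HB, HT, I, OT, S, Z> HasObservers
+for GenericInProcessExecutor<EM, H, HB, HT, I, OT, S, Z>
+{
 type Observers = OT;
 
 #[inline]
@@ -120,15 +125,15 @@ impl<H, HB, HT, I, OT, S> HasObservers for GenericInProcessExecutor<H, HB, HT, I
 }
 }
 
-impl<'a, H, I, OT, S> InProcessExecutor<'a, H, I, OT, S>
+impl<'a, EM, H, I, OT, S, Z> InProcessExecutor<'a, EM, H, I, OT, S, Z>
 where
 H: FnMut(&I) -> ExitKind + Sized,
 OT: ObserversTuple<I, S>,
 S: HasCurrentTestcase<I> + HasExecutions + HasSolutions<I>,
 I: Input,
 {
 /// Create a new in mem executor with the default timeout (5 sec)
-pub fn new<EM, OF, Z>(
+pub fn new<OF>(
 harness_fn: &'a mut H,
 observers: OT,
 fuzzer: &mut Z,
@@ -140,7 +145,7 @@ where
 OF: Feedback<EM, I, OT, S>,
 Z: HasObjective<Objective = OF>,
 {
-Self::with_timeout_generic::<EM, OF, Z>(
+Self::with_timeout_generic::<OF>(
 tuple_list!(),
 harness_fn,
 observers,
@@ -153,7 +158,7 @@ where
 
 /// Create a new in mem executor with the default timeout and use batch mode(5 sec)
 #[cfg(all(feature = "std", target_os = "linux"))]
-pub fn batched_timeout<EM, OF, Z>(
+pub fn batched_timeout<OF>(
 harness_fn: &'a mut H,
 observers: OT,
 fuzzer: &mut Z,
@@ -166,7 +171,7 @@ where
 OF: Feedback<EM, I, OT, S>,
 Z: HasObjective<Objective = OF>,
 {
-let inner = GenericInProcessExecutorInner::batched_timeout_generic::<Self, EM, OF, Z>(
+let inner = GenericInProcessExecutorInner::batched_timeout_generic::<Self, OF>(
 tuple_list!(),
 observers,
 fuzzer,
@@ -190,7 +195,7 @@ where
 /// * `observers` - the observers observing the target during execution
 ///
 /// This may return an error on unix, if signal handler setup fails
-pub fn with_timeout<EM, OF, Z>(
+pub fn with_timeout<OF>(
 harness_fn: &'a mut H,
 observers: OT,
 fuzzer: &mut Z,
@@ -203,7 +208,7 @@ where
 OF: Feedback<EM, I, OT, S>,
 Z: HasObjective<Objective = OF>,
 {
-let inner = GenericInProcessExecutorInner::with_timeout_generic::<Self, EM, OF, Z>(
+let inner = GenericInProcessExecutorInner::with_timeout_generic::<Self, OF>(
 tuple_list!(),
 observers,
 fuzzer,
@@ -220,7 +225,7 @@ where
 }
 }
 
-impl<H, HB, HT, I, OT, S> GenericInProcessExecutor<H, HB, HT, I, OT, S>
+impl<EM, H, HB, HT, I, OT, S, Z> GenericInProcessExecutor<EM, H, HB, HT, I, OT, S, Z>
 where
 H: FnMut(&I) -> ExitKind + Sized,
 HB: BorrowMut<H>,
@@ -230,7 +235,7 @@ where
 I: Input,
 {
 /// Create a new in mem executor with the default timeout (5 sec)
-pub fn generic<EM, OF, Z>(
+pub fn generic<OF>(
 user_hooks: HT,
 harness_fn: HB,
 observers: OT,
@@ -243,7 +248,7 @@ where
 OF: Feedback<EM, I, OT, S>,
 Z: HasObjective<Objective = OF>,
 {
-Self::with_timeout_generic::<EM, OF, Z>(
+Self::with_timeout_generic::<OF>(
 user_hooks,
 harness_fn,
 observers,
@@ -256,7 +261,7 @@ where
 
 /// Create a new in mem executor with the default timeout and use batch mode(5 sec)
 #[cfg(all(feature = "std", target_os = "linux"))]
-pub fn batched_timeout_generic<EM, OF, Z>(
+pub fn batched_timeout_generic<OF>(
 user_hooks: HT,
 harness_fn: HB,
 observers: OT,
@@ -271,7 +276,7 @@ where
 OF: Feedback<EM, I, OT, S>,
 Z: HasObjective<Objective = OF>,
 {
-let inner = GenericInProcessExecutorInner::batched_timeout_generic::<Self, EM, OF, Z>(
+let inner = GenericInProcessExecutorInner::batched_timeout_generic::<Self, OF>(
 user_hooks, observers, fuzzer, state, event_mgr, exec_tmout,
 )?;
 
@@ -290,7 +295,7 @@ where
 /// * `observers` - the observers observing the target during execution
 ///
 /// This may return an error on unix, if signal handler setup fails
-pub fn with_timeout_generic<EM, OF, Z>(
+pub fn with_timeout_generic<OF>(
 user_hooks: HT,
 harness_fn: HB,
 observers: OT,
@@ -304,7 +309,7 @@ where
 OF: Feedback<EM, I, OT, S>,
 Z: HasObjective<Objective = OF>,
 {
-let inner = GenericInProcessExecutorInner::with_timeout_generic::<Self, EM, OF, Z>(
+let inner = GenericInProcessExecutorInner::with_timeout_generic::<Self, OF>(
 user_hooks, observers, fuzzer, state, event_mgr, timeout,
 )?;
 
@@ -349,8 +354,8 @@ pub trait HasInProcessHooks<I, S> {
 fn inprocess_hooks_mut(&mut self) -> &mut InProcessHooks<I, S>;
 }
 
-impl<H, HB, HT, I, OT, S> HasInProcessHooks<I, S>
-for GenericInProcessExecutor<H, HB, HT, I, OT, S>
+impl<EM, H, HB, HT, I, OT, S, Z> HasInProcessHooks<I, S>
+for GenericInProcessExecutor<EM, H, HB, HT, I, OT, S, Z>
 {
 /// the timeout handler
 #[inline]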
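Review bot: The public aliases `InProcessExecutor`, `HookableInProcessExecutor` and `OwnedInProcessExecutor` in the first hunk (`@@ -40,29 +40,32 @@`) each gain the new `EM` and `Z` type parameters, which breaks every downstream spelling of these types, yet their doc comments are left untouched and say nothing about what the two parameters are. A line on each alias such as `/// \`EM\` is the event manager and \`Z\` the fuzzer type this executor is used with; they are part of the executor's type so enter/leave cannot disagree on them.` plus a changelog entry would save users a round of compile errors. Likewise, the `OF: Feedback<EM, I, OT, S>` bounds in the `new`/`with_timeout*` hunks now bind the struct-level `EM`, so a constructor can no longer be instantiated with an event manager type different from the one `Executor<EM, I, S, Z>` is later implemented for — this appears to be the intent, but the `with_timeout_generic` doc block (which starts outside the hunk) should say so. The enclosing `impl` blocks begin and end outside the hunks shown.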
