Merge branch 'main' into main

CONTRIBUTING.md

@@ -24,7 +24,7 @@ Once the package is installed, simply run `pre-commit install` to enable the hoo
 Before making your pull requests, try to see if your code follows these rules.
 
 - Wherever possible, use `Cow<'static, str>` instead of String.
-- `PhantomData` should have the smallest set of types needed.
+- `PhantomData` should have the smallest set of types needed. Try not adding `PhantomData` to your struct unless it is really necessary. Also even when you really need `PhantomData`, try to keep the types `T` used in `PhantomData` as smallest as possible 
 - Wherever possible, trait implementations with lifetime specifiers should use '_ lifetime elision.
 - Complex constructors should be replaced with `typed_builder`, or write code in the builder pattern for yourself.
 - Remove generic restrictions at the definitions (e.g., we do not need to specify that types impl `Serialize`, `Deserialize`, or `Debug` anymore at the struct definitions). Therefore, try avoiding code like this unless the contraint is really necessary.

Cargo.toml

@@ -83,8 +83,8 @@ libafl_jumper = { path = "./utils/libafl_jumper", version = "0.14.1", default-fe
 ahash = { version = "0.8.11", default-features = false } # The hash function already used in hashbrown
 arbitrary-int = "1.2.7" # arbitrary sized integers, useful in combination with bitfields (bitbybit crate)
 backtrace = { version = "0.3.74", default-features = false } # Used to get the stacktrace in StacktraceObserver
-bindgen = "0.70.1"
-bitbybit = "1.3.2" # bitfields, use this for bit fields and bit enums
+bindgen = "0.71.1"
+bitbybit = "1.3.3" # bitfields, use this for bit fields and bit enums
 clap = "4.5.18"
 cc = "1.1.21"
 cmake = "0.1.51"

MIGRATION.md

@@ -5,5 +5,8 @@
 - Removed `with_observers` from `Executor` trait.
 - `MmapShMemProvider::new_shmem_persistent` has been removed in favour of `MmapShMem::persist`. You probably want to do something like this: `let shmem = MmapShMemProvider::new()?.new_shmem(size)?.persist()?;`
 
-# 0.14.1 -> 0.14.2
-- `MmapShMem::new` and `MmapShMemProvider::new_shmem_with_id` now take `AsRef<Path>` instead of a byte array for the filename/id.
+# 0.14.1 -> 0.15.0
+- `MmapShMem::new` and `MmapShMemProvider::new_shmem_with_id` now take `AsRef<Path>` instead of a byte array for the filename/id.
+- The closure passed to a `DumpToDiskStage` now provides the `Testcase` instead of just the `Input`.
+- `StatsStage` is deleted, and it is superceded by `AflStatsStage`
+- 

fuzzers/baby/baby_fuzzer_custom_executor/src/main.rs

@@ -53,13 +53,12 @@ impl<EM, S, Z> Executor<EM, Z> for CustomExecutor<S>
 where
     EM: UsesState<State = S>,
     S: State + HasExecutions,
-    Z: UsesState<State = S>,
     Self::Input: HasTargetBytes,
 {
     fn run_target(
         &mut self,
         _fuzzer: &mut Z,
-        state: &mut Self::State,
+        state: &mut S,
         _mgr: &mut EM,
         input: &Self::Input,
     ) -> Result<ExitKind, libafl::Error> {

fuzzers/baby/tutorial/src/lib.rs

@@ -132,7 +132,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // Setup a lain mutator with a mutational stage
     let mutator = LainMutator::new();
 
-    let power: StdPowerMutationalStage<_, _, PacketData, _, _> =
+    let power: StdPowerMutationalStage<_, _, PacketData, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     let mut stages = tuple_list!(calibration, power);

fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs

@@ -314,7 +314,7 @@ fn fuzz(
         5,
     )?;
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     // A minimization+queue policy to get testcasess from the corpus

fuzzers/binary_only/fuzzbench_qemu/src/fuzzer.rs

@@ -317,7 +317,7 @@ fn fuzz(
         5,
     )?;
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     // A minimization+queue policy to get testcasess from the corpus

fuzzers/binary_only/qemu_launcher/src/instance.rs

@@ -1,5 +1,5 @@
 use core::fmt::Debug;
-use std::{fs, marker::PhantomData, ops::Range, process, time::Duration};
+use std::{fs, marker::PhantomData, ops::Range, path::PathBuf, process};
 
 #[cfg(feature = "simplemgr")]
 use libafl::events::SimpleEventManager;
@@ -23,8 +23,8 @@ use libafl::{
         powersched::PowerSchedule, IndexesLenTimeMinimizerScheduler, PowerQueueScheduler,
     },
     stages::{
-        calibrate::CalibrationStage, power::StdPowerMutationalStage, IfStage, ShadowTracingStage,
-        StagesTuple, StatsStage, StdMutationalStage,
+        calibrate::CalibrationStage, power::StdPowerMutationalStage, AflStatsStage, IfStage,
+        ShadowTracingStage, StagesTuple, StdMutationalStage,
     },
     state::{HasCorpus, StdState, UsesState},
     Error, HasMetadata, NopFuzzer,
@@ -137,7 +137,10 @@ impl<M: Monitor> Instance<'_, M> {
 
         let stats_stage = IfStage::new(
             |_, _, _, _| Ok(self.options.tui),
-            tuple_list!(StatsStage::new(Duration::from_secs(5))),
+            tuple_list!(AflStatsStage::builder()
+                .map_observer(&edges_observer)
+                .stats_file(PathBuf::from("stats.txt"))
+                .build()?),
         );
 
         // Feedback to rate the interestingness of an input
@@ -274,7 +277,7 @@ impl<M: Monitor> Instance<'_, M> {
                 5,
             )?;
 
-            let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+            let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
                 StdPowerMutationalStage::new(mutator);
 
             // The order of the stages matter!
@@ -309,9 +312,8 @@ impl<M: Monitor> Instance<'_, M> {
         stages: &mut ST,
     ) -> Result<(), Error>
     where
-        Z: Fuzzer<E, ClientMgr<M>, ST>
-            + UsesState<State = ClientState>
-            + Evaluator<E, ClientMgr<M>, State = ClientState>,
+        Z: Fuzzer<E, ClientMgr<M>, ClientState, ST>
+            + Evaluator<E, ClientMgr<M>, BytesInput, ClientState>,
         E: UsesState<State = ClientState>,
         ST: StagesTuple<E, ClientMgr<M>, ClientState, Z>,
     {

fuzzers/forkserver/fuzzbench_forkserver/src/main.rs

@@ -298,7 +298,7 @@ fn fuzz(
         5,
     )?;
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     // A minimization+queue policy to get testcasess from the corpus

fuzzers/forkserver/fuzzbench_forkserver_cmplog/src/main.rs

@@ -300,7 +300,7 @@ fn fuzz(
         5,
     )?;
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     // A minimization+queue policy to get testcasess from the corpus
@@ -371,7 +371,8 @@ fn fuzz(
         let tracing = AFLppCmplogTracingStage::new(cmplog_executor, cmplog_ref);
 
         // Setup a randomic Input2State stage
-        let rq = MultiMutationalStage::new(AFLppRedQueen::with_cmplog_options(true, true));
+        let rq: MultiMutationalStage<_, _, BytesInput, _, _, _> =
+            MultiMutationalStage::new(AFLppRedQueen::with_cmplog_options(true, true));
 
         let cb = |_fuzzer: &mut _,
                   _executor: &mut _,

fuzzers/forkserver/libafl-fuzz/src/executor.rs

@@ -357,7 +357,6 @@ pub enum SupportedExecutors<S, OT, FSV> {
 impl<S, OT, FSV, EM, Z> Executor<EM, Z> for SupportedExecutors<S, OT, FSV>
 where
     S: State,
-    Z: UsesState<State = S>,
     EM: UsesState<State = S>,
     FSV: Executor<EM, Z, State = S>,
 {

fuzzers/forkserver/libafl-fuzz/src/fuzzer.rs

@@ -22,7 +22,7 @@ use libafl::{
         CaptureTimeoutFeedback, ConstFeedback, CrashFeedback, MaxMapFeedback, TimeFeedback,
     },
     fuzzer::StdFuzzer,
-    inputs::{BytesInput, NopTargetBytesConverter},
+    inputs::{BytesInput, NopTargetBytesConverter, UsesInput},
     mutators::{havoc_mutations, tokens_mutations, AFLppRedQueen, StdScheduledMutator, Tokens},
     observers::{CanTrack, HitcountsMapObserver, StdMapObserver, TimeObserver},
     schedulers::{
@@ -38,7 +38,6 @@ use libafl::{
     },
     state::{
         HasCorpus, HasCurrentTestcase, HasExecutions, HasLastReportTime, HasStartTime, StdState,
-        UsesState,
     },
     Error, Fuzzer, HasFeedback, HasMetadata, SerdeAny,
 };
@@ -266,7 +265,7 @@ define_run_client!(state, mgr, fuzzer_dir, core_id, opt, is_main_node, {
         SupportedMutationalStages::StdMutational(StdMutationalStage::new(mutation), PhantomData)
     } else {
         SupportedMutationalStages::PowerMutational(
-            StdPowerMutationalStage::new(mutation),
+            StdPowerMutationalStage::<_, _, BytesInput, _, _, _>::new(mutation),
             PhantomData,
         )
     };
@@ -487,7 +486,9 @@ define_run_client!(state, mgr, fuzzer_dir, core_id, opt, is_main_node, {
         let tracing = AFLppCmplogTracingStage::new(cmplog_executor, cmplog_ref);
 
         // Create a randomic Input2State stage
-        let rq = MultiMutationalStage::new(AFLppRedQueen::with_cmplog_options(true, true));
+        let rq = MultiMutationalStage::<_, _, BytesInput, _, _, _>::new(
+            AFLppRedQueen::with_cmplog_options(true, true),
+        );
 
         // Create an IfStage and wrap the CmpLog stages in it.
         // We run cmplog on the second fuzz run of the testcase.
@@ -647,20 +648,19 @@ pub fn fuzzer_target_mode(opt: &Opt) -> Cow<'static, str> {
 #[derive(Debug, Serialize, Deserialize, SerdeAny)]
 pub struct IsInitialCorpusEntryMetadata {}
 
-pub fn run_fuzzer_with_stages<Z, ST, E, EM>(
+pub fn run_fuzzer_with_stages<E, EM, S, ST, Z>(
     opt: &Opt,
     fuzzer: &mut Z,
     stages: &mut ST,
     executor: &mut E,
-    state: &mut <Z as UsesState>::State,
+    state: &mut S,
     mgr: &mut EM,
 ) -> Result<(), Error>
 where
-    Z: Fuzzer<E, EM, ST>,
-    E: UsesState<State = Z::State>,
-    EM: ProgressReporter<State = Z::State>,
-    ST: StagesTuple<E, EM, Z::State, Z>,
-    <Z as UsesState>::State: HasLastReportTime + HasExecutions + HasMetadata,
+    Z: Fuzzer<E, EM, S, ST>,
+    EM: ProgressReporter<State = S>,
+    ST: StagesTuple<E, EM, S, Z>,
+    S: HasLastReportTime + HasExecutions + HasMetadata + UsesInput,
 {
     if opt.bench_just_one {
         fuzzer.fuzz_loop_for(stages, executor, state, mgr, 1)?;

fuzzers/forkserver/libafl-fuzz/src/stages/mutational_stage.rs

@@ -1,37 +1,25 @@
 use std::{borrow::Cow, marker::PhantomData};
 
 use libafl::{
-    corpus::Corpus,
-    inputs::Input,
-    mutators::Mutator,
-    stages::{mutational::MutatedTransform, MutationalStage, Stage},
-    state::{HasCorpus, HasRand, State, UsesState},
-    Error, Evaluator, HasNamedMetadata,
+    stages::{MutationalStage, Stage},
+    Error,
 };
 use libafl_bolts::Named;
 
 #[derive(Debug)]
-pub enum SupportedMutationalStages<S, SM, P, E, EM, M, I, Z> {
-    StdMutational(SM, PhantomData<(S, I, M, EM, Z, E)>),
-    PowerMutational(P, PhantomData<(S, I, M, EM, Z, E)>),
+pub enum SupportedMutationalStages<SM, P> {
+    StdMutational(SM, PhantomData<P>),
+    PowerMutational(P, PhantomData<SM>),
 }
 
-impl<S, SM, P, E, EM, M, I, Z> MutationalStage<E, EM, I, M, Z>
-    for SupportedMutationalStages<S, SM, P, E, EM, M, I, Z>
+impl<S, SM, P> MutationalStage<S> for SupportedMutationalStages<SM, P>
 where
-    E: UsesState<State = S>,
-    EM: UsesState<State = S>,
-    M: Mutator<I, S>,
-    Z: Evaluator<E, EM, State = S>,
-    I: MutatedTransform<S::Input, S> + Clone + Input,
-    SM: MutationalStage<E, EM, I, M, Z, State = S>,
-    P: MutationalStage<E, EM, I, M, Z, State = S>,
-    S: State<Input = I> + HasRand + HasCorpus + HasNamedMetadata,
-    <<Self as UsesState>::State as HasCorpus>::Corpus: Corpus<Input = Self::Input>, //delete me
+    SM: MutationalStage<S>,
+    P: MutationalStage<S, Mutator = SM::Mutator>,
 {
+    type Mutator = SM::Mutator;
     /// The mutator, added to this stage
-    #[inline]
-    fn mutator(&self) -> &M {
+    fn mutator(&self) -> &Self::Mutator {
         match self {
             Self::StdMutational(m, _) => m.mutator(),
             Self::PowerMutational(p, _) => p.mutator(),
@@ -40,7 +28,7 @@ where
 
     /// The list of mutators, added to this stage (as mutable ref)
     #[inline]
-    fn mutator_mut(&mut self) -> &mut M {
+    fn mutator_mut(&mut self) -> &mut Self::Mutator {
         match self {
             Self::StdMutational(m, _) => m.mutator_mut(),
             Self::PowerMutational(p, _) => p.mutator_mut(),
@@ -56,14 +44,7 @@ where
     }
 }
 
-impl<S, SM, P, E, EM, M, I, Z> UsesState for SupportedMutationalStages<S, SM, P, E, EM, M, I, Z>
-where
-    S: State + HasRand,
-{
-    type State = S;
-}
-
-impl<S, SM, P, E, EM, M, I, Z> Named for SupportedMutationalStages<S, SM, P, E, EM, M, I, Z>
+impl<SM, P> Named for SupportedMutationalStages<SM, P>
 where
     SM: Named,
     P: Named,
@@ -76,18 +57,10 @@ where
     }
 }
 
-impl<S, SM, P, E, EM, M, I, Z> Stage<E, EM, Z>
-    for SupportedMutationalStages<S, SM, P, E, EM, M, I, Z>
+impl<E, EM, S, SM, P, Z> Stage<E, EM, S, Z> for SupportedMutationalStages<SM, P>
 where
-    E: UsesState<State = S>,
-    EM: UsesState<State = S>,
-    M: Mutator<I, S>,
-    Z: Evaluator<E, EM, State = S>,
-    I: MutatedTransform<S::Input, S> + Clone + Input,
-    SM: MutationalStage<E, EM, I, M, Z, State = S>,
-    P: MutationalStage<E, EM, I, M, Z, State = S>,
-    S: State<Input = I> + HasRand + HasCorpus + HasNamedMetadata,
-    <<Self as UsesState>::State as HasCorpus>::Corpus: Corpus<Input = Self::Input>, //delete me
+    SM: Stage<E, EM, S, Z>,
+    P: Stage<E, EM, S, Z>,
 {
     #[inline]
     #[allow(clippy::let_and_return)]

fuzzers/inprocess/dynamic_analysis/src/lib.rs

@@ -314,7 +314,7 @@ fn fuzz(
         5,
     )?;
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     // A minimization+queue policy to get testcasess from the corpus

fuzzers/inprocess/fuzzbench/src/lib.rs

@@ -307,7 +307,7 @@ fn fuzz(
         5,
     )?;
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     // A minimization+queue policy to get testcasess from the corpus

fuzzers/inprocess/fuzzbench_ctx/src/lib.rs

@@ -317,7 +317,7 @@ fn fuzz(
         5,
     )?;
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     // A minimization+queue policy to get testcasess from the corpus

fuzzers/inprocess/fuzzbench_text/src/lib.rs

@@ -374,7 +374,7 @@ fn fuzz_binary(
         5,
     )?;
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     // A minimization+queue policy to get testcasess from the corpus
@@ -589,7 +589,7 @@ fn fuzz_text(
         5,
     )?;
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     let grimoire_mutator = StdScheduledMutator::with_max_stack_pow(

fuzzers/inprocess/libfuzzer_libpng/src/lib.rs

@@ -143,7 +143,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
 
     let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     let mut stages = tuple_list!(calibration, power);

fuzzers/inprocess/libfuzzer_libpng_cmin/src/lib.rs

@@ -140,7 +140,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
 
     let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     let mut stages = tuple_list!(calibration, power);

fuzzers/inprocess/libfuzzer_libpng_tcp_manager/src/lib.rs

@@ -141,7 +141,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
 
     let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));
 
-    let power: StdPowerMutationalStage<_, _, BytesInput, _, _> =
+    let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
         StdPowerMutationalStage::new(mutator);
 
     let mut stages = tuple_list!(calibration, power);