Merge pull request #1101 from AFLplusplus/dev

Dev

9 files changed, 44 insertions, 32 deletions

diff --git a/custom_mutators/README.md b/custom_mutators/README.md
index fa877f34..0289e150 100644
--- a/custom_mutators/README.md
+++ b/custom_mutators/README.md
@@ -15,6 +15,7 @@ In `./rust`, you will find rust bindings, including a simple example in `./rust/
 
 If you use git to clone AFL++, then the following will incorporate our
 excellent grammar custom mutator:
+
 ```sh
 git submodule update --init
 ```
diff --git a/custom_mutators/gramatron/README.md b/custom_mutators/gramatron/README.md
index 91f93355..8aa0cc44 100644
--- a/custom_mutators/gramatron/README.md
+++ b/custom_mutators/gramatron/README.md
@@ -1,19 +1,19 @@
 # GramaTron
 
-Gramatron is a coverage-guided fuzzer that uses grammar automatons to perform
-grammar-aware fuzzing.  Technical details about our framework are available
-in the [ISSTA'21 paper](https://nebelwelt.net/files/21ISSTA.pdf).
-The artifact to reproduce the experiments presented in the paper are present
-in `artifact/`. Instructions to run a sample campaign and incorporate new
-grammars is presented below: 
+GramaTron is a coverage-guided fuzzer that uses grammar automatons to perform
+grammar-aware fuzzing.  Technical details about our framework are available in
+the [ISSTA'21 paper](https://nebelwelt.net/files/21ISSTA.pdf). The artifact to
+reproduce the experiments presented in the paper are present in `artifact/`.
+Instructions to run a sample campaign and incorporate new grammars is presented
+below:
 
-# Compiling
+## Compiling
 
-Simply execute `./build_gramatron_mutator.sh`
+Execute `./build_gramatron_mutator.sh`.
 
-# Running
+## Running
 
-You have to set the grammar file to use with `GRAMMATRON_AUTOMATION`:
+You have to set the grammar file to use with `GRAMATRON_AUTOMATION`:
 
 ```
 export AFL_DISABLE_TRIM=1
@@ -23,23 +23,27 @@ export GRAMATRON_AUTOMATION=grammars/ruby/source_automata.json
 afl-fuzz -i in -o out -- ./target
 ```
 
-# Adding and testing a new grammar
+## Adding and testing a new grammar
 
-- Specify in a JSON format for CFG. Examples are correspond `source.json` files 
+- Specify in a JSON format for CFG. Examples are correspond `source.json` files.
 - Run the automaton generation script (in `src/gramfuzz-mutator/preprocess`)
   which will place the generated automaton in the same folder.
-```
-./preprocess/prep_automaton.sh <grammar_file> <start_symbol> [stack_limit]
 
-Eg. ./preprocess/prep_automaton.sh ~/grammars/ruby/source.json PROGRAM
-```
-- If the grammar has no self-embedding rules then you do not need to pass the
-  stack limit parameter. However, if it does have self-embedding rules then you
+  ```
+  ./preprocess/prep_automaton.sh <grammar_file> <start_symbol> [stack_limit]
+
+  E.g., ./preprocess/prep_automaton.sh ~/grammars/ruby/source.json PROGRAM
+  ```
+
+- If the grammar has no self-embedding rules, then you do not need to pass the
+  stack limit parameter. However, if it does have self-embedding rules, then you
   need to pass the stack limit parameter. We recommend starting with `5` and
-  then increasing it if you need more complexity
-- To sanity-check that the automaton is generating inputs as expected you can use the `test` binary housed in `src/gramfuzz-mutator`
-```
-./test SanityCheck <automaton_file>
+  then increasing it if you need more complexity.
+- To sanity-check that the automaton is generating inputs as expected, you can
+  use the `test` binary housed in `src/gramfuzz-mutator`.
 
-Eg. ./test SanityCheck ~/grammars/ruby/source_automata.json
-```
+  ```
+  ./test SanityCheck <automaton_file>
+
+  E.g., ./test SanityCheck ~/grammars/ruby/source_automata.json
+  ```
\ No newline at end of file
diff --git a/custom_mutators/grammar_mutator/grammar_mutator b/custom_mutators/grammar_mutator/grammar_mutator
-Subproject eedf07ddb0fb1f437f5e76b77cfd4064cf6a5d6
+Subproject b79d51a8daccbd7a693f9b6765c81ead14f28e2
diff --git a/custom_mutators/libfuzzer/FuzzerLoop.cpp b/custom_mutators/libfuzzer/FuzzerLoop.cpp
index 08fda520..6716dbf5 100644
--- a/custom_mutators/libfuzzer/FuzzerLoop.cpp
+++ b/custom_mutators/libfuzzer/FuzzerLoop.cpp
@@ -1086,6 +1086,7 @@ ATTRIBUTE_INTERFACE size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size,
                                             size_t MaxSize) {
 
   assert(fuzzer::F);
+  fuzzer::F->GetMD().StartMutationSequence();
   size_t r = fuzzer::F->GetMD().DefaultMutate(Data, Size, MaxSize);
 #ifdef  INTROSPECTION
   introspection_ptr = fuzzer::F->GetMD().WriteMutationSequence();
diff --git a/custom_mutators/libfuzzer/README.md b/custom_mutators/libfuzzer/README.md
index fb3025f2..cb4773b7 100644
--- a/custom_mutators/libfuzzer/README.md
+++ b/custom_mutators/libfuzzer/README.md
@@ -11,9 +11,11 @@ Note that this is currently a simple implementation and it is missing two featur
   * Dictionary support
 
 To update the source, all that is needed is that FuzzerDriver.cpp has to receive
+
 ```
 #include "libfuzzer.inc"
 ```
+
 before the closing namespace bracket.
 
 It is also libfuzzer.inc where the configuration of the libfuzzer mutations
@@ -21,4 +23,4 @@ are done.
 
 > Original repository: https://github.com/llvm/llvm-project
 > Path: compiler-rt/lib/fuzzer/*.{h|cpp}
-> Source commit: df3e903655e2499968fc7af64fb5fa52b2ee79bb
+> Source commit: df3e903655e2499968fc7af64fb5fa52b2ee79bb
\ No newline at end of file
diff --git a/custom_mutators/libfuzzer/libfuzzer.inc b/custom_mutators/libfuzzer/libfuzzer.inc
index 01f21dbe..8c4bdbf6 100644
--- a/custom_mutators/libfuzzer/libfuzzer.inc
+++ b/custom_mutators/libfuzzer/libfuzzer.inc
@@ -2,7 +2,7 @@
 
 extern "C" ATTRIBUTE_INTERFACE void
 LLVMFuzzerMyInit(int (*Callback)(const uint8_t *Data, size_t Size), unsigned int Seed) {
-  Random Rand(Seed);
+  auto *Rand = new Random(Seed);
   FuzzingOptions Options;
   Options.Verbosity = 3;
   Options.MaxLen = 1024000;
@@ -30,7 +30,7 @@ LLVMFuzzerMyInit(int (*Callback)(const uint8_t *Data, size_t Size), unsigned int
   struct EntropicOptions Entropic;
   Entropic.Enabled = Options.Entropic;
   EF = new ExternalFunctions();
-  auto *MD = new MutationDispatcher(Rand, Options);
+  auto *MD = new MutationDispatcher(*Rand, Options);
   auto *Corpus = new InputCorpus(Options.OutputCorpus, Entropic);
   auto *F = new Fuzzer(Callback, *Corpus, *MD, Options);
 }
diff --git a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc
index e0273849..ecbfdd1c 100644
--- a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc
+++ b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.cc
@@ -99,10 +99,12 @@ extern "C" size_t afl_custom_fuzz(MyMutator *mutator, // return value from afl_c
     std::string s = ProtoToData(*p);
     // Copy to a new buffer ( mutated_out )
     size_t mutated_size = s.size() <= max_size ? s.size() : max_size; // check if raw data's size is larger than max_size
-    uint8_t *mutated_out = new uint8_t[mutated_size+1];
-    memcpy(mutated_out, s.c_str(), mutated_size); // copy the mutated data
+
+    delete mutator->mutated_out;
+    mutator->mutated_out = new uint8_t[mutated_size+1];
+    memcpy(mutator->mutated_out, s.c_str(), mutated_size); // copy the mutated data
     // Assign the mutated data and return mutated_size
-    *out_buf = mutated_out;
+    *out_buf = mutator->mutated_out;
     return mutated_size;
 }
 
diff --git a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h
index ebd3ca65..0f5484ca 100644
--- a/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h
+++ b/custom_mutators/libprotobuf-mutator-example/lpm_aflpp_custom_mutator_input.h
@@ -2,4 +2,6 @@
 #include "test.pb.h"
 
 class MyMutator : public protobuf_mutator::Mutator {
+public:
+    uint8_t *mutated_out = nullptr; 
 };
diff --git a/custom_mutators/symcc/symcc.c b/custom_mutators/symcc/symcc.c
index 19218449..86f23343 100644
--- a/custom_mutators/symcc/symcc.c
+++ b/custom_mutators/symcc/symcc.c
@@ -129,7 +129,7 @@ uint8_t afl_custom_queue_new_entry(my_mutator_t * data,
 
   int pid = fork();
 
-  if (pid == -1) return;
+  if (pid == -1) return 0;
 
   if (pid) {
 
@@ -147,7 +147,7 @@ uint8_t afl_custom_queue_new_entry(my_mutator_t * data,
         if (r <= 0) {
 
           close(pipefd[1]);
-          return;
+          return 0;
 
         }