0.10.0
Highlights
- AFL++'s Redqueen implementation
- New Scheduler method to run on evaluation
- EcoFuzz implementation
- Integration with CASR for deduplication
- Input loading from disk API moved to Corpus (this allows Corpora to be backed by network or databases)
- Batch mode timeout algorithm with lower syscall overhead (Linux only)
- Logic stages to enable and disable stages conditionally
- Full AFL++ forkserver support
- New WASM fuzzing example
What's Changed
- Change to combine restoration prologue with coverage register spill by @WorksButNotTested in #1029
- Remove unused imports by @tokatoka in #1035
- Add information about system mode QEMU by @domenukk in #1038
- Restart loading initial inputs even after a crash/timeout by @andreafioraldi in #1040
- Allow to load a list of files by @domenukk in #1044
- libafl: with_capacity method for NewHashFeedback by @langston-barrett in #1034
- Update deps for libafl by @rchildre3 in #1042
- libafl: Increase default capacity of NewHashFeedback by @langston-barrett in #1049
- Rename LLMP Timeout message by @tokatoka in #1048
- Send stability in calibration stage & FridaInstrumentationHelper returns Result<Self, Error> by @tokatoka in #1056
- Revert FridaInstrumentationHelper changes by @tokatoka in #1062
- Colorization stage by @tokatoka in #1039
- Remove unused deps by @tokatoka in #1069
- Use the log facade instead of println by @fabianfreyer in #1060
- QEMU: do not crash in helpers pre and post execs by @andreafioraldi in #1065
- Add stub lib for fuzzbench by @andreafioraldi in #1074
- minibsod solarish on amd64 implementations by @devnexen in #1068
- Use Instant::now instead of duration by @SpaceWhite in #1064
- Forkserver: 1. Add mem barrier 2. Don't send the initial 4 bytes message when it uses dynamic map option only by @tokatoka in #1073
- Add a missing condition for FS_OPT_MAPSIZE by @tokatoka in #1076
- CorpusMinimizer opt: don't add to map if it's the initial value (uninteresting) by @addisoncrump in #1078
- Make sure input was loaded to avoid panic on unwrap in MutatedTransform by @f0rki in #1077
- Weak link token section by @tokatoka in #1080
- Use GuestAddr in QemuInstrumentationFilter by @andreafioraldi in #1085
- Move bytecount to dev-dependencies by @rchildre3 in #1090
- Exit broker when last client exits by @domenukk in #1057
- libafl: Generator instance for Iterator by @langston-barrett in #1101
- Cleanup forkserver exec builder by @clesmian in #1094
- UsesObserver by @tokatoka in #1104
- Add example for WASM by @addisoncrump in #1093
- on_evaluation Scheduler method by @andreafioraldi in #1106
- Real OnDiskCorpus by @domenukk in #1096
- Remove unnecessary check in calibration stage by @tokatoka in #1111
- Track parent testcase, tuneable stage probabilistic settings by @domenukk in #1081
- Implement EcoFuzz by @andreafioraldi in #1115
- Use a different crash history in forkserver examples by @arpankapoor in #1118
- SimpleLogger by @tokatoka in #1109
- Cargo feature to avoid regex dependency by @langston-barrett in #1102
- Forward on_evaluation callback in MinimizerScheduler by @EliaGeretto in #1122
- Use InMemoryCorpus in libfuzzer_libpng by @tokatoka in #1125
- Check CI result on cargo make test for available fuzzers by @SpaceWhite in #1107
- Improve find_llvm for MacOS by @Marcondiro in #1124
- Increase LLMP clients timeout to 5 min by @andreafioraldi in #1126
- Define custom collectors for QemuCallTracerHelper by @andreafioraldi in #1099
- Use regex feature in libafl_qemu by @andreafioraldi in #1127
- Safer EoP handling by @domenukk in #1128
- Allows libafl tests to run in miri by @domenukk in #1130
- Allow taking ownership of the BytesInput by @wtdcode in #1135
- Resolve zero-sized allocation in swap diff fuzzer by @addisoncrump in #1139
- AFL++ RedQueen by @tokatoka in #1087
- Added Truncate trait by @domenukk in #1141
- Make it explicit that clang/clang++ is needed by @tokatoka in #1142
- Created functions to get the metadata from State and Testcase by @matheusbaptistella in #1123
- Rename MetaData to Metadata by @tokatoka in #1144
- Create SchedulerTestcaseMetadata if it doesn't exist by @domenukk in #1151
- Implement From for usize by @domenukk in #1152
- Logic stages by @tokatoka in #1148
- IfStage by @tokatoka in #1157
- checks the presence of clang frontends. by @devnexen in #1158
- new metadata() and testcase() function added to the code by @matheusbaptistella in #1155
- Removed new_ from constructors that don't need it (API consistency) by @domenukk in #1159
- Don't build z3 from source by default (and add static_z3 feature) by @domenukk in #1160
- Remove duplicate lines in attributes by @bkrl in #1165
- libafl_frida run executable by @SpaceWhite in #1117
- fix UB in baby_fuzzer_grimoire by @Vincebye in #1166
- Install libz3-dev in CI by @domenukk in #1163
- Solves issue #1137 by @arimallick in #1168
- core_affinity freebsd constants are included in libc now. by @devnexen in #1170
- Remove libfuzzer_stb_image_sugar for now by @tokatoka in #1177
- Implement restarting without serializing the corpus by @andreafioraldi in #1182
- add readme documentation description about the tui feature by @Vincebye in #1198
- CASR deduplication for StacktraceObservers by @anfedotoff in #1184
- Use observers to handle crashes in run_target for TimeoutForkserverExecutor by @anfedotoff in #1189
- Bump to 0.10.0 by @andreafioraldi in #1156
- Removed more new_ (follow-up on #1159) by @domenukk in #1200
- qemu: Return errors from Emulator::new instead of asserting by @langston-barrett in #1197
- libafl: Copy-editing LLMP manager docstrings by @langston-barrett in #1208
- libafl: Mark buffer_{self_,}copy as unsafe, don't export them by @langston-barrett in #1207
- Tuneable stage with per-seed timeout by @domenukk in #1209
- Example fuzzers with even less UB by @domenukk in #1212
- serial_test as normal optional dep enabled with std by @andreafioraldi in #1215
- Batch mode timeouts (Linux only ATM) by @andreafioraldi in #1193
- Move Input loading and dumping APIs from Testcase to Corpus by @domenukk in #1201
Fixes
- Fix readme position in qemu sys by @andreafioraldi in #1032
- Fix frida Cargo.toml by @andreafioraldi in #1033
- Comment Fix by @tokatoka in #1031
- Fix windows is_valid by @tokatoka in #1217
- Fix Testcase renaming on disk by @SpaceWhite in #1191
- Fix on_remove of MinimizerScheduler by @zeyugao in #1161
- Fix #1176 by @fbaltor in #1192
- Fix a build error in baby_fuzzer_minimizing by @ToSeven in #1195
- Fix #1181 by @tokatoka in #1183
- Fix testcase set_filename by @SpaceWhite in #1092
- Fix example fuzzers by @domenukk in #1171
- Fix libafl_qemu testcase by @domenukk in #1173
- Fmt, no_std fixes by @domenukk in #1167
- Fix fuzzers after HasTestcase (#1123) by @domenukk in #1162
- Fix mutator slowdown by @tokatoka in #1138
- Frida: fix aarch64 build by @domenukk in #1153
- Fix UB for differential map observer example by @domenukk in #1140
- Fix multiplication to division in powerschedule weighting by @vanhauser-thc in #1120
- Fix forkserver regression in LTO mode by @tokatoka in #1114
- Fix capstone mode in LibAFL QEMU by @andreafioraldi in #1136
- Fix fuzzbench_forkserver by @tokatoka in #1145
- Fix infinite calibration by @tokatoka in #1147
- Fix llmp ClientId search by @andreafioraldi in #1112
- Windows fix by @domenukk in #1116
- Fix CoreId for Frida, FreeBSD by @domenukk in #1100
- Fix CI by @tokatoka in #1103
- Fix StdErrObserver not implementing needed traits by @radl97 in #1072
- Fixes for on_replace/on_remove and related for StdFuzzer and MapFeedback by @addisoncrump in #1067
- Fix grimoire when used with on_replace/on_remove by @addisoncrump in #1075
- Fix max input size for {CrossOverInsert,BytesInsertCopy}Mutator by @Mrmaxmeier in #1097
- Fix llmp eop race, introduce llmp shmem cache by @domenukk in #1091
- Timeout executor cfg fix by @tokatoka in #1088
- Fix exits which may cause double-free corruption by @addisoncrump in #1086
- Fix fuzzbench build by @zeyugao in #1004
- Fix typo in directory visiting by @andreafioraldi in #1050
- Fix frida_gdiplus by @tokatoka in #1045
- Bump deps and fix Clippy warns in example fuzzers by @rchildre3 in #1043
- Fix accidental breakage of non-AARCH64 systems by @WorksButNotTested in #1036
- Mutator sampling probability fixes by @addisoncrump in #1030
- Fix SimplePrintingMonitor by @arpankapoor in #1164
- Frida: Fix Android build by @domenukk in #1154
- Fix fuzz_level related thing, separate on_replace/on_remove from Scheduler & various fixes by @tokatoka in #1119
New Contributors
- @zeyugao made their first contribution in #1004
- @f0rki made their first contribution in #1077
- @clesmian made their first contribution in #1094
- @arpankapoor made their first contribution in #1118
- @EliaGeretto made their first contribution in #1122
- @Marcondiro made their first contribution in #1124
- @wtdcode made their first contribution in #1135
- @matheusbaptistella made their first contribution in #1123
- @bkrl made their first contribution in #1165
- @Vincebye made their first contribution in #1166
- @arimallick made their first contribution in #1168
- @ToSeven made their first contribution in #1195
- @anfedotoff made their first contribution in #1184
- @fbaltor made their first contribution in #1192
Full Changelog: 0.9.0...0.10.0