Fixes in corpus minimizer (#3403)

* Fix removing file with ctr of the form "\u{3}000"

* Ensure input is loaded, also ensure exec_time is set

* Clippy

* Revert "Fix removing file with ctr of the form "\u{3}000""

This reverts commit 4cb3507.

* libafl: fix lockfile ctr serialization (#3319)

All locations reading from the lockfile expect an integer as a string,
but in `InMemoryOnDiskCorpus<I>::remove_testcase` the raw bytes of the
integer are written to the file in little endian byte order.

This may cause "ParseIntError { kind: InvalidDigit }" in e.g.
`InMemoryOnDiskCorpus<I>::save_testcase` during parsing of the file's
contents.

Fix this by writing the integer to the lockfile as a string in
`InMemoryOnDiskCorpus<I>::remove_testcase` as well.

* Extract run target with timing

* Expose run_target_with_timing

* Simplify

* HasExecutions

* clippy

* linters

* fmt

---------

Co-authored-by: Niklas Gögge <[email protected]>

Author: ThomasTNO

crates/libafl/src/corpus/minimizer.rs

@@ -2,7 +2,7 @@
 //! of your corpus.
 
 use alloc::{borrow::Cow, string::ToString, vec::Vec};
-use core::{hash::Hash, marker::PhantomData};
+use core::{hash::Hash, marker::PhantomData, time::Duration};
 
 use hashbrown::{HashMap, HashSet};
 use libafl_bolts::{
@@ -16,11 +16,12 @@ use crate::{
     Error, HasMetadata, HasScheduler,
     corpus::Corpus,
     events::{Event, EventFirer, EventWithStats, LogSeverity},
-    executors::{Executor, HasObservers},
+    executors::{Executor, ExitKind, HasObservers},
     inputs::Input,
     monitors::stats::{AggregatorOps, UserStats, UserStatsValue},
     observers::{MapObserver, ObserversTuple},
     schedulers::{LenTimeMulTestcaseScore, RemovableScheduler, Scheduler, TestcaseScore},
+    stages::run_target_with_timing,
     state::{HasCorpus, HasExecutions},
 };
 
@@ -66,7 +67,7 @@ where
         &self,
         fuzzer: &mut Z,
         executor: &mut E,
-        manager: &mut EM,
+        mgr: &mut EM,
         state: &mut S,
     ) -> Result<(), Error>
     where
@@ -88,7 +89,7 @@ where
 
         let mut cur_id = state.corpus().first();
 
-        manager.log(
+        mgr.log(
             state,
             LogSeverity::Info,
             "Executing each input...".to_string(),
@@ -97,31 +98,41 @@ where
         let total = state.corpus().count() as u64;
         let mut curr = 0;
         while let Some(id) = cur_id {
-            let (weight, input) = {
+            let (weight, executions) = {
+                if state.corpus().get(id)?.borrow().scheduled_count() == 0 {
+                    // Execute the input; we cannot rely on the metadata already being present.
+
+                    let input = state
+                        .corpus()
+                        .get(id)?
+                        .borrow_mut()
+                        .load_input(state.corpus())?
+                        .clone();
+
+                    let (exit_kind, mut total_time, _) =
+                        run_target_with_timing(fuzzer, executor, state, mgr, &input, false)?;
+                    if exit_kind != ExitKind::Ok {
+                        total_time = Duration::from_secs(1);
+                    }
+                    state
+                        .corpus()
+                        .get(id)?
+                        .borrow_mut()
+                        .set_exec_time(total_time);
+                }
+
                 let mut testcase = state.corpus().get(id)?.borrow_mut();
-                let weight = TS::compute(state, &mut *testcase)?
-                    .to_u64()
-                    .expect("Weight must be computable.");
-                let input = testcase
-                    .input()
-                    .as_ref()
-                    .expect("Input must be available.")
-                    .clone();
-                (weight, input)
+                (
+                    TS::compute(state, &mut *testcase)?
+                        .to_u64()
+                        .expect("Weight must be computable."),
+                    *state.executions(),
+                )
             };
 
-            // Execute the input; we cannot rely on the metadata already being present.
-            executor.observers_mut().pre_exec_all(state, &input)?;
-            let kind = executor.run_target(fuzzer, state, manager, &input)?;
-            executor
-                .observers_mut()
-                .post_exec_all(state, &input, &kind)?;
-
-            let executions = *state.executions();
-
             curr += 1;
 
-            manager.fire(
+            mgr.fire(
                 state,
                 EventWithStats::with_current_time(
                     Event::UpdateUserStats {
@@ -159,7 +170,7 @@ where
             cur_id = state.corpus().next(id);
         }
 
-        manager.log(
+        mgr.log(
             state,
             LogSeverity::Info,
             "Preparing Z3 assertions...".to_string(),
@@ -186,7 +197,7 @@ where
             opt.assert_soft(&!seed, *weight, None);
         }
 
-        manager.log(state, LogSeverity::Info, "Performing MaxSAT...".to_string())?;
+        mgr.log(state, LogSeverity::Info, "Performing MaxSAT...".to_string())?;
         // Perform the optimization!
         opt.check(&[]);
 

crates/libafl/src/stages/calibrate.rs

@@ -13,7 +13,7 @@ use num_traits::Bounded;
 use serde::{Deserialize, Serialize};
 
 use crate::{
-    Error, HasMetadata, HasNamedMetadata,
+    Error, HasMetadata, HasNamedMetadata, HasScheduler,
     corpus::{Corpus, HasCurrentCorpusId, SchedulerTestcaseMetadata},
     events::{Event, EventFirer, EventWithStats, LogSeverity},
     executors::{Executor, ExitKind, HasObservers},
@@ -77,6 +77,45 @@ impl Default for UnstableEntriesMetadata {
     }
 }
 
+/// Runs the target with pre and post execution hooks and returns the exit kind and duration.
+pub fn run_target_with_timing<E, EM, Z, S, OT, I>(
+    fuzzer: &mut Z,
+    executor: &mut E,
+    state: &mut S,
+    mgr: &mut EM,
+    input: &I,
+    had_errors: bool,
+) -> Result<(ExitKind, Duration, bool), Error>
+where
+    OT: ObserversTuple<I, S>,
+    E: Executor<EM, I, S, Z> + HasObservers<Observers = OT>,
+    EM: EventFirer<I, S>,
+    I: Input,
+    S: HasExecutions,
+{
+    executor.observers_mut().pre_exec_all(state, input)?;
+
+    let start = current_time();
+    let exit_kind = executor.run_target(fuzzer, state, mgr, input)?;
+    let mut has_errors = had_errors;
+    if exit_kind != ExitKind::Ok && !had_errors {
+        mgr.log(
+            state,
+            LogSeverity::Warn,
+            "Corpus entry errored on execution!".into(),
+        )?;
+
+        has_errors = true;
+    }
+    let duration = current_time() - start;
+
+    executor
+        .observers_mut()
+        .post_exec_all(state, input, &exit_kind)?;
+
+    Ok((exit_kind, duration, has_errors))
+}
+
 /// The calibration stage will measure the average exec time and the target's stability for this input.
 #[derive(Debug, Clone)]
 pub struct CalibrationStage<C, I, O, OT, S> {
@@ -104,7 +143,7 @@ where
         + HasExecutions
         + HasCurrentTestcase<I>
         + HasCurrentCorpusId,
-    Z: Evaluator<E, EM, I, S>,
+    Z: Evaluator<E, EM, I, S> + HasScheduler<I, S>,
     I: Input,
 {
     #[inline]
@@ -127,30 +166,11 @@ where
         }
 
         let mut iter = self.stage_max;
+
         // If we restarted after a timeout or crash, do less iterations.
         let input = state.current_input_cloned()?;
-
-        // Run once to get the initial calibration map
-        executor.observers_mut().pre_exec_all(state, &input)?;
-
-        let mut start = current_time();
-
-        let exit_kind = executor.run_target(fuzzer, state, mgr, &input)?;
-        let mut total_time = if exit_kind == ExitKind::Ok {
-            current_time() - start
-        } else {
-            mgr.log(
-                state,
-                LogSeverity::Warn,
-                "Corpus entry errored on execution!".into(),
-            )?;
-            // assume one second as default time
-            Duration::from_secs(1)
-        };
-
-        executor
-            .observers_mut()
-            .post_exec_all(state, &input, &exit_kind)?;
+        let (_, mut total_time, _) =
+            run_target_with_timing(fuzzer, executor, state, mgr, &input, false)?;
 
         let observers = &executor.observers();
         let map_first = observers[&self.map_observer_handle].as_ref();
@@ -179,33 +199,11 @@ where
         let mut has_errors = false;
 
         while i < iter {
-            let input = state.current_input_cloned()?;
-
-            executor.observers_mut().pre_exec_all(state, &input)?;
-            start = current_time();
-
-            let exit_kind = executor.run_target(fuzzer, state, mgr, &input)?;
-            if exit_kind != ExitKind::Ok {
-                if !has_errors {
-                    mgr.log(
-                        state,
-                        LogSeverity::Warn,
-                        "Corpus entry errored on execution!".into(),
-                    )?;
-
-                    has_errors = true;
-                }
-
-                if iter < CAL_STAGE_MAX {
-                    iter += 2;
-                }
-            }
-
-            total_time += current_time() - start;
+            let (exit_kind, duration, has_errors_result) =
+                run_target_with_timing(fuzzer, executor, state, mgr, &input, has_errors)?;
+            has_errors = has_errors_result;
 
-            executor
-                .observers_mut()
-                .post_exec_all(state, &input, &exit_kind)?;
+            total_time += duration;
 
             if self.track_stability && exit_kind != ExitKind::Timeout {
                 let map = &executor.observers()[&self.map_observer_handle]

crates/libafl/src/stages/mod.rs

@@ -14,7 +14,7 @@ use core::{fmt, marker::PhantomData};
 
 #[cfg(feature = "std")]
 pub use afl_stats::{AflStatsStage, CalibrationTime, FuzzTime, SyncTime};
-pub use calibrate::CalibrationStage;
+pub use calibrate::{CalibrationStage, run_target_with_timing};
 pub use colorization::*;
 #[cfg(all(feature = "std", unix))]
 pub use concolic::ConcolicTracingStage;