Integrate cereggii fuzzing, make some adjustments.

Author: devdanzin

fusil/python/__init__.py

@@ -187,6 +187,12 @@ def createFuzzerOptions(self, parser: OptionParserWithSections) -> None:
             action="store_true",
             default=False,
         )
+        fuzzing_options.add_option(
+            '--fuzz-cereggii-scenarios',
+            help='Run only specialized cereggii fuzzing scenarios instead of general API fuzzing.',
+            action='store_true',
+            default=False,
+        )
         fuzzing_options.add_option(
             "--filenames",
             help="Names separated by commas of readable files (default: %s)" % FILENAMES,

fusil/python/argument_generator.py

@@ -67,6 +67,15 @@
 except ImportError:
     TEMPLATES = []
 
+try:
+    from fusil.python import tricky_cereggii
+    _HAS_TRICKY_CEREGGII = True
+    print("Loaded tricky_cereggii aggregator for ArgumentGenerator.")
+except ImportError:
+    _HAS_TRICKY_CEREGGII = False
+    print("Warning: Could not load tricky_cereggii aggregator for ArgumentGenerator.")
+    tricky_cereggii = None # Define for type checking
+
 try:
     import numpy
 except ImportError:
@@ -107,6 +116,10 @@ def __init__(
         self.filenames = filenames
         self.errback_name = ERRBACK_NAME_CONST
 
+        is_cereggii_target = (
+            self.options.modules == "cereggii" or getattr(self.options, "fuzz_cereggii_scenarios", False)
+        )
+
         self.h5py_argument_generator = H5PyArgumentGenerator(self) if use_h5py and H5PyArgumentGenerator else None
 
         # Initialize generators for various data types
@@ -158,6 +171,35 @@ def __init__(
                 self.genTrickyObjects,
             )
 
+        if is_cereggii_target and _HAS_TRICKY_CEREGGII:
+            print("Activating cereggii-specific argument generators...")
+            # Add hashable cereggii objects
+            self.hashable_argument_generators += (
+                self.genTrickyAtomicInt64,          # AtomicInt64 is hashable
+                self.genTrickyHashableKeyCereggii, # Keys specifically chosen for hashability
+            ) * 10 # Weight: make them appear reasonably often
+
+            # Add simple (potentially non-hashable) cereggii objects
+            self.simple_argument_generators += (
+                self.genTrickyWeirdCereggii,
+                self.genTrickyRecursiveCereggii,
+                self.genTrickyThreadHandle,
+            ) * 10
+
+            # Add complex cereggii objects (AtomicDict itself)
+            self.complex_argument_generators += (
+                self.genTrickyAtomicDict,
+            ) * 10
+
+            # Also add the simple ones to complex, as complex can include simple
+            self.complex_argument_generators += (
+                self.genTrickyAtomicInt64,
+                self.genTrickyHashableKeyCereggii,
+                self.genTrickyWeirdCereggii,
+                self.genTrickyRecursiveCereggii,
+                self.genTrickyThreadHandle,
+            ) * 5 # Lower weight here as they are already in simple
+
         # Handle NumPy, h5py, and t-strings conditionally
         if not self.options.no_numpy and use_numpy and H5PyArgumentGenerator:
             if allow_external_references:
@@ -289,6 +331,60 @@ def genInterestingValues(self) -> list[str]:
         """Generate an 'interesting' predefined value."""
         return [choice(INTERESTING)]
 
+    def genTrickyAtomicInt64(self) -> list[str]:
+        """Generate a reference to a tricky AtomicInt64 instance."""
+        # Check if the aggregator and its specific list are available
+        if not _HAS_TRICKY_CEREGGII or not tricky_cereggii or not tricky_cereggii.tricky_atomicint64_instance_names:
+            # Fallback to creating a simple default instance if tricky ones aren't loaded
+            return ["cereggii.AtomicInt64(0)"]
+        # Select a random name from the aggregated list
+        name = choice(tricky_cereggii.tricky_atomicint64_instance_names)
+        # Return the code to access it from the dictionary defined in the boilerplate
+        # The name 'tricky_atomic_ints' must match the variable in tricky_atomicint64.py
+        return [f"tricky_atomic_ints['{name}']"]
+
+    def genTrickyAtomicDict(self) -> list[str]:
+        """Generate a reference to a tricky AtomicDict instance."""
+        if not _HAS_TRICKY_CEREGGII or not tricky_cereggii or not tricky_cereggii.tricky_atomicdict_instance_names:
+            return ["cereggii.AtomicDict()"]  # Fallback
+        name = choice(tricky_cereggii.tricky_atomicdict_instance_names)
+        # Assumes 'tricky_atomic_dicts' dict is defined in boilerplate
+        return [f"tricky_atomic_dicts['{name}']"]
+
+    def genTrickyWeirdCereggii(self) -> list[str]:
+        """Generate a reference to a weird cereggii subclass instance."""
+        if not _HAS_TRICKY_CEREGGII or not tricky_cereggii or not tricky_cereggii.tricky_weird_cereggii_instance_names:
+            return ["object()"]  # Generic fallback
+        name = choice(tricky_cereggii.tricky_weird_cereggii_instance_names)
+        # Assumes 'tricky_weird_cereggii_objects' dict is defined in boilerplate
+        return [f"tricky_weird_cereggii_objects['{name}']"]
+
+    def genTrickyRecursiveCereggii(self) -> list[str]:
+        """Generate a reference to a tricky recursive cereggii object."""
+        if not _HAS_TRICKY_CEREGGII or not tricky_cereggii or not tricky_cereggii.tricky_recursive_object_names:
+            return ["['recursive_fallback']"]  # Fallback
+        name = choice(tricky_cereggii.tricky_recursive_object_names)
+        # Assumes 'tricky_recursive_objects' dict is defined in boilerplate
+        return [f"tricky_recursive_objects['{name}']"]
+
+    def genTrickyThreadHandle(self) -> list[str]:
+        """Generate a reference to a tricky ThreadHandle instance or callable."""
+        if not _HAS_TRICKY_CEREGGII or not tricky_cereggii or not tricky_cereggii.tricky_threadhandle_instance_names:
+            # Fallback needs a valid object to wrap
+            return ["cereggii.ThreadHandle(None)"]
+        name = choice(tricky_cereggii.tricky_threadhandle_instance_names)
+        # Assumes 'tricky_threadhandle_collection' dict is defined in boilerplate
+        return [f"tricky_threadhandle_collection['{name}']"]
+
+    def genTrickyHashableKeyCereggii(self) -> list[str]:
+        """Generate a reference to a tricky but hashable object for use as a dict key."""
+        # Use the specific list aggregated in tricky_atomicdict.py
+        if not _HAS_TRICKY_CEREGGII or not tricky_cereggii or not tricky_cereggii.tricky_hashable_key_names:
+            return ["'fallback_key'"]  # Fallback to a simple string
+        name = choice(tricky_cereggii.tricky_hashable_key_names)
+        # Assumes 'tricky_hashable_keys' dict is defined in boilerplate
+        return [f"tricky_hashable_keys['{name}']"]
+
     def genTrickyObjects(self) -> list[str]:
         """Generate a name of a 'tricky' predefined object from tricky_weird."""
         tricky_name = choice(fusil.python.tricky_weird.tricky_objects_names)

fusil/python/blacklists.py

@@ -232,7 +232,6 @@
     "Lock",
     "RLock",
     "Semaphore",
-    "AtomicInt64"
 }
 METHOD_BLACKLIST = {
     "__class__",
@@ -248,7 +247,6 @@
     "_randbelow",
     "_randbelow_with_getrandbits",
     "_read",
-    "_rehash",
     "_run_once",
     "_serve",
     "_shutdown",

fusil/python/python_source.py

@@ -48,6 +48,11 @@ def __init__(self, project: Project, options: FusilConfig, source_output_path: s
                 verbose=self.options.verbose,
             ).search_modules()
 
+        if self.options.fuzz_cereggii_scenarios:
+            self.error("Cereggii Scenario Mode: Forcing target module to 'cereggii'.")
+
+            self.modules = {'cereggii'}
+
         if self.options.packages != "*":
             print("\nAdding packages...")
             all_modules = ListAllModules(
@@ -59,7 +64,12 @@ def __init__(self, project: Project, options: FusilConfig, source_output_path: s
                 verbose=self.options.verbose,
             )
 
-            for package in self.options.packages.split(","):
+            packages = self.options.packages.split(",")
+            if self.options.fuzz_cereggii_scenarios:
+                self.error("Cereggii Scenario Mode: Forcing packages to 'cereggii'.")
+                packages = ["cereggii"]
+
+            for package in packages:
                 package = package.strip().strip("/")
                 if not len(package):
                     continue
@@ -119,6 +129,7 @@ def loadModule(self, module_name: str) -> None:
             self.module_name,
             threads=not self.options.no_threads,
             _async=not self.options.no_async,
+            is_cereggii_scenario_mode=getattr(self.options, 'fuzz_cereggii_scenarios', False),
         )
 
     def on_session_start(self) -> None:

fusil/python/samples/cereggii/tricky_atomicdict.py

@@ -16,7 +16,7 @@
 # We gather a wide range of pre-existing tricky objects to use as keys/values.
 # This is wrapped in try-except to allow this module to run standalone.
 try:
-    from fusil.python.samples import tricky_objects, weird_classes  # , tricky_numpy
+    from fusil.python.samples import tricky_objects, weird_classes as weird_classes_module # , tricky_numpy
 
     _HAS_DEPS = True
 except ImportError:
@@ -205,7 +205,7 @@ def __repr__(self):
 if _HAS_DEPS:
     all_tricky_sources = {
         "tricky_obj": tricky_objects.__dict__,
-        "weird_cls": weird_classes.weird_instances,
+        "weird_cls": weird_classes_module.weird_instances,
         # "tricky_np": tricky_numpy.__dict__,
     }
     for source_name, source_dict in all_tricky_sources.items():

fusil/python/samples/cereggii/tricky_atomicint64.py

@@ -12,7 +12,7 @@
 # We wrap this in a try-except block to allow this module to be run standalone
 # without breaking, which can be useful for debugging the generated inputs.
 try:
-    from fusil.python.samples import weird_classes
+    from fusil.python.samples import weird_classes as weird_classes_module
 
     _HAS_WEIRD_CLASSES = True
 except ImportError:
@@ -188,14 +188,14 @@ def side_effect_callable(current_value):
 if _HAS_WEIRD_CLASSES:
     # Add callables that return instances from our other tricky modules.
     weird_callables["callable_ret_weird_list"] = (
-        lambda x: weird_classes.weird_instances["weird_list_empty"]
+        lambda x: weird_classes_module.weird_instances["weird_list_empty"]
     )
 
     # This callable returns a FrameModifier. When the C code DECREFs this returned
     # object, its __del__ method will be triggered, attempting to maliciously
     # modify variables in its caller's frame. This is a potent attack against
     # assumptions made by JIT compilers or C code about object lifetimes.
-    weird_callables["callable_frame_modifier"] = lambda x: weird_classes.FrameModifier(
+    weird_callables["callable_frame_modifier"] = lambda x: weird_classes_module.FrameModifier(
         "side_effect_target", 999
     )
 

fusil/python/samples/cereggii/tricky_atomicint_scenarios.py

@@ -18,7 +18,7 @@
 # We make imports of our other tricky modules optional to allow for modularity.
 try:
     from fusil.python.samples.cereggii import tricky_atomicint64
-    from fusil.python.samples import weird_classes
+    from fusil.python.samples import weird_classes as weird_classes_module
 except ImportError:
     print(
         "Warning: Could not import tricky_atomicint64 or weird_classes. "
@@ -35,7 +35,7 @@ class WeirdClassesMock:
         weird_instances = {}
 
     tricky_atomicint64 = TrickyAtomicInt64Mock()
-    weird_classes = WeirdClassesMock()
+    weird_classes_module = WeirdClassesMock()
 
 
 # --- Step 1.2: Aggregate a "Menu" of Operations and Operands ---
@@ -48,8 +48,8 @@ class WeirdClassesMock:
     operator.truediv,
     operator.floordiv,
     operator.mod,
-    operator.pow,
-    operator.lshift,
+    # operator.pow,
+    # operator.lshift,
     operator.rshift,
     operator.and_,
     operator.or_,
@@ -58,14 +58,15 @@ class WeirdClassesMock:
 
 # A parallel list of all in-place operators.
 _INPLACE_OPS = [
+
     operator.iadd,
     operator.isub,
     operator.imul,
     operator.itruediv,
     operator.ifloordiv,
     operator.imod,
-    operator.ipow,
-    operator.ilshift,
+    # operator.ipow,
+    # operator.ilshift,
     operator.irshift,
     operator.iand,
     operator.ior,
@@ -80,7 +81,7 @@ class WeirdClassesMock:
 _ALL_NUMERIC_OPERANDS.extend(tricky_atomicint64.overflow_operands)
 # 3. Add all number-like "weird" instances.
 _ALL_NUMERIC_OPERANDS.extend(
-    inst for name, inst in weird_classes.weird_instances.items() if "weird_int" in name
+    inst for name, inst in weird_classes_module.weird_instances.items() if "weird_int" in name
 )
 # 4. Add fundamental tricky numerics.
 _ALL_NUMERIC_OPERANDS.extend(
@@ -117,23 +118,30 @@ def worker():
             target_atomic_int = random.choice(
                 tricky_atomicint64.atomic_int_instances_for_binops
             )
-
+            print(f"{target_atomic_int.get()=}")
             # 2. Pick a random, potentially malicious, right-hand operand.
             right_hand_operand = random.choice(_ALL_NUMERIC_OPERANDS)
+            if hasattr(right_hand_operand, "get"):
+                print(f"{right_hand_operand.get()=}")
+            else:
+                print(f"{right_hand_operand=}")
 
             # 3. Randomly choose the type of operation to perform.
             op_type = random.choice(["binary", "inplace", "reflected"])
-
+            print(f"{op_type=}: ", end="")
             try:
                 if op_type == "inplace":
                     op = random.choice(_INPLACE_OPS)
+                    print(f"{op=}")
                     op(target_atomic_int, right_hand_operand)
                 elif op_type == "binary":
                     op = random.choice(_BINARY_OPS)
+                    print(f"{op=}")
                     op(target_atomic_int, right_hand_operand)
                 elif op_type == "reflected":
                     # For reflected ops, the non-atomic operand comes first.
                     op = random.choice(_BINARY_OPS)
+                    print(f"{op=}")
                     op(right_hand_operand, target_atomic_int)
 
             except (OverflowError, TypeError, ValueError, ZeroDivisionError) as e:

fusil/python/samples/cereggii/tricky_python_utils_scenarios.py

@@ -4,6 +4,7 @@
 or methods to attack the underlying C implementations indirectly. Also includes
 scenarios testing interactions between different utilities.
 """
+import math
 
 import cereggii
 import sys
@@ -16,12 +17,12 @@
 
 # --- Imports for Tricky Objects ---
 try:
-    from fusil.python.samples import weird_classes
+    from fusil.python.samples import weird_classes as weird_classes_module
 
     print("Successfully imported weird_classes for Python utils scenarios.")
 except ImportError:
     print("Warning: Could not import weird_classes.", file=sys.stderr)
-    weird_classes = None
+    weird_classes_module = None
 
 # REMOVED: try...except block for tricky_weird_cereggii
 
@@ -30,8 +31,8 @@
 
 # Collect integer-like weird objects for the poison constructor attack
 _TRICKY_INTS_FOR_LATCH = []
-if weird_classes:
-    for name, instance in weird_classes.weird_instances.items():
+if weird_classes_module:
+    for name, instance in weird_classes_module.weird_instances.items():
         # Check if it inherits from int/number and isn't just a basic type instance
         if "weird_" in name and isinstance(
             instance, (int, float, complex)
@@ -74,7 +75,7 @@ def scenario_poison_countdownlatch(num_waiters=4, num_decrementers=4):
             # Attempt to create the latch with the malicious object
             latch = cereggii.CountDownLatch(poison_object)
             print(
-                f"Successfully created CountDownLatch with {type(poison_object).__name__}"
+                f"Successfully created CountDownLatch with {type(poison_object).__name__}, log10={math.log10(poison_object)}"
             )
         except AssertionError:
             continue  # Expected failure for negative values etc.
@@ -216,7 +217,7 @@ def wait_worker():
 
 # --- Aggregate and Export Scenarios ---
 python_utils_scenarios = {
-    "scenario_poison_countdownlatch": scenario_poison_countdownlatch,
+    # "scenario_poison_countdownlatch": scenario_poison_countdownlatch,
     "scenario_latch_decremented_by_reduce": scenario_latch_decremented_by_reduce,  # Added new scenario
 }
 

fusil/python/samples/cereggii/tricky_reduce_nightmares.py

@@ -24,9 +24,9 @@
     print("Warning: 'tricky_atomicdict.py' not found.", file=sys.stderr)
 
 try:
-    from fusil.python.samples.weird_classes import weird_instances
+    from fusil.python.samples.weird_classes import weird_instances as _weird_instances
 except ImportError:
-    weird_instances = None
+    _weird_instances = None
     print("Warning: 'weird_classes.py' not found.", file=sys.stderr)
 
 
@@ -171,7 +171,7 @@ def __bool__(self):
 
 
 _non_hashable_key = (
-    weird_instances.get("weird_list_empty", []) if weird_instances else []
+    _weird_instances.get("weird_list_empty", []) if _weird_instances else []
 )
 
 specialized_breakers = {