Add back exits

Author: wtdcode

FuzzerCorn.cpp

@@ -27,12 +27,12 @@ class FuzzerCorn {
   bool IsFuzzing() { return this->IsFuzzing_; }
 
   FuzzerCornError
-  Fuzz(uc_engine *Uc, int *Argc, char ***Argv,
-       FuzzerCornPlaceInputCallback Input, FuzzerCornInitialize Init,
-       FuzzerCornValidateCallback Validate, FuzzerCornMutatorCallback Mutate,
-       FuzzerCornCrossOverCallback Cross, InstrumentRange *Ranges,
-       size_t RangeCount, void *UserData, bool AlwaysValidate, int *ExitCode,
-       size_t CounterCount) {
+  Fuzz(uc_engine *Uc, int *Argc, char ***Argv, uint64_t *Exits,
+       size_t ExitCount, FuzzerCornPlaceInputCallback Input,
+       FuzzerCornInitialize Init, FuzzerCornValidateCallback Validate,
+       FuzzerCornMutatorCallback Mutate, FuzzerCornCrossOverCallback Cross,
+       InstrumentRange *Ranges, size_t RangeCount, void *UserData,
+       bool AlwaysValidate, int *ExitCode, size_t CounterCount) {
     InitializeCallback InitCb = Init ? InitializeCallbackWrapper_ : nullptr;
     CustomMutatorCallback MutCb = Mutate ? MutateCallbackWrapper_ : nullptr;
     CustomCrossOverCallback CrossCb =
@@ -51,6 +51,8 @@ class FuzzerCorn {
     this->PrevLoc_ = 0;
     this->Ranges_ = Ranges_;
     this->RangeCount_ = RangeCount;
+    this->Exits_ = Exits;
+    this->ExitCount_ = ExitCount_;
 
     *ExitCode = LLVMFuzzerRunDriver(
         Argc, Argv, TestOneInputCallbackWrapper_, InitCb, MutCb, CrossCb,
@@ -226,6 +228,23 @@ class FuzzerCorn {
     // In the fork mode:
     //    TODO!
 
+    if (this->ExitCount_ == 0) {
+      return FUZZERCORN_ERR_OK;
+    }
+
+    // Enable multiple exits.
+    Err = uc_ctl_exits_enable(this->Uc_);
+    if (unlikely(Err)) {
+      return FUZZERCORN_ERR_UC_ERR;
+    }
+
+    // Setup exits.
+    V.assign(this->Exits_, this->Exits_ + this->ExitCount_);
+    Err = uc_ctl_set_exits(this->Uc_, (uint64_t *)&V[0], this->ExitCount_);
+    if (unlikely(Err)) {
+      return FUZZERCORN_ERR_UC_ERR;
+    }
+
     return FUZZERCORN_ERR_OK;
   }
 
@@ -237,6 +256,8 @@ class FuzzerCorn {
   void *UserData_;
   InstrumentRange *Ranges_;
   size_t RangeCount_;
+  uint64_t *Exits_;
+  size_t ExitCount_;
   uc_engine *Uc_;
   FuzzerCornInitialize Init_;
   FuzzerCornPlaceInputCallback Input_;
@@ -252,12 +273,14 @@ class FuzzerCorn {
 
 FuzzerCorn FuzzerCorn::fuzzer;
 
-FuzzerCornError FuzzerCornFuzz(
-    uc_engine *Uc, int *Argc, char ***Argv, FuzzerCornPlaceInputCallback Input,
-    FuzzerCornInitialize Init, FuzzerCornValidateCallback Validate,
-    FuzzerCornMutatorCallback Mutate, FuzzerCornCrossOverCallback Cross,
-    InstrumentRange *Ranges, size_t RangeCount, void *UserData,
-    bool AlwaysValidate, int *ExitCode, size_t CounterCount) {
+FuzzerCornError
+FuzzerCornFuzz(uc_engine *Uc, int *Argc, char ***Argv, uint64_t *Exits,
+               size_t ExitCount, FuzzerCornPlaceInputCallback Input,
+               FuzzerCornInitialize Init, FuzzerCornValidateCallback Validate,
+               FuzzerCornMutatorCallback Mutate,
+               FuzzerCornCrossOverCallback Cross, InstrumentRange *Ranges,
+               size_t RangeCount, void *UserData, bool AlwaysValidate,
+               int *ExitCode, size_t CounterCount) {
   FuzzerCorn &fuzzer = FuzzerCorn::Get();
 
   if (unlikely(fuzzer.IsFuzzing())) {
@@ -285,7 +308,7 @@ FuzzerCornError FuzzerCornFuzz(
     return FUZZERCORN_ERR_ARG;
   }
 
-  return fuzzer.Fuzz(Uc, Argc, Argv, Input, Init, Validate, Mutate, Cross,
-                     Ranges, RangeCount, UserData, AlwaysValidate, ExitCode,
-                     CounterCount);
+  return fuzzer.Fuzz(Uc, Argc, Argv, Exits, ExitCount, Input, Init, Validate,
+                     Mutate, Cross, Ranges, RangeCount, UserData,
+                     AlwaysValidate, ExitCode, CounterCount);
 }

include/FuzzerCorn.h

@@ -63,32 +63,41 @@ typedef struct {
 // @Uc: The Unicorn instance.
 // @Argc: A pointer to argc.
 // @Argv: A pointer to argv array.
-// @Input: The Callback to place input. If it returns false, the unicorn won't be
-//         started. Users also may use this to implement custom fuzzing logic, for
-//         example starting fuzzer in the callback. Always return 0.
-// @Init: The Callback to initialize before fuzzing. Only called once and should always
+// @Input: The Callback to place input. If it returns false, the unicorn won't
+// be
+//         started. Users also may use this to implement custom fuzzing logic,
+//         for example starting fuzzer in the callback. Always return 0.
+// @Init: The Callback to initialize before fuzzing. Only called once and should
+// always
 //        return 0 whatever happens.
-// @Validate: Validate if an error is a crash. Only get called if unicorn returns an
-//            error by default. If @AlwaysValidate is set to true, it would be called
-//            everytime the emulation is done.
-// @Mutate: Mutate the input **in-place**. Note that setting this pointer to non-null but
-//          don't provide any implementation may have side-effects. If you would not like to
-//          mutate, set it to nullptr.
+// @Validate: Validate if an error is a crash. Only get called if unicorn
+// returns an
+//            error by default. If @AlwaysValidate is set to true, it would be
+//            called everytime the emulation is done.
+// @Mutate: Mutate the input **in-place**. Note that setting this pointer to
+// non-null but
+//          don't provide any implementation may have side-effects. If you would
+//          not like to mutate, set it to nullptr.
 // @Cross: Combines two input to new output.
-// @Ranges: Specify the ranges the fuzzer is interested. Only the code within the ranges
-//          would be intrumented. Setting this to nullptr will get all code instrumented.
+// @Ranges: Specify the ranges the fuzzer is interested. Only the code within
+// the ranges
+//          would be intrumented. Setting this to nullptr will get all code
+//          instrumented.
 // @UserData: User provided data and will be passed to callbacls.
 // @AlwaysValidate: see @Validate.
-// @ExitCode: The program (fuzzer) exit code. Should be returned as the exit code of the
+// @ExitCode: The program (fuzzer) exit code. Should be returned as the exit
+// code of the
 //            outer program.
-// @CounterCount: The coverage map size. Reduce this can speedup the fuzzing but may cause
+// @CounterCount: The coverage map size. Reduce this can speedup the fuzzing but
+// may cause
 //                more conflicts.
 FUZZER_INTERFACE_VISIBILITY FuzzerCornError FuzzerCornFuzz(
-    uc_engine *Uc, int *Argc, char ***Argv, FuzzerCornPlaceInputCallback Input,
-    FuzzerCornInitialize Init, FuzzerCornValidateCallback Validate,
-    FuzzerCornMutatorCallback Mutate, FuzzerCornCrossOverCallback Cross,
-    InstrumentRange *Ranges, size_t RangeCount, void *UserData,
-    bool AlwaysValidate, int *ExitCode, size_t CounterCount);
+    uc_engine *Uc, int *Argc, char ***Argv, uint64_t *Exits, size_t ExitCount,
+    FuzzerCornPlaceInputCallback Input, FuzzerCornInitialize Init,
+    FuzzerCornValidateCallback Validate, FuzzerCornMutatorCallback Mutate,
+    FuzzerCornCrossOverCallback Cross, InstrumentRange *Ranges,
+    size_t RangeCount, void *UserData, bool AlwaysValidate, int *ExitCode,
+    size_t CounterCount);
 
 #ifdef __cplusplus
 } // extern "C"