Fix clippy warnings and TODOs in binary_only fuzzers (#3564)

* feat: fix clippy warnings in frida_executable_libpng

* feat: fix clippy warnings in frida_libpng

* feat: fix clippy warnings in fuzzbench_fork_qemu

* feat: fix clippy warnings in fuzzbench_qemu

* feat: address the TODOs present in intel_pt_baby_fuzzer

* feat: address the TODOs present in intel_pt_command_executor

* feat: fix clippy warnings for qemu_cmin

* feat: fix clippy warnings in qemu_launcher

* feat: run cargo +nightly fmt on all fuzzers in binary_only

* feat: switch out StdMapObserver for ConstMapObserver in fuzzers/binary_only/intel_pt_*

* fix: run cargo +nightly fmt on fuzzers/binary_only/intel_pt_*

Author: atharva-potdar

fuzzers/binary_only/frida_executable_libpng/src/fuzzer.rs

@@ -252,7 +252,7 @@ unsafe fn fuzz(
                 let coverage = CoverageRuntime::new();
                 let cmplog = CmpLogRuntime::new();
 
-                let mut frida_helper = Rc::new(RefCell::new(FridaInstrumentationHelper::new(
+                let frida_helper = Rc::new(RefCell::new(FridaInstrumentationHelper::new(
                     &gum,
                     options,
                     tuple_list!(coverage, cmplog),
@@ -397,7 +397,7 @@ unsafe fn fuzz(
 
                 let coverage = CoverageRuntime::new();
 
-                let mut frida_helper = Rc::new(RefCell::new(FridaInstrumentationHelper::new(
+                let frida_helper = Rc::new(RefCell::new(FridaInstrumentationHelper::new(
                     &gum,
                     options,
                     tuple_list!(coverage),

fuzzers/binary_only/frida_executable_libpng/src/lib.rs

@@ -1,4 +1,3 @@
-#![allow(clippy::missing_safety_doc)]
 use std::mem::transmute;
 
 use libc::{c_void, dlsym, RTLD_NEXT};
@@ -23,6 +22,8 @@ extern "C" fn _dummy_main(_argc: i32, _argv: *const *const u8, _env: *const *con
 
 static mut ORIG_MAIN: MainFunc = _dummy_main;
 
+/// # Safety
+/// Accesses mutable static variable
 #[no_mangle]
 pub unsafe extern "C" fn main_hook(
     _argc: i32,
@@ -33,6 +34,8 @@ pub unsafe extern "C" fn main_hook(
     0
 }
 
+/// # Safety
+/// Modifies mutable static variable, performs unsafe memory transmutation
 #[no_mangle]
 pub unsafe extern "C" fn __libc_start_main(
     main: extern "C" fn(i32, *const *const u8, *const *const u8) -> i32,

fuzzers/binary_only/frida_libpng/src/fuzzer.rs

@@ -244,7 +244,7 @@ fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
 
         let mut stages = tuple_list!(
             IfElseStage::new(
-                |_, _, _, _| Ok(is_cmplog(&options, &client_description)),
+                |_, _, _, _| Ok(is_cmplog(options, &client_description)),
                 tuple_list!(tracing, i2s),
                 tuple_list!()
             ),

fuzzers/binary_only/fuzzbench_fork_qemu/src/fuzzer.rs

@@ -400,7 +400,12 @@ fn fuzz(
 
     if state.must_load_initial_inputs() {
         state
-            .load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &[seed_dir.clone()])
+            .load_initial_inputs(
+                &mut fuzzer,
+                &mut executor,
+                &mut mgr,
+                std::slice::from_ref(&seed_dir),
+            )
             .unwrap_or_else(|_| {
                 println!("Failed to load initial corpus at {:?}", &seed_dir);
                 process::exit(0);

fuzzers/binary_only/fuzzbench_qemu/src/fuzzer.rs

@@ -413,7 +413,12 @@ fn fuzz(
 
     if state.must_load_initial_inputs() {
         state
-            .load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &[seed_dir.clone()])
+            .load_initial_inputs(
+                &mut fuzzer,
+                &mut executor,
+                &mut mgr,
+                std::slice::from_ref(&seed_dir),
+            )
             .unwrap_or_else(|_| {
                 println!("Failed to load initial corpus at {:?}", &seed_dir);
                 process::exit(0);

fuzzers/binary_only/intel_pt_baby_fuzzer/src/main.rs

@@ -17,20 +17,18 @@ use libafl::{
     generators::RandPrintablesGenerator,
     inputs::{BytesInput, HasTargetBytes},
     mutators::{havoc_mutations::havoc_mutations, scheduled::HavocScheduledMutator},
-    observers::StdMapObserver,
+    observers::ConstMapObserver,
     schedulers::QueueScheduler,
     stages::mutational::StdMutationalStage,
     state::StdState,
 };
-use libafl_bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice};
+use libafl_bolts::{current_nanos, nonnull_raw_mut, rands::StdRand, tuples::tuple_list, AsSlice};
 use proc_maps::get_process_maps;
 
 // Coverage map
 const MAP_SIZE: usize = 4096;
 static mut MAP: [u8; MAP_SIZE] = [0; MAP_SIZE];
-// TODO: This will break soon, fix me! See https://github.com/AFLplusplus/LibAFL/issues/2786
-#[allow(static_mut_refs)] // only a problem in nightly
-static mut MAP_PTR: *mut u8 = unsafe { MAP.as_mut_ptr() };
+static mut MAP_PTR: *mut u8 = &raw mut MAP as _;
 
 pub fn main() {
     // The closure that we want to fuzz
@@ -50,7 +48,7 @@ pub fn main() {
     };
 
     // Create an observation channel using the map
-    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", MAP_PTR, MAP_SIZE) };
+    let observer = unsafe { ConstMapObserver::from_mut_ptr("signals", nonnull_raw_mut!(MAP)) };
 
     // Feedback to rate the interestingness of an input
     let mut feedback = MaxMapFeedback::new(&observer);

fuzzers/binary_only/intel_pt_command_executor/src/main.rs

@@ -14,21 +14,19 @@ use libafl::{
     generators::RandPrintablesGenerator,
     monitors::SimpleMonitor,
     mutators::{havoc_mutations::havoc_mutations, scheduled::HavocScheduledMutator},
-    observers::StdMapObserver,
+    observers::ConstMapObserver,
     schedulers::QueueScheduler,
     stages::mutational::StdMutationalStage,
     state::StdState,
 };
-use libafl_bolts::{core_affinity, rands::StdRand, tuples::tuple_list, Error};
+use libafl_bolts::{core_affinity, nonnull_raw_mut, rands::StdRand, tuples::tuple_list, Error};
 use libafl_intelpt::{AddrFilter, AddrFilterType, AddrFilters, IntelPT, PAGE_SIZE};
 use object::{elf::PF_X, Object, ObjectSegment, SegmentFlags};
 
 // Coverage map
 const MAP_SIZE: usize = 4096;
 static mut MAP: [u8; MAP_SIZE] = [0; MAP_SIZE];
-// TODO: This will break soon, fix me! See https://github.com/AFLplusplus/LibAFL/issues/2786
-#[allow(static_mut_refs)] // only a problem in nightly
-static mut MAP_PTR: *mut u8 = unsafe { MAP.as_mut_ptr() };
+static mut MAP_PTR: *mut u8 = &raw mut MAP as _;
 
 pub fn main() -> Result<(), Box<dyn std::error::Error>> {
     // Let's set the default logging level to `warn`
@@ -70,7 +68,7 @@ pub fn main() -> Result<(), Box<dyn std::error::Error>> {
     log::debug!("Using core {} for fuzzing", cpu.0);
 
     // Create an observation channel using the map
-    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", MAP_PTR, MAP_SIZE) };
+    let observer = unsafe { ConstMapObserver::from_mut_ptr("signals", nonnull_raw_mut!(MAP)) };
 
     // Feedback to rate the interestingness of an input
     let mut feedback = MaxMapFeedback::new(&observer);

fuzzers/binary_only/qemu_cmin/src/fuzzer.rs

@@ -144,7 +144,7 @@ pub fn fuzz() -> Result<(), Error> {
     let stdout_callback = |buf: &[u8]| {
         if let Ok(s) = from_utf8(buf) {
             let msg = s.trim_end();
-            if msg.len() != 0 {
+            if !msg.is_empty() {
                 log::info!("{msg}");
             }
         }

fuzzers/binary_only/qemu_launcher/src/harness.rs

@@ -19,12 +19,10 @@ pub const MAX_INPUT_SIZE: usize = 1_048_576; // 1MB
 impl Harness {
     /// Change environment
     #[inline]
-    #[expect(clippy::ptr_arg)]
     pub fn edit_env(_env: &mut Vec<(String, String)>) {}
 
     /// Change arguments
     #[inline]
-    #[expect(clippy::ptr_arg)]
     pub fn edit_args(_args: &mut Vec<String>) {}
 
     /// Helper function to find the function we want to fuzz.