Can't use `InProcessExecutor` inside of `InProcessExecutor`

[langston-barrett]

I know this is an odd one but... I have a fuzzer that runs a QemuExecutor inside of a StatefulInProcessExecutor. This two-layered structure is essential to its functionality. The problem is that InProcessExecutor internally uses a single global variable that is shared between all instances. In particular, my fuzzer is hitting this assertion:

LibAFL/crates/libafl/src/executors/hooks/inprocess.rs

Line 205 in 70e2116

assert!((*data).crash_handler.is_null());

To Reproduce

Here's a minimal test-case that has the same behavior:

// mkdir tmp && cd tmp
// cargo init
// cargo add --no-default-features --features=std --git https://github.com/AFLplusplus/LibAFL libafl
// cargo add --no-default-features --features=std --git https://github.com/AFLplusplus/LibAFL libafl_bolts
// cargo run

use std::path::PathBuf;

use libafl::{
    corpus::{InMemoryCorpus, OnDiskCorpus},
    executors::{ExitKind, InProcessExecutor},
    fuzzer::{Fuzzer, StdFuzzer},
    generators::RandPrintablesGenerator,
    inputs::BytesInput,
    mutators::{havoc_mutations::havoc_mutations, scheduled::HavocScheduledMutator},
    stages::mutational::StdMutationalStage,
};
use libafl_bolts::{current_nanos, nonzero, rands::StdRand, tuples::tuple_list};

fn fuzz_with_harness(harness: impl FnMut(&BytesInput) -> ExitKind) {
    let mut feedback = libafl::feedbacks::ConstFeedback::False;
    let mut objective = libafl::feedbacks::ConstFeedback::False;
    let mut state = libafl::state::StdState::new(
        StdRand::with_seed(current_nanos()),
        InMemoryCorpus::new(),
        OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
        &mut feedback,
        &mut objective,
    )
    .unwrap();
    let mon = libafl::monitors::SimpleMonitor::new(|s| println!("{s}"));
    let mut mgr = libafl::events::SimpleEventManager::new(mon);
    let scheduler = libafl::schedulers::QueueScheduler::new();
    let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
    let mut executor =
        InProcessExecutor::new(harness, (), &mut fuzzer, &mut state, &mut mgr).unwrap();
    let mut generator = RandPrintablesGenerator::new(nonzero!(32));
    state
        .generate_initial_inputs(&mut fuzzer, &mut executor, &mut generator, &mut mgr, 8)
        .unwrap();
    let mutator = HavocScheduledMutator::new(havoc_mutations());
    let mut stages = tuple_list!(StdMutationalStage::new(mutator));
    fuzzer
        .fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
        .unwrap();
}

pub fn main() {
    fuzz_with_harness(|_| {
        fuzz_with_harness(|_| ExitKind::Ok);
        ExitKind::Ok
    });
}

Expected behavior
The above fuzzer works.

[domenukk]

Do you really need two inprocess executors? I don't think they should be nested, but just have a single one and call qemu from there? Or have a custom executor and call qemu inprocess?

[langston-barrett]

Do you really need two inprocess executors?

Unfortunately, I really do. Both are full-fledged fuzzers with their own corpora, feedbacks, etc. The design of the tool is to perform a kind of program synthesis using an algorithm inspired by CEGIS. The outer fuzzer produces candidate programs as inputs, the inner fuzzer acts as a verifier, attempting to find counter-examples to the specification.

[domenukk]

Can't you build a non-inprocess executor that can can call down to inprocess?

[langston-barrett]

Probably! It's just nice to use InProcessExecutor and have it take care of timeouts, signals, etc. It also seemed to work fine with LibAFL 0.13.* and 0.14.*. Perhaps that was just coincidental, though?

[domenukk]

Nesting was never supposed to work I think, having two inprocess executors should(tm) maybe work though and is currently potentially broken

[domenukk]

PRs welcome, but it's super hard to get this right

[langston-barrett]

Okay, fair enough! Thanks for taking a look.