AFLplusplus · BAGUVIX456 · Dec 7, 2024 · Dec 7, 2024 · Dec 10, 2024 · Dec 11, 2024
diff --git a/libafl/Cargo.toml b/libafl/Cargo.toml
@@ -146,6 +146,9 @@ unicode = ["libafl_bolts/alloc", "ahash/std", "serde/rc", "bitvec"]
 ## Enable multi-part input formats and mutators
 multipart_inputs = ["arrayvec", "rand_trait"]
 
+## Share objectives across nodes
+share_objectives = []
+
 #! ## LibAFL-Bolts Features
 
 ## Provide the `#[derive(SerdeAny)]` macro.

diff --git a/libafl/src/events/centralized.rs b/libafl/src/events/centralized.rs
@@ -285,15 +285,14 @@ where
         if !self.is_main {
             // secondary node
             let mut is_tc = false;
-            // Forward to main only if new tc or heartbeat
+            // Forward to main only if new tc, heartbeat, or optionally, a new objective
             let should_be_forwarded = match &mut event {
                 Event::NewTestcase { forward_id, .. } => {
                     *forward_id = Some(ClientId(self.inner.mgr_id().0 as u32));
                     is_tc = true;
                     true
                 }
-                Event::UpdateExecStats { .. } => true, // send it but this guy won't be handled. the only purpose is to keep this client alive else the broker thinks it is dead and will dc it
-                Event::Stop => true,
+                Event::UpdateExecStats { .. } | Event::Objective { .. } | Event::Stop => true, // send UpdateExecStats but this guy won't be handled. the only purpose is to keep this client alive else the broker thinks it is dead and will dc it
                 _ => false,
             };
 

diff --git a/libafl/src/events/llmp/mgr.rs b/libafl/src/events/llmp/mgr.rs
@@ -469,6 +469,21 @@ where
                     }
                 }
             }
+
+            #[cfg(feature = "share_objectives")]
+            Event::Objective { input, .. } => {
+                log::debug!("Received new Objective");
+                let mut testcase = Testcase::from(input);
+                testcase.set_parent_id_optional(*state.corpus().current());
+
+                if let Ok(mut tc) = state.current_testcase_mut() {
+                    tc.found_objective();
+                }
+
+                state.solutions_mut().add(testcase)?;
+                log::info!("Added received Objective to Corpus");
+            }
+
             Event::CustomBuf { tag, buf } => {
                 for handler in &mut self.custom_buf_handlers {
                     if handler(state, &tag, &buf)? == CustomBufEventResult::Handled {

diff --git a/libafl/src/events/llmp/mod.rs b/libafl/src/events/llmp/mod.rs
@@ -15,13 +15,18 @@ use libafl_bolts::{
 };
 use serde::Deserialize;
 
+#[cfg(feature = "share_objectives")]
+use crate::corpus::Testcase;
 use crate::{
     corpus::Corpus,
     events::{CustomBufEventResult, CustomBufHandlerFn, Event, EventFirer},
     executors::{Executor, HasObservers},
     fuzzer::{EvaluatorObservers, ExecutionProcessor},
     inputs::{Input, InputConverter, NopInput, NopInputConverter, UsesInput},
-    state::{HasCorpus, HasExecutions, NopState, State, Stoppable, UsesState},
+    state::{
+        HasCorpus, HasCurrentTestcase, HasExecutions, HasSolutions, NopState, State, Stoppable,
+        UsesState,
+    },
     Error, HasMetadata,
 };
 
@@ -296,6 +301,8 @@ where
     where
         E: Executor<EM, Z, State = S> + HasObservers,
         EM: UsesState<State = S> + EventFirer,
+        S: HasSolutions + HasCurrentTestcase,
+        S::Solutions: Corpus<Input = S::Input>,
         S::Corpus: Corpus<Input = S::Input>,
         for<'a> E::Observers: Deserialize<'a>,
         Z: ExecutionProcessor<EM, <S::Corpus as Corpus>::Input, E::Observers, S>
@@ -324,6 +331,29 @@ where
                 }
                 Ok(())
             }
+
+            #[cfg(feature = "share_objectives")]
+            Event::Objective { input, .. } => {
+                log::debug!("Received new Objective");
+
+                let Some(converter) = self.converter_back.as_mut() else {
+                    return Ok(());
+                };
+
+                let converted_input = converter.convert(input)?;
+                let mut testcase = Testcase::from(converted_input);
+                testcase.set_parent_id_optional(*state.corpus().current());
+
+                if let Ok(mut tc) = state.current_testcase_mut() {
+                    tc.found_objective();
+                }
+
+                state.solutions_mut().add(testcase)?;
+                log::info!("Added received Objective to Corpus");
+
+                Ok(())
+            }
+
             Event::CustomBuf { tag, buf } => {
                 for handler in &mut self.custom_buf_handlers {
                     if handler(state, &tag, &buf)? == CustomBufEventResult::Handled {
@@ -351,6 +381,8 @@ where
     where
         E: Executor<EM, Z, State = S> + HasObservers,
         EM: UsesState<State = S> + EventFirer,
+        S: HasSolutions + HasCurrentTestcase,
+        S::Solutions: Corpus<Input = S::Input>,
         S::Corpus: Corpus<Input = S::Input>,
         for<'a> E::Observers: Deserialize<'a>,
         Z: ExecutionProcessor<EM, <S::Corpus as Corpus>::Input, E::Observers, S>

diff --git a/libafl/src/events/mod.rs b/libafl/src/events/mod.rs
@@ -323,6 +323,9 @@ where
     },
     /// A new objective was found
     Objective {
+        /// Input of newly found Objective
+        #[cfg(feature = "share_objectives")]
+        input: I,
         /// Objective corpus size
         objective_size: usize,
         /// The time when this event was created

diff --git a/libafl/src/events/tcp.rs b/libafl/src/events/tcp.rs
@@ -643,6 +643,21 @@ where
                     log::info!("Added received Testcase as item #{item}");
                 }
             }
+
+            #[cfg(feature = "share_objectives")]
+            Event::Objective { input, .. } => {
+                log::debug!("Received new Objective");
+                let mut testcase = Testcase::from(input);
+                testcase.set_parent_id_optional(*state.corpus().current());
+
+                if let Ok(mut tc) = state.current_testcase_mut() {
+                    tc.found_objective();
+                }
+
+                state.solutions_mut().add(testcase)?;
+                log::info!("Added received Objective to Corpus");
+            }
+
             Event::CustomBuf { tag, buf } => {
                 for handler in &mut self.custom_buf_handlers {
                     if handler(state, &tag, &buf)? == CustomBufEventResult::Handled {

diff --git a/libafl/src/executors/inprocess/mod.rs b/libafl/src/executors/inprocess/mod.rs
@@ -472,6 +472,9 @@ pub fn run_observers_and_save_state<E, EM, OF, Z>(
             .fire(
                 state,
                 Event::Objective {
+                    #[cfg(feature = "share_objectives")]
+                    input: input.clone(),
+
                     objective_size: state.solutions().count(),
                     time: libafl_bolts::current_time(),
                 },

diff --git a/libafl/src/fuzzer/mod.rs b/libafl/src/fuzzer/mod.rs
@@ -444,6 +444,9 @@ where
                     manager.fire(
                         state,
                         Event::Objective {
+                            #[cfg(feature = "share_objectives")]
+                            input,
+
                             objective_size: state.solutions().count(),
                             time: current_time(),
                         },
@@ -687,6 +690,9 @@ where
             manager.fire(
                 state,
                 Event::Objective {
+                    #[cfg(feature = "share_objectives")]
+                    input,
+
                     objective_size: state.solutions().count(),
                     time: current_time(),
                 },

diff --git a/libafl/src/stages/sync.rs b/libafl/src/stages/sync.rs
@@ -17,7 +17,10 @@ use crate::{
     fuzzer::{Evaluator, EvaluatorObservers, ExecutionProcessor},
     inputs::{Input, InputConverter, UsesInput},
     stages::{RetryCountRestartHelper, Stage},
-    state::{HasCorpus, HasExecutions, HasRand, MaybeHasClientPerfMonitor, State, Stoppable},
+    state::{
+        HasCorpus, HasExecutions, HasRand, HasSolutions, MaybeHasClientPerfMonitor, State,
+        Stoppable,
+    },
     Error, HasMetadata, HasNamedMetadata,
 };
 
@@ -232,6 +235,7 @@ where
     client: LlmpEventConverter<DI, IC, ICB, S, SP>,
 }
 
+// Do not include trait bound HasSolutions to S if share_objectives is disabled
 impl<E, EM, IC, ICB, DI, S, SP, Z> Stage<E, EM, S, Z> for SyncFromBrokerStage<DI, IC, ICB, S, SP>
 where
     EM: EventFirer<State = S>,
@@ -241,7 +245,8 @@ where
         + HasMetadata
         + Stoppable
         + UsesInput<Input = <S::Corpus as Corpus>::Input>
-        + State,
+        + State
+        + HasSolutions,
     SP: ShMemProvider,
     E: HasObservers + Executor<EM, Z, State = S>,
     for<'a> E::Observers: Deserialize<'a>,
@@ -251,6 +256,7 @@ where
     ICB: InputConverter<From = DI, To = <S::Corpus as Corpus>::Input>,
     DI: Input,
     <<S as HasCorpus>::Corpus as Corpus>::Input: Input + Clone,
+    S::Solutions: Corpus<Input = S::Input>,
 {
     #[inline]
     fn perform(