Use ListInput

[riesentoaster]

(I understand why one would want the simplicity of implementing a custom input type for this tutorial, but ListInput enables a few cool features, hence this discussion entry, just to show it exists :) )

LibAFL provides ListInput, a wrapper for inputs that are lists of sub-parts. One other approach to building this fuzzer would involve using it. Steps for it to work:

1. Add the multipart_inputs feature to the libafl dependency.
2. Create a new PGMoveInput, which implements Input, and consists of the data required for a single move (so car ID and direction).
3. Replace all input types in the project with ListInput<PGMoveInput>. Replace any calls to moves with parts. Inserting and appending can be done directly using input.{insert,append}_part(). Other access functions are also available.

One cool thing you can do is write a Generator and use it in combination with GenerateToAppendMutator (provided by LibAFL) to create essentially the same behavior as with PGTailMutator:

impl<S, T> Generator<PGMoveInput, S> for PGAppendGenerator<T>
where
    S: HasMetadata + HasCurrentTestcase<ListInput<PGMoveInput>> + HasRand,
    T: BoardValue + DeserializeOwned + Serialize + 'static,
{
    fn generate(&mut self, state: &mut S) -> Result<PGMoveInput, libafl::Error> {
        let testcase = state.current_testcase()?;

        let metadata = testcase.metadata::<ViewMetadata<T>>().unwrap();

        let options = metadata
            .views()
            .flat_map(|(c, e)| {
                let mut suggestions = Vec::new();

                for (direction, distance) in [
                    (e.forward().direction(), e.forward().distance()),
                    (e.backward().direction(), e.backward().distance()),
                ] {
                    let mut distance = *distance;
                    while !distance.is_zero() {
                        suggestions.push((c, direction, distance));
                        distance -= T::one();
                    }
                }

                suggestions
            })
            .collect::<Vec<_>>();

        drop(testcase);

        let selected = state.rand_mut().choose(&options).unwrap();

        Ok(PGMoveInput(selected.0, selected.1))
    }
}

Now, if you don't need more complicated mutators, using a custom input type (like PGInput) works pretty well. But if you want to mutate existing parts of your input (instead of just inserting or appending parts), you can then a list of other mutators already implemented generically in LibAFL (all of these work on the list level, and don't mutate the list item contents themselves):

• RemoveLastEntryMutator
• RemoveRandomEntryMutator
• CrossoverInsertMutator
• CrossoverReplaceMutator

You can further write custom mutators (or use mutators provided by LibAFL) that target a single list entry and transform them to work on different parts of your list input with ListInput::map_to_mutate_on_{last,random}_part using LibAFL's MappingMutators.

[addisoncrump]

Good notes :) Do you want to add a PR to the README near the end about this?

[riesentoaster]

I can — would you rather have something short and a link to this discussion entry or more text in the README?

[addisoncrump]

Sure, something short; maybe add an "Addenda" section and add a summary + link to this as an entry? There will likely be similar notes like this in the future.