worker: fix initial corpus load logic

Author: baflor

src/cli/concolic_explore.rs

@@ -290,7 +290,7 @@ impl<'a> ConcolicExplorer<'a> {
         let mut submitted = HashSet::default();
         let mut i = 0;
         let mut skip = 0;
-        for (precond_event, precond_inputs) in trace.events[..event_idx]
+        for (precond_event, _precond_inputs) in trace.events[..event_idx]
             .iter()
             .zip(trace.event_inputs[..event_idx].iter())
             .rev()

src/cli/mod.rs

@@ -711,6 +711,8 @@ pub(crate) fn main() {
                 #[cfg(feature = "reports")]
                 crate::cli::cov_html::write_html_cov_report(mod_spec, &sess, &out_path);
                 #[cfg(not(feature = "reports"))]
+                let _ = out_path;
+                #[cfg(not(feature = "reports"))]
                 panic!("trying to write html report without 'reports' feature")
             }
         }
@@ -809,9 +811,7 @@ pub(crate) fn main() {
                 for (file_idx, file) in report_info.files.iter().enumerate() {
                     for line_idx in file.line_coverage.covered.iter_ones() {
                         let key = (file_idx, line_idx);
-                        if !blame.map.contains_key(&key) {
-                            blame.map.insert(key, inp_idx);
-                        }
+                        blame.map.entry(key).or_insert(inp_idx);
                     }
                 }
             }

src/fuzzer/worker.rs

@@ -132,28 +132,40 @@ impl Worker {
                 worker.sess.reset_pass_coverage();
                 worker.sess.initialize(&mut worker.stats);
                 eprintln!("running orc's inputs ...");
+                let mut discarded_input_size = 0;
+                let mut interesting_inputs = 0;
+                let orc_input_count = corpus.len();
                 for input in corpus {
                     if input.len() > worker.sess.swarm.input_alloc_size() {
+                        discarded_input_size += 1;
                         continue;
                     }
                     // NOTE: we don't need to trace here if we're going to throw them away anyways!
-                    let res = worker.on_corpus(&input, false);
+                    let res = worker.on_corpus(&input, true);
                     if matches!(res, Err(_) | Ok(InputVerdict::Crashed)) {
+                        eprintln!("Worker::new crashed on corpus entry: {:?}", res);
                         break;
                     }
+                    interesting_inputs += matches!(res, Ok(InputVerdict::Interesting)) as usize;
                 }
+                if discarded_input_size > 0 {
+                    eprintln!("discarded {discarded_input_size} inputs due to size limit");
+                }
+                eprintln!("interesting inputs: {interesting_inputs}/{orc_input_count}");
                 eprintln!(
-                    "after fetch_corpus: {} edges",
-                    worker.sess.get_edge_cov().unwrap_or(0)
+                    "after fetch_corpus: {} edges, {} inputs",
+                    worker.sess.get_edge_cov().unwrap_or(0),
+                    worker.corpus.count()
                 );
                 for _ in 0..10 {
                     if !worker.inmemory_cmin(false) {
                         break;
                     }
                 }
                 eprintln!(
-                    "after inmem_cmin: {} edges",
-                    worker.sess.get_edge_cov().unwrap_or(0)
+                    "after inmem_cmin: {} edges, {} inputs",
+                    worker.sess.get_edge_cov().unwrap_or(0),
+                    worker.corpus.count()
                 );
             }
         }
@@ -165,6 +177,8 @@ impl Worker {
     fn on_corpus(&mut self, input: &[u8], is_seed: bool) -> Result<InputVerdict, libafl::Error> {
         tracy_full::zone!("Worker::on_corpus");
         let ignore_crashes = *self.opts.x.fuzz_through_crashes;
+
+        let mut was_interesting = false;
         if !*self.opts.x.run_from_snapshot {
             let res = self.sess.run_reusable(input, false, &mut self.stats);
             if res.is_crash() && !ignore_crashes {
@@ -174,6 +188,7 @@ impl Worker {
             if is_seed && !res.novel_coverage {
                 return Ok(InputVerdict::NotInteresting);
             }
+            was_interesting = res.novel_coverage;
         }
 
         // make sure we catch inputs that crash on fresh instances but not on used ones (TODO?)
@@ -183,7 +198,7 @@ impl Worker {
             return Ok(InputVerdict::Crashed);
         }
 
-        if !res.novel_coverage {
+        if !res.novel_coverage && !was_interesting {
             return Ok(InputVerdict::NotInteresting);
         }
 

src/instrumentation/code_coverage.rs

@@ -84,6 +84,7 @@ impl<K: Ord + Clone> CoverageBitset<K> {
         self.saved.iter_ones().map(|i| self.keys[i].clone())
     }
 
+    #[allow(unused)]
     pub(crate) fn saved_val(&self, key: &K) -> bool {
         let index = self.keys.binary_search(key).unwrap();
         self.saved[index]