Merge branch 'release-0.25.2'

README.rst

@@ -83,10 +83,11 @@ Dependencies
 + Optional:
 
   - `xtermcolor`_: Terminal color support
-  - `cups`_: Python bindings for libcups
-  - `rpyc`_: Remote Python Call (RPyC), a transparent and symmetric RPC library
+  - `graphviz`_: For graphic visualization (e.g., scenario display)
   - `paramiko`_: Python implementation of the SSHv2 protocol
   - `serial`_: For serial port access
+  - `cups`_: Python bindings for libcups
+  - `rpyc`_: Remote Python Call (RPyC), a transparent and symmetric RPC library
 
 + For testing:
 
@@ -102,10 +103,11 @@ Dependencies
 .. _six: http://pythonhosted.org/six/
 .. _sqlite3: https://www.sqlite.org/
 .. _xtermcolor: https://github.com/broadinstitute/xtermcolor
-.. _cups: https://pypi.python.org/pypi/pycups
-.. _rpyc: https://pypi.python.org/pypi/rpyc
+.. _graphviz: https://pypi.python.org/pypi/graphviz
 .. _paramiko: http://www.paramiko.org/
 .. _serial: https://github.com/pyserial/pyserial
+.. _cups: https://pypi.python.org/pypi/pycups
+.. _rpyc: https://pypi.python.org/pypi/rpyc
 .. _ddt: https://github.com/txels/ddt
 .. _mock: https://pypi.python.org/pypi/mock
 .. _sphinx: http://sphinx-doc.org/

TODO

@@ -1,7 +1,6 @@
 [NEW FEATURES]
 
 - Add support for automatic creation of Generators that play around scenarios
-- Add support for scenario visualization and JSON description of scenario
 - Add GDB/PIN/QEMU probes/managers
 - Add support for evolutionary fuzzing
 - Add FmkDB visualization tools

data_models/protocols/pppoe_strategy.py

@@ -58,7 +58,7 @@ def retrieve_X_from_feedback(env, current_step, next_step, feedback, x='padi', u
                     raise ValueError
 
                 if data is None:
-                    return False
+                    continue
                 off = data.find(mac_dst)
                 data = data[off:]
                 result = msg_x.absorb(data, constraints=AbsNoCsts(size=True, struct=True))
@@ -169,10 +169,11 @@ def disrupt_data(self, dm, target, prev_data):
         return prev_data
 
 ### PADI fuzz scenario ###
-step_wait_padi = NoDataStep(fbk_timeout=10, fbk_mode=Target.FBK_WAIT_UNTIL_RECV)
+step_wait_padi = NoDataStep(fbk_timeout=10, fbk_mode=Target.FBK_WAIT_UNTIL_RECV,
+                            step_desc='Wait PADI')
 
 dp_pado = DataProcess(process=[('ALT', None, UI(conf='fuzz')),
-                               ('tTYPE', UI(init=20), UI(order=True, fuzz_mag=0.7)),
+                               ('tTYPE', UI(init=1), UI(order=True, fuzz_mag=0.7)),
                                'FIX_FIELDS#pado1'], seed='pado')
 dp_pado.append_new_process([('ALT', None, UI(conf='fuzz')),
                             ('tSTRUCT', UI(init=1), UI(deep=True)), 'FIX_FIELDS#pado2'])
@@ -189,7 +190,7 @@ def disrupt_data(self, dm, target, prev_data):
 sc1.set_anchor(step_wait_padi)
 
 ### PADS fuzz scenario ###
-step_wait_padi = NoDataStep(fbk_timeout=10, fbk_mode=Target.FBK_WAIT_UNTIL_RECV)
+step_wait_padi = NoDataStep(fbk_timeout=10, fbk_mode=Target.FBK_WAIT_UNTIL_RECV, step_desc='Wait PADI')
 step_send_valid_pado = Step(DataProcess(process=[('FIX_FIELDS#pads1', None, UI(reevaluate_csts=True))],
                                         seed='pado'), fbk_timeout=0.1, fbk_mode=Target.FBK_WAIT_FULL_TIME)
 step_send_padt = Step(DataProcess(process=[('FIX_FIELDS#pads2', None, UI(reevaluate_csts=True))],
@@ -201,7 +202,8 @@ def disrupt_data(self, dm, target, prev_data):
 dp_pads.append_new_process([('ALT', None, UI(conf='fuzz')),
                             ('tSTRUCT#2', UI(init=1), UI(deep=True)), 'FIX_FIELDS#pads4'])
 step_send_fuzzed_pads = Step(dp_pads, fbk_timeout=0.1, fbk_mode=Target.FBK_WAIT_FULL_TIME)
-step_wait_padr = NoDataStep(fbk_timeout=10, fbk_mode=Target.FBK_WAIT_UNTIL_RECV)
+step_wait_padr = NoDataStep(fbk_timeout=10, fbk_mode=Target.FBK_WAIT_UNTIL_RECV,
+                            step_desc='Wait PADR/PADI')
 
 step_wait_padi.connect_to(step_send_valid_pado, cbk_after_fbk=retrieve_padi_from_feedback)
 step_send_valid_pado.connect_to(step_send_fuzzed_pads, cbk_after_fbk=retrieve_padr_from_feedback_and_update)

docs/source/conf.py

@@ -57,7 +57,7 @@
 # The short X.Y version.
 version = '0.25'
 # The full version, including alpha/beta/rc tags.
-release = '0.25.1'
+release = '0.25.2'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/source/data_model.rst

@@ -1621,7 +1621,7 @@ Example 1: The basics.
                  {'name': 'HTTP_version_5', 'contents': INT_Str(mini=0, maxi=9)} ]}
 
 
-Example 2: Introducing choice. (Refer to :ref:`dm:nt-keywords`)
+Example 2: Introducing choices. (Refer to :ref:`dm:nt-keywords`)
 
 .. code-block:: python
    :linenos:
@@ -1633,13 +1633,43 @@ Example 2: Introducing choice. (Refer to :ref:`dm:nt-keywords`)
               'shape_type': MH.Pick,
               'contents': [
                  {'name':'something_1', 'contents':INT_Str(values=[333, 444])},
-                 {'name':'something_1', 'contents':String(values=["foo", "bar"])},
-                 {'name':'something_1', 'contents':String(alphabet="0123456789",size=1)},
-                 {'name':'something_1', 'contents':String(alphabet="th|is", size=1)}
+                 {'name':'something_2', 'contents':String(values=["foo", "bar"])},
+                 {'name':'something_3', 'contents':String(alphabet="0123456789",size=1)},
+                 {'name':'something_4', 'contents':String(alphabet="th|is", size=1)}
               ]}
 
 
-Example 3: Using quantifiers and the escape character ``\``.
+Example 3: Using shapes. (Refer to :ref:`dm:patterns`)
+
+.. code-block:: python
+   :linenos:
+
+   regex = {'name': 'something',
+            'contents': 'this[\d](is)|a|digit[!]'}
+   # is equivalent to
+   classic = {'name': 'something',
+              'contents': [
+                 {'weights': 1,
+                  'contents': [
+                     {'name': 'something_1', 'contents': String(values=['this'])},
+                     {'name': 'something_2', 'contents': String(alphabet='0123456789')},
+                     {'name': 'something_3', 'contents': String(values=['is'])},
+                  ]},
+
+                 {'weights': 1,
+                  'contents': [
+                     {'name': 'something_4', 'contents': String(values=['a'])},
+                  ]},
+
+                 {'weights': 1,
+                  'contents': [
+                     {'name': 'something_5', 'contents': String(values=['digit'])},
+                     {'name': 'something_6', 'contents': String(alphabet='!')},
+                  ]},
+              ]}
+
+
+Example 4: Using quantifiers and the escape character ``\``.
 
 .. code-block:: python
    :linenos:
@@ -1651,13 +1681,13 @@ Example 3: Using quantifiers and the escape character ``\``.
               'contents': [
                  {'name': 'something_1', 'contents': String(values=["(this"])},
                  {'name': 'something_2',
-	              'contents': String(alphabet="is", min_sz=3, max_sz=4)},
+                  'contents': String(alphabet="is", min_sz=3, max_sz=4)},
                  {'name': 'something_3', 'contents': String(values=["th"])},
                  {'name': 'something_4', 'qty': (1, -1),
                   'contents': String(values=["e"])},
                  {'name': 'something_5', 'contents': String(values=["end]"])} ]}
 
-Example 4: Invalid regular expressions.
+Example 5: Invalid regular expressions.
 
 .. code-block:: python
    :linenos:
@@ -1666,6 +1696,7 @@ Example 4: Invalid regular expressions.
    # raise an framework.error_handling.InconvertibilityError
    # because there are two nested parenthesis.
 
-   error_2 = {'name': 'rejected', 'contents': '(HTTP)foo|bar'}
+   error_2 = {'name': 'rejected', 'contents': '(HT?TP)foo|bar'}
    # raise also an framework.error_handling.InconvertibilityError
-   # because | has priority over parenthesis in regular expressions.
+   # because a quantifier (that requires the creation of a terminal node)
+   # has been found within parenthesis.

docs/source/disruptors.rst

@@ -52,6 +52,10 @@ Parameters:
         |      | desc: when set to True, if a node structure has changed, the modelwalker
         |      |       will reset its walk through the children nodes
         |      | default: True [type: bool]
+        |_ ign_sep
+        |      | desc: when set to True, non-terminal separators will be ignored if
+        |      |       any are defined.
+        |      | default: False [type: bool]
         |_ fix
         |      | desc: limit constraints fixing to the nodes related to the currently
         |      |       fuzzed one (only implemented for 'sync_size_with' and

docs/source/scenario.rst

@@ -105,6 +105,10 @@ a client listening on a TCP socket bound to the port 12345::
 
   [another term] # nc -k -l 12345
 
+If you want to visualize your scenario, you can issue the following command
+(``[FMT]`` is optional and can be ``xdot``, ``pdf``, ``png``, ...)::
+
+  [fuddly term] >> show_scenario SC_EX1 [FMT]
 
 Finally, note that a step once executed will display a description related to what it did. You
 can override this description by providing the ``step_desc`` parameter of a

framework/data_model.py

@@ -4352,13 +4352,23 @@ def unfreeze(self, conf=None, recursive=True, dont_change_state=False, ignore_en
                             self.expanded_nodelist_sz += 1
                             self.expanded_nodelist = fresh_expanded_nodelist[:self.expanded_nodelist_sz]
                         else:
-                            # This case should not exist, a priori
-                            self.expanded_nodelist_sz = len(fresh_expanded_nodelist)
-                            self.expanded_nodelist = fresh_expanded_nodelist
+                            # This case should never trigger
+                            raise ValueError
+                            # self.expanded_nodelist_sz = len(fresh_expanded_nodelist)
+                            # self.expanded_nodelist = fresh_expanded_nodelist
                     else:
                         # assert self.expanded_nodelist_origsz > self.expanded_nodelist_sz
-                        self.expanded_nodelist.append(fresh_expanded_nodelist[self.expanded_nodelist_sz])
-                        self.expanded_nodelist_sz += 1
+                        if self.expanded_nodelist_sz is None:
+                            # This means that nothing has been computed yet. This is the case after
+                            # a call to reset() which is either due to a node copy after an absorption
+                            # or at node initialization.
+                            # In such a case, self.expanded_nodelist should be equal to []
+                            assert self.expanded_nodelist == []
+                            self.expanded_nodelist = fresh_expanded_nodelist
+                            self.expanded_nodelist_sz = len(fresh_expanded_nodelist)
+                        else:
+                            self.expanded_nodelist.append(fresh_expanded_nodelist[self.expanded_nodelist_sz])
+                            self.expanded_nodelist_sz += 1
                 else:
                     # In this case the states are random, thus we
                     # don't bother trying to recover the previous one
@@ -5310,6 +5320,7 @@ def set_internals(self, backup):
         self.internals = backup.internals
         self.current_conf = backup.current_conf
         self.entangled_nodes = backup.entangled_nodes
+        self._delayed_jobs_called = backup._delayed_jobs_called
 
     def __check_conf(self, conf):
         if conf is None: