From 2cb479581d64dd339414d3576b5f412776c70c8e Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Thu, 19 Jan 2023 10:33:13 +0100
Subject: [PATCH] add virtual edge to longest runs
---
 fuzzers/FRET/benchmark/target_symbols.csv | 3 ++-
 fuzzers/FRET/src/fuzzer.rs | 16 +++++++++++-----
 fuzzers/FRET/src/worst.rs | 16 +++++++++++++++-
 3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/fuzzers/FRET/benchmark/target_symbols.csv b/fuzzers/FRET/benchmark/target_symbols.csv
index 47733a6544..6d1e0aa18d 100644
--- a/fuzzers/FRET/benchmark/target_symbols.csv
+++ b/fuzzers/FRET/benchmark/target_symbols.csv
@@ -11,4 +11,5 @@ rijndael_dec,rijndael_dec_main,rijndael_dec_data,32768,rijndael_dec_return
 rijndael_enc,rijndael_enc_main,rijndael_enc_data,31369,rijndael_enc_return
 huff_dec,huff_dec_main,huff_dec_encoded,419,huff_dec_return
 huff_enc,huff_enc_main,huff_enc_plaintext,600,huff_enc_return
-gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return
\ No newline at end of file
+gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return
+tmr,main,FUZZ_INPUT,32,trigger_Qemu_break
\ No newline at end of file
diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs
index f714ebd5b6..09f389b57d 100644
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@@ -81,7 +81,7 @@ pub fn fuzz() {
 &env::var("FUZZ_INPUT").unwrap_or_else(|_| "FUZZ_INPUT".to_owned()),
 0,
 )
- .expect("Symbol or env FUZZ_INPUT not found");
+ .expect("Symbol or env FUZZ_INPUT not found"); //as GuestPhysAddr;
 let input_addr = virt2phys(input_addr,&elf) as GuestPhysAddr;
 println!("FUZZ_INPUT @ {:#x}", input_addr);
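Review bot: The trailing `//as GuestPhysAddr;` added to the `.expect(...)` line is commented-out code rather than an explanation, and the cast it hints at already happens on the very next line, `let input_addr = virt2phys(input_addr,&elf) as GuestPhysAddr;`. Drop the trailer and keep the line as `.expect("Symbol or env FUZZ_INPUT not found");`. If the intent was to record why the resolved symbol is not used as a physical address directly, a short why-comment on the `virt2phys` line (presumably: the ELF symbol is a virtual address that QEMU needs translated) says that without leaving dead code behind. The enclosing `fuzz()` starts and ends outside the hunk.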
@@ -245,17 +245,23 @@ pub fn fuzz() {
 // A fuzzer with feedbacks and a corpus scheduler
 let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+ #[cfg(not(feature = "systemstate"))]
 let qhelpers = tuple_list!(
 QemuEdgeCoverageHelper::default(),
- QemuStateRestoreHelper::new());
+ QemuStateRestoreHelper::new()
+ );
 #[cfg(feature = "systemstate")]
- let qhelpers = tuple_list!(qhelpers,
- QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,input_counter_ptr,app_range.clone()));
+ let qhelpers = tuple_list!(
+ QemuEdgeCoverageHelper::default(),
+ QemuStateRestoreHelper::new(),
+ QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,input_counter_ptr,app_range.clone())
+ );
 let mut hooks = QemuHooks::new(&emu,qhelpers);
+ #[cfg(not(feature = "systemstate"))]
 let observer_list = tuple_list!(edges_observer, clock_time_observer);
 #[cfg(feature = "systemstate")]
- let observer_list = tuple_list!(observer_list ,systemstate_observer);
+ let observer_list = tuple_list!(edges_observer, clock_time_observer, systemstate_observer);
 // Create a QEMU in-process executor
 let executor = QemuExecutor::new(
diff --git a/fuzzers/FRET/src/worst.rs b/fuzzers/FRET/src/worst.rs
index c16a2b99c5..6bb2a847d8 100644
--- a/fuzzers/FRET/src/worst.rs
+++ b/fuzzers/FRET/src/worst.rs
@@ -269,6 +269,7 @@ impl Named for ExecTimeCollectorFeedbackState
 pub struct ExecTimeIncFeedback {
 longest_time: u64,
+ last_is_longest: bool
 }
 impl Feedback for ExecTimeIncFeedback
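Review bot: The two `#[cfg]` branches now spell out `QemuEdgeCoverageHelper::default()` and `QemuStateRestoreHelper::new()` twice, and likewise `edges_observer, clock_time_observer` for `observer_list`, so every future helper or observer must be added in two places and a drift between the feature builds will only surface at runtime. Nothing in the hunk says why the previous `tuple_list!(qhelpers, …)` / `tuple_list!(observer_list ,…)` form was abandoned; if it is because wrapping an existing list in `tuple_list!` nests it instead of extending it (I cannot confirm that from the hunk), that reason belongs in a comment above the first `#[cfg(not(feature = "systemstate"))]`, e.g. `// Both feature variants list every helper in full: tuple_list!(inner, x) nests inner rather than appending to it.` The same comment covers the duplicated `observer_list`, which sits a few lines below. `fuzz()` continues outside the hunk on both sides.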
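Review bot: The new field `last_is_longest: bool` in `ExecTimeIncFeedback` carries no doc comment and no trailing comma, unlike `longest_time: u64,` directly above it, so rustfmt will rewrite the line and a reader has to hunt for the writer to learn what the flag means. Suggest `/// Set by is_interesting when the last run set a new longest time; read by append_metadata to tag that testcase.` followed by `last_is_longest: bool,`. The `impl Feedback for ExecTimeIncFeedback` at the end of the hunk continues outside it.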
@@ -293,8 +294,21 @@ where
 if observer.last_runtime() > self.longest_time {
 self.longest_time = observer.last_runtime();
 }
+ self.last_is_longest = observer.last_runtime() > self.longest_time;
 Ok(observer.last_runtime() > self.longest_time)
 }
+ fn append_metadata(
+ &mut self,
+ _state: &mut S,
+ testcase: &mut Testcase<::Input>,
+ ) -> Result<(), Error> {
+ if self.last_is_longest {
+ let mim : Option<&mut MapIndexesMetadata>= testcase.metadata_mut().get_mut();
+ // pretend that the longest input alone excercises some non-existing edge, to keep it relevant
+ mim.unwrap().list.push(usize::MAX);
+ };
+ Ok(())
+ }
 }
 impl Named for ExecTimeIncFeedback
@@ -311,6 +325,6 @@ where
 /// Creates a new [`ExecTimeReachedFeedback`]
 #[must_use]
 pub fn new() -> Self {
- Self {longest_time: 0}
+ Self {longest_time: 0, last_is_longest: false}
 }
 }
\ No newline at end of file
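Review bot: `self.last_is_longest = observer.last_runtime() > self.longest_time;` runs after the `if` above it has already raised `self.longest_time` to `last_runtime()`, so on precisely the runs it is meant to mark the comparison is false and the flag can never become true; the `Ok(...)` on the following line has the same ordering problem, which this commit inherits rather than introduces, and together they mean the virtual edge in `append_metadata` is never pushed. Compute the comparison once before the update and reuse it for both the field and the return value, as in the excerpt below. In `append_metadata`, `mim.unwrap()` panics whenever the testcase carries no `MapIndexesMetadata` (the hunk does not show that another feedback always attaches it first), so prefer `if let Some(mim) = testcase.metadata_mut().get_mut::<MapIndexesMetadata>()` and let a missing entry fall through; it is also worth stating in the comment that `usize::MAX` is only safe because downstream consumers treat `list` entries as keys, not as array indices, since the hunk cannot show that. The `};` closing the `if` is a stray statement terminator and `excercises` should read `exercises`. `is_interesting` begins outside the hunk.
```rust
        // … unchanged: is_interesting signature and observer lookup …
        let is_longest = observer.last_runtime() > self.longest_time;
        if is_longest {
            self.longest_time = observer.last_runtime();
        }
        // Must be taken before longest_time is updated, otherwise it is always false.
        self.last_is_longest = is_longest;
        Ok(is_longest)
    }

    // … unchanged: append_metadata signature …
        if self.last_is_longest {
            // A testcase without map-index metadata is not an invariant violation; skip it.
            if let Some(mim) = testcase.metadata_mut().get_mut::<MapIndexesMetadata>() {
                // pretend that the longest input alone exercises some non-existing edge, to keep it relevant
                mim.list.push(usize::MAX);
            }
        }
        Ok(())
```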