add virtual edge to longest runs

fuzzers/FRET/benchmark/target_symbols.csv

@@ -12,3 +12,4 @@ rijndael_enc,rijndael_enc_main,rijndael_enc_data,31369,rijndael_enc_return
 huff_dec,huff_dec_main,huff_dec_encoded,419,huff_dec_return
 huff_enc,huff_enc_main,huff_enc_plaintext,600,huff_enc_return
 gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return
+tmr,main,FUZZ_INPUT,32,trigger_Qemu_break

fuzzers/FRET/src/fuzzer.rs

@@ -81,7 +81,7 @@ pub fn fuzz() {
             &env::var("FUZZ_INPUT").unwrap_or_else(|_| "FUZZ_INPUT".to_owned()),
             0,
         )
-        .expect("Symbol or env FUZZ_INPUT not found");
+        .expect("Symbol or env FUZZ_INPUT not found"); //as GuestPhysAddr;
     let input_addr = virt2phys(input_addr,&elf) as GuestPhysAddr;
     println!("FUZZ_INPUT @ {:#x}", input_addr);
 
@@ -245,17 +245,23 @@ pub fn fuzz() {
 
         // A fuzzer with feedbacks and a corpus scheduler
         let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+        #[cfg(not(feature = "systemstate"))]
         let qhelpers = tuple_list!(
                 QemuEdgeCoverageHelper::default(),
-                QemuStateRestoreHelper::new());
+                QemuStateRestoreHelper::new()
+            );
         #[cfg(feature = "systemstate")]
-        let qhelpers = tuple_list!(qhelpers,
+        let qhelpers = tuple_list!(
-            QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,input_counter_ptr,app_range.clone()));
+                QemuEdgeCoverageHelper::default(),
+                QemuStateRestoreHelper::new(),
+                QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,input_counter_ptr,app_range.clone())
+            );
         let mut hooks = QemuHooks::new(&emu,qhelpers);
 
+        #[cfg(not(feature = "systemstate"))]
         let observer_list = tuple_list!(edges_observer, clock_time_observer);
         #[cfg(feature = "systemstate")]
-        let observer_list = tuple_list!(observer_list ,systemstate_observer);
+        let observer_list = tuple_list!(edges_observer, clock_time_observer, systemstate_observer);
 
         // Create a QEMU in-process executor
         let executor = QemuExecutor::new(

fuzzers/FRET/src/worst.rs

@@ -269,6 +269,7 @@ impl Named for ExecTimeCollectorFeedbackState
 pub struct ExecTimeIncFeedback
 {
     longest_time: u64,
+    last_is_longest: bool
 }
 
 impl<S> Feedback<S> for ExecTimeIncFeedback
@@ -293,8 +294,21 @@ where
         if observer.last_runtime() > self.longest_time {
             self.longest_time = observer.last_runtime();
         }
+        self.last_is_longest = observer.last_runtime() > self.longest_time;
         Ok(observer.last_runtime() > self.longest_time)
     }
+    fn append_metadata(
+        &mut self,
+        _state: &mut S,
+        testcase: &mut Testcase<<S as UsesInput>::Input>,
+    ) -> Result<(), Error> {
+        if self.last_is_longest {
+            let mim : Option<&mut MapIndexesMetadata>= testcase.metadata_mut().get_mut();
+            // pretend that the longest input alone excercises some non-existing edge, to keep it relevant
+            mim.unwrap().list.push(usize::MAX);
+        };
+        Ok(())
+    }
 }
 
 impl Named for ExecTimeIncFeedback
@@ -311,6 +325,6 @@ where
     /// Creates a new [`ExecTimeReachedFeedback`]
     #[must_use]
     pub fn new() -> Self {
-        Self {longest_time: 0}
+        Self {longest_time: 0, last_is_longest: false}
     }
 }