add virtual edge to longest runs

2023-01-19 10:33:13 +01:00 · 2023-01-19 10:33:13 +01:00 · 2cb479581d
commit 2cb479581d
parent 1fbf948478
3 changed files with 28 additions and 7 deletions
--- a/fuzzers/FRET/benchmark/target_symbols.csv
+++ b/fuzzers/FRET/benchmark/target_symbols.csv
@ -11,4 +11,5 @@ rijndael_dec,rijndael_dec_main,rijndael_dec_data,32768,rijndael_dec_return
 rijndael_enc,rijndael_enc_main,rijndael_enc_data,31369,rijndael_enc_return
 huff_dec,huff_dec_main,huff_dec_encoded,419,huff_dec_return
 huff_enc,huff_enc_main,huff_enc_plaintext,600,huff_enc_return
-gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return
+gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return
+tmr,main,FUZZ_INPUT,32,trigger_Qemu_break
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@ -81,7 +81,7 @@ pub fn fuzz() {
            &env::var("FUZZ_INPUT").unwrap_or_else(|_| "FUZZ_INPUT".to_owned()),
            0,
        )
-        .expect("Symbol or env FUZZ_INPUT not found");
+        .expect("Symbol or env FUZZ_INPUT not found"); //as GuestPhysAddr;
    let input_addr = virt2phys(input_addr,&elf) as GuestPhysAddr;
    println!("FUZZ_INPUT @ {:#x}", input_addr);

@ -245,17 +245,23 @@ pub fn fuzz() {

        // A fuzzer with feedbacks and a corpus scheduler
        let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+        #[cfg(not(feature = "systemstate"))]
        let qhelpers = tuple_list!(
                QemuEdgeCoverageHelper::default(),
-                QemuStateRestoreHelper::new());
+                QemuStateRestoreHelper::new()
+            );
        #[cfg(feature = "systemstate")]
-        let qhelpers = tuple_list!(qhelpers,
-            QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,input_counter_ptr,app_range.clone()));
+        let qhelpers = tuple_list!(
+                QemuEdgeCoverageHelper::default(),
+                QemuStateRestoreHelper::new(),
+                QemuSystemStateHelper::new(svh,curr_tcb_pointer,task_queue_addr,input_counter_ptr,app_range.clone())
+            );
        let mut hooks = QemuHooks::new(&emu,qhelpers);

+        #[cfg(not(feature = "systemstate"))]
        let observer_list = tuple_list!(edges_observer, clock_time_observer);
        #[cfg(feature = "systemstate")]
-        let observer_list = tuple_list!(observer_list ,systemstate_observer);
+        let observer_list = tuple_list!(edges_observer, clock_time_observer, systemstate_observer);

        // Create a QEMU in-process executor
        let executor = QemuExecutor::new(
--- a/fuzzers/FRET/src/worst.rs
+++ b/fuzzers/FRET/src/worst.rs
@ -269,6 +269,7 @@ impl Named for ExecTimeCollectorFeedbackState
 pub struct ExecTimeIncFeedback
 {
    longest_time: u64,
+    last_is_longest: bool
 }

 impl<S> Feedback<S> for ExecTimeIncFeedback
@ -293,8 +294,21 @@ where
        if observer.last_runtime() > self.longest_time {
            self.longest_time = observer.last_runtime();
        }
+        self.last_is_longest = observer.last_runtime() > self.longest_time;
        Ok(observer.last_runtime() > self.longest_time)
    }
+    fn append_metadata(
+        &mut self,
+        _state: &mut S,
+        testcase: &mut Testcase<<S as UsesInput>::Input>,
+    ) -> Result<(), Error> {
+        if self.last_is_longest {
+            let mim : Option<&mut MapIndexesMetadata>= testcase.metadata_mut().get_mut();
+            // pretend that the longest input alone excercises some non-existing edge, to keep it relevant
+            mim.unwrap().list.push(usize::MAX);
+        };
+        Ok(())
+    }
 }

 impl Named for ExecTimeIncFeedback
@ -311,6 +325,6 @@ where
    /// Creates a new [`ExecTimeReachedFeedback`]
    #[must_use]
    pub fn new() -> Self {
-        Self {longest_time: 0}
+        Self {longest_time: 0, last_is_longest: false}
    }
 }