change interrupt mutation
parent
4c8a435cfd
commit
2cbd9de2eb
@ -439,22 +439,9 @@ pub fn fuzz() {
|
||||
unsafe {
|
||||
#[cfg(feature = "fuzz_int")]
|
||||
{
|
||||
let mut start_tick : u32 = 0;
|
||||
for i in 0..DO_NUM_INTERRUPT {
|
||||
let mut t : [u8; 4] = [0,0,0,0];
|
||||
if len > (i+1)*4 {
|
||||
for j in 0 as usize..4 as usize {
|
||||
t[j]=buf[i*4+j];
|
||||
}
|
||||
if i == 0 || true {
|
||||
unsafe {start_tick = max(u32::from_le_bytes(t) % LIMIT, FIRST_INT);}
|
||||
} else {
|
||||
start_tick = u32::saturating_add(start_tick,max(unsafe{MINIMUM_INTER_ARRIVAL_TIME},u32::from_le_bytes(t)));
|
||||
}
|
||||
libafl_interrupt_offsets[i] = start_tick;
|
||||
libafl_num_interrupts = i+1;
|
||||
}
|
||||
}
|
||||
let t = input_bytes_to_interrupt_times(buf);
|
||||
for i in 0..t.len() {libafl_interrupt_offsets[i]=t[i];}
|
||||
libafl_num_interrupts=t.len();
|
||||
|
||||
if buf.len() > libafl_num_interrupts*4 {
|
||||
buf = &buf[libafl_num_interrupts*4..];
|
||||
@ -620,7 +607,8 @@ pub fn fuzz() {
|
||||
// Setup an havoc mutator with a mutational stage
|
||||
let mutator = StdScheduledMutator::new(mutations);
|
||||
|
||||
let mut stages = tuple_list!(StdMutationalStage::new(mutator));
|
||||
let stages = ();
|
||||
let mut stages = (StdMutationalStage::new(mutator), stages);
|
||||
#[cfg(feature = "fuzz_int")]
|
||||
let mut stages = (InterruptShiftStage::new(), stages);
|
||||
|
||||
|
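Review bot: In the first hunk of `fuzz()`, `for i in 0..t.len() {libafl_interrupt_offsets[i]=t[i];}` takes its bound from the helper's return value, whereas the loop it replaces was capped at `DO_NUM_INTERRUPT`. Nothing visible here ties `t.len()` to the size of `libafl_interrupt_offsets`, and the write sits inside an `unsafe` block fed by fuzzer-generated bytes. Unless `input_bytes_to_interrupt_times` is guaranteed to return at most `DO_NUM_INTERRUPT` entries (its loop header is outside the visible hunks), cap the copy at the call site, assuming `DO_NUM_INTERRUPT` is still the capacity the array is sized for: `for (i, v) in t.iter().take(DO_NUM_INTERRUPT).enumerate() {libafl_interrupt_offsets[i]=*v;}` and `libafl_num_interrupts=t.len().min(DO_NUM_INTERRUPT);`. The copy into the fixed `[u32; 32]` array `interrupt_offsets` in the `@ -107,22 +109,9` hunk of the second file has the same shape and needs the same cap. The enclosing `unsafe` block and `fuzz()` itself extend beyond the hunk.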
@ -31,13 +31,15 @@ pub fn input_bytes_to_interrupt_times(buf: &[u8]) -> Vec<u32> {
|
||||
for j in 0usize..4usize {
|
||||
t[j]=buf[i*4+j];
|
||||
}
|
||||
unsafe {start_tick = max(u32::from_le_bytes(t), FIRST_INT);}
|
||||
start_tick = u32::from_le_bytes(t);
|
||||
if start_tick < FIRST_INT {start_tick=0;}
|
||||
ret.push(start_tick);
|
||||
} else {break;}
|
||||
}
|
||||
ret.sort_unstable();
|
||||
// obey the minimum inter arrival time while maintaining the sort
|
||||
for i in 0..ret.len() {
|
||||
if ret[i]==0 {continue;}
|
||||
for j in i+1..ret.len()-1 {
|
||||
if ret[j]-ret[i] < unsafe{MINIMUM_INTER_ARRIVAL_TIME} {
|
||||
ret[j] = u32::saturating_add(ret[i],unsafe{MINIMUM_INTER_ARRIVAL_TIME});
|
||||
@ -107,22 +109,9 @@ where
|
||||
let mut interrupt_offsets : [u32; 32] = [u32::MAX; 32];
|
||||
let mut num_interrupts : usize = 0;
|
||||
{
|
||||
let mut start_tick : u32 = 0;
|
||||
for i in 0..DO_NUM_INTERRUPT {
|
||||
let mut t : [u8; 4] = [0,0,0,0];
|
||||
if target_bytes.len() > (i+1)*4 {
|
||||
for j in 0 as usize..4 as usize {
|
||||
t[j]=target_bytes[i*4+j];
|
||||
}
|
||||
if i == 0 || true {
|
||||
start_tick = max(u32::from_le_bytes(t),FIRST_INT);
|
||||
} else {
|
||||
start_tick = u32::saturating_add(start_tick,max(unsafe{MINIMUM_INTER_ARRIVAL_TIME},u32::from_le_bytes(t)));
|
||||
}
|
||||
interrupt_offsets[i] = start_tick;
|
||||
num_interrupts = i+1;
|
||||
}
|
||||
}
|
||||
let t = input_bytes_to_interrupt_times(&target_bytes);
|
||||
for i in 0..t.len() {interrupt_offsets[i]=t[i];}
|
||||
num_interrupts=t.len();
|
||||
}
|
||||
interrupt_offsets.sort_unstable();
|
||||
|
||||
|
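Review bot: The inner loop `for j in i+1..ret.len()-1` in `input_bytes_to_interrupt_times` stops one element short, so the last entry of `ret` is never checked against `MINIMUM_INTER_ARRIVAL_TIME`. As far as the visible lines show, entries 10, 11, 12 with a minimum of 5 (constructed values) come out as 10, 15, 12, which contradicts the comment about maintaining the sort. This looks like a context line the commit leaves as it was, but the result now feeds both call sites changed in this commit; change the range to `for j in i+1..ret.len() {`. The new zero value also deserves a comment next to it, for example `// ticks below FIRST_INT are mapped to 0, which the spacing pass skips`. The loop body continues past the end of the hunk.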
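--- /dev/null
+++ b/fuzzers/FRET/src/systemstate/ARCH.md
@@ -0,0 +1,6 @@
+# System-state heuristics
+## Information flow
+- ``fuzzer.rs`` resolves symbols and creates ``api_ranges`` and ``isr_ranges``
+- ``helpers::QemuSystemStateHelper`` captures a series of ``RawFreeRTOSSystemState``
+- ``observers::QemuSystemStateObserver`` divides this into ``ReducedFreeRTOSSystemState`` and ``ExecInterval``, the first contains the raw states and the second contains information about the flow between states
+- ``stg::StgFeedback`` builds an stg from the intervals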