prioritize long tarces

fuzzers/FRET/benchmark/Snakefile

@@ -42,6 +42,12 @@ rule build_stg:
     shell:
         "cargo build --target-dir {output} {def_flags},config_stg"
 
+rule build_stgpath:
+    output:
+        directory("bins/target_stgpath")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_stg_aggregatehash,sched_stg_aggregatehash,mutate_stg"
+
 rule build_showmap_int:
     output:
         directory("bins/target_showmap_int")
@@ -73,6 +79,12 @@ rule build_stg_int:
     shell:
         "cargo build --target-dir {output} {def_flags},config_stg,fuzz_int"
 
+rule build_stgpath_int:
+    output:
+        directory("bins/target_stgpath_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_stg_aggregatehash,sched_stg_aggregatehash,mutate_stg,fuzz_int"
+
 rule build_feedgeneration1:
     output:
         directory("bins/target_feedgeneration1")
@@ -241,51 +253,53 @@ rule clusterfuzz:
 
 rule all_new:
     input:
-        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['random', 'feedgeneration100', 'frafl', 'stg'], target=['waters', 'watersv2', 'interact'],num=range(0,2)),
-        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['random_int', 'feedgeneration100_int', 'frafl_int', 'stg_int'], target=['waters_int', 'watersv2_int', 'interact_int'],num=range(0,3))
+        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['feedgeneration100', 'frafl', 'stg'], target=['waters', 'watersv2'],num=range(0,3)),
+        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['feedgeneration100_int', 'frafl_int', 'stg_int'], target=['waters_int', 'watersv2_int'],num=range(0,3))
+        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['random', 'stgpath'], target=['waters', 'watersv2'],num=range(0,3))
+        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['random_int', 'stgpath_int'], target=['waters_int', 'watersv2_int'],num=range(0,3))
 
-rule build_stgpath:
-    output:
-        directory("bins/target_stgpath_int")
-    shell:
-        "cargo build --target-dir {output} {def_flags},config_stg,sched_stg_pathhash,feed_stg_pathhash"
+-- rule build_stgpath:
+--     output:
+--         directory("bins/target_stgpath_int")
+--     shell:
+--         "cargo build --target-dir {output} {def_flags},config_stg,sched_stg_pathhash,feed_stg_pathhash"
 
-rule build_stgabb:
-    output:
-        directory("bins/target_stgabb_int")
-    shell:
-        "cargo build --target-dir {output} {def_flags},config_stg,sched_stg_abbhash,feed_stg_abbhash"
+-- rule build_stgabb:
+--     output:
+--         directory("bins/target_stgabb_int")
+--     shell:
+--         "cargo build --target-dir {output} {def_flags},config_stg,sched_stg_abbhash,feed_stg_abbhash"
 
-rule build_stgaggregate:
-    output:
-        directory("bins/target_stgaggregate_int")
-    shell:
-        "cargo build --target-dir {output} {def_flags},config_stg,sched_stg_aggregatehash,feed_stg_aggregatehash"
+-- rule build_stgaggregate:
+--     output:
+--         directory("bins/target_stgaggregate_int")
+--     shell:
+--         "cargo build --target-dir {output} {def_flags},config_stg,sched_stg_aggregatehash,feed_stg_aggregatehash"
 
-rule build_stgpath_int:
-    output:
-        directory("bins/target_stgpath_int")
-    shell:
-        "cargo build --target-dir {output} {def_flags},config_stg,fuzz_int,sched_stg_pathhash,feed_stg_pathhash"
+-- rule build_stgpath_int:
+--     output:
+--         directory("bins/target_stgpath_int")
+--     shell:
+--         "cargo build --target-dir {output} {def_flags},config_stg,fuzz_int,sched_stg_pathhash,feed_stg_pathhash"
 
-rule build_stgabb_int:
-    output:
-        directory("bins/target_stgabb_int")
-    shell:
-        "cargo build --target-dir {output} {def_flags},config_stg,fuzz_int,sched_stg_abbhash,feed_stg_abbhash"
+-- rule build_stgabb_int:
+--     output:
+--         directory("bins/target_stgabb_int")
+--     shell:
+--         "cargo build --target-dir {output} {def_flags},config_stg,fuzz_int,sched_stg_abbhash,feed_stg_abbhash"
 
-rule build_stgaggregate_int:
-    output:
-        directory("bins/target_stgaggregate_int")
-    shell:
-        "cargo build --target-dir {output} {def_flags},config_stg,fuzz_int,sched_stg_aggregatehash,feed_stg_aggregatehash"
+-- rule build_stgaggregate_int:
+--     output:
+--         directory("bins/target_stgaggregate_int")
+--     shell:
+--         "cargo build --target-dir {output} {def_flags},config_stg,fuzz_int,sched_stg_aggregatehash,feed_stg_aggregatehash"
 
-rule custom_test:
-    input:
-        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['stgpath', 'stgabb', 'stgaggregate'], target=['waters','watersv2','interact'],num=range(0,2)),
-        expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['stgpath_int', 'stgabb_int', 'stgaggregate_int'], target=['waters_int','watersv2_int','interact_int'],num=range(0,2)),
+-- rule custom_test:
+--     input:
+--         expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['stgpath', 'stgabb', 'stgaggregate'], target=['waters','watersv2','interact'],num=range(0,2)),
+--         expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['stgpath_int', 'stgabb_int', 'stgaggregate_int'], target=['waters_int','watersv2_int','interact_int'],num=range(0,2)),
     
 
 rule all_bins:
     input:
-        expand("bins/target_{target}{flag}",target=['random','frafl','stg','feedgeneration100'],flag=['','_int'])
+        expand("bins/target_{target}{flag}",target=['random','frafl','stg','stgpath','feedgeneration100'],flag=['','_int'])

fuzzers/FRET/src/fuzzer.rs

@@ -568,7 +568,7 @@ pub fn fuzz() {
         #[cfg(feature = "sched_afl",)]
         let scheduler = TimeMaximizerCorpusScheduler::new(QueueScheduler::new());
         #[cfg(feature = "sched_stg")]
-        let scheduler = GraphMaximizerCorpusScheduler::new(QueueScheduler::new());
+        let scheduler = LongestTraceScheduler::new(GraphMaximizerCorpusScheduler::new(QueueScheduler::new()));
         #[cfg(feature = "sched_genetic")]
         let scheduler = GenerationScheduler::new();
 
@@ -632,7 +632,7 @@ pub fn fuzz() {
             if let Some(se) = seed {
                 unsafe {
                     let mut rng = StdRng::seed_from_u64(se);
-                    for i in 0..1000 {
+                    for i in 0..100 {
                         let inp = BytesInput::new(vec![rng.gen::<u8>(); MAX_INPUT_SIZE]);
                         fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, inp).unwrap();
                     }

fuzzers/FRET/src/mutational.rs

@@ -37,7 +37,7 @@ pub fn input_bytes_to_interrupt_times(buf: &[u8]) -> Vec<u32> {
     }
     ret.sort_unstable();
     // obey the minimum inter arrival time while maintaining the sort
-    for i in 0..ret.len()-1 {
+    for i in 0..ret.len() {
         for j in i+1..ret.len()-1 {
             if ret[j]-ret[i] < unsafe{MINIMUM_INTER_ARRIVAL_TIME} {
                 ret[j] = u32::saturating_add(ret[i],unsafe{MINIMUM_INTER_ARRIVAL_TIME});
@@ -91,7 +91,7 @@ where
                 .borrow_mut().clone();
         let mut newinput = _input.input_mut().as_mut().unwrap().clone();
         let mut do_rerun = false;
-        // if state.rand_mut().between(1, 100) <= 50 // only attempt the mutation half of the time
+        if state.rand_mut().between(1, 100) <= 50 // only attempt the mutation half of the time
         {
             // need our own random generator, because borrowing rules
             let mut myrand = StdRand::new();
@@ -185,8 +185,9 @@ where
                                     ub = u32::saturating_sub(interrupt_offsets[i+1],unsafe{MINIMUM_INTER_ARRIVAL_TIME});
                                 }
                                 let alternatives : Vec<_> = (0..trace.intervals.len()).filter(|x|
-                                    trace.intervals[*x].start_tick < (lb as u64) && (lb as u64) < trace.intervals[*x].end_tick
-                                    || trace.intervals[*x].start_tick > (lb as u64) && trace.intervals[*x].start_tick < (ub as u64)
+                                    node_indices[*x].is_some() &&
+                                    (trace.intervals[*x].start_tick < (lb as u64) && (lb as u64) < trace.intervals[*x].end_tick
+                                    || trace.intervals[*x].start_tick > (lb as u64) && trace.intervals[*x].start_tick < (ub as u64))
                                 ).collect();
                                 let not_yet_hit : Vec<_> = alternatives.iter().filter(
                                     |x| feedbackstate.graph.edges_directed(*node_indices[**x].unwrap(), petgraph::Direction::Outgoing).any(|y| y.weight().event != CaptureEvent::ISRStart)).collect();

fuzzers/FRET/src/systemstate/schedulers.rs

@@ -18,7 +18,7 @@ use libafl::{
 
 use crate::worst::MaxTimeFavFactor;
 
-use super::FreeRTOSSystemStateMetadata;
+use super::{stg::STGNodeMetadata, FreeRTOSSystemStateMetadata};
 
 /// A state metadata holding a map of favoreds testcases for each map entry
 #[derive(Debug, Serialize, Deserialize, SerdeAny, Default)]
@@ -100,7 +100,7 @@ where
                     .get(idx)?
                     .borrow()
                     .metadata_map()
-                    .get::<FreeRTOSSystemStateMetadata>().map_or(0, |x| x.trace_length);
+                    .get::<STGNodeMetadata>().map_or(0, |x| x.nodes.len());
             let m = self.get_update_trace_length(state,l);
             state.rand_mut().below(m) > l as u64 
         } && state.rand_mut().below(100) < self.skip_non_favored_prob