diff --git a/fuzzers/wcet_qemu_sys/Cargo.toml b/fuzzers/wcet_qemu_sys/Cargo.toml index 769772a60f..f9b49b3ba7 100644 --- a/fuzzers/wcet_qemu_sys/Cargo.toml +++ b/fuzzers/wcet_qemu_sys/Cargo.toml @@ -10,6 +10,7 @@ std = [] multicore = [] # select which feedbacks to use. enable at least one. +feed_known_edges = [] feed_afl = [] feed_clock = [] feed_state = [] diff --git a/fuzzers/wcet_qemu_sys/Makefile b/fuzzers/wcet_qemu_sys/Makefile index 86057c2a23..67cc9b4307 100644 --- a/fuzzers/wcet_qemu_sys/Makefile +++ b/fuzzers/wcet_qemu_sys/Makefile 
@@ -6,38 +6,41 @@ TARGET_EDGES = $(BENCHDIR)/edges/tmr_worst.ron $(BENCHDIR)/bin: mkdir -p $@ -$(BENCHDIR)/bin/fuzz_vanilla: $(BENCHDIR)/bin - cargo build --features benchmark,feed_afl,sched_mapmax - cp target/debug/fuzzer $@ +$(BENCHDIR)/target_known_edges: $(BENCHDIR)/bin + cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_known_edges,sched_queue,obj_edges -$(BENCHDIR)/bin/fuzz_state: $(BENCHDIR)/bin - cargo build --features benchmark,feed_state,sched_state - cp target/debug/fuzzer $@ +$(BENCHDIR)/target_vanilla: $(BENCHDIR)/bin + cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_afl,sched_mapmax -$(BENCHDIR)/bin/fuzz_graph: $(BENCHDIR)/bin - cargo build --features benchmark,feed_graph,sched_graph - cp target/debug/fuzzer $@ +$(BENCHDIR)/target_state: $(BENCHDIR)/bin + cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_state,sched_state -$(BENCHDIR)/bin/fuzz_graph_snip: $(BENCHDIR)/bin - cargo build --features benchmark,feed_graph,sched_graph,muta_snip,muta_input,muta_suffix - cp target/debug/fuzzer $@ +$(BENCHDIR)/target_graph: $(BENCHDIR)/bin + cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_graph,sched_graph -$(BENCHDIR)/bin/fuzz_graph_afl: $(BENCHDIR)/bin - cargo build --features benchmark,feed_graph,sched_graph,feed_afl - cp target/debug/fuzzer $@ +$(BENCHDIR)/target_graph_snip: $(BENCHDIR)/bin + cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_graph,sched_graph,muta_snip,muta_input,muta_suffix -$(BENCHDIR)/bin/fuzz_graph_all: $(BENCHDIR)/bin - cargo build --features benchmark,feed_graph,sched_graph,feed_afl,muta_snip,muta_input,muta_suffix - cp target/debug/fuzzer $@ +$(BENCHDIR)/target_graph_afl: $(BENCHDIR)/bin + cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_graph,sched_graph,feed_afl -binaries: $(BENCHDIR)/bin/fuzz_vanilla $(BENCHDIR)/bin/fuzz_state $(BENCHDIR)/bin/fuzz_graph $(BENCHDIR)/bin/fuzz_graph_snip $(BENCHDIR)/bin/fuzz_graph_afl 
$(BENCHDIR)/bin/fuzz_graph_all +$(BENCHDIR)/target_graph_all: $(BENCHDIR)/bin + cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_graph,sched_graph,feed_afl,muta_snip,muta_input,muta_suffix + +binaries: $(BENCHDIR)/target_known_edges $(BENCHDIR)/target_vanilla $(BENCHDIR)/target_state $(BENCHDIR)/target_graph $(BENCHDIR)/target_graph_snip $(BENCHDIR)/target_graph_afl $(BENCHDIR)/target_graph_all # variants: vanilla, state, graph, graph_snip, graph_afl, graph_all -$(BENCHDIR)/bench_%.log: $(BENCHDIR)/bin/fuzz_% $(TARGET_TRACE) - for i in {1..1}; do ./fuzzer_bench.sh $< $(TARGET) --libafl-traces $(TARGET_TRACE) --libafl-exectimes $@.exec_$$i > $@_$$i; done +$(BENCHDIR)/bench_%.log: $(BENCHDIR)/target_% $(TARGET_TRACE) + for i in {1..10}; do \ + CASE=$$(basename -s.log $@ | cut -d'_' -f 2- ); \ + echo $$CASE Iteration $$i; \ + ./fuzzer_bench.sh $ $@_$$i; \ + sed -i "1 i\\$$CASE " $(BENCHDIR)/bench_$$CASE\_$$i.exec; \ + done for i in $@_*; do tail -n 1 $$i >> $@; done -benchmarks: target/bench/bench_vanilla.log target/bench/bench_state.log target/bench/bench_graph.log target/bench/bench_graph_snip.log target/bench/bench_graph_afl.log target/bench/bench_graph_all.log +benchmarks: target/bench/bench_known_edges.log target/bench/bench_vanilla.log target/bench/bench_state.log target/bench/bench_graph.log target/bench/bench_graph_snip.log target/bench/bench_graph_afl.log target/bench/bench_graph_all.log all: binaries benchmarks @@ -56,4 +59,6 @@ clean: --libafl-edges $(BENCHDIR)/edges/$$PROG\_$$CASE.ron \ --libafl-traces $(BENCHDIR)/traces/$$PROG\_$$CASE.ron | \ grep "Qemu Ticks:"; \ - done \ No newline at end of file + done + +$(TARGET_TRACE): tmr.case \ No newline at end of file diff --git a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs index 23bdeff435..b05b0922b2 100644 --- a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs +++ b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs 
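Review bot: The new benchmark loop `for i in {1..10}` in the `$(BENCHDIR)/bench_%.log` recipe depends on bash brace expansion, but make runs recipes with `/bin/sh` unless `SHELL` is set, and no `SHELL` assignment is visible in this hunk. Under a POSIX shell the body runs once with `i` set to the literal `{1..10}`, so the ten-run benchmark silently degrades to a single mislabeled run; `for i in $$(seq 1 10); do \` avoids that. The loop body is chained with `;`, so an early failing `./fuzzer_bench.sh` iteration does not stop the recipe and the following `tail -n 1` line still appends to the log; opening the recipe line with `set -e;` would surface the failure. The `./fuzzer_bench.sh` line is truncated in this rendering, so its arguments could not be checked against the `bench_$$CASE\_$$i.exec` file name that `sed -i` expects.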
@@ -1,5 +1,6 @@ //! A singlethreaded QEMU fuzzer that can auto-restart. +use wcet_qemu_sys::worst::TimeMaximizerCorpusScheduler; use libafl::corpus::InMemoryCorpus; use wcet_qemu_sys::sysstate::graph::RandGraphSuffixMutator; use wcet_qemu_sys::sysstate::graph::RandInputSnippetMutator; @@ -394,6 +395,8 @@ fn fuzz( }; // Feedback to rate the interestingness of an input let feedback = ClockFeedback::new_with_observer(&clock_observer); + #[cfg(feature = "feed_known_edges")] + let feedback = feedback_or!(feedback, HitImprovingFeedback::new(target_map.clone(), &edges_observer)); #[cfg(feature = "feed_afl")] let feedback = feedback_or!(feedback, MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false)); #[cfg(feature = "feed_clock")] @@ -467,7 +470,7 @@ fn fuzz( #[cfg(feature = "sched_queue")] let scheduler = QueueCorpusScheduler::new(); #[cfg(feature = "sched_mapmax")] - let scheduler = LenTimeMaximizerCorpusScheduler::new(QueueCorpusScheduler::new()); + let scheduler = TimeMaximizerCorpusScheduler::new(QueueCorpusScheduler::new()); #[cfg(feature = "sched_state")] let scheduler = TimeStateMaximizerCorpusScheduler::new(QueueCorpusScheduler::new()); #[cfg(feature = "sched_graph")] @@ -584,6 +587,7 @@ fn fuzz( // .expect("Error in the fuzzing loop"); + #[cfg(not(feature = "benchmark"))] #[cfg(feature = "feed_graph")] { let feedbackstate = state
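Review bot: The added `feed_known_edges` branch in `fuzz()` reads `target_map` and `edges_observer`, neither of which is bound inside this hunk, while Cargo.toml declares the feature as a bare `feed_known_edges = []`. If either binding sits behind another `cfg` (the Makefile only ever builds this feature together with `obj_edges`), enabling `feed_known_edges` on its own will not compile; such a coupling, if it exists, belongs in the feature definition, not only in the Makefile. A short comment above the new `let feedback`, for example `// known-edge feedback, driven by the edge set in target_map`, would help once the wording is checked against what `target_map` actually holds. `fuzz()` starts and ends outside the hunk.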
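Review bot: Swapping `LenTimeMaximizerCorpusScheduler` for `TimeMaximizerCorpusScheduler` under `sched_mapmax` changes corpus favoring for the `target_vanilla` build (`feed_afl,sched_mapmax`), so bench logs produced before and after this commit are not comparable. A comment on that line stating which criterion the new scheduler favors would record the change of baseline. If `LenTimeMaximizerCorpusScheduler` is no longer referenced elsewhere in the file, its import is now dead and should be removed in the same commit; the import block is only partly visible here.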