add feed_known_edges, fix TimeMaximizerCorpusScheduler

fuzzers/wcet_qemu_sys/Cargo.toml

@@ -10,6 +10,7 @@ std = []
 multicore = []
 
 # select which feedbacks to use. enable at least one.
+feed_known_edges = []
 feed_afl = []
 feed_clock = []
 feed_state = []

fuzzers/wcet_qemu_sys/Makefile

@@ -6,38 +6,41 @@ TARGET_EDGES = $(BENCHDIR)/edges/tmr_worst.ron
 $(BENCHDIR)/bin:
 	mkdir -p $@
 
-$(BENCHDIR)/bin/fuzz_vanilla: $(BENCHDIR)/bin
+$(BENCHDIR)/target_known_edges: $(BENCHDIR)/bin
-	cargo build --features benchmark,feed_afl,sched_mapmax
+	cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_known_edges,sched_queue,obj_edges
-	cp target/debug/fuzzer $@
 
-$(BENCHDIR)/bin/fuzz_state: $(BENCHDIR)/bin
+$(BENCHDIR)/target_vanilla: $(BENCHDIR)/bin
-	cargo build --features benchmark,feed_state,sched_state
+	cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_afl,sched_mapmax
-	cp target/debug/fuzzer $@
 
-$(BENCHDIR)/bin/fuzz_graph: $(BENCHDIR)/bin
+$(BENCHDIR)/target_state: $(BENCHDIR)/bin
-	cargo build --features benchmark,feed_graph,sched_graph
+	cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_state,sched_state
-	cp target/debug/fuzzer $@
 
-$(BENCHDIR)/bin/fuzz_graph_snip: $(BENCHDIR)/bin
+$(BENCHDIR)/target_graph: $(BENCHDIR)/bin
-	cargo build --features benchmark,feed_graph,sched_graph,muta_snip,muta_input,muta_suffix
+	cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_graph,sched_graph
-	cp target/debug/fuzzer $@
 
-$(BENCHDIR)/bin/fuzz_graph_afl: $(BENCHDIR)/bin
+$(BENCHDIR)/target_graph_snip: $(BENCHDIR)/bin
-	cargo build --features benchmark,feed_graph,sched_graph,feed_afl
+	cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_graph,sched_graph,muta_snip,muta_input,muta_suffix
-	cp target/debug/fuzzer $@
 
-$(BENCHDIR)/bin/fuzz_graph_all: $(BENCHDIR)/bin
+$(BENCHDIR)/target_graph_afl: $(BENCHDIR)/bin
-	cargo build --features benchmark,feed_graph,sched_graph,feed_afl,muta_snip,muta_input,muta_suffix
+	cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_graph,sched_graph,feed_afl
-	cp target/debug/fuzzer $@
 
-binaries: $(BENCHDIR)/bin/fuzz_vanilla $(BENCHDIR)/bin/fuzz_state $(BENCHDIR)/bin/fuzz_graph $(BENCHDIR)/bin/fuzz_graph_snip $(BENCHDIR)/bin/fuzz_graph_afl $(BENCHDIR)/bin/fuzz_graph_all
+$(BENCHDIR)/target_graph_all: $(BENCHDIR)/bin
+	cargo build --bin fuzzer --target-dir $@ --features benchmark,feed_graph,sched_graph,feed_afl,muta_snip,muta_input,muta_suffix
+
+binaries: $(BENCHDIR)/target_known_edges $(BENCHDIR)/target_vanilla $(BENCHDIR)/target_state $(BENCHDIR)/target_graph $(BENCHDIR)/target_graph_snip $(BENCHDIR)/target_graph_afl $(BENCHDIR)/target_graph_all
 
 # variants: vanilla, state, graph, graph_snip, graph_afl, graph_all
-$(BENCHDIR)/bench_%.log: $(BENCHDIR)/bin/fuzz_% $(TARGET_TRACE)
+$(BENCHDIR)/bench_%.log: $(BENCHDIR)/target_% $(TARGET_TRACE)
-	for i in {1..1}; do ./fuzzer_bench.sh $< $(TARGET) --libafl-traces $(TARGET_TRACE) --libafl-exectimes $@.exec_$$i > $@_$$i; done
+	for i in {1..10}; do \
+		CASE=$$(basename -s.log $@ | cut -d'_' -f 2- ); \
+		echo $$CASE Iteration $$i; \
+		./fuzzer_bench.sh $</debug/fuzzer $(TARGET) --libafl-traces $(TARGET_TRACE) \
+			--libafl-edges $(TARGET_EDGES) --libafl-exectimes $(BENCHDIR)/bench_$$CASE\_$$i.exec > $@_$$i; \
+		sed -i "1 i\\$$CASE " $(BENCHDIR)/bench_$$CASE\_$$i.exec; \
+		done
 	for i in $@_*; do tail -n 1 $$i >> $@; done
 
-benchmarks: target/bench/bench_vanilla.log target/bench/bench_state.log target/bench/bench_graph.log target/bench/bench_graph_snip.log target/bench/bench_graph_afl.log target/bench/bench_graph_all.log
+benchmarks: target/bench/bench_known_edges.log target/bench/bench_vanilla.log target/bench/bench_state.log target/bench/bench_graph.log target/bench/bench_graph_snip.log target/bench/bench_graph_afl.log target/bench/bench_graph_all.log
 
 all: binaries benchmarks
 
@@ -57,3 +60,5 @@ clean:
 			--libafl-traces $(BENCHDIR)/traces/$$PROG\_$$CASE.ron | \
 			grep "Qemu Ticks:"; \
 		done
+
+$(TARGET_TRACE): tmr.case

fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs

@@ -1,5 +1,6 @@
 //! A singlethreaded QEMU fuzzer that can auto-restart.
 
+use wcet_qemu_sys::worst::TimeMaximizerCorpusScheduler;
 use libafl::corpus::InMemoryCorpus;
 use wcet_qemu_sys::sysstate::graph::RandGraphSuffixMutator;
 use wcet_qemu_sys::sysstate::graph::RandInputSnippetMutator;
@@ -394,6 +395,8 @@ fn fuzz(
     };
     // Feedback to rate the interestingness of an input
     let feedback = ClockFeedback::new_with_observer(&clock_observer);
+    #[cfg(feature = "feed_known_edges")]
+    let feedback = feedback_or!(feedback, HitImprovingFeedback::new(target_map.clone(), &edges_observer));
     #[cfg(feature = "feed_afl")]
     let feedback = feedback_or!(feedback, MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false));
     #[cfg(feature = "feed_clock")]
@@ -467,7 +470,7 @@ fn fuzz(
     #[cfg(feature = "sched_queue")]
     let scheduler = QueueCorpusScheduler::new();
     #[cfg(feature = "sched_mapmax")]
-    let scheduler = LenTimeMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
+    let scheduler = TimeMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
     #[cfg(feature = "sched_state")]
     let scheduler = TimeStateMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
     #[cfg(feature = "sched_graph")]
@@ -584,6 +587,7 @@ fn fuzz(
     //     .expect("Error in the fuzzing loop");
         
 
+    #[cfg(not(feature = "benchmark"))]
     #[cfg(feature = "feed_graph")]
     {
         let feedbackstate = state