Add avoid_crash option to scheduler (#2530)

* chg

* add avoid_crash

* a

* clp

* just use .00 at this point

* libafl-fuzz chg

fuzzers/fuzzbench/fuzzbench/src/lib.rs

@@ -310,7 +310,11 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/fuzzbench/fuzzbench_ctx/src/lib.rs

@@ -320,7 +320,11 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/fuzzbench/fuzzbench_fork_qemu/src/fuzzer.rs

@@ -313,7 +313,7 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/fuzzbench/fuzzbench_forkserver/src/main.rs

@@ -308,7 +308,7 @@ fn fuzz(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 

fuzzers/fuzzbench/fuzzbench_forkserver_cmplog/src/main.rs

@@ -309,7 +309,7 @@ fn fuzz(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 

fuzzers/fuzzbench/fuzzbench_qemu/src/fuzzer.rs

@@ -319,7 +319,7 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/fuzzbench/fuzzbench_text/src/lib.rs

@@ -380,7 +380,7 @@ fn fuzz_binary(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 
@@ -605,7 +605,7 @@ fn fuzz_text(
         StdWeightedScheduler::with_schedule(
             &mut state,
             &edges_observer,
-            Some(PowerSchedule::EXPLORE),
+            Some(PowerSchedule::explore()),
         ),
     );
 

fuzzers/libpng/libfuzzer_libpng/src/lib.rs

@@ -149,7 +149,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/libpng/libfuzzer_libpng_cmin/src/lib.rs

@@ -149,7 +149,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/libpng/libfuzzer_libpng_tcp_manager/src/lib.rs

@@ -147,7 +147,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/others/dynamic_analysis/src/lib.rs

@@ -316,7 +316,11 @@ fn fuzz(
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/others/libafl-fuzz/src/fuzzer.rs

@@ -16,8 +16,8 @@ use libafl::{
     },
     observers::{CanTrack, HitcountsMapObserver, StdMapObserver, TimeObserver},
     schedulers::{
-        powersched::PowerSchedule, IndexesLenTimeMinimizerScheduler, QueueScheduler,
+        powersched::{BaseSchedule, PowerSchedule},
-        StdWeightedScheduler,
+        IndexesLenTimeMinimizerScheduler, QueueScheduler, StdWeightedScheduler,
     },
     stages::{
         mutational::MultiMutationalStage, CalibrationStage, ColorizationStage, IfStage,
@@ -185,7 +185,7 @@ where
         )
     };
     let mutational_stage = TimeTrackingStageWrapper::<FuzzTime, _, _>::new(inner_mutational_stage);
-    let strategy = opt.power_schedule.unwrap_or(PowerSchedule::EXPLORE);
+    let strategy = opt.power_schedule.unwrap_or(BaseSchedule::EXPLORE);
 
     // Create our ColorizationStage
     let colorization = ColorizationStage::new(&edges_observer);
@@ -197,8 +197,9 @@ where
     if opt.sequential_queue {
         scheduler = SupportedSchedulers::Queue(QueueScheduler::new(), PhantomData);
     } else {
+        let ps = PowerSchedule::new(strategy);
         let mut weighted_scheduler =
-            StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(strategy));
+            StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(ps));
         if opt.cycle_schedules {
             weighted_scheduler = weighted_scheduler.cycling_scheduler();
         }

fuzzers/others/libafl-fuzz/src/hooks.rs

@@ -10,12 +10,6 @@ pub struct LibAflFuzzEventHook {
     exit_on_solution: bool,
 }
 
-impl LibAflFuzzEventHook {
-    pub fn new(exit_on_solution: bool) -> Self {
-        Self { exit_on_solution }
-    }
-}
-
 impl<S> EventManagerHook<S> for LibAflFuzzEventHook
 where
     S: State + Stoppable,

fuzzers/others/libafl-fuzz/src/main.rs

@@ -25,7 +25,7 @@ use fuzzer::run_client;
 use libafl::{
     events::{CentralizedLauncher, EventConfig},
     monitors::MultiMonitor,
-    schedulers::powersched::PowerSchedule,
+    schedulers::powersched::BaseSchedule,
     Error,
 };
 use libafl_bolts::{
@@ -126,7 +126,7 @@ struct Opt {
     rng_seed: Option<u64>,
     /// power schedules compute a seed's performance score: explore(default), fast, exploit, seek, rare, mmopt, coe, lin
     #[arg(short = 'p')]
-    power_schedule: Option<PowerSchedule>,
+    power_schedule: Option<BaseSchedule>,
     /// enable `CmpLog` by specifying a binary compiled for it.
     #[arg(short = 'c')]
     cmplog: Option<String>,

fuzzers/others/libfuzzer_windows_asan/src/lib.rs

@@ -114,7 +114,11 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = IndexesLenTimeMinimizerScheduler::new(
         &edges_observer,
-        StdWeightedScheduler::with_schedule(&mut state, &edges_observer, Some(PowerSchedule::FAST)),
+        StdWeightedScheduler::with_schedule(
+            &mut state,
+            &edges_observer,
+            Some(PowerSchedule::fast()),
+        ),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/others/tutorial/src/lib.rs

@@ -135,7 +135,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // A minimization+queue policy to get testcasess from the corpus
     let scheduler = PacketLenMinimizerScheduler::new(
         &edges_observer,
-        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+        PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
     );
 
     // A fuzzer with feedbacks and a corpus scheduler

fuzzers/qemu/qemu_launcher/src/instance.rs

@@ -127,7 +127,7 @@ impl<'a, M: Monitor> Instance<'a, M> {
         // A minimization+queue policy to get testcasess from the corpus
         let scheduler = IndexesLenTimeMinimizerScheduler::new(
             &edges_observer,
-            PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST),
+            PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()),
         );
 
         let observers = tuple_list!(edges_observer, time_observer);

libafl/src/schedulers/powersched.rs

@@ -155,10 +155,104 @@ impl SchedulerMetadata {
     }
 }
 
+/// The struct for the powerschedule algorithm
+#[derive(Debug, Clone, Serialize, Deserialize, Copy)]
+pub struct PowerSchedule {
+    base: BaseSchedule,
+    avoid_crash: bool,
+}
+
+impl PowerSchedule {
+    #[must_use]
+    /// Constructor
+    pub fn new(base: BaseSchedule) -> Self {
+        Self {
+            base,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `explore` power schedule
+    #[must_use]
+    pub fn explore() -> Self {
+        Self {
+            base: BaseSchedule::EXPLORE,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `exploit` power schedule
+    #[must_use]
+    pub fn exploit() -> Self {
+        Self {
+            base: BaseSchedule::EXPLOIT,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `fast` power schedule
+    #[must_use]
+    pub fn fast() -> Self {
+        Self {
+            base: BaseSchedule::FAST,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `coe` power schedule
+    #[must_use]
+    pub fn coe() -> Self {
+        Self {
+            base: BaseSchedule::COE,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `lin` power schedule
+    #[must_use]
+    pub fn lin() -> Self {
+        Self {
+            base: BaseSchedule::LIN,
+            avoid_crash: false,
+        }
+    }
+
+    /// Use `quad` power schedule
+    #[must_use]
+    pub fn quad() -> Self {
+        Self {
+            base: BaseSchedule::QUAD,
+            avoid_crash: false,
+        }
+    }
+
+    /// Getter to `avoid_crash`
+    #[must_use]
+    pub fn avoid_crash(&self) -> bool {
+        self.avoid_crash
+    }
+
+    /// Avoid scheduling testcases that caused crashes
+    pub fn set_avoid_crash(&mut self) {
+        self.avoid_crash = true;
+    }
+
+    /// Getter to the base scheduler
+    #[must_use]
+    pub fn base(&self) -> &BaseSchedule {
+        &self.base
+    }
+
+    /// Setter to the base scheduler
+    pub fn set_base(&mut self, base: BaseSchedule) {
+        self.base = base;
+    }
+}
+
 /// The power schedule to use
 #[derive(Serialize, Deserialize, Clone, Copy, Debug, PartialEq, Eq)]
 #[cfg_attr(feature = "clap", derive(clap::ValueEnum))]
-pub enum PowerSchedule {
+pub enum BaseSchedule {
     /// The `explore` power schedule
     EXPLORE,
     /// The `exploit` power schedule

libafl/src/schedulers/testcase_score.rs

@@ -9,7 +9,7 @@ use crate::{
     feedbacks::MapIndexesMetadata,
     schedulers::{
         minimizer::{IsFavoredMetadata, TopRatedsMetadata},
-        powersched::{PowerSchedule, SchedulerMetadata},
+        powersched::{BaseSchedule, SchedulerMetadata},
     },
     state::HasCorpus,
     Error, HasMetadata,
@@ -71,7 +71,7 @@ where
         let psmeta = state.metadata::<SchedulerMetadata>()?;
 
         let fuzz_mu = if let Some(strat) = psmeta.strat() {
-            if strat == PowerSchedule::COE {
+            if *strat.base() == BaseSchedule::COE {
                 let corpus = state.corpus();
                 let mut n_paths = 0;
                 let mut v = 0.0;
@@ -175,14 +175,14 @@ where
         // COE and Fast schedule are fairly different from what are described in the original thesis,
         // This implementation follows the changes made in this pull request https://github.com/AFLplusplus/AFLplusplus/pull/568
         if let Some(strat) = psmeta.strat() {
-            match strat {
+            match strat.base() {
-                PowerSchedule::EXPLORE => {
+                BaseSchedule::EXPLORE => {
                     // Nothing happens in EXPLORE
                 }
-                PowerSchedule::EXPLOIT => {
+                BaseSchedule::EXPLOIT => {
                     factor = MAX_FACTOR;
                 }
-                PowerSchedule::COE => {
+                BaseSchedule::COE => {
                     if libm::log2(f64::from(psmeta.n_fuzz()[tcmeta.n_fuzz_entry()])) > fuzz_mu
                         && !favored
                     {
@@ -190,7 +190,7 @@ where
                         factor = 0.0;
                     }
                 }
-                PowerSchedule::FAST => {
+                BaseSchedule::FAST => {
                     if entry.scheduled_count() != 0 {
                         let lg = libm::log2(f64::from(psmeta.n_fuzz()[tcmeta.n_fuzz_entry()]));
 
@@ -229,11 +229,11 @@ where
                         }
                     }
                 }
-                PowerSchedule::LIN => {
+                BaseSchedule::LIN => {
                     factor = (entry.scheduled_count() as f64)
                         / f64::from(psmeta.n_fuzz()[tcmeta.n_fuzz_entry()] + 1);
                 }
-                PowerSchedule::QUAD => {
+                BaseSchedule::QUAD => {
                     factor = ((entry.scheduled_count() * entry.scheduled_count()) as f64)
                         / f64::from(psmeta.n_fuzz()[tcmeta.n_fuzz_entry()] + 1);
                 }
@@ -241,7 +241,7 @@ where
         }
 
         if let Some(strat) = psmeta.strat() {
-            if strat != PowerSchedule::EXPLORE {
+            if *strat.base() != BaseSchedule::EXPLORE {
                 if factor > MAX_FACTOR {
                     factor = MAX_FACTOR;
                 }
@@ -252,7 +252,7 @@ where
 
         // Lower bound if the strat is not COE.
         if let Some(strat) = psmeta.strat() {
-            if strat == PowerSchedule::COE && perf_score < 1.0 {
+            if *strat.base() == BaseSchedule::COE && perf_score < 1.0 {
                 perf_score = 1.0;
             }
         }
@@ -262,6 +262,10 @@ where
             perf_score = HAVOC_MAX_MULT * 100.0;
         }
 
+        if entry.objectives_found() > 0 && psmeta.strat().map_or(false, |s| s.avoid_crash()) {
+            perf_score *= 0.00;
+        }
+
         Ok(perf_score)
     }
 }
@@ -303,15 +307,17 @@ where
 
         let q_bitmap_size = tcmeta.bitmap_size() as f64;
 
-        if let Some(
+        if let Some(ps) = psmeta.strat() {
-            PowerSchedule::FAST | PowerSchedule::COE | PowerSchedule::LIN | PowerSchedule::QUAD,
+            match ps.base() {
-        ) = psmeta.strat()
+                BaseSchedule::FAST | BaseSchedule::COE | BaseSchedule::LIN | BaseSchedule::QUAD => {
-        {
                     let hits = psmeta.n_fuzz()[tcmeta.n_fuzz_entry()];
                     if hits > 0 {
                         weight /= libm::log10(f64::from(hits)) + 1.0;
                     }
                 }
+                _ => (),
+            }
+        }
 
         weight *= avg_exec_us / q_exec_us;
         weight *= libm::log2(q_bitmap_size).max(1.0) / avg_bitmap_size;
@@ -333,6 +339,10 @@ where
             weight *= 2.0;
         }
 
+        if entry.objectives_found() > 0 && psmeta.strat().map_or(false, |s| s.avoid_crash()) {
+            weight *= 0.00;
+        }
+
         assert!(weight.is_normal());
 
         Ok(weight)

libafl/src/schedulers/weighted.rs

@@ -13,13 +13,14 @@ use libafl_bolts::{
 };
 use serde::{Deserialize, Serialize};
 
+use super::powersched::PowerSchedule;
 use crate::{
     corpus::{Corpus, CorpusId, HasTestcase, Testcase},
     inputs::UsesInput,
     observers::{MapObserver, ObserversTuple},
     random_corpus_id,
     schedulers::{
-        powersched::{PowerSchedule, SchedulerMetadata},
+        powersched::{BaseSchedule, SchedulerMetadata},
         testcase_score::{CorpusWeightTestcaseScore, TestcaseScore},
         AflScheduler, HasQueueCycles, RemovableScheduler, Scheduler,
     },
@@ -236,21 +237,23 @@ where
     }
 
     /// Cycles the strategy of the scheduler; tries to mimic AFL++'s cycling formula
-    fn cycle_schedule(&mut self, metadata: &mut SchedulerMetadata) -> Result<PowerSchedule, Error> {
+    fn cycle_schedule(&mut self, metadata: &mut SchedulerMetadata) -> Result<(), Error> {
-        let next_strat = match metadata.strat().ok_or(Error::illegal_argument(
+        let mut ps = metadata.strat().ok_or(Error::illegal_argument(
             "No strategy specified when initializing scheduler; cannot cycle!",
-        ))? {
+        ))?;
-            PowerSchedule::EXPLORE => PowerSchedule::EXPLOIT,
+        let new_base = match ps.base() {
-            PowerSchedule::COE => PowerSchedule::LIN,
+            BaseSchedule::EXPLORE => BaseSchedule::EXPLOIT,
-            PowerSchedule::LIN => PowerSchedule::QUAD,
+            BaseSchedule::COE => BaseSchedule::LIN,
-            PowerSchedule::FAST => PowerSchedule::COE,
+            BaseSchedule::LIN => BaseSchedule::QUAD,
-            PowerSchedule::QUAD => PowerSchedule::FAST,
+            BaseSchedule::FAST => BaseSchedule::COE,
-            PowerSchedule::EXPLOIT => PowerSchedule::EXPLORE,
+            BaseSchedule::QUAD => BaseSchedule::FAST,
+            BaseSchedule::EXPLOIT => BaseSchedule::EXPLORE,
         };
-        metadata.set_strat(Some(next_strat));
+        ps.set_base(new_base);
+        metadata.set_strat(Some(ps));
         // We need to recalculate the scores of testcases.
         self.table_invalidated = true;
-        Ok(next_strat)
+        Ok(())
     }
 }
 

libafl_libfuzzer/runtime/src/lib.rs

@@ -413,7 +413,7 @@ macro_rules! fuzz_with {
             let grimoire = IfStage::new(|_, _, _, _| Ok(grimoire.into()), (StdMutationalStage::transforming(grimoire_mutator), ()));
 
             // A minimization+queue policy to get testcasess from the corpus
-            let scheduler = IndexesLenTimeMinimizerScheduler::new(&edges_observer, PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::FAST));
+            let scheduler = IndexesLenTimeMinimizerScheduler::new(&edges_observer, PowerQueueScheduler::new(&mut state, &edges_observer, PowerSchedule::fast()));
 
             // A fuzzer with feedbacks and a corpus scheduler
             let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);