diff --git a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs index 251c82e324..a9e56533d6 100644 --- a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs +++ b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs @@ -1,5 +1,6 @@ //! A singlethreaded QEMU fuzzer that can auto-restart. +use libafl::corpus::QueueCorpusScheduler; use libafl_qemu::QemuInstrumentationFilter; use wcet_qemu_sys::sysstate::helpers::QemuSystemStateHelper; use wcet_qemu_sys::sysstate::observers::QemuSysStateObserver; @@ -126,6 +127,11 @@ pub fn main() { .long("libafl-edges") .takes_value(true), ) + .arg( + Arg::new("traces") + .long("libafl-traces") + .takes_value(true), + ) .arg( Arg::new("snapshot") .help("The qcow2 file used for snapshots") @@ -190,9 +196,14 @@ pub fn main() { None => None }; + let traces = match res.value_of("traces") { + Some(st) => Some(PathBuf::from(st.to_string())), + None => None + }; + let snapshot = PathBuf::from(res.value_of("snapshot").unwrap().to_string()); - fuzz(out_dir, crashes, in_dir, tokens, logfile, timeout, kernel, edges, snapshot) + fuzz(out_dir, crashes, in_dir, tokens, logfile, timeout, kernel, edges, traces, snapshot) .expect("An error occurred while fuzzing"); } @@ -216,9 +227,10 @@ fn fuzz( seed_dir: PathBuf, tokenfile: Option, logfile: PathBuf, - timeout: Duration, + _timeout: Duration, kernel: PathBuf, dump_edges: Option, + dump_traces: Option, snapshot: PathBuf, ) -> Result<(), Error> { env::remove_var("LD_LIBRARY_PATH"); 
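Review bot: The new `traces` argument in the `@@ -126,6 +127,11 @@` hunk has no `.help(...)` text, unlike the neighbouring `snapshot` argument that carries `.help("The qcow2 file used for snapshots")`, so `--help` will list `--libafl-traces` with no description. Add a help line between `Arg::new("traces")` and `.long("libafl-traces")`, along the lines of `.help("File to write execution traces to")`, adjusted to what `dump_traces` actually writes — its consumer is not visible in this diff.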
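Review bot: The added `let traces = match res.value_of("traces") { Some(st) => Some(PathBuf::from(st.to_string())), None => None };` in the `@@ -190,9 +196,14 @@` hunk is a hand-written `Option::map` (clippy `manual_map`), and the `to_string()` is a needless allocation since `PathBuf: From<&str>`. It can be written as `let traces = res.value_of("traces").map(PathBuf::from);`; the `None => None };` just above the hunk suggests the existing binding for `edges` has the same shape and could follow suit. `main` continues outside the hunk on both sides.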
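Review bot: Renaming the parameter to `_timeout` in the `@@ -216,9 +227,10 @@` hunk silences the unused-variable warning but means the value the caller still passes as `timeout` is now ignored, because `let executor = TimeoutExecutor::new(executor, timeout);` is commented out in the `@@ -407,9 +420,9 @@` hunk. With no per-execution wall-clock bound left, an input that keeps the guest running indefinitely would presumably stall the whole fuzz loop instead of being reported as a timeout. If dropping the bound is intended, remove the parameter and the CLI plumbing that feeds it rather than keeping a dead argument; otherwise keep `timeout: Duration` and restore the `TimeoutExecutor` wrap. `fuzz` continues past the end of this hunk.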
@@ -351,19 +363,20 @@ fn fuzz( ) }); - let calibration = CalibrationStage::new(&mut state, &edges_observer); + // let calibration = CalibrationStage::new(&mut state, &edges_observer); // Setup a randomic Input2State stage - let i2s = StdMutationalStage::new(StdScheduledMutator::new(tuple_list!(I2SRandReplace::new()))); + // let i2s = StdMutationalStage::new(StdScheduledMutator::new(tuple_list!(I2SRandReplace::new()))); // Setup a MOPT mutator let mutator = StdMOptMutator::new(&mut state, havoc_mutations().merge(tokens_mutations()), 5)?; - let power = PowerMutationalStage::new(mutator, PowerSchedule::FAST, &edges_observer); + // let power = PowerMutationalStage::new(mutator, PowerSchedule::FAST, &edges_observer); + let mutation = StdMutationalStage::new(mutator); // A minimization+queue policy to get testcasess from the corpus // let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new()); - let scheduler = LenTimeMaximizerCorpusScheduler::new(PowerQueueCorpusScheduler::new()); + let scheduler = QueueCorpusScheduler::new(); // A fuzzer with feedbacks and a corpus scheduler @@ -390,7 +403,7 @@ fn fuzz( }; let system_state_filter = QemuInstrumentationFilter::AllowList(vec![svh..svh+1]); - let executor = QemuExecutor::new( + let mut executor = QemuExecutor::new( &mut harness, &emu, tuple_list!( @@ -407,9 +420,9 @@ fn fuzz( )?; // Create the executor for an in-process function with one observer for edge coverage and one for the execution time - let executor = TimeoutExecutor::new(executor, timeout); + // let executor = TimeoutExecutor::new(executor, timeout); // Show the cmplog observer - let mut executor = ShadowExecutor::new(executor, tuple_list!(cmplog_observer)); + // let mut executor = ShadowExecutor::new(executor, tuple_list!(cmplog_observer)); // Read tokens if let Some(tokenfile) = &tokenfile { 
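Review bot: The calibration, I2S and power stages are left as commented-out code (`// let calibration = …`, `// let i2s = …`, `// let power = …`) rather than deleted, and the same pattern repeats for the executor wrappers in `@@ -407,9 +420,9 @@` and the tracing stage in `@@ -435,10 +448,10 @@`. Git history already preserves the old pipeline; commented-out lines go stale silently and, if the imports for `CalibrationStage`, `PowerMutationalStage`, `I2SRandReplace`, `ShadowTracingStage`, `TimeoutExecutor`, `ShadowExecutor` and the old schedulers are still at the top of the file (outside this diff), they now produce unused-import warnings, as does `cmplog_observer` if it is still constructed above the hunk. Delete the lines, or if this is a deliberate temporary experiment, replace them with a single comment stating why, e.g. `// NOTE: calibration/power/tracing stages disabled for now; plain mutational loop only` with the actual reason. The `dump_traces` parameter added in the signature hunk is not consumed in any visible hunk either; if it is wired up further down in `fuzz`, fine, otherwise it is a second dead argument.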
@@ -435,10 +448,10 @@ fn fuzz( } } - let tracing = ShadowTracingStage::new(&mut executor); + // let tracing = ShadowTracingStage::new(&mut executor); // The order of the stages matter! - let mut stages = tuple_list!(calibration, tracing, i2s, power); + let mut stages = tuple_list!(mutation); // Remove target ouput (logs still survive) #[cfg(unix)]