add feature flags for fuzz components

2022-05-04 22:55:26 +02:00 · 2022-05-04 22:55:26 +02:00 · 70dec21c8c
commit 70dec21c8c
parent 18a592d763
2 changed files with 59 additions and 36 deletions
--- a/fuzzers/wcet_qemu_sys/Cargo.toml
+++ b/fuzzers/wcet_qemu_sys/Cargo.toml
@ -9,6 +9,19 @@ default = ["std"]
 std = []
 multicore = []

+# select which feedbacks to use. enable at least one.
+feed_afl = []
+feed_clock = []
+feed_state = []
+feed_graph = []
+
+# choose exactly one scheduler
+sched_queue = []
+sched_state = []
+sched_graph = []
+
+muta_snip = [ "sched_graph" ]
+
 [profile.release]
 debug = true

--- a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
+++ b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
@ -1,5 +1,8 @@
 //! A singlethreaded QEMU fuzzer that can auto-restart.

+use libafl::inputs::Input;
+use libafl::feedbacks::Feedback;
+use libafl::HasFeedback;
 use libafl::bolts::tuples::MatchName;
 use libafl::state::HasFeedbackStates;
 use wcet_qemu_sys::sysstate::graph::SysGraphMetadata;
@ -333,13 +336,15 @@ fn fuzz(
    let clock_observer = QemuClockObserver::default();

    // Create an observation channel using cmplog map
-    let cmplog_observer = CmpLogObserver::new("cmplog", unsafe { &mut cmplog::CMPLOG_MAP }, true);
+    // let cmplog_observer = CmpLogObserver::new("cmplog", unsafe { &mut cmplog::CMPLOG_MAP }, true);

    // The state of the edges feedback.
    let feedback_state = MapFeedbackState::with_observer(&edges_observer);
    
    let sysstate_observer = QemuSysStateObserver::new();
-    // let sysstate_feedback_state = SysStateFeedbackState::default();
+    #[cfg(feature = "sched_state")]
+    let sysstate_feedback_state = SysStateFeedbackState::default();
+    #[cfg(not(feature = "sched_state"))]
    let sysstate_feedback_state = SysGraphFeedbackState::new();

    let target_map : HashMap<(u64,u64),u8> = match dump_edges {
@ -359,20 +364,19 @@ fn fuzz(
        },
    };
    // Feedback to rate the interestingness of an input
-    // This one is composed by two Feedbacks in OR
-    let feedback = feedback_or!(
-        // New maximization map feedback linked to the edges observer and the feedback state
-        MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false),
-        // HitImprovingFeedback::new(target_map.clone(), &edges_observer),
-        // QemuClockIncreaseFeedback::default(),
-        ClockFeedback::new_with_observer(&clock_observer),
-        // NovelSysStateFeedback::default(),
-        SysMapFeedback::new()
-    );
+    let feedback = ClockFeedback::new_with_observer(&clock_observer);
+    #[cfg(feature = "feed_afl")]
+    let feedback = feedback_or!(feedback, MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false));
+    #[cfg(feature = "feed_clock")]
+    let feedback = feedback_or!(feedback, QemuClockIncreaseFeedback::default());
+    #[cfg(feature = "feed_state")]
+    let feedback = feedback_or!(feedback, NovelSysStateFeedback::default());
+    #[cfg(feature = "feed_graph")]
+    let feedback = feedback_or!(feedback, SysMapFeedback::new());

    // A feedback to choose if an input is a solution or not
-    // let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer),HitSysStateFeedback::new(target_trace));
-    let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer));
+    let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer),HitSysStateFeedback::new(target_trace));
+    // let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer));
    // let objective = SortedFeedback::new();

    // create a State from scratch
@ -396,20 +400,25 @@ fn fuzz(
    // Setup a randomic Input2State stage
    // let i2s = StdMutationalStage::new(StdScheduledMutator::new(tuple_list!(I2SRandReplace::new())));

+    #[cfg(feature = "muta_snip")]
+    let mutator_list = havoc_mutations().merge(tokens_mutations())
+        .merge(tuple_list!(RandGraphSnippetMutator::new()));
+    #[cfg(not(feature = "muta_snip"))]
+    let mutator_list = havoc_mutations().merge(tokens_mutations());
    // Setup a MOPT mutator
-    let mutator = StdMOptMutator::new(&mut state, havoc_mutations()
-        .merge(tokens_mutations())
-        .merge(tuple_list!(RandGraphSnippetMutator::new())),
-        5)?;
+    let mutator = StdMOptMutator::new(&mut state, mutator_list,5)?;

    // let power = PowerMutationalStage::new(mutator, PowerSchedule::FAST, &edges_observer);
    let mutation = StdMutationalStage::new(mutator);

    // A minimization+queue policy to get testcasess from the corpus
    // let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new());
-    // let scheduler = TimeStateMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
+    #[cfg(feature = "sched_queue")]
+    let scheduler = QueueCorpusScheduler::new();
+    #[cfg(feature = "sched_state")]
+    let scheduler = TimeStateMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
+    #[cfg(feature = "sched_graph")]
    let scheduler = GraphMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
-    // let scheduler = QueueCorpusScheduler::new();
    

    // A fuzzer with feedbacks and a corpus scheduler
@ -512,26 +521,27 @@ fn fuzz(
        dup2(null_fd, io::stderr().as_raw_fd())?;
    }

-    // fuzzer
-    //     .fuzz_for_solution(&mut stages, &mut executor, &mut state, &mut mgr)
-    //     .expect("Error in the fuzzing loop");
    fuzzer
-        .fuzz_loop_for(&mut stages, &mut executor, &mut state, &mut mgr, 20)
+        .fuzz_for_solution_or_n(&mut stages, &mut executor, &mut state, &mut mgr, 10000)
        .expect("Error in the fuzzing loop");
+    // fuzzer
+    //     .fuzz_loop_for(&mut stages, &mut executor, &mut state, &mut mgr, 20)
+    //     .expect("Error in the fuzzing loop");
        

-    let feedbackstate = state
-        .feedback_states()
-        .match_name::<SysGraphFeedbackState>("SysMap")
-        .unwrap();
-    let newgraph = feedbackstate.graph.map(
-        |_, n| n.get_taskname(),
-        |_, e| e,
-    );
-    // println!("{:?}",feedbackstate.graph);
-    // println!("{:?}",Dot::with_config(&feedbackstate.graph, &[Config::EdgeNoLabel]));
-    let tempg = format!("{:?}",Dot::with_config(&newgraph, &[Config::EdgeNoLabel]));
-    fs::write("./graph.dot",tempg).expect("Graph can not be written");
+    #[cfg(feature = "feed_graph")]
+    {
+        let feedbackstate = state
+            .feedback_states()
+            .match_name::<SysGraphFeedbackState>("SysMap")
+            .unwrap();
+        let newgraph = feedbackstate.graph.map(
+            |_, n| n.get_taskname(),
+            |_, e| e,
+        );
+        let tempg = format!("{:?}",Dot::with_config(&newgraph, &[Config::EdgeNoLabel]));
+        fs::write("./graph.dot",tempg).expect("Graph can not be written");
+    }


    // Never reached