add feature flags for fuzz components

This commit is contained in:
Alwin Berger 2022-05-04 22:55:26 +02:00
parent 18a592d763
commit 70dec21c8c
2 changed files with 59 additions and 36 deletions


@ -9,6 +9,19 @@ default = ["std"]
std = [] std = []
multicore = [] multicore = []
# select which feedbacks to use. enable at least one.
feed_afl = []
feed_clock = []
feed_state = []
feed_graph = []
# choose exactly one scheduler
sched_queue = []
sched_state = []
sched_graph = []
muta_snip = [ "sched_graph" ]
[profile.release] [profile.release]
debug = true debug = true
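Review bot: With the new `sched_*` flags, the `default = ["std"]` shown in the hunk header's context selects no scheduler, so a plain `cargo build` would leave the source's feature-gated `let scheduler` unset unless a `sched_*` feature is passed explicitly; Cargo features are additive, so the `# choose exactly one scheduler` comment states a constraint the manifest cannot enforce. If the previous setup (MaxMap, clock and SysMap feedbacks, graph scheduler, snippet mutator) is the intended default, `default = ["std", "feed_afl", "feed_graph", "sched_graph", "muta_snip"]` keeps `cargo build` working, while the exclusivity itself has to be checked in the source with `compile_error!`. The comment `# select which feedbacks to use. enable at least one.` also overstates the requirement, since the source now keeps `ClockFeedback` unconditionally; `# optional extra feedbacks; the clock feedback is always enabled` would match the code.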


@ -1,5 +1,8 @@
//! A singlethreaded QEMU fuzzer that can auto-restart. //! A singlethreaded QEMU fuzzer that can auto-restart.
use libafl::inputs::Input;
use libafl::feedbacks::Feedback;
use libafl::HasFeedback;
use libafl::bolts::tuples::MatchName; use libafl::bolts::tuples::MatchName;
use libafl::state::HasFeedbackStates; use libafl::state::HasFeedbackStates;
use wcet_qemu_sys::sysstate::graph::SysGraphMetadata; use wcet_qemu_sys::sysstate::graph::SysGraphMetadata;
@ -333,13 +336,15 @@ fn fuzz(
let clock_observer = QemuClockObserver::default(); let clock_observer = QemuClockObserver::default();
// Create an observation channel using cmplog map // Create an observation channel using cmplog map
let cmplog_observer = CmpLogObserver::new("cmplog", unsafe { &mut cmplog::CMPLOG_MAP }, true); // let cmplog_observer = CmpLogObserver::new("cmplog", unsafe { &mut cmplog::CMPLOG_MAP }, true);
// The state of the edges feedback. // The state of the edges feedback.
let feedback_state = MapFeedbackState::with_observer(&edges_observer); let feedback_state = MapFeedbackState::with_observer(&edges_observer);
let sysstate_observer = QemuSysStateObserver::new(); let sysstate_observer = QemuSysStateObserver::new();
// let sysstate_feedback_state = SysStateFeedbackState::default(); #[cfg(feature = "sched_state")]
let sysstate_feedback_state = SysStateFeedbackState::default();
#[cfg(not(feature = "sched_state"))]
let sysstate_feedback_state = SysGraphFeedbackState::new(); let sysstate_feedback_state = SysGraphFeedbackState::new();
let target_map : HashMap<(u64,u64),u8> = match dump_edges { let target_map : HashMap<(u64,u64),u8> = match dump_edges {
@ -359,20 +364,19 @@ fn fuzz(
}, },
}; };
// Feedback to rate the interestingness of an input // Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR let feedback = ClockFeedback::new_with_observer(&clock_observer);
let feedback = feedback_or!( #[cfg(feature = "feed_afl")]
// New maximization map feedback linked to the edges observer and the feedback state let feedback = feedback_or!(feedback, MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false));
MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false), #[cfg(feature = "feed_clock")]
// HitImprovingFeedback::new(target_map.clone(), &edges_observer), let feedback = feedback_or!(feedback, QemuClockIncreaseFeedback::default());
// QemuClockIncreaseFeedback::default(), #[cfg(feature = "feed_state")]
ClockFeedback::new_with_observer(&clock_observer), let feedback = feedback_or!(feedback, NovelSysStateFeedback::default());
// NovelSysStateFeedback::default(), #[cfg(feature = "feed_graph")]
SysMapFeedback::new() let feedback = feedback_or!(feedback, SysMapFeedback::new());
);
// A feedback to choose if an input is a solution or not // A feedback to choose if an input is a solution or not
// let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer),HitSysStateFeedback::new(target_trace)); let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer),HitSysStateFeedback::new(target_trace));
let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer)); // let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer));
// let objective = SortedFeedback::new(); // let objective = SortedFeedback::new();
// create a State from scratch // create a State from scratch
@ -396,20 +400,25 @@ fn fuzz(
// Setup a randomic Input2State stage // Setup a randomic Input2State stage
// let i2s = StdMutationalStage::new(StdScheduledMutator::new(tuple_list!(I2SRandReplace::new()))); // let i2s = StdMutationalStage::new(StdScheduledMutator::new(tuple_list!(I2SRandReplace::new())));
#[cfg(feature = "muta_snip")]
let mutator_list = havoc_mutations().merge(tokens_mutations())
.merge(tuple_list!(RandGraphSnippetMutator::new()));
#[cfg(not(feature = "muta_snip"))]
let mutator_list = havoc_mutations().merge(tokens_mutations());
// Setup a MOPT mutator // Setup a MOPT mutator
let mutator = StdMOptMutator::new(&mut state, havoc_mutations() let mutator = StdMOptMutator::new(&mut state, mutator_list,5)?;
.merge(tokens_mutations())
.merge(tuple_list!(RandGraphSnippetMutator::new())),
5)?;
// let power = PowerMutationalStage::new(mutator, PowerSchedule::FAST, &edges_observer); // let power = PowerMutationalStage::new(mutator, PowerSchedule::FAST, &edges_observer);
let mutation = StdMutationalStage::new(mutator); let mutation = StdMutationalStage::new(mutator);
// A minimization+queue policy to get testcasess from the corpus // A minimization+queue policy to get testcasess from the corpus
// let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new()); // let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new());
// let scheduler = TimeStateMaximizerCorpusScheduler::new(QueueCorpusScheduler::new()); #[cfg(feature = "sched_queue")]
let scheduler = QueueCorpusScheduler::new();
#[cfg(feature = "sched_state")]
let scheduler = TimeStateMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
#[cfg(feature = "sched_graph")]
let scheduler = GraphMaximizerCorpusScheduler::new(QueueCorpusScheduler::new()); let scheduler = GraphMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
// let scheduler = QueueCorpusScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler // A fuzzer with feedbacks and a corpus scheduler
@ -512,14 +521,16 @@ fn fuzz(
dup2(null_fd, io::stderr().as_raw_fd())?; dup2(null_fd, io::stderr().as_raw_fd())?;
} }
// fuzzer
// .fuzz_for_solution(&mut stages, &mut executor, &mut state, &mut mgr)
// .expect("Error in the fuzzing loop");
fuzzer fuzzer
.fuzz_loop_for(&mut stages, &mut executor, &mut state, &mut mgr, 20) .fuzz_for_solution_or_n(&mut stages, &mut executor, &mut state, &mut mgr, 10000)
.expect("Error in the fuzzing loop"); .expect("Error in the fuzzing loop");
// fuzzer
// .fuzz_loop_for(&mut stages, &mut executor, &mut state, &mut mgr, 20)
// .expect("Error in the fuzzing loop");
#[cfg(feature = "feed_graph")]
{
let feedbackstate = state let feedbackstate = state
.feedback_states() .feedback_states()
.match_name::<SysGraphFeedbackState>("SysMap") .match_name::<SysGraphFeedbackState>("SysMap")
@ -528,10 +539,9 @@ fn fuzz(
|_, n| n.get_taskname(), |_, n| n.get_taskname(),
|_, e| e, |_, e| e,
); );
// println!("{:?}",feedbackstate.graph);
// println!("{:?}",Dot::with_config(&feedbackstate.graph, &[Config::EdgeNoLabel]));
let tempg = format!("{:?}",Dot::with_config(&newgraph, &[Config::EdgeNoLabel])); let tempg = format!("{:?}",Dot::with_config(&newgraph, &[Config::EdgeNoLabel]));
fs::write("./graph.dot",tempg).expect("Graph can not be written"); fs::write("./graph.dot",tempg).expect("Graph can not be written");
}
// Never reached // Never reached
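Review bot: The three feature-gated `let scheduler` bindings in the 396 hunk (`sched_queue`, `sched_state`, `sched_graph`) silently shadow each other when more than one `sched_*` feature is enabled, and leave `scheduler` undefined with an unrelated-looking error when none is; Cargo features are additive, so nothing enforces the "exactly one" rule. A `compile_error!` guard at crate level, next to the `use` lines in the first hunk, turns both cases into an explicit build failure (the `sched_state`-gated `sysstate_feedback_state` pair in the 333 hunk is total via `cfg`/`cfg(not)`, so it does not need one). The `feed_graph`-gated block at the end of the 512 hunk looks up `SysGraphFeedbackState` by name, but that state is only constructed when `sched_state` is off, so `feed_graph` together with `sched_state` presumably fails at runtime there; that combination is worth guarding or at least documenting. `fuzz_for_solution_or_n(..., 10000)` also introduces an unexplained bound where the old call used 20; a named constant with a one-line comment on what the iteration count means would help, and `fn fuzz` itself begins and ends outside the hunks.
```rust
// Crate-level guard: the sched_* features are mutually exclusive and one is required.
#[cfg(not(any(feature = "sched_queue", feature = "sched_state", feature = "sched_graph")))]
compile_error!("enable exactly one of the sched_queue, sched_state, sched_graph features");
#[cfg(any(
    all(feature = "sched_queue", feature = "sched_state"),
    all(feature = "sched_queue", feature = "sched_graph"),
    all(feature = "sched_state", feature = "sched_graph"),
))]
compile_error!("the sched_queue, sched_state and sched_graph features are mutually exclusive");
// … unchanged: use declarations and fn fuzz …
```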