update input sizes, dump worstcase, benchmarking
This commit is contained in:
parent
594554eca0
commit
9cadc5d61c
@ -1,4 +1,4 @@
|
||||
TIME=1600
|
||||
TIME=5400
|
||||
|
||||
corpora/%/seed:
|
||||
mkdir -p $$(dirname $@)
|
||||
@ -13,7 +13,7 @@ corpora/%/seed:
|
||||
DUMP_SEED=seed; \
|
||||
../fuzzer.sh
|
||||
|
||||
timedump/%$(FUZZ_RANDOM): corpora/%/seed
|
||||
timedump/%$(FUZZ_RANDOM)$(SUFFIX): corpora/%/seed
|
||||
mkdir -p $$(dirname $@)
|
||||
LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \
|
||||
export \
|
||||
@ -23,7 +23,8 @@ timedump/%$(FUZZ_RANDOM): corpora/%/seed
|
||||
FUZZ_INPUT_LEN=$$(echo $$LINE | cut -d, -f4) \
|
||||
BREAKPOINT=$$(echo $$LINE | cut -d, -f5) \
|
||||
SEED_RANDOM=1 \
|
||||
TIME_DUMP=benchmark/$@; \
|
||||
TIME_DUMP=benchmark/$@ \
|
||||
CASE_DUMP=benchmark/$@.case; \
|
||||
../fuzzer.sh + + + + + $(TIME) + + + > $@_log
|
||||
#SEED_DIR=benchmark/corpora/$*
|
||||
|
||||
@ -33,18 +34,24 @@ all_sequential: timedump/sequential/mpeg2$(FUZZ_RANDOM) timedump/sequential/dijk
|
||||
|
||||
all_kernel: timedump/kernel/bsort$(FUZZ_RANDOM) timedump/kernel/insertsort$(FUZZ_RANDOM) #timedump/kernel/fft$(FUZZ_RANDOM)
|
||||
|
||||
all_app: timedump/app/lift$(FUZZ_RANDOM)
|
||||
|
||||
all_system: timedump/lift$(FUZZ_RANDOM)$(SUFFIX)
|
||||
|
||||
all_period: timedump/waters$(FUZZ_RANDOM)$(SUFFIX)
|
||||
|
||||
tacle_rtos: timedump/tacle_rtos$(FUZZ_RANDOM)
|
||||
|
||||
graphics:
|
||||
Rscript --vanilla plot_comparison.r sequential audiobeam
|
||||
Rscript --vanilla plot_comparison.r sequential dijkstra
|
||||
Rscript --vanilla plot_comparison.r sequential epic
|
||||
Rscript --vanilla plot_comparison.r sequential g723_enc
|
||||
# Rscript --vanilla plot_comparison.r sequential gsm_enc
|
||||
# Rscript --vanilla plot_comparison.r sequential huff_dec
|
||||
Rscript --vanilla plot_comparison.r sequential mpeg2
|
||||
Rscript --vanilla plot_comparison.r sequential rijndael_dec
|
||||
Rscript --vanilla plot_comparison.r sequential rijndael_enc
|
||||
Rscript --vanilla plot_comparison.r mnt/timedump/sequential audiobeam
|
||||
Rscript --vanilla plot_comparison.r mnt/timedump/sequential dijkstra
|
||||
Rscript --vanilla plot_comparison.r mnt/timedump/sequential epic
|
||||
Rscript --vanilla plot_comparison.r mnt/timedump/sequential g723_enc
|
||||
# Rscript --vanilla plot_comparison.r mnt/timedump/sequential gsm_enc
|
||||
# Rscript --vanilla plot_comparison.r mnt/timedump/sequential huff_dec
|
||||
Rscript --vanilla plot_comparison.r mnt/timedump/sequential mpeg2
|
||||
# Rscript --vanilla plot_comparison.r mnt/timedump/sequential rijndael_dec
|
||||
# Rscript --vanilla plot_comparison.r mnt/timedump/sequential rijndael_enc
|
||||
|
||||
clean:
|
||||
rm -rf corpora timedump
|
||||
@ -5,8 +5,8 @@ args = commandArgs(trailingOnly=TRUE)
|
||||
myolors=c("dark green","dark blue","dark red") # grün, balu, rot
|
||||
|
||||
if (length(args)==0) {
|
||||
runtype="timedump_exp02"
|
||||
target="tacle_rtos"
|
||||
runtype="timedump"
|
||||
target="waters"
|
||||
filename_1=sprintf("%s.png",target)
|
||||
filename_2=sprintf("%s_maxline.png",target)
|
||||
filename_3=sprintf("%s_hist.png",target)
|
||||
@ -19,7 +19,7 @@ if (length(args)==0) {
|
||||
# filename_1=args[3]
|
||||
}
|
||||
|
||||
file_1=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s",runtype,target)
|
||||
file_1=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_state",runtype,target)
|
||||
file_2=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_afl",runtype,target)
|
||||
file_3=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_random",runtype,target)
|
||||
timetrace <- read.table(file_1, quote="\"", comment.char="")
|
||||
|
||||
@ -13,4 +13,6 @@ huff_dec,huff_dec_main,huff_dec_encoded,419,huff_dec_return
|
||||
huff_enc,huff_enc_main,huff_enc_plaintext,600,huff_enc_return
|
||||
gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return
|
||||
tmr,main,FUZZ_INPUT,32,trigger_Qemu_break
|
||||
tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break
|
||||
tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break
|
||||
lift,main_lift,FUZZ_INPUT,100,trigger_Qemu_break
|
||||
waters,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
|
||||
|
@ -9,8 +9,10 @@ cd "$parent_path"
|
||||
[ -n "$5" -a "$5" != "+" -a -z "$BREAKPOINT" ] && export BREAKPOINT="$5"
|
||||
[ -n "$6" -a "$6" != "+" -a -z "$FUZZ_ITERS" ] && export FUZZ_ITERS="$6"
|
||||
[ -n "$7" -a "$7" != "+" -a -z "$TIME_DUMP" ] && export TIME_DUMP="$7"
|
||||
[ -n "$8" -a "$8" != "+" -a -z "$DO_SHOWMAP" ] && export DO_SHOWMAP="$8"
|
||||
[ -n "$9" -a "$9" != "+" -a -z "$SHOWMAP_TEXTINPUT" ] && export SHOWMAP_TEXTINPUT="$9"
|
||||
[ -n "$8" -a "$8" != "+" -a -z "$CASE_DUMP" ] && export CASE_DUMP="$8"
|
||||
[ -n "$9" -a "$9" != "+" -a -z "$DO_SHOWMAP" ] && export DO_SHOWMAP="$9"
|
||||
[ -n "${10}" -a "${10}" != "+" -a -z "$SHOWMAP_TEXTINPUT" ] && export SHOWMAP_TEXTINPUT="${10}"
|
||||
[ -n "${11}" -a "${11}" != "+" -a -z "$TRACE_DUMP" ] && export TRACE_DUMP="${11}"
|
||||
|
||||
[ -z "$FUZZER" ] && export FUZZER=target/debug/fret
|
||||
$FUZZER -icount shift=3,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
|
||||
$FUZZER -icount shift=4,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
|
||||
@ -28,7 +28,7 @@ use libafl::{
|
||||
stages::StdMutationalStage,
|
||||
state::{HasCorpus, StdState, HasMetadata},
|
||||
Error,
|
||||
prelude::{SimpleMonitor, SimpleEventManager, AsMutSlice, RandBytesGenerator, Generator, SimpleRestartingEventManager}, Evaluator,
|
||||
prelude::{SimpleMonitor, SimpleEventManager, AsMutSlice, RandBytesGenerator, Generator, SimpleRestartingEventManager, HasBytesVec}, Evaluator,
|
||||
};
|
||||
use libafl_qemu::{
|
||||
edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
|
||||
@ -151,6 +151,7 @@ pub fn fuzz() {
|
||||
if let Ok(input_len) = env::var("FUZZ_INPUT_LEN") {
|
||||
unsafe {MAX_INPUT_SIZE = str::parse::<usize>(&input_len).expect("FUZZ_INPUT_LEN was not a number");}
|
||||
}
|
||||
unsafe {dbg!(MAX_INPUT_SIZE);}
|
||||
|
||||
let mut run_client = |state: Option<_>, mut mgr, _core_id| {
|
||||
// Initialize QEMU
|
||||
@ -172,11 +173,11 @@ pub fn fuzz() {
|
||||
let mut harness = |input: &BytesInput| {
|
||||
let target = input.target_bytes();
|
||||
let mut buf = target.as_slice();
|
||||
let len = buf.len();
|
||||
let mut len = buf.len();
|
||||
unsafe {
|
||||
if len > MAX_INPUT_SIZE {
|
||||
buf = &buf[0..MAX_INPUT_SIZE];
|
||||
// len = MAX_INPUT_SIZE;
|
||||
len = MAX_INPUT_SIZE;
|
||||
}
|
||||
|
||||
emu.write_phys_mem(input_addr, buf);
|
||||
@ -222,7 +223,7 @@ pub fn fuzz() {
|
||||
);
|
||||
#[cfg(feature = "systemstate")]
|
||||
let mut feedback = feedback_or!(
|
||||
// DumpSystraceFeedback::with_dump(None),
|
||||
// DumpSystraceFeedback::with_dump(env::var("TRACE_DUMP").ok().map(PathBuf::from)),
|
||||
NovelSystemStateFeedback::default(),
|
||||
feedback
|
||||
);
|
||||
@ -377,6 +378,23 @@ pub fn fuzz() {
|
||||
}
|
||||
}
|
||||
}
|
||||
if let Ok(td) = env::var("CASE_DUMP") {
|
||||
println!("Dumping worst case to {:?}", td);
|
||||
let corpus = state.corpus();
|
||||
let mut worst = Duration::new(0,0);
|
||||
let mut worst_input = None;
|
||||
for i in 0..corpus.count() {
|
||||
let tc = corpus.get(i).expect("Could not get element from corpus").borrow();
|
||||
if worst < tc.exec_time().expect("Testcase missing duration") {
|
||||
worst_input = Some(tc.input().as_ref().unwrap().bytes().to_owned());
|
||||
worst = tc.exec_time().expect("Testcase missing duration");
|
||||
}
|
||||
}
|
||||
match worst_input {
|
||||
Some(wi) => {fs::write(&td,wi).expect("Failed to write worst corpus element");},
|
||||
None => (),
|
||||
}
|
||||
}
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
11
fuzzers/FRET/src/lib.rs
Normal file
11
fuzzers/FRET/src/lib.rs
Normal file
@ -0,0 +1,11 @@
|
||||
#![feature(is_sorted)]
|
||||
#[cfg(target_os = "linux")]
|
||||
mod fuzzer;
|
||||
#[cfg(target_os = "linux")]
|
||||
mod clock;
|
||||
#[cfg(target_os = "linux")]
|
||||
mod qemustate;
|
||||
#[cfg(target_os = "linux")]
|
||||
pub mod systemstate;
|
||||
#[cfg(target_os = "linux")]
|
||||
mod worst;
|
||||
@ -42,9 +42,9 @@ static mut CURRENT_SYSTEMSTATE_VEC: Vec<RawFreeRTOSSystemState> = vec![];
|
||||
/// A reduced version of freertos::TCB_t
|
||||
#[derive(Debug, Default, Serialize, Deserialize, Clone, PartialEq)]
|
||||
pub struct RefinedTCB {
|
||||
task_name: String,
|
||||
priority: u32,
|
||||
base_priority: u32,
|
||||
pub task_name: String,
|
||||
pub priority: u32,
|
||||
pub base_priority: u32,
|
||||
mutexes_held: u32,
|
||||
notify_value: u32,
|
||||
notify_state: u8,
|
||||
@ -94,11 +94,11 @@ impl RefinedTCB {
|
||||
/// Refined information about the states an execution transitioned between
|
||||
#[derive(Debug, Default, Serialize, Deserialize, Clone)]
|
||||
pub struct RefinedFreeRTOSSystemState {
|
||||
start_tick: u64,
|
||||
end_tick: u64,
|
||||
pub start_tick: u64,
|
||||
pub end_tick: u64,
|
||||
last_pc: Option<u64>,
|
||||
input_counter: u32,
|
||||
current_task: RefinedTCB,
|
||||
pub current_task: RefinedTCB,
|
||||
ready_list_after: Vec<RefinedTCB>,
|
||||
}
|
||||
impl PartialEq for RefinedFreeRTOSSystemState {
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user