diff --git a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs index a9e56533d6..54c1d99f3b 100644 --- a/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs +++ b/fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs @@ -1,5 +1,7 @@ //! A singlethreaded QEMU fuzzer that can auto-restart. +use wcet_qemu_sys::sysstate::feedbacks::HitSysStateFeedback; +use wcet_qemu_sys::sysstate::MiniFreeRTOSSystemState; use libafl::corpus::QueueCorpusScheduler; use libafl_qemu::QemuInstrumentationFilter; use wcet_qemu_sys::sysstate::helpers::QemuSystemStateHelper; @@ -324,8 +326,6 @@ fn fuzz( let sysstate_observer = QemuSysStateObserver::new(); let sysstate_feedback_state = SysStateFeedbackState::default(); - // Feedback to rate the interestingness of an input - // This one is composed by two Feedbacks in OR let target_map : HashMap<(u64,u64),u8> = match dump_edges { None => HashMap::new(), Some(ref s) => { @@ -334,17 +334,27 @@ fn fuzz( hmap }, }; + let target_trace : Option> = match dump_traces { + None => None, + Some(ref s) => { + let raw = fs::read(s).expect("Can not read dumped traces"); + let trace : Vec = ron::from_str(&String::from_utf8_lossy(&raw)).expect("Can not parse traces"); + Some(trace) + }, + }; + // Feedback to rate the interestingness of an input + // This one is composed by two Feedbacks in OR let feedback = feedback_or!( // New maximization map feedback linked to the edges observer and the feedback state MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false), HitImprovingFeedback::new(target_map.clone(), &edges_observer), QemuClockIncreaseFeedback::default(), - ClockFeedback::new_with_observer(&clock_observer), + ClockFeedback::new_with_observer(&clock_observer), NovelSysStateFeedback::default() ); // A feedback to choose if an input is a solution or not - let objective = HitFeedback::new(target_map,0.0,&edges_observer); + let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer),HitSysStateFeedback::new(target_trace)); // let objective = SortedFeedback::new(); // create a State from scratch diff --git a/fuzzers/wcet_qemu_sys/src/sysstate/feedbacks.rs b/fuzzers/wcet_qemu_sys/src/sysstate/feedbacks.rs index cfbe0af0fe..fee5317482 100644 --- a/fuzzers/wcet_qemu_sys/src/sysstate/feedbacks.rs +++ b/fuzzers/wcet_qemu_sys/src/sysstate/feedbacks.rs @@ -132,6 +132,75 @@ impl Named for NovelSysStateFeedback } } +//============================= + +pub fn match_traces(target: &Vec, last: &Vec) -> bool { + let mut ret = true; + if target.len() > last.len() {return false;} + for i in 0..target.len() { + ret &= target[i].current_task.task_name==last[i].current_task.task_name; + } + ret +} +pub fn match_traces_name(target: &Vec, last: &Vec) -> bool { + let mut ret = true; + if target.len() > last.len() {return false;} + for i in 0..target.len() { + ret &= target[i]==last[i].current_task.task_name; + } + ret +} + +/// A Feedback reporting novel System-State Transitions. Depends on [`QemuSysStateObserver`] +#[derive(Serialize, Deserialize, Clone, Debug, Default)] +pub struct HitSysStateFeedback +{ + target: Option>, +} + +impl Feedback for HitSysStateFeedback +where + I: Input, + S: HasClientPerfMonitor + HasFeedbackStates, +{ + fn is_interesting( + &mut self, + _state: &mut S, + _manager: &mut EM, + _input: &I, + observers: &OT, + _exit_kind: &ExitKind, + ) -> Result + where + EM: EventFirer, + OT: ObserversTuple, + { + let observer = observers.match_name::("sysstate") + .expect("QemuSysStateObserver not found"); + // Do Stuff + match &self.target { + Some(s) => { + // #[cfg(debug_assertions)] eprintln!("Hit SysState Feedback trigger"); + Ok(match_traces_name(s, &observer.last_run)) + }, + None => Ok(false), + } + } +} + +impl Named for HitSysStateFeedback +{ + #[inline] + fn name(&self) -> &str { + "hit_sysstate" + } +} + +impl HitSysStateFeedback { + pub fn new(target: Option>) -> Self { + Self {target: target.map(|x| x.into_iter().map(|y| y.current_task.task_name).collect())} + } +} //=========================== Debugging Feedback /// A [`Feedback`] meant to dump the system-traces for debugging. Depends on [`QemuSysStateObserver`] #[derive(Debug)]