add HitSysStateFeedback
This commit is contained in:
parent
5df99365f6
commit
a6294af2c3
@ -1,5 +1,7 @@
|
|||||||
//! A singlethreaded QEMU fuzzer that can auto-restart.
|
//! A singlethreaded QEMU fuzzer that can auto-restart.
|
||||||
|
|
||||||
|
use wcet_qemu_sys::sysstate::feedbacks::HitSysStateFeedback;
|
||||||
|
use wcet_qemu_sys::sysstate::MiniFreeRTOSSystemState;
|
||||||
use libafl::corpus::QueueCorpusScheduler;
|
use libafl::corpus::QueueCorpusScheduler;
|
||||||
use libafl_qemu::QemuInstrumentationFilter;
|
use libafl_qemu::QemuInstrumentationFilter;
|
||||||
use wcet_qemu_sys::sysstate::helpers::QemuSystemStateHelper;
|
use wcet_qemu_sys::sysstate::helpers::QemuSystemStateHelper;
|
||||||
@ -324,8 +326,6 @@ fn fuzz(
|
|||||||
let sysstate_observer = QemuSysStateObserver::new();
|
let sysstate_observer = QemuSysStateObserver::new();
|
||||||
let sysstate_feedback_state = SysStateFeedbackState::default();
|
let sysstate_feedback_state = SysStateFeedbackState::default();
|
||||||
|
|
||||||
// Feedback to rate the interestingness of an input
|
|
||||||
// This one is composed by two Feedbacks in OR
|
|
||||||
let target_map : HashMap<(u64,u64),u8> = match dump_edges {
|
let target_map : HashMap<(u64,u64),u8> = match dump_edges {
|
||||||
None => HashMap::new(),
|
None => HashMap::new(),
|
||||||
Some(ref s) => {
|
Some(ref s) => {
|
||||||
@ -334,6 +334,16 @@ fn fuzz(
|
|||||||
hmap
|
hmap
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
let target_trace : Option<Vec<MiniFreeRTOSSystemState>> = match dump_traces {
|
||||||
|
None => None,
|
||||||
|
Some(ref s) => {
|
||||||
|
let raw = fs::read(s).expect("Can not read dumped traces");
|
||||||
|
let trace : Vec<MiniFreeRTOSSystemState> = ron::from_str(&String::from_utf8_lossy(&raw)).expect("Can not parse traces");
|
||||||
|
Some(trace)
|
||||||
|
},
|
||||||
|
};
|
||||||
|
// Feedback to rate the interestingness of an input
|
||||||
|
// This one is composed by two Feedbacks in OR
|
||||||
let feedback = feedback_or!(
|
let feedback = feedback_or!(
|
||||||
// New maximization map feedback linked to the edges observer and the feedback state
|
// New maximization map feedback linked to the edges observer and the feedback state
|
||||||
MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false),
|
MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false),
|
||||||
@ -344,7 +354,7 @@ fn fuzz(
|
|||||||
);
|
);
|
||||||
|
|
||||||
// A feedback to choose if an input is a solution or not
|
// A feedback to choose if an input is a solution or not
|
||||||
let objective = HitFeedback::new(target_map,0.0,&edges_observer);
|
let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer),HitSysStateFeedback::new(target_trace));
|
||||||
// let objective = SortedFeedback::new();
|
// let objective = SortedFeedback::new();
|
||||||
|
|
||||||
// create a State from scratch
|
// create a State from scratch
|
||||||
|
|||||||
@ -132,6 +132,75 @@ impl Named for NovelSysStateFeedback
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//=============================
|
||||||
|
|
||||||
|
pub fn match_traces(target: &Vec<MiniFreeRTOSSystemState>, last: &Vec<MiniFreeRTOSSystemState>) -> bool {
|
||||||
|
let mut ret = true;
|
||||||
|
if target.len() > last.len() {return false;}
|
||||||
|
for i in 0..target.len() {
|
||||||
|
ret &= target[i].current_task.task_name==last[i].current_task.task_name;
|
||||||
|
}
|
||||||
|
ret
|
||||||
|
}
|
||||||
|
pub fn match_traces_name(target: &Vec<String>, last: &Vec<MiniFreeRTOSSystemState>) -> bool {
|
||||||
|
let mut ret = true;
|
||||||
|
if target.len() > last.len() {return false;}
|
||||||
|
for i in 0..target.len() {
|
||||||
|
ret &= target[i]==last[i].current_task.task_name;
|
||||||
|
}
|
||||||
|
ret
|
||||||
|
}
|
||||||
|
|
||||||
|
/// A Feedback reporting novel System-State Transitions. Depends on [`QemuSysStateObserver`]
|
||||||
|
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
|
||||||
|
pub struct HitSysStateFeedback
|
||||||
|
{
|
||||||
|
target: Option<Vec<String>>,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<I, S> Feedback<I, S> for HitSysStateFeedback
|
||||||
|
where
|
||||||
|
I: Input,
|
||||||
|
S: HasClientPerfMonitor + HasFeedbackStates,
|
||||||
|
{
|
||||||
|
fn is_interesting<EM, OT>(
|
||||||
|
&mut self,
|
||||||
|
_state: &mut S,
|
||||||
|
_manager: &mut EM,
|
||||||
|
_input: &I,
|
||||||
|
observers: &OT,
|
||||||
|
_exit_kind: &ExitKind,
|
||||||
|
) -> Result<bool, Error>
|
||||||
|
where
|
||||||
|
EM: EventFirer<I>,
|
||||||
|
OT: ObserversTuple<I, S>,
|
||||||
|
{
|
||||||
|
let observer = observers.match_name::<QemuSysStateObserver>("sysstate")
|
||||||
|
.expect("QemuSysStateObserver not found");
|
||||||
|
// Do Stuff
|
||||||
|
match &self.target {
|
||||||
|
Some(s) => {
|
||||||
|
// #[cfg(debug_assertions)] eprintln!("Hit SysState Feedback trigger");
|
||||||
|
Ok(match_traces_name(s, &observer.last_run))
|
||||||
|
},
|
||||||
|
None => Ok(false),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Named for HitSysStateFeedback
|
||||||
|
{
|
||||||
|
#[inline]
|
||||||
|
fn name(&self) -> &str {
|
||||||
|
"hit_sysstate"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl HitSysStateFeedback {
|
||||||
|
pub fn new(target: Option<Vec<MiniFreeRTOSSystemState>>) -> Self {
|
||||||
|
Self {target: target.map(|x| x.into_iter().map(|y| y.current_task.task_name).collect())}
|
||||||
|
}
|
||||||
|
}
|
||||||
//=========================== Debugging Feedback
|
//=========================== Debugging Feedback
|
||||||
/// A [`Feedback`] meant to dump the system-traces for debugging. Depends on [`QemuSysStateObserver`]
|
/// A [`Feedback`] meant to dump the system-traces for debugging. Depends on [`QemuSysStateObserver`]
|
||||||
#[derive(Debug)]
|
#[derive(Debug)]
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user