SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add HitSysStateFeedback

Browse Source
This commit is contained in:
Alwin Berger 2022-02-22 23:14:05 +01:00
parent 5df99365f6
commit a6294af2c3
2 changed files with 83 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
fuzzers/wcet_qemu_sys/src/bin/fuzzer.rs
View File

@ -1,5 +1,7 @@
//! A singlethreaded QEMU fuzzer that can auto-restart.
use wcet_qemu_sys::sysstate::feedbacks::HitSysStateFeedback;
use wcet_qemu_sys::sysstate::MiniFreeRTOSSystemState;
use libafl::corpus::QueueCorpusScheduler;
use libafl_qemu::QemuInstrumentationFilter;
use wcet_qemu_sys::sysstate::helpers::QemuSystemStateHelper;
@ -324,8 +326,6 @@ fn fuzz(
let sysstate_observer = QemuSysStateObserver::new();
let sysstate_feedback_state = SysStateFeedbackState::default();
// Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR
let target_map : HashMap<(u64,u64),u8> = match dump_edges {
None => HashMap::new(),
Some(ref s) => {
@ -334,6 +334,16 @@ fn fuzz(
hmap
},
};
let target_trace : Option<Vec<MiniFreeRTOSSystemState>> = match dump_traces {
None => None,
Some(ref s) => {
let raw = fs::read(s).expect("Can not read dumped traces");
let trace : Vec<MiniFreeRTOSSystemState> = ron::from_str(&String::from_utf8_lossy(&raw)).expect("Can not parse traces");
Some(trace)
},
};
// Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR
let feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false),
@ -344,7 +354,7 @@ fn fuzz(
);
// A feedback to choose if an input is a solution or not
let objective = HitFeedback::new(target_map,0.0,&edges_observer);
let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer),HitSysStateFeedback::new(target_trace));
// let objective = SortedFeedback::new();
// create a State from scratch

69
fuzzers/wcet_qemu_sys/src/sysstate/feedbacks.rs
View File

@ -132,6 +132,75 @@ impl Named for NovelSysStateFeedback
}
}
//=============================
pub fn match_traces(target: &Vec<MiniFreeRTOSSystemState>, last: &Vec<MiniFreeRTOSSystemState>) -> bool {
let mut ret = true;
if target.len() > last.len() {return false;}
for i in 0..target.len() {
ret &= target[i].current_task.task_name==last[i].current_task.task_name;
}
ret
}
pub fn match_traces_name(target: &Vec<String>, last: &Vec<MiniFreeRTOSSystemState>) -> bool {
let mut ret = true;
if target.len() > last.len() {return false;}
for i in 0..target.len() {
ret &= target[i]==last[i].current_task.task_name;
}
ret
}
/// A Feedback reporting novel System-State Transitions. Depends on [`QemuSysStateObserver`]
#[derive(Serialize, Deserialize, Clone, Debug, Default)]
pub struct HitSysStateFeedback
{
target: Option<Vec<String>>,
}
impl<I, S> Feedback<I, S> for HitSysStateFeedback
where
I: Input,
S: HasClientPerfMonitor + HasFeedbackStates,
{
fn is_interesting<EM, OT>(
&mut self,
_state: &mut S,
_manager: &mut EM,
_input: &I,
observers: &OT,
_exit_kind: &ExitKind,
) -> Result<bool, Error>
where
EM: EventFirer<I>,
OT: ObserversTuple<I, S>,
{
let observer = observers.match_name::<QemuSysStateObserver>("sysstate")
.expect("QemuSysStateObserver not found");
// Do Stuff
match &self.target {
Some(s) => {
// #[cfg(debug_assertions)] eprintln!("Hit SysState Feedback trigger");
Ok(match_traces_name(s, &observer.last_run))
},
None => Ok(false),
}
}
}
impl Named for HitSysStateFeedback
{
#[inline]
fn name(&self) -> &str {
"hit_sysstate"
}
}
impl HitSysStateFeedback {
pub fn new(target: Option<Vec<MiniFreeRTOSSystemState>>) -> Self {
Self {target: target.map(|x| x.into_iter().map(|y| y.current_task.task_name).collect())}
}
}
//=========================== Debugging Feedback
/// A [`Feedback`] meant to dump the system-traces for debugging. Depends on [`QemuSysStateObserver`]
#[derive(Debug)]