showmap dumps edges to file

fuzzers/wcet_qemu_sys/Cargo.toml

@@ -17,6 +17,7 @@ libafl = { path = "../../libafl/" }
 libafl_qemu = { path = "../../libafl_qemu/", features = ["systemmode", "arm"] }
 clap = { version = "3.0.0-beta.2", features = ["default"] }
 serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib
+ron = "0.7" # write serialized data - including hashmaps
 hashbrown =  { version = "0.11", features = ["serde", "ahash-compile-time-rng"], default-features=false } # A faster hashmap, nostd compatible
 nix = "0.23.0"
 goblin = "0.4.2"

fuzzers/wcet_qemu_sys/src/showmap.rs

@@ -1,5 +1,6 @@
 //! A singlethreaded QEMU fuzzer that can auto-restart.
 
+use std::fs::File;
 use std::path::Path;
 use libafl::corpus::Corpus;
 use libafl::state::HasCorpus;
@@ -98,6 +99,11 @@ pub fn main() {
                 .long("libafl-timeout")
                 .default_value("1000"),
         )
+        .arg(
+            Arg::new("edges")
+                .long("libafl-edges")
+                .takes_value(true),
+        )
         .try_get_matches_from(filter_qemu_args())
     {
         Ok(res) => res,
@@ -138,9 +144,13 @@ pub fn main() {
     }
 
     let kernel = PathBuf::from(res.value_of("k").unwrap().to_string());
+    let edges = match res.value_of("edges") {
+        Some(st) => Some(PathBuf::from(st.to_string())),
+        None => None
+    };
 
 
-    fuzz(in_dir, kernel)
+    fuzz(in_dir, kernel, edges)
         .expect("An error occurred while fuzzing");
 }
 
@@ -161,6 +171,7 @@ fn virt2phys(vaddr : u64, tab : &goblin::elf::Elf) -> u64 {
 fn fuzz(
     seed_dir: PathBuf,
     kernel: PathBuf,
+    dump_edges: Option<PathBuf>,
 ) -> Result<(), Error> {
     //=========== Setup emulator
     let mut env: Vec<(String, String)> = env::vars().collect();
@@ -220,7 +231,7 @@ fn fuzz(
         HitcountsMapObserver::new(VariableMapObserver::new("edges", edges, edges_counter));
 
     //========= Feedback-Function evaluate the Maps. Need to dump it for debugging and check if it reaches targets.
-    let feedback = DumpMapFeedback::new();
+    let feedback = DumpMapFeedback::with_dump(dump_edges);
 
     // A feedback to choose if an input is a solution or not
     let objective = HitFeedback::new();
@@ -305,7 +316,9 @@ fn fuzz(
 //=========================== Debugging Feedback
 /// A [`Feedback`] meant to dump the edgemap for debugging.
 #[derive(Debug)]
-pub struct DumpMapFeedback {}
+pub struct DumpMapFeedback {
+    dumpfile: Option<PathBuf>
+}
 
 impl<I, S> Feedback<I, S> for DumpMapFeedback
 where
@@ -326,7 +339,13 @@ where
     {
         let observer = _observers.match_name::<HitcountsMapObserver<VariableMapObserver<u8>>>("edges")
             .expect("HitcountsMapObserver not found");
-        println!("{:#?}",observer.edgemap);
+        match &self.dumpfile {
+            Some(s) => {
+                    fs::write(s,ron::to_string(&observer.edgemap).expect("Error serializing hashmap")).expect("Can not dump to file");
+                    self.dumpfile = None
+                },
+            None => println!("{:#?}",observer.edgemap),
+        };
         Ok(true)
     }
 }
@@ -342,7 +361,10 @@ impl DumpMapFeedback {
     /// Creates a new [`HitFeedback`]
     #[must_use]
     pub fn new() -> Self {
-        Self {}
+        Self {dumpfile: None}
+    }
+    pub fn with_dump(dumpfile: Option<PathBuf>) -> Self {
+        Self {dumpfile: dumpfile}
     }
 }
 

fuzzers/wcet_qemu_sys/starter.sh

@@ -1,3 +1,3 @@
 mkdir -p target/test_in target/test_out
 [ ! -f target/test_in/test ] && echo " !test" > target/test_in/test
-LD_LIBRARY_PATH=target/debug target/debug/wcet_qemu_sys --libafl-kernel $1 --libafl-out target/test_out --libafl-in target/test_in
+LD_LIBRARY_PATH=target/debug target/debug/wcet_qemu_sys --libafl-out target/test_out --libafl-in target/test_in --libafl-kernel $@