diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs index 2726a50675..3c9f4c364e 100644 --- a/fuzzers/FRET/src/fuzzer.rs +++ b/fuzzers/FRET/src/fuzzer.rs @@ -18,12 +18,12 @@ use libafl::{ executors::{ExitKind, TimeoutExecutor}, feedback_or, feedback_or_fast, - feedbacks::{CrashFeedback, MaxMapFeedback, TimeFeedback, TimeoutFeedback}, + feedbacks::{CrashFeedback, MaxMapFeedback, TimeoutFeedback}, fuzzer::{Fuzzer, StdFuzzer}, inputs::{BytesInput, HasTargetBytes}, monitors::MultiMonitor, mutators::scheduled::{havoc_mutations, StdScheduledMutator}, - observers::{TimeObserver, VariableMapObserver}, + observers::{VariableMapObserver}, schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler}, stages::StdMutationalStage, state::{HasCorpus, StdState}, @@ -34,7 +34,10 @@ use libafl_qemu::{ edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor, QemuHooks, Regs, }; -use crate::{clock::QemuClockObserver, qemustate::QemuStateRestoreHelper}; +use crate::{ + clock::{QemuClockObserver, ClockTimeFeedback}, + qemustate::QemuStateRestoreHelper, +}; pub static mut MAX_INPUT_SIZE: usize = 50; @@ -91,14 +94,6 @@ pub fn fuzz() { emu.set_breakpoint(breakpoint); // BREAKPOINT - // let saved_cpu_states: Vec<_> = (0..emu.num_cpus()) - // .map(|i| emu.cpu_from_index(i).save_state()) - // .collect(); - - // emu.save_snapshot("start", true); - - // let snap = emu.create_fast_snapshot(true); - // The wrapped harness function, calling out to the LLVM-style harness let mut harness = |input: &BytesInput| { let target = input.target_bytes(); @@ -118,25 +113,12 @@ pub fn fuzz() { let mut pcs = (0..emu.num_cpus()) .map(|i| emu.cpu_from_index(i)) .map(|cpu| -> Result { cpu.read_reg(Regs::Pc) }); - let _ret = match pcs + match pcs .find(|pc| (breakpoint..breakpoint + 5).contains(pc.as_ref().unwrap_or(&0))) { Some(_) => ExitKind::Ok, None => ExitKind::Crash, - }; - - // OPTION 1: restore only the CPU state (registers et. al) - // for (i, s) in saved_cpu_states.iter().enumerate() { - // emu.cpu_from_index(i).restore_state(s); - // } - - // OPTION 2: restore a slow vanilla QEMU snapshot - // emu.load_snapshot("start", true); - - // OPTION 3: restore a fast devices+mem snapshot - // emu.restore_fast_snapshot(snap); - - _ret + } } }; @@ -146,7 +128,7 @@ pub fn fuzz() { let edges_observer = VariableMapObserver::new("edges", edges, edges_counter); // Create an observation channel to keep track of the execution time - let time_observer = TimeObserver::new("time"); + let clock_time_observer = QemuClockObserver::new("clocktime"); // Feedback to rate the interestingness of an input // This one is composed by two Feedbacks in OR @@ -154,7 +136,7 @@ pub fn fuzz() { // New maximization map feedback linked to the edges observer and the feedback state MaxMapFeedback::new_tracking(&edges_observer, true, true), // Time feedback, this one does not need a feedback state - TimeFeedback::new_with_observer(&time_observer) + ClockTimeFeedback::new_with_observer(&clock_time_observer) ); // A feedback to choose if an input is a solution or not @@ -191,7 +173,7 @@ pub fn fuzz() { let executor = QemuExecutor::new( &mut hooks, &mut harness, - tuple_list!(edges_observer, time_observer, QemuClockObserver::default()), + tuple_list!(edges_observer, clock_time_observer), &mut fuzzer, &mut state, &mut mgr,