better seeding + trace cutout

fuzzers/FRET/benchmark/Snakefile

@@ -142,8 +142,23 @@ rule tarnsform_trace:
     output:
         "{remote}timedump/{fuzzer}/{target}#{num}_case.jobs.csv",
         "{remote}timedump/{fuzzer}/{target}#{num}_case.resp.csv"
-    shell:
+    run:
-        "$(pwd)/../../../../state2gantt/target/debug/state2gantt -i {input} -a {output[0]} -r {output[1]}"
+        with open('target_symbols.csv') as csvfile:
+            reader = csv.DictReader(csvfile)
+            line = next((x for x in reader if x['\ufeffkernel']==wildcards.target), None)
+            if line == None:
+                return False
+            kernel=line['\ufeffkernel']
+            fuzz_main=line['main_function']
+            fuzz_input=line['input_symbol']
+            fuzz_len=line['input_size']
+            bkp=line['return_function']
+            select_task=line['select_task']
+            script="""
+                echo $(pwd)/../../../../state2gantt/target/debug/state2gantt -i {input} -a {output[0]} -r {output[1]} -t {select_task}
+                $(pwd)/../../../../state2gantt/target/debug/state2gantt -i {input} -a {output[0]} -r {output[1]} -t {select_task}
+                """
+            shell(script)
 
 rule trace2gantt:
     input:

fuzzers/FRET/src/fuzzer.rs

@@ -15,13 +15,9 @@ edges::{self, edges_map_mut_ptr, QemuEdgeCoverageHelper, MAX_EDGES_FOUND}, elf::
 };
 use rand::{SeedableRng, StdRng, Rng};
 use crate::{
-    time::{
+    systemstate::{self, feedbacks::{DumpSystraceFeedback, SystraceErrorFeedback}, helpers::{get_function_range, load_symbol, try_load_symbol, QemuSystemStateHelper}, mutational::{input_bytes_to_interrupt_times, InterruptShiftStage}, observers::QemuSystemStateObserver, schedulers::{GenerationScheduler, LongestTraceScheduler}, stg::{stg_map_mut_slice, GraphMaximizerCorpusScheduler, STGEdge, STGNode, StgFeedback, MAX_STG_NUM}}, time::{
-        clock::{ClockTimeFeedback, IcHist, QemuClockIncreaseFeedback, QemuClockObserver, FUZZ_START_TIMESTAMP, QEMU_ICOUNT_SHIFT},
+        clock::{ClockTimeFeedback, IcHist, QemuClockIncreaseFeedback, QemuClockObserver, FUZZ_START_TIMESTAMP, QEMU_ICOUNT_SHIFT, QEMU_ISNS_PER_USEC}, qemustate::QemuStateRestoreHelper, worst::{AlwaysTrueFeedback, ExecTimeIncFeedback, TimeMaximizerCorpusScheduler, TimeProbMassScheduler, TimeStateMaximizerCorpusScheduler}
-        worst::{AlwaysTrueFeedback, ExecTimeIncFeedback, TimeMaximizerCorpusScheduler, TimeProbMassScheduler, TimeStateMaximizerCorpusScheduler},
+    }
-        qemustate::QemuStateRestoreHelper
-    },
-    systemstate::{self, feedbacks::{DumpSystraceFeedback, SystraceErrorFeedback}, helpers::{get_function_range, load_symbol, try_load_symbol, QemuSystemStateHelper}, observers::QemuSystemStateObserver, schedulers::{GenerationScheduler, LongestTraceScheduler}, stg::{stg_map_mut_slice, GraphMaximizerCorpusScheduler, STGEdge, STGNode, StgFeedback, MAX_STG_NUM}},
-    systemstate::mutational::{input_bytes_to_interrupt_times, InterruptShiftStage},
 };
 use std::time::SystemTime;
 use petgraph::dot::Dot;
@@ -33,6 +29,7 @@ use crate::cli::Commands;
 use crate::cli::set_env_from_config;
 use clap::Parser;
 use log;
+use rand::RngCore;
 
 // Constants ================================================================================
 
@@ -274,14 +271,18 @@ let api_ranges : Vec<_> = api_ranges.into_iter().collect();
 let isr_ranges : Vec<_> = isr_ranges.into_iter().collect();
 
 /// Setup the interrupt inputs. Noop if interrupts are not fuzzed
-fn setup_interrupt_inputs(mut input : MultipartInput<BytesInput>, interrupt_config : &Vec<(usize,u32)>) -> MultipartInput<BytesInput> {
+fn setup_interrupt_inputs(mut input : MultipartInput<BytesInput>, interrupt_config : &Vec<(usize,u32)>, mut random: Option<&mut StdRng>) -> MultipartInput<BytesInput> {
     #[cfg(feature = "fuzz_int")]
     for (i,_) in interrupt_config {
         let name = format!("isr_{}_times",i);
         if input.parts_by_name(&name).next().is_none() {
+            if let Some(random) = random.as_mut() {
+                input.add_part(name, BytesInput::new((0..MAX_NUM_INTERRUPT).map(|_| (random.next_u32()%(100*1000*QEMU_ISNS_PER_USEC)).to_le_bytes()).flatten().collect()));
+            } else {
                 input.add_part(name, BytesInput::new([0; MAX_NUM_INTERRUPT*4].to_vec()));
             }
         }
+    }
     input
 }
 
@@ -536,7 +537,7 @@ let run_client = |state: Option<_>, mut mgr, _core_id| {
                 Ok(x) => x,
                 Err(_) => {
                     println!("Interpreting input file as raw input");
-                    setup_interrupt_inputs(MultipartInput::from([("bytes",BytesInput::new(input.as_os_str().as_encoded_bytes().to_vec()))]), &interrupt_config)
+                    setup_interrupt_inputs(MultipartInput::from([("bytes",BytesInput::new(input.as_os_str().as_encoded_bytes().to_vec()))]), &interrupt_config, None)
                 }
             };
             fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, show_input)
@@ -548,9 +549,8 @@ let run_client = |state: Option<_>, mut mgr, _core_id| {
                 unsafe {
                     let mut rng = StdRng::seed_from_u64(se);
                     for _ in 0..100 {
-                        let inp1 = BytesInput::new(vec![rng.gen::<u8>(); MAX_NUM_INTERRUPT*4]);
+                        let inp2 = BytesInput::new((0..MAX_INPUT_SIZE).map(|_| rng.gen::<u8>()).collect());
-                        let inp2 = BytesInput::new(vec![rng.gen::<u8>(); MAX_INPUT_SIZE]);
+                        let inp = setup_interrupt_inputs(MultipartInput::from([("bytes",inp2)]), &interrupt_config, Some(&mut rng));
-                        let inp = setup_interrupt_inputs(MultipartInput::from([("bytes",inp2)]), &interrupt_config);
                         fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, inp).unwrap();
                     }
                 }
@@ -591,9 +591,8 @@ let run_client = |state: Option<_>, mut mgr, _core_id| {
                         while start_time.elapsed() < target_duration {
                             // let inp = generator.generate(&mut state).unwrap();
                             // libafl's generator is too slow
-                            let inp1 = BytesInput::new(vec![rng.gen::<u8>(); MAX_NUM_INTERRUPT*4]);
+                            let inp2 = BytesInput::new((0..MAX_INPUT_SIZE).map(|_| rng.gen::<u8>()).collect());
-                            let inp2 = BytesInput::new(vec![rng.gen::<u8>(); MAX_INPUT_SIZE]);
+                            let inp = setup_interrupt_inputs(MultipartInput::from([("bytes",inp2)]), &interrupt_config, Some(&mut rng));
-                            let inp = setup_interrupt_inputs(MultipartInput::from([("bytes",inp2)]), &interrupt_config);
                             fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, inp).unwrap();
                         }
                     }} else {